Windows – Creating a windows account only for share access

file-sharinguser-managementwindowswindows-server-2008-r2

I'm running Windows Server 2008 R2 in a workgroup, not a domain, and I want to create a local account that is only used for allowing other computers in the same workgroup to access file shares on that server.

When clients connect they will be prompted for a username/password (hopefully) and this account would serve as a way to allow them access.

I do not want this account to have a profile, or be used to actually log into the server itself. I only need it as a way to authenticate users for shared folders.

Can this be done? If not, what is the recommended approach for this?

Best Answer

Sure it can be done. When you've set up the local user account on the server add the user account to the "Deny log on locally" and "Deny log on through Terminal Services" user rights assignment. That will prevent anyone from using this user account to log on to the server locally or via TS/RDS but will allow them to access the share with this uer.

Related Solutions

Windows Scripting – Script to Reset Home Directory Permissions on a Windows Share

Assuming you're running this on Windows Server 2003 or newer you'll have both the TAKEOWN and ICACLS commands. I'm also assuming the that top level folder permission is set sanely (i.e. "Authenticated Users - List Folder Contents - This folder only", proper "Administrator" permissions if you like them being able to get into user folders, etc).

@echo off
FOR /D %%i in (*) do (
  TAKEOWN /f "%%i" /r /d y
  ICACLS "%%i" /reset /T
  ICACLS "%%i" /grant:r "DOMAIN\%%i":(OI)(CI)F
  rem Unremark this line to set the owner to the user, if you like that
  rem ICACLS "%%i" /setowner "DOMAIN\%%i" /T
)

That'll take ownership, clean up all the permissions and restore inheritance, add the user w/ Full Control rights to the directory, and then optionally give back ownership if you un-rem the last line.

My condolences for having to deal with users sharing files between each other out of home directories. That's a real pain.

How to Grant Network Access to LocalSystem Account – Windows Security

In a domain environment, you can grant access rights to computer accounts; this applies to processes running on those computers as LocalSystem or NetworkService (but not LocalService, which presents anonymous credentials on the network) when they connect to remote systems.

So, if you have a computer called MANGO, you'll have an Active Directory computer account called MANGO$, which you can grant permissions to.

enter image description here

Note: You can't do any of this in a workgroup environment; this applies only to domains.

Best Answer

Related Solutions

Windows Scripting – Script to Reset Home Directory Permissions on a Windows Share

How to Grant Network Access to LocalSystem Account – Windows Security

Related Topic