
    Anonymous (NULL user) access to a Share  
newsgroup user




 
02-18-04 11:33 AM


My first question is, "Is there a newsgroup for 2003 machines?"

Now, for my question:

I've "Shared" a folder called "Myfolder" on a Windows 2003 Standard Edition 
machine to "everyone" with "Full Control"

Now, from a Windows 2000 or Windows XP machine:

C:\>dir \\<windows2003_IPaddress>\Myfolder
Logon failure: unknown user name or bad password.

If I do the same procedure on a Windows 2000 or XP machine, the dir works!

How do I get this behavior on Windows 2003.

Here's an article that discusses NULL user settings, etc.

http://web.mit.edu/is/topics/window...urity.html#null








    RE: Anonymous (NULL user) access to a Share  
newsgroup user




 
02-18-04 01:34 PM

I forgot to mention, I don't want to enable the Guest Account.
If I enable the Guest account, it works.








    Re: Anonymous (NULL user) access to a Share  
Jeff Cochran




 
02-18-04 01:34 PM

On Wed, 18 Feb 2004 12:06:05 -0800, "Paul"
<anonymous@discussions.microsoft.com> wrote:

>
>My first question is, "Is there a newsgroup for 2003 machines?"

A number.  The microsoft.public.windows.server. set of groups.

>I've "Shared" a folder called "Myfolder" on a Windows 2003 Standard Edition
>machine to "everyone" with "Full Control"
>
>Now, from a Windows 2000 or Windows XP machine:
>
>C:\>dir \\<windows2003_IPaddress>\Myfolder
>Logon failure: unknown user name or bad password.
>
>If I do the same procedure on a Windows 2000 or XP machine, the dir works!

Yup.  New security in 2003.

>How do I get this behavior on Windows 2003.

It's in your article, though the default is wrong for 2003 as listed.
You need to set the RestrictAnonymous to 0 in the registry as
described.  Though it's not a recommended process by any means.

>Here's an article that discusses NULL user settings, etc.
>
>http://web.mit.edu/is/topics/window...urity.html#null

Follow it but assume the defaults aren't set that way.

Jeff








    Re: Anonymous (NULL user) access to a Share  
newsgroup user




 
02-18-04 02:33 PM

I did set RestrictAnonymous to 0.
Still doesn't work.

Go ahead, try it.

Any other suggestions.










    Re: Anonymous (NULL user) access to a Share  
Steven L Umbach




 
02-18-04 03:33 PM

Maybe the reason it worked on the 2000/XP machines was because either the
user authenticated to a user account on the XP/2000 machine or the guest
account was enabled on it which can be determined  by viewing Computer
Management/shared folders/sessions. Try enabling the guest account on the
W2003 server if you really want to have unauthenticated access or otherwise
for a specific share try adding it to the null share list in security
options and you would then probably have to enable the let everyone
permissions apply to anonymous users security option, enable allow anonymous
enumeration of shares security option, and the everyone group would need to
be in the user right on the W2003 server for access this computer from the
network.  --- Steve


"Paul" <anonymous@discussions.microsoft.com> wrote in message
news:DA486BBD-0BBC-4A1A-94D1-B5563439210B@microsoft.com...
>
> My first question is, "Is there a newsgroup for 2003 machines?"
>
> Now, for my question:
>
> I've "Shared" a folder called "Myfolder" on a Windows 2003 Standard
> Edition machine to "everyone" with "Full Control"
>
> Now, from a Windows 2000 or Windows XP machine:
>
> C:\>dir \\<windows2003_IPaddress>\Myfolder
> Logon failure: unknown user name or bad password.
>
> If I do the same procedure on a Windows 2000 or XP machine, the dir
> works!
>
> How do I get this behavior on Windows 2003.
>
> Here's an article that discusses NULL user settings, etc.
>
> http://web.mit.edu/is/topics/window...urity.html#null
>










    Re: Anonymous (NULL user) access to a Share  
newsgroup user




 
02-18-04 04:33 PM

>Try enabling the guest account on the W2003 server if you really want to
>have unauthenticated access

I enabled the guest account, but it still doesn't work from my W2K box.
It works from my XP box.

>otherwise for a specific share try adding it to the null share list in
>security options

How do I do this?
What is the "null share list" and how do I add my specific share to it?

I did find under the Group Policy Management Object
Network access: Shares that can be accessed anonymously
but there's no way of adding a new entry through the snap-in;
so I searched the registry and found the path:
 HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares
I added my share to the list, but it still doesn't work!

Thank you for your help.









    Re: Anonymous (NULL user) access to a Share  
Steven Umbach




 
02-18-04 10:33 PM

That seems very odd that you have guest enabled on the W2003 server and now
XP can access it but W2K can not. Make sure that you logoff of W2K before
trying again. What kind of message are you getting from the W2K box when you
try to access the W2003 machine? Can you ping it by IP address and name??

You found the correct list for null shares. I have never tried to modify it
so maybe it just shows what is configured in the registry.  --- Steve


"Paul" <anonymous@discussions.microsoft.com> wrote in message
news:9595947B-6EF5-415B-88DE-6ED541B49DFE@microsoft.com...
>
> I enabled the guest account, but it still doesn't work from my W2K box.
> It works from my XP box.
>
> How do I do this?
> What is the "null share list" and how do I add my specific share to it?
>
> I did find under the Group Policy Management Object
> Network access: Shares that can be accessed anonymously
> but there's no way of adding a new entry through the snap-in;
> so I searched the registry and found the path:
>
> HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares
>
> I added my share to the list, but it still doesn't work!
>
> Thank you for your help.
>










    Re: Anonymous (NULL user) access to a Share  
newsgroup user




 
02-19-04 11:34 AM

>That seems very odd that you have guest enabled on the W2003 server and now
>XP can access it but W2K can not.
You call it odd, I call it broken, pOtato, potAto.

I do have another data point, I've tried it (dir \\<windows2003_IPaddress>\Myfolder) from
three different W2K machines, all of them can ping <windows2003_IPaddress>,
all of them are on the same subnet:
Host1 = W2K, build 5.00.2195 SP 3 => WORKS!
Host2 = W2K, build 5.00.2195 SP 4 => WORKS!
Host3 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!
Host4 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!

So it looks like a specific problem with specific W2K machines.
DAMN!

Regardless, my goal is to get it to work with the Guest Account disabled,
and that doesn't work from any machine (W2K or XP).

>Make sure that you logoff of W2K before trying again.
I logged off/on and tried it again, but I got the same result:
Logon failure: unknown user name or bad password.

By the way, that's the error I get from all machines if I disable the Guest
Account.
I want to do this without enabling the Guest Account (for security reasons).

So how do you want to attack this?
Do you want to get the W2K machines to work with the Guest Account Enabled first?
Or do you want to skip ahead and try to get all of them to work with the Guest Account Disabled?

Any way, here is what I see as being the relevant settings in the Group Policy snap-in:

Default Settings:
Accounts: Guest account status  - Disabled
Accounts: Limit local account use of blank passwords to console logon only - Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts - Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
Network Access: Let Everyone permissions apply to anonymous user - Disabled
Network Access: Restrict anonymous access to Named Pipes and Shares - Enabled
Network Access: Shares that can be accessed anonymously - COMCFG, DFS$
Network Access: Sharing and security model for local accounts - Classic - local users authenticate as themselves

And here are some of their corresponding registry settings:

 HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1 (DWORD)
 HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymoussam=1 (DWORD)
 HKLM\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous=1 (DWORD)
 HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\RestrictNullSessAccess=1 (DWORD)
 HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares=DFS$,etc.

I've tried all sorts of combinations and can't seem to get access to a share
without supplying a username and password.

Steve, did you get this to work?
Boy this is frustrating!











    Re: Anonymous (NULL user) access to a Share  
Steven L Umbach




 
02-19-04 12:34 PM

Hi Paul.

I have not tried it yet, but here is what I believe you need to try.

Network Access: Do not allow anonymous enumeration of SAM accounts and
shares - disabled.
Why?  -- because anonymous access is needed to shares.

Network Access: Let Everyone permissions apply to anonymous user - enabled.
Why?  -- to allow anonymous access based on permissions to the everyone
group.

Network Access: Restrict anonymous access to Named Pipes and Shares -
disabled.
Why?  -- because anonymous needs access to shares.

Network Access: Shares that can be accessed anonymously - COMCFG, DFS$  --
Your share needs to show here.
Type in the name of the share and hit apply [hit enter first to go to next
line to let you type share name] and double check that it also shows in the
registry.
http://support.microsoft.com/defaul...kb;en-us;289655  --- info on
how it is done for W2K.

If you make changes to security options, they may or probably will not
happen right away. Either try gpupdate /target:computer /force on a Windows
2003 server or reboot. --- Steve

"Paul" <anonymous@discussions.microsoft.com> wrote in message
news:95707F1D-DEB4-4957-82A3-7FA6ED49158E@microsoft.com...
> You call it odd, I call it broken, pOtato, potAto.
>
> I do have another data point, I've tried it (dir
> \\<windows2003_IPaddress>\Myfolder) from
> three different W2K machines, all of them can ping
> <windows2003_IPaddress>,
> all of them are on the same subnet:
> Host1 = W2K, build 5.00.2195 SP 3 => WORKS!
> Host2 = W2K, build 5.00.2195 SP 4 => WORKS!
> Host3 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!
> Host4 = W2K, build 5.00.2195 SP 4 => DOES NOT WORK!!!!
>
> So it looks like a specific problem with specific W2K machines.
> DAMN!
>
> Regardless, my goal is to get it to work with the Guest Account disabled,
> and that doesn't work from any machine (W2K or XP).
>
> I logged off/on and tried it again, but I got the same result:
> Logon failure: unknown user name or bad password.
>
> By the way, that's the error I get from all machines if I disable the
> Guest Account.
> I want to do this without enabling the Guest Account (for security
> reasons).
>
> So how do you want to attack this?
> Do you want to get the W2K machines to work with the Guest Account Enabled
> first?
> Or do you want to skip ahead and try to get all of them to work with the
> Guest Account Disabled?
>
> Any way, here is what I see as being the relevant settings in the Group
> Policy snap-in:
>
> Default Settings:
> Accounts: Guest account status  - Disabled
> Accounts: Limit local account use of blank passwords to console logon only - Enabled
> Network Access: Do not allow anonymous enumeration of SAM accounts - Enabled
> Network Access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
> Network Access: Let Everyone permissions apply to anonymous user - Disabled
> Network Access: Restrict anonymous access to Named Pipes and Shares - Enabled
> Network Access: Shares that can be accessed anonymously - COMCFG, DFS$
> Network Access: Sharing and security model for local accounts - Classic - local users authenticate as themselves
>
> And here are some of their corresponding registry settings:
>
> HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1 (DWORD)
> HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymoussam=1 (DWORD)
> HKLM\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous=1 (DWORD)
> HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\RestrictNullSessAccess=1 (DWORD)
> HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares=DFS$,etc.
>
> I've tried all sorts of combinations and can't seem to get access to a
> share without supplying a username and password.
>
> Steve, did you get this to work?
> Boy this is frustrating!
>







[ Post a follow-up to this message ]
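A PowerShell check for the registry values discussed in the posts above, added here as an example and not written by any of the posters: it reports each value that loosens anonymous (null session) access. The function names and the sample data are constructed; the restrictive value for EveryoneIncludesAnonymous is taken as 0, which is the Disabled state of the "Let Everyone permissions apply to anonymous users" policy.

```powershell
# Added example, not from the thread; function names and sample data are constructed.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
# Restrictive value for each DWORD setting named in the thread.
$Restrictive = [ordered]@{
    RestrictAnonymous         = 1  # no anonymous enumeration of SAM accounts and shares
    RestrictAnonymousSAM      = 1  # no anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0  # Everyone permissions do not apply to anonymous
    RestrictNullSessAccess    = 1  # null sessions limited to listed pipes and shares
}
# Read the current values from the registry of the server being audited.
function Get-AnonymousAccessSettings {
    $settings = @{}
    foreach ($key in $Lsa, $Srv) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in (@($Restrictive.Keys) + 'NullSessionShares')) {
            if ($props.PSObject.Properties[$name]) { $settings[$name] = $props.$name }
        }
    }
    return $settings
}

# Return one finding per value that is less restrictive than the table above.
function Test-AnonymousAccess {
    param([hashtable] $Settings, [string[]] $BaselineShares = @('COMCFG', 'DFS$'))
    $findings = @()
    foreach ($name in $Restrictive.Keys) {
        if (-not $Settings.ContainsKey($name)) {
            $findings += "$name is not set; the OS default applies"
        } elseif ($Settings[$name] -ne $Restrictive[$name]) {
            $findings += "$name = $($Settings[$name]), restrictive value is $($Restrictive[$name])"
        }
    }
    # Shares beyond the list shown in the thread are flagged for review.
    foreach ($share in @($Settings['NullSessionShares'])) {
        if ($share -and $BaselineShares -notcontains $share) {
            $findings += "NullSessionShares lists '$share'"
        }
    }
    return $findings
}

# Constructed sample: the state after the changes proposed in the thread.
$sample = @{
    RestrictAnonymous = 0; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 1
    RestrictNullSessAccess = 0; NullSessionShares = @('COMCFG', 'DFS$', 'Myfolder')
}
Test-AnonymousAccess -Settings $sample
```

To audit a live server, run `Test-AnonymousAccess -Settings (Get-AnonymousAccessSettings)` from an elevated session on that machine.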



    Re: Anonymous (NULL user) access to a Share  
Steven L Umbach




 
02-19-04 12:34 PM

You may also find the following link and the whole guide itself helpful and
interesting.  --- Steve

http://www.microsoft.com/technet/tr...TCG/TCGCH05.asp

"Steven L Umbach" <sumbach@nospam-ameritech.net> wrote in message
news:gV8Zb.11336$PY.25@newssvr26.news.prodigy.com...
> Hi Paul.
>
> I have not tried it yet, but here is what I believe you need to try.
>
> Network Access: Do not allow anonymous enumeration of SAM accounts and
> shares - disabled.
> Why?  -- because anonymous access is needed to shares.
>
> Network Access: Let Everyone permissions apply to anonymous user -
> enabled.
> Why?  -- to allow anonymous access based on permissions to the everyone
> group.
>
> Network Access: Restrict anonymous access to Named Pipes and Shares -
> disabled.
> Why?  -- because anonymous needs access to shares.
>
> Network Access: Shares that can be accessed anonymously - COMCFG, DFS$  --
> Your share needs to show here.
> Type in the name of the share and hit apply [hit enter first to go to next
> line to let you type share name] and double check that it also shows in
> the registry.
> http://support.microsoft.com/defaul...kb;en-us;289655  --- info
> on how it is done for W2K.
>
> If you make changes to security options, they may or probably will not
> happen right away. Either try gpupdate /target:computer /force on a
> Windows 2003 server or reboot. --- Steve
>






