Guest Access to Printers

[Mark stang]

How do you allow guest access to printers on a print server?

Situation:
Windows 2000 Server (workgroup server) not in a domain.
Windows XP clients.

I have granted the Everyone group "access this computer from the
network" on the server.
I have granted the Everyone group full printing rights on the shared
printers
I have granted the Everyone group read access to the print$ share.
The "restrict anonymous" registry key has been set to "0"
The guest account is enabled.


The XP clients belong to an AD domain, but the LAN we are on is an
island and does not have any DCs on it, so the users log on with
cached credentials.

All I want is for the users to got to "Add New Printer", be able to
type in "\\Servername\sharename" and get the driver for the printer,
and be able to print. However, when they attempt to do this, a box
pops up requesting a username and password (standard windows
authentication dialog). It makes no difference at all what you type
in this dialog, you can literally type random characters as the
username, and any or no password, you just have to put in something,
and then it goes ahead and sets up the printer! With Auditing turned
on I get an infamous 681 "Account Logon" failure for the user account
I typed in, but I still can connect to and use the printer!

When I look in "Computer Management\Shared folders\Sessions" I show
up as the account "GUEST" and the column "Guest" has "Yes" in it.


Problem is, as soon as you reboot the XP client the printer shows up
as "Access Denied" and will stay that way until you delete and re-add
the printer (or add another printer, or connect to the server with a
net use command).

The net use command does the same thing:

C:\>net use * \\server\print$
The password is invalid for \\server\print$.

Enter the user name for 'server':

I can enter literally anything and get connected. Onc connected I am
no longer prompted, I connect automatically.

There is something that is causing the authentication dialog to pop
up. If I could stop that, and allow true guest or anonymous access
to the printers, I would be a very happy person.

What could be causing this useless authentication dialog to pop up?

Thanks in advance!

 

[Michael A. Covington]

I think there is no way, except to enable the Guest account, which is used
by default when an unrecognized user tries to access a printer.

Then you may be opening it up to the entire world. IPSec will help you
control which IP addresses can connect to your server. Brief notes about
IPSec in my blog: www.ai.uga.edu/mc/blog/index.html#040312

 

[Mark stang]

I think there is no way, except to enable the Guest account, which is used
by default when an unrecognized user tries to access a printer.

Then you may be opening it up to the entire world. IPSec will help you
control which IP addresses can connect to your server. Brief notes about
IPSec in my blog: www.ai.uga.edu/mc/blog/index.html#040312

Thank you for the response, unfortunately, it does not help me. I
*want* the guest account enabled. In fact, the guest account *is*
enabled. Even with it enabled I am *still* getting the authentication
prompts I listed in the original post.

Does anyone have any ideas?

Thanks in advance

Mark

 

[Steven L Umbach]

My guess is that the user trying to access the share is logged onto their computer
with the same user name but different password [possibly administrator] than on the
computer offering the share. If you are logged on as a user that has no account on
the target computer, you get guest access and no credentials box If you are logged on
with a user logon/password that exists on the target computer, you get access as that
user and groups it belongs to. However I believe if you are logged as a user that
exists on the target machine, but different password then the credentials box pops up
giving you the opportunity to logon with correct credentials. I may be wrong about
this but that is the pattern I see when using the guest account. --- Steve

 

[Mark stang]

My guess is that the user trying to access the share is logged onto their computer
with the same user name but different password [possibly administrator] than on the
computer offering the share. If you are logged on as a user that has no account on
the target computer, you get guest access and no credentials box If you are logged on
with a user logon/password that exists on the target computer, you get access as that
user and groups it belongs to. However I believe if you are logged as a user that
exists on the target machine, but different password then the credentials box pops up
giving you the opportunity to logon with correct credentials. I may be wrong about
this but that is the pattern I see when using the guest account. --- Steve

Thanks for the reply.

I have seen the same behavior in the past. However, this is not the
case here. The server has no user accounts on it other than the
standard accounts installed with windows. The logon accounts on the
client are not on the server.

There is some security setting somewhere that is forcing these
authentication boxes to pop up. Note that they are not actually
authenticating anything as I can type in anything for the user and
password and still connect. I mean anything: garbage characters, or
even the locally logged in username and password. They all work.

 

[Steven L Umbach]

I can't think of anything else that would cause that offhand. I experienced the same
exact thing - type in anything in the user box to get guest access, but it only
happened when I was logged onto the remote computer as local administrator with a
different password than on the computer offering guest access. If you have not done
so try giving everyone and administrator permissions [no users] to the printer. If
you want, you can try to reset security settings to default defined values on the
server as described in the KB link below but I would append [ /areas securitypolicy
user_rights ] to the end of the command to change just those settings. You can also
export Local Security Policy settings before making any changes. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

"Steven L Umbach" <[email protected]> wrote in message

My guess is that the user trying to access the share is logged onto their computer
with the same user name but different password [possibly administrator] than on the
computer offering the share. If you are logged on as a user that has no account on
the target computer, you get guest access and no credentials box If you are logged on
with a user logon/password that exists on the target computer, you get access as that
user and groups it belongs to. However I believe if you are logged as a user that
exists on the target machine, but different password then the credentials box pops up
giving you the opportunity to logon with correct credentials. I may be wrong about
this but that is the pattern I see when using the guest account. --- Steve

Thanks for the reply.

I have seen the same behavior in the past. However, this is not the
case here. The server has no user accounts on it other than the
standard accounts installed with windows. The logon accounts on the
client are not on the server.

There is some security setting somewhere that is forcing these
authentication boxes to pop up. Note that they are not actually
authenticating anything as I can type in anything for the user and
password and still connect. I mean anything: garbage characters, or
even the locally logged in username and password. They all work.

 

[Mark stang]

Thank you for the link! I will definitely try this out. I suspect
there is a custom security setting that is causing this.

I can't think of anything else that would cause that offhand. I experienced the same
exact thing - type in anything in the user box to get guest access, but it only
happened when I was logged onto the remote computer as local administrator with a
different password than on the computer offering guest access. If you have not done
so try giving everyone and administrator permissions [no users] to the printer. If
you want, you can try to reset security settings to default defined values on the
server as described in the KB link below but I would append [ /areas securitypolicy
user_rights ] to the end of the command to change just those settings. You can also
export Local Security Policy settings before making any changes. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

"Steven L Umbach" <[email protected]> wrote in message

My guess is that the user trying to access the share is logged onto their computer
with the same user name but different password [possibly administrator] than on the
computer offering the share. If you are logged on as a user that has no account on
the target computer, you get guest access and no credentials box If you are logged on
with a user logon/password that exists on the target computer, you get access as that
user and groups it belongs to. However I believe if you are logged as a user that
exists on the target machine, but different password then the credentials box pops up
giving you the opportunity to logon with correct credentials. I may be wrong about
this but that is the pattern I see when using the guest account. --- Steve

Thanks for the reply.

I have seen the same behavior in the past. However, this is not the
case here. The server has no user accounts on it other than the
standard accounts installed with windows. The logon accounts on the
client are not on the server.

There is some security setting somewhere that is forcing these
authentication boxes to pop up. Note that they are not actually
authenticating anything as I can type in anything for the user and
password and still connect. I mean anything: garbage characters, or
even the locally logged in username and password. They all work.