Anonymous Printer Share - Access Denied

John

We have just migrated from Unix to Windows 2000 Server,
with Windows 2000 workstations. The domain setup and group
policy is great, but we're having trouble with non-domain
machines being able to install and print to the shared
printers.

I have enabled the guest account which has full access to
the shared printers on the domain controller, as well as
giving everyone full access to the printers. In all
security policies, everyone has the ability to access the
domain controller from the network.

The problem is that when you use Network Neighborhood to
browse to the domain controller, it gives a password dialog
box which must be populated. If a user on a non-domain
machine connects to the PDC before printing, everything
works fine. But if those machines are restarted (which
happens 12-15 times a day), the user must browse to the PDC
using Network Neighborhood and enter a password before
everything will work again.

When a non-domain user/box tries to print, it gives an
access denied in the printer status. It seems to me that
when everyone access is enabled, everyone should be able to
print. However, that is not the case.

What settings do I need to change to allow
non-authenticated users to browse the shares and printers?
Users have to log into the domain before they can print,
and I'm catching much heat over this.

I've spent the last 2 days researching this, and the little
information I could find on Microsoft's site is wrong (as
in the options do not exist where they say, or the command
line arguments are just plain wrong).

I've read a few posts that say what I want to do is
impossible, but I find that difficult to believe.

Thanks in advance,
John
 
Steven L Umbach

I have never tried what you are doing but check that the computer offering
the share does not have the security option effective setting for
"additional restrictions for anonymous connections" in Local Security Policy
set to anything but "none rely on default permissions" to see if that
helps. --- Steve
 
Guest

Thanks for the reply, I made sure that was set in all 3
security policies to no avail. Perhaps it is because the
box hosting the shares is a domain controller?

Thanks again for the reply,
John
 
Steven L Umbach

I am not sure about that but generally you don't want to enable the guest
account on the domain controller as that is the guest account for the domain
which could give unauthenticated users potential access on all domain
controllers' shares, but having said that you said that a credentials box
pops up. Do they have to enter a domain user/password in it or will anything
do? I have seen where sometimes a password box will pop up when the guest
account is enabled and anything can be entered into it and access will be
gained. I think that is because the user trying to gain access is logged
onto a computer with the same name but different password than a domain user
account. You can use Computer Management/shared folders/sessions to see how
a connected user is being authenticated. The link below may also be
pertinent as it talks about the need for permissions to the
\winnt\system32\spool folder.

http://support.microsoft.com/default.aspx?scid=kb;en-us;271901

Another solution may be to create user accounts in the domain that use the
same logon name and password as those non domain users use to logon to their
computers. Then they should get pass through access to domain resources
without actually logging onto the domain - I do that all the time at home
with my laptop. Of course those users would potentially have access to any
domain resources available to the users group and password changes would
need to be synchronized. However you could add those users to their own
group and add them to the "deny access to this computer from the network"
for the domain or at the OU level to prevent them from accessing resources
that they should not. --- Steve
 
Guest

Wow, you're right, anything will do in the password dialog
box when the guest account is enabled. However, one of my
policies is that IT will never ask for their password, so
adding a mirrored account for their machines is not an
option :(. Maybe I can get a dialog box to pop up when they
try to print if they're not authenticated with the domain
somehow. (I'm a bit disappointed that this is so difficult,
I was under the impression that Windows was quick and
easy). I guess I could write a script to put in their
startup folder that will authenticate when they log on
locally... Just brainstorming now.

Thanks again for your help, I really do appreciate it.

John
 
