I have a service that needs to establish an SMB connection to several servers. There is no issue with domain-joined computers using a domain account with access. However, I need it to connect to a few servers that are not joined.

  • The service needs Admin privileges to the Admin$ share.
  • The built-in Administrator account is disabled.
  • I have the created Local Admin's username and password.
  • Windows Firewall is off.
  • Servers are on the same subnet, no firewall between them.

Initially NTLM was set to DENY ALL, and I never got a connection. When I stepped the setting "down" to DENY ALL DOMAIN ACCOUNTS I was finally able to connect to a test server. However, when I made the same change to a production server, I could not connect.

It took a while, but I realized I was using the built-in Administrator account on the test system. We disable this built-in account on all of our production servers, and create a new account that is added to the local Administrators group.

If enabled, I can connect using the built-in Administrator account.

C:\Windows\system32>net use \\Server\Admin$ /USER:Administrator P@$$w0rd1
The command completed successfully.

However, using any other member of the local Administrators group, I cannot connect.

C:\Windows\system32>net use \\Server\Admin$ /USER:NewAdmin NewP@$$wd
System error 5 has occurred.

Access is denied

Any guidance appreciated.


Solution 1:

https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-logon-access-administrative-share

To allow administrative share access in a workgroup for Windows, use the following workaround.

1. Click Start, type regedit in the Start Search box, and then press Enter.
2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
4. Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.
5. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor.

Also documented here: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction.
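As an added example (not part of the question or of the answer above), the following PowerShell audits the LocalAccountTokenFilterPolicy value the answer describes, applies or reverts it, and repeats the Admin$ connection check the question was doing with net use. The function names, the -WhatIf dry run and the server/account names used in the usage lines are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the non-domain
# server (or inside an Invoke-Command session to it). Names are assumptions.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Absent value == Windows default: UAC remote restrictions ON, so a local
    # admin other than the built-in Administrator gets a filtered (non-admin)
    # token over the network, which is why Admin$ answers with error 5.
    $prop  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $prop) { $null } else { $prop.$ValueName }
    [pscustomobject]@{
        Value                = $value
        RemoteRestrictionsOn = ($value -ne 1)
    }
}

function Set-RemoteUacState {
    # Value 1 = the answer's workaround (full admin token for remote logons with
    # local accounts). Value 0 restores the default.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set DWORD to $Value")) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    Get-RemoteUacState
}

function Test-AdminShare {
    # Equivalent of the question's "net use \\Server\Admin$ /USER:..." check,
    # but without leaving a mapped connection behind.
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][pscredential]$Credential)
    try {
        New-PSDrive -Name AdminTest -PSProvider FileSystem -Root "\\$Server\Admin$" `
            -Credential $Credential -ErrorAction Stop | Out-Null
        Remove-PSDrive -Name AdminTest
        return $true
    } catch {
        Write-Warning "Admin$ on ${Server}: $($_.Exception.Message)"
        return $false
    }
}

# Usage on the target server: audit, dry-run the change, then apply it.
Get-RemoteUacState
Set-RemoteUacState -Value 1 -WhatIf        # shows what would change, writes nothing
# Set-RemoteUacState -Value 1              # apply; takes effect without a reboot
# From the client: Test-AdminShare -Server 'Server' -Credential (Get-Credential 'Server\NewAdmin')
```

Setting the value to 1 lifts the UAC remote restriction for every local administrator account on that server, not just the one the service uses, so `Set-RemoteUacState -Value 0` is the way back to the default once it is no longer needed.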