Creating a Windows account only for share access

I'm running Windows Server 2008 R2 in a workgroup, not a domain, and I want to create a local account that is only used for allowing other computers in the same workgroup to access file shares on that server.

When clients connect they will be prompted for a username/password (hopefully) and this account would serve as a way to allow them access.

I do not want this account to have a profile, or be used to actually log into the server itself. I only need it as a way to authenticate users for shared folders.

Can this be done? If not, what is the recommended approach for this?


Solution 1:

Sure, it can be done. When you've set up the local user account on the server, add the user account to the "Deny log on locally" and "Deny log on through Terminal Services" user rights assignments. That will prevent anyone from using this user account to log on to the server locally or via TS/RDS but will allow them to access the share with this user.

Solution 2:

As the reply of joeqwerty is not clear, I want to put the steps in line. This works for Windows 7, 8, and 10 (I'm on 10), as well as Windows Server 2003, 2008, and 2012.

  1. Create the user (if you don't have it created already, and check this if you want it local on W10) from users, or Computer Management, whatever you like more.

  2. Open Administrative Tools, then go to Local Security Policy, and go to Local Policies > User Rights Assignment.

  3. From there, look for the policy called Deny log on locally. Double-click it and add the username that you just created to that list.

    • You can also add the user to the Deny log on through Terminal Services option, which will be shown on Windows Server. You can also add the user to Deny log on through Remote Desktop Services, which will be covered with the logon option, but just in case.

Solution 3:

You should be able to accomplish this by creating the local account and giving it share and NTFS rights on the file shares. Then use secedit to edit the local security policy. You want to use Local Policies > User Rights Assignment > Deny log on locally. Add the account to this setting.
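
The secedit route from Solution 3, covering both deny rights named in Solutions 1 and 2, as an added example that is not part of any of the answers. The account name `shareuser` and the scratch file names are assumptions; the account must already exist.

```powershell
# Added example. Run from an elevated PowerShell prompt on the file server.
$Account = 'shareuser'   # assumption: name of the local share-only account
$Rights  = @(
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Terminal Services / RDS
)
$Cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumption: scratch file names
$Db  = Join-Path $env:TEMP 'user-rights.sdb'

# secedit writes accounts as *SID, so resolve the local account to its SID.
$nt    = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Account")
$entry = '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights section of the current local policy.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$lines = New-Object 'System.Collections.Generic.List[string]'
Get-Content $Cfg | ForEach-Object { $lines.Add($_) }

foreach ($right in $Rights) {
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^$right\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Right already has members: append ours unless it is listed.
        $members = @(($lines[$idx] -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($members -notcontains $entry) {
            $lines[$idx] = "$right = " + (($members + $entry) -join ',')
        }
    } else {
        # A right with no members is absent from the export: add it.
        $hdr = $lines.IndexOf('[Privilege Rights]')
        if ($hdr -lt 0) { throw 'No [Privilege Rights] section in export' }
        $lines.Insert($hdr + 1, "$right = $entry")
    }
}

# Keep the UTF-16 encoding that secedit's export uses.
Set-Content -Path $Cfg -Value $lines -Encoding Unicode
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS

# Verify: re-export and show the two deny rights.
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $Cfg -Pattern 'SeDeny(Remote)?InteractiveLogonRight'
```

The final `Select-String` output should list the account's SID under both rights; existing entries on those rights are preserved because the script appends to them.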