Articles

Issue with browsing network resource

April 18, 2012 at 08:37:16
Specs: Windows Server 2008

issue with browsing network resource
I have a problem I'm trying to understand...

I have a Windows Server 2008 running as my AD Server/Domain Controller and Print Server. Workstations (Win7 and XP) on my domain can access printers and shares without any issues.

There are workstations (XP) on a different AD server/Domain Controller I don't have control over. Though these workstations are in the same building as the workstations that are on my domain, they are on different networks/subnets. In other words, my print server and workstations are on the same subnet. The workstations I don't have control over are on a different subnet but can obviously share network resources like network drives by going through the map network wizard and entering the right domain credentials to authenticate.

Hope everything I've described above is clear enough. Recently, a request came in to install printers on my print server to the workstations I have no control over. Now mind you, these workstations in question are on a domain I have no rights to.

When I try to install one of my printers using a script or batch file, I get an error message stating that there's a group policy preventing me from adding the printer. When I tried manually by using the add a printer wizard, it get's to the username and password then complains that there's a group policy preventing me from adding the printer. That's understandably since I think these workstations might have a gpo preventing outsiders so to speak to add printers from a different network/subnet.

This is the really confusing part. One of my users recently discovered that they can browse to my print server by doing: \\servername and in there are all the printers. They can right click on a printer and connect to the printer without any problems. Since the workstation is on a different domain, I expected him to get a login prompt to authenticate but he didn't. So then I went around to about 10 different workstations and try to browse to the server doing exactly what my user did and it was a hit or miss. Out of the 10 workstations, about 6 were able to browse and install the printers without authenticating. The other 4 would get the authentication prompt. I type in username/password and it shows the shares and printers; from there the printer can be added as well. Only problem is that when the users reboots their workstations the printer cannot be accessed since it complains that "access denied". Workstations that were able to add the printers without authenticating are fine after they reboot.

My question is why are some users able to do this without authenticating and other not? And is it possible to keep the credentials cached so that it doesn't get cleared out after a reboot. Yes, I check the box to remember the password but it doesn't get remembered.

Thanks in advance.


See More: Issue with browsing network resource

Report •


#1
April 18, 2012 at 17:44:20

It sounds like trust issue between the domains. Also, look at the OUs as well.

How do you know when a politician is lying? His mouth is moving.


Report •

#2
April 19, 2012 at 06:21:53

There is no trust between the two domains. They don't know anything about each other and that's why I expect users to authenticate before getting to network resource but only some users are being prompted to authenticate, others just get the resources without authenticating.

Report •

#3
April 19, 2012 at 06:29:10

As far as I know, there can be a trust between the domains & the users still have to authenticate.

How do you know when a politician is lying? His mouth is moving.


Report •

Related Solutions

#4
April 19, 2012 at 06:44:49

I believe you are right but the main issue here is that some users on the same network/domain (not the domain I control) are browsing to my network resources without authenticating.

Report •

#5
April 19, 2012 at 08:31:50

You only authenicate to your domain to then access a trusted domains resources. You never have to authenicate via a trust. That's the whole purpose behind a trust.

When you are joined to a domain, but are accessing resources in another domain, its on a peer to peer basis. You have to have the same user account you logon to the pc with existing in the other domain.

Check your server accounts. Do you see user accounts for the folks that can access from the other domain?

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's


Report •

#6
April 19, 2012 at 10:15:48

What I'm doing is strictly peer to peer. The users trying to access the domain resources on my domain have accounts on my domain. So they are trying to access resources on a domain their workstations aren't on. However, they have accounts on that domain to authenticate.

The problem again isn't about the authentication. The problem is that some users get the prompt to authenticate before getting the network resources on my domain and other don't (they are let in without authenticating).

None of the accounts that can get in have local accounts on the server but they do have AD accounts on that server.


Report •

#7
April 19, 2012 at 13:24:46

"they are let in without authenticating"

This is because their logon passwords match the accounts they are logging onto. They are authenicating but since their passwords match you don't see the dialog box.

You only get the authenciation dialog box when the passwords don't match.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's


Report •

#8
April 20, 2012 at 05:57:46

Unfortunately, that's not the answer to this problem. I've tested this theory already. I first asked the users if their passwords are the same on both domains and the answer was NO. So I ended up testing this myself since I have accounts on both domains as well and was able to confirm that having the same password doesn't let me in without authenticating.

Report •

#9
April 20, 2012 at 08:32:09

On an account that autologs on, change the password and see what happens.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's


Report •

#10
April 23, 2012 at 05:40:42

I did but that didn't change the behavior.

Report •

#11
April 24, 2012 at 10:50:08

You changed the password on an account that was autologging onto your domain from a workstation joined to a different domain and the user was not asked for credencials to logon to your domain?

What happens if you disable their account? Do they get denied access then?

You don't have the guest account enabled on the server do you?

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's


Report •

#12
April 24, 2012 at 12:04:01

I thought we were onto something there for a minute. Yes, everything you stated above is 100% correct.

The guest account is disabled. I thought that was enabled since I had enabled it when I was trying to figure out a way to get the computers on the other domain to add printers on my domain. I double checked and it is disabled.


Report •


Ask Question