Workgroup user is able to access domain shared folder

It's Not Lupus

I have this Windows Server (2012 R2 Essentials) where there's a domain and a shared folder. I created an account and gave it read permission to the folder. It's the only permission.

On a workgroup computer, there's an account with the same username and password that is able to access the shared folder. I didn't think this should happen. What's going on?
 

KB

> On a workgroup computer, there's an account with the same username and password that is able to access the shared folder. I didn't think this should happen. What's going on?

Well, you learned something today. This is how Windows behaves, and it has done so since the beginning of the NT Domain. If the account attempts to connect to a domain, it will attempt to use its current credentials, and if they match a domain credential then they are in. I remember using this trick in Windows NT 4.0 to get DMZ resources access to domain resources.
 

It's Not Lupus

> Well, you learned something today. This is how Windows behaves, and it has done so since the beginning of the NT Domain. If the account attempts to connect to a domain, it will attempt to use its current credentials, and if they match a domain credential then they are in. I remember using this trick in Windows NT 4.0 to get DMZ resources access to domain resources.

I see. It seems like a security issue, and to me, it makes more sense for the computer to join the domain first before accessing the share.
 

xSauronx

> I see. It seems like a security issue, and to me, it makes more sense for the computer to join the domain first before accessing the share.

I disagree. It can be pretty useful to share a folder from a domain machine and allow a non-domain device to access the data. Maybe a NAS, switch, router, *nix box, Apple machine, etc. has a need to read/write data to an SMB share, but they cannot all necessarily be joined to your domain.

If you want good security, require complex passwords on domain accounts and carefully manage permissions on shared folders.
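
An added example, not part of the thread: a PowerShell check that lists the kind of access discussed above, successful network logons over NTLM from computers that have no account in the domain. It assumes it is run elevated on the server, that success auditing for logons is enabled, and that the ActiveDirectory module is installed; the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the thread). Assumptions: run elevated on the
# server, success auditing for logons is enabled, and the ActiveDirectory
# module is installed. The 7-day window is an arbitrary choice.
Import-Module ActiveDirectory

# Names of every computer account in the domain. PowerShell hashtables
# compare keys case-insensitively, which suits NetBIOS names.
$joined = @{}
Get-ADComputer -Filter * | ForEach-Object { $joined[$_.Name] = $true }

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the <EventData> name/value pairs into a hashtable.
        $d = @{}
        foreach ($item in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$item.Name] = $item.'#text'
        }

        $ws = $d['WorkstationName']
        $isNetworkNtlm = $d['LogonType'] -eq '3' -and
                         $d['AuthenticationPackageName'] -eq 'NTLM'
        $isNamedUser   = $d['TargetUserName'] -ne 'ANONYMOUS LOGON'
        $isUnknownHost = $ws -and $ws -ne '-' -and -not $joined.ContainsKey($ws)

        # Keep only logons by a real account from a host the domain does not know.
        if ($isNetworkNtlm -and $isNamedUser -and $isUnknownHost) {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                Workstation = $ws
                SourceIp    = $d['IpAddress']
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Each row is a domain account that was used from a non-domain computer, which makes it a reasonable list of accounts whose passwords and share permissions deserve a review.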