By default, when a user tries to access a network shared folder on a server joined to the Active Directory domain from a workgroup computer, a prompt to enter domain account credentials appears. Let’s consider how to enable unauthenticated (anonymous) access to shared folders or printers on a domain server from workgroup computers in Windows 10 / Windows Server 2016.
Local Anonymous Access Group Policies
Open the Local Group Policy Editor (gpedit.msc) on the server/computer to which you want to enable anonymous access.
Go to the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Configure the following policies:
- Accounts: Guest Account Status: Enabled
- Network access: Let Everyone permissions apply to anonymous users: Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares: Disabled
For security reasons, make sure that the Guest account is specified in the Deny log on locally policy under Local Policies -> User Rights Assignment.
Then make sure that Guest is also specified in the Access this computer from network policy in the same section, and the Deny access to this computer from the network policy should not have Guest as the value.
Also make sure that network folder sharing is enabled in Windows (Settings -> Network & Internet -> Ethernet -> Change advanced sharing options). In the All Networks section, select the options Turn on sharing so anyone with network access can read and write files in the Public folders and Turn off password protected sharing if you trust all devices in your network (refer to the article “Can’t see computers on my network”).
Allow Anonymous Access to a Shared Folder on Windows
Then you have to configure permissions to access the network folder you want to share. Open the folder properties, go to the Security tab and check the current NTFS permissions on the folder. Assign Read permissions (and Modify if needed) to the Everyone local group. To do this, click Edit -> Add -> Everyone and select the folder access privileges for anonymous users. I have granted read-only permissions.
In the Sharing tab, allow anonymous users to access the shared folder (Share -> Advanced Setting -> Permissions). Make sure that the Everyone group has Change and Read permissions.
In the Local Policies -> Security Options section of the Local Group Policy Editor, enable the policy Network access: Shares that can be accessed anonymously. Here you must specify the names of the shared folders you want to enable anonymous access to (in my example, these are the Share1, Distr and Docs folders).
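To check whether a host is in the state these steps produce, for example when reviewing where anonymous access is open, the following read-only audit can be run in an elevated PowerShell session. It is an added example, not part of the original article; the registry values are the ones these Security Options policies write, and the account-name match assumes an English-language Windows installation.

```powershell
# Added example: read-only audit of the anonymous-access settings described above.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$who = 'Everyone|Guest|ANONYMOUS LOGON'   # assumption: English account names

function Get-RegValue($Path, $Name) {
    # Returns $null when the value has never been set
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Built-in Guest has the well-known RID 501; look it up by SID in case it was renamed
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

# Share names listed in "Network access: Shares that can be accessed anonymously"
$nullShares = @(Get-RegValue $srv 'NullSessionShares') | Where-Object { $_ }

# Each row is $true when the host matches the configuration from the article
@(
    [pscustomobject]@{ Setting = 'Guest account enabled'
                       Open    = [bool]$guest.Enabled }
    [pscustomobject]@{ Setting = 'Everyone permissions apply to anonymous users'
                       Open    = (Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1 }
    [pscustomobject]@{ Setting = 'Anonymous enumeration of SAM accounts and shares allowed'
                       Open    = (Get-RegValue $lsa 'RestrictAnonymous') -ne 1 }
    [pscustomobject]@{ Setting = "Anonymous shares: $($nullShares -join ', ')"
                       Open    = [bool]$nullShares }
) | Format-Table -AutoSize -Wrap

# For every anonymously accessible share, list share-level and NTFS entries
# that apply to Everyone, Guest or ANONYMOUS LOGON
$acl = foreach ($name in $nullShares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Warning "Listed in NullSessionShares but not currently shared: $name"
        continue
    }
    Get-SmbShareAccess -Name $name | Where-Object { $_.AccountName -match $who } |
        ForEach-Object {
            [pscustomobject]@{ Share = $name; Layer = 'Share'; Account = $_.AccountName
                               Type = $_.AccessControlType; Rights = $_.AccessRight }
        }
    (Get-Acl -Path $share.Path).Access | Where-Object { $_.IdentityReference -match $who } |
        ForEach-Object {
            [pscustomobject]@{ Share = $name; Layer = 'NTFS'; Account = $_.IdentityReference
                               Type = $_.AccessControlType; Rights = $_.FileSystemRights }
        }
}
$acl | Format-Table -AutoSize
```

The script changes nothing; rows reported as `True` and any Change, Full or Modify rights in the second table show where unauthenticated users can read or write.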
How to Enable Anonymous Access to a Shared Printer?
To enable anonymous access to a shared printer on your computer, open the shared printer properties in the Control Panel -> Hardware and Sound -> Devices and Printers. Check the option Render print jobs on client computers on the Sharing tab.
Then check all permissions for the Everyone group on the printer Security tab.
After that you will be able to connect to your shared folder (\\server-name\sharedfolder) and printer on a domain computer/server from workgroup computers without entering your credentials, i.e. anonymously.
9 comments
It’s not because we can do something that it must be done.
Despite your warning, how many people will apply quickly – too quickly I would say – what is written in this article?
Article totally useless, and moreover in the present days, very dangerous for security.
… and what will be the next article? How to do to pass all passwords in clear text? How to do to have all inbound rules open on a firewall?
Be responsible
Thanks for your feedback!
Yes, you are right – anonymous access is an extremely dangerous thing from a security point of view.
In the article, I described a fairly secure way to provide anonymous access to a specific shared folder on Windows. In my case, this was the only solution available to access a shared resource on a specific domain computer from a workgroup.
You can use the article for informational purposes, or check your policy settings to completely disable anonymous access in your network. 🙂
No need to be a prick. These changes are absolutely necessary in many circumstances, and the writeup is very clearly outlined and helpful to those who may need this ability.
Oliver (and others like you), what if I don’t care about corporate security? What if my Windows machine is inside a local network behind a router i.e. totally inaccessible from the outside? What if I just want to print my stupid cartoon from another PC in the same network (and I don’t *really* care if somebody hijacks my printer)? What if I have not remembered any of my local users’ passwords for ages because of the stupid (but convenient) PIN sign-in thing? There are different users and use cases Oliver. You don’t create SECURITY by preaching about it without knowing the details.
BTW, damn Windows won’t let me print my cartoon without typing in the credentials even with all the instructions written in this post :/
People like Oliver are the worst. Without this article I couldn’t have set up my internal lab network to host deployable network images.
I don’t need staff members to have to authenticate to the share where the images are located, what’s the point, it’s internal with no internet access. He probably supported the whole “Browser Choice” debacle ….
I have a problem with this setting: if I want the next folder with credentials (local account), it does not work; there is no prompt to input the user name and password.
A huge ‘Thank You’ !
This article has helped restore my sanity after being unable to ‘see’ other machines on my local Home network for purposes of simple folder sharing.
Having gone through the described steps I eventually struck gold by enabling ‘Function Discovery Resource Publication’ service which wasn’t running for some reason.
I had zero chance of figuring this out without your help, so thanks once again.
PS:
F*ck Olivier.
After the 21H1 update, this is not working. Any idea?
I had the same issues a while back and I read a few posts that stated Win 10 Home will allow you to change global sharing policies but ignores them. They are only applied in the Pro versions. Something someone may be able to verify...