Access local shares when DC is down

I have a system with two locations connected through VPN. One location
has the domain controller and some workstations. The second location
has 3 workstations. All workstations are members of the domain. Users
can login to their workstations even if the domain is unavailable
because of cached credentials, which is OK.



On the second location one of the workstations has a folder which is
shared. That folder should be accessible by all computers/users in that
location. The problem is that if the VPN tunnel goes down and
communication with the server is lost, that share is not accessible
anymore. When I try to access it- it wants login information.



I want it to continue to be available all the time, regardless of
credentials. How do I do this?



I have given everyone full access to that share and to the security but
it did not help. I do not want to enable the guest account.

enable the guest account on the xp box with no password. Set up a second
share of the same folder with guest access.

Sharing the guest account is not a good idea for security.

One option is to include the share as a mapped drive in your netlogon
scripts. When you use the net use command map a user's credentials with it.
You can do this for each user, which will take a lot of scripts, or you can
create an global account that has rights to the folder and use those
credentials. To even further ensure connection, if you use the global
account create the same user and password of the account as a local user on
the machine you are trying to share from.

So let's say we create a user called Share with a password of 123456 on the
server. You would also create a local account on the workstation you wish to
share from as Share \ 123456. Then for the logon script,

net use S: \\workstation\share 123456 /userOMAIN\Share /savecred

Just remember if you change any passwords for the global account, you have
to change them in two places.

Hope this helps,
--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts



"Joshua Bolton" <(E-Mail Removed)> wrote in message
news:9E98765C-9F61-4FF6-9CA9-(E-Mail Removed)...
> enable the guest account on the xp box with no password. Set up a second
> share of the same folder with guest access.

Louis, Thank you for the suggestion, i will try this solution later
today.

Thanks.

Louis Vitiello Jr. wrote:
> Sharing the guest account is not a good idea for security.
>
> One option is to include the share as a mapped drive in your netlogon
> scripts. When you use the net use command map a user's credentials with it.
> You can do this for each user, which will take a lot of scripts, or you can
> create an global account that has rights to the folder and use those
> credentials. To even further ensure connection, if you use the global
> account create the same user and password of the account as a local user on
> the machine you are trying to share from.
>
> So let's say we create a user called Share with a password of 123456 on the
> server. You would also create a local account on the workstation you wish to
> share from as Share \ 123456. Then for the logon script,
>
> net use S: \\workstation\share 123456 /userOMAIN\Share /savecred
>
> Just remember if you change any passwords for the global account, you have
> to change them in two places.
>
> Hope this helps,
> --
> Louis Vitiello Jr.
> ------------------------------
> MCSE, MCSA, MCP, A+/N+
> ERCP XP Pro / Net Concepts
>
>
>
> "Joshua Bolton" <(E-Mail Removed)> wrote in message
> news:9E98765C-9F61-4FF6-9CA9-(E-Mail Removed)...
> > enable the guest account on the xp box with no password. Set up a second
> > share of the same folder with guest access.

I'm familar with Gobal vs. Domain Local Groups, but when you say Global
Account, is this different that a "normal" user account you would
create in AD ?


(E-Mail Removed) wrote:
> Louis, Thank you for the suggestion, i will try this solution later
> today.
>
> Thanks.
>
> Louis Vitiello Jr. wrote:
> > Sharing the guest account is not a good idea for security.
> >
> > One option is to include the share as a mapped drive in your netlogon
> > scripts. When you use the net use command map a user's credentials with it.
> > You can do this for each user, which will take a lot of scripts, or you can
> > create an global account that has rights to the folder and use those
> > credentials. To even further ensure connection, if you use the global
> > account create the same user and password of the account as a local user on
> > the machine you are trying to share from.
> >
> > So let's say we create a user called Share with a password of 123456 on the
> > server. You would also create a local account on the workstation you wish to
> > share from as Share \ 123456. Then for the logon script,
> >
> > net use S: \\workstation\share 123456 /userOMAIN\Share /savecred
> >
> > Just remember if you change any passwords for the global account, you have
> > to change them in two places.
> >
> > Hope this helps,
> > --
> > Louis Vitiello Jr.
> > ------------------------------
> > MCSE, MCSA, MCP, A+/N+
> > ERCP XP Pro / Net Concepts
> >
> >
> >
> > "Joshua Bolton" <(E-Mail Removed)> wrote in message
> > news:9E98765C-9F61-4FF6-9CA9-(E-Mail Removed)...
> > > enable the guest account on the xp box with no password. Set up a second
> > > share of the same folder with guest access.

Of course enabling the guest account is a less than secure option. But
consider the request of "on the fly" changing from client/server to peer to
peer networking. If you don't want to enable the guest account your only
option is to create a local account for EVERY person you want accessing the
share when the server is down. This means x amount of wksts times x amount
of users that you will have to sync their local account/password with the pc
with the shares [along with their AD accouont passwds]. Then you have to
assign those users to those shares. Whew I get tired just thinking about it.

Makes enabling the guest account look pretty easy doesn't it?

There are no "global" accounts in a peer to peer network!!! There is no
server/AD authenication if the DC is down.

************************************************** *******

"So let's say we create a user called Share with a password of 123456 on the
server. You would also create a local account on the workstation you wish to
share from as Share \ 123456. Then for the logon script,

net use S: \\workstation\share 123456 /userOMAIN\Share /savecred "

Are you suggesting creating a user account on the server and all pcs called
"share"? Looks to be just another name for "guest". AND you would put the
local password in the script??? I would consider that far more insecure than
enabling guest

The site is small, and i don't mind having to recreate users accounts
locally. The guest account just can NOT be enable, reguardless of how
much extra work it may require.

I understand that in a p2p network, there would be no gobal accounts,
but, the previous suggestion, was talking about creating one on the DC.

Thanks

Joshua Bolton wrote:
> Of course enabling the guest account is a less than secure option. But
> consider the request of "on the fly" changing from client/server to peer to
> peer networking. If you don't want to enable the guest account your only
> option is to create a local account for EVERY person you want accessing the
> share when the server is down. This means x amount of wksts times x amount
> of users that you will have to sync their local account/password with the pc
> with the shares [along with their AD accouont passwds]. Then you have to
> assign those users to those shares. Whew I get tired just thinking about it.
>
> Makes enabling the guest account look pretty easy doesn't it?
>
> There are no "global" accounts in a peer to peer network!!! There is no
> server/AD authenication if the DC is down.
>
> ************************************************** *******
>
> "So let's say we create a user called Share with a password of 123456 on the
> server. You would also create a local account on the workstation you wish to
> share from as Share \ 123456. Then for the logon script,
>
> net use S: \\workstation\share 123456 /userOMAIN\Share /savecred "
>
> Are you suggesting creating a user account on the server and all pcs called
> "share"? Looks to be just another name for "guest". AND you would put the
> local password in the script??? I would consider that far more insecure than
> enabling guest

Sorry for my delay. Create a regular account you would make on a domain. My
methodology will eliminate having to make a local profile for everyone.

Hope this helps,
--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> The site is small, and i don't mind having to recreate users accounts
> locally. The guest account just can NOT be enable, reguardless of how
> much extra work it may require.
>
> I understand that in a p2p network, there would be no gobal accounts,
> but, the previous suggestion, was talking about creating one on the DC.
>
> Thanks
>
> Joshua Bolton wrote:
>> Of course enabling the guest account is a less than secure option. But
>> consider the request of "on the fly" changing from client/server to peer
>> to
>> peer networking. If you don't want to enable the guest account your only
>> option is to create a local account for EVERY person you want accessing
>> the
>> share when the server is down. This means x amount of wksts times x
>> amount
>> of users that you will have to sync their local account/password with the
>> pc
>> with the shares [along with their AD accouont passwds]. Then you have to
>> assign those users to those shares. Whew I get tired just thinking about
>> it.
>>
>> Makes enabling the guest account look pretty easy doesn't it?
>>
>> There are no "global" accounts in a peer to peer network!!! There is no
>> server/AD authenication if the DC is down.
>>
>> ************************************************** *******
>>
>> "So let's say we create a user called Share with a password of 123456 on
>> the
>> server. You would also create a local account on the workstation you wish
>> to
>> share from as Share \ 123456. Then for the logon script,
>>
>> net use S: \\workstation\share 123456 /userOMAIN\Share /savecred "
>>
>> Are you suggesting creating a user account on the server and all pcs
>> called
>> "share"? Looks to be just another name for "guest". AND you would put
>> the
>> local password in the script??? I would consider that far more insecure
>> than
>> enabling guest
>