- Access Denied when you access an SMB file share in Windows
- Symptoms
- Cause
- Resolution
- Troubleshooting
- Access Denied when you access an SMB file share in Windows
- Symptoms
- Cause
- Resolution
- Troubleshooting
- Access Denied Trying to Connect to Administrative Shares C$, D$ etc.
- Problem
- Solution
- Access Denied to Share Folder
- Replies (1)
- Access denied to Administrative (Admin) shares in Windows 8
- Map Admin Shares with the built-in administrator account
- LocalAccountTokenFilterPolicy – UAC remote restrictions
- Disable UAC Admin Approval mode
Access Denied when you access an SMB file share in Windows
This article helps fix the Access Denied error that occurs when you access a Server Message Block (SMB) file share.
Original product version: Windows Server 2012 R2, Windows 7 Service Pack 1
Original KB number: 3035936
Symptoms
When you try to access a specific folder that is located on a Network Appliance (NetApp) Filer or a Windows Server that supports SMB2 from a Windows-based system through the SMB Version 2 protocol, the access is denied. This issue occurs in the following versions of Windows:
- Windows 8.1
- Windows Server 2012 R2
- Windows 8
- Windows Server 2012
- Windows 7
- Windows Server 2008 R2
- Windows Vista
- Windows Server 2008
This issue does not occur if you disable the SMB2 protocol on the client or use a Windows SMB client, such as Windows XP or Windows Server 2003.
Cause
This issue occurs because the target folder on the SMB share is missing the SYNCHRONIZE access control entries.
Resolution
To resolve this issue, use the ICACLS utility to set the desired permissions that contain the Synchronize bit.
For example, at a command prompt, type the following command, and then press ENTER:
A comma-separated list in parentheses of specific rights:
- RC — read control
- RD — read data/list directory
- REA — read extended attributes
- RA — read attributes
- X — execute/traverse
- S — Synchronize
Troubleshooting
You can use the following methods to verify and troubleshoot the issue.
Verify that the NetApp Filer has the Synchronize bit set on the folder.
A network trace can show the DesiredAccess error for the SMB2 CREATE process on the folder for the Request and Response packet.
The AccessChk.exe tool is available on the Windows Sysinternals site for reading out the permission settings.
For example, run the following command:
Then, you can see the following result that shows the SYNCHRONIZE bit is set:
Third-party information disclaimer
This article mentions software products from independent manufacturers. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Access Denied when you access an SMB file share in Windows
This article helps fix the Access Denied error that occurs when you access a Server Message Block (SMB) file share.
Original product version: Windows Server 2012 R2, Windows 7 Service Pack 1
Original KB number: 3035936
Symptoms
When you try to access a specific folder that’s located on a Network Appliance (NetApp) Filer or a Windows Server that supports SMB2 from a Windows-based system through the SMB Version 2 protocol, the access is denied. This issue occurs in the following versions of Windows:
- Windows 8.1
- Windows Server 2012 R2
- Windows 8
- Windows Server 2012
- Windows 7
- Windows Server 2008 R2
- Windows Vista
- Windows Server 2008
This issue doesn’t occur if you disable the SMB2 protocol on the client or use a Windows SMB client, such as Windows XP or Windows Server 2003.
Cause
This issue occurs because the target folder on the SMB share is missing the SYNCHRONIZE access control entries.
Resolution
To resolve this issue, use the ICACLS utility to set the desired permissions that contain the Synchronize bit.
For example, at a command prompt, type the following command, and then press ENTER:
A comma-separated list in parentheses of specific rights:
- RC — read control
- RD — read data/list directory
- REA — read extended attributes
- RA — read attributes
- X — execute/traverse
- S — Synchronize
Troubleshooting
You can use the following methods to verify and troubleshoot the issue.
Verify that the NetApp Filer has the Synchronize bit set on the folder.
A network trace can show the DesiredAccess error for the SMB2 CREATE process on the folder for the Request and Response packet.
The AccessChk.exe tool is available on the Windows Sysinternals site for reading out the permission settings.
For example, run the following command:
Then, you can see the following result that shows the SYNCHRONIZE bit is set:
See the behavior of the SYNCHRONIZE bit on Windows SMB2 clients.
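The check from the Troubleshooting section and the grant from the Resolution section, as an added PowerShell example that is not part of the original article. The function names are hypothetical, and the share path and account in the usage comments are placeholders.

```powershell
# Added example, not from the KB article. Function names are hypothetical.

function Get-AceMissingSynchronize {
    # Lists Allow ACEs on a folder whose access mask lacks the SYNCHRONIZE bit (0x00100000).
    param([Parameter(Mandatory)] [string] $Path)

    $sync    = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $generic = -bnot 0x0FFFFFFF   # GENERIC_* bits; on Windows they map to file rights that include SYNCHRONIZE

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the folder being opened
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $mask = [int]$ace.FileSystemRights
        if ($mask -band $generic) { continue }

        if (-not ($mask -band $sync)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Mask      = '0x{0:X8}' -f $mask
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Grant-ReadWithSynchronize {
    # Grants the rights listed in the article: RC, RD, REA, RA, X and S (Synchronize).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account
    )
    & icacls.exe $Path /grant "${Account}:(RC,RD,REA,RA,X,S)"
}

# Usage (placeholder path and account):
# Get-AceMissingSynchronize -Path '\\fileserver\share\folder'
# Grant-ReadWithSynchronize -Path '\\fileserver\share\folder' -Account 'EXAMPLE\user'
```

An empty result from `Get-AceMissingSynchronize` means every Allow ACE that applies to the folder itself already carries the Synchronize bit.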
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Access Denied Trying to Connect to Administrative Shares C$, D$ etc.
Under certain circumstances, you cannot connect to administrative shares (e.g. C$) on remote computers, even though you use the right credentials. Accessing a normal (i.e. non-administrative) share works flawlessly, though.
Problem
In this situation you get the following error when trying to connect to the admin share in Explorer:
This is the message text:
\\192.168.175.129\c$ is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Multiple connections to a server or shared resource by the same user, using more than one username, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
The message hints at multiple connections, but that is misleading.
When you try to connect to the admin share on the command line, you get a different error message:
Solution
As described in MS KB article 951916, Microsoft introduced as part of UAC a little known feature called “UAC remote restrictions”. It filters the access token for connections made with local user accounts or Microsoft accounts (the latter typically have the format MicrosoftAccount\EMailAddress). In other words, it removes the SID for “Administrators”. Connections made with domain accounts remain unchanged.
If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.
Whether one likes this or not, the solution is luckily pretty simple. UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1:
After a reboot, access tokens from remote connections are no longer filtered. On Windows 8 and Windows 10, the reboot is not even required.
Access Denied to Share Folder
I networked the Server with more than 10 Windows machines, but when I set up a new user and deleted the old user on 1 PC with Windows 7, I could no longer access the shared folder on the Server.
It still says there is no permission to access, and even when I set Everyone to Full Control it is still not accessible from that PC, while all the other PCs are still working fine with the shared folder.
What could the issue be, and is there a solution for it?
Replies (1)
If you have already given full control to the folder through the Sharing tab (right-click the folder > select Properties > click the Sharing tab), you might also need to configure permissions settings through the Security tab. Here’s how:
- Click on the Security tab of the folder you want to share.
- Then Edit.
- In the new window click Add.
- In the new window click Advanced.
- In the new window click Find Now.
- Select the user who needs the permission to access the folder.
- Go back to the Permissions for dialog.
- Choose the user you added.
- Set permission to Allow/Full control.
- Click Apply.
- On the Sharing tab, the only entries you need are:
  - Everyone
  - Full Control
Let me know how it goes.
5 people found this reply helpful
Access denied to Administrative (Admin) shares in Windows 8
This message is a bit misleading because, by default, there is no such network password. However, in this post, I will explain how you can “create” this password and describe two other ways to access Admin Shares on standalone machines.
Access denied admin share
Traditionally, Administrative Shares have been a favorite Windows feature of hackers and crackers. And, as everyone knows, the best way to improve security is to give in to hackers and terrorists by restricting the freedom to move for everyone. Thus, even if you have an account with administrative rights, Windows will deny access to Admin Shares by default.
Access to Admin Shares is often required to remotely administer computers. That’s why they are called Administrative Shares. In a corporate environment, it might make sense to get your administrative privileges back.
Map Admin Shares with the built-in administrator account
The network password that I referred to above is the password of the built-in administrator account, which is disabled by default in Windows 8. A while back, I outlined two methods for enabling the built-in administrator account if you have no other administrator account. Here I assume that you have another account with admin privileges. To enable the administrator account, you just have to launch a command prompt with administrator privileges and then type net user administrator /active:yes.
If you now try to connect to an Admin Share with the user name “administrator,” you will receive the error message “Login error: user account restriction. Possible reasons are blank passwords not allowed,…” Yup, we have to create the ominous network password that I mentioned above.
Login failure — user account restriction blank password
Open the Control Panel, click User Account and Family Safety (“family safety”—funny, isn’t it?), click User Accounts, and then Manage Accounts. You should see the local Administrator now, and you can set a password.
Create the network password for local Administrator account
You can now access Administrative Shares remotely with the built-in Administrator account.
LocalAccountTokenFilterPolicy – UAC remote restrictions
The reason why access is denied if you try to access an Admin Share with an account with administrator privileges is User Account Control (UAC). For the built-in administrator account, UAC prompts are disabled by default. That is why the procedure described above works. If you don’t want to enable the built-in administrator for security reasons, you can disable the UAC remote restrictions with the LocalAccountTokenFilterPolicy Registry setting. Note that this will also enable other remote management features, such as the ability to remotely connect through the Computer Management console.
To get rid of the Access Denied message, follow this procedure:
- Launch the Registry editor by typing regedit.exe in the Start Screen.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- Create a new entry by right-clicking System and then selecting DWORD (32-bit) Value.
- Choose LocalAccountTokenFilterPolicy as name for the new entry.
- Set the value of LocalAccountTokenFilterPolicy to 1 by right-clicking the new entry.
Disable UAC Admin Approval mode
Another way to access Administrative Shares is to disable the Admin Approval mode for all administrator accounts. Note that this setting not only removes the remote UAC restrictions as described above, but it also affects UAC for logged-on administrator accounts.
Note: Disabling UAC Admin Approval mode will also disable the Windows Store app.
- Launch Control Panel, type admin… in the search box, and then click Administrative Tools.
- Open the Local Security Policy application.
- Navigate to Local Policies > Security Options.
- Disable the policy User Account Control: Run all administrators in Admin Approval Mode.
Disable UAC Admin Approval mode
From now on, the Access Denied message will disappear if you try to access an Administrative Share with a local account in the administrators group.
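The two settings discussed above (the LocalAccountTokenFilterPolicy value and the Admin Approval Mode policy), as an added PowerShell example for checking and changing them on a machine; it is not code from the original articles. The function names are hypothetical, and the example assumes that EnableLUA under the same registry key is the value behind the Admin Approval Mode policy.

```powershell
# Added example, not from the quoted articles. Function names are hypothetical.
$SystemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRemoteRestrictionState {
    # Reports whether remote connections made with local accounts still get a filtered token.
    $p = Get-ItemProperty -Path $SystemKey
    $tokenPolicy = $p.LocalAccountTokenFilterPolicy   # $null when the value does not exist
    $enableLua   = $p.EnableLUA                       # assumed backing value of "Run all administrators in Admin Approval Mode"

    $approvalMode = ($null -eq $enableLua -or $enableLua -ne 0)
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = if ($null -eq $tokenPolicy) { 'not set' } else { $tokenPolicy }
        AdminApprovalMode             = $approvalMode
        # Filtering stays on unless the value is 1 or Admin Approval Mode is disabled
        RemoteTokensFiltered          = ($tokenPolicy -ne 1) -and $approvalMode
    }
}

function Set-UacRemoteRestriction {
    # $Filtered = $false writes 1 (the change the procedure above makes in regedit);
    # $Filtered = $true writes 0 and restores the default filtering. Requires elevation.
    param([Parameter(Mandatory)] [bool] $Filtered)

    $value = if ($Filtered) { 0 } else { 1 }
    New-ItemProperty -Path $SystemKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value $value -Force | Out-Null
    Get-UacRemoteRestrictionState
}

# Usage:
# Get-UacRemoteRestrictionState
# Set-UacRemoteRestriction -Filtered $false   # allow admin shares for local administrator accounts
# Set-UacRemoteRestriction -Filtered $true    # put the remote restriction back
```

Running `Get-UacRemoteRestrictionState` across a fleet gives a quick inventory of which machines have had the remote restriction lifted.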
Please let me know if you know another method. I am a how-to collector. 🙂