Anonymous user cannot access a shared folder

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This problem typically occurs when someone logging on with a Guest account attempts to access a shared folder. Users or services that attempt to access an object anonymously are not granted access even if the access control list (ACL) on the object includes the Everyone group.

Cause

While Windows NT 4.0 and Windows 2000 allowed anonymous access to the server, the inclusion of the Everyone security group in the anonymous user access token is disabled by default in Windows Server 2003 and Windows XP. In Windows XP and in Windows Server 2003, the Everyone group does not contain the security identifier (SID) "Anonymous." Anonymous access is only granted for objects whose ACL explicitly contains the anonymous SID.

Solution

Include the Everyone group in the anonymous user's access token, so that permissions granted to Everyone also apply to anonymous users.

Warning

For security reasons, it is strongly recommended that you do not allow anonymous access to your server.

However, if anonymous access is needed, perform one of the following procedures.

Enable anonymous access on a local workstation or server computer

Enable anonymous access on a domain controller

Enable anonymous access on a local workstation or server computer

Perform the following procedure to enable anonymous access on a local workstation or server computer.

To enable anonymous access on a local workstation or server computer

  1. Open Local Security Settings. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

  2. In the console tree, double-click Local Policies, and then click Security Options.

  3. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.

  4. On the Local Security Settings tab, click Enabled, and then click OK.

Enable anonymous access on a domain controller

Perform the following procedure to enable anonymous access on a domain controller.

To enable anonymous access on a domain controller

  1. Open Local Security Settings. Click Start, point to Programs, point to Administrative Tools, and then click Domain Security Policy.

  2. In the console tree, double-click Security Settings, double-click Local Policies, and then click Security Options.

  3. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.

  4. Select the Define this policy setting check box, click Enabled, and then click OK.
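To confirm the result of either procedure, or to find computers where this setting has been turned on, the policy can be read back from the registry. The following script is an added example, not part of the original article. It assumes the policy is stored as the DWORD value EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (a location not stated on this page); the function name and computer names are hypothetical.

```powershell
# Added example (not from the article): report whether "Network access: Let
# Everyone permissions apply to anonymous users" is enabled on each computer.
# Assumption: the policy is stored as the DWORD EveryoneIncludesAnonymous
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (not stated on this page).
function Get-EveryoneIncludesAnonymous {    # hypothetical function name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $subKey = 'SYSTEM\CurrentControlSet\Control\Lsa'
    $name   = 'EveryoneIncludesAnonymous'

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $err = $null
        $base = $null; $key = $null
        $isLocal = ($computer -eq $env:COMPUTERNAME)
        try {
            if ($isLocal) {
                $base = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                # Needs the Remote Registry service and admin rights on the target.
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            }
            $key = $base.OpenSubKey($subKey)
            if ($null -eq $key) { throw "Registry key $subKey not found" }

            # An absent value is treated here as the default (disabled) state.
            $raw = $key.GetValue($name, $null)
            if ($null -eq $raw)       { $state = 'Disabled (value absent, default)' }
            elseif ([int]$raw -eq 0)  { $state = 'Disabled' }
            elseif ([int]$raw -eq 1)  { $state = 'ENABLED' }
            else                      { $state = 'Unexpected value' }
        }
        catch { $err = $_.Exception.Message }
        finally {
            if ($key) { $key.Close() }
            if ($base -and -not $isLocal) { $base.Close() }
        }
        New-Object PSObject -Property @{
            Computer = $computer; State = $state; RawValue = $raw; Error = $err
        } | Select-Object Computer, State, RawValue, Error
    }
}

# Constructed computer names, for illustration only. Lists every computer
# that is not confirmed as Disabled (enabled, unexpected value, or unreachable).
Get-EveryoneIncludesAnonymous -ComputerName 'FILESRV01', 'DC01' |
    Where-Object { $_.State -notlike 'Disabled*' }
```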

For more information, see Article 278259, Everyone Group Does Not Include Anonymous Security Identifier, on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=47167).