By default, when a user tries to access a network shared folder on a server joined to the Active Directory domain from a workgroup computer, the prompt to enter a domain account credentials appears. Let’s see how to enable unauthenticated (anonymous) access to a shared folders or printers on a domain server from workgroup computers in Windows 10 / Windows Server 2016.
From the security point of view, it is not recommended to enable anonymous network access for a guest account. Moreover you should never do it on the AD Domain Controllers. So prior to enabling anonymous access, try to use the more correct way – join workgroup computer to your domain or create domain accounts for all users in a workgroup.
Local Anonymous Access Group Policies
Open the Local Group Policy Editor (gpedit.msc) on a server/computer, which you want to enable anonymous access to.
Go to the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Configure the following policies:
- Accounts: Guest Account Status: Enabled
- Network access: Let Everyone permissions apply to anonymous users: Enabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares: Disabled
For a security reasons, make sure that the Guest account is specified in the Deny log on locally policy under the Local Policies -> User Rights Assignment.
Then make sure that Guest is also specified in the Access this computer from network policy in the same section, and the Deny access to this computer from the network policy should not have Guest as the value.
Also make sure that network folder sharing is enabled in Windows ( Settings -> Network & Internet -> Ethernet -> Change advanced sharing options). In All Networks section, select the options Turn on sharing so anyone with network access can read and write files in the Public folders and Turn off password protected sharing if you trust all devices in your network.
Allow Anonymous Access to a Shared Folder on Windows
Now you have to configure permissions to access the network folder you want to share. Open the folder properties, got to the Security tab and check current folder NTFS permissions. Press Edit -> and assign Read permissions (and Modify if needed) to Everyone local group. To do it, click Edit -> Add -> Everyone and select the folder access privileges for anonymous users. I have granted read-only permissions.
In the Sharing tab, allow anonymous users to access the shared folder (Share -> Advanced Setting -> Permissions). Make sure that Everyone group has Change and Read permissions.
In the Local Policies -> Security Options section of the Local Group Policy Editor enable the policy Network access: Shares that can be accessed anonymous. Here you must specify the shared folder names you want to enable anonymous access to (in my example, it is Share1, Distr and Docs folders).
How to Enable Anonymous Access to a Shared Printer?
To enable anonymous access to a shared printer on your computer, open the shared printer properties in theControl Panel -> Hardware and Sound -> Devices and Printers. Check the options Render print jobs on client computers on the Sharing tab.
Then check all permissions for Everyone group on the printer Security tab.
After that you will be able to connect to your shared folder (\\server-name\sharedfolder) and printer on a domain computer/server from workgroup computers without entering your credentials, i. e. anonymously.In Windows 10 1709 or newer network access to a shared folder over the SMBv2 protocol under the guest account is restricted by default and you can see the following error: ‘You can’t access this shared folder because your organization’s security policies block unauthenticated guest access’. See this article.