Map a drive without domain membership

Here’s the problem: You’ve got a small business with an Active Directory domain, but some of your computers run Windows XP/Vista Home, so they can’t be joined to the domain. Furthermore, you want to map a shared resource such as a printer or network drive on one of those computers. When you use the “Net Use” command to map drives in a login script, it passes the local username, not the domain\username, and thus fails to map. Here’s how to map a network drive with a set of domain credentials on a computer not joined to the domain using a login script.


[step 1] Using Notepad or another text editor, create a file with a BAT extension (e.g. login.BAT)

[step 2] Enter the following, then save the file.

NET USE Z: \\SERVER\SHARE /USER:<domain>\<domainusername> <password>

[step 3] Copy the file to your computer’s start-up folder (e.g. C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)

[step 4] To test, log out and back in, or just double-click the BAT file. Your computer should now have a Z: drive mapped to the shared folder.
That’s it.
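
A variant of the step 2 script that prompts for the password at logon instead of keeping it in the BAT file, where anyone who can read the Startup folder can read it. This is an added example, not the author's script; SERVER, SHARE, MYDOMAIN and jsmith are placeholders to replace with your own values.

```bat
@echo off
rem Added example: login.BAT variant that never stores the password on disk.
rem SERVER, SHARE, MYDOMAIN and jsmith are placeholders.
setlocal
set "DRIVE=Z:"
set "SHARE=\\SERVER\SHARE"
set "ACCOUNT=MYDOMAIN\jsmith"

rem If the drive letter is already mapped, remove the old mapping first so
rem the new NET USE does not fail because the device name is in use.
net use %DRIVE% >nul 2>&1
if not errorlevel 1 net use %DRIVE% /delete /y >nul 2>&1

rem "*" in the password position makes NET USE prompt for the password
rem (typed characters are not echoed). /PERSISTENT:NO stops Windows from
rem remembering the mapping and retrying it at the next logon.
net use %DRIVE% "%SHARE%" * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Could not map %DRIVE% to %SHARE% as %ACCOUNT%.
    pause
    exit /b 1
)

echo %DRIVE% is now mapped to %SHARE%.
endlocal
```

Use a domain account that has rights only to the share being mapped, since the session it opens to the server carries all of that account's permissions.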


Comments

11 responses to “Map a drive without domain membership”

  1. Jens

    Can I change the label? The name of the drive?

    1. David Vielmetter

      Jens,

      You could try renaming the connection. Just right-click the mounted drive and choose “rename”. Then enter the name you want.

      Cheers,
      David

  2. anton

    I have the opposite problem. I would like to join a computer outside the domain from one within, and can’t connect. If I use /user:username, it will automatically use the domain name. I don’t know how to make it omit the domain name completely.

    1. David Vielmetter

      Hi Anton

      The correct format for logging into a computer not joined to a domain should just be:

      Username
      Password

      Or you can try:

      Computername\username
      Password

      Hope this helps.

      David

      1. Banderman

        I have a similar issue: small company, Windows 2008 R2 server, set up as a ‘file server’, NOT a domain. Mapping drives has been somewhat of an issue. Should there be username/password account credentials set up for each workstation user ON THE SERVER (for drive mapping purposes and coding use in a script)? Thank you, I appreciate your response. The ever dreaded Vista Home Premium workstation (ugh) is especially a problem child and will not remap the drives on reboot, requiring server credentials to remap (currently using Administrator). Security not a big issue in this company. Windows 7 will remap, no problems.

  3. tmeita

    So I tried your solution above and it worked. But then this non-domain user can access all the rest of the shares on the domain through START>RUN>\\Server with Full access privileges.

    How can I just map a network drive to a non-domain user and restrict permission to access only that share instead of all shares through \\Server?

    1. David Vielmetter

      You’ll need to create a permission structure on all your shared folders reflective of the access and access exclusions you want. Once you authenticate a user, that user has access to any of the resources that he or she can access. Chances are that you’ve got shares that are accessible to a large group of users like ‘users’ or ‘everyone’ and your authenticated user is part of that group.

      Permissions and permission structures can be complicated, so you’ll want to do your homework and some research before changing them willy-nilly.

      1. tmeita

        Thank you David Vielmetter for your reply,

        All my network shares have a very restricted permission structure on them, but then the administrator has full access permission on all those shares. I mapped the network share with the administrator’s username and password, which is my only option for mapping drives. So maybe this is the reason why this non-domain user can access all other network shares through \\server, because of the administrator’s access privileges.

        It would be great if you happen to have any other solutions for my situation. In the meanwhile, I will keep researching.

        Thanks again.

        1. David Vielmetter

          Hi Tmeita,

          Well, you answered your own question. The administrator account will have privileges to all areas…because it’s the administrator account. I don’t see why the administrator account is the only option for mapping a drive…that doesn’t make sense to me; you should be able to use any account with proper permissions.

          Perhaps you’ve restricted the shares and need to open them…but the share permissions are different from the file system permissions. Try doing some reading on the differences between the two. I have a feeling your issue is trivial and can be resolved with a bit of understanding of Windows file system and share permissions.

          Cheers,
          David

  4. Tom

    Only problem is that this is unsecure. Having a password stored in plain text in a text file is really bad news. If unauthorized access were to get into that computer they could easily get to your data. That doesn’t mean your office, it could be through a virus or malware. In addition you should force periodic PW changes at least every 90 days, so every 90 days you’ll be modifying the login script.

    The script should be written to prompt the user for the password. You could keep the user name the same as the destination network resource and use %username% for the user ID and leave the password blank and the user will be prompted. You could also synch the resource on both the server and workstation, as long as the proper setting is allowed in the local security policy of the server, so that identical logins with identical passwords will authorize automatically. Not ideal but better than storing a password in a plain text file.

    1. David Vielmetter

      Tom,

      Agreed. This is neither a secure nor a best Microsoft practice. I believe I mentioned that in my article, but thanks for raising the issue again.

      Cheers,
      David