Windows Error: 'You can't access this shared folder because your organization's security policies block unauthenticated guest access'

Problem:

Though having an internal IP and being registered in the DESY network environment the connection to the DESY printserver fails with the following error:

"You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network."

Reason:

In Windows 10, Windows Server 2019, or Windows Server 2016, the SMB2 client no longer allows the connection through insecure guest accounts to file & printservers.

As your host is not part of the DESY WIN Domain the DESY domain printserver adprint10 is considered unsecure by your local host and access is denied.

Please read the Microsoft article below to completley understand the reasons for this behaviour and the possible workarounds.

 

Solution:

though desireable it is currently not possible to define an individual exception from the general rule of not accessing servers using guest accounts (aka flaggin adprint10 as a 'secure' host).

The current soultion is to disable the security feature by enabling smb2 access to servers using the guest account globally.

Please read the above statement from Microsoft completely and make sure you understand the impact on the security of your system as this means lowering the default security level at least a little.

We also advice that you only enable insecure guest access temporarily using the first registry script below while you are at DESY. Resecure your host with the second script once you do not need access to the DESY print server anymore.

The registry editor scripts below can live on your desktop and be activated by doubleclicking ...

text/x-ms-regedit allow_insec_guest.reg (259Bytes)
allow_insec_guest.reg
text/x-ms-regedit forbid_insec_guest.reg (150Bytes)
forbid_insec_guest.reg