I'm running Windows Server 2008 R2 in a workgroup, not a domain, and I want to create a local account that is only used for allowing other computers in the same workgroup to access file shares on that server.
When clients connect they will be prompted for a username/password (hopefully) and this account would serve as a way to allow them access.
I do not want this account to have a profile, or be used to actually log into the server itself. I only need it as a way to authenticate users for shared folders.
Can this be done? If not, what is the recommended approach for this?
As the reply of joeqwerty is not clear, I want to put the steps in line. This works for Windows 7, 8, and 10 (I'm on 10), as well as Windows Server 2003, 2008, and 2012.
Create the user (if you don't have it created already, and check this if you want it local on W10) from users, or Computer Management, whatever you like more.
Open Administrative Tools, then go to Local Security Policy, and go to Local Policies > User Rights Assignment.
From there, look for the policy called Deny log on locally. Double click it and add the username that you just created to that list.
Sure, it can be done. When you've set up the local user account on the server, add the user account to the "Deny log on locally" and "Deny log on through Terminal Services" user rights assignments. That will prevent anyone from using this user account to log on to the server locally or via TS/RDS but will allow them to access the share with this user.
You should be able to accomplish this by creating the local account, giving it share and NTFS rights on the file shares. Then use secedit to edit the local security policy. You want to use Local Policies > User Rights Assignment > Deny log on locally. Add the account to this setting.
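The user-rights change described in the answers above, scripted with secedit as an added example (not code from any of the posters). It assumes a hypothetical local account named shareuser, an elevated PowerShell prompt, and temp-file names chosen here.

```powershell
# Added example. Run from an elevated PowerShell prompt on the file server.
$Account = 'shareuser'   # assumption: the local account created for share access
$Rights  = 'SeDenyInteractiveLogonRight',        # "Deny log on locally"
           'SeDenyRemoteInteractiveLogonRight'   # "Deny log on through Terminal Services"

# Resolve the local account to its SID; secedit writes SIDs with a leading '*'.
$nt  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Account)
$sid = '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # file names chosen for this example
$db  = Join-Path $env:TEMP 'user-rights.sdb'

function Find-Line($list, $pattern) {
    for ($i = 0; $i -lt $list.Count; $i++) { if ($list[$i] -match $pattern) { return $i } }
    return -1
}

# Export only the user rights area of the current local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.ArrayList]@(Get-Content $cfg)

foreach ($right in $Rights) {
    $idx = Find-Line $lines "^$right\s*="
    if ($idx -ge 0) {
        # The right already has members: keep them and append the account if absent.
        $members = @(($lines[$idx] -split '=', 2)[1].Split(',') |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (($members -notcontains $sid) -and ($members -notcontains $Account)) {
            $members += $sid
        }
        $lines[$idx] = "$right = " + ($members -join ',')
    } else {
        # The right is unassigned: add it directly under the section header.
        $hdr = Find-Line $lines '^\[Privilege Rights\]'
        if ($hdr -lt 0) { throw 'No [Privilege Rights] section in the export.' }
        $lines.Insert($hdr + 1, "$right = $sid")
    }
}

# secedit templates are Unicode; write the file back in the same encoding and apply it.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Re-export and print the two deny rights to confirm the account is listed.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Select-String '^SeDeny(Remote)?InteractiveLogonRight'
```

Existing members of each right are preserved, so accounts already denied interactive logon stay denied.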