Windows shared folders not accessible after disabling admin user

Windows Access Rights Management
Locked
Jamieg285
New here
Posts: 3
Joined: Fri Jul 02, 2021 4:20 pm

Windows shared folders not accessible after disabling admin user

Post by Jamieg285 »

Hi,

New to QNAP NAS, so still finding my way around things and making tweaks as I go.

I had the NAS setup and working OK. It's shared folders were visible and accessible und the Network section of Windows File Explorer - all good.

After the recent firmware update, it recommends that you disable the default 'admin' account for security reasons, so I did. Now, the NAS is visible under network, but when I try to go in to see the shares it says it's not accessible. I know it's the admin account causing this, as I've tested re-enabling it.

Any guidance on what I need to do - either on the NAS or on Windows to give me access to those shares again?
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Mousetick »

OPTIONAL:
First create a new user on the NAS with exactly the same name and password as your Windows account. Refer to this part of the user manual: https://docs.qnap.com/operating-system/ ... 60CCE.html

MANDATORY:
You need to edit the access permissions of your shared folders on the NAS and add the user you created above, or the user you created or re-used as a replacement when you disabled the admin account. Give read or write permissions to this user as desired. Refer to this part of the user manual: https://docs.qnap.com/operating-system/ ... E126A.html

Once that's done, you need to connect to the network shared folders from Windows using the new user. But first you need to make Windows forget about the NAS admin user. In Windows, go to Control Panel > Credentials Manager > Windows Credentials and delete any entry that contains the admin user name or the name or IP address of your NAS. You may need to log off or reboot Windows to ensure everything is properly cleared.

To connect from Windows Explorer with the new user:
- If you followed the optional first step, you should be able to connect directly without any prompting.
- Otherwise, enter the username and password of the new user you added in the mandatory step above, when prompted by Windows. If you're refused access and are not prompted to authenticate, specify the credentials manually by choosing 'Map Network Drive' or 'Add Network Location' in Windows Explorer, then select the option to 'Connect using different credentials'. If you ask Windows to remember the credentials, this step needs only be done once.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Windows shared folders not accessible after disabling admin user

Post by P3R »

I was writing an answer but Mousetick beat me to it with his great post. The only thing I have to add is that if you have or will ever get multiple users, it's better to create a user group that you give access permissions to your shared folders. That will simplify your future user administration.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Jamieg285
New here
Posts: 3
Joined: Fri Jul 02, 2021 4:20 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Jamieg285 »

Excellent - thank you. I found the 'admin' user entry in Windows Credentials. As a quick fix I changed this to my new custom admin user and access was restored.

I'll look into the fuller user config later - I need to setup access from each of the various family accounts next.
Dr. HaZaRd
New here
Posts: 2
Joined: Mon Jul 05, 2021 5:02 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Dr. HaZaRd »

Thank you, it help me to solve the same problem, but i have a question: the new user that is created on the NAS, can still be an admin or does this make everything useless?
I didn't understand if the original admin is different from an admin created by me later. I haven't tried yet, but logically, an admin must always be present and active, otherwise how can I manage the users and other NAS settings with an user without privileges? At the same time, however, if I disable the original admin and then create a new one, then what is this procedure for? How is security enforced by simply disabling one admin and creating another? Can you explain this a little better to me? Thank you!
Jamieg285
New here
Posts: 3
Joined: Fri Jul 02, 2021 4:20 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Jamieg285 »

The 'admin' user is a known admin account, so will be an obvious target for hackers.

When you create a new user with admin rights, no-one else knows what the name of the admin account is.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Windows shared folders not accessible after disabling admin user

Post by P3R »

Jamieg285 wrote: Mon Jul 05, 2021 5:16 pm The 'admin' user is a known admin account, so will be an obvious target for hackers.
2FA on admin accounts goes a long way to protect them and it's not the brute force attacks that's the main security issue. It's the frequent zero-day (and near zero-day) attacks that's really dangerous and renaming admin is meaningless against that threat.

The only way to really secure the NAS is to not expose it directly on the internet.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Mousetick »

Dr. HaZaRd wrote: Mon Jul 05, 2021 5:07 pm Can you explain this a little better to me?
I don't quite understand all your questions. It's not clear what you're referring to exactly by 'the new user' and 'this procedure', but I'll try to explain.

Basic Generalities:
- The built-in user named 'admin' is different from any other user on the NAS. It's known as the 'superuser' on systems running Linux, like the NAS, or more generally on systems running Unix-like OSes. This is a very powerful user which can do everything and anything on the system, including the ability to modify or wipe the system itself. The OS itself runs on behalf of this user.
- All other users are known as 'regular' users. They have limited capabilities or privileges to access and interact with the system. Those capabilities are granted via various types of permissions.
- Regular users and the 'admin' user can belong to what is known as a 'user group', which is simply a list of users. Each user group has a name. QNAP NASes provide two built-in user groups: 'administrators' and 'everyone'. The 'admin' user is a member of the 'administrators' group. All regular users are members of the 'everyone' group by default.
- All NAS administration tasks and tools (e.g. Control Panel, Network & Virtual Switches, Storage & Snapshots, ...) available through the QTS web UI are restricted to members of the 'administrators' group.

Disabling the 'admin' user account:
- The 'admin' user having omnipotent privileges, including that of destroying the system, willingly or inadvertently, is unsuitable for regular non-administrative usage of the NAS. It's still unsuitable for administrative usage because it is weak from a security standpoint: its name is fixed and already known, all that is needed to access the system as the 'superuser' is to figure out the password. So it makes sense to disable it completely so it can't be used neither for regular nor for administrative usage.
- Disabling an account prevents signing in to the system as that user, it doesn't remove the user. The OS and background services continue to run in the system on behalf of the 'admin' user which still exists.
- At least one user account member of the 'administrators' group must be enabled and is required in order to administer the NAS. There can be more than one enabled user accounts in that group if desired. The user management UI of the QTS web interface ensures that it's not possible to disable one's own account nor to have no enabled accounts in the 'administrators' group.
- The procedure for disabling the 'admin' user account provided by QNAP (https://www.qnap.com/en/how-to/tutorial ... er-account) involves 1) creating a new user (regular user) 2) making this new user a member of the 'administrators' group 3) signing in as that new user and 4) disabling the 'admin' account. Let's assume we give this new user the name 'mynasadmin'.
- At this point the 'mynasadmin' user has administrative privileges by virtue of being a member of the 'administrators' group, but it is still a regular user, it is quite different from the 'admin' user as it doesn't have infinite power to access and do everything and anything, good or bad, with the system. And its name is only known to you. All this is highly desirable from a security and safety perspectives.

Does that help?

Addendum:
As noted by @P3R above, disabling the 'admin' account should not be considered the end all be all mean to ultimate security, especially online security. It's just one mechanism in a set that must involve multiple layers. No amount of security mechanisms will protect QNAP systems as long as their web UI (QTS and all the hosted apps) itself runs on behalf of the 'admin' user. Any exploited vulnerability, software defect, or malicious app can wreak havoc on the system.

Personally I always disable the 'superuser' on all my systems, even if they are offline, to protect against my own mistakes and to enforce security restrictions (the latter would go unnoticed as the 'superuser') as I tend to work mostly from the command line.
Dr. HaZaRd
New here
Posts: 2
Joined: Mon Jul 05, 2021 5:02 pm

Re: Windows shared folders not accessible after disabling admin user

Post by Dr. HaZaRd »

yes, all my questions have been answered, thanks.
williaca
New here
Posts: 9
Joined: Wed Jan 25, 2017 12:53 am

Re: Windows shared folders not accessible after disabling admin user

Post by williaca »

Hi
Yes the answer is to change the username via Windows Credentials. It took me a while and much Googling to figure that out.
BTW - share permissions have to be set and, if you are using Qsync, there i no way of changing the account and the only way I could solve this was to de-install and re-install the client on both my PC and smartphone (Grrrrrr!).
I raised a Qnap help ticket because I feel that there was not enough advice on the consequences of changing the NAS login.
Moocow
Starting out
Posts: 13
Joined: Tue Feb 24, 2015 10:24 am
Location: Canada

Re: Windows shared folders not accessible after disabling admin user

Post by Moocow »

Mousetick wrote: Fri Jul 02, 2021 4:54 pm OPTIONAL:
First create a new user on the NAS with exactly the same name and password as your Windows account. Refer to this part of the user manual: https://docs.qnap.com/operating-system/ ... 60CCE.html

MANDATORY:
You need to edit the access permissions of your shared folders on the NAS and add the user you created above, or the user you created or re-used as a replacement when you disabled the admin account. Give read or write permissions to this user as desired. Refer to this part of the user manual: https://docs.qnap.com/operating-system/ ... E126A.html

Once that's done, you need to connect to the network shared folders from Windows using the new user. But first you need to make Windows forget about the NAS admin user. In Windows, go to Control Panel > Credentials Manager > Windows Credentials and delete any entry that contains the admin user name or the name or IP address of your NAS. You may need to log off or reboot Windows to ensure everything is properly cleared.

To connect from Windows Explorer with the new user:
- If you followed the optional first step, you should be able to connect directly without any prompting.
- Otherwise, enter the username and password of the new user you added in the mandatory step above, when prompted by Windows. If you're refused access and are not prompted to authenticate, specify the credentials manually by choosing 'Map Network Drive' or 'Add Network Location' in Windows Explorer, then select the option to 'Connect using different credentials'. If you ask Windows to remember the credentials, this step needs only be done once.
Thank you Mousetick... I have been trying to get my user update fixed for weeks!!
Dogsled3
First post
Posts: 1
Joined: Thu Nov 04, 2021 1:54 am

Re: Windows shared folders not accessible after disabling admin user

Post by Dogsled3 »

OK, I have similar issue, except only ONE folder is not accessible and no credentials will work. I set up a parent folder on the TS 219 NAS, and then subfolders for various files. One of the subfolders is "public" and this folder is not accessible with any credentials from windows PC (win10) attempting access. All the other folders can be mapped using the user/pw setup on the NAS. I use the same user/pw on the particular NAS folders and NAS login as the win 10 PC's. All works fine except for the ONE folder. I have double & triple checked the permissions on the NAS and appear to be identical for the folders in question.So I am stumped on how to access this folder on the network. I can login to the QNAP webpage and have access to the "public" folder with no problem, just cannot get files on or off over the network.
It appears to be a windows access issue, but the credentials have all been cleared and updated.
The NAS 'admin" user has been disabled, and the new user setup in the administrators group, all as described in this thread. What or where can I determined why the one folder is inaccessible?
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

Re: Windows shared folders not accessible after disabling admin user

Post by RobLatour »

First, thanks to all for this thread - it was exactly what I needed to know.

@Dogsled3, I ran into the same problem, but with several folders. In the end, I re-enabled the default admin user on the QNAP, and using that account copied the files over to a shared folder where I had access with my new admin account, then after I was sure I could access them fine, as well as read and write a dummy .txt file, from the new admin account from in their new location, I signed back onto to the default admin account, deleted them from the problematic folder with the admin account, deleted the problematic folder with the admin account, signed out of the admin account, signed on to the new admin account that I created to replace the original default one, created a folder with the same name as the one I just deleted, and moved the files over to it, and then finally checked everything was good with the new admin account and disabled the default admin account.
Locked

Return to “Windows”