ICS without logon

Wed, 2007-07-18 08:33 by admin · Forum/category:

ICS without logon

ICS (Internet Connection Sharing) by default does not dial out when nobody is logged on locally to the ICS server. I believe this is a defect and hope that it will be repaired in a future update, as it makes no sense to me.

Meanwhile you can use one of the known workarounds.

With the appearance of cheap WAN (Wide Area Network) routers like the DrayTek series or the even cheaper SMC routers, this is certainly one of the best ways out, particularly for cable or DSL Internet connections. For high loads like file sharing you have to use a better one, as the very cheap ones will crash and falter under high loads (example: SMC 7004 VBR), so in that case turn to DrayTek or another high-quality router maker.

To the best of my current knowledge, ICS always auto-dials when an administrator is logged on, so the automatic administrator logon solves this problem.

In many cases, though not always, ICS dials when a guest is logged on. I have not yet found out when this works and when it fails, but when it fails, then somebody can walk up to the ICS server, log on as guest, and establish the connection by hand. After that ICS seems to auto-dial as well.

I got ICS to work without anybody being logged on locally to the ICS server with the following convoluted procedure (no guarantee at all, but please report back if you try it).

Everything has to be done on the ICS server.

  • Log on with administrator rights.

Note: For the following steps you need to work with the guest account. On non-english versions of Windows do not use the account "Guest", even if it exists. Always use the predefined, localized account. For example in the German version the guest account is named "Gast". "Guest" will not work there. Any other account does not work either.

  • Open the management console, local security options and make sure that the guest account is not renamed. (You can also disallow renaming if you like.)
  • In the control panel open the user and passwords section and add the guest account to the administrators group.
  • In the same panel go to the extended part and activate the guest account. (It is by default not activated.)
  • Log on as guest.
  • Change the settings for the ICS DUN (Dial-Up Networking) entry to force the username and password dialog to appear.
  • Remove and reenter the password.
  • Dial and let the connection establish.
  • Break the connection.
  • Remove the setting to have the username and password appear.
  • Log off and log on to another account with administrator rights.
  • Remove the guest account from the Administrators group. (Never forget this!)
  • Deactivate the guest account.
  • Rename ntuser.dat in the Default User profile to ntuser.da$.
  • Copy ntuser.dat from the (newly created) guest profile to the Default User profile.
  • Reboot, don't log on locally, test the auto-dialing from a client computer.
  • If everything works, delete the entire guest profile, because it is normally not needed for guests without administrator rights.

If something goes wrong, you can reverse everything by deleting the entire guest profile, and renaming ntuser.da$ in the Default User profile to ntuser.dat after deleting the newly created ntuser.dat.

(Procedure originally developed by Hans-Georg Michna. Thanks to Thomas Osthege for important additions and testing.)

Related problems

Hangup when another user logs on

A related problem is that ICS hangs up when another local user on the ICS server logs on. The solution depends on the version of Windows.

Windows XP

When not in a domain, the behavior of RAS during Fast User Switching can be controlled from the New Connection Wizard, which offers the two settings "Anyone who uses this computer" and "My use only". The default is anyone, which means that the connection will stay open when switching users.

If this setting got changed, open Network Connections, right-click the dial-up connection in question and select Properties, Options. Check "Prompt for name and password, certificate, etc" and click OK. Then double-click the same connection and check "Save this user name and password for the following users" and click "Anyone who uses this computer". Finally click Dial.

See also the following Knowledge Base articles:

How to Keep RAS Connections Active After Logging Off (Q158909)
http://support.microsoft.com/kb/158909/

Behavior of RAS Connections With the Fast User Switching Feature (Q289669)
http://support.microsoft.com/kb/289669/

Windows NT or 2000

On  add or change the following registry key on the ICS server.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"KeepRasConnections"="1"

The next thing to check is whether the RAS service is disabled (Start, Settings, Control panel, Services). It should be set up for manual start and should nonetheless get started automatically when RAS is used.

Password loss

One more note: dial-up networking has an annoying habit—whenever user authentication fails, it immediately deletes the stored password and leaves the password field empty. Thus, every time this happens, you first have to enable the username-password dialog, do one manual logon, then disable the username-password dialog again.

MAGIC! - joining domain does the same

Thu, 2009-09-24 12:06 by Kalmi

Very odd: Joining (and leaving) a Windows 7 machine to a domain made ICS work without logon...

Domain admin can do this

Thu, 2009-09-24 15:28 by admin

The domain administrator can allow or block all kinds of functions through policies. When you join a domain, these policies become active.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.