Encountering “System Error 5 has occurred. Access is denied.” when trying to access a Windows network share can be frustrating. This error typically indicates that while the client can reach the server, the server is rejecting the connection for security reasons. This often happens when trying to connect as a non-domain user or when guest access is not properly configured.
This guide will walk you through the common causes of “Access Denied” (Error 5) and provide clear, step-by-step solutions to fix it.
Understanding the Root Cause: Blocked Guest/Anonymous Access
The most common reason for “Access Denied” (Error 5) on a network share that is supposedly open to “Everyone” is that the server is configured to block anonymous or guest access at the SMB (Server Message Block) level.
Even if the share permissions and NTFS permissions are set to allow “Everyone,” Windows security policies can still prevent unauthenticated users from connecting.
The Solution: Enabling Guest/Anonymous Access on the Server
To resolve this, you need to modify the security settings on the server hosting the share (in this example, s2) to allow insecure guest logons.
Run the following commands in an elevated PowerShell prompt on the server (s2):
# === ENABLE GUEST/NON-DOMAIN ACCESS ===
# Allow anonymous access to be able to see shares
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymousSAM" -Value 0 -Force
# Allow insecure guest logons, which is required for guest access to SMB shares
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "LanmanWorkstation" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" `
-Name "AllowInsecureGuestAuth" -Value 1 -Type DWord -Force
# Ensure the 'Everyone' group has access to the share
Grant-SmbShareAccess -Name "image" -AccountName "Everyone" -AccessRight Full -Force
# Restart the SMB server service to apply the changes
Restart-Service -Name "LanmanServer" -Force
Write-Host "✅ Guest access enabled. You can now test the connection from a client." -ForegroundColor GreenExplanation of the Commands:
Set-ItemProperty -Name "RestrictAnonymous": These commands modify the Local Security Authority (LSA) policies to allow anonymous users to list shares and enumerate user accounts.Set-ItemProperty -Name "AllowInsecureGuestAuth": This is the key setting. It explicitly tells the server to accept guest logons over SMB. This is disabled by default on modern Windows versions for security reasons.Grant-SmbShareAccess: This ensures that the “Everyone” group has the necessary permissions at the share level.Restart-Service -Name "LanmanServer": Restarts the SMB server service to apply all the changes immediately.
Verification: Testing from the Client
After applying the changes on the server, you can test the connection from a client machine.
-
Clear any cached connections:
net use \\s2 /delete -
Test the connection:
net view \\s2 dir \\s2\image\nms\job\update-MPS\zip
The connection should now work instantly without the “Access Denied” error.
Important Security Consideration
Enabling AllowInsecureGuestAuth can have security implications, as it allows unauthenticated access to any shares that are open to “Everyone” or “Guest”. This setting should only be used in trusted, internal networks.
For internet-facing servers or in a zero-trust environment, it is highly recommended to use authenticated access with specific user accounts and strong passwords instead of relying on guest access.
Conclusion
“Access Denied” (Error 5) on Windows network shares is almost always a server-side security issue related to blocked guest or anonymous access. By enabling AllowInsecureGuestAuth and ensuring the correct share permissions, you can quickly resolve this issue for non-domain clients.
Always remember to weigh the security implications of allowing guest access and use it only in trusted network environments.