Solved

Limit which workgroup members can access my shared files

Posted on 2006-07-12
Last Modified: 2010-03-18
Hello,

I am working in a university in which each research group has its own workgroup. There are no domains.

I am running Windows XP SP2 as are the majority of my colleagues. Some others are running Win2k.

Basically my problem is that I would like to share folders with some of my colleagues and not with others. However, if I share a folder, it seems that anyone running XP can access it. The Win2k people cannot.

There is only one user account (myself) which is password protected and the Guest account is disabled.

I have tried setting permissions but because it is not a domain, this hasn't worked. Basically if I remove the everyone permission then nobody can connect.

Ideally I would like a situation where everyone can see my computer but can't get past that without a username and password. So they can navigate in My Network Places, through the workgroup, see all of the computers but when they try to access mine they get asked for a username and password. That would be ideal but any other method of allowing some and blocking others would do.

I have also tried using Zonelabs to just allow certain hostnames into my trusted zone. Still no luck.

Any ideas?
Question by:franksmyth
25 Comments
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 150 total points
If you convert your drive to NTFS format (if it is not already done) you will have share permissions and security permissions tabs on the folder's properties box. This gives you far greater control. Though with simple sharing permissions you can accomplish this, NTFS allows you to very tightly control what users have what permissions.
You will need to create 1 user account for all you want to give access to, or better yet an account for each user.
Then, on the sharing tab give everyone full control permissions (this will be overridden by the security permissions)
and on the security tab give the specified users the access you wish, for example everyone list folder contents only, specified users read and execute, or even write and modify permissions.
If you create user accounts identical to what the users use on their own computer (user-name and password) the allowed users will not need to enter the password, but you may not want to do that for your purpose.
I would simply create a single user account called "Staff" and a password. Give only that account modify, read, write and execute permissions. When they connect they will need the user-name and password. When the password has leaked out you only need to change the one password in the one location.
0
 
LVL 77

Expert Comment

by:Rob Williams
Sorry forgot link to convert the drive to NTFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/convertfat.mspx
Make sure you back up any critical data first as a safety. For the record converting the drive is not a reversible process, though I cannot imagine you would want to. NTFS is becoming the default and offers more security and stability. Your drive may well be NTFS already. To check open My Computer and right click on the partition in question, and choose properties. The file system will be displayed there.
0
 

Author Comment

by:franksmyth
Thanks for the quick response.

Yes the drive was already NTFS.

I've done what you have said but when I go to the computer beside me and try to access the folder in question I just get the Access is Denied message box.

You may not have permission to use this resource etc etc.
0
 
LVL 43

Expert Comment

by:Steve Knight
You need to make sure that the NTFS permissions and share permissions are OK.
Simplest to leave Share permissions at Everyone Full Control (or change).
Set NTFS permissions for each user you have created also to change.
The user and password needs to match the ones on the other box.

You can also map a drive from the other box using a specific password using the "connect as another user" option in the map drive dialog box or by using

net use \\server\share /user:username password /persistent:yes

Steve
0
 

Author Comment

by:franksmyth
Hi Steve,

That is basically the same as the second thing that RobWill suggested. Am I correct?

Tried that too and still no luck.

Just getting the access is denied box.
0
 
LVL 77

Expert Comment

by:Rob Williams
-can you log on to your machine with the new account to verify it works?
-on both machines make sure under your network card properties, client for Microsoft networks and file and print sharing are both installed  and enabled
-check that both computers are members of the same workgroup
-on your computer try disabling the Windows firewall (as a test) we can configure later. Also check for any other software firewalls such as McAfee, Symantec, Zone Alarm, etc.
-can you ping the computer in question verifying a physical connection?
0
 

Author Comment

by:franksmyth
When I go to the security tab,

"Everyone" is present there with all of the "allow" boxes greyed out and ticked.

Is this the expected behaviour? Should I leave it or remove it?
0
 

Author Comment

by:franksmyth
-can you log on to your machine with the new account to verify it works?

Yes, no problem here

-on both machines make sure under your network card properties, client for Microsoft networks and file and print sharing are both installed  and enabled

Both have both installed

-check that both computers are members of the same workgroup

Yes

-on your computer try disabling the Windows firewall (as a test) we can configure later. Also check for any other software firewalls such as McAfee, Symantec, Zone Alarm, etc.

Windows firewall is disabled and I have shutdown zonealarm during testing.

-can you ping the computer in question verifying a physical connection?

Yes. Can ping both ways. Also from the second computer I can access my computer and see all of the shares (5 folders shared). I can still access all of them except the one that I performed your steps on to change the permissions.
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Is this the expected behaviour? Should I leave it or remove it?"
You might want to leave it as a test, but you need to remove that. What is happening is the folder is "inheriting" properties from the parent folder. To change that on the security tab/page click advanced, then uncheck "inherit from parent the permissions ....."
When you do so a box will pop up asking you if you want to copy or remove the permissions. Choose copy and click OK. Now if you go back to the security tab you can make the changes you want. Either restrict, remove all permissions or delete everyone, and add staff and any others. Make sure your account is present with full control.
Once complete to make sure all items within the folder have the same rights, again on the security tab/page click advanced, then this time check "replace permissions on child objects..." and OK, OK
0
 
LVL 77

Expert Comment

by:Rob Williams
Can you access the folder with  \\computername\sharename  ?
0
 

Author Comment

by:franksmyth
>>"Is this the expected behaviour? Should I leave it or remove it?"
You might want to leave it as a test, but you need to remove that. What is happening is the folder is "inheriting" properties from the parent folder. To change that on the security tab/page click advanced, then uncheck "inherit from parent the permissions ....."
When you do so a box will pop up asking you if you want to copy or remove the permissions. Choose copy and click OK. Now if you go back to the security tab you can make the changes you want. Either restrict, remove all permissions or delete everyone, and add staff and any others. Make sure your account is present with full control.
Once complete to make sure all items within the folder have the same rights, again on the security tab/page click advanced, then this time check "replace permissions on child objects..." and OK, OK

I have done all this now. And all looks as expected. Three users in the security: Frank, Marc, Staff. Frank with full control and the other two with read, read & execute, and list folder contents.

Can you access the folder with  \\computername\sharename  ?

No. Same as trying to double click it. Access is denied message box.

I presume that rebooting either computer each time I make a change is not necessary?
0
 
LVL 77

Expert Comment

by:Rob Williams
Hmmmmmm....
Just to confirm you have multiple shares on computer #1
All accounts can access the first 4 of 5 shares from computer #2
The new account Staff works, as tested on local machine

Therefore it is not a connection or account problem, so it has to be permissions related.
Is the problematic Share a sub-folder of another Share?
The folder does have sharing enabled, right ?  not just permissions set ???

Perhaps as a test create a new share in the root of the drive, such as d:\sharename  and give everyone full control under sharing permissions, and full control under security permissions. Verify the new account "staff" can connect from PC #2, and then gradually tighten control by removing everyone from security permissions and only allow specified accounts. Make sure you leave everyone full control for share permissions. If this works we can try to isolate why the other doesn't. I am wondering if it has to do with an inherited right.

You can also verify the user's effective permissions. On the primary computer (holding the share) open the properties window for the share, click on security, advanced, effective permissions. Choose select, advanced, find now, and add the user account -staff, then OK, OK and verify the user's "true" permissions in the effective permissions window.
0

 
LVL 77

Expert Comment

by:Rob Williams
ps- rebooting is not necessary with any permissions changes, may not hurt to log off and on of computer #2 though to make sure nothing is cached.
0
 

Author Comment

by:franksmyth
Okay,

Starting to get somewhere now. I did the same thing with my laptop.....added the user name to computer#1 with the same password and now I can control which folders on my desktop I can access through my laptop.

Which is what I wanted. However it isn't a whole lot of use if it only works for certain computer & user combinations. Any ideas why it would work for one machine & user combination and not another?

Originally what used to happen was that a "connect as" dialogue box would pop up rather than just saying access is denied. Where has this gone? It would make it all so easy!
0
 
LVL 77

Expert Comment

by:Rob Williams
Not sure I follow.
You added another username (from the laptop) to the problematic share on PC#1 (yours) and the laptop can connect, but not workstation #2 ?
0
 

Author Comment

by:franksmyth
Basically,

It works from one machine (my laptop) but not from another (pc #2)
0
 

Author Comment

by:franksmyth
Thanks for all your help RobWill, this is a problem which has been bugging me for a long time and it's almost sorted.

Situation now:

My PC: Users: Me, Laptop, Staff
PC #2: Users: Marc, Staff
PC #3: Users: Staff
Laptop: Users: Laptop

Shared folders: My Work (Me, Laptop, Staff), My Music (Me, Laptop), My Pictures (Me, Laptop), My Documents (Me,Laptop)

So, things work perfectly between my laptop and pc#3. Because the primary log in has been given security permissions to access my folders it works as expected.
However for PC#2 to access the shared stuff Marc has to log out and log back in as Staff. I would like him to have the option to "connect as" and then he could put in Staff's details rather than simply getting Access Denied.


0
 
LVL 43

Accepted Solution

by:Steve Knight
Steve Knight earned 150 total points
Just a thought... have you got the guest account enabled as part of the above tests - if so try disabling that - it could be if the user "marc" doesn't exist it is authenticating as guest which then doesn't have any access to the shared data

Steve
0
 

Author Comment

by:franksmyth
Woo hoo.

Finally, it works the way I want it to.

Yes, it turns out that although the Guest Account was disabled in the users section of Control Panel, it was enabled in the Local Security Policy settings.......what's that all about?

I had just done that before your post Steve after finding some info about it elsewhere, however as you came up with it as the solution and RobWill got the initial permissions and security thing sorted for me I'm going to increase the points to 300 and split them evenly between the two of you.

Thanks for all your help. Like I say, that one has been annoying me for a long time.
0
 

Author Comment

by:franksmyth
Can either of you explain what the point is then in having permissions at all?

Why not just have security??
0
 
LVL 43

Expert Comment

by:Steve Knight
If you are talking about share permissions then it is mainly historical in that before NTFS there were only share permissions.  It also means you can restrict access to a share to read only or remove all access without touching the security rights (NTFS) behind it.

0
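
Added illustration, not part of any post in this thread: a simplified Python model of the two points Steve Knight makes above, the Guest fallback from the accepted solution and the way share and NTFS permissions combine. Account names follow the thread; the passwords, ACL contents and function names are constructed for the example, and real Windows access checks involve more than this model covers.

```python
# Added illustration: simplified model of XP workgroup share access.
# Account names follow the thread; passwords and ACLs are constructed.
NONE, READ, CHANGE, FULL = 0, 1, 2, 3  # ordered access levels

def authenticate(accounts, guest_enabled, user, password):
    """Identity the sharing PC assigns, or None for a logon failure."""
    if user in accounts:
        # Known name: password must match, otherwise the logon fails.
        return user if accounts[user] == password else None
    # Unknown name: an enabled Guest account silently absorbs the logon.
    return "Guest" if guest_enabled else None

def effective_access(identity, share_acl, ntfs_acl):
    """The more restrictive of share and NTFS permissions applies."""
    def level(acl):
        # In this model every identity, Guest included, is in Everyone.
        return max(acl.get(identity, NONE), acl.get("Everyone", NONE))
    return min(level(share_acl), level(ntfs_acl))

def connect(accounts, guest_enabled, share_acl, ntfs_acl, user, password):
    """What the remote user sees when opening the share."""
    identity = authenticate(accounts, guest_enabled, user, password)
    if identity is None:
        return "credential prompt"      # client can now "connect as"
    access = effective_access(identity, share_acl, ntfs_acl)
    if access == NONE:
        return "access denied"          # authenticated, but no rights
    return f"{identity}:{access}"

# Constructed state of the sharing PC ("My Work" share from the thread).
ACCOUNTS = {"Frank": "pw-frank", "Laptop": "pw-laptop", "Staff": "pw-staff"}
SHARE_ACL = {"Everyone": FULL}
NTFS_ACL = {"Frank": FULL, "Laptop": READ, "Staff": READ}

if __name__ == "__main__":
    for guest in (True, False):
        print("Guest enabled:", guest, "->",
              connect(ACCOUNTS, guest, SHARE_ACL, NTFS_ACL, "Marc", "pw-marc"))
    print(connect(ACCOUNTS, False, SHARE_ACL, NTFS_ACL, "Staff", "pw-staff"))
```

With Guest enabled, Marc's unknown account is mapped to Guest and refused without a prompt; with Guest disabled the logon fails outright, which is what brings back the "connect as" dialogue.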
 
LVL 77

Expert Comment

by:Rob Williams
Guessing Frank you are on the same side of the "pond" as Steve, or an early riser. (I'm in Canada) glad to hear you were able to resolve.
I'm going to have to play with that policy, that is good to know. I was aware of it, but surprised you had to disable, then again, as suggested, it is likely due to the account configurations in this situation. Usually you have matching accounts which wouldn't be a problem. I'll stick to Domains, workgroups are so complicated :-)
Thanks for the points as well.
--Rob
0
 
LVL 43

Expert Comment

by:Steve Knight
Sorry for jumping in there... rarely use workgroups myself either,  of course any decent sized company uses domains ... except when they use mainly NetWare servers and ZEN to create local accounts mind.  Boy does that get messy.

Steve
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Sorry for jumping in there... "
Not at all, appreciate it very much, and I'm sure Frank does as well.

Fortunately none of my clients have mixed server environments. A couple have a single Netware file server and Windows clients but that is it. Makes my life easy :-)
0
 

Author Comment

by:franksmyth
Yes,

Thanks again to both of you.

-Frank
0
