Networking Problem: Share not accessible (but viewable) from other PC's

Hi,

I have three WinXP Pro machines connected to a network all of which do NOT use simple file sharing. Lets call the machines M1, M2 and M3.

For some odd reason when I create a share on M1 it can be viewed by both M2 and M3 but only accessed by M2. M3 complains that the share is not accessible and that I may not have permissions to use the network resource.

I have checked the file permissions and security settings for the share on M1 and cannot find anything wrong. When the share is created the permissions are set so that Everyone has Read only access. The security settings are exactly those which are set when a share is created on any other machine (which does share properly).

Even stranger it works correctly the other way around. If I make a share on M2 or M3 they are viewable and accessible to M1.

Some time back on M1 I clicked "Set up a home or small office network" from the "My Network Places" window and proceeded to do somthing which resulted in a floppy disk that contained settings meant for all the other machines on the network. The floppy disk was not, however, presented to any other machine.

Could this in some way have caused this strange behaviour?

I have discovered that I can make the share accessible to M2 and M3 by adding the Everyone user to the Group and user names: section on the security tab for the share on M1.

Why would I need to make this non standard change?

Regards FarmerJo

 

The disk you made shouldn't have changed anything - probably.

Are all three of the machines
- logging on with username & non-blank password
- set for NetBios over TCP/IP enabled
- in the same workgroup
- set up with all the user accounts loaded on each machine?

If so then as a quick test, try logging on to each machine using the same username/password as the one with the share and see if things work.

 

Hi,

The first three items are correct on my setup. I am not sure what
you mean in item four

"setup with all the user accounts loaded on each machine "

How do I check this? If they are not all loaded you do I load them all?

Regards FarmerJo

 

Hi,

I have noticed something else peculiar on the machine that cannot access the share. If I look in Network Connections there is an Internet Connection entry. This does not appear on any other machine on the network. Further if I disable this connection it disables internet access on all THREE machines.

All three machines are connected to a DSL504 router which provides a gateway onto the internet.

Any idea what this connection is and why it is only one one machine?

Regards FarmerJo

 

Extra connection - see your other thread.

As to the user account thing, I may have phrased it badly. No, I did phrase it badly.

- start~run~%SystemRoot%\system32\compmgmt.msc /s
- drill down to Local Users & Groups and the Users folder.
- each user account on your network (what folks log on with) should be entered on each machine.
- They need to be exact matches and the password part is case sensitive. ALL the accounts should have a non-blank password.

 

Hi,

Are you saying that you need to add thee extra accounts in order to be selective over who you allow to access shares on a mchine OR that these extra accounts are needed in order to make the network operate correctly?

Sorry to ask its just that my initial network problem have now been resolved but I am still left with the challenge of controlling what users on the network has access to what shares on the network.

Regards FarmerJo

 

In theory you could use the "Everyone" group to give anyone connecting to a Microsoft PC, access to a rescource (file or printer for example). In realty it is very flakey. Sometimes it will work, sometimes not - as you are finding. It is also very insecure.

Instead you need to do what Newt is suggesting and create a user account on each machine for each of the users connecting to that machine.

Three PCs, each wanting to access to the other two, means three user accounts on each PC. As Newt says they should be the same on each PC (username and password) - they don't have to be, but it makes life a lot easier if they are.

This is why peer to peer networking can be such a pain. If you had a server (with a server OS) you would just have to set up the users in one place. This is the key reason why you should consider client/server rather than peer to peer in anything but the smallest (less that 5 nodes) networks.

Of course if you are a real bodger you could go for the one user account used by everyone approach. But if you do that you've just lost all control for the sake of setting up a couple more accounts.

 

Hi,

Right I think I understand now, but just to check suppose I have a network with just three machines on it, A, B and C. Machines A and B both have shares and machine A needs to be able to access shares on B and vice versa. However, machine C must not be able to acces the shares on either A or B.

What I need to do then is setup a user account on A to give B access and a user account on B to give A access.

This is where I get a little hazy on the subject. At present machines A and B has the same sole user and machine C another sole user. All three machines at present has a single Administrator logon account. If I understand correctly what you are saying is that these additional accounts are not the same accounts that are displayed when the machine starts up but accounts that are hidden and configured to control access to shares on a machine.

Is this correct? If so could you point me to a procedure that describes how these (hidden) accounts are setup?

Regards FarmerJo

 

Correct.

New accounts -
- start~run~%SystemRoot%\system32\compmgmt.msc /s
- drill down to Local Users & Groups and the Users folder
- Action - new user.

The users you add will display on the XP logon screen if you are using the option to show the pretty pictures with an icon for each user. No problem since the user will need to enter a password to get logged on so will use his/her account.

Otherwise you could opt for the classic (NT/2000) style logon like a domain will use where you have to enter a user name and password and never see the user accounts that are on the PC.

As ReggieB noted, this is all due to XP-pro security being designed to work on a domain with a server acting as domain controller and holding all the accounts so you don't need local ones.

XP systems demand to know 'who' wants to connect via the network so they know how much access to give. This is all done via user accounts.
- if Guest is enabled then any logon is OK but you have almost no control.
- if Simple File Sharing is turned on I don't think you even need a password but again, at the expense of security.

With a peer network (workgroup) and networking, when a user on PC-A wants to work with files on PC-B and with the setup you have (the one I prefer too), PC-B will look to it's list of users and match permissions to the local copy of the account it has.

With NTFS as the file system, you also have lots more fine-grained control of access for users. At least twice as many options as with FAT32 and maybe more. I haven't run FAT32 for years and just don't remember exactly.

 

Hi,

OK, if for example, machine A wants to allow five others different machines to access its share we are saying that machine A needs six accounts. The sole user account in addition to another five that are used to specify other machines/users that wish to connect.

Is that correct?

If so, does this mean then, that machine A needs to have six logins before the machine is ready for sharing with the other five machines? Or is one login sufficient, presumably the main user account?

I know this seems an odd question but for some reason I have got it in mind that if an account is setup for sharing purposes and appears on the logon screen then surely it needs to be logged in before it is operative. Presumably this is incorrect?

Regards FarmerJo

 

Yup. Incorrect. Sorta.

The account has to be logged in before it is operative but in can be on any machine on the network that wants access.

For instance, if we are set up properly and there is a word document on PC-A that B-user makes changes to from a network connection from PC-B, the document will record the fact that B-user made the changes even though B-user never physically logged on to PC-A.

Likewise, if PC-A is running but no one is logged on, B-user can still connect to it via the network from PC-B.

You could even, if you wanted, simultaneously log on to PC-C, PC-D, PC-E as B-user.

As noted earlier, this whole thing makes more sense if you think of it in the context of a large domain. Create a domain user account for each user. None of the PCs need the account and may have only an admin account created locally.

As long as the PCs connect to the domain, then any domain user can log on to any domain PC. The domain controller has a record of all the accounts and a PC simply checks with the DC when a user tries to log on.

Same sort of thing with file servers. We have a big one that holds the 'My Documents' folder for each user. Makes back-ups lots simpler. The users connect to their own My Documents on the file server and no one is logged on at the file server console unless an admin needs to work on the system.

The users never notice this since when they log on to a PC, part of the process is an auto-connect to their files on the file server. Nice since a user can log on to any PC in the building (and we have several thousand) and get their own desktop (stored on the DC along with their account) and their own My Documents.

Also nice since if a PC goes bad, the user can simply be issued a new one and not have to fiddle with setting it up. Our PC support folks can simply fix the problem, ghost a clean XP load onto it, and have it available for the next person who needs a PC.

But on a small peer network, I can certainly see how you would question the sanity of whoever designed the whole networking system. That's the basic reason that XP-home behaves the way it does. Easy setup for peer networking. You just have to be able to live with the lack of admin control that goes along with 'simple'.

 

Hi,

I think I have got it now, at last. I need to do some playing around to see if I am missing anything else.

I do have another question in the mean time though (a simple one this time).

When a PC first logs onto another PC to access a share, you are prompted for a username and password. Having typed these in you then have an option for windows to remember the password. If you do this the user name and password are used for subsequent logins to that machine (as desired) but I cannot see a way after this, to logon to the same machine but to differenct account.

How is this achieved?

I have found a long winded way to do it where the password is changed on the machine which is being logged into which then forces the other machine to redisplay the username/password screen again and here you can log into a differenct account if you like. Of course the procedure must be repeated in order to restore the original password. It bit of a pain so therefore I deduce that there must be an easier way!

Regards FarmerJo