Huh? I thought Windows 2000 was designed for networking

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Simple job. I need the following directory structure on a server:

C:\data\sharedfiles (any machine on the network has full access to this)

C:\data\Alan (Shared folder, available only to Alan and on the server)

C:\data\Betty (Shared folder, available only to Betty and on the server)

C:\data\Colin (Shared folder, available only to Colin and on the server)

Easy, yup? Create shares, set permissions.

Huh?

Where the F*k do you do that in Windows 2000? You can create the share OK, and then when it comes to the permissions, it's totally screwy! If you leave "Everyone" in, anyone can access it from anywhere on the network.

If you add in another user - "Alan", let's say - and take out "Everyone", then no-one can access the folder.

How screwy is that?

Also, how do I make the damn thing work right?

I need to go back and do this in the morning, so a fast answer would be great!
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
A) Do you have a domain?

If not, you must create a user on the "server" with the same name and password as is used on the "workstation". You must do this for each user. You then put all the users in a group and give the group the rights to the folders. Having a domain minimises the workload when you need to, say, change someone's password.

B) Call Sol. :)
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
No more Sol. Sol is in South Australia (having accepted a full time job).

No domain.

I already made users on the server, same as I do under OS/2 (which is vastly easier to do this stuff with). (Or possibly I am more used to.) It doesn't work. If I leave "everyone" ticked, everyone can access the folder. If I don't, no-one can. That's an appallingly stupid bit of design work by Microsoft. I don't see what difference having a group will make, but I'll do that. Thanks Howell.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Ahah! I think you have spotted it, Merc. Thank you.

Yes, I was ticking "deny". A quick little experiment on this machine (which doesn't have any others connected to it, bar the firewall, so I can't test properly) shows me that you can tick "allow", tick "deny" OR just untick "allow". Weird.

I didn't think of that. So I have to:

untick "allow" on everyone
tick "allow" on user Alan
(possibly) tick "deny" on users Betty through Colin

I'll try that.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
The part where there is no domain controller?

No domain, just a simple peer-to-peer network. Five or six users, and a horrible Hewlett-Crapard all-in-one printer on a JetDirect port. (Dreadful things - but I've got that particular bastard beaten into submission.)

(Pradeep's link doesn't work, BTW - Geocities says the page has exceeded its space limit.)
 

e_dawg

Storage Freak
Joined
Jul 19, 2002
Messages
1,903
Location
Toronto-ish, Canada
What OS are all clients running?

Is everyone in the same workgroup? (Windows key + Break > Network Identification)

Is anyone running any firewalling software (or XP, which has a built-in firewall)? Are ports 137 and 139 open on each machine?

Are the Computer Browser, Remote Access Control, RPC, and RPC Locator services (Run: services.msc) enabled on all computers?

Is NetBIOS enabled over TCP/IP? (Control Panel > NW and Dialup Connections > Local Area Connection > TCP/IP > Properties > Advanced > WINS)

Can all clients ping the server?

Can each client see the share from the command line? (Run: cmd. At the command line, type: net view \\computername). Make sure you know the computer name of the server, which is different from the user name that you typed to log on (Windows key + Break > Network Identification)

Check your Local Security policy (Run: secpol.msc). Go to Security Settings > Local Policy > User Rights Assignment > Access this computer from the network. Make sure your clients are added.

Besides the usual checking of permissions, that's about what I do to troubleshoot "invisible share syndrome".
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Thank you, E_Dawg. I do believe that Mercutio has nailed it: as ever with these things, very simple once you know. It simply didn't occur to me that you could untick boxes without ticking the opposite box, if you know what I mean. Microsoft have set up a three way permission system:
  • allow
  • deny
  • something else that is neither of the above
but skimped on the user interface to it, so that there are only two tick boxes to do three jobs - which is quite sufficient to trick a simple ape like me.

Now that I'm at the office, with a sufficiency of spare machines, I have had the opportunity to try Merc's suggestion out, and (so far as I can tell in 5 minutes) it works exactly the way I want it to. So, in a moment, I'll dash off and implement it for real. Following that, I have to teach the rest of the network how to talk to the HP all-in-one. (Yuk. Tedious stuff.)

The long and the short of it is that Mercutio, doubtless having had lots of practice spotting simple errors made by his simple students, sat down and thought "now, we are dealing with a simple ape here: what is the most simple and obvious error?" and nailed it first time.

Thank you, Merc.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
The deny actions simply take precedence over the allow actions, Tea... so if the "everyone" group (everyone in winNT is an alias to the users group and not anonymous by default) is denied then you are denying all users... this takes precedence over the allow.

I'm surprised you were not aware of this. I guess most of my networking experience involves non domain controlled windows machines so I am pretty familiar with this action. Is OS/2 not the same?
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Never used a domain in my life.

Nope, the thing that tricked me is that there are three possibilities, and two things to tick. Easy enough once you know how, but typically stupid Microsoft interface design.

(Tannin knew this all the time, of course, but he refused to tell me unless I owned up to the missing pineapples.)
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I've set up a winNT and 2k domain controller, but never knew how to configure them as such properly... (if you read my post carefully I *did* say "non domain")

I find with only a few computers and users that it doesn't make much sense to dedicate a machine for domain controlling.. but perhaps if you already have a dedicated file server or something then having it serve double duty as a domain controller can ease administration of users/passwords and permissions.

At work we have a domain controller setup, but oxymoronically most people use the same login and pass for the machines there...
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
blakerwry said:
At work we have a domain controller setup, but oxymoronically most people use the same login and pass for the machines there...

If You log into your own workstation (not to the server) You need to use exactly the same user/pass for the shares in server to function properly. Otherwise You will be asked for a password (or even user/pass, if You use a username that doesn't exist on the server) the first time in each session to allow access to the server. Windows automatically passes on the current user/pass, so if they are same both in workstation and server, this happens transparently to the user.

But everyone should use their domain logon, if a domain is present. You can't access other people's shares (in their own workstations, that is), if You don't know a user/pass that's valid on that workstation. If You want to share something, You must either create a user/pass for everyone wishing to use the share, or just add the "Domain Users" group from the server to the ACL.

Hopefully that wasn't a boring read.

Cheers,

Jan
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I understand what you're saying, but I don't understand why you are saying it... what I meant is that where I work we have a username called "tech"; every technician uses this exact login. This means that the majority of the people in the building are logged in as tech.

In such a state you really have no security from other users and permissions become a non-issue as in winNT based OSes tech is in the users group and there's no reason to change that ever.

Having a domain allows roaming profiles and the ability to add users and adjust passwords and permissions on the fly. We are not doing that where I work. So the point of a domain is largely futile.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Tea said:
It simply didn't occur to me that you could untick boxes without ticking the opposite box, if you know what I mean.

In MS's visual nomenclature, they use radio buttons for options that are mutually exclusive.

The reason you have the option to deny is because it overrides all other allow permissions without much complication.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Hmmm .... It's still downright hopeless interface design. If you have three options (as they do) it is axiomatic to have three buttons.

Better than in XP though. Having set up the shares on the server, it took me maybe 2 minutes to set up the connections on the other W2000 machines and the remaining 98 boxes, and over half an hour to do it on the sole XP machine. I knew I had to turn off the stupid "simple networking" - which manages to turn a simple task into an impossible one - but I had to buggerise about for ages looking for the obscure place they hid the switch.

Actually, the way MS took away the simple, practical "network" icon in the control panel (as in Win95 and similar) and spread the functions all over the place for W2000 and later is downright stupid.

The relocation of "printers" and "dial up networking" to the control panel, on the other hand, was sensible.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,637
Location
I am omnipresent
Simple file sharing simply disgusts me. I don't know why it's hidden with the Explorer options like that, either.
Mainly, it's insulting to me that XP "just does things" that seem, to me, to break rules I thought were well-established and clear... like what ends up in Network Places, and yes, how Simple File Sharing works as opposed to "real" Windows Networking.

In other news, Samba 3.0 is a pinnacle of greatness I had despaired of ever seeing. XP talks to it perfectly and it appears that it can duplicate AD domain controller functionality... which gives me a great new service that I can sell.
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Well, I might need Samba before too long for that place, Merc. They have seven machines at present. If they get too much bigger, we will hit the W2K ten-connection limit. And you can rest assured that we won't be shelling out insane dollars for a copy of the server edition!

If I had to do it today, I'd use ECS, but I imagine that by the time that happens nix skills will be readily available, and nix connectivity will be a combination too hard to ignore.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,741
Location
USA
Have you considered recommending a NAS solution for them? This could also work around your 10 user limit.

Managing user access for NAS may be easier than working with NT accounts. They could each map their own network share and you could also create a community share for everyone.
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
blakerwry said:
I understand what you're saying, but I don't understand why you are saying it...

I'm sorry, Blake, I misunderstood You. That does sound like a stupid use for a domain. Do you "tech" guys have admin rights in your own workstation, or do You have only user rights?

Cheers,

Jan
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I figured it was just a simple mis-communication. Sometimes what I type does not accurately (or maybe completely is a better word) describe my thoughts. The "tech" login is just under the users group. This is used for 1) logging into one of the 30 or so workstations and 2) logging into a file server. For everything else there are individual logins that give rights on a need basis. This usually means that seldom would somebody have admin access.

Managers and such do not use the tech login; they have dedicated machines and their own login. I'm not sure if roaming profiles are set up at all; I believe that they are not. So, having a domain controller doesn't do a whole lot in this situation.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
21,637
Location
I am omnipresent
Roaming profiles are generally not a good idea anyway. They create obnoxious amounts of network traffic and seem to add an exciting extra chance of causing profile corruption.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
Everything in the section where I work is on a 100MBit switched LAN anyway (about 40 or so computers at best).

I miss the setup I had at KU. All engineering students had a home folder on the main file server and when you logged in you had all your data and profile information there ready for you. All main applications ran off the host system, but there were a few applications you could run off the network if you wanted.

For Windows roaming profiles, is it the same? For some reason I was thinking the Windows roaming profile was downloaded like a package to the client computer at login and then at log off was sent back to the server, vs. everything staying on the server and only the things that are needed being downloaded or written back.
 

Santilli

Hairy Aussie
Joined
Jan 27, 2002
Messages
5,078
Tea:
Try the fermented bananas. Makes understanding MSFT much easier, or, at least, less painful...
gs
:mrgrn: :wink: :evil:
 

B4RSK

What is this storage?
Joined
Jan 25, 2002
Messages
46
Location
Osaka, Japan
To add to the confusion, you can either set share permissions via the share, or via the NTFS permissions.

If the share is on an NTFS drive (it should be if at all possible), then you should leave the Share Permissions to "Everyone Full Access" and then restrict access by the NTFS file permissions. NTFS permissions are a lot more flexible than Share Level Permissions. If the share is on a FAT or FAT32 drive, then you have no choice but to use Share Level Permissions.

Whatever you do, don't set some permissions via Share Level and some via NTFS... It will be a nightmare to administer!

Some points about NTFS Permissions:

- Make sure that Administrators still have Full Access to the folder structure

- Make sure that SYSTEM still has Full Access to the folder structure

- Don't use Deny permissions if you can avoid it -- they just complicate things. If you don't specifically grant permissions to a user, they are denied anyway, so it is rarely needed. (There are times, but IMO it doesn't apply here)

- If you already have a tree of sub directories or files in the folder you are sharing, then you need to make sure that you apply your settings to them too. To do this, first set the permissions you want on the Security tab. Then click on the Advanced button. You will see a check box at the bottom of that dialog that will let you reset permissions on child objects. Tick it and then click on OK. It will reset all permissions to the ones you want.

That's about all I can think of now.

The pretty graphical interface of Windows makes it all look easy... But there is quite a bit to know, especially in Win2K. Probably more in 2K3, but I've not gone there yet!

Ian
 

B4RSK

What is this storage?
Joined
Jan 25, 2002
Messages
46
Location
Osaka, Japan
Ah, one more item that didn't quite make it in. Slow brain. :(

It is best to only set permissions to one of the three "standard" Windows permission settings:

1. Read Only (this is the standard one that Windows presets when you add a new user or group for permissions. It includes Read & Execute, List Folder Contents, and Read)

2. Modify. This includes all the Read Only ones, plus "Modify" and "Write"

3. Full Control. Clicking on Full Access will automatically check all other boxes.

If you do not want a user to have any access to the folder, don't add them to the list in the Security tab.

Ah, and another thing, make sure you remove the Everyone group from the security tab!!! If you have the Everyone there, all users (guests too, if the guest account is active) will have the access levels given to the Everyone group.

Ian
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
B4RSK said:
The pretty graphical interface of Windows makes it all look easy... But there is quite a bit to know, especially in Win2K.

Ian

Ahh, so the real solution is to remove the graphical interface. It's the unix way!
 

B4RSK

What is this storage?
Joined
Jan 25, 2002
Messages
46
Location
Osaka, Japan
Heheh! Well, often doing things via the command line is easier and faster. Especially tasks that can be scripted.

In any case, at least with the command line no one thinks it looks easier than it really is... :D

Ian
 

B4RSK

What is this storage?
Joined
Jan 25, 2002
Messages
46
Location
Osaka, Japan
Tea,

Regarding the reason for having Allow/Deny/No permissions set...

In Windows, if permission is not granted specifically, it is automatically refused. Hence the ability to have Allow and No Permissions set. The Deny is for the following situation:

You have a group of 50 people that are in one of the Windows user groups. Everyone in this group should have access to a set of resources -- maybe some folders/files and a printer. For some reason, 1 or 2 people in the group have to be restricted from accessing one of these items.

What do you do? Remove them from the group, create a new group, and then reset all the permissions on all the items? Sure, that is possible.

Or, you could create a group, add the users that are to be restricted, and then deny that group access to the one item in question.

Deny settings always take precedence over allow settings, so this will stop the group from seeing the restricted item without you having to re-set all the permissions on all the items.

The joys of networking...

Ian
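The allow/deny/not-set evaluation that blakerwry, Howell and Ian describe above (deny wins, anything never allowed is refused, share and NTFS permissions both apply), modelled as an added Python example that is not from this thread or from Windows itself. The user, group and right names are constructed for illustration, and ACE ordering and inheritance are left out.

```python
from dataclasses import dataclass

# Ian's three "standard" permission bundles, reduced to simple right names
READ = frozenset({"read", "execute", "list"})
MODIFY = READ | {"write", "modify"}
FULL = MODIFY | {"change_permissions", "take_ownership"}

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group the entry applies to
    rights: frozenset   # rights covered by this entry
    deny: bool = False  # True = "Deny" box ticked, False = "Allow" box ticked
    # An identity with no Ace at all is the third state: neither allowed nor denied.

def effective_rights(acl, principal, groups):
    """Collect allows and denies for the user, Everyone, and the user's groups.
    Deny entries override allow entries; anything never allowed stays refused.
    (Real Windows also orders and inherits ACEs; that detail is left out.)"""
    identities = {principal, "Everyone"} | set(groups.get(principal, ()))
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in identities:
            (denied if ace.deny else allowed).update(ace.rights)
    return frozenset(allowed - denied)

def can_access(share_acl, ntfs_acl, principal, groups, right):
    """Share permissions and NTFS permissions are both checked; the most
    restrictive wins. ntfs_acl=None models a FAT/FAT32 volume, where only
    share-level permissions exist."""
    if right not in effective_rights(share_acl, principal, groups):
        return False
    if ntfs_acl is None:
        return True
    return right in effective_rights(ntfs_acl, principal, groups)

# Constructed users and groups for the scenarios discussed in the thread
GROUPS = {"Alan": {"Staff"}, "Betty": {"Staff"}, "Colin": {"Staff", "Restricted"}}
# Ian's advice: leave the share at Everyone / Full Access and restrict via NTFS
SHARE_EVERYONE_FULL = [Ace("Everyone", FULL)]
# Entries Ian says must always stay on an NTFS tree
BASE = [Ace("Administrators", FULL), Ace("SYSTEM", FULL)]

def tea_first_attempt():
    """Everyone left in with Deny ticked, then Alan allowed: deny wins, Alan is out."""
    acl = BASE + [Ace("Everyone", FULL, deny=True), Ace("Alan", FULL)]
    return can_access(SHARE_EVERYONE_FULL, acl, "Alan", GROUPS, "read")

def tea_fixed():
    """Mercutio's fix: no Everyone entry, Alan allowed. (Alan writes?, Betty reads?)"""
    acl = BASE + [Ace("Alan", FULL)]
    return (can_access(SHARE_EVERYONE_FULL, acl, "Alan", GROUPS, "write"),
            can_access(SHARE_EVERYONE_FULL, acl, "Betty", GROUPS, "read"))

def ian_deny_group():
    """Ian's Deny use case: Staff allowed, Restricted denied. (Alan reads?, Colin reads?)"""
    acl = BASE + [Ace("Staff", MODIFY), Ace("Restricted", MODIFY, deny=True)]
    return (can_access(SHARE_EVERYONE_FULL, acl, "Alan", GROUPS, "read"),
            can_access(SHARE_EVERYONE_FULL, acl, "Colin", GROUPS, "read"))

def fat_volume():
    """FAT: no NTFS ACL, only the share's own Alan/Read entry. (Alan?, Betty?)"""
    share = [Ace("Alan", READ)]
    return (can_access(share, None, "Alan", GROUPS, "read"),
            can_access(share, None, "Betty", GROUPS, "read"))
```

Removing the Everyone entry (rather than ticking Deny on it) is what lets Alan's own Allow take effect, which is exactly the difference Tea ran into.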
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Ahh, thankyou, Ian. That makes a good deal of sense that way. I'll pop that somewhere into the back of my mind for pulling out when needed. Mostly, as you undoubtedly know, I only work on small networks - 2 to 4 machines is typical.

BTW, we are still building heaps of Smoothies. It was your recommendation of Smoothwall that made me try it out in the first place, and we must have 20 or 30 Smoothies out there by now, all running just fine. It was a great tip.

Are you still using Smoothwall? Or have you switched to a different one now? Also, it seems that the day is not far off when it will be cheaper to just buy a dedicated hardware firewall - particularly if you have to buy a hub as well.
 

B4RSK

What is this storage?
Joined
Jan 25, 2002
Messages
46
Location
Osaka, Japan
Great to hear about the Smoothwalls!! I use one at home, and have some private consulting clients on them as well. At my daily job we use a BSD-based firewall that is under the control of the IT department in our head office.

The small hardware-only boxes are very cheap here now. They do lack features though -- no logs, no IDS, no VPN, no Dynamic DNS, etc... But for a set-and-forget with no support, they do have a place too.

On the network side of things... If you get past 5 machines, and the client will pay for a license, then a domain-based setup becomes quite a lot easier to manage... Just one set of accounts to take care of, centralized backup... It costs $ to set up, but is usually less expensive to make changes too, and is a lot more flexible.

Hope that all is well with the Tea/Tannin/Tony group these days!

Ian
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Indeed it is. As you will read in the other thread (over in the Pub and Brewery) we are about to set off on something that adds up, more or less, to long service leave.

Five weeks alone with a telescope, a camera, and lots of bird species we have never seen before. Bliss!
 