File and printer sharing suddenly broken

[Guest]

I have a home network with four PCs. Two are Windows XP Home and two are
Media Center. One of the Windows XP Home machines (call it "victim") shares
a folder and printers. All other machines have been able to print on that
printer
for a long time. Then, last week, none of the machines could print on that
printer
any more. Clicking on "victim"'s name in Windows Explorer caused an error
message that said that login on that machine failed. "Victim" is running
Norton
Internet Security and I tried various things with that to no avail. After
much
research, I found two things. First, (this is not relevant to the problem
but is
strange) I found automatic updates turned off when I know I left it turned on.
Second, looking at the event log and other posts here, I figured out that the
security rights had been messed up. I downloaded Dumpsec and NTRights
to both Windows XP Home machines and compared rights. "Victim" was
missing all its SeNetworkLogonRights entries. Using NTRights, I copied
some of the entries from the other machine, namely BUILTIN\Users and
VICTIM\Guest. Now, I still can't access "victim" remotely, but it doesn't
complain about a logon failure. Instead it says "Access is denied".
Since the event log now looks the same on victim as on the other machine
(shows a network logon using the guest account followed by a
SeChangeNotifyPrivilege assigned to VICTIM\Guest) and there are no more
Failure Audits, I have no clue what to do next.

 

[Steven L Umbach]

Verify that the guest account is active. You can use the command net user
guest to see if it is and if not use the command net user guest /active:yes
.. Verify that the Windows Firewall is disabled or has the exception for file
and print sharing enabled for your network though I don't think that is the
main problem sine that usually generates a "not found" message. I would also
look in the application/security log via Event Viewer to se if anything is
recorded there that may be of help. The command net share should show that
the $IPC share is available and the share you are trying to access needs
permissions for the everyone group for both share and folder [NTFS]
permissions. The link below can show you how to check those permissions.
Since you are experiencing unusual unexplained behavior you should also scan
for viruses and spyware in regular and Safe Mode being sure to use the
latest definitions for any program you use to do such. I would also try
booting into Safe Mode with networking to see if that makes any difference
or not in case some process/application [legitimate or otherwise] is
interfering. If you do not have an "internet router" or firewall device
protecting your network I would disconnect from the internet before booting
into Safe Mode with networking. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/downloads/...8d-6b4a-448e-a632-076f98a351a2&DisplayLang=en
--- White paper on troubleshooting sharing in XP.

 

[Guest]

Thanks for the quick and very insightful response.
Here's what I found:

1. "net user guest" reports the same info on the working
Windows XP Home system as on victim, namely that the
guest count exists. I assumed it would be since I no longer
get a Failure Audit logon event when the remote machine tries
to access victim.

2. Windows firewall is indeed disabled.

3. There is nothing in the event log that looks useful to me.

4. net share looks the way you describe it should.
I created a new shared modifiable folder and then rebooted in
Safe Mode with Networking. The NTFS permissions for the
Everyone group has Modify, Read & Execute, List Folder Contents,
Read, and Write, while the share permissions for
the Everyone group has Read and Change (but
not Full Control). Again, I got Access is denied when I
tried to look at \\Victim

5. I have an up-to-date Norton Antivirus and have done a full
scan in both regular and Safe Mode with nothing found.

Any ideas what to look at next?

Jeff

Verify that the guest account is active. You can use the command net user
guest to see if it is and if not use the command net user guest /active:yes
.. Verify that the Windows Firewall is disabled or has the exception for file
and print sharing enabled for your network though I don't think that is the
main problem sine that usually generates a "not found" message. I would also
look in the application/security log via Event Viewer to se if anything is
recorded there that may be of help. The command net share should show that
the $IPC share is available and the share you are trying to access needs
permissions for the everyone group for both share and folder [NTFS]
permissions. The link below can show you how to check those permissions.
Since you are experiencing unusual unexplained behavior you should also scan
for viruses and spyware in regular and Safe Mode being sure to use the
latest definitions for any program you use to do such. I would also try
booting into Safe Mode with networking to see if that makes any difference
or not in case some process/application [legitimate or otherwise] is
interfering. If you do not have an "internet router" or firewall device
protecting your network I would disconnect from the internet before booting
into Safe Mode with networking. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/downloads/...8d-6b4a-448e-a632-076f98a351a2&DisplayLang=en
--- White paper on troubleshooting sharing in XP.

I have a home network with four PCs. Two are Windows XP Home and two are
Media Center. One of the Windows XP Home machines (call it "victim")
shares
a folder and printers. All other machines have been able to print on that
printer
for a long time. Then, last week, none of the machines could print on
that
printer
any more. Clicking on "victim"'s name in Windows Explorer caused an error
message that said that login on that machine failed. "Victim" is running
Norton
Internet Security and I tried various things with that to no avail. After
much
research, I found two things. First, (this is not relevant to the problem
but is
strange) I found automatic updates turned off when I know I left it turned
on.
Second, looking at the event log and other posts here, I figured out that
the
security rights had been messed up. I downloaded Dumpsec and NTRights
to both Windows XP Home machines and compared rights. "Victim" was
missing all its SeNetworkLogonRights entries. Using NTRights, I copied
some of the entries from the other machine, namely BUILTIN\Users and
VICTIM\Guest. Now, I still can't access "victim" remotely, but it doesn't
complain about a logon failure. Instead it says "Access is denied".
Since the event log now looks the same on victim as on the other machine
(shows a network logon using the guest account followed by a
SeChangeNotifyPrivilege assigned to VICTIM\Guest) and there are no more
Failure Audits, I have no clue what to do next.

 

[Steven L Umbach]

Do you see any logon failures in the security log at the same time when you
try to access the share and get the access denied message?? Does it show
that the guest account is active on the problem computer as it needs to be?
Make sure you can ping the problem computer by name an IP address from the
computers that want to access the share. Try to access "victim" by it's IP
address rather then name by using \\xxx.xxx.xxx.xxx in the run box of the
computer you are trying to access it from. When you run the command
netstat -an you should see ports 139 TCP and 445 TCP listening on "victim"
computer. If that is the case see if you can telnet into port 139 TCP to see
if that works. From a computer where you want to access the share use the
command telnet xxx.xxx.xxx.xxx 139 using the IP address of "victim" . If
the port is open and available from the client computer you will get a blank
command screen with a blinking cursor. If none of that pans out try using
the netsh command to reset tcp/ip on "victim" as shown in the link below.
Doing so will make it a DHCP client however just in case you are using
static IP address. You can use ipconfig /all to check the tcp/ip info before
and after. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;299357

netsh int ip reset c:\resetlog.txt

Thanks for the quick and very insightful response.
Here's what I found:

1. "net user guest" reports the same info on the working
Windows XP Home system as on victim, namely that the
guest count exists. I assumed it would be since I no longer
get a Failure Audit logon event when the remote machine tries
to access victim.

2. Windows firewall is indeed disabled.

3. There is nothing in the event log that looks useful to me.

4. net share looks the way you describe it should.
I created a new shared modifiable folder and then rebooted in
Safe Mode with Networking. The NTFS permissions for the
Everyone group has Modify, Read & Execute, List Folder Contents,
Read, and Write, while the share permissions for
the Everyone group has Read and Change (but
not Full Control). Again, I got Access is denied when I
tried to look at \\Victim

5. I have an up-to-date Norton Antivirus and have done a full
scan in both regular and Safe Mode with nothing found.

Any ideas what to look at next?

Jeff

Verify that the guest account is active. You can use the command net user
guest to see if it is and if not use the command net user guest
/active:yes
.. Verify that the Windows Firewall is disabled or has the exception for
file
and print sharing enabled for your network though I don't think that is
the
main problem sine that usually generates a "not found" message. I would
also
look in the application/security log via Event Viewer to se if anything
is
recorded there that may be of help. The command net share should show
that
the $IPC share is available and the share you are trying to access needs
permissions for the everyone group for both share and folder [NTFS]
permissions. The link below can show you how to check those permissions.
Since you are experiencing unusual unexplained behavior you should also
scan
for viruses and spyware in regular and Safe Mode being sure to use the
latest definitions for any program you use to do such. I would also try
booting into Safe Mode with networking to see if that makes any
difference
or not in case some process/application [legitimate or otherwise] is
interfering. If you do not have an "internet router" or firewall device
protecting your network I would disconnect from the internet before
booting
into Safe Mode with networking. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/downloads/...8d-6b4a-448e-a632-076f98a351a2&DisplayLang=en
--- White paper on troubleshooting sharing in XP.

I have a home network with four PCs. Two are Windows XP Home and two
are
Media Center. One of the Windows XP Home machines (call it "victim")
shares
a folder and printers. All other machines have been able to print on
that
printer
for a long time. Then, last week, none of the machines could print on
that
printer
any more. Clicking on "victim"'s name in Windows Explorer caused an
error
message that said that login on that machine failed. "Victim" is
running
Norton
Internet Security and I tried various things with that to no avail.
After
much
research, I found two things. First, (this is not relevant to the
problem
but is
strange) I found automatic updates turned off when I know I left it
turned
on.
Second, looking at the event log and other posts here, I figured out
that
the
security rights had been messed up. I downloaded Dumpsec and NTRights
to both Windows XP Home machines and compared rights. "Victim" was
missing all its SeNetworkLogonRights entries. Using NTRights, I copied
some of the entries from the other machine, namely BUILTIN\Users and
VICTIM\Guest. Now, I still can't access "victim" remotely, but it
doesn't
complain about a logon failure. Instead it says "Access is denied".
Since the event log now looks the same on victim as on the other
machine
(shows a network logon using the guest account followed by a
SeChangeNotifyPrivilege assigned to VICTIM\Guest) and there are no more
Failure Audits, I have no clue what to do next.

 

[Guest]

There are no logon failures. In fact, there is a logon success from the
connecting computer using the guest account and that is followed
immediately by an assignment of the SeChangeNotifyPrivilege.
I was playing around on victim with the net commands and I stumbled
upon one that showed that there was even a connection open from the
other machine as guest. Indeed, victim shows that the guest account
is active. I can ping victim by name and by IP address. I can telnet
into port 139 and get the static screen with the blinking cursor, just as
you described. It just seems that whatever the first thing is that is being
accessed, guest does not have enough permissions for the access.
But what would that be?

Jeff

Do you see any logon failures in the security log at the same time when you
try to access the share and get the access denied message?? Does it show
that the guest account is active on the problem computer as it needs to be?
Make sure you can ping the problem computer by name an IP address from the
computers that want to access the share. Try to access "victim" by it's IP
address rather then name by using \\xxx.xxx.xxx.xxx in the run box of the
computer you are trying to access it from. When you run the command
netstat -an you should see ports 139 TCP and 445 TCP listening on "victim"
computer. If that is the case see if you can telnet into port 139 TCP to see
if that works. From a computer where you want to access the share use the
command telnet xxx.xxx.xxx.xxx 139 using the IP address of "victim" . If
the port is open and available from the client computer you will get a blank
command screen with a blinking cursor. If none of that pans out try using
the netsh command to reset tcp/ip on "victim" as shown in the link below.
Doing so will make it a DHCP client however just in case you are using
static IP address. You can use ipconfig /all to check the tcp/ip info before
and after. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;299357

netsh int ip reset c:\resetlog.txt

Thanks for the quick and very insightful response.
Here's what I found:

1. "net user guest" reports the same info on the working
Windows XP Home system as on victim, namely that the
guest count exists. I assumed it would be since I no longer
get a Failure Audit logon event when the remote machine tries
to access victim.

2. Windows firewall is indeed disabled.

3. There is nothing in the event log that looks useful to me.

4. net share looks the way you describe it should.
I created a new shared modifiable folder and then rebooted in
Safe Mode with Networking. The NTFS permissions for the
Everyone group has Modify, Read & Execute, List Folder Contents,
Read, and Write, while the share permissions for
the Everyone group has Read and Change (but
not Full Control). Again, I got Access is denied when I
tried to look at \\Victim

5. I have an up-to-date Norton Antivirus and have done a full
scan in both regular and Safe Mode with nothing found.

Any ideas what to look at next?

Jeff

Verify that the guest account is active. You can use the command net user
guest to see if it is and if not use the command net user guest
/active:yes
.. Verify that the Windows Firewall is disabled or has the exception for
file
and print sharing enabled for your network though I don't think that is
the
main problem sine that usually generates a "not found" message. I would
also
look in the application/security log via Event Viewer to se if anything
is
recorded there that may be of help. The command net share should show
that
the $IPC share is available and the share you are trying to access needs
permissions for the everyone group for both share and folder [NTFS]
permissions. The link below can show you how to check those permissions.
Since you are experiencing unusual unexplained behavior you should also
scan
for viruses and spyware in regular and Safe Mode being sure to use the
latest definitions for any program you use to do such. I would also try
booting into Safe Mode with networking to see if that makes any
difference
or not in case some process/application [legitimate or otherwise] is
interfering. If you do not have an "internet router" or firewall device
protecting your network I would disconnect from the internet before
booting
into Safe Mode with networking. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/downloads/...8d-6b4a-448e-a632-076f98a351a2&DisplayLang=en
--- White paper on troubleshooting sharing in XP.


I have a home network with four PCs. Two are Windows XP Home and two
are
Media Center. One of the Windows XP Home machines (call it "victim")
shares
a folder and printers. All other machines have been able to print on
that
printer
for a long time. Then, last week, none of the machines could print on
that
printer
any more. Clicking on "victim"'s name in Windows Explorer caused an
error
message that said that login on that machine failed. "Victim" is
running
Norton
Internet Security and I tried various things with that to no avail.
After
much
research, I found two things. First, (this is not relevant to the
problem
but is
strange) I found automatic updates turned off when I know I left it
turned
on.
Second, looking at the event log and other posts here, I figured out
that
the
security rights had been messed up. I downloaded Dumpsec and NTRights
to both Windows XP Home machines and compared rights. "Victim" was
missing all its SeNetworkLogonRights entries. Using NTRights, I copied
some of the entries from the other machine, namely BUILTIN\Users and
VICTIM\Guest. Now, I still can't access "victim" remotely, but it
doesn't
complain about a logon failure. Instead it says "Access is denied".
Since the event log now looks the same on victim as on the other
machine
(shows a network logon using the guest account followed by a
SeChangeNotifyPrivilege assigned to VICTIM\Guest) and there are no more
Failure Audits, I have no clue what to do next.

 

[Steven L Umbach]

Yet you get "access denied" error message?? What did the net command show?
You probably used net sessions maybe? I would again verify that everyone has
share and NTFS permissions to the folder you want to access and make sure
there are no deny permissions on that folder for share or NTFS. It
definitely sounds like you have network connectivity to computer "victim".
Try the command net config server to make sure that "server is active" as
shown in the example below. --- Steve

D:\Documents and Settings\Steve>net config server
Server Name \\STEVE-XP
Server Comment

Software version Windows 2002
Server is active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{19C66C86-CB8F-40CF-95C3-E6E755957325} (000795ec77ca)


Server hidden No
Maximum Logged On Users 10
Maximum open files per session 16384

Idle session time (min) 15
The command completed successfully.

There are no logon failures. In fact, there is a logon success from the
connecting computer using the guest account and that is followed
immediately by an assignment of the SeChangeNotifyPrivilege.
I was playing around on victim with the net commands and I stumbled
upon one that showed that there was even a connection open from the
other machine as guest. Indeed, victim shows that the guest account
is active. I can ping victim by name and by IP address. I can telnet
into port 139 and get the static screen with the blinking cursor, just as
you described. It just seems that whatever the first thing is that is
being
accessed, guest does not have enough permissions for the access.
But what would that be?

Jeff

Do you see any logon failures in the security log at the same time when
you
try to access the share and get the access denied message?? Does it show
that the guest account is active on the problem computer as it needs to
be?
Make sure you can ping the problem computer by name an IP address from
the
computers that want to access the share. Try to access "victim" by it's
IP
address rather then name by using \\xxx.xxx.xxx.xxx in the run box of the
computer you are trying to access it from. When you run the command
netstat -an you should see ports 139 TCP and 445 TCP listening on
"victim"
computer. If that is the case see if you can telnet into port 139 TCP to
see
if that works. From a computer where you want to access the share use the
command telnet xxx.xxx.xxx.xxx 139 using the IP address of "victim" . If
the port is open and available from the client computer you will get a
blank
command screen with a blinking cursor. If none of that pans out try
using
the netsh command to reset tcp/ip on "victim" as shown in the link below.
Doing so will make it a DHCP client however just in case you are using
static IP address. You can use ipconfig /all to check the tcp/ip info
before
and after. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;299357

netsh int ip reset c:\resetlog.txt

Thanks for the quick and very insightful response.
Here's what I found:

1. "net user guest" reports the same info on the working
Windows XP Home system as on victim, namely that the
guest count exists. I assumed it would be since I no longer
get a Failure Audit logon event when the remote machine tries
to access victim.

2. Windows firewall is indeed disabled.

3. There is nothing in the event log that looks useful to me.

4. net share looks the way you describe it should.
I created a new shared modifiable folder and then rebooted in
Safe Mode with Networking. The NTFS permissions for the
Everyone group has Modify, Read & Execute, List Folder Contents,
Read, and Write, while the share permissions for
the Everyone group has Read and Change (but
not Full Control). Again, I got Access is denied when I
tried to look at \\Victim

5. I have an up-to-date Norton Antivirus and have done a full
scan in both regular and Safe Mode with nothing found.

Any ideas what to look at next?

Jeff

:

Verify that the guest account is active. You can use the command net
user
guest to see if it is and if not use the command net user guest
/active:yes
.. Verify that the Windows Firewall is disabled or has the exception
for
file
and print sharing enabled for your network though I don't think that
is
the
main problem sine that usually generates a "not found" message. I
would
also
look in the application/security log via Event Viewer to se if
anything
is
recorded there that may be of help. The command net share should show
that
the $IPC share is available and the share you are trying to access
needs
permissions for the everyone group for both share and folder [NTFS]
permissions. The link below can show you how to check those
permissions.
Since you are experiencing unusual unexplained behavior you should
also
scan
for viruses and spyware in regular and Safe Mode being sure to use the
latest definitions for any program you use to do such. I would also
try
booting into Safe Mode with networking to see if that makes any
difference
or not in case some process/application [legitimate or otherwise] is
interfering. If you do not have an "internet router" or firewall
device
protecting your network I would disconnect from the internet before
booting
into Safe Mode with networking. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.microsoft.com/downloads/...8d-6b4a-448e-a632-076f98a351a2&DisplayLang=en
--- White paper on troubleshooting sharing in XP.


I have a home network with four PCs. Two are Windows XP Home and two
are
Media Center. One of the Windows XP Home machines (call it
"victim")
shares
a folder and printers. All other machines have been able to print
on
that
printer
for a long time. Then, last week, none of the machines could print
on
that
printer
any more. Clicking on "victim"'s name in Windows Explorer caused an
error
message that said that login on that machine failed. "Victim" is
running
Norton
Internet Security and I tried various things with that to no avail.
After
much
research, I found two things. First, (this is not relevant to the
problem
but is
strange) I found automatic updates turned off when I know I left it
turned
on.
Second, looking at the event log and other posts here, I figured out
that
the
security rights had been messed up. I downloaded Dumpsec and
NTRights
to both Windows XP Home machines and compared rights. "Victim" was
missing all its SeNetworkLogonRights entries. Using NTRights, I
copied
some of the entries from the other machine, namely BUILTIN\Users and
VICTIM\Guest. Now, I still can't access "victim" remotely, but it
doesn't
complain about a logon failure. Instead it says "Access is denied".
Since the event log now looks the same on victim as on the other
machine
(shows a network logon using the guest account followed by a
SeChangeNotifyPrivilege assigned to VICTIM\Guest) and there are no
more
Failure Audits, I have no clue what to do next.

 

[Guest]

I boot Victim into Safe Mode with Networking.
I go to computer Other and in Run, I type \\Victim
It says access is denied. I go back to Victim and in cmd I type
net config server. The output is:
Server Name \\VICTIM
Server Comment P4 2.8 GHz

Software version Windows 2002
Server is active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{1D2790F6-7A41-4F41-9AF7-A434E1BDBFF4} (000c4113b946)


Server hidden No
Maximum Logged On Users 5
Maximum open files per session 16384

Idle session time (min) 15
The command completed successfully.

I start up Computer Management and open Shared Folders.
I click on Sessions and see:
User Computer Type # Open Files Connected Time Idle Time Guest
JEFF OTHER Windows 0 00:00:15
00:00:14 Yes

I click on Shares and see:
Shared Folder Shared Path Type # Client Connections Comment
Documents C:\Docume... Windows 0
IPC$ Windows 1
Remote IPC
print$ C:\Docume... WIndows 0
Printer Drivers

I double click on Documents and look at
Share Permissions and see:
Everyone: Change, Read
I look at Security and see:
<other groups, other users>, Everyone: Modufy, Read & Execute,
List Folder Contents, Read, Write
I click advanced and see a number of lines including:
Everyone: Modify <not inherited> This folder, subfolders and file
I double click Everyone and see a long list of allowed permissions; they
are all checked except Full Control, Delete Subfolders and Files,
Change Permissions, and Take Ownership. The entire Deny column is
clear of check marks.

I enabled the guest account and logged in as guest (after a normal reboot)
just to make sure that guest had access to the shared documents folder
and it did. So why does guest get Access is denied when it is used to logon
remotely?

Is there a way of turning on more auditing so that I can get something in
the event log when the Access is denied message is generated?

Jeff

 

[Steven L Umbach]

I am about out of ideas here. Since you have unexplained configuration
changes on your computer that could have been caused by malware there may be
something else going on that would not be so apparent. Try using System
Restore to restore your computer to a point in time before the problems
began. If that does not help or can not be done what I would try is to go to
networking properties, uninstall file and print sharing, reboot and install
it again to see if that helps or not. If you have not tried netsh to reset
tcp/ip try that. If that fails I would consider an upgrade/repair install
of the operating system and you would need your install disk for that and
after being done you would need to first install your service pack [if not
part of the install disk] and then go to Windows Updates to download all the
needed critical security updates. You also may want to post in the
Microsoft.public.windowsxp.network_web newsgroup to see if anyone there has
any ideas that we have not tried yet. Review the info in the link below if
you have not seen that yet. --- Steve

http://support.microsoft.com/default.aspx?kbid=308007

 

[Guest]

Suspiciously enough, System Restore doesn't go back far enough.
It was the first thing I looked at in the beginning and even at that
time, it didn't go back far enough. I tried the uninstall/reinstall file
and printer sharing as you suggested, but it didn't help. I tried
netsh to reset the TCP/IP stack and thaqt didn't help either. I will
consider the upgrade/repai install of the OS later if I can't think of
anything else. What I would really like to do is to enable auditing
on file and directory access and then see if I can get a log entry for
the access that is failing. I can turn auditing on for specific folders
and see what happens.

In any case, I want to thank you for all the effort you have generously
put in trying to solve my problem. Even though it is not yet solved,
I really appreciate what you have done.

Thanks again.

Jeff

I am about out of ideas here. Since you have unexplained configuration
changes on your computer that could have been caused by malware there may be
something else going on that would not be so apparent. Try using System
Restore to restore your computer to a point in time before the problems
began. If that does not help or can not be done what I would try is to go to
networking properties, uninstall file and print sharing, reboot and install
it again to see if that helps or not. If you have not tried netsh to reset
tcp/ip try that. If that fails I would consider an upgrade/repair install
of the operating system and you would need your install disk for that and
after being done you would need to first install your service pack [if not
part of the install disk] and then go to Windows Updates to download all the
needed critical security updates. You also may want to post in the
Microsoft.public.windowsxp.network_web newsgroup to see if anyone there has
any ideas that we have not tried yet. Review the info in the link below if
you have not seen that yet. --- Steve

http://support.microsoft.com/default.aspx?kbid=308007

I boot Victim into Safe Mode with Networking.
I go to computer Other and in Run, I type \\Victim
It says access is denied. I go back to Victim and in cmd I type
net config server. The output is:
Server Name \\VICTIM
Server Comment P4 2.8 GHz

Software version Windows 2002
Server is active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{1D2790F6-7A41-4F41-9AF7-A434E1BDBFF4} (000c4113b946)


Server hidden No
Maximum Logged On Users 5
Maximum open files per session 16384

Idle session time (min) 15
The command completed successfully.

I start up Computer Management and open Shared Folders.
I click on Sessions and see:
User Computer Type # Open Files Connected Time Idle Time
Guest
JEFF OTHER Windows 0 00:00:15
00:00:14 Yes

I click on Shares and see:
Shared Folder Shared Path Type # Client Connections Comment
Documents C:\Docume... Windows 0
IPC$ Windows 1
Remote IPC
print$ C:\Docume... WIndows 0
Printer Drivers

I double click on Documents and look at
Share Permissions and see:
Everyone: Change, Read
I look at Security and see:
<other groups, other users>, Everyone: Modufy, Read & Execute,
List Folder Contents, Read, Write
I click advanced and see a number of lines including:
Everyone: Modify <not inherited> This folder, subfolders and file
I double click Everyone and see a long list of allowed permissions; they
are all checked except Full Control, Delete Subfolders and Files,
Change Permissions, and Take Ownership. The entire Deny column is
clear of check marks.

I enabled the guest account and logged in as guest (after a normal reboot)
just to make sure that guest had access to the shared documents folder
and it did. So why does guest get Access is denied when it is used to
logon
remotely?

Is there a way of turning on more auditing so that I can get something in
the event log when the Access is denied message is generated?

Jeff

 

[Guest]

Just when I was about to give up, I had an idea.
All along I had been trying to open Victim either from
My Network Places or from Start->Run. I decided to
try to directly open one of the shared folders. So in
Start->Run, I entered \\victim\documents and, amazingly,
it opened correctly. So then I tried printing to the shared
printer on Victim, and that too worked. But just trying to
open Victim from Start->Run or My Network Places gets
the Access is denied error message.

Does this tell us something like there is a file or folder that
is shared somewhere on Victim for which Guest does not have
access and that doesn't show up in Computer Management->Shared
Folders->Shares?

Jeff

 

[Steven L Umbach]

Interesting. To answer a question from your last post you can audit access
to folders in XP Pro but not in XP Home. The other thing I would check from
the description of your results is to make sure that netbios over tcp/ip is
enabled. If you run ipconfig /all it will tell you if it is disabled. Also
the command nbtstat -n should show at least three registered names if
netbios over tcp/ip is enabled on "victim" and one of your computers needs
to show being the master browser. Your problem definitely does not sound
like a permissions issue since you can access the shares by specifying the
full UNC path. Sometimes Windows will show an access denied message when it
really means "can not find". If netbios over tcp/ip is enabled then you
probably have some sort of problem with the browse list [uses port 138 UDP]
being correctly propagated which is what is shown when you use My Network
Places. I would check the application log on your computers to see if any
are showing errors/warning concerning the master browser. Often problems
arise if the computer that is the master browser has more than one network
adapter. The command net view will show the current browse list on a
computer. If you have some experience using a packet sniffer like Ethereal
you might be able to see what the problem is such as no answer to broadcasts
[IP addresses ending in .255] to port 138 TCP for browse list request. ---
Steve

http://support.microsoft.com/?kbid=141229 --- info on net view which is
old but still applicable.
http://www.practicallynetworked.com/sharing/troubleshoot/netbt.htm --- how
to enable/disable NBT