Network Access Denied

[Vince]

Hello:

Just puchased a Vista machine I swore I would wait a year but I got hit by
lightning 3 days after the Vista release and guess what, every store in town
only sells Vista now.

Besides having to rush though the learning curve to find my way around I
have unresolved issues.

I tell Vista to share my whole Crive. Yes the whole thing. I have only
three machines in the same room and no critical data just need to have full
access to each machine.

Vista can access XP No problem. XP gets access denied. I have turned on
network discovery, file sharing, turned off password protected sharing. On
the c drive I clicked advanced sharing and then permissions. In permissions
there was the everyone group. I gave the group all permissions. Still when I
try to access it I get access denied.

Please tell me what I missed.

Thanks
Vince

 

[Bruce Sanderson]

1. on Vista, the Administrator user account is disabled by default, so you
can use it to connect remotely or logon locally
2. on Vista, by default, access to shares over the network is denied for
user accounts with blank passwords. This is also true of Windows XP
Professional, but notXP Home.

a. logon to the XP computer with a user account that is NOT Administrator
and which requires a password
b. on the Vista computer, create a user account with the same name and
password as you are using on the XP computer

Does this help?

 

[Guest]

Vince,

I'm sorry you're experiencing problems. Bruce is right in his response.
While you can share out the root, it's not recommended. Read through the
TechNet article below which explains the differences in Vista file share and
permissions. Please let us know if, after following the steps in the article
below, you're still experincing problems.

http://www.microsoft.com/technet/network/evaluate/vista_fp.mspx

 

[Bruce Sanderson]

Here's some info that might help - I hope it does not seem pedantic or
"insulting to your intelligence"!

Different editions of Vista (e.g. Home Basic, Business) have slightly
different details with respect to sharing, security etc., so if this doesn't
help, please state which editon you have.

There are two sets of permissions:
1. permissions to for access remotely through a Share
2. permissions for users to actually read or modify the content of the
folders that are the subject (target) of the Share (sometimes referred to as
NTFS permissions)


This concept has been in Windows since Windows NT - it's not new with Vista.
Windows XP has the same concepts, but, especially with XP Home, some of this
is "simplified" so you may not be aware of it. With XP, your C partition
might be formatted with FAT32 - if this is the case, the concept of
permissions on folders is missing completely.

To successfully get access to a folder remotely, you have to have both types
of permissions. Unlike XP, with Vista, by default, the Everyone group does
NOT have permissions (type 2) on the root of the C drive and I suggest you
really don't want to grant that permission - it will create havoc with the
security on your Vista computer

Sound like you used "Advanced Sharing" to grant the Everyone group
permission to access remotely through the share (type 1 above). However, if
the user attempting to access remotely does not have permission to do
anything on the folder that is the target of the share - the root of the c
partition in this case, that user will get access is denied, even if
Everyone has permission on the share.

However, by default "bypass Travers checking" is turned on. This means,
that even though you don't have access to the target folder of the share, if
you know the name of the folder inside the target folder, you can access
that remotely.

To try the test below, you will need to know the Computer Name of your Vista
computer - if you don't know for sure what it is, click Start, right click
Computer, select Properties - the Computer name is shown in the "Computer
name, domain, and workgroup settings" section

You didn't state what Share Name you used for the share you created on the
root of your C drive on the Vista computer - I've assumed you called it Call

1. on the XP computer
2. click Start, Run
3. key \\VistaComputername\call\users
4. press Enter (or click OK)

Although the User folder should appear in Windows Explorer, you'll most
likely get "access is denied" to all the folders inside the Users folder.
This is becuase the Everyone group has permission to access the Users
folder, but not any of the child folders.

I suggest you really don't want to do this. There is far too much important
stuff on the C drive that is vital for Vista to function. You're much
better off either using the Public folder with "Public folder sharing" or
creating a Share on exactly what it is you want to access remotely (for
example, your folder under Users).

Even better, turn on Password Protected Sharing, set a password for your
Vista user account and use that to connect to shares on the Vista computer
remotely.

You might want to open Help and Support, key "folder sharing" or "file
sharing essentials" in the Search box, press Enter. In some ways, Vista
makes sharing easier while still being secure, but the concepts in Vista are
a bit different from those in XP.

For another approach that you might find useful, see the thread "Hidden
Shares?" in this newsgroup.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

 

[Vince]

Thanks all for the information.

I will read the link provided by Kim and try some of the things Bruce
mentioned.

I hate to say this but I am not really worried about security on these
machines because there is nothing to protect and very limited users who all
need full access. We have been running full c: share since before XP came
out even back when we had Win 95. Looks like I may have to password protect
the accounts or just have the issues of having to go back and forth between
machines.

I normally sit at one machine and do backups of various locations and clean
up of others. I guess my only work around to sharing c is to spend time to
share many locations on the Vista Machine or change the location of the
machines and make the Vista machine the one that I sit at all day so I can
access the c drives of the XP machines.

Anyway I will play with this as I have time as this is my busy time of year
and at least I have a working machine for now.

Will message back when I figure out what I need to do. Probably in worse
case I will set machines to automatically log onto the account I want if I
put in a password.

Thanks
Vince

 

[Bruce Sanderson]

Unlike Windows 95 and, to a lesser extent, Windows XP, Vista is designed and
configured to be "secure by default". One of the reasons that Windows 95
had so many problems is because it has essentially no security - any
application or user can do anything, including destroying (or replacing)
things vital to the OS and applications.

There are some alternatives:
1. connect remotely using Remote Desktop Connection
2. enable the use of the hidden Administrative shares as discussed in the
thread "Hidden Shares?" in this news group - this provides network access to
the entire C partition for administrators
3. arrange for all data that needs to be routinely backed up to be in a
"Data" folder, rather than in various places in user profiles or application
folders in, for example Program Files. Unfortunately, this later is subject
to the vagaries of application designers, many of whom have chosen ignore
design guidelines, security and data backup requirements for over a decade.
4. understand the business requirement for backups - is it to protect data
or to provide rapid restoration of function (e.g. if a hard drive or
computer failure)? - use that to drive your backup strategy. If the
former - put the data in one place (folder) and backup that folder (e.g.
using robocopy from the Windows 2003 Resource Kit tools).

 

[Vince]

Well I guess I can live with this thing I will follow the instructions on
how to turn on administration shares. That will work for me. I have not used
them before but will read the thread.

I only have one folder I must share anyway and as far as backing up there is
nothing on the Vista machine that needs backed up. All of the data that is
mission critical is housed on an XP machine.

Even when we move our main machine to Vista I guess I can live with
admistrative shares.

Thanks for the info I will get this thing worked out. Just wish I did not
have to do it in my buisiest time of year.

Vince

 

[Guest]

Thanks for the link! The information there solved my problem.

 

[Guest]

As a network manager I am now facing the following issue.

Look at the permission to user profiles ( you will not see domain admins in
the permission list) Try adding it, you will get access denied, then if you
try and successed the user will then begin to get user errors on loading user
profiles.

 

[Bruce Sanderson]

On all the Vista computers I have (Business, Enterprise and Ultimate), the
local Adminstrators group has Full Control over the c:\Users folder and all
sub-folders and files. As far as I can tell, this is the default setting.

In a domain, the domain group Domain Admins is automatically added to the
local Administrators group when the computer joins the domain, so it should
be there unless you've deleted it.

The "junctions" (e.g. c:\Documents and Settings) have:

Everyone - Deny - List folder / read data

which means you can not navigate through these "junctions" in explorer.
But, if you know the name of a child folder (e.g. the name of a user's
profile folder), you can access the content of that folder. For example:

1. click Start, Run
2. key c:\documents and settings\Default
3. press Enter

Each user profile folder, by default, has the user account in the ACL. If
you are not careful how you modify the permissions on these folders, this
specific "grant" may be removed, which would result in the symptom you
observe.

When logged on with a domain user account that is a member of the local
Adminstrators group (directly or indirectly), you should automatically have
Full Control permission to all of the user profile folders. If, in
Explorer, you click on a user profile folder (e.g. c:\users\UserName), you
may get told you don't currently have permission to access the folder, but
if you click Continue, your access gets "elevated" and you can do whatever
you want to with that user's profile folder - you may get one or more "UAC"
prompts, but you can accomplish the task (e.g. delete files or sub-folders).
Through Control Panel, System, you can delete user profiles which results in
the deletion of the corresponding user's profile folder in c:\users.

If your concern is about "Roaming Profiles", there is a setting you can make
that will cause the local Administrators group to be granted permission to
every user profile folder in the share that houses the Roaming Profiles. In
gpedit (or GPMC), see:

Computer Configuration
Administrative Templates
System
User Profiles
Add the Administrators security group to roaming user profiles

If this does not help, please post additional details about what you are
observing.