networking with different groups

[DenoxiS]

Hi,

I have 6 Windows XP Pro computers on a network. They are under the
same workgroup. Sharing etc. works well.

3 of them are "management" computers, while other 3 are "terminals".
Right now, all shared folders are seen by each other. What I need is
the management should see all 6 computers while terminals should only
see themselves, which is 3.

What is the most cost-effective way to do it? (Please consider that
purchasing a hardware that will save time also cost-effective.)

I'm not an expert but I'm familiar with creating users, groups,
assigning users to groups, and setting permissions for those.

I appreciate your suggestions.

 

[Steve Winograd [MVP]]

Hi,

I have 6 Windows XP Pro computers on a network. They are under the
same workgroup. Sharing etc. works well.

3 of them are "management" computers, while other 3 are "terminals".
Right now, all shared folders are seen by each other. What I need is
the management should see all 6 computers while terminals should only
see themselves, which is 3.

What is the most cost-effective way to do it? (Please consider that
purchasing a hardware that will save time also cost-effective.)

I'm not an expert but I'm familiar with creating users, groups,
assigning users to groups, and setting permissions for those.

I appreciate your suggestions.

As you've seen, the default setting on XP Pro (in a workgroup) is to
allow network access by all users. Disable simple file sharing on
each computer. Then, you can define users and groups and specify the
desired access permissions for each shared disk and folder. Ron Lowe
and I have written a web page with full details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[DenoxiS]

As you've seen, the default setting on XP Pro (in a workgroup) is to
allow network access by all users. Disable simple file sharing on
each computer. Then, you can define users and groups and specify the
desired access permissions for each shared disk and folder. Ron Lowe
and I have written a web page with full details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

But in this case don't I have to create 6 accounts for 6 different
users? If I want USER1 at PC1 to access some folders on PC2, I have to
go to PC2 and set the permissions for that folder. But when setting
the permissions there is no way I can see USER1. So how can I give
USER1 a permission?

Or do I have to create 2 users (lets say "Boss" and "Employee") and
give all the employees the password of "Employee" so they reach the
shared folder by entering that password? I prefer not to assign
seperate password, but if it's the only way...

 

[Steve Winograd [MVP]]

As you've seen, the default setting on XP Pro (in a workgroup) is to
allow network access by all users. Disable simple file sharing on
each computer. Then, you can define users and groups and specify the
desired access permissions for each shared disk and folder. Ron Lowe
and I have written a web page with full details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

But in this case don't I have to create 6 accounts for 6 different
users? If I want USER1 at PC1 to access some folders on PC2, I have to
go to PC2 and set the permissions for that folder. But when setting
the permissions there is no way I can see USER1. So how can I give
USER1 a permission?

Or do I have to create 2 users (lets say "Boss" and "Employee") and
give all the employees the password of "Employee" so they reach the
shared folder by entering that password? I prefer not to assign
seperate password, but if it's the only way...[/QUOTE]

Without a server computer and domain to handle user validation for all
computers, each computer does its own user validation. So, allowing
USER1 to access folders on PC2 requires setting up an account for
USER1 on PC2. Then, you can grant access permission to USER1 on
folders stored on PC2.

It's your choice whether to create 6 individual user accounts or 2
boss/employee accounts. I'd create individual user accounts, so that
each person can have his/her own account, with personalized desktop,
E-mail, favorites, etc.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[DenoxiS]

But in this case don't I have to create 6 accounts for 6 different
users? If I want USER1 at PC1 to access some folders on PC2, I have to
go to PC2 and set the permissions for that folder. But when setting
the permissions there is no way I can see USER1. So how can I give
USER1 a permission?

Or do I have to create 2 users (lets say "Boss" and "Employee") and
give all the employees the password of "Employee" so they reach the
shared folder by entering that password? I prefer not to assign
seperate password, but if it's the only way...

Without a server computer and domain to handle user validation for all
computers, each computer does its own user validation. So, allowing
USER1 to access folders on PC2 requires setting up an account for
USER1 on PC2. Then, you can grant access permission to USER1 on
folders stored on PC2.

It's your choice whether to create 6 individual user accounts or 2
boss/employee accounts. I'd create individual user accounts, so that
each person can have his/her own account, with personalized desktop,
E-mail, favorites, etc.[/QUOTE]

I see. At this moment there are limited number of users and computers
but in the future it may be >10. Each time a new computer comes, I
have to adjust at least more than one computer.

If I got a server box just for this purpose, just for handling the
permissions and user logins, would it be easier? What version of
Windows is enough to do this task? In this case do I leave work group
concept and switch to "domain" as you mentioned above?

Thanks much.

 

[Steve Winograd [MVP]]

I see. At this moment there are limited number of users and computers
but in the future it may be >10. Each time a new computer comes, I
have to adjust at least more than one computer.

If I got a server box just for this purpose, just for handling the
permissions and user logins, would it be easier? What version of
Windows is enough to do this task? In this case do I leave work group
concept and switch to "domain" as you mentioned above?

Thanks much.

I don't see why you would have to adjust multiple computers when a new
computer arrives. Access to shared folders is based on user names,
not on computer names.

I think that my previous answer made the situation sound worse than it
actually is. In this page from our article, we show how to create
user groups:

http://www.practicallynetworked.com/sharing/xp_filesharing/04usergroups.htm

You can create groups called Boss and Employee, assign each user
account to one of the groups, and use the 2 groups, not the 6+ user
accounts, to specify access permissions for shared folders.

Adding a new person to the network would require creating a new user
account on each computer and assigning the user to the appropriate
group on each computer. It wouldn't require changing any access
permissions.

In a domain, each user would need just one account, maintained by the
server. The server would handle user accounts and access permissions
for all of the computers. Adding a new person to the network would
require creating a new user account on the domain and assigning the
user to the appropriate group. It wouldn't require creating an
account for that person on each computer. I think it's clear how that
would be easier, especially if there are a large number of users.
Windows 2000 Server and Windows Server 2003 can do that.

Take a look at this site, which describes Windows Small Business
Server 2003:
http://www.microsoft.com/windowsserver2003/sbs/default.mspx
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[DenoxiS]

I see. At this moment there are limited number of users and computers

I don't see why you would have to adjust multiple computers when a new
computer arrives. Access to shared folders is based on user names,
not on computer names.

Sorry for the confussion, what I meant was adjusting each of the
computers that has a shared folder. If I undestand correctly, if a new
PC comes and we decide to share its folder, than we need to create
those 2 groups on this computer too.

Now that's the part I'm not clear. If the user groups are created on
computers and there is no server either, then I have to go to PC1 and
create a group(Boss). But PC2 wouldn't know anything about Boss,
right? In this case, if PC2 has a shared folder for Bosses, then I
will also create a Boss group for PC2. If I want user1 be able to
reach the shared folder on PC1, then I go to PC1, put the user1 in the
Boss group. Now user1 is in the Boss group. But only for PC1, right?
If I want user1 to be able to reach shared folder on PC2, then I
include user1 in the group "Boss" on PC2. In another point of view,
it's not different than adding individual users, unless you have more
than one shred folder per PC.

Is the above scenario logical?

In a domain, each user would need just one account, maintained by the
server. The server would handle user accounts and access permissions
for all of the computers. Adding a new person to the network would
require creating a new user account on the domain and assigning the
user to the appropriate group. It wouldn't require creating an
account for that person on each computer. I think it's clear how that
would be easier, especially if there are a large number of users.
Windows 2000 Server and Windows Server 2003 can do that.

Take a look at this site, which describes Windows Small Business
Server 2003:
http://www.microsoft.com/windowsserver2003/sbs/default.mspx

I will.

Thank you for the good explanations, I really appreciate that. I'm
sure it's benefical for others too.

~D

 

[Steve Winograd [MVP]]

I don't see why you would have to adjust multiple computers when a new
computer arrives. Access to shared folders is based on user names,
not on computer names.

Sorry for the confussion, what I meant was adjusting each of the
computers that has a shared folder. If I undestand correctly, if a new
PC comes and we decide to share its folder, than we need to create
those 2 groups on this computer too.[/QUOTE]

Yes. In a workgroup, you'd have to set up the 2 groups and an account
for each user who will be accessing the shared folder. Those steps
wouldn't be necessary in a domain, where the server handles all the
accounts and groups.

Now that's the part I'm not clear. If the user groups are created on
computers and there is no server either, then I have to go to PC1 and
create a group(Boss). But PC2 wouldn't know anything about Boss,
right? In this case, if PC2 has a shared folder for Bosses, then I
will also create a Boss group for PC2. If I want user1 be able to
reach the shared folder on PC1, then I go to PC1, put the user1 in the
Boss group. Now user1 is in the Boss group. But only for PC1, right?
If I want user1 to be able to reach shared folder on PC2, then I
include user1 in the group "Boss" on PC2. In another point of view,
it's not different than adding individual users, unless you have more
than one shred folder per PC.

I think you've got it.

In a workgroup, each computer that wants to control access to its
shared folders needs to have user accounts and user groups defined for
all potential network users.

However, sharing more than one folder per PC doesn't add any
complexity. Each shared folder can have permissions for the same
users and/or user groups.

Is the above scenario logical?

Logical, but tedious to set up and maintain as the number of users and
computers gets larger.

Thank you for the good explanations, I really appreciate that. I'm
sure it's benefical for others too.

You're welcome.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com