Peculiar permissions problem

[Nightowl]

Hello all

I'm very much a beginner at networking, trying to help a friend. He has
5 computers running XP SP2 in a workgroup, with simple file sharing
disabled. Machines 1 and 2 are the main ones used and these both have
shared folders. All the machines have the same user account, "Joe".

Everything worked well except that computer 1 could see but not access
the shared folders on computer 2 -- "Access denied; you may not have
permission" messages, according to my friend. It has been like this for
a couple of years.

I suggested, just as an experiment, giving Joe full control of the share
on machine 2 and suddenly machine 1 could access it! But why was it
necessary for computer 1, when all the others were accessing 2 happily
through the same Joe account? Any ideas?

He'd rather not leave it set like that and I'd love to understand the
underlying cause. Is it possible that some permission setting in the
local Joe account on computer 1 is affecting it? I thought only the Joe
account on the host (machine 2) mattered, but I am only a beginner. . .
Any comments very welcome.

 

[Chuck]

Hello all

I'm very much a beginner at networking, trying to help a friend. He has
5 computers running XP SP2 in a workgroup, with simple file sharing
disabled. Machines 1 and 2 are the main ones used and these both have
shared folders. All the machines have the same user account, "Joe".

Everything worked well except that computer 1 could see but not access
the shared folders on computer 2 -- "Access denied; you may not have
permission" messages, according to my friend. It has been like this for
a couple of years.

I suggested, just as an experiment, giving Joe full control of the share
on machine 2 and suddenly machine 1 could access it! But why was it
necessary for computer 1, when all the others were accessing 2 happily
through the same Joe account? Any ideas?

He'd rather not leave it set like that and I'd love to understand the
underlying cause. Is it possible that some permission setting in the
local Joe account on computer 1 is affecting it? I thought only the Joe
account on the host (machine 2) mattered, but I am only a beginner. . .
Any comments very welcome.

You disabled Simple File Sharing on all computers, which says that all computers
are running XP Pro? Right? Did you disable the Guest account, properly, on all
computers?
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest

 

[Nightowl]

You disabled Simple File Sharing on all computers, which says that all computers
are running XP Pro? Right? Did you disable the Guest account, properly, on all
computers?

Thank you, Chuck, for the reply and for the links; I had come across
your website while I was searching and found it very helpful.

Sorry, I did mean to say XP Pro as well as SP2 I can't check myself
as the friend is a couple of hundred miles away, but I'm sure he would
have disabled Guest. He knows a lot more about networking than I do and
is at heart a Linux man and fanatical about security.

As I said, he's had the network running for about three years with
computer 1 unable to share 2's folders and swore he'd checked all the
permissions many times. When I struck lucky with suggesting giving Joe
full control, he was more than ever convinced that Windows networking is
a black art

 

[Chuck]

Thank you, Chuck, for the reply and for the links; I had come across
your website while I was searching and found it very helpful.

Sorry, I did mean to say XP Pro as well as SP2 I can't check myself
as the friend is a couple of hundred miles away, but I'm sure he would
have disabled Guest. He knows a lot more about networking than I do and
is at heart a Linux man and fanatical about security.

As I said, he's had the network running for about three years with
computer 1 unable to share 2's folders and swore he'd checked all the
permissions many times. When I struck lucky with suggesting giving Joe
full control, he was more than ever convinced that Windows networking is
a black art

Well, I appreciate the feedback about my website, but if you truly read and
believed what I said there, you will understand that Windows Networking is not
at all a black art. It is coldly logical.

If you have 2 computers running XP Pro, with disk drives formatted with NTFS,
network access from one to the other absolutely requires either Guest, or a
non-Guest, account properly activated for network access.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html

Either:
1) The disk partition is formatted with FAT.
2) The Guest account is activated for network access.
3) A non-Guest account is activated for network access, with matching (or blank)
passwords.

So you can say what you will - it's your (your friend's) computer after all.
But if you want to solve the mystery / fix the problem, go with an open mind and
you will find the answer.

 

[Nightowl]

Well, I appreciate the feedback about my website, but if you truly read and
believed what I said there, you will understand that Windows Networking is not
at all a black art. It is coldly logical.

I agree absolutely -- that's why I'm so interested in trying to find the
answer. Sorry if I gave the wrong impression. What I meant was, my
friend is rather a Windows-hater and has no patience to troubleshoot
when things go wrong; his attitude is just "That's $%&* Windows for
you!" I'm looking forward to digging around when I can next get down
there and I *know* there has to be a reason for this.

If you have 2 computers running XP Pro, with disk drives formatted with NTFS,
network access from one to the other absolutely requires either Guest, or a
non-Guest, account properly activated for network access.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html
Right.

Either:
1) The disk partition is formatted with FAT.
2) The Guest account is activated for network access.
3) A non-Guest account is activated for network access, with matching
(or blank)
passwords.

So you can say what you will - it's your (your friend's) computer after
all. But if you want to solve the mystery / fix the problem, go with an
open mind and you will find the answer.

Thanks, Chuck. I'm sorry, I'm a bit confused about your 3 points above;
are these possible causes of the problem? Would they be on computer 1
(the only one that couldn't access the share?) Because if they're on 2
(the server), wouldn't it affect the other 3 computers too?

I know 1) doesn't apply -- definitely NTFS. 2) I will get him to check
-- do you mean that if Guest is enabled, it could be interfering with
attempts to share using "Joe"? 3) Do you mean there may be another
enabled account that is using the same password as Joe? Sorry if I'm
being a bit thick here but I want to understand. Could you possibly
expand on those points a bit more, please?

Thanks for your time and help.

 

[Chuck]

I agree absolutely -- that's why I'm so interested in trying to find the
answer. Sorry if I gave the wrong impression. What I meant was, my
friend is rather a Windows-hater and has no patience to troubleshoot
when things go wrong; his attitude is just "That's $%&* Windows for
you!" I'm looking forward to digging around when I can next get down
there and I *know* there has to be a reason for this.

Thanks, Chuck. I'm sorry, I'm a bit confused about your 3 points above;
are these possible causes of the problem? Would they be on computer 1
(the only one that couldn't access the share?) Because if they're on 2
(the server), wouldn't it affect the other 3 computers too?

I know 1) doesn't apply -- definitely NTFS. 2) I will get him to check
-- do you mean that if Guest is enabled, it could be interfering with
attempts to share using "Joe"? 3) Do you mean there may be another
enabled account that is using the same password as Joe? Sorry if I'm
being a bit thick here but I want to understand. Could you possibly
expand on those points a bit more, please?

Thanks for your time and help.

On a server running NTFS, with Simple File Sharing disabled, there is a clear
sequence of events followed when authentication is required.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest

What I meant above is that, if any 1 of the 3 possibilities is true on a server,
a person accessing that server from a client will have access to the server.
Now, you can have additional details which would prevent access to all areas of
the server, but barring those details, the server will provide access. NTFS
permissions are a lot of fun.
<http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html>
http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html

 

[Nightowl]

What I meant above is that, if any 1 of the 3 possibilities is true on a server,
a person accessing that server from a client will have access to the server.
Now, you can have additional details which would prevent access to all areas of
the server, but barring those details, the server will provide access. NTFS
permissions are a lot of fun.
<http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html>
http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html

Thanks for the explanation, Chuck, I do appreciate your help. And I have
been reading all the links and bookmarking them too.

The puzzle is that all the computers have the same Joe account, and all
the computers can access the share on 2 using it, except 1 -- which
suddenly could when Joe was given full control. This is what I can't
understand. Surely if there were something wrong with permissions for
the Joe account on the server (2), it would have affected all the
clients? From what I've read I had thought only the settings on the
server account mattered, but can it possibly be something in the local
Joe account on computer 1 that is the problem?

 

[Chuck]

Thanks for the explanation, Chuck, I do appreciate your help. And I have
been reading all the links and bookmarking them too.

The puzzle is that all the computers have the same Joe account, and all
the computers can access the share on 2 using it, except 1 -- which
suddenly could when Joe was given full control. This is what I can't
understand. Surely if there were something wrong with permissions for
the Joe account on the server (2), it would have affected all the
clients? From what I've read I had thought only the settings on the
server account mattered, but can it possibly be something in the local
Joe account on computer 1 that is the problem?

OK, what access did Joe have before granted full control? What access does it
currently have on the other servers? And are we talking about Sharing, or
Security?

 

[Nightowl]

OK, what access did Joe have before granted full control? What access does it
currently have on the other servers? And are we talking about Sharing, or
Security?

Hi Chuck

I was trying to help diagnose the problem for my friend over the phone,
but from what he told me: Joe previously had read and create
permissions. The change to full control was made in the properties of
the actual shared folder (would that be Security?)

Thanks for your perseverance with me!

 

[Chuck]

Hi Chuck

I was trying to help diagnose the problem for my friend over the phone,
but from what he told me: Joe previously had read and create
permissions. The change to full control was made in the properties of
the actual shared folder (would that be Security?)

Thanks for your perseverance with me!

Both Sharing (network permissions) and Security (local permissions) can be made
at the root folder level, the leaf folder level, or anywhere in between.
Permissions can be inherited from a higher level too.
<http://nitecruzr.blogspot.com/2005/11/irregularities-in-individual-share.html>
http://nitecruzr.blogspot.com/2005/11/irregularities-in-individual-share.html
<http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html>
http://nitecruzr.blogspot.com/2005/09/server-access-authorisation.html

 

[Nightowl]

Both Sharing (network permissions) and Security (local permissions) can be made
at the root folder level, the leaf folder level, or anywhere in between.
Permissions can be inherited from a higher level too.

Yes, I see, thanks. I just keep coming back, though, to wondering: if
the permissions for Joe on computer 2 were incorrect, how were the other
3 machines able to access it using that same user account? I keep
thinking the problem must lie with computer 1 since that's the only one
that couldn't access the share. I'm really puzzled. Perhaps it won't
make sense until I can actually get at the machines and see the settings
for myself. I do appreciate all your help, Chuck.

 

[Chuck]

Yes, I see, thanks. I just keep coming back, though, to wondering: if
the permissions for Joe on computer 2 were incorrect, how were the other
3 machines able to access it using that same user account? I keep
thinking the problem must lie with computer 1 since that's the only one
that couldn't access the share. I'm really puzzled. Perhaps it won't
make sense until I can actually get at the machines and see the settings
for myself. I do appreciate all your help, Chuck.

I think you being in front of the computers is the best idea. Going from me to
you to the owner, and back again is not an efficient use of time.

When you get there, disable "Joe", on all 3 computers, from network access.
Then re enable it, one computer at a time. See what you get.