Problem accessing a shared folder

ironwoodcanyon

Here's my situation:

Three computers on a LAN:

Computer "A":
Vista Business
UAC turned off; no firewall
A "shared" folder (C:\AAA) with permissions set to allow full control
by Everyone

Computer "B":
Windows XP Pro
From Windows Explorer, I can access the AAA folder (add, delete and
edit files) on computer "A" with no problem.

Computer "C":
Vista Business
UAC turned on
From Windows Explorer, when I try to access the AAA folder I get an
"Windows cannot access \\ComputerName\aaa" pop-up. Clicking on
<Diagnose> displays: "aaa is available but the user account that you
are logged on with was denied access."


How can I get it so that Computer "C" has full access to the folder on
Computer "A" ?
 
Robert L. (MS-MVP)

Do you have 3rd party security software? This post may help too.

Vista: Windows cannot access - 1 post - Last post: Oct 14
the Vista x64 with SP1 the other clients are unable to connect to the
file share with various errors like - Windows cannot access ...
www.chicagotech.net/netforums/viewtopic.php?t=5034


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
 
ironwoodcanyon

No - there's no 3rd party stuff. No firewalls. Nothing on either
computer.

The post you suggested I look at led to a list of things to check. One
of them said something about having a common user id and password on
both computers ("A" and "C" in my example). Is that really necessary? I
would think that if I share this folder with "Everyone" then Everyone
should be able to get to it.

Any other thoughts?
 
Malke

No - there's no 3rd party stuff. No firewalls. Nothing on either
computer.

The post you suggested I look at led to a list of things to check. One
of them said something about having a common user id and password on
both computers ("A" and "C" in my example). Is that really necessary? I
would think that if I share this folder with "Everyone" then Everyone
should be able to get to it.

"Everyone" refers to all users on the local machine so yes, you should
create identical user accounts/passwords. See below for more details.

Problems sharing files between computers on a network are generally caused
by 1) a misconfigured firewall or overlooked firewall (including a stateful
firewall in a VPN); or 2) inadvertently running two firewalls such as the
built-in Windows Firewall and a third-party firewall; and/or 3) not having
identical user accounts and passwords on all Workgroup machines; 4) trying
to create shares where the operating system does not permit it.

A. Configure firewalls on all machines to allow the Local Area Network (LAN)
traffic as trusted. With Windows Firewall, this means allowing File/Printer
Sharing on the Exceptions tab. Normally running the Network Setup Wizard on
XP will take care of this for those machines. The only "gotcha" is that this
will turn on the XPSP2 Windows Firewall. If you aren't running a
third-party firewall or have an antivirus/security program with its own
firewall component, then you're fine. With third-party firewalls, I
usually configure the LAN allowance with an IP range. Ex. would be
192.168.1.0-192.168.1.254. Obviously you would substitute your correct
subnet. Refer to any third party security program's Help or user forums for
how to properly configure its firewall. Do not run more than one firewall.
DO NOT TURN OFF FIREWALLS; CONFIGURE THEM CORRECTLY.

B. For ease of organization, put all computers in the same Workgroup. This
is done from the System applet in Control Panel, Computer Name tab.

C. Create matching user accounts and passwords on all machines. You do not
need to be logged into the same account on all machines and the passwords
assigned to each user account can be different; the accounts/passwords just
need to exist and match on all machines. DO NOT NEGLECT TO CREATE
PASSWORDS, EVEN IF ONLY SIMPLE ONES. If you wish a machine to boot directly
to the Desktop (into one particular user's account) for convenience, you
can do this. The instructions at this link work for both XP and Vista:

Configure Windows to Automatically Login (MVP Ramesh) -
http://windowsxp.mvps.org/Autologon.htm

D. If one or more of the computers is XP Pro or Media Center, turn off
Simple File Sharing (Folder Options>View tab).

Malke
 
ironwoodcanyon

"Everyone" refers to all users on the local machine so yes, you should
create identical user accounts/passwords. See below for more details.

Problems sharing files between computers on a network are generally caused
by 1) a misconfigured firewall or overlooked firewall (including a stateful
firewall in a VPN); or 2) inadvertently running two firewalls such as the
built-in Windows Firewall and a third-party firewall; and/or 3) not having
identical user accounts and passwords on all Workgroup machines; 4) trying
to create shares where the operating system does not permit it.

A. Configure firewalls on all machines to allow the Local Area Network (LAN)
traffic as trusted. With Windows Firewall, this means allowing File/Printer
Sharing on the Exceptions tab. Normally running the Network Setup Wizard on
XP will take care of this for those machines. The only "gotcha" is that this
will turn on the XPSP2 Windows Firewall. If you aren't running a
third-party firewall or have an antivirus/security program with its own
firewall component, then you're fine.  With third-party firewalls, I
usually configure the LAN allowance with an IP range. Ex. would be
192.168.1.0-192.168.1.254. Obviously you would substitute your correct
subnet. Refer to any third party security program's Help or user forums for
how to properly configure its firewall. Do not run more than one firewall.
DO NOT TURN OFF FIREWALLS; CONFIGURE THEM CORRECTLY.

B. For ease of organization, put all computers in the same Workgroup. This
is done from the System applet in Control Panel, Computer Name tab.

C. Create matching user accounts and passwords on all machines. You do not
need to be logged into the same account on all machines and the passwords
assigned to each user account can be different; the accounts/passwords just
need to exist and match on all machines. DO NOT NEGLECT TO CREATE
PASSWORDS, EVEN IF ONLY SIMPLE ONES. If you wish a machine to boot directly
to the Desktop (into one particular user's account) for convenience, you
can do this. The instructions at this link work for both XP and Vista:

Configure Windows to Automatically Login (MVP Ramesh) -
http://windowsxp.mvps.org/Autologon.htm

D. If one or more of the computers is XP Pro or Media Center, turn off
Simple File Sharing (Folder Options>View tab).

Malke

Thank you, Malke.

I created an account on computer "A" (with the user id and password
from computer "C") and the AAA folder magically became available.

Is this the ONLY way to resolve this issue? This means that if I have
a half-dozen users that need to access computer "A" then they have to
publicize their password (to me at least) so I can create the account
on computer "A". Seems to me that the user should be able to keep his
password to himself.
 
Malke

I created an account on computer "A" (with the user id and password
from computer "C") and the AAA folder magically became available.

Is this the ONLY way to resolve this issue? This means that if I have
a half-dozen users that need to access computer "A" then they have to
publicize their password (to me at least) so I can create the account
on computer "A". Seems to me that the user should be able to keep his
password to himself.

If you are going to use a Workgroup, then yes you need to create the
matching user accounts/passwords on all machines. Doing this for 6 users on
only 3 machines takes only a very few minutes. You don't even need to log
into the extra accounts or spend any time setting them up if the users
won't be working directly on that machine; the accounts just need to exist
on the machine with the shared resources.

If this is an office situation and you have more than 6 or 7 machines, it's
time to look into setting up a server running a real server operating
system with Active Directory. Then all user management is done centrally on
the server.

Although certainly the person in charge of tech support should know all the
passwords for all the users. Unless this is a home situation, I don't see
why you wouldn't want to know everyone's password. Whoever is in charge of
supporting these computers needs to be able to enter anyone's account to
fix things. Naturally passwords can be changed by an administrator, but
normally the IT Dept. wouldn't want to take the extra time to do this.

If you need more help, perhaps explaining your situation would be a good
next step toward getting focused advice.

Malke
 
Zaphod Beeblebrox

If this is an office situation and you have more than 6 or 7 machines, it's
time to look into setting up a server running a real server operating
system with Active Directory. Then all user management is done centrally on
the server.

The way I've handled it in the OP's circumstance is to create the
account (without local login permissions unless they are actually
needed) and have the user enter their password so that I don't need to
know it. That said, I completely agree with the recommendation to use a
domain / Active Directory to manage user accounts and other resources.

Although certainly the person in charge of tech support should know all the
passwords for all the users. Unless this is a home situation, I don't see
why you wouldn't want to know everyone's password. Whoever is in charge of
supporting these computers needs to be able to enter anyone's account to
fix things. Naturally passwords can be changed by an administrator, but
normally the IT Dept. wouldn't want to take the extra time to do this.

Although discussions about security practices probably belong elsewhere,
I have to disagree with this. No one other than the user should know
their password. Period. Tech support should be using an account
tailored to their needs for general maintenance, and if they need to
log in as the specific user to handle a problem then that user should
log themself in (if available to do so) or an administrator should
change the password to allow tech support in. When tech support is
done, the administrator should reset the password and notify the user.
Handling it the way you appear to recommend allows (if not invites)
abuse and violates basic security procedures.
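
The approach described in the post above (the user types their own password while the account is created on computer "A"), as an added example that is not part of the original thread. The script name and the account name passed to it are hypothetical; it assumes an elevated Command Prompt on computer "A" with the user present at the keyboard.

```batch
@echo off
rem Added example, not from the thread. Run elevated on computer "A".
rem Usage: add-share-user.cmd <username>   (hypothetical script name)
rem <username> must match the account name the user logs on with
rem on their own machine (computer "C" in the thread).
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 username
    exit /b 1
)
set "SHAREUSER=%~1"

rem Does the account already exist on this machine?
net user "%SHAREUSER%" >nul 2>&1
if errorlevel 1 goto create

rem Account exists: re-sync the password. Needed whenever the user
rem changes their password on their own machine, because a workgroup
rem has no central account database and the two copies must match.
echo Account exists. Hand the keyboard to the user for the new password.
net user "%SHAREUSER%" *
goto verify

:create
rem "*" makes net user prompt for the password without echoing it,
rem so the user types it and the administrator never learns it.
echo Hand the keyboard to the user for the password prompt.
net user "%SHAREUSER%" * /add
if errorlevel 1 exit /b 1

:verify
rem Show the account so the administrator can confirm it was created
rem and which local groups it belongs to.
net user "%SHAREUSER%"

rem To keep the account from logging on at this machine's console,
rem add it under Local Security Policy (secpol.msc) - Local Policies -
rem User Rights Assignment - "Deny log on locally". Network access to
rem the share is not affected by that setting.
endlocal
```

Afterwards the user can confirm access from their own machine by opening the share in Windows Explorer while logged on with the matching account.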
 
Grand_Poobah

Although discussions about security practices probably belong elsewhere,
I have to disagree with this. No one other than the user should know
their password. Period. Tech support should be using an account
tailored to their needs for general maintenance, and if they need to
log in as the specific user to handle a problem then that user should
log themself in (if available to do so) or an administrator should
change the password to allow tech support in. When tech support is
done, the administrator should reset the password and notify the user.
Handling it the way you appear to recommend allows (if not invites)
abuse and violates basic security procedures.

Amen to that. In my old IT Manager position I would have been tarred &
feathered if I had required everyone to give me their passwords. At the
very least, they would have given it to me - and immediately changed it.
Your method works very well.

GP
 
