Access Denied Browsing XP Home & XP Pro Workgroup

[Robb Pickinpaugh]

This is the setup.

XP Home (not sp2) "host computer" with modem and running
ICS
XP Pro (not sp2) "client computer"
XP Pro (not sp2) "client computer"

Both XP Pro boxes able to browse to shares on XP Home,
Neither XP Pro able to browse to each other. XP Home
unable to browse to either XP Pro.

Have gone around the loop with checking firewall
settings, etc. If you enter the path in Start->RUN as
\\computername\share\ you can get to the shares as
expected.

However printing to a shared printer on one of the XP Pro
machines is non-functional. I have checked security
settings in the Local security policies and the Access
computer from network has the veryone group in it.

One hotfix on the XP home box has (SP2) in the name it
references Q329115. I am not sure if this is the issue
or not.

Any suggestions.

 

[>Joe Anderson-Davis]

http://support.microsoft.com/default.aspx?scid=kb;en-us;318030&Product=winxp

That cured my sharing problems

Try it on all three computers. If it's not the cure for you nothing will be
lost by trying.

 

[Chuck]

This is the setup.

XP Home (not sp2) "host computer" with modem and running
ICS
XP Pro (not sp2) "client computer"
XP Pro (not sp2) "client computer"

Both XP Pro boxes able to browse to shares on XP Home,
Neither XP Pro able to browse to each other. XP Home
unable to browse to either XP Pro.

Have gone around the loop with checking firewall
settings, etc. If you enter the path in Start->RUN as
\\computername\share\ you can get to the shares as
expected.

However printing to a shared printer on one of the XP Pro
machines is non-functional. I have checked security
settings in the Local security policies and the Access
computer from network has the veryone group in it.

One hotfix on the XP home box has (SP2) in the name it
references Q329115. I am not sure if this is the issue
or not.

Any suggestions.

Robb,

Please provide ipconfig information for each computer.
Start - Run - "cmd". Type "ipconfig /all >c:\ipconfig.txt" into the command
window - Open c:\ipconfig.txt in Notepad, copy and paste into your next post.
Identify operating system (by name and version) with each ipconfig listing.

Make sure the browser service is running on each computer. Control Panel -
Administrative Tools - Services. Verify that the Computer Browser, and the
TCP/IP NetBIOS Helper, services both show with Status = Started.

The Microsoft Browstat program will show us what browsers you have in your
domain / workgroup, at any time.
http://support.microsoft.com/?id=188305

You can download Browstat from either:
<http://www.dynawell.com/reskit/microsoft/win2000/browstat.zip>
<http://rescomp.stanford.edu/staff/manual/rcc/tools/browstat.zip>

Browstat is very small (40K), and needs no install. Just unzip the downloaded
file, copy browstat.exe to any folder in the Path, and run it from a command
window.

Please provide browstat information for each computer.
Start - Run - "cmd". Type "browstat status >c:\browstat.txt" into the command
window - Open c:\browstat.txt in Notepad, copy and paste into your next post.

For more information about the browser subsystem (very intricate), see:
http://support.microsoft.com/?id=188001
http://support.microsoft.com/?id=188305
<http://www.microsoft.com/technet/prodtechnol/winntas/deploy/prodspecs/ntbrowse.mspx>

And Robb, please don't contribute to the spread and success of email address
mining viruses. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Robb]

I tried the steps in Q318030, no change.

XP Home Ipconfig:


Windows IP Configuration



Host Name . . . . . . . . . . . . : Gideon

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : NVIDIA nForce
MCP Networking Adapter

Physical Address. . . . . . . . . : 00-40-CA-2F-A8-
8D

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.0.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :



PPP adapter TC3net:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : WAN (PPP/SLIP)
Interface

Physical Address. . . . . . . . . : 00-53-45-00-00-
00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 64.112.197.138

Subnet Mask . . . . . . . . . . . : 255.255.255.255

Default Gateway . . . . . . . . . : 64.112.197.138

DNS Servers . . . . . . . . . . . : 64.112.192.34

64.112.204.187

NetBIOS over Tcpip. . . . . . . . : Disabled

XP Home Browstat:


Status for domain MSHOME on transport \Device\NetBT_Tcpip_
{6540D47B-8972-40C4-9649-7A53533DC688}
Browsing is active on domain.
Master browser name is: GIDEON
Master browser is running build 2600
2 backup servers retrieved from master GIDEON
\\ABIGAIL
\\GIDEON
There are 3 servers in domain MSHOME on transport
\Device\NetBT_Tcpip_{6540D47B-8972-40C4-9649-7A53533DC688}
There are 1 domains in domain MSHOME on transport
\Device\NetBT_Tcpip_{6540D47B-8972-40C4-9649-7A53533DC688}

XP Pro 1 Ipconfig:


Windows IP Configuration



Host Name . . . . . . . . . . . . : Abigail

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Mixed

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Office Network:



Connection-specific DNS Suffix . : mshome.net

Description . . . . . . . . . . . : 3Com 3C905TX-
based Ethernet Adapter (Generic)

Physical Address. . . . . . . . . : 00-60-08-CB-CD-
1C

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.184

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 192.168.0.1

Lease Obtained. . . . . . . . . . : Monday,
September 27, 2004 4:19:18 PM

Lease Expires . . . . . . . . . . : Monday,
October 04, 2004 4:19:18 PM

XP Pro 1 Browstat:


Status for domain MSHOME on transport \Device\NetBT_Tcpip_
{D8320D94-74DA-4BC0-AC07-488C90BE73E1}
Browsing is active on domain.
Master browser name is: GIDEON
Could not connect to registry, error = 53 Unable to
determine build of browser master: 53
\\\\GIDEON . Version:05.01 Flags: 51203 NT
POTENTIAL MASTER
2 backup servers retrieved from master GIDEON
\\GIDEON
\\ABIGAIL
There are 3 servers in domain MSHOME on transport
\Device\NetBT_Tcpip_{D8320D94-74DA-4BC0-AC07-488C90BE73E1}
There are 1 domains in domain MSHOME on transport
\Device\NetBT_Tcpip_{D8320D94-74DA-4BC0-AC07-488C90BE73E1}

XP Pro 2 Ipconfig:


Windows IP Configuration



Host Name . . . . . . . . . . . . : USER

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Mixed

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : mshome.net

Description . . . . . . . . . . . : 3Com EtherLink
XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)

Physical Address. . . . . . . . . : 00-50-04-D4-CB-
F4

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.225

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 192.168.0.1

Lease Obtained. . . . . . . . . . : Monday,
September 27, 2004 4:22:33 PM

Lease Expires . . . . . . . . . . : Monday,
October 04, 2004 4:22:33 PM

Xp Pro 2 Browstat:


Status for domain MSHOME on transport \Device\NetBT_Tcpip_
{779CAB87-A559-4F07-9137-DB3B58F8F172}
Browsing is active on domain.
Master browser name is: GIDEON
Could not connect to registry, error = 53 Unable to
determine build of browser master: 53
\\\\GIDEON . Version:05.01 Flags: 51203 NT
POTENTIAL MASTER
2 backup servers retrieved from master GIDEON
\\ABIGAIL
\\GIDEON
There are 3 servers in domain MSHOME on transport
\Device\NetBT_Tcpip_{779CAB87-A559-4F07-9137-DB3B58F8F172}
There are 1 domains in domain MSHOME on transport
\Device\NetBT_Tcpip_{779CAB87-A559-4F07-9137-DB3B58F8F172}


Any suggestions helpful.

TIA,
Robb

 

[Chuck]

I tried the steps in Q318030, no change.

Any suggestions helpful.

TIA,
Robb

Robb,

Browstat's and IPConfigs all look normal.

Do any of the computers have a software firewall (ICF or third party) ever
installed? If so, you need to configure them for file sharing, by opening ports
TCP 139, 445 and UDP 137, 138, 445, or by identifying the other computers as
present in the Local (Trusted) zone. Firewall configurations are a very common
cause of (network) browser, and file sharing, problems.

If it's not a firewall issue, then let's look at authorisation issues.

On each XP Pro computer, check to see if Simple File Sharing (Control Panel -
Folder Options - View - Advanced settings) is enabled or disabled. With XP Pro,
you need to have SFS properly set on each computer.

With XP Pro, if SFS is disabled, check the Local Security Policy (Control Panel
- Administrative Tools). Under Local Policies - Security Options, look at
"Network access: Sharing and security model", and ensure it's set to "Classic -
local users authenticate as themselves".

With XP Pro, if you set the above Local Security Policy to "Guest only", enable
the Guest account, using Start - Run - "cmd" - type "net user guest /active:yes"
in the command window. If "Classic", setup and use a common non-Guest account
on all computers. Whichever account is used, give it an identical, non-blank
password on all computers.

For XP Home, OR for XP Pro with Simple File Sharing enabled, make sure that the
Guest account is enabled, on each computer. Enable Guest with Start - Run -
"cmd" - type "net user guest /active:yes" in the command window.

More about file sharing, between all different versions of Windows:
<http://www.microsoft.com/downloads/...db-aef8-4bef-925e-7ac9be791028&DisplayLang=en>

Let's verify shares visibility. From each computer, from a command window:
"net view abigail"
"net view gideon"
"net view user"
Report visibility of shares / exact error displayed in each test (9 tests
total).

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Robb Pickinpaugh]

Do any of the computers have a software firewall (ICF or third party) ever
installed? <snip>

The computer in question is acting like there is one
there, but I am unable to find it. ICF is turned off, and
as far as I can tell there is not a third party firewall
on the system.

On each XP Pro computer, check to see if Simple File Sharing (Control Panel -
Folder Options - View - Advanced settings) is enabled or disabled. With XP Pro,
you need to have SFS properly set on each computer.

Yes SFS is enabled.

With XP Pro, if SFS is disabled, check the Local Security Policy (Control Panel
- Administrative Tools). Under Local Policies - Security Options, look at
"Network access: Sharing and security model", and ensure it's set to "Classic -
local users authenticate as themselves".

With XP Pro, if you set the above Local Security Policy to "Guest only", enable
the Guest account, using Start - Run - "cmd" - type "net user guest /active:yes"
in the command window. If "Classic", setup and use a common non-Guest account
on all computers. Whichever account is used, give it an identical, non-blank
password on all computers.

Set to Guest Only

For XP Home, OR for XP Pro with Simple File Sharing enabled, make sure that the
Guest account is enabled, on each computer. Enable Guest with Start - Run -
"cmd" - type "net user guest /active:yes" in the command

window.

Guest account active

More about file sharing, between all different versions of Windows:
<http://www.microsoft.com/downloads/details.aspx?

FamilyID=87c0a6db-aef8-4bef-925e-
7ac9be791028&DisplayLang=en>

Downloaded, haven't read it yet.

Let's verify shares visibility. From each computer, from a command window:
"net view abigail"
"net view gideon"
"net view user"
Report visibility of shares / exact error displayed in each test (9 tests
total).

Report Follows:
Run on USER

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on Gideon

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on abigail

net view abigail

All shares visible (not including here)

------------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------


Will begin reading MS doc.

Thanks much.

Robb

 

[Chuck]

On Tue, 28 Sep 2004 09:39:50 -0700, "Robb Pickinpaugh"

Report Follows:

Run on USER

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on Gideon

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on abigail

net view abigail

All shares visible (not including here)

------------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Well, Robb,

When you start looking in detail, you need to start IMHO with Abigail. Once you
get Abigail accessible from User, then figure out if there's a problem with
Gideon.

In addition to any possibilities you might find in the article, look at registry
key [HKLM\System\CurrentControlSet\Control\Lsa], value restrictanonymous.
<http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/46688.asp>

The above article is for Windows 2000. Remember WinXP is NT V5.1, and Win2K is
NT V5.0.

Have you used the Registry Editor before? If not, it's a scary tool, but it's
pretty simple once you get used to it. Here are a couple articles that might
help:
<http://www.microsoft.com/windowsxp/...home/using/productdoc/en/tools_regeditors.asp>
<http://www.annoyances.org/exec/show/registry>

Just remember to backup the key (create a registry patch) for
[HKLM\System\CurrentControlSet\Control\Lsa] before making any changes, if
appropriate.

From the Annoyances article:
You can create a Registry patch by opening the Registry Editor, selecting a
branch, and choosing Export from the File menu. Then, specify a filename, and
press OK. You can then view the Registry patch file by opening it in Notepad
(right-click on it and select Edit). Again, just double-click on a Registry
patch file (or use Import in the Registry Editor's File menu) to apply it to the
registry.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Robb Pickinpaugh]

Have you used the Registry Editor before? If not, it's a scary tool, but it's
pretty simple once you get used to it. Here are a couple articles that might
help:
<http://www.microsoft.com/windowsxp/home/using/productdoc/ en/default.asp?
url=/windowsxp/home/using/productdoc/en/tools_regeditors.as
p>
<http://www.annoyances.org/exec/show/registry>

Just remember to backup the key (create a registry patch) for
[HKLM\System\CurrentControlSet\Control\Lsa] before making any changes, if
appropriate.

<snip>

Chuck thanks for the additional info. I had already
pretty much figured the problem was on abigail, but hadn't
a clue where to look. So much happens in the background
when that "Set Up Network" wizard runs. It's nice for
people who don't know anything, but when it breaks... LOOK
OUT BELOW!

I'll check out the registry settings, and articles, and
post back if I still can't find it. There are already
issues on that computer like System Restore causes errors
and will not run, so there may be justification for
starting over.

Thanks,

Robb

 

[Guest]

Chuck,

I changed the registry entry to 0 which did not change
anything.

I then went into Local Security Policy and set:

Network Access: Do not allow anonymous enumeration of SAM
accounts - Disabled

Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Enabled

Network Access: Let Everyone permissions apply to
anonymous users - Enabled

Can now browse to abigail from USER and GIDEON

Thanks for the help. I really appreciate it.

The only thing I can think of is that somehow the
permissions for the guest account got screwed up.

I realize the potential danger in this from a security
point of view, but it does get them back working as
expected.

Thanks.

Robb

 

[Chuck]

Chuck,

I changed the registry entry to 0 which did not change
anything.

I then went into Local Security Policy and set:

Network Access: Do not allow anonymous enumeration of SAM
accounts - Disabled

Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Enabled

Network Access: Let Everyone permissions apply to
anonymous users - Enabled

Can now browse to abigail from USER and GIDEON

Thanks for the help. I really appreciate it.

The only thing I can think of is that somehow the
permissions for the guest account got screwed up.

I realize the potential danger in this from a security
point of view, but it does get them back working as
expected.

Thanks.

Robb

Robb,

I'm still reading the articles myself, and trying to figure out what those
registry keys do, and if they are the same as the LSP settings.

I presume you made those changes on Abigail? What then are the corresponding
values on Gideon and User? Maybe check both the LSP settings, and the registry
values?

What you did may educate us all, so maybe if we can analyse your setup this
information may be of use to further readers here.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Robb Pickinpaugh]

I presume you made those changes on Abigail? What then are the corresponding
values on Gideon and User? Maybe check both the LSP settings, and the registry
values?

Yes changes were made to Abigail.

Registry keys follow. Gideon does not have the LSP plug-
in, I tried to install it in the mmc, but it must not work
with XP home.

Abigail:

HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000001(1)
restrictanonymous = 0x00000001(1)
restrictanonymoussam = 0x00000000(0)

Gideon:
HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000000(0)
restrictanonymous = 0x00000000(0)
restrictanonymoussam = 0x00000001(1)

USER:
HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000000(0)
restrictanonymous = 0x00000000(0)
restrictanonymoussam = 0x00000001(1)

LSP Settings USER:
Network Access: Do not allow anonymous enumeration of SAM
accounts - Enabled
Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Disabled
Network Access: Let everyone permissions apply to
anonymous users - Disabled

LSP Settings Abigail:
Network Access: Do not allow anonymous enumeration of SAM
accounts - Disabled
Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Enabled
Network Access: Let everyone permissions apply to
anonymous users - Enabled


No functional LSP plugin for Gideon - XP Home

I hope that helps,

Robb

 

[Trog Dog]

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on Gideon

net view abigail

System error 5 has occurred.

Access is denied.

---------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)


---------------

Run on abigail

net view abigail

All shares visible (not including here)

------------

net view gideon

All shares visible (not including here)


-----------

net view user

All shares visible (not including here)

Try mapping the shared folders as a network drive - that is
\\abigail\{shared folder}

 

[Chuck]

Yes changes were made to Abigail.

Registry keys follow. Gideon does not have the LSP plug-
in, I tried to install it in the mmc, but it must not work
with XP home.

Abigail:

HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000001(1)
restrictanonymous = 0x00000001(1)
restrictanonymoussam = 0x00000000(0)

Gideon:
HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000000(0)
restrictanonymous = 0x00000000(0)
restrictanonymoussam = 0x00000001(1)

USER:
HKLM/system/currentcontrolset/control/lsa
everyoneincludesanonymous = 0x00000000(0)
restrictanonymous = 0x00000000(0)
restrictanonymoussam = 0x00000001(1)

LSP Settings USER:
Network Access: Do not allow anonymous enumeration of SAM
accounts - Enabled
Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Disabled
Network Access: Let everyone permissions apply to
anonymous users - Disabled

LSP Settings Abigail:
Network Access: Do not allow anonymous enumeration of SAM
accounts - Disabled
Network Access: Do not allow anonymous enumeration of SAM
accounts and shares - Enabled
Network Access: Let everyone permissions apply to
anonymous users - Enabled


No functional LSP plugin for Gideon - XP Home

I hope that helps,

Robb

Robb,

That's VERY interesting. And you have shares on all 3 computers, and all 3
computers able to access shares on each of the other 2? Even though the
settings for Abigail and User (the 2 Pro computers) have totally opposite
settings? And making these settings on Abigail resolved the problem there?

If you have any future observations on this issue, various folks would benefit
from your postings here.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Robb Pickinpaugh]

Robb,

That's VERY interesting. And you have shares on all 3 computers, and all 3
computers able to access shares on each of the other 2? Even though the
settings for Abigail and User (the 2 Pro computers) have totally opposite
settings? And making these settings on Abigail resolved

the problem there?

Yes all the shares are usable as expected from the other
computers in the workgroup.

The changes resolved the issue on Abigail.

My guess is that there is still something wrong in the
permissions settings for at least the guest account, but I
don't have any more time to dig further at this time.

It would help if I could find some documentation on what
all the network setup wizard does... that's what started
this whole mess.

If you have any future observations on this issue, various folks would benefit
from your postings here.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
.

If I see any more weird things I'll be sure to pass them
along.

Thanks for the help Chuck,

Robb