Active Directory and Network Shares

Matthew

I have a Windows 2000 Server computer with 1 Win2000 Pro, 8 XP Pro, and 2 XP
Home computers connecting. Currently it's set up almost like a P2P network
with shared printers and files scattered around several computers.
Of course, the important files are on the server and are backed up
regularly.

I have set up my users in Active Directory.
I noticed that to view a file share on the server the user has to provide
credentials from AD. The Win2000 box requires credentials from the local
machine, and the XP boxes don't require any credentials.

I would like to make it so all computers require credentials from AD to view
the shared printers and files.
What is the course you would recommend to accomplish this goal?

Thanks in advance,

Matthew
 
Steven L Umbach

When using an Active Directory domain, domain users log on to the domain once
and can normally access resources on domain computers that they have
permissions to, based on a combination of share/NTFS permissions or permissions
to printers. You can control access by adding the appropriate users/groups
to the permissions for the shares/printers. Any resource that has
permissions for the users or everyone group will be accessible to all domain
users without a prompt for credentials. For the W2K box, check that
users/everyone [or the appropriate domain group] has been added to the
permissions for the share/printer you want domain users to access. As for XP
Home, it is not a secure operating system like W2K or XP Pro is for
networking because it uses "simple file sharing", which means that when you
create a share on an XP Home computer, anyone can access the share and
accesses it as guest. You cannot add domain users to the access control
lists of an XP Home computer like you can with an XP Pro computer.

--- Steve
 
Roger Abell

Also, if the shares that are allowing transparent access
on XP are on XP Pro machines, then there may be no
request for authentication because of two reasons.
1. the share may be allowing guest access
or
2. the share may be configured to allow domain users
and the users are logging in with their domain accounts
on the machine from which they access the share (and
so behind the scenes they actually are being authenticated)

You should move all sharing off from the XP Home
and your overall setup issues will be simplified.
If people logged into Home can access the shares on
some other system easily, then you may need to examine
how those shares are secured (and, if they log in with
an account that does not agree with name and password
with another account defined in the domain, then certainly
you need to visit the security settings of those shares).
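
Added example, not part of the thread: a PowerShell audit of the share permissions behind the two "no prompt" cases Roger Abell lists and the users/everyone case Steven describes. It assumes a current Windows host with the SmbShare and LocalAccounts modules (neither exists on Windows 2000/XP) and English account names.

```powershell
# Added example: classify each local SMB share permission entry as guest-reachable,
# open to every domain user, or scoped to a specific user/group.
# Assumption: current Windows with the SmbShare and LocalAccounts modules.

$computer     = Get-CimInstance -ClassName Win32_ComputerSystem
$guestEnabled = (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue).Enabled -eq $true

# Principals that cover every authenticated domain user on a domain member.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
# Principals that admit the Guest account when that account is enabled.
$guestLike = 'Everyone', 'BUILTIN\Guests'

"Domain joined: $($computer.PartOfDomain)  Domain/workgroup: $($computer.Domain)  Guest enabled: $guestEnabled"

# Skip administrative shares (C$, ADMIN$, IPC$) and walk the share-level ACLs.
Get-SmbShare -Special $false | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $account = $_.AccountName
            $finding = if ($account -like '*\Guest' -or ($guestEnabled -and $guestLike -contains $account)) {
                'GUEST: reachable without domain credentials'
            } elseif ($broad -contains $account -or $account -like '*\Domain Users') {
                'BROAD: every domain user, no prompt when logged on to the domain'
            } else {
                'SCOPED: limited to this user or group'
            }
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $account
                Right   = $_.AccessRight
                Finding = $finding
            }
        }
} | Format-Table -AutoSize
```

This reads share-level permissions only; the NTFS ACL on each `Path` (for example via `Get-Acl`) still applies on top of them.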
 
Laura A. Robinson

circa Fri, 3 Dec 2004 00:14:41 -0500, in
microsoft.public.win2000.security, Matthew
([email protected]) said,
> I would like to make it so all computers require credentials from AD to view
> the shared printers and files.
> What is the course you would recommend to accomplish this goal?

If you want all of your computers to use AD accounts, the first thing
you'll need to do is to join them to the domain that you created.

Laura
 
Matthew

> If you want all of your computers to use AD accounts, the first thing
> you'll need to do is to join them to the domain that you created.

Well, I guess I'll create my domain and go from there.

Thanks to all for your help.

Matthew
 
Paul Adare - MVP - Microsoft Virtual PC

microsoft.public.win2000.security news group, Matthew
> Well, I guess I'll create my domain and go from there.

If, as you said in your original post, you've got user accounts in
Active Directory, then you've already got a domain.

--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
 
Matthew

> If, as you said in your original post, you've got user accounts in
> Active Directory, then you've already got a domain.

Sorry, I do have a domain. However, none of the clients are connected to
it.
They are just connecting to file shares on the server and entering their
Active Directory credentials for access.

Matthew
 
Laura A. Robinson

circa Sat, 4 Dec 2004 19:58:47 -0500, in
microsoft.public.win2000.security, Matthew
([email protected]) said,
> Sorry, I do have a domain. However, none of the clients are connected to
> it.
> They are just connecting to file shares on the server and entering their
> Active Directory credentials for access.

I think that you'll find that joining them to the domain is going to
gain you a lot of benefits above and beyond what has already been
mentioned- domains exist to make management easier and security
tighter than workgroup environments provide. Both good things.

Laura
 
Matthew

> I think that you'll find that joining them to the domain is going to
> gain you a lot of benefits above and beyond what has already been
> mentioned- domains exist to make management easier and security
> tighter than workgroup environments provide. Both good things.

Thanks for the tip. Is there a resource you would recommend so I can
quickly get up to speed on the workings of a domain?

Matthew
 
Laura A. Robinson
