File/Printer sharing requires Guest logon

[jason]

I posted this a few days ago in the general help & support group, but I
think it's probably more likely a security admin issue - sorry for
multiple posts.

Our wireless network comrises three XP Home systems and one XP Pro
machine. All share fiiles and printers. Suddenly, though, whenever I
open My Network Places on one of the XP Home machines and try to open a
folder on the Pro machine, it pops up a logon dialog box for the Guest
user on the Pro system. The Guest id exists on the Pro system, but
regardless of whether it's enabled or not (and has been disabled
routinely forever) and regardless of the password assigned, logon fails.
This is new behavior after a failed attempt to install IE7 that required
hours on the phone with MS support. The support folks had me download
and run two command-line utilities that spent a great deal of time
"repairing" permissions problems with Registry entries. I don't know if
that is the cause of my trouble or not. And I don't know how to
diagnose/fix the problem.

TIA

Jason

 

[Anton Pegan]

Hi Jason,

First run gpedit.msc again and take a look at the following keys:

Computer Configuration/Windows Settings/Security Settings/Local Policies.
Under User Rights Assignments check the following keys:

-Access this computer from network (Guest should be in)

-Deny access to this computer from network (remove Guest and Everyone group)

Under the Security options take a look at this key:

-Accounts: Limit local account use of blank passwords to console logon only
(disabled)-only if local administrators do not have passwords

-Accounts: Guest account status (Enabled)

-Network access: Do not allow anonymous enumerations of SAM accounts
(enabled)

-Network access: Do not allow anonymous enumerations of SAM accounts and
shares (disabled)

-Network access: Allow anonymous SID/Name translation (disabled)

-Network access: Let everyone permission apply to the anonymous user
(disabled)

-Network Access: Sharing and security model for local accounts (Guest only)

Also check the permissions that you set on your shared folders (give
everyone read permissions). Set passwords for the Administrator account and
the account you are using to logon.

Regards,

Anton Pegan

 

[jason]

Hi Jason,

First run gpedit.msc again and take a look at the following keys:

Computer Configuration/Windows Settings/Security Settings/Local Policies.
Under User Rights Assignments check the following keys:

-Access this computer from network (Guest should be in)

-Deny access to this computer from network (remove Guest and Everyone group)

Under the Security options take a look at this key:

-Accounts: Limit local account use of blank passwords to console logon only
(disabled)-only if local administrators do not have passwords

-Accounts: Guest account status (Enabled)

Strange... Geust account status shows a "Not Applicable" and trying to
change it presents me with options that are "gray'd out" so I cannot
change anything.

-Network access: Do not allow anonymous enumerations of SAM accounts
(enabled)

-Network access: Do not allow anonymous enumerations of SAM accounts and
shares (disabled)

-Network access: Allow anonymous SID/Name translation (disabled)

Also "Not Applicable" and I cannot change anything

-Network access: Let everyone permission apply to the anonymous user
(disabled)

-Network Access: Sharing and security model for local accounts (Guest only)

Also check the permissions that you set on your shared folders (give
everyone read permissions). Set passwords for the Administrator account and
the account you are using to logon.

Regards,

Anton Pegan

The rest of the settings are as you described they should be.

Enabling/disabling the Guest account from the Control Panel app doesn't
affect the "Not Applicable" status.

?

Jason

 

[jason]

This is too weird... Shortly after I posted the previous response, I
took another look and the references to the Guest account were no longer
showing "Not Applicable" status. All the settings are now per your post.
I walked to another machine and tried to access a shared folder. It
prompted me for a password again, but this time it accepted it and
displayed the folder contents. Other shared resources appear to work
properly, including a shared printer which had reported Access Denied
earlier when I tried to use it.

I have enabled the Guest account. Perhaps this made the difference,
except that I know it was previously NOT enabled and everything had
worked properly until recently.

So I guess I'm back on the air.

Thanks so much for your help, Anton. I surely would never have figured
this out myself. I'm just a lowly application developer with 35 years of
experience... and a somewhat reluctant Windows user .

Jason

 

[jason]

So I guess I'm back on the air.

Mostly. One of the Home machines still asks for a Guest logon, but it
accepts the password and file access works. This isn't how it worked
before, but at least I can access resources.

One curiosity: I went back into GPEDIT and there are little padlock
icons on many of the lines. I presume this means they are locked, but by
whom and why? (I am logged in as Administrator).

Jason

 

[Anton Pegan]

Hi Jason,

If you are logged on with the Administrator account, you should have
everything enabled (unlocked). Perhaps some other application disabled them
(try running your computer in safe mode and check the issue). Because
Windows XP Home does not have Group Policy Editor, you can check some
settings in the registry (Start/Run/regedit), just open the following key:
HKLM/System/CurrentControlSet/Control/Lsa.

Regards,

Anton Pegan

 

[jason]

Hi Jason, Because
Windows XP Home does not have Group Policy Editor, you can check some
settings in the registry (Start/Run/regedit), just open the following key:
HKLM/System/CurrentControlSet/Control/Lsa.

Regards,

Anton Pegan

The system is XP Pro. If I run gpedit as Administrator, I don't see the
padlocks. If I run it from my normal ID, which has Admin privileges,
they show up. A mystery... : )

Jason