Group Permissions

K Miller

Our organization has a peer-to-peer network with 10 machines, all Win XP
pro. We have a shared folder on one machine which, for lack of a better
term, acts as a "server". What I would like to do is limit access to some of
the subfolders. I thought I would be able to create a new group, add the
appropriate users and set permissions that way but I haven't had any luck
figuring it out. Is this possible in a peer-to-peer environment? Or is there
another way to implement this?

TIA,

K Miller
 
Kerry Brown

K said:
Our organization has a peer-to-peer network with 10 machines, all Win
XP pro. We have a shared folder on one machine which, for lack of a
better term, acts as a "server". What I would like to do is limit
access to some of the subfolders. I thought I would be able to create
a new group, add the appropriate users and set permissions that way
but I haven't had any luck figuring it out. Is this possible in a
peer-to-peer environment? Or is there another way to implement this?

TIA,

K Miller

It is possible. Make sure "simple file sharing" is turned off on all
computers. Make sure everyone has a different user name. Make sure all
accounts use passwords. Make sure the user names and passwords also exist on
the "server". Make sure the users are not members of the administrators
group on the "server".

http://support.microsoft.com/default.aspx?scid=kb;EN-US;307874

http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

Kerry
 
K Miller

Thanks for the prompt reply and links Kerry. I knew it would take someone
with a great first name like yours to figure this out! Just one question, I
will need to set up accounts for each user on the "server" in order to "make
sure the user names and passwords exist..."?

Kerry Miller
 
Malke

K said:
Thanks for the prompt reply and links Kerry. I knew it would take
someone with a great first name like yours to figure this out! Just
one question, I will need to set up accounts for each user on the
"server" in order to "make sure the user names and passwords
exist..."?

Yes, of course. Here's an example:

You have four users - Kerry, Malke, Bill, and Sue. You have a folder for
Marketing that you only want Sue to be able to get to (and you, of
course).

1. On the pseudo-server, make accounts for all 4 users with the
passwords matching the ones on the users' workstations.

2. On the pseudo-server, make Malke, Bill and Sue just plain users.
Kerry is the Administrator (also a member of users group).

3. On the pseudo-server, create a user group called Marketing. Add users
to this group - Kerry and Sue.

4. Set permissions on the folder so no one except the Marketing group
has read access. Now Malke and Bill won't be able to access that
folder.

One thing I should mention to you if this is a new setup. You have ten
machines, all accessing one pseudo-server. You may very well run into
the inbound concurrent connections limit. Note that inbound connections
doesn't mean *computers*; depending on what you are doing with the
pseudo-server, each workstation can make more than one connection to
it. See this link for more information:

http://support.microsoft.com/?id=314882

concurrent connections:

10 for XP Pro/Tablet/MCE
5 for XP Home
49 for SBS 2000
74 for SBS 2003
Unlimited for full Server O/Ses

If you run into this issue, the only way to get around it is to 1)
replace the XP Pro on the pseudo-server with a real MS server operating
system (SBS would be good for you); or 2) if the pseudo-server is just
a file server and isn't running any Windows programs, replace the XP
Pro on it with an operating system that doesn't have those limitations
such as Linux.

Depending on your business, a real server operating system has many
advantages such as centralized workstation management, antivirus, group
policies, etc.

Malke
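
Malke's four steps as they could be typed at an administrator command prompt on the pseudo-server, as an added example that is not part of the original thread. The folder path `D:\Shared\Marketing`, the extra SYSTEM grant and the `forceguest` check are assumptions made for the illustration.

```bat
@echo off
rem Added example: run on the pseudo-server from an administrator command prompt.
rem Assumption: the shared data sits on an NTFS volume at this hypothetical path.
set FOLDER=D:\Shared\Marketing

rem Per-user permissions need simple file sharing turned off.
rem A forceguest value of 0x0 means it is off; 0x1 means every network logon is Guest.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest

rem Step 1: create the four local accounts. "*" prompts for each password so it
rem never appears in the script; type the same password the user has on the workstation.
for %%U in (Kerry Malke Bill Sue) do net user %%U * /add

rem Step 2: new accounts start as plain members of Users; only Kerry is promoted.
net localgroup Administrators Kerry /add

rem Step 3: create the Marketing group and add its two members.
net localgroup Marketing /add /comment:"Access to the Marketing folder"
net localgroup Marketing Kerry Sue /add

rem Step 4: replace the folder's ACL. Without /E, cacls discards the existing
rem entries, so Users and Everyone lose access. /T applies it to the subtree.
rem Administrators and SYSTEM keep full control (assumption, for management and backup).
echo Y| cacls "%FOLDER%" /T /G Administrators:F SYSTEM:F Marketing:R

rem Check the result: the ACL should list only the three entries granted above,
rem and the group should list only Kerry and Sue.
cacls "%FOLDER%"
net localgroup Marketing
```

To confirm the restriction, log on at a workstation as Bill or Malke and try to open the folder through the share; access should be denied.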
 
Kerry Brown

K said:
Thanks for the prompt reply and links Kerry. I knew it would take
someone with a great first name like yours to figure this out! Just
one question, I will need to set up accounts for each user on the
"server" in order to "make sure the user names and passwords
exist..."?
Kerry Miller

It is a great name :)

Because you are using peer to peer (P2P) the same accounts must exist on the
server as well as the workstation. The server needs all the accounts. Each
workstation only needs the accounts of people who use that workstation. The
passwords must be the same on the server and the workstation accounts. If a
user changes their password they will lose access to the shares on the
server until you also change the password on the server. This is one of the
headaches of P2P networking. On the server you can create security groups
and assign share or NTFS permissions to the groups and/or individual users.

With 10 computers you are at the limit for Windows XP as a server. If all
you are doing is file sharing then I recommend you look at a Linux server or
the recent low cost network drives. The network drives are very attractive
price wise. You could actually purchase two and use one for backup for the
price of installing a Linux server. The network drives mostly run an
embedded version of Linux and are easy to setup and administer via a web
interface.

You may also want to look at Small Business Server 2003. It is a lower cost
way to get into a Windows server and has Exchange, SharePoint and more built
in. It can really streamline sharing documents, calendars etc. It would also
allow you to manage the network a lot better.

Kerry
 
K Miller

Malke said:
Yes, of course. Here's an example:

You have four users - Kerry, Malke, Bill, and Sue. You have a folder for
Marketing that you only want Sue to be able to get to (and you, of
course).

1. On the pseudo-server, make accounts for all 4 users with the
passwords matching the ones on the users' workstations.

2. On the pseudo-server, make Malke, Bill and Sue just plain users.
Kerry is the Administrator (also a member of users group).

3. On the pseudo-server, create a user group called Marketing. Add users
to this group - Kerry and Sue.

4. Set permissions on the folder so no one except the Marketing group
has read access. Now Malke and Bill won't be able to access that
folder.

One thing I should mention to you if this is a new setup. You have ten
machines, all accessing one pseudo-server. You may very well run into
the inbound concurrent connections limit. Note that inbound connections
doesn't mean *computers*; depending on what you are doing with the
pseudo-server, each workstation can make more than one connection to
it. See this link for more information:

http://support.microsoft.com/?id=314882

concurrent connections:

10 for XP Pro/Tablet/MCE
5 for XP Home
49 for SBS 2000
74 for SBS 2003
Unlimited for full Server O/Ses

If you run into this issue, the only way to get around it is to 1)
replace the XP Pro on the pseudo-server with a real MS server operating
system (SBS would be good for you); or 2) if the pseudo-server is just
a file server and isn't running any Windows programs, replace the XP
Pro on it with an operating system that doesn't have those limitations
such as Linux.

Depending on your business, a real server operating system has many
advantages such as centralized workstation management, antivirus, group
policies, etc.

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Thanks Malke and Kerry,

That's exactly what I'm looking for.

Kerry Miller
 
Manny Borges

Wow, I haven't played with that kind of network in quite a long while, and
correct me if I am wrong, but I seem to remember the biggest issue with this
is maintenance.

If a user changes their password on their local machine, then you have to
make sure that the "Server" has its password changed manually as well (of
course, to the exact same password), right?

Really any kind of directory service would be advisable here. NT4 server is
pretty cheap nowadays, and a machine to run it can be bought for 20 bucks.
--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

There are 10 kinds of people in the world. Those who do understand binary
and those who don't.
 
