Manage 30 XP, 2000, 98 without Domain Controller

hkcat0

Background
I am a teacher, but I need to manage my school's workgroup peer-to-peer
network because I have a little more experience than the other teachers.
The network has 15 XP Home, 5 XP Pro, 10 2000 Pro and 5 98SE. Those
machines are in two buildings connected by a VPN router under the same
workgroup. Each machine has only 2 kinds of account: a student
account (restricted user) and a teacher account (administrator).

Current situation
I manage those machines through remote desktop and some VNC program, logging
into each machine one by one to install or uninstall software.
Pretty easy job but boring. Because teachers don't have a fixed computer
to use, they share out the whole root C: so they can get access to the
files from whichever computer they are using later. The problem is that students
can access those shared folders (with sensitive info like test papers).
Different teachers can access each other's shared folders because there are
only 2 kinds of account. And there is a matrix of shared drives and
folders.

Attempt
I tried to set permissions on those shared folders and the next day some
teachers complained about not being able to browse into their shares, so I turned
it off after verifying that the machine does ask for a password; I tried
the only password we use and still got no access.
I tried to set up one machine as the file server and set up a folder for
each teacher, but they don't like the idea of saving files into the
\\fileserver\teacherA folder. They are used to saving files in My
Documents, sharing it and accessing it anywhere.

Goal
The management asked me to set up something so that only a teacher can
access his/her own files from any machine. No student or other
teacher is able to access the folder.
At the same time, set up a shared folder for all teachers to exchange files
among themselves.

My Solution
Create an account for each teacher (around 40 of them) on each machine
(30 of them); that means 40 x 30 = 1200 accounts. After that, set
permissions on the folders. I really don't think it is a good idea because
it is a lot of work.
We don't have a domain controller, and even if we had one, no one would be able to
use it. Half of our teachers need a lot of assistance to apply for a
Yahoo email account, and most of them have no idea of directory
structure, so anything new, advanced or fancy will not work. As I said,
for most of them the only place to save files is My Documents.
 
Steven L Umbach

Keep in mind that in your situation only XP Pro and Windows 2000 computers
are considered secure operating systems that can restrict access to
shares/folder based on user credentials and for such XP Pro needs to have
simple file sharing disabled. What you might try is to use some of the XP
Pro computers as your "servers" keeping in mind that a non server operating
system can accept only 10 simultaneous connections via file and print
sharing. You can use the command net sessions to see current sessions to a
computer or use Computer Management/shared folders/sessions.

You would only need to create the user accounts on the computers that are
offering shares to the users and each user logon must have a password. Then
the user can logon to their computer using the same logon/password that
exists on the "server" and should get seamless access to their folder. You
can create individual shares for each user that are at the same level [not
nested in each other] or create one share and then a folder in the share
folder for each user in the share. Give the "share" folder needed
permissions for the users which would be read/change for users/group that
need to be able to read/write/delete and just read for users that need to
read/execute only. Then configure NTFS permissions on each user folder in
the share so that only the user has permissions to the folder and
administrators if you want administrators to have access. The links below
may be of help. --- Steve

http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
 
CCC

Thank you so much Steve

Your explanation and the links provide information on why my last
attempt to set up an XP File server caused so many access problems. For
example, as mentioned by
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

Unable to Browse the Network
On a Windows 95/98/Me machine, the most common cause of this is that
the user isn't logged on. (This means I still need to create the same
account on 98 machines)

User is prompted for IPC$ Password
Your current user name doesn't exist on the XP machine. To fix this,
either enable the Guest account, or log in with a user name which has a
valid account on the XP machine. (This also means I still need to create
the same account on 98 machines)

I think the solution is
1) Create 40 accounts on the XP File Server and 98 machines. Create 40
folders on the File Server, set up NTFS permissions on each folder.
2) Give a new user ID and password to 40 teachers.
3) Log in with the ID and PW when using a 98 machine
4) Log in as usual when using a 2000 or XP machine
5) Teach them how to open and save files to their own folder on the File
Server. If prompted for a password, use the new ID and PW given.

My new questions are
1) How to prevent them from sharing out local folders? Is a restricted
user account a solution? How about on a 98 machine?
2) I would like to map all 40 folders to each machine in order to make
the change easier to comply with. How to map 40 network folders to each
machine? There are only 26 drive letters and some of them have been
used. I think I can nest 40 folders under TeachFolder and map only the
TeachFolder to Drive X:. Any disadvantage? I heard that it slows down a
lot of software, especially MS Office when opening and saving files.
3) All machines are under the same workgroup "abcschool" now. By
assigning a different workgroup the machines will not be able to
communicate, right? So is it possible to make the workgroup change
according to who is logged in, e.g. when a student logs in, the workgroup
of the machine automatically becomes "abcschool_student" so that he will
not be able to see the File Server. When later a teacher logs in on the
same machine, the workgroup changes to "abcschool_teacher" and he is
able to access the File Server. Is this possible?
 
Steven L Umbach

Comments inline.


CCC said:
> Thank you so much Steve
>
> Your explanation and the links provide information on why my last
> attempt to set up an XP File server caused so many access problems. For
> example, as mentioned by
> http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm
>
> Unable to Browse the Network
> On a Windows 95/98/Me machine, the most common cause of this is that
> the user isn't logged on. (This means I still need to create the same
> account on 98 machines)
>
> User is prompted for IPC$ Password
> Your current user name doesn't exist on the XP machine. To fix this,
> either enable the Guest account, or log in with a user name which has a
> valid account on the XP machine. (This also means I still need to create
> the same account on 98 machines)
>
> I think the solution is
> 1) Create 40 accounts on the XP File Server and 98 machines. Create 40
> folders on the File Server, set up NTFS permissions on each folder.
> 2) Give a new user ID and password to 40 teachers.
> 3) Log in with the ID and PW when using a 98 machine
> 4) Log in as usual when using a 2000 or XP machine

I am not sure what you mean logon as usual but it usually makes sense to
have each user who uses a computer to have their own user account to logon
to with credentials that match their user accounts on the computer with the
shares though they could logon with a common account and then provide
credentials to access a folder that needs such.

> 5) Teach them how to open and save files to their own folder on the File
> Server. If prompted for a password, use the new ID and PW given.
>
> My new questions are
> 1) How to prevent them from sharing out local folders? Is a restricted
> user account a solution? How about on a 98 machine?

Windows 98 is not a secure operating system and you can not restrict who
creates shares. For XP only power users [in XP Pro/Windows 2000 only] or
administrators can create shares - not regular users.

> 2) I would like to map all 40 folders to each machine in order to make
> the change easier to comply with. How to map 40 network folders to each
> machine? There are only 26 drive letters and some of them have been
> used. I think I can nest 40 folders under TeachFolder and map only the
> TeachFolder to Drive X:. Any disadvantage? I heard that it slows down a
> lot of software, especially MS Office when opening and saving files.

It would be best to have one share with user folders in the share. Make sure
that the mapped drive does NOT connect at logon as the XP computer can only
take 10 connections at a time. Maybe you want to divide the load between two
or so XP Pro computers. Train users to only use the mapped network drive when
needed and disconnect when done or others can be denied access.

> 3) All machines are under the same workgroup "abcschool" now. By
> assigning a different workgroup the machines will not be able to
> communicate, right? So is it possible to make the workgroup change
> according to who is logged in, e.g. when a student logs in, the workgroup
> of the machine automatically becomes "abcschool_student" so that he will
> not be able to see the File Server. When later a teacher logs in on the
> same machine, the workgroup changes to "abcschool_teacher" and he is
> able to access the File Server. Is this possible?

That is not possible. The computer belongs to the workgroup - not users.
Also workgroups are NOT security boundaries as they are strictly for
convenience for browsing network resources. Rely on share and NTFS
permissions to manage who can access a share along with the user right for
access this computer from the network [Windows 2000 and XP Pro]. For instance
if you have a share just for teachers then create a group on the computer
with the share that contains only the teacher accounts. Then give only that
group access to the share [and administrators if appropriate]. I would also
make sure that auditing for logon events is enabled on the XP Pro computer
that will contain shares in Local Security Policy. Then you can view the
security log for logon failures to see if unauthorized users are trying to
access the computer and the computer they are trying such from. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
-- applying principle of least privilege to users in Windows XP
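
The logon-failure review suggested in the reply above, as an added example that is not part of Steve's post: it counts failed network logons per source workstation and lists attempted user names that have no account on the share host. The record layout (event ID plus description text) and all machine and account names are constructed for illustration; 529-537 and 539 are the Windows 2000/XP logon-failure event IDs and Logon Type 3 is a network logon.

```python
import re
from collections import Counter

# Windows 2000/XP Security-log event IDs that record a failed logon
# (529 = unknown user name or bad password; 538 is a logoff, so it is skipped).
FAILURE_IDS = set(range(529, 538)) | {539}
NETWORK_LOGON = "3"  # Logon Type 3: access over the network, e.g. to a share

# Pull the three fields of interest out of an event's description text.
FIELD = re.compile(
    r"^[ \t]*(User Name|Logon Type|Workstation Name):[ \t]*(.*?)[ \t]*$", re.M)

def _desc(user, logon_type, host, heading="Logon Failure"):
    """Build a constructed description in the layout of an XP logon event."""
    return (f"{heading}:\n\tUser Name:\t{user}\n\tDomain:\t\t{host}\n"
            f"\tLogon Type:\t{logon_type}\n\tWorkstation Name:\t{host}\n")

# Constructed sample records (event ID, description); not from a real log.
SAMPLE = [
    (529, _desc("student", 3, "LAB-07")),
    (529, _desc("teacherA", 3, "LAB-07")),   # real account, wrong password
    (529, _desc("guest1", 3, "lab-12")),
    (529, _desc("teacherB", 2, "FILESRV")),  # interactive logon at the console
    (540, _desc("teacherA", 3, "LAB-03", "Successful Network Logon")),
]

def network_logon_failures(records, known_accounts):
    """Return (failures per source workstation, attempted names with no account)."""
    by_host, unknown = Counter(), set()
    for event_id, text in records:
        if event_id not in FAILURE_IDS:
            continue
        fields = dict(FIELD.findall(text))
        if fields.get("Logon Type") != NETWORK_LOGON:
            continue  # keep only attempts that came in over the network
        by_host[(fields.get("Workstation Name") or "(blank)").upper()] += 1
        user = fields.get("User Name", "").lower()
        if user not in known_accounts:
            unknown.add(user)
    return by_host, unknown

if __name__ == "__main__":
    hosts, names = network_logon_failures(SAMPLE, {"teachera", "teacherb"})
    for host, count in hosts.most_common():
        print(f"{host}: {count} failed network logon(s)")
    print("names with no account on the server:", sorted(names))
```

A workstation that shows repeated failures under the shared "student" name is the pattern Steve describes: someone at that machine is trying the teacher share without a matching account.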
 
Guest

This is clearly a situation where a server-centric setup would be best. If
all documents are on one computer, then you have only one place where
security and backup need to be managed. (Well not quite as there is still the
issue of unauthorised software being installed, but still, it makes things
MUCH simpler to manage.) As you rightly point out, the connectivity-problems
with peer-groups grow by the square of the workgroup-size, and quickly become
unmanageable.

Since you have more than ten workstations a WinXP machine won't do as the
server. Linux with Samba is a good option, though Windows servers are
undoubtedly easier to manage.

To allow multiple users to logon to any computer without the need for
roaming profiles, MyLogon might be suitable. This makes the logon
server-centric instead of local, and is intended to be used with a setup where
users' files are all stored on the server. It doesn't require the computers
to be domain-members if you don't want to do that for whatever reason.
http://mylogon.net
 
CCC

> I am not sure what you mean logon as usual

I mean they still log on to the computer as before using only the "student" and
"teacher" accounts and prepare to be prompted for ID and PW when trying
to save on the XP Pro File Server.

> it usually makes sense to have each user who uses a computer to have their own user account to logon to with credentials that match their user accounts

I understand, but I am too busy or lazy to add 40 accounts for each
teacher and set permissions on every computer. Teachers come and go; I
can't keep adding and deleting accounts when new teachers arrive and old
teachers retire.
 
CCC

Thank you Ian,

That fine software seems to solve my problem of "anyone, any computer".
I can't believe it is free. I will read more before I test drive it.
I have find the information about how user accounts are handled. The
software says there is no need to install it on the server, so where are the user
ID and PW stored? On each client computer?
 
Malke

CCC said:
> I mean they still log on to the computer as before using only the "student" and
> "teacher" accounts and prepare to be prompted for ID and PW when trying
> to save on the XP Pro File Server.
>
> I understand, but I am too busy or lazy to add 40 accounts for each
> teacher and set permissions on every computer. Teachers come and go; I
> can't keep adding and deleting accounts when new teachers arrive and old
> teachers retire.

You have to do the necessary work so make the time.

Set up a Linux Samba server - since you don't want to spend time
learning new things, hire a local professional to do this for you.

An example of a Linux Samba file server for a school - which I set up
for my kid's laptop program - is that you make generic user accounts
and groups for the teachers and students. That way you don't need to
add "40 accounts" and change anything when new people come and go. You
will be able to set very fine-grained permissions on folders on the
server such as:

Teacher folder - only teachers (and root and selected users) can
read/write to it.
Handout folder - Everyone can read content, but students cannot write to
it.
Student folder to submit their work - Everyone can read/write to it.
Etc.

Malke
 
