Two-computer network, MSHOME is not accessible" on both

Jonathan Sachs · Apr 9, 2007

I'm trying to establish file sharing between my desktop computer and a
portable computer. The desktop is running Windows XP Professional
SP2. The portable is running Windows XP Tablet Edition SP2. Both are
configured to use Microsoft Windows Network with the default workgroup
name, MSHOME.

Both computers are connected to my broadband modem and can access the
Internet.

When I try to access either computer from the other, Windows Explorer
will not show me the machines on the network. When I click the
workgroup name, Windows Explorer displays a message that says, "MSHOME
is not accessible. You might not have permission to use this network
resource.... The list of servers for this workgroup is not currently
available."

Both machines are firewalled by Norton Internet Security 2007. On
each machine I set Norton's trusted zone to include the other
computer's IP address. The desktop can ping the portable, but the
portable times out when it pings the desktop, for reasons that are not
clear to me.

I have searched the web for advice and found lots of it, but I have
tried all of the suggestions that seemed applicable, without results.
One was to make sure that the registry entry
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
was set to 0. On the portable it already was; on the desktop it was
set to 1, and I set it to 0, but that did not help. (I accordingly
set it back to 1.)

At this point I'm baffled. Any suggestions are welcome.

Robert L [MVP - Networking] · Apr 9, 2007

if disable Norton or any firewall on both computer, can you ping each other by IP?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
I'm trying to establish file sharing between my desktop computer and a
portable computer. The desktop is running Windows XP Professional
SP2. The portable is running Windows XP Tablet Edition SP2. Both are
configured to use Microsoft Windows Network with the default workgroup
name, MSHOME.

Both computers are connected to my broadband modem and can access the
Internet.

When I try to access either computer from the other, Windows Explorer
will not show me the machines on the network. When I click the
workgroup name, Windows Explorer displays a message that says, "MSHOME
is not accessible. You might not have permission to use this network
resource.... The list of servers for this workgroup is not currently
available."

Both machines are firewalled by Norton Internet Security 2007. On
each machine I set Norton's trusted zone to include the other
computer's IP address. The desktop can ping the portable, but the
portable times out when it pings the desktop, for reasons that are not
clear to me.

I have searched the web for advice and found lots of it, but I have
tried all of the suggestions that seemed applicable, without results.
One was to make sure that the registry entry
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
was set to 0. On the portable it already was; on the desktop it was
set to 1, and I set it to 0, but that did not help. (I accordingly
set it back to 1.)

At this point I'm baffled. Any suggestions are welcome.

Jonathan Sachs · Apr 10, 2007

if disable Norton or any firewall on both computer, can you ping each other by IP?

I can indeed.

Norton's interface is so elaborate and poorly structured that it's
unclear how to find the setting(s) responsible. I can probably find
it/them if I look very hard, but if someone can suggest what to look
for, that may shorten the task.

Once the firewalls were disabled, both machines were able to display
the network. However, both reported that the network contained only
one computer -- the portable. That's clearly an independent problem,
but again, it's a baffling one.

Chuck · Apr 10, 2007

I can indeed.

Norton's interface is so elaborate and poorly structured that it's
unclear how to find the setting(s) responsible. I can probably find
it/them if I look very hard, but if someone can suggest what to look
for, that may shorten the task.

Once the firewalls were disabled, both machines were able to display
the network. However, both reported that the network contained only
one computer -- the portable. That's clearly an independent problem,
but again, it's a baffling one.

Jonathan,

It's a known problem. The error "The list of servers for this workgroup is not
currently available." comes from lack of browser SMBs, in your case with the
firewall blocking either SMBs directly hosted (NetBT NOT Enabled) or SMBs over
NetBT (NetBT being CONSISTENTLY Enabled). You absolutely must be consistent
here.
<http://nitecruzr.blogspot.com/2006/07/advanced-windows-networking-using.html>
http://nitecruzr.blogspot.com/2006/07/advanced-windows-networking-using.html

Jonathan Sachs · Apr 10, 2007

It's a known problem. The error "The list of servers for this workgroup is not
currently available." comes from lack of browser SMBs...

Thanks for your assistance. With your guidance and some rummaging
around in Norton, I have almost got the thing to work.

At this point each computer can see the network, and can see the other
on the network. The desktop computer can access shared folders on the
portable, but the portable cannot access shared folders on the
desktop. When it tries, it gets the error message:

[systemname] is not accessible... Login failure: the user has not been
granted the requested logon type at the computer.

I am logged in with the same name on both computers, using the same
password on both, so I expected each computer to be able to access the
other without requiring me to enter a password.

I tried to research this myself, and concluded that the problem was my
setting for the "Access to this computer from the network..." policy
in the "User Rights Assignment" section of "Administrative Tools." On
the portable computer it is set to a long list of values which
includes "Everyone" and "Users." On the desktop computer it was set
to only "ASPNET."

I changed that policy on the desktop computer to include "Everyone."
It didn't help, though, even when I rebooted the portable. I then
tried adding "Users" and "Power Users" to the policy, but
Administrative Tools refused to accept those values, saying they did
not exist. Microsoft's documentation appears to say that they are
standard (predefined) group names, so I don't know what to make of
that.

I've got a couple of puzzles now. The first is why the portable still
can't access shared folders on the desktop computer.

The second is the ASPNET entry in "Access to this computer from the
network..." in the course of trying to duplicate the portable's
setting on the desktop I deleted this item and tried to redefine it,
and found that I could not! When I enter ASPNET, the policy applet
interprets it as "[systemname]\ASPNET". I have no idea what ASPNET is
-- it's certainly nothing of mine -- so I have no idea what the
significance of this problem is, much less how to correct it.

Chuck · Apr 11, 2007

It's a known problem. The error "The list of servers for this workgroup is not
currently available." comes from lack of browser SMBs...

Click to expand...

Thanks for your assistance. With your guidance and some rummaging
around in Norton, I have almost got the thing to work.

At this point each computer can see the network, and can see the other
on the network. The desktop computer can access shared folders on the
portable, but the portable cannot access shared folders on the
desktop. When it tries, it gets the error message:

[systemname] is not accessible... Login failure: the user has not been
granted the requested logon type at the computer.

I am logged in with the same name on both computers, using the same
password on both, so I expected each computer to be able to access the
other without requiring me to enter a password.

I tried to research this myself, and concluded that the problem was my
setting for the "Access to this computer from the network..." policy
in the "User Rights Assignment" section of "Administrative Tools." On
the portable computer it is set to a long list of values which
includes "Everyone" and "Users." On the desktop computer it was set
to only "ASPNET."

I changed that policy on the desktop computer to include "Everyone."
It didn't help, though, even when I rebooted the portable. I then
tried adding "Users" and "Power Users" to the policy, but
Administrative Tools refused to accept those values, saying they did
not exist. Microsoft's documentation appears to say that they are
standard (predefined) group names, so I don't know what to make of
that.

I've got a couple of puzzles now. The first is why the portable still
can't access shared folders on the desktop computer.

The second is the ASPNET entry in "Access to this computer from the
network..." in the course of trying to duplicate the portable's
setting on the desktop I deleted this item and tried to redefine it,
and found that I could not! When I enter ASPNET, the policy applet
interprets it as "[systemname]\ASPNET". I have no idea what ASPNET is
-- it's certainly nothing of mine -- so I have no idea what the
significance of this problem is, much less how to correct it.

Microsoft documents predefined group names, because that's how you start out.
If you change the groups, you gotta change the group designations. Did you
check both LSP lists?
# "Deny access to this computer from the network".
# "Access this computer from the network".
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help

Is Simple File Sharing Enabled, or Disabled, on the Desktop?
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Guest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Guest

Jonathan Sachs · Apr 11, 2007

Microsoft documents predefined group names, because that's how you start out.
If you change the groups, you gotta change the group designations. Did you
check both LSP lists?
# "Deny access to this computer from the network".
# "Access this computer from the network".
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help

Is Simple File Sharing Enabled, or Disabled, on the Desktop?
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Guest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Guest

I'm afraid this does not make things clearer. I checked my options
and found that I am using simple file sharing (which is fine for now,
since no one else uses these machines).

According to the reference you gave, I should be fine if "Guest" is
not in the "Denied" list and "Everyone" is in the "Access" list. That
is the case, yet the portable computer cannot use files on the desktop
computer.

"Access this computer from the network" contains: Everyone, ASPNET.

"Deny access to this computer from the network" contains:
SUPPORT_38895a0.

Chuck · Apr 11, 2007

I'm afraid this does not make things clearer. I checked my options
and found that I am using simple file sharing (which is fine for now,
since no one else uses these machines).

According to the reference you gave, I should be fine if "Guest" is
not in the "Denied" list and "Everyone" is in the "Access" list. That
is the case, yet the portable computer cannot use files on the desktop
computer.

"Access this computer from the network" contains: Everyone, ASPNET.

"Deny access to this computer from the network" contains:
SUPPORT_38895a0.

The Local Security Policy settings is one part of the puzzle. Is Guest
Activated for Network Access, on each computer?
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate

Jonathan Sachs · Apr 11, 2007

The Local Security Policy settings is one part of the puzzle. Is Guest
Activated for Network Access, on each computer?
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate

The desktop's Guest account was disabled (for good reasons, I
thought), but I enabled it, and I still could not access the machine.
I tried rebooting the portable, but that did not help. I assume there
is no need to reboot the desktop in this situation.

I have questions about the security implications of enabling the Guest
account, since it apparently cannot be password protected, but I will
defer those until it's clear that this is part of the solution.

Chuck · Apr 11, 2007

The desktop's Guest account was disabled (for good reasons, I
thought), but I enabled it, and I still could not access the machine.
I tried rebooting the portable, but that did not help. I assume there
is no need to reboot the desktop in this situation.

I have questions about the security implications of enabling the Guest
account, since it apparently cannot be password protected, but I will
defer those until it's clear that this is part of the solution.

Actually, you can put a password on Guest, just as any other account. With SFS
though most people don't password protect anything. If you had a non-blank
password set on either computer, but not the other, you'll have a problem there.

If you have SFS, Guest is it. Is Guest a member of "Everyone"?

Jonathan Sachs · Apr 13, 2007

Actually, you can put a password on Guest, just as any other account.

I was referring to a page from Microsoft's Windows XT documentation...

http://www.microsoft.com/resources/...proddocs/en-us/usercpl_overview.mspx?mfr=true

...., which says, "The guest account is intended for use by someone who
has no user account on the computer. There is no password for the
guest account, so the user can log on quickly to check e-mail or
browse the Internet."

I assumed that "there is no password" means "there is no password."
In retrospect I see that it could be interpreted to mean "by default,
there is no password," but that interpretation seems strained to me.
I'd hate to have to say whether Microsoft's statement is unclearly
worded or just plain wrong.

I tried to coax User Accounts into letting me define a password for
Guests, but it refused, although I am logged in as an administrative
user. Based on that, I would have said quite positively that Guest
cannot have a password. if it can, there must be some more obscure
procedure for creating one.

That's a side issue, but it reminds me that Microsoft documentation is
as likely to get me in trouble as get me out, and that even trying
something to see how it works can be misleading! Please bear this in
mind and be patient if I seem reluctant to try things or look things
up for myself.

With SFS though most people don't password protect anything.

My concern is with someone who has physical access to my computer but
does not have permission to use it -- someone hired to water my plants
while I'm away, for example. They should not have access, period.
Thus SFS is perfectly adequate.

The "natural" way to deny access would be to delete the Guest account,
but apparently it has special functions which make that impossible.
Putting a strong password on it would be less direct but equally
effective.

If you had a non-blank
password set on either computer, but not the other, you'll have a problem there.

I checked, and found that Guest is unprotected on the desktop system.
On the portable computer is turned off. This adds to my puzzlement,
because as I understand the function of Guest, turning it off on the
portable computer should prevent sharing of files ON the portable
computer by others, but should not affect sharing of files BY the
portable computer on others. Yet I observe that the reverse is true.

If you have SFS, Guest is it. Is Guest a member of "Everyone"?

Apparently not. Until you asked the question, I assumed that groups
were predefined and immutable, since there is no Control Panel applet
for managing them. Once I realized that was not true, I found the
Local Users and Groups entry in Computer Management (Local), but its
list of groups does not even include Everyone. Yet Everyone is listed
in the security setting for "Access this computer from the network."

Might the absence of a definition for Everyone (and possibly other
missing or incorrect group definitions) be at the root of my problem?
If so, how can I tell what should be defined?

(I may never know, but I also wonder how the definitions got mangled.
I did not do it, since I didn't even know one could control group
definitions until now; nor did another user, because this computer has
never had another user.)

Here are my group definitions at present:

Administrators: Administrator, and the account I normally use.
Backup Operators: none.
Guests: Guest.
Network Configuration Operators: none.
Power Users: none.
Remote Desktop Users: none.
Replicator: none.
Users: NT AUTHORITY\Authenticated Users (S-1-5-11); NT
AUTHORITY\INTERACTIVE (S-1-5-4).
HelpServicesGroup: SUPPORT_388945a0.

Chuck · Apr 13, 2007

I was referring to a page from Microsoft's Windows XT documentation...

http://www.microsoft.com/resources/...proddocs/en-us/usercpl_overview.mspx?mfr=true

..., which says, "The guest account is intended for use by someone who
has no user account on the computer. There is no password for the
guest account, so the user can log on quickly to check e-mail or
browse the Internet."

I assumed that "there is no password" means "there is no password."
In retrospect I see that it could be interpreted to mean "by default,
there is no password," but that interpretation seems strained to me.
I'd hate to have to say whether Microsoft's statement is unclearly
worded or just plain wrong.

I tried to coax User Accounts into letting me define a password for
Guests, but it refused, although I am logged in as an administrative
user. Based on that, I would have said quite positively that Guest
cannot have a password. if it can, there must be some more obscure
procedure for creating one.

That's a side issue, but it reminds me that Microsoft documentation is
as likely to get me in trouble as get me out, and that even trying
something to see how it works can be misleading! Please bear this in
mind and be patient if I seem reluctant to try things or look things
up for myself.

My concern is with someone who has physical access to my computer but
does not have permission to use it -- someone hired to water my plants
while I'm away, for example. They should not have access, period.
Thus SFS is perfectly adequate.

The "natural" way to deny access would be to delete the Guest account,
but apparently it has special functions which make that impossible.
Putting a strong password on it would be less direct but equally
effective.

I checked, and found that Guest is unprotected on the desktop system.
On the portable computer is turned off. This adds to my puzzlement,
because as I understand the function of Guest, turning it off on the
portable computer should prevent sharing of files ON the portable
computer by others, but should not affect sharing of files BY the
portable computer on others. Yet I observe that the reverse is true.

Apparently not. Until you asked the question, I assumed that groups
were predefined and immutable, since there is no Control Panel applet
for managing them. Once I realized that was not true, I found the
Local Users and Groups entry in Computer Management (Local), but its
list of groups does not even include Everyone. Yet Everyone is listed
in the security setting for "Access this computer from the network."

Might the absence of a definition for Everyone (and possibly other
missing or incorrect group definitions) be at the root of my problem?
If so, how can I tell what should be defined?

(I may never know, but I also wonder how the definitions got mangled.
I did not do it, since I didn't even know one could control group
definitions until now; nor did another user, because this computer has
never had another user.)

Here are my group definitions at present:

Administrators: Administrator, and the account I normally use.
Backup Operators: none.
Guests: Guest.
Network Configuration Operators: none.
Power Users: none.
Remote Desktop Users: none.
Replicator: none.
Users: NT AUTHORITY\Authenticated Users (S-1-5-11); NT
AUTHORITY\INTERACTIVE (S-1-5-4).
HelpServicesGroup: SUPPORT_388945a0.

If Everyone is the group (the only group??) listed for "Access this computer
from the network.", and if Guest isn't a member of Everyone, then Guest won't be
able to access the computer from the network. That's one problem. Make Guest a
member of "Everyone".

Now, instead of playing with User Accounts, which is used to setup Local access,
go to Administrative Tools, then Computer Management. Or, from a command
window, enter "control userpasswords2". You can password protect Guest with no
problem.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Synchronise>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Synchronise

Jonathan Sachs · Apr 14, 2007

If Everyone is the group (the only group??) listed for "Access this computer
from the network.", and if Guest isn't a member of Everyone, then Guest won't be
able to access the computer from the network. That's one problem. Make Guest a
member of "Everyone".

Would it were so easy.

Since the list of groups in Computer Management's "Groups" folder does
not show Everyone, I right-clicked the list and selected "New Group."
I entered the group name Everyone and added Guest to the group. Then
I clicked the Create button and got the error:

The following error occurred while attempting to create the group
Everyone on computer <systemname>:
The account already exists.

I puzzled over whether "account" meant "group" (the message would make
sense, but would not be true) or "user account" (the message would be
true, but would make no sense). I tried creating the group Everyone
with no members and got the same message, which means that it must be
the former. It follows that the group Everyone is defined, but is not
accessible through the list of groups, which makes it impossible to
manage.

It occurred to me that if I cannot add Guest to Everyone's set of
members, perhaps I can add Everyone to Guest's set of groups. I tried
this operation and found that Computer Management does indeed provide
for it. When I tried to do it, though, I got the error "An object
named "Everyone" cannot be found."

So the first approach won't let me add user account Guest to group
Everyone because Everyone is not in the list of groups, and won't let
me create it because it already exists; and the second approach won't
let me add for him in a group Everyone to user account Guest because
Everyone does NOT already exist.

Where do we go from here?

Chuck · Apr 15, 2007

Would it were so easy.

Since the list of groups in Computer Management's "Groups" folder does
not show Everyone, I right-clicked the list and selected "New Group."
I entered the group name Everyone and added Guest to the group. Then
I clicked the Create button and got the error:

The following error occurred while attempting to create the group
Everyone on computer <systemname>:
The account already exists.

I puzzled over whether "account" meant "group" (the message would make
sense, but would not be true) or "user account" (the message would be
true, but would make no sense). I tried creating the group Everyone
with no members and got the same message, which means that it must be
the former. It follows that the group Everyone is defined, but is not
accessible through the list of groups, which makes it impossible to
manage.

It occurred to me that if I cannot add Guest to Everyone's set of
members, perhaps I can add Everyone to Guest's set of groups. I tried
this operation and found that Computer Management does indeed provide
for it. When I tried to do it, though, I got the error "An object
named "Everyone" cannot be found."

So the first approach won't let me add user account Guest to group
Everyone because Everyone is not in the list of groups, and won't let
me create it because it already exists; and the second approach won't
let me add for him in a group Everyone to user account Guest because
Everyone does NOT already exist.

Where do we go from here?

I think that would be a brain fart of mine, Jonathan. You can't maintain
Everyone - that's a special group that defines all accounts together. Guest, by
definition, is a member of "Everyone". As are all other accounts.

So here are the rules for Guest.
* The "Guest" account must be properly setup, and activated for network use.
* "Guest" must NOT be in LSP #1.
* "Everyone" must be in LSP #2.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Help

Starting from there, where do we go next? I'm going to recommend that we start
from the bottom, and test upwards. I'm not convinced that you have unrestricted
connectivity. Since we're using Guest, check restrictanonymous again please.
You noted above that you changed it from 1 to 0 and back to 1. With Guest
authentication, it must be 0.
<http://nitecruzr.blogspot.com/2005/07/restrictanonymous-and-your-server.html>
http://nitecruzr.blogspot.com/2005/07/restrictanonymous-and-your-server.html
<http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>
http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html
<

Jonathan Sachs · Apr 15, 2007

Starting from there, where do we go next? I'm going to recommend that we start
from the bottom, and test upwards. I'm not convinced that you have unrestricted
connectivity. Since we're using Guest, check restrictanonymous again please.
You noted above that you changed it from 1 to 0 and back to 1. With Guest
authentication, it must be 0.

It now works!

We can both breathe a huge sigh of relief, but I have one other
concern. I keep notes on everything I do to my system(s) so that I can
duplicate the operations if I should ever have to rebuild. This
process has been so involved that I have completely lost track of what
I did! Should the steps in your last message do the whole job, or
must I include earlier stuff, no longer fresh in my memory?

Chuck · Apr 16, 2007

It now works!

We can both breathe a huge sigh of relief, but I have one other
concern. I keep notes on everything I do to my system(s) so that I can
duplicate the operations if I should ever have to rebuild. This
process has been so involved that I have completely lost track of what
I did! Should the steps in your last message do the whole job, or
must I include earlier stuff, no longer fresh in my memory?

Two-computer network, MSHOME is not accessible" on both

Jonathan Sachs

Robert L [MVP - Networking]

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck

Jonathan Sachs

Chuck