Using a Group Policy in an XP Workgroup

[Guest]

I have a small office network all on XP Pro and all in the same Workgroup. I
do not run Active Server Directory and do not operate a Domain.

Two of the PC's operate as file servers. I want to manage access to folders
on the file servers by allowing certain groups and not others.

I want the members of the Groups to be Workgroup PC's. In other words,
whomever is logged on to the PC will have access to the folders.

I would also consider using Users as the members of a Group if I could work
out an easy way to create a single user entity for each employee that could
operate across the whole Workgroup.

I know how to add in snap-ins to MMC on the file servers but am not sure
which ones to add and how to configure them to achieve the above.

Any help would be appreciated.

 

[Doug Knox MS-MVP]

Create a BAT file using the NET USE command. Open a Command Prompt window and enter NET USE /? for the command line options. Use a username and password that exists on the file server to enable access to the file server's folders.

Then, on the machines that you want to be able to access the file servers, run GPEDIT.MSC. Go to User Configuration, Windows Settings, Scripts. Here you can point the logon script to the BAT file you created. Additionally, you could create a BAT file that undoes the drive mapping, and set it as the log off script.

Since you're not in a domain, these settings apply to all users of the machine.

 

[Colin Nash [MVP]]

I have a small office network all on XP Pro and all in the same Workgroup.
I
do not run Active Server Directory and do not operate a Domain.

Two of the PC's operate as file servers. I want to manage access to
folders
on the file servers by allowing certain groups and not others.

I want the members of the Groups to be Workgroup PC's. In other words,
whomever is logged on to the PC will have access to the folders.

I would also consider using Users as the members of a Group if I could
work
out an easy way to create a single user entity for each employee that
could
operate across the whole Workgroup.

I know how to add in snap-ins to MMC on the file servers but am not sure
which ones to add and how to configure them to achieve the above.

Any help would be appreciated.

Sounds like you are asking how to put permissions on files and shares. This
isn't really a Group Policy thing. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 for info.
Also see http://support.microsoft.com/?kbid=290403 (you may need to change
XP's default behavior of authenticating as a guest while installed in a
workgroup.)

Without a domain, you will need matching accounts on all PCs for all users
(same names+password) - this means that if the users all have their own
accounts, you could have a lot of work to do to keep things in sync. It
would be simplified if everyone just used a generic "user" account on each
PC (in fact, you could set up Windows to automatically log on with that
account.)

If there's nobody else on the network, and you don't want to be very
granular (i.e. Bob can access FolderA, Susan can read FolderA but not make
changes, but she can do anything on FolderB) you could just set your
permissions to allow "Everyone"

As for " I could work out an easy way to create a single user entity for
each employee that could operate across the whole Workgroup." - you have
basically described one of the main reasons for getting domain. Microsoft
does have a Server product designed (and priced) for smaller environments
that allows you to set up a domain. Small Business Server 2003:
http://www.microsoft.com/windowsserver2003/sbs/default.mspx (no I don't work
for them and I'm not trying to sell it to you!!, just making sure you know
that there is a product.)

 

[Guest]

Thanks Colin & thanks Doug

You are correct in saying that I wantng to put permissions in place for
files and shares.

I have done a bunch of research and I am coming to the conclusion that I
really need a domain. I actually have a copy of SBS 2003 and I suppose I have
tended not to deploy that because I am not a techie type and was afraid that
the level of complexity in setting up and maintaining would be too great.

Do you know how hard it would be for me to implement SBS 2003?

 

[Steve Winograd [MVP]]

I have a small office network all on XP Pro and all in the same Workgroup. I
do not run Active Server Directory and do not operate a Domain.

Two of the PC's operate as file servers. I want to manage access to folders
on the file servers by allowing certain groups and not others.

I want the members of the Groups to be Workgroup PC's. In other words,
whomever is logged on to the PC will have access to the folders.

I would also consider using Users as the members of a Group if I could work
out an easy way to create a single user entity for each employee that could
operate across the whole Workgroup.

I know how to add in snap-ins to MMC on the file servers but am not sure
which ones to add and how to configure them to achieve the above.

Any help would be appreciated.

Group policy isn't necessary -- you can set the permissions directly
in XP Pro. Ron Lowe and I have written a web page with full details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

Access control in XP Pro is based on user accounts, not on computer
names.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[Lanwench [MVP - Exchange]]

In

Thanks Colin & thanks Doug

You are correct in saying that I wantng to put permissions in place
for files and shares.

I have done a bunch of research and I am coming to the conclusion
that I really need a domain. I actually have a copy of SBS 2003 and I
suppose I have tended not to deploy that because I am not a techie
type and was afraid that the level of complexity in setting up and
maintaining would be too great.

Do you know how hard it would be for me to implement SBS 2003?

I suggest you look for a consultant to do the setup for you. A *good*
consultant who has done a lot of these setups - get references. SBS has tons
of wizards that will walk you through the setup, but there is still a lot to
know - and wizards should be viewed as a timesaver, not a substitute for
knowlege.

Invest in good hardware for your server, too, or it doesn't matter how well
you set things up. Hardware SCSI RAID, 1GB RAM, UPS, tape drive....those are
all mandatory for servers in my view, even on small networks.

The consultant can show you how to do any day-to-day admin, too.

Note that the best newsgroup for SBS help is in
microsoft.public.windows.server.sbs - there are a lot of very smart &
friendly people in there, and I am sure you'll get a ton of information.

 

[Guest]

Thanks Lanwench & thanks Steve

I am going to persevere with trying user permissions (thanks for the url)
and hopefully implement my requirements that way.

Thanks for the assistance - it's very much appreciated.

 

[Lanwench [MVP - Exchange]]

In

Thanks Lanwench & thanks Steve

I am going to persevere with trying user permissions (thanks for the
url) and hopefully implement my requirements that way.

Thanks for the assistance - it's very much appreciated.

You're welcome. Best of luck. I do think you should confront your Fear of
Domains, though.....it would make life SO much easier for you, and your
users would benefit from it too. I may be biased, but I think Exchange is a
wonderful thing to use on a network of nearly any size, and you bought SBS
already.

 

[Guest]

Implemented as per Steve's web site and all working OK.

I agree Lanwench - I think a PDC will be the better long term outcome.

One problem has arisen though - I have shared printers on the file server
and they are now unavailable to users unless they jave already logged in to
that machine.

This is not a major problem but it would be nice to not have to do that.

I guess I could alter the Security and Permissions on the printer shares to
allow Everyone?

Do you think that doing this is a security risk on the LAN? In other words,
I ahve just removed the default Permissions for the Everyone group and now I
am about to reinstate it on two shares.

Cheers

David

 

[Lanwench [MVP - Exchange]]

In

Implemented as per Steve's web site and all working OK.

I agree Lanwench - I think a PDC will be the better long term outcome.

One problem has arisen though - I have shared printers on the file
server and they are now unavailable to users unless they jave already
logged in to that machine.

What do you mean by already logged in - to what machine? They're logging
into *their* machines, right - and the permissions on their *identical*
accounts on the server are set correctly?

This is not a major problem but it would be nice to not have to do
that.

I guess I could alter the Security and Permissions on the printer
shares to allow Everyone?
Sure.

Do you think that doing this is a security risk on the LAN?

You don't really have much in the way of security now, to be honest.

In other
words, I ahve just removed the default Permissions for the Everyone
group and now I am about to reinstate it on two shares.

The share permissions should always be everyone=full control (note that
there is some argument on this point - I do it this way) and the NTFS
permissions are what control what. You don't need to use Everyone for that.
You can use individual users, or groups, on the 'host'/server.

 

[Guest]

--

David M

In

What do you mean by already logged in - to what machine? They're logging
into *their* machines, right - and the permissions on their *identical*
accounts on the server are set correctly?

Yes - they log into their local PC however on the first attempt of the day
to access a resource on a different workgroup PC to which they have
permission they are prompted for a uname & pwd log in. Once they does this
once they don't have to do it again until they reboot their PC.

But they already need to log into their workstations anyway <is puzzled>

See above.

You don't really have much in the way of security now, to be honest.
<whispers: build your sbs box>

Yeah - you're right. I know.

 

[Lanwench [MVP - Exchange]]

In

Yes - they log into their local PC however on the first attempt of
the day to access a resource on a different workgroup PC to which
they have permission they are prompted for a uname & pwd log in. Once
they does this once they don't have to do it again until they reboot
their PC.

Same workgroup, though? Make sure the user name and password exists
identically on the server and any other machine they need to access shares
on. This is yet another reason I prefer domains.

 

[Guest]

--

David M

In

Same workgroup, though? Make sure the user name and password exists
identically on the server and any other machine they need to access shares
on. This is yet another reason I prefer domains.

Same workgroup and identical uname & pwd combos on all machines. I deleted
all printers from each workstation and reinstalled which appears to have
solved this problem.

I am no longer seeing the uname & pwd box when I access a shared folder. I
am hoping this is because XP is smart and knows that I am logged in; my
credentials match and therefore no need to prompt me for authentication
....... then again that could be me just being overly optimistic.

;-)

 

[Lanwench [MVP - Exchange]]

In

Same workgroup and identical uname & pwd combos on all machines. I
deleted all printers from each workstation and reinstalled which
appears to have solved this problem.

I am no longer seeing the uname & pwd box when I access a shared
folder. I am hoping this is because XP is smart and knows that I am
logged in; my credentials match and therefore no need to prompt me
for authentication ...... then again that could be me just being
overly optimistic.

;-)

Glad you got it working....and yes, you're correct in your assumption. Just
remember, when you change passwords (which you & everyone should do
regularly) that you need to change them in two places.

<snip>

 

[Guest]

--

David M

In

Glad you got it working....and yes, you're correct in your assumption. Just
remember, when you change passwords (which you & everyone should do
regularly) that you need to change them in two places.

<snip>

Thanks Lanwench for all the help. Much appreciated.

Next challenge is my SBS server ....

Ciao

 

[Lanwench [MVP - Exchange]]

In David M <[email protected]> typed:

Thanks Lanwench for all the help. Much appreciated.

Most welcome!

Next challenge is my SBS server ....

Try posting in microsoft.public.windows.server.sbs and you will find a lot
of help there.