Sign in with
Sign up | Sign in
Your question

Using a Group Policy in an XP Workgroup

Last response: in Windows XP
Share
Anonymous
June 25, 2005 3:05:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have a small office network all on XP Pro and all in the same Workgroup. I
do not run Active Server Directory and do not operate a Domain.

Two of the PC's operate as file servers. I want to manage access to folders
on the file servers by allowing certain groups and not others.

I want the members of the Groups to be Workgroup PC's. In other words,
whomever is logged on to the PC will have access to the folders.

I would also consider using Users as the members of a Group if I could work
out an easy way to create a single user entity for each employee that could
operate across the whole Workgroup.

I know how to add in snap-ins to MMC on the file servers but am not sure
which ones to add and how to configure them to achieve the above.

Any help would be appreciated.

--

David M

More about : group policy workgroup

Anonymous
June 25, 2005 4:53:51 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Create a BAT file using the NET USE command. Open a Command Prompt window and enter NET USE /? for the command line options. Use a username and password that exists on the file server to enable access to the file server's folders.

Then, on the machines that you want to be able to access the file servers, run GPEDIT.MSC. Go to User Configuration, Windows Settings, Scripts. Here you can point the logon script to the BAT file you created. Additionally, you could create a BAT file that undoes the drive mapping, and set it as the log off script.

Since you're not in a domain, these settings apply to all users of the machine.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"David M" <DavidM@discussions.microsoft.com> wrote in message news:EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com...
>I have a small office network all on XP Pro and all in the same Workgroup. I
> do not run Active Server Directory and do not operate a Domain.
>
> Two of the PC's operate as file servers. I want to manage access to folders
> on the file servers by allowing certain groups and not others.
>
> I want the members of the Groups to be Workgroup PC's. In other words,
> whomever is logged on to the PC will have access to the folders.
>
> I would also consider using Users as the members of a Group if I could work
> out an easy way to create a single user entity for each employee that could
> operate across the whole Workgroup.
>
> I know how to add in snap-ins to MMC on the file servers but am not sure
> which ones to add and how to configure them to achieve the above.
>
> Any help would be appreciated.
>
> --
>
> David M
Anonymous
June 25, 2005 8:18:54 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"David M" <DavidM@discussions.microsoft.com> wrote in message
news:EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com...
>I have a small office network all on XP Pro and all in the same Workgroup.
>I
> do not run Active Server Directory and do not operate a Domain.
>
> Two of the PC's operate as file servers. I want to manage access to
> folders
> on the file servers by allowing certain groups and not others.
>
> I want the members of the Groups to be Workgroup PC's. In other words,
> whomever is logged on to the PC will have access to the folders.
>
> I would also consider using Users as the members of a Group if I could
> work
> out an easy way to create a single user entity for each employee that
> could
> operate across the whole Workgroup.
>
> I know how to add in snap-ins to MMC on the file servers but am not sure
> which ones to add and how to configure them to achieve the above.
>
> Any help would be appreciated.
>
> --
>
> David M

Sounds like you are asking how to put permissions on files and shares. This
isn't really a Group Policy thing. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 for info.
Also see http://support.microsoft.com/?kbid=290403 (you may need to change
XP's default behavior of authenticating as a guest while installed in a
workgroup.)

Without a domain, you will need matching accounts on all PCs for all users
(same names+password) - this means that if the users all have their own
accounts, you could have a lot of work to do to keep things in sync. It
would be simplified if everyone just used a generic "user" account on each
PC (in fact, you could set up Windows to automatically log on with that
account.)

If there's nobody else on the network, and you don't want to be very
granular (i.e. Bob can access FolderA, Susan can read FolderA but not make
changes, but she can do anything on FolderB) you could just set your
permissions to allow "Everyone"

As for " I could work out an easy way to create a single user entity for
each employee that could operate across the whole Workgroup." - you have
basically described one of the main reasons for getting domain. Microsoft
does have a Server product designed (and priced) for smaller environments
that allows you to set up a domain. Small Business Server 2003:
http://www.microsoft.com/windowsserver2003/sbs/default.... (no I don't work
for them and I'm not trying to sell it to you!!, just making sure you know
that there is a product.)


--
Colin Nash
Microsoft MVP
Windows Shell/User
Related resources
Anonymous
June 25, 2005 8:18:55 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks Colin & thanks Doug

You are correct in saying that I wantng to put permissions in place for
files and shares.

I have done a bunch of research and I am coming to the conclusion that I
really need a domain. I actually have a copy of SBS 2003 and I suppose I have
tended not to deploy that because I am not a techie type and was afraid that
the level of complexity in setting up and maintaining would be too great.

Do you know how hard it would be for me to implement SBS 2003?

--

David M


"Colin Nash [MVP]" wrote:

>
> "David M" <DavidM@discussions.microsoft.com> wrote in message
> news:EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com...
> >I have a small office network all on XP Pro and all in the same Workgroup.
> >I
> > do not run Active Server Directory and do not operate a Domain.
> >
> > Two of the PC's operate as file servers. I want to manage access to
> > folders
> > on the file servers by allowing certain groups and not others.
> >
> > I want the members of the Groups to be Workgroup PC's. In other words,
> > whomever is logged on to the PC will have access to the folders.
> >
> > I would also consider using Users as the members of a Group if I could
> > work
> > out an easy way to create a single user entity for each employee that
> > could
> > operate across the whole Workgroup.
> >
> > I know how to add in snap-ins to MMC on the file servers but am not sure
> > which ones to add and how to configure them to achieve the above.
> >
> > Any help would be appreciated.
> >
> > --
> >
> > David M
>
> Sounds like you are asking how to put permissions on files and shares. This
> isn't really a Group Policy thing. See
> http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 for info.
> Also see http://support.microsoft.com/?kbid=290403 (you may need to change
> XP's default behavior of authenticating as a guest while installed in a
> workgroup.)
>
> Without a domain, you will need matching accounts on all PCs for all users
> (same names+password) - this means that if the users all have their own
> accounts, you could have a lot of work to do to keep things in sync. It
> would be simplified if everyone just used a generic "user" account on each
> PC (in fact, you could set up Windows to automatically log on with that
> account.)
>
> If there's nobody else on the network, and you don't want to be very
> granular (i.e. Bob can access FolderA, Susan can read FolderA but not make
> changes, but she can do anything on FolderB) you could just set your
> permissions to allow "Everyone"
>
> As for " I could work out an easy way to create a single user entity for
> each employee that could operate across the whole Workgroup." - you have
> basically described one of the main reasons for getting domain. Microsoft
> does have a Server product designed (and priced) for smaller environments
> that allows you to set up a domain. Small Business Server 2003:
> http://www.microsoft.com/windowsserver2003/sbs/default.... (no I don't work
> for them and I'm not trying to sell it to you!!, just making sure you know
> that there is a product.)
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
>
>
>
>
Anonymous
June 26, 2005 7:38:47 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
"David M" <DavidM@discussions.microsoft.com> wrote:
>I have a small office network all on XP Pro and all in the same Workgroup. I
>do not run Active Server Directory and do not operate a Domain.
>
>Two of the PC's operate as file servers. I want to manage access to folders
>on the file servers by allowing certain groups and not others.
>
>I want the members of the Groups to be Workgroup PC's. In other words,
>whomever is logged on to the PC will have access to the folders.
>
>I would also consider using Users as the members of a Group if I could work
>out an easy way to create a single user entity for each employee that could
>operate across the whole Workgroup.
>
>I know how to add in snap-ins to MMC on the file servers but am not sure
>which ones to add and how to configure them to achieve the above.
>
>Any help would be appreciated.

Group policy isn't necessary -- you can set the permissions directly
in XP Pro. Ron Lowe and I have written a web page with full details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/sharing/xp_fileshar...

Access control in XP Pro is based on user accounts, not on computer
names.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
Anonymous
June 26, 2005 3:07:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:5D4CBEB4-2BF3-4DD2-990E-982E6AE4D16B@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:
> Thanks Colin & thanks Doug
>
> You are correct in saying that I wantng to put permissions in place
> for files and shares.
>
> I have done a bunch of research and I am coming to the conclusion
> that I really need a domain. I actually have a copy of SBS 2003 and I
> suppose I have tended not to deploy that because I am not a techie
> type and was afraid that the level of complexity in setting up and
> maintaining would be too great.
>
> Do you know how hard it would be for me to implement SBS 2003?

I suggest you look for a consultant to do the setup for you. A *good*
consultant who has done a lot of these setups - get references. SBS has tons
of wizards that will walk you through the setup, but there is still a lot to
know - and wizards should be viewed as a timesaver, not a substitute for
knowlege.

Invest in good hardware for your server, too, or it doesn't matter how well
you set things up. Hardware SCSI RAID, 1GB RAM, UPS, tape drive....those are
all mandatory for servers in my view, even on small networks.

The consultant can show you how to do any day-to-day admin, too.

Note that the best newsgroup for SBS help is in
microsoft.public.windows.server.sbs - there are a lot of very smart &
friendly people in there, and I am sure you'll get a ton of information.

>
>
>>
>> "David M" <DavidM@discussions.microsoft.com> wrote in message
>> news:EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com...
>>> I have a small office network all on XP Pro and all in the same
>>> Workgroup. I
>>> do not run Active Server Directory and do not operate a Domain.
>>>
>>> Two of the PC's operate as file servers. I want to manage access to
>>> folders
>>> on the file servers by allowing certain groups and not others.
>>>
>>> I want the members of the Groups to be Workgroup PC's. In other
>>> words, whomever is logged on to the PC will have access to the
>>> folders.
>>>
>>> I would also consider using Users as the members of a Group if I
>>> could work
>>> out an easy way to create a single user entity for each employee
>>> that could
>>> operate across the whole Workgroup.
>>>
>>> I know how to add in snap-ins to MMC on the file servers but am not
>>> sure which ones to add and how to configure them to achieve the
>>> above.
>>>
>>> Any help would be appreciated.
>>>
>>> --
>>>
>>> David M
>>
>> Sounds like you are asking how to put permissions on files and
>> shares. This isn't really a Group Policy thing. See
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;308418 for
>> info. Also see http://support.microsoft.com/?kbid=290403 (you may
>> need to change XP's default behavior of authenticating as a guest
>> while installed in a workgroup.)
>>
>> Without a domain, you will need matching accounts on all PCs for all
>> users (same names+password) - this means that if the users all have
>> their own accounts, you could have a lot of work to do to keep
>> things in sync. It would be simplified if everyone just used a
>> generic "user" account on each PC (in fact, you could set up Windows
>> to automatically log on with that account.)
>>
>> If there's nobody else on the network, and you don't want to be very
>> granular (i.e. Bob can access FolderA, Susan can read FolderA but
>> not make changes, but she can do anything on FolderB) you could just
>> set your permissions to allow "Everyone"
>>
>> As for " I could work out an easy way to create a single user entity
>> for each employee that could operate across the whole Workgroup." -
>> you have basically described one of the main reasons for getting
>> domain. Microsoft does have a Server product designed (and priced)
>> for smaller environments that allows you to set up a domain. Small
>> Business Server 2003:
>> http://www.microsoft.com/windowsserver2003/sbs/default.... (no I
>> don't work for them and I'm not trying to sell it to you!!, just
>> making sure you know that there is a product.)
>>
>>
>> --
>> Colin Nash
>> Microsoft MVP
>> Windows Shell/User
Anonymous
June 26, 2005 6:32:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks Lanwench & thanks Steve

I am going to persevere with trying user permissions (thanks for the url)
and hopefully implement my requirements that way.

Thanks for the assistance - it's very much appreciated.
--

David M


"Steve Winograd [MVP]" wrote:

> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
> "David M" <DavidM@discussions.microsoft.com> wrote:
> >I have a small office network all on XP Pro and all in the same Workgroup. I
> >do not run Active Server Directory and do not operate a Domain.
> >
> >Two of the PC's operate as file servers. I want to manage access to folders
> >on the file servers by allowing certain groups and not others.
> >
> >I want the members of the Groups to be Workgroup PC's. In other words,
> >whomever is logged on to the PC will have access to the folders.
> >
> >I would also consider using Users as the members of a Group if I could work
> >out an easy way to create a single user entity for each employee that could
> >operate across the whole Workgroup.
> >
> >I know how to add in snap-ins to MMC on the file servers but am not sure
> >which ones to add and how to configure them to achieve the above.
> >
> >Any help would be appreciated.
>
> Group policy isn't necessary -- you can set the permissions directly
> in XP Pro. Ron Lowe and I have written a web page with full details:
>
> Windows XP Professional File Sharing
> http://www.practicallynetworked.com/sharing/xp_fileshar...
>
> Access control in XP Pro is based on user accounts, not on computer
> names.
> --
> Best Wishes,
> Steve Winograd, MS-MVP (Windows Networking)
>
> Please post any reply as a follow-up message in the news group
> for everyone to see. I'm sorry, but I don't answer questions
> addressed directly to me in E-mail or news groups.
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com
>
Anonymous
June 27, 2005 2:53:22 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:
> Thanks Lanwench & thanks Steve
>
> I am going to persevere with trying user permissions (thanks for the
> url) and hopefully implement my requirements that way.
>
> Thanks for the assistance - it's very much appreciated.

You're welcome. Best of luck. I do think you should confront your Fear of
Domains, though.....it would make life SO much easier for you, and your
users would benefit from it too. I may be biased, but I think Exchange is a
wonderful thing to use on a network of nearly any size, and you bought SBS
already.

>
>> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
>> "David M" <DavidM@discussions.microsoft.com> wrote:
>>> I have a small office network all on XP Pro and all in the same
>>> Workgroup. I do not run Active Server Directory and do not operate
>>> a Domain.
>>>
>>> Two of the PC's operate as file servers. I want to manage access to
>>> folders on the file servers by allowing certain groups and not
>>> others.
>>>
>>> I want the members of the Groups to be Workgroup PC's. In other
>>> words, whomever is logged on to the PC will have access to the
>>> folders.
>>>
>>> I would also consider using Users as the members of a Group if I
>>> could work out an easy way to create a single user entity for each
>>> employee that could operate across the whole Workgroup.
>>>
>>> I know how to add in snap-ins to MMC on the file servers but am not
>>> sure which ones to add and how to configure them to achieve the
>>> above.
>>>
>>> Any help would be appreciated.
>>
>> Group policy isn't necessary -- you can set the permissions directly
>> in XP Pro. Ron Lowe and I have written a web page with full details:
>>
>> Windows XP Professional File Sharing
>> http://www.practicallynetworked.com/sharing/xp_fileshar...
>>
>> Access control in XP Pro is based on user accounts, not on computer
>> names.
>> --
>> Best Wishes,
>> Steve Winograd, MS-MVP (Windows Networking)
>>
>> Please post any reply as a follow-up message in the news group
>> for everyone to see. I'm sorry, but I don't answer questions
>> addressed directly to me in E-mail or news groups.
>>
>> Microsoft Most Valuable Professional Program
>> http://mvp.support.microsoft.com
Anonymous
June 27, 2005 8:38:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Implemented as per Steve's web site and all working OK.

I agree Lanwench - I think a PDC will be the better long term outcome.

One problem has arisen though - I have shared printers on the file server
and they are now unavailable to users unless they jave already logged in to
that machine.

This is not a major problem but it would be nice to not have to do that.

I guess I could alter the Security and Permissions on the printer shares to
allow Everyone?

Do you think that doing this is a security risk on the LAN? In other words,
I ahve just removed the default Permissions for the Everyone group and now I
am about to reinstate it on two shares.

Cheers

David
--

David M


"Lanwench [MVP - Exchange]" wrote:

>
>
> In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
> David M <DavidM@discussions.microsoft.com> typed:
> > Thanks Lanwench & thanks Steve
> >
> > I am going to persevere with trying user permissions (thanks for the
> > url) and hopefully implement my requirements that way.
> >
> > Thanks for the assistance - it's very much appreciated.
>
> You're welcome. Best of luck. I do think you should confront your Fear of
> Domains, though.....it would make life SO much easier for you, and your
> users would benefit from it too. I may be biased, but I think Exchange is a
> wonderful thing to use on a network of nearly any size, and you bought SBS
> already.
>
> >
> >> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
> >> "David M" <DavidM@discussions.microsoft.com> wrote:
> >>> I have a small office network all on XP Pro and all in the same
> >>> Workgroup. I do not run Active Server Directory and do not operate
> >>> a Domain.
> >>>
> >>> Two of the PC's operate as file servers. I want to manage access to
> >>> folders on the file servers by allowing certain groups and not
> >>> others.
> >>>
> >>> I want the members of the Groups to be Workgroup PC's. In other
> >>> words, whomever is logged on to the PC will have access to the
> >>> folders.
> >>>
> >>> I would also consider using Users as the members of a Group if I
> >>> could work out an easy way to create a single user entity for each
> >>> employee that could operate across the whole Workgroup.
> >>>
> >>> I know how to add in snap-ins to MMC on the file servers but am not
> >>> sure which ones to add and how to configure them to achieve the
> >>> above.
> >>>
> >>> Any help would be appreciated.
> >>
> >> Group policy isn't necessary -- you can set the permissions directly
> >> in XP Pro. Ron Lowe and I have written a web page with full details:
> >>
> >> Windows XP Professional File Sharing
> >> http://www.practicallynetworked.com/sharing/xp_fileshar...
> >>
> >> Access control in XP Pro is based on user accounts, not on computer
> >> names.
> >> --
> >> Best Wishes,
> >> Steve Winograd, MS-MVP (Windows Networking)
> >>
> >> Please post any reply as a follow-up message in the news group
> >> for everyone to see. I'm sorry, but I don't answer questions
> >> addressed directly to me in E-mail or news groups.
> >>
> >> Microsoft Most Valuable Professional Program
> >> http://mvp.support.microsoft.com
>
>
>
Anonymous
June 28, 2005 2:46:10 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:
> Implemented as per Steve's web site and all working OK.
>
> I agree Lanwench - I think a PDC will be the better long term outcome.
>
> One problem has arisen though - I have shared printers on the file
> server and they are now unavailable to users unless they jave already
> logged in to that machine.

What do you mean by already logged in - to what machine? They're logging
into *their* machines, right - and the permissions on their *identical*
accounts on the server are set correctly?
>
> This is not a major problem but it would be nice to not have to do
> that.

But they already need to log into their workstations anyway <is puzzled>
>
> I guess I could alter the Security and Permissions on the printer
> shares to allow Everyone?

Sure.
>
> Do you think that doing this is a security risk on the LAN?

You don't really have much in the way of security now, to be honest.
<whispers: build your sbs box>

> In other
> words, I ahve just removed the default Permissions for the Everyone
> group and now I am about to reinstate it on two shares.

The share permissions should always be everyone=full control (note that
there is some argument on this point - I do it this way) and the NTFS
permissions are what control what. You don't need to use Everyone for that.
You can use individual users, or groups, on the 'host'/server.
>
> Cheers
>
> David
>
>>
>>
>> In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
>> David M <DavidM@discussions.microsoft.com> typed:
>>> Thanks Lanwench & thanks Steve
>>>
>>> I am going to persevere with trying user permissions (thanks for the
>>> url) and hopefully implement my requirements that way.
>>>
>>> Thanks for the assistance - it's very much appreciated.
>>
>> You're welcome. Best of luck. I do think you should confront your
>> Fear of Domains, though.....it would make life SO much easier for
>> you, and your users would benefit from it too. I may be biased, but
>> I think Exchange is a wonderful thing to use on a network of nearly
>> any size, and you bought SBS already.
>>
>>>
>>>> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
>>>> "David M" <DavidM@discussions.microsoft.com> wrote:
>>>>> I have a small office network all on XP Pro and all in the same
>>>>> Workgroup. I do not run Active Server Directory and do not operate
>>>>> a Domain.
>>>>>
>>>>> Two of the PC's operate as file servers. I want to manage access
>>>>> to folders on the file servers by allowing certain groups and not
>>>>> others.
>>>>>
>>>>> I want the members of the Groups to be Workgroup PC's. In other
>>>>> words, whomever is logged on to the PC will have access to the
>>>>> folders.
>>>>>
>>>>> I would also consider using Users as the members of a Group if I
>>>>> could work out an easy way to create a single user entity for each
>>>>> employee that could operate across the whole Workgroup.
>>>>>
>>>>> I know how to add in snap-ins to MMC on the file servers but am
>>>>> not sure which ones to add and how to configure them to achieve
>>>>> the above.
>>>>>
>>>>> Any help would be appreciated.
>>>>
>>>> Group policy isn't necessary -- you can set the permissions
>>>> directly in XP Pro. Ron Lowe and I have written a web page with
>>>> full details:
>>>>
>>>> Windows XP Professional File Sharing
>>>> http://www.practicallynetworked.com/sharing/xp_fileshar...
>>>>
>>>> Access control in XP Pro is based on user accounts, not on computer
>>>> names.
>>>> --
>>>> Best Wishes,
>>>> Steve Winograd, MS-MVP (Windows Networking)
>>>>
>>>> Please post any reply as a follow-up message in the news group
>>>> for everyone to see. I'm sorry, but I don't answer questions
>>>> addressed directly to me in E-mail or news groups.
>>>>
>>>> Microsoft Most Valuable Professional Program
>>>> http://mvp.support.microsoft.com
Anonymous
June 28, 2005 7:07:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

--

David M


"Lanwench [MVP - Exchange]" wrote:

>
>
> In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
> David M <DavidM@discussions.microsoft.com> typed:
> > Implemented as per Steve's web site and all working OK.
> >
> > I agree Lanwench - I think a PDC will be the better long term outcome.
> >
> > One problem has arisen though - I have shared printers on the file
> > server and they are now unavailable to users unless they jave already
> > logged in to that machine.
>
> What do you mean by already logged in - to what machine? They're logging
> into *their* machines, right - and the permissions on their *identical*
> accounts on the server are set correctly?


Yes - they log into their local PC however on the first attempt of the day
to access a resource on a different workgroup PC to which they have
permission they are prompted for a uname & pwd log in. Once they does this
once they don't have to do it again until they reboot their PC.



> >
> > This is not a major problem but it would be nice to not have to do
> > that.
>
> But they already need to log into their workstations anyway <is puzzled>

See above.


> >
> > I guess I could alter the Security and Permissions on the printer
> > shares to allow Everyone?
>
> Sure.
> >
> > Do you think that doing this is a security risk on the LAN?
>
> You don't really have much in the way of security now, to be honest.
> <whispers: build your sbs box>

Yeah - you're right. I know.

>
> > In other
> > words, I ahve just removed the default Permissions for the Everyone
> > group and now I am about to reinstate it on two shares.
>
> The share permissions should always be everyone=full control (note that
> there is some argument on this point - I do it this way) and the NTFS
> permissions are what control what. You don't need to use Everyone for that.
> You can use individual users, or groups, on the 'host'/server.
> >
> > Cheers
> >
> > David
> >
> >>
> >>
> >> In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
> >> David M <DavidM@discussions.microsoft.com> typed:
> >>> Thanks Lanwench & thanks Steve
> >>>
> >>> I am going to persevere with trying user permissions (thanks for the
> >>> url) and hopefully implement my requirements that way.
> >>>
> >>> Thanks for the assistance - it's very much appreciated.
> >>
> >> You're welcome. Best of luck. I do think you should confront your
> >> Fear of Domains, though.....it would make life SO much easier for
> >> you, and your users would benefit from it too. I may be biased, but
> >> I think Exchange is a wonderful thing to use on a network of nearly
> >> any size, and you bought SBS already.
> >>
> >>>
> >>>> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
> >>>> "David M" <DavidM@discussions.microsoft.com> wrote:
> >>>>> I have a small office network all on XP Pro and all in the same
> >>>>> Workgroup. I do not run Active Server Directory and do not operate
> >>>>> a Domain.
> >>>>>
> >>>>> Two of the PC's operate as file servers. I want to manage access
> >>>>> to folders on the file servers by allowing certain groups and not
> >>>>> others.
> >>>>>
> >>>>> I want the members of the Groups to be Workgroup PC's. In other
> >>>>> words, whomever is logged on to the PC will have access to the
> >>>>> folders.
> >>>>>
> >>>>> I would also consider using Users as the members of a Group if I
> >>>>> could work out an easy way to create a single user entity for each
> >>>>> employee that could operate across the whole Workgroup.
> >>>>>
> >>>>> I know how to add in snap-ins to MMC on the file servers but am
> >>>>> not sure which ones to add and how to configure them to achieve
> >>>>> the above.
> >>>>>
> >>>>> Any help would be appreciated.
> >>>>
> >>>> Group policy isn't necessary -- you can set the permissions
> >>>> directly in XP Pro. Ron Lowe and I have written a web page with
> >>>> full details:
> >>>>
> >>>> Windows XP Professional File Sharing
> >>>> http://www.practicallynetworked.com/sharing/xp_fileshar...
> >>>>
> >>>> Access control in XP Pro is based on user accounts, not on computer
> >>>> names.
> >>>> --
> >>>> Best Wishes,
> >>>> Steve Winograd, MS-MVP (Windows Networking)
> >>>>
> >>>> Please post any reply as a follow-up message in the news group
> >>>> for everyone to see. I'm sorry, but I don't answer questions
> >>>> addressed directly to me in E-mail or news groups.
> >>>>
> >>>> Microsoft Most Valuable Professional Program
> >>>> http://mvp.support.microsoft.com
>
>
>
Anonymous
June 29, 2005 3:59:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:147AC661-86E1-4BEA-AD0E-B7097EED3DC1@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:
>
>>
>>
>> In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
>> David M <DavidM@discussions.microsoft.com> typed:
>>> Implemented as per Steve's web site and all working OK.
>>>
>>> I agree Lanwench - I think a PDC will be the better long term
>>> outcome.
>>>
>>> One problem has arisen though - I have shared printers on the file
>>> server and they are now unavailable to users unless they jave
>>> already logged in to that machine.
>>
>> What do you mean by already logged in - to what machine? They're
>> logging into *their* machines, right - and the permissions on their
>> *identical* accounts on the server are set correctly?
>
>
> Yes - they log into their local PC however on the first attempt of
> the day to access a resource on a different workgroup PC to which
> they have permission they are prompted for a uname & pwd log in. Once
> they does this once they don't have to do it again until they reboot
> their PC.
>

Same workgroup, though? Make sure the user name and password exists
identically on the server and any other machine they need to access shares
on. This is yet another reason I prefer domains.
>
>
>>>
>>> This is not a major problem but it would be nice to not have to do
>>> that.
>>
>> But they already need to log into their workstations anyway <is
>> puzzled>
>
> See above.
>
>
>>>
>>> I guess I could alter the Security and Permissions on the printer
>>> shares to allow Everyone?
>>
>> Sure.
>>>
>>> Do you think that doing this is a security risk on the LAN?
>>
>> You don't really have much in the way of security now, to be honest.
>> <whispers: build your sbs box>
>
> Yeah - you're right. I know.

:-)

>
>>
>>> In other
>>> words, I ahve just removed the default Permissions for the Everyone
>>> group and now I am about to reinstate it on two shares.
>>
>> The share permissions should always be everyone=full control (note
>> that there is some argument on this point - I do it this way) and
>> the NTFS permissions are what control what. You don't need to use
>> Everyone for that. You can use individual users, or groups, on the
>> 'host'/server.
>>>
>>> Cheers
>>>
>>> David
>>>
>>>>
>>>>
>>>> In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
>>>> David M <DavidM@discussions.microsoft.com> typed:
>>>>> Thanks Lanwench & thanks Steve
>>>>>
>>>>> I am going to persevere with trying user permissions (thanks for
>>>>> the url) and hopefully implement my requirements that way.
>>>>>
>>>>> Thanks for the assistance - it's very much appreciated.
>>>>
>>>> You're welcome. Best of luck. I do think you should confront your
>>>> Fear of Domains, though.....it would make life SO much easier for
>>>> you, and your users would benefit from it too. I may be biased, but
>>>> I think Exchange is a wonderful thing to use on a network of nearly
>>>> any size, and you bought SBS already.
>>>>
>>>>>
>>>>>> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
>>>>>> "David M" <DavidM@discussions.microsoft.com> wrote:
>>>>>>> I have a small office network all on XP Pro and all in the same
>>>>>>> Workgroup. I do not run Active Server Directory and do not
>>>>>>> operate a Domain.
>>>>>>>
>>>>>>> Two of the PC's operate as file servers. I want to manage access
>>>>>>> to folders on the file servers by allowing certain groups and
>>>>>>> not others.
>>>>>>>
>>>>>>> I want the members of the Groups to be Workgroup PC's. In other
>>>>>>> words, whomever is logged on to the PC will have access to the
>>>>>>> folders.
>>>>>>>
>>>>>>> I would also consider using Users as the members of a Group if I
>>>>>>> could work out an easy way to create a single user entity for
>>>>>>> each employee that could operate across the whole Workgroup.
>>>>>>>
>>>>>>> I know how to add in snap-ins to MMC on the file servers but am
>>>>>>> not sure which ones to add and how to configure them to achieve
>>>>>>> the above.
>>>>>>>
>>>>>>> Any help would be appreciated.
>>>>>>
>>>>>> Group policy isn't necessary -- you can set the permissions
>>>>>> directly in XP Pro. Ron Lowe and I have written a web page with
>>>>>> full details:
>>>>>>
>>>>>> Windows XP Professional File Sharing
>>>>>> http://www.practicallynetworked.com/sharing/xp_fileshar...
>>>>>>
>>>>>> Access control in XP Pro is based on user accounts, not on
>>>>>> computer names.
>>>>>> --
>>>>>> Best Wishes,
>>>>>> Steve Winograd, MS-MVP (Windows Networking)
>>>>>>
>>>>>> Please post any reply as a follow-up message in the news group
>>>>>> for everyone to see. I'm sorry, but I don't answer questions
>>>>>> addressed directly to me in E-mail or news groups.
>>>>>>
>>>>>> Microsoft Most Valuable Professional Program
>>>>>> http://mvp.support.microsoft.com
Anonymous
July 1, 2005 10:19:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

--

David M


"Lanwench [MVP - Exchange]" wrote:

>
>
> In news:147AC661-86E1-4BEA-AD0E-B7097EED3DC1@microsoft.com,
> David M <DavidM@discussions.microsoft.com> typed:
> >
> >>
> >>
> >> In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
> >> David M <DavidM@discussions.microsoft.com> typed:
> >>> Implemented as per Steve's web site and all working OK.
> >>>
> >>> I agree Lanwench - I think a PDC will be the better long term
> >>> outcome.
> >>>
> >>> One problem has arisen though - I have shared printers on the file
> >>> server and they are now unavailable to users unless they jave
> >>> already logged in to that machine.
> >>
> >> What do you mean by already logged in - to what machine? They're
> >> logging into *their* machines, right - and the permissions on their
> >> *identical* accounts on the server are set correctly?
> >
> >
> > Yes - they log into their local PC however on the first attempt of
> > the day to access a resource on a different workgroup PC to which
> > they have permission they are prompted for a uname & pwd log in. Once
> > they does this once they don't have to do it again until they reboot
> > their PC.
> >
>
> Same workgroup, though? Make sure the user name and password exists
> identically on the server and any other machine they need to access shares
> on. This is yet another reason I prefer domains.

Same workgroup and identical uname & pwd combos on all machines. I deleted
all printers from each workstation and reinstalled which appears to have
solved this problem.

I am no longer seeing the uname & pwd box when I access a shared folder. I
am hoping this is because XP is smart and knows that I am logged in; my
credentials match and therefore no need to prompt me for authentication
....... then again that could be me just being overly optimistic.

;-)

> >
> >
> >>>
> >>> This is not a major problem but it would be nice to not have to do
> >>> that.
> >>
> >> But they already need to log into their workstations anyway <is
> >> puzzled>
> >
> > See above.
> >
> >
> >>>
> >>> I guess I could alter the Security and Permissions on the printer
> >>> shares to allow Everyone?
> >>
> >> Sure.
> >>>
> >>> Do you think that doing this is a security risk on the LAN?
> >>
> >> You don't really have much in the way of security now, to be honest.
> >> <whispers: build your sbs box>
> >
> > Yeah - you're right. I know.
>
> :-)
>
> >
> >>
> >>> In other
> >>> words, I ahve just removed the default Permissions for the Everyone
> >>> group and now I am about to reinstate it on two shares.
> >>
> >> The share permissions should always be everyone=full control (note
> >> that there is some argument on this point - I do it this way) and
> >> the NTFS permissions are what control what. You don't need to use
> >> Everyone for that. You can use individual users, or groups, on the
> >> 'host'/server.
> >>>
> >>> Cheers
> >>>
> >>> David
> >>>
> >>>>
> >>>>
> >>>> In news:1E775DB4-5C15-4C11-BFBA-43F35D7C9E83@microsoft.com,
> >>>> David M <DavidM@discussions.microsoft.com> typed:
> >>>>> Thanks Lanwench & thanks Steve
> >>>>>
> >>>>> I am going to persevere with trying user permissions (thanks for
> >>>>> the url) and hopefully implement my requirements that way.
> >>>>>
> >>>>> Thanks for the assistance - it's very much appreciated.
> >>>>
> >>>> You're welcome. Best of luck. I do think you should confront your
> >>>> Fear of Domains, though.....it would make life SO much easier for
> >>>> you, and your users would benefit from it too. I may be biased, but
> >>>> I think Exchange is a wonderful thing to use on a network of nearly
> >>>> any size, and you bought SBS already.
> >>>>
> >>>>>
> >>>>>> In article <EF3EAE7A-5DE6-4491-8C6D-DB7A7166860F@microsoft.com>,
> >>>>>> "David M" <DavidM@discussions.microsoft.com> wrote:
> >>>>>>> I have a small office network all on XP Pro and all in the same
> >>>>>>> Workgroup. I do not run Active Server Directory and do not
> >>>>>>> operate a Domain.
> >>>>>>>
> >>>>>>> Two of the PC's operate as file servers. I want to manage access
> >>>>>>> to folders on the file servers by allowing certain groups and
> >>>>>>> not others.
> >>>>>>>
> >>>>>>> I want the members of the Groups to be Workgroup PC's. In other
> >>>>>>> words, whomever is logged on to the PC will have access to the
> >>>>>>> folders.
> >>>>>>>
> >>>>>>> I would also consider using Users as the members of a Group if I
> >>>>>>> could work out an easy way to create a single user entity for
> >>>>>>> each employee that could operate across the whole Workgroup.
> >>>>>>>
> >>>>>>> I know how to add in snap-ins to MMC on the file servers but am
> >>>>>>> not sure which ones to add and how to configure them to achieve
> >>>>>>> the above.
> >>>>>>>
> >>>>>>> Any help would be appreciated.
> >>>>>>
> >>>>>> Group policy isn't necessary -- you can set the permissions
> >>>>>> directly in XP Pro. Ron Lowe and I have written a web page with
> >>>>>> full details:
> >>>>>>
> >>>>>> Windows XP Professional File Sharing
> >>>>>> http://www.practicallynetworked.com/sharing/xp_fileshar...
> >>>>>>
> >>>>>> Access control in XP Pro is based on user accounts, not on
> >>>>>> computer names.
> >>>>>> --
> >>>>>> Best Wishes,
> >>>>>> Steve Winograd, MS-MVP (Windows Networking)
> >>>>>>
> >>>>>> Please post any reply as a follow-up message in the news group
> >>>>>> for everyone to see. I'm sorry, but I don't answer questions
> >>>>>> addressed directly to me in E-mail or news groups.
> >>>>>>
> >>>>>> Microsoft Most Valuable Professional Program
> >>>>>> http://mvp.support.microsoft.com
>
>
>
Anonymous
July 1, 2005 2:25:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:1561041F-0E6E-4307-8BFD-529BDC687BF4@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:
>
>>
>>
>> In news:147AC661-86E1-4BEA-AD0E-B7097EED3DC1@microsoft.com,
>> David M <DavidM@discussions.microsoft.com> typed:
>>>
>>>>
>>>>
>>>> In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
>>>> David M <DavidM@discussions.microsoft.com> typed:
>>>>> Implemented as per Steve's web site and all working OK.
>>>>>
>>>>> I agree Lanwench - I think a PDC will be the better long term
>>>>> outcome.
>>>>>
>>>>> One problem has arisen though - I have shared printers on the file
>>>>> server and they are now unavailable to users unless they jave
>>>>> already logged in to that machine.
>>>>
>>>> What do you mean by already logged in - to what machine? They're
>>>> logging into *their* machines, right - and the permissions on their
>>>> *identical* accounts on the server are set correctly?
>>>
>>>
>>> Yes - they log into their local PC however on the first attempt of
>>> the day to access a resource on a different workgroup PC to which
>>> they have permission they are prompted for a uname & pwd log in.
>>> Once they does this once they don't have to do it again until they
>>> reboot their PC.
>>>
>>
>> Same workgroup, though? Make sure the user name and password exists
>> identically on the server and any other machine they need to access
>> shares on. This is yet another reason I prefer domains.
>
> Same workgroup and identical uname & pwd combos on all machines. I
> deleted all printers from each workstation and reinstalled which
> appears to have solved this problem.
>
> I am no longer seeing the uname & pwd box when I access a shared
> folder. I am hoping this is because XP is smart and knows that I am
> logged in; my credentials match and therefore no need to prompt me
> for authentication ...... then again that could be me just being
> overly optimistic.
>
> ;-)

Glad you got it working....and yes, you're correct in your assumption. Just
remember, when you change passwords (which you & everyone should do
regularly) that you need to change them in two places.

<snip>
Anonymous
July 1, 2005 8:12:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

--

David M


"Lanwench [MVP - Exchange]" wrote:

>
>
> In news:1561041F-0E6E-4307-8BFD-529BDC687BF4@microsoft.com,
> David M <DavidM@discussions.microsoft.com> typed:
> >
> >>
> >>
> >> In news:147AC661-86E1-4BEA-AD0E-B7097EED3DC1@microsoft.com,
> >> David M <DavidM@discussions.microsoft.com> typed:
> >>>
> >>>>
> >>>>
> >>>> In news:1BF2A2F8-BFDE-4FA5-B378-945C96BE7B9B@microsoft.com,
> >>>> David M <DavidM@discussions.microsoft.com> typed:
> >>>>> Implemented as per Steve's web site and all working OK.
> >>>>>
> >>>>> I agree Lanwench - I think a PDC will be the better long term
> >>>>> outcome.
> >>>>>
> >>>>> One problem has arisen though - I have shared printers on the file
> >>>>> server and they are now unavailable to users unless they jave
> >>>>> already logged in to that machine.
> >>>>
> >>>> What do you mean by already logged in - to what machine? They're
> >>>> logging into *their* machines, right - and the permissions on their
> >>>> *identical* accounts on the server are set correctly?
> >>>
> >>>
> >>> Yes - they log into their local PC however on the first attempt of
> >>> the day to access a resource on a different workgroup PC to which
> >>> they have permission they are prompted for a uname & pwd log in.
> >>> Once they does this once they don't have to do it again until they
> >>> reboot their PC.
> >>>
> >>
> >> Same workgroup, though? Make sure the user name and password exists
> >> identically on the server and any other machine they need to access
> >> shares on. This is yet another reason I prefer domains.
> >
> > Same workgroup and identical uname & pwd combos on all machines. I
> > deleted all printers from each workstation and reinstalled which
> > appears to have solved this problem.
> >
> > I am no longer seeing the uname & pwd box when I access a shared
> > folder. I am hoping this is because XP is smart and knows that I am
> > logged in; my credentials match and therefore no need to prompt me
> > for authentication ...... then again that could be me just being
> > overly optimistic.
> >
> > ;-)
>
> Glad you got it working....and yes, you're correct in your assumption. Just
> remember, when you change passwords (which you & everyone should do
> regularly) that you need to change them in two places.
>
> <snip>
>

Thanks Lanwench for all the help. Much appreciated.

Next challenge is my SBS server ....

Ciao


>
>
Anonymous
July 2, 2005 6:01:57 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In news:B6117150-5DDA-4D2F-9DB8-0E2D886D0636@microsoft.com,
David M <DavidM@discussions.microsoft.com> typed:

<snip>
>>
>
> Thanks Lanwench for all the help. Much appreciated.

Most welcome!
>
> Next challenge is my SBS server ....

Try posting in microsoft.public.windows.server.sbs and you will find a lot
of help there.
>
> Ciao
!