[mgravenstein]

Everything I can find regarding Windows XP and Access Control Lists (ACL) is with respect to running in a domain with a server. It appears that if you have a network of WinXP machines and you want to share folders your choices are Everyone or no one. Strange since you can have an ACL on the machine that consists of various users on the machine. So to be more specific say you have 4 machines running WinXP Pro all with Simple File Sharing turned off. On PC1 you have user1 and user2 On PC2 you have user3, on PC3 you have user4 and on PC4 you have user5. On PC1 you have share1, On PC2 you have share2, on PC3 you have share3 and on PC4 you share4. I would like users1 and 2 to have access to share1 and share2 but not share3 or share4. I would like user3 and user4 to have access to share1, share2 and share3 but not share4 and I would like user5 to have access to all 4 shares.

I have tried the following:
All shares give the group Everyone modify access and the result is everyone has access regardless of whether they have a user account on the machine or even if the machine they are coming from is in the same Workgroup

A share gives the group Users modify access and the machine with the share has a user account with identical password as the user and machine trying to do the access and the result is the user is denied access from the remote machine

A share gives the localpc/username modify access and the machine with the share has a user account with identical password as the user and machine trying to do the access and the result is the user is denied access to the share from the remote machine

In other words, what I said before: I can completely control access to each and every folder or file on a machine to users or groups on that same machine quit successfully. However, my only choice for shares on a machine to the network is Everyone or no one. Can anyone shed any light or refer to explanations of ACL on a non-domain controlled WinXP network?

[Advertisements]

Yes, workgroups and network file sharing are very annoying. File sharing by itself is often counter-intuitive, but add workgroups in the mix and nothing makes sense once simple file sharing is turned off.

Let's just use two machines for the example and you can extrapolate from there.

Here's the setup
PC1 with a folder called PARENTS that we want only Parent1 and Parent2 to access
PC2 (kids, but sometimes dad needs to use it)

Disable simple file sharing.

On PC1, create user accounts for Parent1 and Parent2. Create identical usernames and passwords on PC2

Now let's create the share on PC1

Right-click My Computer, and select Manage from the menu that appears

In the left pane of the Computer Management dialog box, click the + next to
System Tools (if System Tools is not already expanded). Click the + next to
Shared Folders. Highlight Shares. Select Action > New File Share.

The Create Shared Folder dialog box appears

In this dialog box, enter the full path to the folder you want to share (such
as C:\PARENTS). You can browse for this folder if you don’t know its path.
Enter a share name for the share (cannot be empty). You can also enter a description for the share
if you want to. Click Next.

In the next dialog box, check CUSTOMIZE PERMISSIONS, and click CUSTOM

On the SHARE PERMISSIONS tab, click ADD, and add the user accounts for PARENT1 and PARENT2. Give FULL CONTROL to each. Remove the EVERYONE account. Now, before closing the dialogue box, go to the SECURITY tab. Again, add PARENT1 and PARENT2, and again give full control.

Click OK, NEXT, FINISH

Should be able to access it now, providing a firewall is not blocking you. The reason this works and the normal way does not is that for workgroups, you need to make it appear as if the request to access the folder is coming from the local machine. Setting both folder and network shares seems to trick the PC into believing this is so.

[gerryf]

Yes, workgroups and network file sharing are very annoying. File sharing by itself is often counter-intuitive, but add workgroups in the mix and nothing makes sense once simple file sharing is turned off.

Let's just use two machines for the example and you can extrapolate from there.

Here's the setup
PC1 with a folder called PARENTS that we want only Parent1 and Parent2 to access
PC2 (kids, but sometimes dad needs to use it)

Disable simple file sharing.

On PC1, create user accounts for Parent1 and Parent2. Create identical usernames and passwords on PC2

Now let's create the share on PC1

Right-click My Computer, and select Manage from the menu that appears

In the left pane of the Computer Management dialog box, click the + next to
System Tools (if System Tools is not already expanded). Click the + next to
Shared Folders. Highlight Shares. Select Action > New File Share.

The Create Shared Folder dialog box appears

In this dialog box, enter the full path to the folder you want to share (such
as C:\PARENTS). You can browse for this folder if you don’t know its path.
Enter a share name for the share (cannot be empty). You can also enter a description for the share
if you want to. Click Next.

In the next dialog box, check CUSTOMIZE PERMISSIONS, and click CUSTOM

On the SHARE PERMISSIONS tab, click ADD, and add the user accounts for PARENT1 and PARENT2. Give FULL CONTROL to each. Remove the EVERYONE account. Now, before closing the dialogue box, go to the SECURITY tab. Again, add PARENT1 and PARENT2, and again give full control.

Click OK, NEXT, FINISH

Should be able to access it now, providing a firewall is not blocking you. The reason this works and the normal way does not is that for workgroups, you need to make it appear as if the request to access the folder is coming from the local machine. Setting both folder and network shares seems to trick the PC into believing this is so.

[mgravenstein]

What you suggested is pretty much what I tried but thought had failed. I re-discovered something I think I had learned before but forgot. First, I knew that the username and password on both machines needed to be the same and I was trying to make that happen. You see I started off with one of the accounts not having a password and I knew that for shares to work without the Everyone group, I needed to have passwords. So I was changing and adding a password to the account to match the username and password on the machine with the share. However, the machine still was not gaining access.

What I forgot is when a machine is trying to access a share on a second machine, the first machine must have been logged into with the same username and password as what exists on the second machine. That means if you change the password while logged into the first machine to be consistent with the second machine, you must log out and log back in with the password for it to have access to the second machine. The password that was used to log into the session is what the OS remembers and uses to log into remote machines, not the one stored in the password file that may have change after the log in.