workgroup file sharing without the everyone group...possible?


  1. Posts : 6
    win7 pro 32 bit
       #1


    I have two computers in a workgroup. Both computers see the other in the network. All computers have the same OS (Win7 Pro), the same workgroup name and the same users/same passwords. NTFS and Share permissions on the file A are the same.

    I want to share the file with specific users in the workgroup, not EVERYONE. I can access the share and the file only if I add the Everyone group... I don't want this, just specific users.

    Advanced file sharing settings: network discovery is on; file sharing and printer sharing is on; public folder sharing is on; both are using 128 bit; "turn on password protected sharing" is on (so I shouldn't need to enter any user name or passwords)...

    I always get the "Windows cannot access \\computer A\File A... You don't have permissions to access"

    I have a homegroup set up... is that conflicting with the workgroup share?

    What have I missed...?


  2. Posts : 8,870
    Windows 7 Ult, Windows 8.1 Pro,
       #2

    As you found out, nothing will be sharable unless the Everyone share is in its default location at the C: Users folder.

    For sharing with specific machines you need to basically use the Homegroup but there are limitations on what you can do.

    The restricted access machines would need to be in the local Workgroup but not allowed to join the common Homegroup.

    The machines that require full access to all folders and files on the entire LAN are allowed to join the Homegroup.

    At this point the Homegroup machines would have access to all shared files and folders on all Workgroup machines, while none of the local Workgroup machines would have access to any of the files and folders on the Homegroup machines unless you add the "Everyone" share to a particular Library as is shown in the picture.

    So basically adding the Everyone share to a particular Library folder allows access to only that folder for all Workgroup machines.
    Attached Thumbnails: share-everyone.png


  3. Posts : 6
    win7 pro 32 bit
    Thread Starter
       #3

    Well, it was a test to see if I could apply some fashion of NTFS permissions to shares in a workgroup without a server. AD DS on a server handles this without any problem. However, the business owner doesn't want a server and I said I would see what I could do to make what he has work somewhat similar.

    That being said... I did find that you can still access a share without everyone. You can't list specific users... but you can use the GROUP USERS. The file will be shared again... I need to disable the home group and try again to make sure I am not gaining access through the homegroupuser user account.

    What I have learned is that EVERYONE is required to share the folder and gain access. Share permissions apply to the folders only. NTFS permissions apply to the files within the folder. That being said, I am going to try and limit access to files but not the folders. See what happens.


  4. Posts : 6
    win7 pro 32 bit
    Thread Starter
       #4

    I got it worked out now... You can accomplish this without the EVERYONE group. Use the USERS group.

    2 reasons this works...
    1) Share permissions are different than NTFS permissions. Share permissions apply only to the share folder. NTFS permissions apply to both the folder and the files within. With that being said, I can now control who has what permission to the files while still allowing them to navigate the folders.
    2) USERS group allows all the users on the machine with a user name and password to view the files, not everyone on the network. This gives a minor layer of security. If someone manages to gain access to the network they would need to also know and add every user and which groups that user was a member of to gain access to the shares, because individual users don't have permissions, just the group.

    How to:
    1) Go to computer management console>users and groups and create groups that you want to segregate out and add users.
    2) Create and share a folder; add the USERS group with Change and Read permissions and then remove the Everyone group.
    3) On the Security tab go to Advanced security and add the groups... Give the parent group full control... give the other groups Read only access and deny Write, Delete, Change Owner, and Change Permissions. Pay attention to the top drop-down and how you are applying these settings. It could be "folder only" and "this folder, subfolders and files" and multiple variations thereof. Play with it on test files and folders until you have it the way you want it, then apply the same settings to actual folders you want to share and protect.

    With mine I was able to create three shares. Groups 1, 2, 3 were able to see Files A, B, C... Group 1 had full control of A and Read only access to files B, C (look but don't touch/change).

    If you're not comfortable with NTFS permissions go to the NTFS website and study up... It's a very good site to walk you through the differences with simple explanations. It takes a little practice but it can be done.

    It's a lot more work for initial set up for a workgroup administrator but you can control who can do what in your folders and files while still providing access where needed.

    Hope this helps, there were a lot of posts that didn't have solid endings.


  5. Posts : 8,870
    Windows 7 Ult, Windows 8.1 Pro,
       #5

    Just to clarify. Now is a good time to do this as anyone else finding this post would find the precise information handy for setting up separate shares for every user in the LAN.

    This is a poorly explained aspect of Windows and some more precise directions complete with pictures would come in handy in the future as these types of questions come up fairly often.

    1) go to computer management console>users and groups and create groups that you want to segregate out and add users.

    For this first one did you use one of the predefined Groups or did you create a new group for each user?

    "first picture shows predefined Groups".

    Assuming you created a User Group for each User that requires different levels of access, do the User Groups that were created show up on the list per the second picture so you can add them to the permissions list?

    3) on the Security TAB go to Advanced security and add the Groups... Give the parent group full control... give the other groups Read only access and deny write, Delete, change Owner, and change permissions.

    Pay attention to the top drop down and how you are applying these settings. It could be folder only and this folder, subfolders and files and multiple variations thereof. Play with it on test files and folders until you have it the way you want it, then apply the same settings to actual folders you want to share and protect.

    In reference to #3: How would you define the Parent Group here? Are you using a predefined Group or is the Parent group just a designation for the Group with the most access?
    Attached Thumbnails: predefined-groups.png, user-groups-showing-up-list.png


  6. Posts : 6
    win7 pro 32 bit
    Thread Starter
       #6

    update to correct missing component of the config


    I had to create this again at work and found I had left one important step out when I reviewed this for a how to.

    How to set up an NTFS managed network share in a non-server workgroup environment.

    1) Go to computer management console>users and groups and create groups / users that you want to segregate out and add applicable users to their groups.

    2) ** important ** Open local security policy editor (type "local" in start search menu), and run as administrator if not already logged in as such.
    Select> Local Policies\User Rights Assignment> select "Access this computer from the network" and adjust the properties to include the specific users and groups that require access to the specified computer. Do not add anyone who doesn't need it, and never use the Everyone group. If there is a specific user in a group that needs to be denied access to a specific computer over the network, just look further down the GP list, locate "Deny access to this computer from the network" and add the user there. It will override the user but not the group, and keep them from accessing that specific computer.

    3) Create and share folders the group requires: Add the newly created groups or users with change and Read Permissions and then Remove the Everyone Group. Ensure the Administrators group is also included with full permissions.

    4) Access the security tab on the properties of the newly shared folder: Go to Advanced security and add the Groups or users as applicable... Give the administrators group full control... give the newly created group/users the minimum permissions they require. Pay attention to the top drop down and how you are applying these settings. It could be folder only and this folder, subfolders and files and multiple variations thereof. Play with it on test files and folders until you have it the way you want it, then apply the same settings to actual folders you want to share and protect.

    ** The crappy part (it's a workgroup): you just have to repeat all of the above on every single machine that will require shared access across the workgroup. Remember that any single user that requires access to a machine in a workgroup must have an activated, unlocked account on that machine. So this is a bad idea for anything but a small office workgroup that wants to share secured files to a small # of computers and people. Keep administrative rights and privileges to a minimum.
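
The four steps from post #6, scripted so they can be repeated on each workgroup machine from an elevated PowerShell prompt. This is an added example, not part of the original posts: the group, member, folder and share names are hypothetical, the local accounts are assumed to exist already, and step 2 is only audited here, not changed.

```powershell
# Added example. Hypothetical names throughout; adjust per machine.
$Group   = 'Accounting'               # local group that should reach the share
$Members = @('alice', 'bob')          # existing, enabled local accounts
$Path    = 'C:\Shares\Accounting'
$Share   = 'Accounting'

# Step 1: create the local group and add its members.
net localgroup $Group /add
foreach ($m in $Members) { net localgroup $Group $m /add }

# Step 2 (audit only): export User Rights Assignment and check whether
# "Access this computer from the network" (SeNetworkLogonRight) still
# lists Everyone, whose well-known SID is S-1-1-0.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg
if ($right -match '\*S-1-1-0(,|$)') {
    Write-Warning 'Everyone still holds "Access this computer from the network".'
}
Write-Output $right

# Step 3: share the folder. With /GRANT the share ACL contains only the
# principals listed, so no Everyone entry is created on the share.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
net share "$Share=$Path" "/GRANT:$Group,CHANGE" '/GRANT:Administrators,FULL'

# Step 4: NTFS permissions. Drop inherited entries, then grant explicitly.
# (OI)(CI) applies the entry to this folder, subfolders and files.
# SYSTEM is kept here as an assumption so services can still read the tree;
# RX (read and execute) stands in for "the minimum permissions they require".
icacls $Path /inheritance:r
icacls $Path /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${Group}:(OI)(CI)RX"

# Review the result: neither listing should show Everyone.
net share $Share
icacls $Path
```

The effective access over the network is the more restrictive of the share permission and the NTFS permission, so with Change on the share and RX on the folder the group ends up read-only.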
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
