Permissions Question

[Corpsecrank]

So I ran into an issue today. I wanted to make a folder and share it on a network. However I did not want more than 2 specific computers to be able to access this share. I wanted to restrict the permissions down to just the computer hosting the shared folder and another computer with which the folder was to be shared.

For the life of me I could not add a new permission for just the second machine. I tried adding the computer by name and it would not go I also tried a whole lot of other things with no luck.

Could someone please explain how setting up a new permission for just a single computer on the network is done? I just want to add and allow access for one specific machine other than the host to be able to access this share.

 

[Barman58]

Although this type of permission is possible with a client-server system I do not think it is possible with a workgroup.

The correct tokens are not available in the normal workgroup to allow this and although the computer nome is part of the id of the user it is not the separate object as it is with for example windows server.

 

[chev65]

So I ran into an issue today. I wanted to make a folder and share it on a network. However I did not want more than 2 specific computers to be able to access this share. I wanted to restrict the permissions down to just the computer hosting the shared folder and another computer with which the folder was to be shared.

For the life of me I could not add a new permission for just the second machine. I tried adding the computer by name and it would not go I also tried a whole lot of other things with no luck.

Could someone please explain how setting up a new permission for just a single computer on the network is done? I just want to add and allow access for one specific machine other than the host to be able to access this share.

This question comes up pretty often and there seems to be a couple ways to do this. The popular way involves setting up some extra user accounts on the machine you need to share from. That way you can designate who you can share with in your network. Follow the steps below. This does work when using Workgroups. Posted by Tom Stitt awhile back.

When the users connect, you need to have password sharing enabled (i.e. they must put in a password to enter the shared computer (they can always save this so they need not enter it next time).

You now need 2 local users on the Windows 7 computer, e.g. call them user1 and user2 with their own respective passwords. Don't make them ADMIN users.

Note that you also need to remap the drives and use these logins and passwords for the drive mapping.

Now user1 has access to everything, so on the outside folder give them complete access (or read only as you desire, including access to the special folder inside). Repeat this action for user2.

Now go to the special folder that you only want user1 to have access to. Right click on it and select properties/security. On the permissions tab, have a look and write down the current permission settings (this is an important reducndancy step should something you do fail later). Now look for a tickbox to inherit parent permissions and untick this. Now give permissions only to those users that you want to access this folder. Be aware that you probably need SYSTEM and CREATOR OWNER on there.

Like all good plans, switch user to user1 on the Windows 7 box and test that they can locally access what they are supposed to. Repeat with User2. Now remap the drives with the new passwords and give the passwords out to the users.

This should fix your issue.

 

[Corpsecrank]

Putting a password on the computers in question or changing anything for that matter is not an option because those computers are not mine and are part of a business.

Basically I was asked if there was some way that 2 of the computers in the one office could bounce files quickly and easily without other machines on the network being able to see those files. I figured that making a shared folder on one machine and then restricting access to that folder to only the other computer in the room might be the best idea.

Little did I know that you could not simply restrict access to a specific computer and that you had to add an entire group of some type.

The problem for me is that I can only seem to add everyone if I want anyone outside of the host computer to be able to access the share.

If I were able to make a new group and add the second computer to that group I might be able to allow just that one new group to access the share. The problem is that I don't know anything about creating a new group for that and even if I did create that group how would that affect the way that computer acts on the network. I have to make sure that I am not causing any problems on this network while trying to make this happen.

 

[KiwiME]

Can't you simply make the shares invisible using a $ in the name like you could in XP? Map the shares on the client machines to a drive letter which requires typing in the path explicitly.

 

[chev65]

Putting a password on the computers in question or changing anything for that matter is not an option because those computers are not mine and are part of a business.

Basically I was asked if there was some way that 2 of the computers in the one office could bounce files quickly and easily without other machines on the network being able to see those files. I figured that making a shared folder on one machine and then restricting access to that folder to only the other computer in the room might be the best idea.

Little did I know that you could not simply restrict access to a specific computer and that you had to add an entire group of some type.

The problem for me is that I can only seem to add everyone if I want anyone outside of the host computer to be able to access the share.

If I were able to make a new group and add the second computer to that group I might be able to allow just that one new group to access the share. The problem is that I don't know anything about creating a new group for that and even if I did create that group how would that affect the way that computer acts on the network. I have to make sure that I am not causing any problems on this network while trying to make this happen.

Just adding the special Users to the machine being shared from isn't all that difficult. And the passwords can be remembered by the machine if you choose that option. The directions make it look harder than it really is. It's very simple once you do it the first time. The method I posted is the only way far as I know.

But I agree there should be an easier way. Individual users would need to show up on the permissions list without adding those users to the machine account. For some reason it doesn't work like that, it's either everyone or nobody otherwise. The method I posted has been tried and was proven to work by the way.

There may be a way to set up dual ownership on a file but I havn't tried that yet.

 

[Barman58]

All access in a workgroup is user based - computers do not have the Tokens required to be given access permissions.

Depending on which OS and SKU you may be able to add an additional group on the sharing machine allocate the access rights to that group and then add the users from the second machine. this would ease the management of the access.

How many users are involved on the machine that needs access (these need to be duplicated on the sharing machine) ?

If you had the centralized control provided by a Server then this matter would be a relatively simple one

 

[WindowsStar]

Putting a password on the computers in question or changing anything for that matter is not an option because those computers are not mine and are part of a business.

Basically I was asked if there was some way that 2 of the computers in the one office could bounce files quickly and easily without other machines on the network being able to see those files. I figured that making a shared folder on one machine and then restricting access to that folder to only the other computer in the room might be the best idea.

Little did I know that you could not simply restrict access to a specific computer and that you had to add an entire group of some type.

The problem for me is that I can only seem to add everyone if I want anyone outside of the host computer to be able to access the share.

If I were able to make a new group and add the second computer to that group I might be able to allow just that one new group to access the share. The problem is that I don't know anything about creating a new group for that and even if I did create that group how would that affect the way that computer acts on the network. I have to make sure that I am not causing any problems on this network while trying to make this happen.

You could do this with a portable 3rd party software. If that is an option???

Or

If the computers are close to each other you could put a USB External hard drive on a USB hub between the machines. You would both be able to access the files on the external hard drive. Or simpler yet a USB Flash drive.

 

[chev65]

Looks like even when the Op gets exactly the correct responce sometimes it's still not the right answer.

I think I'm going to experiment by setting up a shared folder with dual ownership and see if that might work.

 

[WindowsStar]

Looks like even when the Op gets exactly the correct responce sometimes it's still not the right answer.

Lol....

I think I'm going to experiment by setting up a shared folder with dual ownership and see if that might work.

Let us know how this works.

 

[Corpsecrank]

Yeah it's basically an issue of myself not having enough control over the machines this is being done on to alter anything. I think making a new group that only those 2 machines are part of and then restricting access to the new group should do the trick.

 

[chev65]

Yeah it's basically an issue of myself not having enough control over the machines this is being done on to alter anything. I think making a new group that only those 2 machines are part of and then restricting access to the new group should do the trick.

That is correct and so far thats the only way to accomplish the task that I know of.

I havn't had much time to experiment with the dual ownership yet but I think that may be another way to make it work. Maybe I'll do that today.

No luck with dual ownership, I believe that creating seperate user accounts for private sharing is the only way. And the way to restrict access to those new user accounts is to use passwords that only the admin and the special shared user knows about.