TechSpot

Guide: Troubleshoot XP File and Printer Sharing Access Errors

By LookinAround
Sep 1, 2008

  1. Troubleshoot XP File/Printer Sharing, Part 3 of 3
    Network Access Errors
    (v1.1 10/08)

    Windows File and Printer Sharing (FPS) must be configured for a “mix-and-match” of machines / components / options. This guide helps troubleshoot XP File Sharing visibility and access problems:
    • Visibility Errors. Some of your computers can’t see/find all others on your Windows Network
    • Access Errors. A user can’t connect to or is denied from using a remote resource
    This guide has 3 parts
    • Part 1 troubleshoots most visibility issues
    • Part 2 explains/troubleshoots Computer Browser Service which may also cause visibility issues
    • Part 3 (this post) troubleshoots access errors

      NOTES
      • Windows FPS access may “simply work” but, if not, there are many variables involved. This is my best shot at pulling (what I know of) them together but “your results may vary”
      • This guide is XP specific tho many “things to look for” apply to Vista as well
    OVERVIEW: File Sharing, Authentication and Access
    File Sharing uses a client / server model to control shared access
    • User logs on to their computer (client) and requests a resource (on server). The server request includes the user’s credentials: userid and password
    • Server authenticates client credentials and checks them against system policies. Once client completes a network logon to server a “session” is established. Logon account privileges apply
    • A single computer can be both a client and server if it requests resources of others while offering its own
    XP provides two methods of file sharing
    => Simple File Sharing (SFS) and Classic File Sharing (CFS)
    => XP Home only allows SFS. XP Pro allows choice of either
    => Click for illustrated, basic examples of SFS Setup and CFS Setup

    XP file sharing uses two authentication methods
    • Guest Authentication. Server authenticates everyone as Guest (regardless of userid). It checks policy for Guest logon rights and attempts logon using id=Guest and the password found in credentials (more on Guest). On success, Guest account privileges apply. Authentication fails if
      • Guest account disabled
      • Server policy denies Guest or anonymous net logon
      • Guest account is password protected and credentials don’t match the password
    • User Authentication. Server authenticates on a per-user basis. It checks user logon right and attempts logon with user’s credentials. On success, logon account privileges apply. Authentication fails if
      • Server policy denies userid net logon
      • No server account matches id/password credentials
      • Server account has no password when server policy requires one
    CHECKLIST
    => Verify each item. (=value) is value to assign for testing. Restore current value once all works
    => Create a “View Workgroups” shortcut. In Explorer, right-click MyNetworkPlaces->Explore->Entire Network. Drag Microsoft Windows Network to Desktop. Open to view workgroups
    System Settings
    Verify clients see all servers
    On each computer, click View Workgroups shortcut
    => If all servers aren’t visible, you must fix networking/visibility issues before proceeding

    Stop frequent system logon
    On each computer, Open Explorer, click Tools->Folder Options->View
    => Scroll to Automatically Search for Network Folders. Uncheck
    User Account Settings
    If you’re restricting access by
    => Userid, server must use CFS. Users require accounts on both client and server with matching id/password
    => Guest (SFS or CFS), if server Guest account is password protected, clients must send matching passwords
    => For initial testing, will be easier if no passwords on user or Guest accounts
    Activate every account
    net user xxxx /active:yes where xxxx is a userid or Guest

    Set matching passwords (= Initially no passwords)
    => Enter control userpasswords2
    => Select user, click Reset Password. Enter password. Hit Enter for no password
    Policy Settings
    User Logon Policies
    Guest must have network logon rights
    Download Win2003 Resource Kit. Use ntrights to grant or revoke logon rights. Works on all versions XP and Vista
    Set logon rights for: Guest and Everyone. Copy/paste these commands to command prompt
    ntrights +r SeNetworkLogonRight -u Guest
    ntrights +r SeNetworkLogonRight -u Everyone
    ntrights -r SeDenyNetworkLogonRight -u Guest
    ntrights -r SeDenyNetworkLogonRight -u Everyone
    Security Policies
    Back up the registry. Use regedit (Start->Run, regedit) to set (=value). Restore values when working
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse
    Limit local account use of blank passwords (=0) !Must=0 if user’s server account has no password else userid will always fail!
    = 0 (Disable): No password restrictions
    = 1 (Enable): Only Guest allowed no password

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
    Do not allow anonymous enumeration of SAM accounts and shares (=0)
    = 0 (Disable): Guest or non-guest access
    = 1 (Enable): Only non-guest

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymoussam
    = 1 (Do not change)

    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess
    Restrict Null session logon (=0)
    = 0 (Disable): Guest or non-guest access
    = 1 (Enable): Only non-guest
    Share Settings
    Verify what’s shared
    => On server, use Shared Folders tool (below) and note its Shared Path (ignore shares ending in $)
    TROUBLESHOOT: Tools/Tests/Hints
    Testing for Read Access
    Explorer response to a test can be a clue. If you get => it usually means
    - Logon prompt => no such userid or password mismatch
    - ErrMsg about “not granted” => rights / policy issue
    - ErrMsg about “access” => permissions issue
    Ways to test
    - Drill down: Click your View Workgroups shortcut. Open Workgroups -> Computers -> Shares -> then file
    - Access directly: In Explorer, enter the Shared Path (\\computername\local path)

    Using Shared Folder Tool – know the logon id!
    Server based tool to manage and provide status on Shares, Sessions, and Open Files (more info)
    Hint: Determine logon id for a client/server session. It defines session’s server privileges. e.g. CFS may logon as Guest or with userid
    Start->Run, fsmgmt.msc Under Sessions, look at
    - Userid received from client
    - Guest is a flag. If =Y, id was Guest authenticated (logon id=Guest), else logon id=id received
    How to verify permissions for access
    User access to a resource requires that their credentials meet the requirements defined by the resource’s permissions. There are only Sharing Permissions for SFS. CFS uses both Sharing and Security permissions
    SFS Permissions
    Permissions defined on Sharing tab by selecting the two options under “Network Sharing and Security”
    A folder is
    => Network Shared, Read-Only if Only “Share Folder on Network” checked
    => Network Shared, Read-Write if Both options checked
    => Not network shared if Neither option checked
    CFS Permissions
    Permissions defined on Sharing and Security tabs. User credentials must meet the more restrictive of the two

    Understanding and managing CFS permissions can be a challenge. For easier management and troubleshooting:
    => Set Sharing for Everyone (so Security always controls access). In Sharing tab, include Everyone with Full Control
    => Check Security settings OK. Download accesschk. Save in C:\Windows\system32. Use accesschk to report user access based on Security permissions
    Examples: Assume C:\Shared\Stuff is shared
    Check userid joe access to folder (note path in quotes “”). Case sensitive
    accesschk -d joe "C:\Shared\Stuff"

    Check if anything joe can’t access in the folder
    If everything accessible, returns No objects
    accesschk -sn joe "C:\Shared\Stuff"
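
    The Security Policies step says to back up the registry and restore the values once sharing works. As an added example (not part of the original guide), this Python script compares two saved `reg query` outputs for the four values the guide names and lists any that were not restored. Both sample outputs are constructed, and saving the output of `reg query` for the two keys before and after testing is an assumption about how the backup was taken.

```python
import re

# Registry values the guide touches, with the guide's own wording for each.
WATCHED = {
    "limitblankpassworduse": "Limit local account use of blank passwords",
    "restrictanonymous": "Do not allow anonymous enumeration of SAM accounts and shares",
    "restrictanonymoussam": "RestrictAnonymoussam (guide says: do not change)",
    "restrictnullsessaccess": "Restrict Null session logon",
}
# A value line in `reg query` output: indent, name, REG_DWORD, hex data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: int} for the watched REG_DWORD values."""
    found = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(1).lower() in WATCHED:  # value names are case-insensitive
            found[m.group(1).lower()] = int(m.group(2), 16)
    return found

def unrestored(backup_text, current_text):
    """List (name, backup, current) for watched values that differ from the backup."""
    backup, current = parse_reg_query(backup_text), parse_reg_query(current_text)
    return [(n, backup.get(n), current.get(n))
            for n in sorted(WATCHED) if backup.get(n) != current.get(n)]

# Constructed sample: output saved before testing ...
BACKUP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    limitblankpassworduse    REG_DWORD    0x1
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RestrictNullSessAccess    REG_DWORD    0x1
"""
# ... and after testing, with two values still at the guide's test setting (=0).
CURRENT = BACKUP.replace("limitblankpassworduse    REG_DWORD    0x1",
                         "limitblankpassworduse    REG_DWORD    0x0").replace(
                         "RestrictNullSessAccess    REG_DWORD    0x1",
                         "RestrictNullSessAccess    REG_DWORD    0x0")

if __name__ == "__main__":
    for name, before, now in unrestored(BACKUP, CURRENT):
        print(f"{WATCHED[name]} ({name}): backup={before} current={now} -> restore")
```

    A value missing from the current output is reported with `None`, so a deleted value shows up as unrestored as well.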
     