Troubleshoot XP File/Printer Sharing, Part 3 of 3
Network Access Errors (v1.1 10/08)
Windows File and Printer Sharing (FPS) must be configured for a “mix-and-match” of machines / components / options. This guide helps troubleshoot XP File Sharing visibility and access problems

Visibility Errors. Some of your computers can’t see/find all others on your Windows Network
Access Errors. A user can’t connect to or is denied from using a remote resource

This guide has 3 parts

• Part 1 troubleshoots most visibility issues
• Part 2 explains/troubleshoots Computer Browser Service which may also cause visibility issues
• Part 3 (this post) troubleshoots access errors
  
  NOTES
• Windows FPS access may “simply work” but, if not, there are many variables involved. This is my best shot at pulling (what I know of) them together but “your results may vary”
• This guide is XP specific tho many “things to look for” apply to Vista as well

OVERVIEW: File Sharing, Authentication and Acccess

File Sharing uses a client / server model to control shared access

• User logs on to their computer (client) and requests a resource (on server). The server request includes the user’s credentials: userid and password
• Server authenticates client credentials and checks them against system policies. Once client completes a network logon to server a “session” is established. Logon account privileges apply
• A single computer can be both a client and server if it requests resources of others while offering its own

XP provides two methods of file sharing
=> Simple File Sharing (SFS) and Classic File Sharing (CFS)
=> XP Home only allows SFS. XP Pro allows choice of either
=> Click for illustrated, basic examples of SFS Setup and CFS Setup

XP file sharing uses two authentication methods

• Guest Authentication. Server authenticates everyone as Guest (regardless of userid). It checks policy for Guest logon rights and attempts logon using id=Guest and the password found in credentials (more on Guest) On success, Guest account privileges apply. Authentication fails if
  • Guest account disabled
  • Server policy denies Guest or anonymous net logon
  • Guest account is password protected and credentials don’t match the password
• User Authentication. Server authenticates on a per-user basis. It checks user logon right and attempts logon with user’s credentials. On success, logon account privileges apply. Authentication fails if
  • Server policy denies userid net logon
  • No server account matches id/password credentials
  • Server account has no password when server policy requires one

CHECKLIST
=> Verify each item. (=value) is value to assign for testing. Restore current value once all works
=> Create a “View Workgroups” shortcut. In Explorer, rt click MyNetworkPlaces->Explore->Entire Network. Drag Microsoft Windows Network to Desktop. Open to view workgroups

System Settings

Verify clients see all servers
On each computer, click View Workgroups shortcut
=> If all servers aren’t visibile must fix networking/visibility issues before proceeding

Stop frequent system logon
On each computer, Open Explorer, click Tools->Folder Options->View
=> Scroll to Automatically Search for NetworkFolders. Uncheck

User Account Settings
If you’re restricting access by
.=> Userid, server must use CFS. Users require accounts on both client and server with matching id/password
.=> Guest (SFS or CFS), if server Guest account is password protected, clients must send matching passwords
.=> For initial testing, will be easier if no passwords on user or Guest accounts

Activate every account
net user xxxx /active:yes where xxxx is a userid or Guest

Set matching passwords (= Initially no passwords)
….> Enter control userpasswords2
….> Select user, click Reset Password. Enter password. Hit Enter for no password

Policy Settings

User Logon Policies
Guest must have network logon rights
Download Win2003 Resource Kit. Use ntrights to grant or revoke logon rights. Works on all versions XP and Vista

Set logon rights for: Guest and Everyone. Copy/paste these commands to command prompt
ntrights +r SeNetworkLogonRight -u Guest
ntrights +r SeNetworkLogonRight -u Everyone
ntrights -r SeDenyNetworkLogonRight -u Guest
ntrights -r SeDenyNetworkLogonRight -u Everyone

Security Policies
Backup registry. Use regedit (Start->Run, regedit) to set (=value) Restore values when working

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse
Limit local account use of blank passwords (=0) !Must=0 if user’s server account has no password else userid will always fail!
= 0 (Disable): No password restrictions
= 1 (Enable): Only Guest allowed no password

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
Do not allow anonymous enumeration of SAM accounts and shares (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymoussam
= 1 (Do not change)

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNull SessAccess
Restrict Null session logon (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest

Share Settings
Verify what’s shared
=> On server, use Shared Folders tool (below). and note its Shared Path (Ignore shares ending in $)

TROUBLESHOOT: Tools/Tests/Hints

Testing for Read Access
Explorer response to a test can be a clue. If you get: usually means
- Logon prompt: no such userid or password mismatch
- ErrMsg about “not granted”: rights / policy issue
- ErrMsg about “access”: permissions issue

- Drill down: Click your View Workgroups shortcut. Open Workgroups -> Computers -> Shares -> then file
- Access directly: In Explorer, enter the Shared Path (\\computername\local path]

Using Shared Folder Tool – know the logon id!
Server based tool to manage and provide status on Shares, Sessions, and Open Files (more info)
Hint: Determine logon id for a client/server session. It defines session’s server privileges. e.g. CFS may logon as Guest or with userid

Start->Run, fsmgmt.msc Under Sessions, look at
- Userid received from client
- Guest is a flag. If =Y id was Guest authenticated logon id=Guest else logon id=id received

How to verify permissions for access
User access of a resource requires their credentials meet the defined by the resource’s permissions. There are only Sharing Permissions for SFS. CFS uses both Sharing and Security permissions

SFS Permissions
Permissions defined on Sharing tab by selecting the two options under “Network Sharing and Security”

A folder is
=> Network Shared, Read-Only if Only “Share Folder on Network” checked
=> Network Shared, Read-Write if Both options checked
=> Not network shared if Neither option checked

CFS Permissions
Permissions defined on Sharing and Security tabs. User credentials must meet the more restrictive of the two

Understanding and managing CFS permissions can be a challenge. For easier management and troubleshooting:
=> Set Sharing for Everyone (so Security always control access) In Sharing tab, include Everyone with Full Control
=> Check Security settings OK. Download accesschk Save in C:\Windows\system32. Use accesschk to report user access based on Security permissions

Examples: Assume C:\Shared\Stuff is shared
Check userid joe access to folder (note path in quotes “”) Case sensitive
accesschk –d joe “C:\Shared\Stuff”

Check if anything joe can’t access in the folder
If everything accessible, returns No objects
accesschk –sn joe “C:\Shared\Stuff”