LookinAround
Posts: 6,429 +186
[CENTER]Troubleshoot XP File/Printer Sharing, Part 3 of 3
Network Access Errors (v1.1 10/08)[/center]
Windows File and Printer Sharing (FPS) must be configured for a “mix-and-match” of machines / components / options. This guide helps troubleshoot XP File Sharing visibility and access problems
Visibility Errors. Some of your computers can’t see/find all others on your Windows Network
Access Errors. A user can’t connect to or is denied from using a remote resource
This guide has 3 partsAccess Errors. A user can’t connect to or is denied from using a remote resource
- Part 1 https://www.techspot.com/vb/topic106417.html troubleshoots most visibility issues
- Part 2 explains/troubleshoots Computer Browser Service which may also cause visibility issues
- Part 3 (this post) troubleshoots access errors
NOTES
[*]Windows FPS access may “simply work” but, if not, there are many variables involved. This is my best shot at pulling (what I know of) them together but “your results may vary”
[*]This guide is XP specific tho many “things to look for” apply to Vista as well
File Sharing uses a client / server model to control shared access
=> Simple File Sharing (SFS) and Classic File Sharing (CFS)
=> XP Home only allows SFS. XP Pro allows choice of either
=> Click for illustrated, basic examples of SFS Setup and CFS Setup
XP file sharing uses two authentication methods
CHECKLIST- User logs on to their computer (client) and requests a resource (on server). The server request includes the user’s credentials: userid and password
- Server authenticates client credentials and checks them against system policies. Once client completes a network logon to server a “session” is established. Logon account privileges apply
- A single computer can be both a client and server if it requests resources of others while offering its own
=> Simple File Sharing (SFS) and Classic File Sharing (CFS)
=> XP Home only allows SFS. XP Pro allows choice of either
=> Click for illustrated, basic examples of SFS Setup and CFS Setup
XP file sharing uses two authentication methods
- Guest Authentication. Server authenticates everyone as Guest (regardless of userid). It checks policy for Guest logon rights and attempts logon using id=Guest and the password found in credentials (more on Guest On success, Guest account privileges apply. Authentication fails if
- Guest account disabled
- Server policy denies Guest or anonymous net logon
- Guest account is password protected and credentials don’t match the password
- User Authentication. Server authenticates on a per-user basis. It checks user logon right and attempts logon with user’s credentials. On success, logon account privileges apply. Authentication fails if
- Server policy denies userid net logon
- No server account matches id/password credentials
- Server account has no password when server policy requires one
=> Verify each item. (=value) is value to assign for testing. Restore current value once all works
=> Create a “View Workgroups” shortcut. In Explorer, rt click MyNetworkPlaces->Explore->Entire Network. Drag Microsoft Windows Network to Desktop. Open to view workgroups
System Settings
If you’re restricting access by
.=> Userid, server must use CFS. Users require accounts on both client and server with matching id/password
.=> Guest (SFS or CFS), if server Guest account is password protected, clients must send matching passwords
.=> For initial testing, will be easier if no passwords on user or Guest accounts
Verify what’s shared
=> On server, use Shared Folders tool (below). and note its Shared Path (Ignore shares ending in $)
TROUBLESHOOT: Tools/Tests/HintsVerify clients see all servers
On each computer, click View Workgroups shortcut
=> If all servers aren’t visibile must fix networking/visibility issues before proceeding
Stop frequent system logon
On each computer, Open Explorer, click Tools->Folder Options->View
=> Scroll to Automatically Search for NetworkFolders. Uncheck
User Account SettingsOn each computer, click View Workgroups shortcut
=> If all servers aren’t visibile must fix networking/visibility issues before proceeding
Stop frequent system logon
On each computer, Open Explorer, click Tools->Folder Options->View
=> Scroll to Automatically Search for NetworkFolders. Uncheck
If you’re restricting access by
.=> Userid, server must use CFS. Users require accounts on both client and server with matching id/password
.=> Guest (SFS or CFS), if server Guest account is password protected, clients must send matching passwords
.=> For initial testing, will be easier if no passwords on user or Guest accounts
Activate every account
net user xxxx /active:yes where xxxx is a userid or Guest
Set matching passwords (= Initially no passwords)
….> Enter control userpasswords2
….> Select user, click Reset Password. Enter password. Hit Enter for no password
Policy Settingsnet user xxxx /active:yes where xxxx is a userid or Guest
Set matching passwords (= Initially no passwords)
….> Enter control userpasswords2
….> Select user, click Reset Password. Enter password. Hit Enter for no password
User Logon Policies
Guest must have network logon rights
Download Win2003 Resource Kit. Use ntrights to grant or revoke logon rights. Works on all versions XP and Vista
Backup registry. Use regedit (Start->Run, regedit) to set (=value) Restore values when working
Share SettingsGuest must have network logon rights
Download Win2003 Resource Kit. Use ntrights to grant or revoke logon rights. Works on all versions XP and Vista
Set logon rights for: Guest and Everyone. Copy/paste these commands to command prompt
ntrights +r SeNetworkLogonRight -u Guest
ntrights +r SeNetworkLogonRight -u Everyone
ntrights -r SeDenyNetworkLogonRight -u Guest
ntrights -r SeDenyNetworkLogonRight -u Everyone
Security Policiesntrights +r SeNetworkLogonRight -u Guest
ntrights +r SeNetworkLogonRight -u Everyone
ntrights -r SeDenyNetworkLogonRight -u Guest
ntrights -r SeDenyNetworkLogonRight -u Everyone
Backup registry. Use regedit (Start->Run, regedit) to set (=value) Restore values when working
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse
Limit local account use of blank passwords (=0) !Must=0 if user’s server account has no password else userid will always fail!
= 0 (Disable): No password restrictions
= 1 (Enable): Only Guest allowed no password
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
Do not allow anonymous enumeration of SAM accounts and shares (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymoussam
= 1 (Do not change)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess
Restrict Null session logon (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest
Limit local account use of blank passwords (=0) !Must=0 if user’s server account has no password else userid will always fail!
= 0 (Disable): No password restrictions
= 1 (Enable): Only Guest allowed no password
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
Do not allow anonymous enumeration of SAM accounts and shares (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymoussam
= 1 (Do not change)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess
Restrict Null session logon (=0)
= 0 (Disable): Guest or non-guest access
= 1 (Enable): Only non-guest
Verify what’s shared
=> On server, use Shared Folders tool (below). and note its Shared Path (Ignore shares ending in $)
Testing for Read Access
Explorer response to a test can be a clue. If you get: usually means
- Logon prompt: no such userid or password mismatch
- ErrMsg about “not granted”: rights / policy issue
- ErrMsg about “access”: permissions issue
Using Shared Folder Tool – know the logon id!
Server based tool to manage and provide status on Shares, Sessions, and Open Files (more info)
Hint: Determine logon id for a client/server session. It defines session’s server privileges. e.g. CFS may logon as Guest or with userid
User access of a resource requires their credentials meet the defined by the resource’s permissions. There are only Sharing Permissions for SFS. CFS uses both Sharing and Security permissions
Explorer response to a test can be a clue. If you get: usually means
- Logon prompt: no such userid or password mismatch
- ErrMsg about “not granted”: rights / policy issue
- ErrMsg about “access”: permissions issue
- Drill down: Click your View Workgroups shortcut. Open Workgroups -> Computers -> Shares -> then file
- Access directly: In Explorer, enter the Shared Path (\\computername\local path]
- Access directly: In Explorer, enter the Shared Path (\\computername\local path]
Using Shared Folder Tool – know the logon id!
Server based tool to manage and provide status on Shares, Sessions, and Open Files (more info)
Hint: Determine logon id for a client/server session. It defines session’s server privileges. e.g. CFS may logon as Guest or with userid
Start->Run, fsmgmt.msc Under Sessions, look at
- Userid received from client
- Guest is a flag. If =Y id was Guest authenticated logon id=Guest else logon id=id received
How to verify permissions for access- Userid received from client
- Guest is a flag. If =Y id was Guest authenticated logon id=Guest else logon id=id received
User access of a resource requires their credentials meet the defined by the resource’s permissions. There are only Sharing Permissions for SFS. CFS uses both Sharing and Security permissions
SFS Permissions
Permissions defined on Sharing tab by selecting the two options under “Network Sharing and Security”
Permissions defined on Sharing and Security tabs. User credentials must meet the more restrictive of the two
Understanding and managing CFS permissions can be a challenge. For easier management and troubleshooting:
=> Set Sharing for Everyone (so Security always control access) In Sharing tab, include Everyone with Full Control
=> Check Security settings OK. Download accesschk Save in C:\Windows\system32. Use accesschk to report user access based on Security permissions
Permissions defined on Sharing tab by selecting the two options under “Network Sharing and Security”
A folder is
=> Network Shared, Read-Only if Only “Share Folder on Network” checked
=> Network Shared, Read-Write if Both options checked
=> Not network shared if Neither option checked
CFS Permissions=> Network Shared, Read-Only if Only “Share Folder on Network” checked
=> Network Shared, Read-Write if Both options checked
=> Not network shared if Neither option checked
Permissions defined on Sharing and Security tabs. User credentials must meet the more restrictive of the two
Understanding and managing CFS permissions can be a challenge. For easier management and troubleshooting:
=> Set Sharing for Everyone (so Security always control access) In Sharing tab, include Everyone with Full Control
=> Check Security settings OK. Download accesschk Save in C:\Windows\system32. Use accesschk to report user access based on Security permissions
Examples: Assume C:\Shared\Stuff is shared
Check userid joe access to folder (note path in quotes “”) Case sensitive
accesschk –d joe “C:\Shared\Stuff”
Check if anything joe can’t access in the folder
If everything accessible, returns No objects
accesschk –sn joe “C:\Shared\Stuff”
Check userid joe access to folder (note path in quotes “”) Case sensitive
accesschk –d joe “C:\Shared\Stuff”
Check if anything joe can’t access in the folder
If everything accessible, returns No objects
accesschk –sn joe “C:\Shared\Stuff”
