
I have been doing some troubleshooting of my home network lately and have come to an odd conclusion that I was hoping to get some clarification on.

I'm used to managing share permissions in a domain environment via groups instead of individual user accounts. I have a box at home running Windows 7 Ultimate and I decided to share some directories on that machine. I set it up to disallow guest access and require specifically granted permissions. (password mode?). Anyway, after a whole bunch of time I figured out that even though the shares I created were allowed via a local group I could not access them until I gave specific allowance to the intended user. I just didn't think I would have to do that.

So here is the breakdown.

Network is a Windows workgroup, not a homegroup or NT domain

PC_1 - win 7 ultimate - sharing in classic mode - user BOB - groups Admins

PC_2 - win 7 starter - client - user BOB - groups admins

PC_3 - win xp pro - client - user BOB - groups admins

The share on PC_1 granted permission to only the local group Administrators. Local user BOB on PC_1 was a member of Administrators. Both PC_2 and PC_3 could not browse the intended share on PC_1 because they were denied access. Also, no challenge was presented. They were simply denied. After adding BOB specifically to the intended share everything works just fine.

Remember, it's not an NT domain, just a workgroup. But still, shouldn't I be able to manage share permissions via groups instead of individual user accounts?

D.

Digital ink

1 Answer

You might be running into this: KB951016

The KB article references Vista, but it applies to Vista/2008 and beyond. Essentially when you were trying to connect to PC_1 with user BOB, the credentials you were connecting with weren't elevated by default. So BOB's administrator group membership didn't apply. Microsoft refers to this as "Remote UAC".

You can make the registry change specified in the KB article to fix it. Or you could likely also create a new local group (that wouldn't be filtered by UAC) and grant the permissions to that group instead of the local admins group. (though you can't do this for the default shares)

Just in case the KB article disappears, here's the registry tweak it mentions:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy = 1 (DWORD)

Ryan Bolger
  • Damn UAC has got me again! Thanks much Ryan that was exactly it. Since I understand what's going on now and appreciate what UAC tries to accomplish I'll manage access with a group other than Administrators. – Digital ink Feb 09 '11 at 00:37
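
The second option from the answer above (a dedicated local group instead of Administrators, leaving Remote UAC filtering on), as an added example that is not part of the original answer or comment. The group name `ShareUsers`, share name `Data` and path `C:\Shares\Data` are hypothetical; `BOB` and `PC_1` come from the question.

```powershell
# Added example. ShareUsers, Data and C:\Shares\Data are hypothetical names.
# Run on PC_1 from an elevated PowerShell prompt.
$GroupName = 'ShareUsers'
$UserName  = 'BOB'
$ShareName = 'Data'
$Path      = 'C:\Shares\Data'

# Stop early if the session is not elevated; the commands below need it.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

# Report the Remote UAC setting. Absent or 0 means remote logons by local
# administrator accounts receive a filtered token (the default).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($policy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy = 1: remote local admins receive a full token.'
} else {
    Write-Output 'LocalAccountTokenFilterPolicy is not 1: Remote UAC filtering is active.'
}

# Create the group and add the user (net.exe is available on Windows 7).
net localgroup $GroupName /add
net localgroup $GroupName $UserName /add

# NTFS: Modify on the folder, inherited by files and subfolders.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
icacls $Path /grant "${GroupName}:(OI)(CI)M"

# Share: grant Change to the new group only. An existing share with the same
# name has to be removed first (net share $ShareName /delete).
net share "$ShareName=$Path" "/GRANT:$GroupName,CHANGE"

# Show the resulting share and its permissions.
net share $ShareName
```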