0

We are currently running a group of machines where (for now) everybody logs in locally, with no network accounts and no Active Directory (as of yet). There are generic usernames and passwords on all the machines.

We have a machine in our server room that we use as a share - how can I password protect a shared folder on this machine so that only 1 or 2 users (out of 30) will be able to access?

Please bear in mind that:

  1. Everybody uses the same user logins for their machine (WorkUser1) - so I cannot simply add the WorkUser1 account as having shared/owner access

  2. The machine was part of a different build process - so doesn't initially have any of the same local admin accounts that everything else has.

I want someone to have a shortcut on their desktop (not RDP) and be able to drop their confidential files into the folder, though naturally I don't want the rest of the company to be able to see the contents of this folder.

It seems I can only choose users from the parent object (the server) to give access to - or 'Everyone' which I have now.

I know, the setup is far from optimal... for now.

Any help appreciated

3 Answers

1

Everybody uses the same user logins for their machine (WorkUser1) - so I cannot simply add the WorkUser1 account as having shared/owner access

This is your problem which you must fix first:

  • If you use a workgroup, you create user accounts with the same username and password combinations as on your local PCs and optionally create groups where those users are members (on the server). Then you can give permissions to the server users/groups, and if a user connects from the network with an existing username/password combination, access is granted. If all your users have the same credentials, you cannot distinguish between them.

  • If you use a domain, the user management is centralized and you don't need to create all those accounts in two places (also password changes are easier), but the rest is the same: If only one user account exists, you cannot decide which user is which.

A non-Windows alternative may be the creation of another service, like an SFTP server for file access, where you can define new usernames that are independent of the Windows accounts. I would only go this route if you cannot change anything on the username/password policy and just need it for dropoff. You could create a directory with subdirectories for each user and then only give those users write permissions for their own subdirectory. Then, collect the dropped files via a recursive find & move.

Edit: This solution would work even with your current Windows network - you would need to create new user accounts on the server and then map a network share to a local drive letter. There is an option "Connect using different credentials" where you can specify the name and password of the new user(s). I believe you could even just use one new user, ShareUser1, and only allow creation of new files and directory listing. Have a look at this thread - while it is about a Solaris server, the second screenshot shows you the permissions that can also be found in the security tab of the properties window on your Windows server or share (the ACL settings are NFSv4 compatible).

user121391
  • As a reply to everyone, we are in the process of implementing Active Directory, but we're doing things from the ground up here, so while it is just around the corner, it won't be done before things like this are needed, unfortunately. – Vincent Black Shadow Apr 21 '16 at 13:46
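
The workgroup approach from the answer above (server-local accounts, permissions for those accounts only, then a mapping with different credentials), as an added example that is not part of the original answer. ShareUser1 is the answer's account name; the group, second user, path, share and server names are placeholders, and the LocalAccounts and SmbShare cmdlets are assumed to be available on the server.

```powershell
# --- On the file server, in an elevated PowerShell session ---
# Placeholder names (not from the thread): ConfidentialUsers, ShareUser2,
# D:\Shares\Confidential, Confidential, SERVER.
$group = 'ConfidentialUsers'
$path  = 'D:\Shares\Confidential'
$share = 'Confidential'

# One local account per person, so access can be told apart and revoked individually.
New-LocalGroup -Name $group -Description 'Allowed to use the confidential share'
foreach ($name in 'ShareUser1', 'ShareUser2') {
    $pw = Read-Host -AsSecureString -Prompt "Password for $name"
    New-LocalUser -Name $name -Password $pw | Out-Null
    Add-LocalGroupMember -Group $group -Member $name
}

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS permissions: remove inherited entries, then allow only
# Administrators, SYSTEM and the new group (Modify, inherited by children).
icacls $path /inheritance:r
icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${group}:(OI)(CI)M"

# Share permissions: name the group explicitly instead of 'Everyone'.
New-SmbShare -Name $share -Path $path -ChangeAccess $group -FullAccess 'Administrators'

# Check the result: 'Everyone' should not appear in either list.
Get-SmbShareAccess -Name $share
icacls $path

# --- On the user's workstation, logged in as the shared local account ---
# Maps the share with the server-side account; '*' prompts for the password
# and /persistent:no keeps the mapping from being restored at the next logon.
net use Z: \\SERVER\Confidential /user:SERVER\ShareUser1 * /persistent:no
```

If the workstation already holds a connection to the same server under another account, `net use` fails with system error 1219 until that connection is removed. Because every workstation session runs as the same local account, avoid saving the share password on the client.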
0

Create a new user on the server and give that user the access, and not 'everybody', then pass around the credentials like currency.

EDIT - actually, just for giggles, go to Start > Run: //serverip/c$

Sum1sAdmin
  • Problem with this is, in order to access the share, the user accessing it would need to be accessing from the same account as the user the share folder belongs to. – Vincent Black Shadow Apr 21 '16 at 13:47
  • Which isn't possible given the current setup. I.e., someone trying to access a folder of the user 'ServerAccount' would be unable to read/write to the folder; as soon as they double-clicked on it they would receive a message saying 'You do not have permission to access this folder'. The only way to change that AFAIK is to edit the sharing permissions, to which I would have to share with 'Everybody', as all our users use the same account (WorkUser1) and WorkUser1 does not exist as an account on the server, and if it did, everyone could access it anyway. – Vincent Black Shadow Apr 21 '16 at 13:56
0

You do this by having Active Directory.

If you've got 30 computers and users, I'd say that's above the threshold where you'd want to, or be able to, manage them independently in any kind of effective way.

Rob-d's solution will work, but only if you don't want any kind of accountability for those confidential files.

GregL