DHSinclair wrote:
> j,
> I've put my comments inline below.......
> At 01:51 12/16/2007 -0800, j maccraw wrote:
>> Non-domain system's volume root shares are generally local "users"
>> list folder/read data + traverse folder/execute file for this
>> folder, sub-folder, and files with most user created subfolders set to
>> inherit those settings.
>
> I do accept that you completely understand this stuff. I admit that I
> do not. I accept that winXP does this business 'more restrictively'
> than win2k does; as I have seen it in action. Is this a good place to
> start?

I am always finding something I did not know, it's an ongoing learning process.
What you need are good books that discuss these topics in context of 2k, XP, and
how XP/2k interact & differ. All of the MS MCSE training books for each
operating system and networking/TCPIP are a good start, so are many of the XP &
2K administration books by authors like Mark Minasi.

> Yes, I did notice that all the "local" users were all (GXP/-somevalue-).
> Never saw 'workgroup' where I work on all my w2k machines. If I log on
> to ALL of my machines as UName2/pw2, then I expect that all of my
> machines accept this "user" as valid. W2k does. XP does not. Very
> strange. That is all. Just very strange. Still. I will get over it,
> eventually........... :)

No they don't, you have simply lucked out by having created same
username/password on all systems in the past. All "workgroup" machines maintain
their own username/passwords no matter if 2k or XP. There is no "workgroup"
common user database, they're all stand-alone systems using the workgroup name
to associate with (see) each other but nothing more.

Main difference vs. 2K is that XP comes with Simple File Sharing "feature" which
forces all access to shares on a machine through the machine's "guest" account,
enabled by default. Once SFS is disabled you can access "machine\share" with any
user account from "machine" with rights mapped to "share" same as 2K.

Just because you have user "bob" on "machine1" and a same name user/pw on
"machine2", both machines in same workgroup, does not mean the user is literally
the same user. If you rename or delete "bob" on either system, then access to
that system by "bob" user will fail because he no longer exists. There is no
"workgroup\username" method of security.

Now in a domain a centralized database of users is created and, rights
permitting, have access to any machine in the domain. So share "machine1\share"
would have "domain\bob" listed for access instead of "machine1\bob", etc...
Rename "bob" to "jim" on the domain controller and the shares would
automatically understand that bob is jim and that any new user named bob is not
the old bob, etc...

>
>
>> Rule of file share rights is most restrictive settings define the
>> effective rights to a share. So a folder set to "full control" for
>> "everyone" shared as "read+execute" for "everyone" will only allow RX.
>> Directory/file security works similarly: Explicit Deny rights trumps
>> implied or explicit Allow rights.
>
> Perhaps I am confused by the "everyone" label. I thought that anybody
> in the "workgroup" might be part of "everyone." Seems not for winXP.
> WinXP seems to focus on itself. And even when it might be part of a
> larger LAN group of "workgroup." Yes, I remain stubborn and confused.

No, the workgroup is not a security entity, there is no "workgroup\username"
account. Everyone on a standalone machine means all users from that machine's
user database which is not shared with workgroup member machines. In a domain
Everyone CAN mean all domain users or it could mean all users of a member
machine depending on how it's declared (i.e. domain\everyone vs machine1\everyone).

>
>
>> Even with inherit, you can add rights for a subfolder by simply adding
>> the user/group & setting their ACL's as long as the parent does not
>> set a Deny, or as you have found you can disable inheritance & define
>> the ACL explicitly per folder.
>
> Well there is the ACL acronym again. Is this like Access Control
> License? Admit, I just do not get it, but it might be why XP does not
> play well with w2k. Perhaps w2k is more liberal. XP is more locked
> down. OK....... :)

Access Control Lists, the list of who & what they can do to a resource. XP is
similar to 2K but if SFS is enabled and/or the xp machine's firewall is set up to
block File & Print Sharing.

>
> I have to live with this situation, or, kill the XP machine and redo it
> as w2k for basic synergy. Do not wish to do this. I do know that I have
> to move to XP sooner or later. Perhaps I need to look at my long range
> LAN plan again........... LOL!
> Ultimately, I do have "it" working, but now when I view my
> NetNeighborhood for GXP, it now shows me "Documents" as another 'share'
> directory. More research needed........ I will get this one day. I know
> I am thick about this. I ask for a bit of patience..............
> Best,
> Duncan

If you create the same name user on all computers with same password, then all
should be well. Just like if you used the same username/pw combo to access a
bunch of websites. BUT change the username and/or password on any machine you
would run into problems coming to\from that machine since either username or
password would not match what other machines expect to hear or to say.

This is why despite all the talk before about not needing domain controllers,
don't do a domain without 2 controllers, etc... I still recommend a domain over
a workgroup, even if it only has one DC, because of the centralized user database.

Whew, ok enough of this for now! ;)
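
The points made in the reply above (each workgroup machine checks names and passwords against its own user database, a rename in a domain keeps the same account, and share and folder rights combine to the most restrictive set) can be modelled in a few lines. This is an added example, not part of the original message; the SID prefixes, class and function names are constructed for illustration, and the model ignores inheritance and group membership.

```python
from itertools import count

R, W, X = 1, 2, 4              # read, write, execute bits
EVERYONE = "S-1-1-0"           # well-known SID for Everyone

class AccountDB:
    """One user database: a standalone machine's own, or a domain's."""
    def __init__(self, authority):
        self.authority = authority          # constructed SID prefix
        self.users = {}                     # name -> (sid, password)
        self._rid = count(1001)

    def create(self, name, password):
        sid = f"{self.authority}-{next(self._rid)}"
        self.users[name] = (sid, password)  # plaintext only to keep the model short
        return sid

    def rename(self, old, new):
        self.users[new] = self.users.pop(old)   # the SID does not change

    def logon(self, name, password):
        """Return the set of SIDs for the session, or None if rejected."""
        sid, stored = self.users.get(name, (None, None))
        if sid is None or stored != password:
            return None
        return {sid, EVERYONE}

def granted(acl, token):
    """acl is a list of (kind, sid, mask); a matching deny removes rights."""
    allow = deny = 0
    for kind, sid, mask in acl:
        if sid in token:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(share_acl, ntfs_acl, token):
    """Access over the network is limited by both the share and the folder."""
    if token is None:
        return 0
    return granted(share_acl, token) & granted(ntfs_acl, token)
```

Because the ACL entries hold SIDs rather than names, "bob" created on two machines yields two unrelated accounts, while a renamed domain account keeps matching the entries written for it.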