DHSinclair wrote:
> j,
> I've put my comments inline below.......
> At 01:51 12/16/2007 -0800, j maccraw wrote:
>> Non-domain system's volume root shares are generally local "users"
>> list folder/read data + traverse folder/execute file for this
>> folder, sub-folder, and files with most user created subfolders set to
>> inherit those settings.
>
> I do accept that you completely understand this stuff. I admit that I
> do not. I accept that winXP does this business 'more restrictively'
> than win2k does; as I have seen it in action. Is this a good place to
> start?

I am always finding something I did not know, it's an ongoing learning process. What you need are good books that discuss these topics in context of 2k, XP, and how XP/2k interact & differ. All of the MS MCSE training books for each operating system and networking/TCPIP are a good start, so are many of the XP & 2K administration books by authors like Mark Minasi.

> Yes, I did notice that all the "local" users were all (GXP/-somevalue-).
> Never saw 'workgroup' where I work on all my w2k machines. If I log on
> to ALL of my machines as UName2/pw2, then I expect that all of my
> machines accept this "user" as valid. W2k does. XP does not. Very
> strange. That is all. Just very strange. Still. I will get over it,
> eventually........... :)

No they don't, you have simply lucked out by having created same username/password on all systems in the past. All "workgroup" machines maintain their own username/passwords no matter if 2k or XP. There is no "workgroup" common user database, they're all stand-alone systems using the workgroup name to associate with (see) each other but nothing more.

Main difference vs. 2K is that XP comes with Simple File Sharing "feature" which forces all access to shares on a machine through the machine's "guest" account, enabled by default. Once SFS is disabled you can access "machine\share" with any user account from "machine" with rights mapped to "share" same as 2K.

Just because you have user "bob" on "machine1" and a same name user/pw on "machine2", both machines in same workgroup, does not mean the user is literally the same user. If you rename or delete "bob" on either system, then access to that system by "bob" user will fail because he no longer exists. There is no "workgroup\username" method of security.

Now in a domain a centralized database of users is created and, rights permitting, have access to any machine in the domain. So share "machine1\share" would have "domain\bob" listed for access instead of "machine1\bob", etc... Rename "bob" to "jim" on the domain controller and the shares would automatically understand that bob is jim and that any new user named bob is not the old bob, etc...

>
>> Rule of file share rights is most restrictive settings define the
>> effective rights to a share. So a folder set to "full control" for
>> "everyone" shared as "read+execute" for "everyone" will only allow RX.
>> Directory/file security works similarly: Explicit Deny rights trumps
>> implied or
>> explicit Allow rights.
>
> Perhaps I am confused by the "everyone" label. I thought that anybody
> in the "workgroup" might be part of "everyone." Seems not for winXP.
> WinXP seems to focus on itself. And even when it might be part of a
> larger LAN group of "workgroup." Yes, I remain stubborn and confused.

No, the workgroup is not a security entity, there is no "workgroup\username" account. Everyone on a standalone machine means all users from that machine's user database which is not shared with workgroup member machines. In a domain Everyone CAN mean all domain users or it could mean all users of a member machine depending on how it's declared (i.e. domain\everyone vs machine1\everyone).

>
>> Even with inherit, you can add rights for a subfolder by simply adding
>> the user/group & setting their ACL's as long as the parent does not
>> set a Deny, or as you have found you can disable inheritance & define
>> the ACL explicitly per folder.
>
> Well there is the ACL acronym again. Is this like Access Control
> License? Admit, I just do not get it, but it might be why XP does not
> play well with w2k. Perhaps w2k is more liberal. XP is more locked
> down. OK....... :)

Access Control Lists, the list of who & what they can do to a resource. XP is similar to 2K but if SFS is enabled and/or the xp machine's firewall is set up to block File & Print Sharing.

>
> I have to live with this situation, or, kill the XP machine and redo it
> as w2k for basic synergy. Do not wish to do this. I do know that I have
> to move to XP sooner or later. Perhaps I need to look at my long range
> LAN plan again........... LOL!
> Ultimately, I do have "it" working, but now when I view my
> NetNeighborhood for GXP, it now shows me "Documents" as another 'share'
> directory. More research needed........ I will get this one day. I know
> I am thick about this. I ask for a bit of patience..............
> Best,
> Duncan

If you create the same name user on all computers with same password, then all should be well. Just like if you used the same username/pw combo to access a bunch of websites. BUT change the username and/or password on any machine you would run into problems coming to\from that machine since either username or password would not match what other machines expect to hear or to say.

This is why despite all the talk before about not needing domain controllers, don't do a domain without 2 controllers, etc... I still recommend a domain over a workgroup, even if it only has one DC, because of the centralized user database.

Whew, ok enough of this for now! ;)
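
Added example, not part of the original message: a small Python model of the behaviour described above, in which each workgroup machine checks only its own user database, Simple File Sharing maps every network caller to Guest, and the rights seen over the network are the intersection of the share permissions and the folder ACL. The machine name W2K1, the share name, the passwords and the ACL contents are constructed sample values; nothing here calls a real Windows API.

```python
# Constructed model of workgroup (non-domain) file-share access.
# Machine names, accounts and ACLs are sample values, not real Windows APIs.
from dataclasses import dataclass, field

READ = frozenset("RX")
FULL = frozenset("RXWDP")

@dataclass
class Machine:
    name: str
    accounts: dict                       # this machine's own user database
    force_guest: bool = False            # True models XP Simple File Sharing
    shares: dict = field(default_factory=dict)  # share -> (share ACL, folder ACL)

    def network_logon(self, username, password):
        """Map a remote caller to a LOCAL account, or None if logon fails."""
        if self.force_guest:             # SFS: every network caller becomes Guest
            return f"{self.name}\\Guest" if "Guest" in self.accounts else None
        # No workgroup-wide database: only this machine's accounts are checked.
        if self.accounts.get(username) == password:
            return f"{self.name}\\{username}"
        return None

    def effective_rights(self, share, username, password):
        """Network rights = share permissions intersected with folder ACL."""
        who = self.network_logon(username, password)
        if who is None:
            return frozenset()
        share_acl, folder_acl = self.shares[share]
        grant = lambda acl: acl.get(who, frozenset()) | acl.get("Everyone", frozenset())
        return grant(share_acl) & grant(folder_acl)

def demo():
    w2k = Machine("W2K1", {"bob": "pw2"},
                  shares={"data": ({"Everyone": READ}, {"Everyone": FULL})})
    gxp = Machine("GXP", {"bob": "pw2", "Guest": ""}, force_guest=True,
                  shares={"data": ({"Everyone": FULL}, {"GXP\\bob": FULL})})
    out = {"w2k": w2k.effective_rights("data", "bob", "pw2"),
           "xp_sfs_on": gxp.effective_rights("data", "bob", "pw2")}
    gxp.force_guest = False
    out["xp_sfs_off"] = gxp.effective_rights("data", "bob", "pw2")
    gxp.accounts["bob"] = "changed"      # password now differs on one machine
    out["xp_pw_changed"] = gxp.effective_rights("data", "bob", "pw2")
    return out

if __name__ == "__main__":
    for case, rights in demo().items():
        print(case, sorted(rights))
```
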