> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 24 June 2008 5:22 AM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> Where I actually disagree with the method here; I don't think a local user
> of one server or computer should be granted rights to a folder on yet
> another computer rather than a domain member, I agree it _should_ function.

No, it shouldn't function. You can't add local users from one machine to 
another machine. The only security principals you can add are the ones that the 
server *hosting* the share knows about: local users on the remote server, or 
domain users.

If there is an "IUSR_PC1" account, it must have been created as a local account 
on Server1, and the passwords synched between the two local accounts.

That is one way of getting a web server's default anonymous user account to be 
able to write to a remote file share (the other is using a domain account).

> I'm told it has functioned until Friday afternoon

I think your co-worker is confused.

Cheers
Ken




> I'm told it has functioned until Friday afternoon.  The last time I approved
> and applied any MS updates was last Monday.  We run a fairly clean
> environment as it's only 20 servers and 400 or so desktops, so it's fairly
> easy to manage IF they are all relatively similar to each other so we try to
> keep them that way.
>
> Pc1 is a web server with NO file/Print ports open, server1 is a file share
> with NO web ports open.  Neither is a domain controller.  There are no ports
> blocked between the two computers and the domain controllers though, the
> servers are all on the same switch.
>
> Thanks for taking an interest!  This one has me going mad.  "mad I tell ya!"
>
>
> -----Original Message-----
> From: Erik Goldoff [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 2:48 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> Strange... What level AD are you running (2000, 2003?), and what OS for the
> PC1 desktop (2000, XP, Vista)? You got me curious now, gotta try this in a
> lab or VM environment to see
>
> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 2:34 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> I don't see where anything has changed on pc1, and I've tried this with
> several computers and I'm not seeing any difference.  Maybe a needed service
> on pc1 or server1 has been disabled or corrupted?
>
>
> -----Original Message-----
> From: Erik Goldoff [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 1:47 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> Well, if the PC1 is a member of the domain computers and you're a domain
> administrator then you *should* be able to enumerate the local PC users &
> Groups.  Can you login locally to PC1 to check users and groups to see if
> anything has been changed or deleted?
>
> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 1:20 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> If I follow you, you're saying create a group at the domain level and add a
> user from a workstation into the domain group?
>
> I already have a group that has access for other reasons, when I attempt to
> add \\pc1\user I get name is not valid.  I could add the computer object,
> \\pc1, but the application is not using the system account.  I don't know
> how to add a local machine user to a domain group.
>
>
> -----Original Message-----
> From: Erik Goldoff [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 1:03 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> Hmmmm, could you not just make a group that has the required rights to the
> share, and then explicitly add the local user from PC1 to the group?
>
> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 12:58 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> I have been able to duplicate the 'problem' so here is a more detailed
> "user" issue:
>
> I am also a member of Domain Admins and Enterprise Admins in our forest.  We
> have a simple forest with only one domain.  When I log into \\pc1 with full
> rights, I map a drive to \\SERVER1\Share and right click "folder1" to gain
> properties I can click ADD to add a user or group to the security rights
> list, and then click on LOCATIONS to pick users from a specific location.
> In the results I see the server hosting the share, SERVER1, and the AD
> structure.  NOT the local \\pc1 as a choice.
>
> I am told that I should see the local computer as a choice and be able to
> select users that are local to the local computer.  Is that correct?
>
> The account in question is the IUSR_pc1, which is a web user that needs to
> write code to the file share.
>
>
>
> -----Original Message-----
> From: Erik Goldoff [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 12:45 PM
> To: NT System Admin Issues
> Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> Are you *sure* the user is part of the local PC1 security and NOT part of
> the Domain logging in from PC1?
>
> -----Original Message-----
> From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2008 12:37 PM
> To: NT System Admin Issues
> Subject: Can \\pc1\user has rights to \\pc2\share\folder1?
>
> If I am on a computer, call it "\\pc1" and map a drive to \\SERVER1\share
> could I then right click a sub folder to the mapped drive, call it
> \\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
> user or group and then click LOCATIONS to add local users from \\pc1, the
> computer I am locally logged into?  Both SERVER1 and pc1 are in the same
> windows domain.
>
> I have a coworker that tells me he has had this setup for years and Friday
> it suddenly stopped working, and now pc1 is no longer an option when
> clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
> \\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
> SERVER1 going to know anything about a local user on a remote machine?
>
> Is this 'broken'?
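
The check below is an added example, not part of the original thread. Run on the server hosting the share, it classifies every ACE on the folder by where its principal lives (local to that host, domain, built-in, or unresolvable) and reports whether a mirrored local account exists there. The local path D:\share\folder1 and the parameter names are assumptions; IUSR_PC1 is the account name from the thread.

```powershell
# Added example: run on the server that hosts the share (SERVER1 in the thread).
param(
    [string]$Path       = 'D:\share\folder1',  # assumed local path behind \\SERVER1\share\folder1
    [string]$MirrorName = 'IUSR_PC1'           # local account expected to mirror the web server's
)

$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

# Every local account SID is <machine SID>-<RID>, so any local account yields the machine SID.
$localUsers = @(Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True')
$machineSid = (New-Object System.Security.Principal.SecurityIdentifier($localUsers[0].SID)).AccountDomainSid

# Read the ACEs as raw SIDs so that unresolvable entries are not hidden.
$acl = Get-Acl -LiteralPath $Path
$report = foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
    $sid = $ace.IdentityReference
    try   { $name = $sid.Translate($NtType).Value }
    catch { $name = $null }   # this host cannot map the SID to any account it knows

    if     (-not $name)                                       { $scope = 'UNRESOLVED on this host' }
    elseif ($null -eq $sid.AccountDomainSid)                  { $scope = 'Built-in / well-known' }
    elseif ($sid.AccountDomainSid.Value -eq $machineSid.Value) { $scope = "Local to $env:COMPUTERNAME" }
    else                                                      { $scope = 'Domain (or trusted domain)' }

    [pscustomobject]@{
        Principal = $name
        Sid       = $sid.Value
        Scope     = $scope
        Rights    = $ace.FileSystemRights
        Access    = $ace.AccessControlType
        Inherited = $ace.IsInherited
    }
}
$report | Sort-Object Scope, Principal | Format-Table -AutoSize

# The folder can only honour a mirrored account that exists in this host's own SAM.
$mirror = $localUsers | Where-Object { $_.Name -eq $MirrorName }
if (-not $mirror) {
    "No local account named $MirrorName exists on $env:COMPUTERNAME."
} elseif ($report | Where-Object { $_.Sid -eq $mirror.SID }) {
    "$env:COMPUTERNAME\$MirrorName exists and has an ACE on $Path."
} else {
    "$env:COMPUTERNAME\$MirrorName exists but has no ACE on $Path."
}
```

An account in the "Local to" scope with the same name as the web server's anonymous user is the mirrored-password arrangement described in the reply; it is worth tracking because its password has to be kept in step on both machines by hand.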

