Re: Manage 30 XP, 2000, 98 without Domain Controller

Comments inline.


"CCC" <hkcat0@xxxxxxxxx> wrote in message
news:1144121007.483747.123410@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you so much Steve

Your explaination and the links provide information on why my last
attempt to setup a XP File server cause so many access problems. For
example mentioned by
http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm

Unable to Browse the Network
On a Windows 95/98/Me machine, the most common cause of this is that
the user isn't logged on. (This mean I still need to create the same
account on 98 machines)

User is prompted for IPC$ Password
Your current user name doesn't exist on the XP machine.? To fix this,
either enable the Guest account, or log in with a user name which has a
valid account on the XP machine. (This also mean I still need to create
the same account on 98 machines)

I think the solution is
1)create 40 accounts on the XP File Server and 98 machine. Create 40
folders on the File Server, setup NTFS permission on each folder.
2)Give new user ID and password to 40 teachers.
3)Log in with the ID and PW when using 98 machine
4)Log in as usual when using 2000, XP machine

I am not sure what you mean logon as usual but it usually makes sense to
have each user who uses a computer to have their own user account to logon
to with credentials that match their user accounts on the computer with the
shares though they could logon with a common acount and then provide
credentials
to access a folder that needs such.

5)Teach them how to open and save files to their own folder on the File
Server. If prompt for a password, use the new ID and PW given.

My new questions are
1) How to prevent them from share out local folders, is a restricted
user account a solution? how about on 98 machine?

Windows 98 is not a secure operating system and you can not restrict who
creates shares. For XP only
power users [in XP Pro/Windows 2000 only] or administrators can create
shares - not regular users.

2) I would like to map all 40 folders to each machine in order to make
the change easier to comply. How to map 40 network folders to each
machine, there are only 26 drive letters and some of them have been
used. I think I can nest 40 folders under TeachFolder and map only the
TeachFolder to Drive X:. Any disadvantage? I heard that it slow down a
lot software, especially Ms Office when open and save file.

It would be best to have one share with user folders in the share. Make sure
that the mapped drive does NOT connect at logon
as the XP computer can only take 10 connections at a time. Maybe you want to
divide the load between two or so XP Pro computers.
Train users to only use the mapped network drive when needed and disconnect
when done or others can be denied access.

3) All machine is under the same workgroup "abcschool" now. By
assigning diferent workgroup the machine will not be able to
communicate right? So is it possible to make the workgroup change
according to who is logged in, eg when a student login, the workgroup
of the machine automatically became "abcschool_student" so that he will
not be able to see the File Server. When later a teacher login on the
same machine, the workgroup change to "abcschool_teacher" and he is
able to access the File Server. Is this possible?


That is not possible. The computer belongs to the workgroup - not users.
Also workgroups are NOT security boundaries as
they are strictly for conveinece for browsing network resources. Rely on
share and NTFS permissions to manage who can access a share along with the
user right for access this computer from the network [Windows 2000 and XP
Pro]. For instance if you have a share just for teachers then create a group
on the computer with the share that contains only the teacher accounts. Then
give only that group access to the share [and administrators if
appropriate]. I would also
make sure that auditing for logon events is enabled on the XP Pro computer
that will contain shares in Local Security Policy. Then you can
view the security log for logon failures to see if unathorized users are
trying to access the computer and the computer they are trying such
rom. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
-- applying principle of least privilige to users in Wndows XP


.

Relevant Pages

  • Re: Manage 30 XP, 2000, 98 without Domain Controller
    ... account on 98 machines) ... folders on the File Server, setup NTFS permission on each folder. ... How to prevent them from share out local folders, ... All machine is under the same workgroup "abcschool" now. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Networking shares problem!!
    ... I will create the "laptop account" on the file server. ... Most of the PC's are set to workgroup MSHOME, and one PC which acts as ... caused by 1) a misconfigured firewall; ...
    (microsoft.public.windowsxp.general)
  • Re: How can I securing/share folders selectively
    ... The only way to do this is to use either the win2K or the winXPpro ... Then setup matching accounts on the file server for the other two ... account "foo" for the foo account on win2K and set up "bar" for the bar ... Now create shared folders and grant permissions to specific accounts ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Moving local user profile over to domain profile -- moveusers.exe?
    ... with new companies coming from a workgroup and going to a domain is ... tool that will take a workgroup local user account plus settings and ... Windows XP and going to a domain profile locally via AD on an Windows ... and I don't use the profile folders to store any data. ...
    (microsoft.public.windows.server.active_directory)
  • Re: PC folder has stopped sharing over network!
    ... So following Jim's principle I've just tried creating a new user account on the PC - "Kids2", and enabled sharing on its component folders. ... There is a security tab that lists the access permissions and you can add to these to "open" the account in any way you wish. ... I've just been in to the security tab, and the access permissions for both kids and administrator are set to "Full Control". ... I browsed around all the tabs, and can't see any differences at all between the settings for kids and administrator. ...
    (uk.comp.misc)