Re: Limited Access



For users that you want to logon to a computer via Remote Desktop you need
to add that user account or group that the account is a member of to the
Remote Desktop Users group. You can do that using lusrmgr.msc - groups or by
going to Control Panel/system/remote - select remote users. That should
allow the user to logon via Remote Desktop. You also should check Local
Security Policy to make sure that Remote Desktop Users is included in the
user right for allow logon through terminal services.

Again you can not change the location on permissions in a non domain
computer as you can only select users/groups from the local computer. Then
when you logon to another computer of yours as a user in the local users on
the computer with the share and are using the same password you should get
seamless access to the share. For example computer A with the share has a
local user named Bob with the password xxg5. Share named public on computer
A has permissions for user Bob and the folder that is shared has NTFS
permissions for user Bob. You need to configure two types of permissions for
a share for network users - share permissions and the folder NTFS
permissions and simple file sharing needs to be disabled on the computer
with the share named public. Then when you logon to computer B as user Bob
with password xxg5 you should get access to share named public with no
prompt for credentials.

You can create as many user accounts on computer A as needed and no matter
what other computer you logon to in your network as long as you logon as an
account that also exists on computer A with the same password as the user
account on computer A you should get seamless access to shares that you have
both share and folder/NTFS permissions to assuming you have file and print
sharing to the computer not impeded by a firewall and the user account also
has the user right for access this computer from the network and does not
explicitly or by group membership have the user right for deny access to
this computer from the network. What may trip you up on trying to access
shares is if any "stored" credentials are used on the client computer you
logon to. You can check that for the logged on user account by using Control
Panel/user accounts and then selecting your user account and select manage
my network passwords. The link below explains more on share and NTFS
permissions. --- Steve

http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
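
The checks listed in the reply above, modeled as an added example that is not part of the original post. The `ShareHost` class and `diagnose` function are hypothetical names (not a Windows API), and the sample host is constructed from the Bob/xxg5 illustration.

```python
from dataclasses import dataclass

@dataclass
class ShareHost:
    """Constructed model of 'computer A'; sets hold user names after group expansion."""
    accounts: dict             # local user name -> password
    allow_network: set         # right: access this computer from the network
    deny_network: set          # right: deny access to this computer from the network
    share_perms: dict          # user -> actions granted by the share permissions
    ntfs_perms: dict           # user -> actions granted by the folder's NTFS permissions
    simple_file_sharing: bool = False

def diagnose(host, user, password, stored=None):
    """Return (effective actions, reasons access fails or prompts) for a client logon."""
    if stored is not None:     # stored credentials on the client replace the logon ones
        user, password = stored
    problems = []
    if host.simple_file_sharing:
        problems.append("simple file sharing is enabled on the share host")
    if user not in host.accounts:
        problems.append(f"no local account '{user}' on the share host")
    elif not password:
        problems.append("blank password: network logon refused by default")
    elif host.accounts[user] != password:
        problems.append(f"password for '{user}' differs from the share host's copy")
    if user in host.deny_network:
        problems.append(f"'{user}' has deny access to this computer from the network")
    elif user not in host.allow_network:
        problems.append(f"'{user}' lacks access this computer from the network")
    # Both layers must grant an action: effective access is the intersection.
    effective = host.share_perms.get(user, set()) & host.ntfs_perms.get(user, set())
    if not effective:
        problems.append(f"'{user}' is missing share or NTFS permissions")
    return (set() if problems else effective), problems

# Constructed sample: the share grants Bob read and write, but NTFS grants read only.
HOST_A = ShareHost(
    accounts={"Bob": "xxg5"}, allow_network={"Bob"}, deny_network=set(),
    share_perms={"Bob": {"read", "write"}}, ntfs_perms={"Bob": {"read"}},
)

if __name__ == "__main__":
    print(diagnose(HOST_A, "Bob", "xxg5"))                         # matching account
    print(diagnose(HOST_A, "Bob", "xxg5", stored=("Bob", "old")))  # stale stored credential
    print(diagnose(HOST_A, "Mike", "xxg5"))                        # account not on host A
```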


"mchjr01" <mchjr01@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF1A17BF-8243-4202-B25E-F9FBB863215E@xxxxxxxxxxxxxxxx
Steve,

Thanks again for your quick reply. Let me give you my actual scenario:

Within my LAN:

I have a desktop that I use as my fax server, running Win XP-Pro SP2. I
also have 2 - laptops, one I am using as a desktop hard wired to my router
and the other one is my portable that I use when I travel. Again both
laptops are running Win XP Pro SP2. On my desktop and wired laptop the hard
drives are partitioned with my data separated from the C drives. Moreover,
on my wired laptop, I attached a 300GB hard drive through a firewire for my
data storage. None of my C - drives on these workstations are shared but
all the other drives are shared. I changed the permissions on these shared
drives showing me as the only one who can access the folders through remote
desktop. My ISP is DSL with static IP.

After changing the permissions, I am being prompted for a userid and a
password to access the hard drive on the wired laptop from my portable
laptop. What I would like to accomplish is being able to add my userid from
my portable laptop to access my data drives on my desktop and wired laptop
without being prompted for a password. That is the reason why I want to
know on how to change the Location on the permissions. Examples: On my
desktop, I would like to add my userid from my portable laptop to read as
vaio\userid. From my wired laptop, I would like to add my userid on my
desktop to read dell\userid.

Outside of my LAN:

I opened Port 3389 on my router for remote desktop connection. From
anywhere I just type my IP address of which is forwarded to my desktop's IP
(which I made it static as well) to login and access my files on my desktop
(like retrieving my faxes). Moreover, from my desktop remotely connected, I
can access the external hard drive connected to my wired laptop. By the way
access to my desktop and wired laptop are all accessible through a userid
and a password.

With the above scenario, on my desktop, I would like to have my children
and friends to be able to login to my desktop with limited access to only
the shared directory on my desktop. As I mentioned earlier, I created a
userid with a password on my desktop, as limited user, for them to be able
to login remotely and that is when I was getting the error message. To
remote connect from the login screen they will type the IP address of my
ISP then the desktop login screen comes up and that is where they are
supposed to type in the id I created.

Again, you have been very helpful and I hope you'll never get tired of my
dumbness on this. Your help is very much appreciated.

Mike

"Steven L Umbach" wrote:

First off I will make the assumption that by remote connect you mean access
to a network share through My Network Places and not Remote Desktop. If
that is not the case then make sure you let me know exactly what you are
attempting to do.

You want to use the computer's name that you are logged onto with the share
to add a user account to the permissions list. The computer name will be
the only location unless the computer is a member of an Active Directory
domain which is not your case. You simply want to add the user name that
has the same name as used by users logging onto your other computers. For
instance if user Bob wants to access your share you will need to create a
user Bob on your computer with the share and give it the same password as
user Bob uses to logon to his computer and a password must be used as by
default XP Pro will not allow user account with blank passwords to access
the computer over the network. You can go to Control Panel - users or enter
lusrmgr.msc in the run box to manage user accounts.

"The local policy of this system does not permit to login interactively"
means that the user does not have the user right for logon locally on the
computer. You can manage user rights in Local Security Policy under local
policies/user rights. Enter secpol.msc in the run box to easily open Local
Security Policy. The user must either explicitly or by group membership
have the user right for logon locally and NOT either explicitly or by group
membership have the user right for deny logon locally. Generally I have
authenticated users and administrators listed for the user right for logon
locally and only have the support_... account listed in deny logon
locally. --- Steve





"mchjr01" <mchjr01@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DF489691-D18D-4FBF-8787-3E178D0A133B@xxxxxxxxxxxxxxxx
Steve,

Thanks for your help and I followed the link you gave me and was able to
restrict the shared drives and folders. However, I have another question,
if I may:

First off is when I remote connect to my desktop from my laptop within my
LAN, I cannot access the shared drive and folders, for my remote id coming
from my laptop is not recognized. When I try to add it to the list I cannot
change the location name to my laptop and the only name on the list is my
desktop. I cannot add any id's from my two laptops to my desktop because I
cannot change the location.

Secondly, when I use the limited user id I created on my desktop for remote
users to connect to my desktop, it does not work and a message saying "The
local policy of this system does not permit to login interactively". I
tried to navigate through the Administrative Tools from the Control Panel
but I cannot find the place to edit or to alter the permission to allow the
limited user id - enable to remotely login. Would you be kind enough to
help me again and direct me where to go.

Again, thanks for your help.

Mike

"Steven L Umbach" wrote:

First you need to disable simple file sharing on your XP Pro computer with
the share by going to Windows Explorer/tools/folder options - view and
uncheck the last option for use simple file sharing. That will make sure
that users need to authenticate to your computer. Then create a user
account [Control Panel/user accounts] on that computer that is NOT a local
administrator or power user and make sure that only the shares that you
want that user account to access includes that user account and that other
shares do not include users or everyone. Then you can also access the
security tab in the properties of any folder such as the one you share and
grant the user the needed access to that folder. For instance you might
want to give the user read/list/execute permissions if you want them to see
and copy files from that folder only. If you want them to be able to write
to it also grant them write permissions. Modify permission allows the user
to also delete files in the folder so be careful with that. The link below
explains more on setting folder permissions. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418

"mchjr01" <mchjr01@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D651E69-FFC0-4FCB-93B4-09919851D8FC@xxxxxxxxxxxxxxxx
I have a Home Network with 2 - laptops and 1 - desktop all running Win
XP-Pro SP2. My ISP is DSL with static IP. I have file and printer sharing
enabled and be able to connect among my laptops and desktop within my LAN.
I have my static IP port forwarded to my desktop for remote connection.

I am using my desktop as a fax server and a partition as shared drive for
my children for them to download pictures and whatnot. My question and
please help me is how do I create a user id and password with limited
access only to my desktop without the capability of accessing the other
drives in my network. My current id, for remote connect on my desktop, has
the capability of accessing the other workstations within my network. My
ultimate wish is only for anybody - just to have access into my shared
drive in my desktop.

Your help on this will be very much appreciated.

Thanks,

Mike










