Network shared files and access permissions - WTF Windows?

First a bit of background:

In order to share files with my housemates at uni, I've set up a second user account (called NetworkUser) on my PC (Win7), and set security permissions so it can only access one drive on my computer.

Access to C drive is also permitted so everything works, but with my account in the users folder being blocked. D:/, with my personal stuff, is not viewable by NetworkUser, while E:/ is accessible.

With two accounts on my PC (Admin/me, and NetworkUser, both passworded appropriately), the idea is that I can give the NetworkUser account name and password to my flatmates who can then access over the network my shared files. I've gone about it this way so that other people in the building can't access these files, and so that my flatmates can contribute through read and write permissions, where applicable.

If I log into NetworkUser on my PC, D:/ is not accessible, and C:/Users/Kev is also not accessible, while E:/ is accessible. Which is exactly what I wanted. Permissions and security settings worked fine, it seems.

I've just set up the network drive on my flatmate's PC. Read/write permissions are fine, and the only thing viewable through Run>"\\nameofmyPC\", and logging in using NetworkUser, is the E:/ drive, which is good.

However, and this is where the issue is, typing "\\nameofmyPC\D$" into run and hitting enter takes you straight to the root of D:/, which NetworkUser does not have privileges to read/write/access in any way.
The same applies to "\\nameofmyPC\C$" and navigating to "C:/Users/Kev" - it lets you straight in.

Granted, I don't think anyone in my flat is technically minded enough to even figure out how to use run to access my files, and those outside of the flat don't stand a chance without the password for NetworkUser, but it still makes me uncomfortable.

So my questions:
1) Why are the permissions working when logging in using NetworkUser on my PC, but not when connecting to my PC from another PC, using the very same account?

2) How can I properly secure C:/Users/Kev and D:/ so that NetworkUser, when used to connect from another PC on the local network, can't view/access/change the contents of those two locations?

So far, Google's not throwing up anything useful - just stuff I've already done that has worked locally, but not from another PC. Maybe my google-fu is weak :(

If anyone has any insights into this, I'd really appreciate hearing! Many thanks!

Kev
 
On your machine, log on as networkuser and do start --> run --> \\%computername%\d$

Does it let you in??

If not, now go to your friend's machine (reboot if you can just to make sure there's no cached passwords for the network share), log on and map drive using network user/pass combo and try start --> run --> \\your-pc\d$

What happens??

My guess is there's an admin or everyone setting which may be giving networkuser inherited permission or something not quite 'in your face' obviously...

ps: I hate permissions, makes working in an AD environment much more fun compared to at home lol

Failing all else, you can always go into computer management --> shared folders --> shares --> right click on the C$ and D$ etc, then stop sharing (know this is ok for Win7, not 100% on XP / others)
 
Depends on what the OP wants the share for... as far as I know if you set up an FTP it would stop things like media playback over the network unless there's a way to do it via FTP that I've never come across.
 
> On your machine, log on as networkuser and do start --> run --> \\%computername%\d$
>
> Does it let you in??

Nope, says it's blocked.

> If not, now go to your friend's machine (reboot if you can just to make sure there's no cached passwords for the network share), log on and map drive using network user/pass combo and try start --> run --> \\your-pc\d$
>
> What happens??

Lets you in!

> My guess is there's an admin or everyone setting which may be giving networkuser inherited permission or something not quite 'in your face' obviously...
>
> ps: I hate permissions, makes working in an AD environment much more fun compared to at home lol
>
> Failing all else, you can always go into computer management --> shared folders --> shares --> right click on the C$ and D$ etc, then stop sharing (know this is ok for Win7, not 100% on XP / others)

This seems to do the trick, but I'll have to do this every time I turn my PC on by the look of it; the message when I do this says it's only temporary. Any way I can make it permanent?

> Is the NetworkUser account a 'user' or 'administrator' type account?

Standard User

> Depends on what the OP wants the share for... as far as I know if you set up an FTP it would stop things like media playback over the network unless there's a way to do it via FTP that I've never come across.

For media streaming, amongst other things, so yes.


Cheers for all your help everyone!
 
Make sure the 'network type' on both is Private/Home and not public

Public causes weird issues for file sharing
 
I imagine NetworkUser is inheriting permissions from the root drive, specifically or via a group.

Remove all NetworkUser group memberships, remove inheritance on the folder you want to share and define this user's permissions here. C/D/admin$ shares are administrative shares; a standard user should have no access to these. Are you sure it's not part of the local admin group?

Failing that add NetworkUser specifically to the root of your drives and Deny Full Access > propagate it downwards (Overwrites ANY allow from ANY source). Remove the shared folder's inheritance and add an allow here.
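
An added example, not part of any post in this thread: a PowerShell audit of what the replies above ask about (which administrative shares exist, whether the account is in the local Administrators group, and which NTFS entries sit on the drive root). `NetworkUser` and `D:\` are taken from the original post; the `AutoShareWks` registry value is not mentioned in the thread and is the Windows setting that controls whether the administrative shares are recreated at startup.

```powershell
# Added example: audit of the settings discussed in this thread (PowerShell 2.0+).
# 'NetworkUser' and the D:\ root come from the thread; adjust for your machine.
$Account = 'NetworkUser'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Administrative disk shares (C$, D$, ADMIN$) have Win32_Share.Type 2147483648.
function Get-AdminDiskShare {
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path
}

# Names of the local Administrators group members (the group the replies ask about).
function Get-LocalAdminMember {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Every NTFS entry on a path, marking the ones that name the account directly.
# Entries for groups such as Users or Everyone also apply to it.
function Get-PathAce {
    param([string]$Path, [string]$Name)
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference,
        AccessControlType, FileSystemRights, IsInherited,
        @{ Name = 'NamesAccount'; Expression = { $_.IdentityReference.Value -like "*\$Name" } }
}

# AutoShareWks: 0 means Windows does not recreate C$/D$ when the Server service
# starts; no value (null) or 1 means it does.
function Get-AutoShareWks {
    (Get-ItemProperty -Path $LanmanKey).AutoShareWks
}

# Not called below: writes AutoShareWks = 0 (needs an elevated prompt, then a reboot).
function Disable-AutoAdminShare {
    New-ItemProperty -Path $LanmanKey -Name AutoShareWks -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-AdminDiskShare | Format-Table -AutoSize
"$Account in Administrators: " + ((Get-LocalAdminMember) -contains $Account)
Get-PathAce -Path 'D:\' -Name $Account | Format-Table -AutoSize
"AutoShareWks = " + (Get-AutoShareWks)
```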
 
> I imagine NetworkUser is inheriting permissions from the root drive, specifically or via a group.
>
> Remove all NetworkUser group memberships, remove inheritance on the folder you want to share and define this user's permissions here. C/D/admin$ shares are administrative shares; a standard user should have no access to these. Are you sure it's not part of the local admin group?
>
> Failing that add NetworkUser specifically to the root of your drives and Deny Full Access > propagate it downwards (Overwrites ANY allow from ANY source). Remove the shared folder's inheritance and add an allow here.

This sounds like it will work. But frankly, well... if you'd be so kind as to point me in the right direction of how to do this? :p
 
Ah right.

Well erm, the stuff in the blue bounded boxes is what I did in the first place that hasn't worked :p

Blocks it locally, but not to an outside PC.
 
Sounds like the HomeGroup is doing something whack then and 'proxying' the access via a service account for HomeGroup itself.

I would go into your advanced HomeGroup settings and fiddle. I do not use it so am not that savvy with it but I would start here and try different combos:

[image: homegroup_options.jpg]


You could also try disabling HomeGroup altogether (Services the lot) and using sharing as with Windows XP.
 