Depending upon your specific needs, you can get Windows XP in any one of five editions. Of those five, the choice of the two best known ones - XP Home and XP Pro - will differently affect your ability to share files. Both the Home and Pro editions have their advantages and disadvantages. There are also 5 well known editions of Windows Vista, though the distinctions between the Home and Business (not Professional) edition groups will be less relevant to Windows Networking issues.
This article will focus on how Windows XP and Vista are similar, with specific differences noted. In Windows XP And Vista On The LAN Together, I focus on differences in Windows Vista.
Please spend a few minutes deciding how you wish to use your computer, and whether you wish others to use your computer. If your computer is running Windows XP, make sure that you know which edition of Windows XP it is.
Windows XP Home has few options, and is easier for the typical home user to setup. Windows XP Pro / Vista (in its various editions) is more versatile, and can be used in different ways, depending upon what other computers are on the LAN, and how secure you want your shared data to be.
Simple File SharingIf your computer runs XP Home, then it has Simple File Sharing already. SFS, which only uses
Guest authentication, cannot be disabled under XP Home, without
some work.
If your computer runs XP Pro, or XP Media Center Edition, it may have SFS. If you want to enable Simple File Sharing on a computer running XP Pro or MCE, from Windows Explorer:
- Select Tools - Folder Options.
- On the Views tab, scroll to the end of the long Advanced settings list.
- Check "Use simple file sharing".
To use Simple File Sharing on any XP
server, Home or Pro, make sure that the Guest account is
properly activated, and the password is
consistently set (blank or non-blank), on both the client and the server.
On a computer running Windows Vista, you
disable Password Protected Sharing, giving the equivalent of Simple File Sharing.
Please note the limitations of
Guest authentication, when working with Simple File Sharing / PPS Disabled.
>> TopAdvanced aka Classic File SharingAdvanced aka Classic File Sharing is available, as an alternative to Simple File Sharing, on XP Pro or MCE. To use AFS to it's full advantage, you need to have formatted the drives, on
the server, with NTFS. You then need to disable Simple File Sharing. From
Windows Explorer:
- Select Tools - Folder Options.
- On the Views tab, scroll to the end of the long Advanced settings list.
- Uncheck "Use simple file sharing".
On a computer running Windows Vista, you
enable Password Protected Sharing, giving the equivalent of Advanced File Sharing. Unlike Windows XP, the option to enable PPS is
available in all editions of Windows Vista.
Next, identify a folder that you want to share on the network, but share selectively.
- Setup and use an account (with matching password) on both the client and the server.
- Make sure that the account is properly activated on the server.
- In Windows Explorer, right click on the folder in question, and select Properties.
- On the Sharing tab, select "Share this folder" and give the share a name.
- Hit Permissions, and make sure Everyone has full rights.
- On the Security tab, find and select your account in the "Group or user names" list. If your account isn't in the list, Add it.
- In the Permissions list, make sure your account has the appropriate permissions. And make sure that no other accounts have inappropriate permissions.
Note that, if you want some openly available shares also, this can be done quite easily.
- On the Sharing tab, select "Share this folder" and give the public share a name.
- Hit Permissions, and make sure Everyone has full rights.
- On the Security tab, find and select the group "All Users", "Everyone", or "Users", in the "Group or user names" list.
- In the Permissions list, make sure the group selected has the appropriate permissions.
- Setup Guest, (with matching or no password) on both the client and the server.
- Make sure that Guest is properly activated on the server.
Please note the limitations of
Guest authentication, when setting up any share for non-selective access. And if you have a LAN with both XP Home and XP Pro systems, be careful when enabling Advanced File Sharing on an XP Pro system. Unbalanced authentication can have complex results.
>> TopGet The Terminology Right HereWhen you look at the Welcome screen, and you have multiple users setup on your computer, you'll see a list (or group) of users, identified by User Name. When you change a password, or the picture associated with that user, you'll use the User Accounts wizard in Control Panel. Here too, you'll see a list of users, identified by User Name.
If you rename a user, or if you use any advanced procedures or wizards, there is another very relevant term - account. When you setup a user, using the User Accounts wizard in Control Panel, Account = User Name. For each account / user, a set of subfolders, under "C:\Documents and Settings" is created. This is the user profile.
- You can change a User Name at any time, but the account, and the user profile, stays the same.
- You can make much more versatile changes using the Control Panel - Administrative Tools - Computer Management - Local Users and Groups - Users wizard. Here you can change the account name, and profile path.
- If you disable the Welcome screen, you login using the account name and password.
So, if you ever rename a User, and see elements of the previous name, you now know why.
>> TopActivate An Account Properly For Network AccessWhether you're depending upon
the Guest account, or
a non-Guest account, for authentication, the account that you use has to be properly activated. You use the
Control Panel - User Accounts applet, to activate (or deactivate) an account for
local use.
There are two possible ways to activate (or deactivate) an account for
network access:
- Run the "net user" command. Enter, in a command window (which will be slightly different, for Windows Vista):
net user AccountName /active:yes
- (Substitute actual account name for "AccountName").
- (Substitute "no" to deactivate).
NOTE:There are 4 "words" (sequences of non-blank characters, separated by spaces) in the command. If you have any doubt about where a space is needed, copy and paste as above (substituting the account name, and "no" or "yes", as appropriate).
- Alternatively, for Vista Business or Ultimate, or XP Pro, run (Control Panel - Administrative Tools - ) Computer Management. Under System Tools - Local Users and Groups - Users, find the account (Guest or non-Guest) in question. Doubleclick (or rightclick, and select Properties), and clear (or check) "Account is disabled".
Finally, for XP Home, for XP Pro using Simple File Sharing, or for Vista with PPS Disabled, make sure that Guest, in addition to being activated,
has the appropriate rights.
>> TopSynchronise Passwords On AccountsAlways synchronise passwords (for the Guest or non-Guest account) on all computers - make them identical (or blank) on each. For best results, make your password policy consistent throughout your network.
To set the password, you need to run the UserPassword applet.
- Enter, in a command window, "control userpasswords2" (less the "").
- Select the account of interest in the User Accounts list.
- Hit the Reset Password button.
- Type either a blank, or non blank password, identically, into both "New password" and "Confirm new password" fields.
- Hit OK twice.
Synchronising passwords can be tricky in a mixed LAN (home and business/pro operating system editions together). With home editions (Vista or XP Home), the default is to have no password on the Guest account (it is, after all, anonymous). With business / professional editions (Vista Business / Enterprise / Ultimate, XP Pro), you have to Disable the
Local Security Policy setting, under Security Options, "Accounts: Limit local account use of blank passwords to console logon only", if your
server is going to allow network access using accounts with blank passwords.
>> TopMaking File Sharing WorkOnce you get past the issues involved in accessing the server, such as browsing and name resolution, there are the issues of accessing the data itself - authentication ("Who are you?"), and authorisation ("Do we want you to have access here?").
What authentication method are you using?
The message
Logon failure: the user has net been granted the requested logon type at this computer.
is easy to resolve under XP / Vista Pro, but
may require extra effort under a home edition. Remember, the edition of the operating system on the server is what's relevant here.
With XP / Vista Pro, there are a pair of
Local Security Policy lists, under User Rights Assignment.
- "Deny access to this computer from the network".
- "Access this computer from the network".
Authentication varies depending whether this is a domain or a workgroup.
- In a domain, you need an activated account on the domain controller.
- In a workgroup, you need identical, activated accounts, with identical passwords, on both the client and the server.
Authorisation is described in
Server Access Authorisation.
If the files and folders in question have been properly setup and shared as above, and you're getting only partial access (maybe Read, although you intend to grant Write access), check both the Share and NTFS Authorisation lists.
Remember that if you grant access, to the share in question, to "Everyone", that refers to Everyone who is properly authenticated. Either a properly setup Guest account (on the server), or non-Guest account (for a workgroup, on both the client and server, with matching passwords), is still required.
Note: Vista uses deny by default, so if you want "Everyone" (Guest) to have access, you have to explicitly add permission - new shares don't give Full permission automatically (though in some cases, "Everyone" may have read access by default). Always check Security and Sharing, when there is a question.
With XP / Vista Home, you don't have the Local Security Policy Editor. And
Simple File Sharing doesn't give you the ability to set access rights either. In that case, you'll have to use
extra software and procedures.
If you're using Guest authentication, and still getting "access denied" after all of the above steps, check the
restrictanonymous setting.
Even with all of the above advice, there are known scenarios, with varying symptoms, with but one common factor - recent (or not) application of
certain Windows Updates.
Next, look at the
complete and exact text in
any observed error messages. Some very obscure errors have very simple resolutions.
And finally, repeat
Troubleshooting Network Neighborhood.
>> TopWindows XP / Vista In A DomainIf you have a network with more than 3 or 4 computers, running Windows XP or Vista,
a domain is worth considering. Both Windows XP Home and XP Pro (and
their related editions), and the various editions of Vista, can be used in a domain, but in different ways.
A Windows XP / Vista Home edition computer can only join a
workgroup, it can not join a
domain. Windows XP Media Center has the same internal components as XP Pro; however, XP MCE 2005
(KB887212): will not join a domain either.
If a Home edition client computer is on the same network with a domain, the computers in the domain should be visible, in Network Neighborhood, under Entire Network - Microsoft Windows Network - (name of domain). The Home edition computer(s) will not, however, be visible from other clients, or from the servers, in the domain, unless there is a
browser server available for the workgroup of which the computer is a member (or if that computer is running the browser on its own).
If a Home edition client computer is on the network with a domain, the computer can be made a Member of a workgroup, with the workgroup name the same as the domain name. This will allow the servers in the domain to be visible, in Network Neighborhood, and will make the client visible from other clients, or from the servers, in the domain.
Users on a Home edition client will have to authenticate to any domain servers as they would in a workgroup - using accounts defined locally on each client and server.
A Windows XP Professional computer can join a domain, just as any other Windows NT based computer, and can access domain resources in the same way. However, several XP features will be unavailable:
- Fast User Switching.
- Simple File Sharing.
- Logon Welcome Screen.
Depending upon how your domain is setup, an XP / Vista computer may have problems logging in to the domain, and may require
changes in the domain itself.
>> TopGuest AuthenticationGuest authentication is an option under Windows XP Pro with
Advanced File Sharing, and for Windows Vista with Password Protected Sharing Enabled. For Vista with
PPS Disabled, XP Pro with
Simple File Sharing, and XP Home, Guest is the only available authentication. Guest authentication is part of
the authentication decision process, in general.
With Guest authentication, you have normally two choices for any otherwise shareable folder: whether to allow access to it, and whether to allow read-only or read-write access.
All shared folders and files are equally accessible by everybody who has access to the network.If your
server only uses Guest authentication, any shared data is offered, on the network, based upon the status of the Guest account on the server. Other accounts on the server, and on any clients, will not be relevant. Make sure that the Guest account is
properly activated for network access.
The Guest account, by definition, is a limited access account, and is similar to anonymous access under Windows. If your
server only uses Guest authentication, your computer can't be accessed with administrative authority, thru the network.
Shares which require administrative access, such as C$, "C:\Program Files", and "C:\Windows", can't be accessed thru the network, if shared using Guest authentication. No matter what authority you are logged in with, to a client computer, when you access any server using the Guest account, those shares, and any folders and files within those shares, will be inaccessible. Any files that you want to be accessible thru the network should be kept in the Shared Documents folder, and they will be accessible to everybody.
Remember that the various folders in "C:\Documents and Settings" (
"C:\Users" in Windows Vista) contain the personal data for each user of that computer. Those folders, by design, can only be accessed
by the owner of the data, or by an adminstrator. Guest is
neither of those, and shouldn't be expected to have access. The public portions of "C:\Documents and Settings" ("C:\Users"), if at all accessible to Guest, may be read only.
If a computer using Guest authentication is providing browser services for other computers, those other computers, when running
browstat, and having no other errors, will show an "error = 5" (access denied) when trying to access the registry on the browser.
Master browser name is: PChuck1
could not open key in registry, error=5 unable to determine build of browser master:5
Other network related tasks, like remote registry access, and remote shutdown, won't work either. Those tasks require administrative access. Utilities
like CPSServ won't be able to diagnose problems on a computer using Guest-only access, through the network.
The Guest account may not provide network access if the
restrictanonymous setting has the wrong value. The Guest account may not provide network access to specific shares, if the
RestrictNullSessAccess setting has the wrong value.
For more information about the Guest account, see Microsoft:
Description of the Guest account in Windows XP.
If you need to do so, you can give additional authority to Guest. How to add authority will depend upon your edition and file sharing.
- If your computer is running XP Professional and has Simple File Sharing disabled, just edit the Security and Sharing permissions settings.
- If your computer is running XP Professional with Simple File Sharing enabled, you have two choices.
- If your computer is running XP Home or Vista Home Basic, you'll need extra software and procedures, to edit the permissions settings.
>> TopNon-Guest AuthenticationNon-Guest authentication is much more granular than
Guest authentication, on a server using NTFS. It is possible on a server running Windows 2000, Windows XP Pro, with
Advanced File Sharing, or Windows Vista with Password Protected Sharing (PPS) enabled. If your server has XP Home, XP Pro with
Simple File Sharing, or Vista with PPS disabled, you'll be using
Guest authentication. Like Guest authentication, it's part of
the same decision process.
Once you're authenticated, whether with a Guest or a non-Guest account,
you need to be authorised. Authorisation, under AFS / PPS, is much more granular than Guest authorisation under SFS.
>> TopThe Authentication Process - Step By StepYou authenticate in 4 possible scenarios, based upon the status of both
the client and the server
- If
- The client is running Windows Vista Pro (Business, Enterprise, or Ultimate), XP Pro, or Windows 2000.
- You previously logged in to this server from this client, and selected "Reconnect at login".
your computer will have cached a token for server access. Your computer will supply the token, and you will be given server access transparently ("transparent token caching"). - IfYour computer will supply the token, and you will be given server access transparently ("transparent first time login").
- If automatic non-Guest authentication is not possible, the server is checked for the Guest account having been activated for network access. If Guest is activated, and has no password, you will be given automatic Guest access.
- If neither automatic non-Guest, nor Guest, access is possible, you will have to supply the token manually. You will have to login to the server, interactively, using an account that is activated for network access on the server, with correct password. You may have the opportunity, here, to select "Reconnect at login" (based on Rule 1).
- If there is no account activated for network access, you will see the old
... access denied.
or similar well-known error.
>> TopWindows XP And Other Operating SystemsWindows XP was designed to allow the merger of the two older operating system families - Windows 9x (Windows 95 / 98 / ME - predominantly home systems), and Windows NT (NT / 2000 / 2003 - predominantly business systems). By carefully choosing Advanced vs Simple File Sharing on your computer, it can better operate on the LAN with your computers running older systems. And, looking forward, it can operate fine on the LAN with your computers running Vista.
Simple File Sharing, which is selectable under XP Pro but not under XP Home, uses
Guest authentication only. It makes it easier to setup sharing with Windows 9x systems, by simply creating openly available shares.
Advanced aka Classic File Sharing is directly compatible to file sharing under Windows NT / 2000 / Server 2003. It can use
Guest, or it can use
non-Guest, authentication.
Windows XP will share files with an XBox 360, given
a small amount of work.
For additional details describing file sharing issues relevant to Windows XP and to other operating systems, see:
>> TopAuthentication ProtocolsAs described above, any connection created between a client and a server involves some form of authentication. The person using a client computer must prove who he / she is, so the server can decide whether to allow access. The simplest form of authentication is a simple account / password exchange. The user inputs the account (public secret) and password (private secret), these are passed to the server, which matches the two against its database.
Original versions of Windows, before NT V4.0, used LAN Manager Authentication, which used this strategy. Starting with Windows NT V4.0,
authentication protocols of increasing complexity have been used.
>> TopLocal Access IssuesIf you follow recommended procedures, and setup your accounts to allow file sharing, you will have
identical, non-blank passwords on the accounts. As I said above, by default, Windows XP Pro requires non-blank passwords for accounts used for network access.
Maybe you're accustomed to not logging in at all when you turn your computer on - just start it, it comes up with the desktop, and you get to work. Or maybe you'd like to do this, but don't know how. Well, Ramesh, another MVP, has written up the procedure for making your computer login automatically, in his article
Configure Windows XP to Automatically Login.
>> Top
Del.icio.us
Digg
Facebook
StumbleUpon
Technorati
Twitter
Posts
