Greg M wrote:


Hi Richard,

Complicateder and complicateder!

Security is a PITA.

Greg M wrote:

Thanks for your reply, but it seems I'm not out of the woods yet.

The home network is quite simple - pc A and pc B connected directly using a crossover cable.  Pc A connects directly to the internet, pc B connects to the internet via pc A.  Windows XP with SP2 is installed on both pc's.

What versions of XP: Home, Professional, Media Center?

This can be important because Home has limited networking features. For example, all Network accesses get 'down-graded' to "Guest" user account access. You can see this yourself using the "Sessions" console, under Shared Folders of the Management Console - right-click My Computer, Manage, then drill down to it on the left.

Greg M wrote:

There are two folders on pc A, called A1 and A2, and two folders on pc B, called B1 and B2.

Folder A1 was set as shared using Explorer, with the sharename A1share; folder A2 was set as shared using the command line statement: Net Share A2share=G:\A2

Folder B1 was set as shared using Explorer, with the sharename B1share; folder B2 was set as shared using the command line statement: Net Share B2share=G:\B2

OK, so clearly the NET SHARE command is not a replacement for the Shell's Share wizard. I've not experimented to confirm this, but it appears that it simply retains any existing 'default' permissions. Those defaults will then depend upon what folder you're sharing, and whether it's been through the Shell's Sharing wizard already or not.

Greg M wrote:

Folders A1share and A2share are visible and "openable" on pc B

Folders B1share and B2share are visible on pc A, but
Folder B1share is "openable" on pc A
Folder B2share is NOT "openable" on pc A

[snip]
Greg M wrote:

On pc B the command Cacls G:\B1 produces the following output:
g:\B1 Everyone:(OI)(CI)C
      BUILTIN\Administrators:(OI)(CI)F
      NT AUTHORITY\SYSTEM:(OI)(CI)F
      GREGSCOMPUTER\Greg:F
      CREATOR OWNER:(OI)(CI)(IO)F
      BUILTIN\Users:(OI)(CI)R
      BUILTIN\Users:(CI)(special access:)
            FILE_APPEND_DATA
      BUILTIN\Users:(CI)(special access:)
            FILE_WRITE_DATA

On pc B the command Cacls G:\B2 produces the following output:
g:\B2 BUILTIN\Administrators:(OI)(CI)F
      NT AUTHORITY\SYSTEM:(OI)(CI)F
      GREGSCOMPUTER\Greg:F
      CREATOR OWNER:(OI)(CI)(IO)F
      BUILTIN\Users:(OI)(CI)R
      BUILTIN\Users:(CI)(special access:)
            FILE_APPEND_DATA 
      BUILTIN\Users:(CI)(special access:)
            FILE_WRITE_DATA
 
Any suggestions regarding the different output from the Cacls command on the two pc's, or regarding what needs to be tweaked in order to have folder B2share "openable" on pc A?

Best regards,

Greg M



I've highlighted the fact that B1 has the 'Everyone' user account listed in its ACL, with change permissions. As mentioned earlier, XP Home will downgrade the user account being used via the Network, back to Guest account access.

If my memory is correct, the 'Everyone' user account usually includes Guests, though with recent security updates (perhaps not with Home, I'm not sure), Guest accounts are specifically excluded from the 'Everyone' account via Group Policy. On an XP Pro system, you can check this via the Group Policy console: Start, Run: gpedit.msc

When I do this on one of my XP Pro systems, I can't find a specific entry that I remember (I'm getting old, though). I did find this one, though, under Security options: