Win2k8 in a workgroup - share permissions

Hi,
A friend bought a Windows 2008 server to start a small business.
It is the only server and it is in a Workgroup.

I created a folder on the server called "Finance"
This server has 3 user accounts, User1, User2, and User2
I created a Group called "Financial Admins"
I put all 3 user accounts in this group called Financial Admins
I went to provision a share
I changed the NTFS permissions to Financial Admins = Full Control
I changed the share permissoins to Everyone = Full Control

With a laptop in the same workgroup and logging on as User1 (with the same
password as set on the server) I try to access the Finance folder.
I get Access Denied.
If I add my account User1 to the NTFS permissions, I can access it no
problem.

So when I try to control permission with Groups it is not working. But
specifically putting in individual user accounts it works just fine.
So what am I missing?
Thanks in advance!

"msnews.microsoft.com" <> wrote in message
news:%23yg5rf$...
> Hi,
> A friend bought a Windows 2008 server to start a small business.
> It is the only server and it is in a Workgroup.
>
> I created a folder on the server called "Finance"
> This server has 3 user accounts, User1, User2, and User2
> I created a Group called "Financial Admins"
> I put all 3 user accounts in this group called Financial Admins
> I went to provision a share
> I changed the NTFS permissions to Financial Admins = Full Control
> I changed the share permissoins to Everyone = Full Control
>
> With a laptop in the same workgroup and logging on as User1 (with the same
> password as set on the server) I try to access the Finance folder.
> I get Access Denied.
> If I add my account User1 to the NTFS permissions, I can access it no
> problem.
>
> So when I try to control permission with Groups it is not working. But
> specifically putting in individual user accounts it works just fine.
> So what am I missing?
> Thanks in advance!

It would appear that the trick of having identically named and passworded
accounts on different computers in order to simulate a trust environment
works only when the accounts are used directly. But a local group on a
machine in a workgroup can only contain local accounts (and groups) on the
same machine.

I'd recommend that you convert the workgroup to a domain.

/Al

Al Dunbar" <> wrote in message
news:%...
>
> "msnews.microsoft.com" <> wrote in message
> news:%23yg5rf$...
>> Hi,
>> A friend bought a Windows 2008 server to start a small business.
>> It is the only server and it is in a Workgroup.
>>
>> I created a folder on the server called "Finance"
>> This server has 3 user accounts, User1, User2, and User2
>> I created a Group called "Financial Admins"
>> I put all 3 user accounts in this group called Financial Admins
>> I went to provision a share
>> I changed the NTFS permissions to Financial Admins = Full Control
>> I changed the share permissoins to Everyone = Full Control
>>
>> With a laptop in the same workgroup and logging on as User1 (with the
>> same password as set on the server) I try to access the Finance folder.
>> I get Access Denied.
>> If I add my account User1 to the NTFS permissions, I can access it no
>> problem.
>>
>> So when I try to control permission with Groups it is not working. But
>> specifically putting in individual user accounts it works just fine.
>> So what am I missing?
>> Thanks in advance!
>
> It would appear that the trick of having identically named and passworded
> accounts on different computers in order to simulate a trust environment
> works only when the accounts are used directly. But a local group on a
> machine in a workgroup can only contain local accounts (and groups) on the
> same machine.
>
> I'd recommend that you convert the workgroup to a domain.
>
> /Al
>

I guess that doesn't make sense to me. They only have 3 employees. Domains
are for 50 or more people.
How do small companies that use a workgroup handle security like this then,
just forget about using groups for security?
Thanks.

As you have found out workgroups can be harder to manage than a simple AD
domain, even for three users.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

>
> I guess that doesn't make sense to me. They only have 3 employees.
> Domains are for 50 or more people.
> How do small companies that use a workgroup handle security like this
> then, just forget about using groups for security?
> Thanks.
>
>
>

Exactly. Three workgroup computers, a server, and three users. With a
domain, three accounts; with a workgroup, twelve accounts, plus the users
need to coordinate their password changes.

/Al

"Kerry Brown" <*a*m> wrote in message
news:...
> As you have found out workgroups can be harder to manage than a simple AD
> domain, even for three users.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>
>>
>> I guess that doesn't make sense to me. They only have 3 employees.
>> Domains are for 50 or more people.
>> How do small companies that use a workgroup handle security like this
>> then, just forget about using groups for security?
>> Thanks.
>>
>>
>>

The problem lies in NTFS permissions. If possible set permissions on the
filesystem to Everyone>Full and use share permissions to control access.

BTW, I've seen far too many small systems (in one office, three users and a
server!) setup as a domain, and basically the problems this creates far, far
outweigh any advantages. Key issue with domains is the inability to
subsequently change anything (domain name, server name, computer name, user
account) without this causing a spate of domino-effect problems. These kinds
of problems maybe don't create such an issue for the corporate site with
highly-qualified onsite IT, but for small businesses running the likes of SBS
they are a total headbanger. Even a trivial issue like a user marrying can
lead to an IT firm having to be called-in to change the username without, in
the process, losing all of the user's settings, files and email.

As with so many systems touted to streamline or integrate administration,
these shortcomings are not apparent until you've tried to use the thing for a
while in a production environment,


"msnews.microsoft.com" wrote:

> Hi,
> A friend bought a Windows 2008 server to start a small business.
> It is the only server and it is in a Workgroup.
>
> I created a folder on the server called "Finance"
> This server has 3 user accounts, User1, User2, and User2
> I created a Group called "Financial Admins"
> I put all 3 user accounts in this group called Financial Admins
> I went to provision a share
> I changed the NTFS permissions to Financial Admins = Full Control
> I changed the share permissoins to Everyone = Full Control
>
> With a laptop in the same workgroup and logging on as User1 (with the same
> password as set on the server) I try to access the Finance folder.
> I get Access Denied.
> If I add my account User1 to the NTFS permissions, I can access it no
> problem.
>
> So when I try to control permission with Groups it is not working. But
> specifically putting in individual user accounts it works just fine.
> So what am I missing?
> Thanks in advance!
>
>
>

"Anteaus" <> wrote in message
news:E25DA4EA-8240-44ED-8518-...
> The problem lies in NTFS permissions. If possible set permissions on the
> filesystem to Everyone>Full and use share permissions to control access.
>
> BTW, I've seen far too many small systems (in one office, three users and
> a
> server!) setup as a domain, and basically the problems this creates far,
> far
> outweigh any advantages. Key issue with domains is the inability to
> subsequently change anything (domain name, server name, computer name,
> user
> account) without this causing a spate of domino-effect problems. These
> kinds
> of problems maybe don't create such an issue for the corporate site with
> highly-qualified onsite IT, but for small businesses running the likes of
> SBS
> they are a total headbanger. Even a trivial issue like a user marrying can
> lead to an IT firm having to be called-in to change the username without,
> in
> the process, losing all of the user's settings, files and email.
>
> As with so many systems touted to streamline or integrate administration,
> these shortcomings are not apparent until you've tried to use the thing
> for a
> while in a production environment,
>

Your experience is very different from mine. It is much harder to change a
user name (or even a password) in a workgroup instead of a domain. In the
domain one change and it's done. In a workgroup you have to know all of the
computers that have shared resources the user accesses and change the
account on every one of them. I have many businesses with small networks
that I manage/oversee for them. On none of them would they call me to change
a user account. I have delegated that authority (with the built in wizard)
and showed them (about five minutes) how to do this. As a backup they have a
half page written procedure they can look at. I have however been called in
many times to businesses with a workgroup based network when all of a sudden
a user can't access a printer or share they used to use just fine. The only
problematic things to change are the domain name and the domain controller
name. That's easily mitigated by using generic names from the start. It does
take a bit of work at the start to set up an Active Directory based network.
Once it's setup properly it's much easier to manage than a work group. The
only time I ever use workgroups is if there is no Windows server in the
network. Once there is a Windows server AD is a no brainer.

As for setting NTFS security so that anybody has access and using share
permissions to control access, that has so many bad security implications
it's laughable. I guess you've never heard of a disgruntled employee looking
up payroll data, stealing company information, etc. If a user logs on
locally you have no control over what they can access on the computer if you
use your security model. Even in a workgroup this is a very poor security
practice.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"Anteaus" <> wrote in message
news:E25DA4EA-8240-44ED-8518-...
> The problem lies in NTFS permissions. If possible set permissions on the
> filesystem to Everyone>Full and use share permissions to control access.

Are you sure you have that the right way around? share permissions are not
granular enough, so if one use needs read/write access to one file in a
share he must be given read/write access to all files in the share.

> BTW, I've seen far too many small systems (in one office, three users and
> a
> server!) setup as a domain, and basically the problems this creates far,
> far
> outweigh any advantages. Key issue with domains is the inability to
> subsequently change anything (domain name, server name, computer name,
> user
> account) without this causing a spate of domino-effect problems. These
> kinds
> of problems maybe don't create such an issue for the corporate site with
> highly-qualified onsite IT, but for small businesses running the likes of
> SBS
> they are a total headbanger. Even a trivial issue like a user marrying can
> lead to an IT firm having to be called-in to change the username without,
> in
> the process, losing all of the user's settings, files and email.
>
> As with so many systems touted to streamline or integrate administration,
> these shortcomings are not apparent until you've tried to use the thing
> for a
> while in a production environment,

I can't really argue with you there, as the only domain-based environments I
have had experience with are on the "corporate" side of things. I suspect
that the problems you mention with renaming an account may have resulted
from either some poor choices having been made earlier on in the design, or
from there not being a good mix between the available admin tools and the
available, and perhaps not highly qualified, IT support (who might just be
the owner's nephew or something).

That is too bad, as the domain environment does have advantages in some
areas. Too bad they couldn't come up with a hybrid approach. But wait, isn't
that what SBS is supposed to be?

/Al

> "msnews.microsoft.com" wrote:
>
>> Hi,
>> A friend bought a Windows 2008 server to start a small business.
>> It is the only server and it is in a Workgroup.
>>
>> I created a folder on the server called "Finance"
>> This server has 3 user accounts, User1, User2, and User2
>> I created a Group called "Financial Admins"
>> I put all 3 user accounts in this group called Financial Admins
>> I went to provision a share
>> I changed the NTFS permissions to Financial Admins = Full Control
>> I changed the share permissoins to Everyone = Full Control
>>
>> With a laptop in the same workgroup and logging on as User1 (with the
>> same
>> password as set on the server) I try to access the Finance folder.
>> I get Access Denied.
>> If I add my account User1 to the NTFS permissions, I can access it no
>> problem.
>>
>> So when I try to control permission with Groups it is not working. But
>> specifically putting in individual user accounts it works just fine.
>> So what am I missing?
>> Thanks in advance!
>>
>>
>>