Win2k8 in a workgroup - share permissions

Discussion in 'Server Security' started by msnews.microsoft.com, Apr 8, 2009.

  1. Hi,
    A friend bought a Windows 2008 server to start a small business.
    It is the only server and it is in a Workgroup.

    I created a folder on the server called "Finance"
    This server has 3 user accounts, User1, User2, and User2
    I created a Group called "Financial Admins"
    I put all 3 user accounts in this group called Financial Admins
    I went to provision a share
    I changed the NTFS permissions to Financial Admins = Full Control
    I changed the share permissions to Everyone = Full Control

    With a laptop in the same workgroup and logging on as User1 (with the same
    password as set on the server) I try to access the Finance folder.
    I get Access Denied.
    If I add my account User1 to the NTFS permissions, I can access it no
    problem.

    So when I try to control permission with Groups it is not working. But
    specifically putting in individual user accounts it works just fine.
    So what am I missing?
    Thanks in advance!
     
    msnews.microsoft.com, Apr 8, 2009
    #1

  2. msnews.microsoft.com

    Al Dunbar Guest

    It would appear that the trick of having identically named and passworded
    accounts on different computers in order to simulate a trust environment
    works only when the accounts are used directly. But a local group on a
    machine in a workgroup can only contain local accounts (and groups) on the
    same machine.

    I'd recommend that you convert the workgroup to a domain.

    /Al
     
    Al Dunbar, Apr 9, 2009
    #2

  3. I guess that doesn't make sense to me. They only have 3 employees. Domains
    are for 50 or more people.
    How do small companies that use a workgroup handle security like this then,
    just forget about using groups for security?
    Thanks.
     
    msnews.microsoft.com, Apr 9, 2009
    #3
  4. msnews.microsoft.com

    Kerry Brown Guest

    As you have found out, workgroups can be harder to manage than a simple AD
    domain, even for three users.
     
    Kerry Brown, Apr 9, 2009
    #4
  5. msnews.microsoft.com

    Al Dunbar Guest

    Exactly. Three workgroup computers, a server, and three users. With a
    domain, three accounts; with a workgroup, twelve accounts, plus the users
    need to coordinate their password changes.

    /Al
     
    Al Dunbar, Apr 10, 2009
    #5
  6. msnews.microsoft.com

    Anteaus Guest

    The problem lies in NTFS permissions. If possible set permissions on the
    filesystem to Everyone>Full and use share permissions to control access.

    BTW, I've seen far too many small systems (in one office, three users and a
    server!) set up as a domain, and basically the problems this creates far, far
    outweigh any advantages. Key issue with domains is the inability to
    subsequently change anything (domain name, server name, computer name, user
    account) without this causing a spate of domino-effect problems. These kinds
    of problems maybe don't create such an issue for the corporate site with
    highly-qualified onsite IT, but for small businesses running the likes of SBS
    they are a total headbanger. Even a trivial issue like a user marrying can
    lead to an IT firm having to be called in to change the username without, in
    the process, losing all of the user's settings, files and email.

    As with so many systems touted to streamline or integrate administration,
    these shortcomings are not apparent until you've tried to use the thing for a
    while in a production environment.
     
    Anteaus, Apr 14, 2009
    #6
  7. msnews.microsoft.com

    Kerry Brown Guest

    Your experience is very different from mine. It is much harder to change a
    user name (or even a password) in a workgroup instead of a domain. In the
    domain one change and it's done. In a workgroup you have to know all of the
    computers that have shared resources the user accesses and change the
    account on every one of them. I have many businesses with small networks
    that I manage/oversee for them. On none of them would they call me to change
    a user account. I have delegated that authority (with the built-in wizard)
    and showed them (about five minutes) how to do this. As a backup they have a
    half page written procedure they can look at. I have however been called in
    many times to businesses with a workgroup based network when all of a sudden
    a user can't access a printer or share they used to use just fine. The only
    problematic things to change are the domain name and the domain controller
    name. That's easily mitigated by using generic names from the start. It does
    take a bit of work at the start to set up an Active Directory based network.
    Once it's set up properly it's much easier to manage than a workgroup. The
    only time I ever use workgroups is if there is no Windows server in the
    network. Once there is a Windows server AD is a no-brainer.

    As for setting NTFS security so that anybody has access and using share
    permissions to control access, that has so many bad security implications
    it's laughable. I guess you've never heard of a disgruntled employee looking
    up payroll data, stealing company information, etc. If a user logs on
    locally you have no control over what they can access on the computer if you
    use your security model. Even in a workgroup this is a very poor security
    practice.
     
    Kerry Brown, Apr 14, 2009
    #7
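
The exposure described in the post above (an NTFS ACL open to Everyone, with only share permissions in front of it) can be checked for on the server itself. This is an added example, not part of the thread or any poster's code: a PowerShell audit that lists each disk share whose root folder grants Everyone Modify or more at the NTFS level. The Modify threshold and the output property names are assumptions chosen for illustration; run it in an elevated prompt on the file server.

```powershell
# Added example: find shares that rely on share permissions alone because
# the NTFS ACL on the shared folder is open to Everyone (SID S-1-1-0).
# Uses WMI (Win32_Share) so it also works on Server 2008, which predates Get-SmbShare.

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone
# Assumption: treat Modify or anything broader (including FullControl) as "open"
$threshold = [System.Security.AccessControl.FileSystemRights]::Modify

# Type = 0 selects ordinary disk shares and skips admin shares (C$, ADMIN$), IPC$ and printers
Get-WmiObject -Class Win32_Share -Filter 'Type = 0' | ForEach-Object {
    $share = $_
    $acl   = Get-Acl -Path $share.Path

    # Ask for SIDs rather than names so the match does not depend on OS language
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $rules | Where-Object {
        $_.IdentityReference.Value -eq $everyoneSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $threshold) -eq $threshold
    } | ForEach-Object {
        # One output row per offending ACE
        New-Object PSObject -Property @{
            Share     = $share.Name
            Path      = $share.Path
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
} | Format-Table Share, Path, Rights, Inherited -AutoSize
```

Any row in the output is a folder where a user who reaches the files without going through the share (for example by logging on locally) is limited only by that Everyone entry. The script inspects only the share's root folder, not ACLs on files or subfolders beneath it.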
  8. msnews.microsoft.com

    Al Dunbar Guest

    Are you sure you have that the right way around? Share permissions are not
    granular enough, so if one user needs read/write access to one file in a
    share he must be given read/write access to all files in the share.

    I can't really argue with you there, as the only domain-based environments I
    have had experience with are on the "corporate" side of things. I suspect
    that the problems you mention with renaming an account may have resulted
    from either some poor choices having been made earlier on in the design, or
    from there not being a good mix between the available admin tools and the
    available, and perhaps not highly qualified, IT support (who might just be
    the owner's nephew or something).

    That is too bad, as the domain environment does have advantages in some
    areas. Too bad they couldn't come up with a hybrid approach. But wait, isn't
    that what SBS is supposed to be?

    /Al
     
    Al Dunbar, Apr 15, 2009
    #8