Re: Stupid Question #1
From: Ron Lowe (ron-msng_at_{d.e.l.e.t.e.}lowe-family.me.uk)
Date: 06/08/04
- Previous message: Ron Lowe: "Re: SHARING AN EXTERNAL USB 2.0 DRIVE"
- In reply to: Bill Castner: "Stupid Question #1"
- Next in thread: Bill Castner: "Re: Stupid Question #1"
- Reply: Bill Castner: "Re: Stupid Question #1"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 8 Jun 2004 21:47:59 +0100
See inline....
"Bill Castner" <bcastner@[spam]verizon.net> wrote in message
news:325cc09frunqgeg8kmoegu55805ama6v13@4ax.com...
> An irregular series of questions that I am not sure the answers I have
> are in fact true.
>
> Q1. The Guest Account under XP Pro
>
> I have seen two widely different claims in this NG in the last month:
>
> . Enabling the Guest account on the local machine is a question only
> of whether a Guest can logon, not whether there is an ACL issue;
> . It does matter for remote connections.
Confusion on the definition of 'disabling'.
There are 2 different ways to 'disable' the account, only one of which
really is disabling it.
Using the control panel users applet, is it possible to 'turn the guest
account off'.
This is not 'Disabling the guest account'.
It simply sets it as 'Deny Local Logon'.
It simply prevents someone logging on at the console with the account.
The account is still enabled, and can be used for network logon.
Simple File Sharing, which depends on the Guest account, still functions
normally.
To truly DISABLE the account, you need to go to the 'real' users and groups
control.
Start | Run | enter "lusrmgr.msc" ;
Expand users folder;
Double-click 'Guest' account,
Check box for 'Account is disabled'.
[ When I talk about 'Disabling the Guest Acount'. THIS is what I mean.
Truly Disabling. Not 'Deny Local Logon'. ]
NOW the account is disabled.
NOW guest can't log on across the network.
Also, Simple File Sharing is now broken.
This is because SFS FORCES all incoming connections to authenticate as
Guest,
but the Guest account is now *really* disabled.
So you must disable Simple File Sharing and set up ACLs for real user
accounts.
> MS KB does not help:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;300489
>
> I have always recommended the later course, (enable ForceGuest) when
> Simple file sharing was enabled (or forced, as under XP Home).;
Simple File Sharing = ForceGuest.
> . I have followed the MS KB article, as best I understand the
> ForceGuest issue, even with Simple file sharing disabled in mixed OS
> network settings. Hence the basis of the question: this should be
> unnecessary.
The guest account is only enabled by default to permit SFS to work.
SFS forced all incoming connections to authenticate as guest.
If you DISABLE the guest account whilst SFS (ForceGuest ) is on, then
incoming connections will fail.
You will be met with a password prompt for PCname\Guest ( greyed out. )
> Personally, I have done fine with any network I setup with
> ForceGuest set to disabled; I synch the username and passwrords on
> all machines;
> . As someone who answers 7,000 networking questions a year, I follow
> the MS KB though out of safety and ease for the newsgroup end user.
>
> Now the query: why should I have to enable the Guest Account with
> Pro,; using nothing other than ACL authentication. Why the MS KB
> warning?
You dont have to.
I don't.
Disable it.
Use ACLs as normal.
Just don't have SFS ( ForceGuest ) enabled.
Becuase ForceGuest fails if Guest is disabled.
[snip SP2 stuff, not knowing. ]
> Comments welcomed.
-- Best Regards, Ron Lowe MS-MVP Windows Networking
- Previous message: Ron Lowe: "Re: SHARING AN EXTERNAL USB 2.0 DRIVE"
- In reply to: Bill Castner: "Stupid Question #1"
- Next in thread: Bill Castner: "Re: Stupid Question #1"
- Reply: Bill Castner: "Re: Stupid Question #1"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
