Re: Stupid Question #1

From: Bill Castner (bcastner_at_[spam)
Date: 06/09/04

• Next message: Erik Merk: "network failure after SP1a install"
• Previous message: RPM: "Re: can ping but cannot browse"
• In reply to: Bill Castner: "Re: Stupid Question #1"
• Next in thread: Ron Lowe: "Re: Stupid Question #1"
• Reply: Ron Lowe: "Re: Stupid Question #1"
• Messages sorted by: [ date ] [ thread ]

Date: Tue, 08 Jun 2004 21:13:24 -0400

I should be clearer here about my concern.

As you said: "Using the control panel users applet, is it possible to
'turn the guest account off'.
This is not 'Disabling the guest account'.
It simply sets it as 'Deny Local Logon'.
It simply prevents someone logging on at the console with the account.

The account is still enabled, and can be used for network logon.
Simple File Sharing, which depends on the Guest account, still
functions normally."

And this has been my understanding and experience.

But the MS KB article suggests otherwise, or implies at the least that
without an active Guest user account, that authentication by a remote
user can be troublesome.

Unless I suppose the ACL reflects Group Guest as part of Group
Everyone and not Guest as user to authenticate.

I am less confused about this in practice than I am in trying to sort
such notions as that under XP the 'Authenticated User' group is not
automaticly part of Group Everyone. That make sense to me as well,
but I still find the MS KB comment about user Guest difficult to
reconcile in the whole schema.

Your comments appreciated.

On Tue, 08 Jun 2004 20:40:54 -0400, Bill Castner
<bcastner@[spam]verizon.net> wrote:

>Ron ,
>
>Thank yoiu. I believe we are exactly on the same page on the
>'disabling' issue.
>
>If you have the chance, comment on the MS KB article I quote.
>
>Thanks,
>Bill
>
>
>On Tue, 8 Jun 2004 21:47:59 +0100, "Ron Lowe"
><ron-msng@{d.e.l.e.t.e.}lowe-family.me.uk> wrote:
>
>>See inline....
>>
>>
>>"Bill Castner" <bcastner@[spam]verizon.net> wrote in message
>>news:325cc09frunqgeg8kmoegu55805ama6v13@4ax.com...
>>> An irregular series of questions that I am not sure the answers I have
>>> are in fact true.
>>>
>>> Q1. The Guest Account under XP Pro
>>>
>>> I have seen two widely different claims in this NG in the last month:
>>>
>>> . Enabling the Guest account on the local machine is a question only
>>> of whether a Guest can logon, not whether there is an ACL issue;
>>> . It does matter for remote connections.
>>
>>Confusion on the definition of 'disabling'.
>>There are 2 different ways to 'disable' the account, only one of which
>>really is disabling it.
>>
>>Using the control panel users applet, is it possible to 'turn the guest
>>account off'.
>>This is not 'Disabling the guest account'.
>>It simply sets it as 'Deny Local Logon'.
>>It simply prevents someone logging on at the console with the account.
>>
>>The account is still enabled, and can be used for network logon.
>>Simple File Sharing, which depends on the Guest account, still functions
>>normally.
>>
>>To truly DISABLE the account, you need to go to the 'real' users and groups
>>control.
>>Start | Run | enter "lusrmgr.msc" ;
>>Expand users folder;
>>Double-click 'Guest' account,
>>Check box for 'Account is disabled'.
>>
>>[ When I talk about 'Disabling the Guest Acount'. THIS is what I mean.
>>Truly Disabling. Not 'Deny Local Logon'. ]
>>
>>NOW the account is disabled.
>>NOW guest can't log on across the network.
>>
>>Also, Simple File Sharing is now broken.
>>This is because SFS FORCES all incoming connections to authenticate as
>>Guest,
>>but the Guest account is now *really* disabled.
>>So you must disable Simple File Sharing and set up ACLs for real user
>>accounts.
>>
>>
>>
>>
>>> MS KB does not help:
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;300489
>>>
>>> I have always recommended the later course, (enable ForceGuest) when
>>> Simple file sharing was enabled (or forced, as under XP Home).;
>>
>>Simple File Sharing = ForceGuest.
>>
>>
>>> . I have followed the MS KB article, as best I understand the
>>> ForceGuest issue, even with Simple file sharing disabled in mixed OS
>>> network settings. Hence the basis of the question: this should be
>>> unnecessary.
>>
>>The guest account is only enabled by default to permit SFS to work.
>>SFS forced all incoming connections to authenticate as guest.
>>If you DISABLE the guest account whilst SFS (ForceGuest ) is on, then
>>incoming connections will fail.
>>You will be met with a password prompt for PCname\Guest ( greyed out. )
>>
>>
>>> Personally, I have done fine with any network I setup with
>>> ForceGuest set to disabled; I synch the username and passwrords on
>>> all machines;
>>> . As someone who answers 7,000 networking questions a year, I follow
>>> the MS KB though out of safety and ease for the newsgroup end user.
>>>
>>> Now the query: why should I have to enable the Guest Account with
>>> Pro,; using nothing other than ACL authentication. Why the MS KB
>>> warning?
>>
>>
>>You dont have to.
>>I don't.
>>
>>Disable it.
>>Use ACLs as normal.
>>
>>Just don't have SFS ( ForceGuest ) enabled.
>>Becuase ForceGuest fails if Guest is disabled.
>>
>>
>>[snip SP2 stuff, not knowing. ]
>>
>>> Comments welcomed.

• Next message: Erik Merk: "network failure after SP1a install"
• Previous message: RPM: "Re: can ping but cannot browse"
• In reply to: Bill Castner: "Re: Stupid Question #1"
• Next in thread: Ron Lowe: "Re: Stupid Question #1"
• Reply: Ron Lowe: "Re: Stupid Question #1"
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint