Re: Stupid Question #1

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Ron Lowe (ron-msng_at_{d.e.l.e.t.e.}lowe-family.me.uk)
Date: 06/09/04 

Date: Wed, 9 Jun 2004 10:05:21 +0100

> But the MS KB article suggests otherwise, or implies at the least that
> without an active Guest user account, that authentication by a remote
> user can be troublesome.

Not true.
Disabling ( in the true sense ) the guest account will only cause
authentication trouble if SFS is in force.

> Unless I suppose the ACL reflects Group Guest as part of Group
> Everyone and not Guest as user to authenticate.
>
> I am less confused about this in practice than I am in trying to sort
> such notions as that under XP the 'Authenticated User' group is not
> automaticly part of Group Everyone. That make sense to me as well,
> but I still find the MS KB comment about user Guest difficult to
> reconcile in the whole schema.

IMHO the article is grossly oversimplistic to the point of being wrong.

> Your comments appreciated.
>

The everyone group includes just that - everyone.
It includes the group 'Guests', which in turn includes the user 'Guest'.

The group 'Everyone is the default share permission.

So for SFS, all users authenticate as Guest ( as long as the Guest account
has not been disabled ), and the default permissions for the share will
contain Everyone which in turn will include guest, and access is granted.

If you are not using SFS, then go ahead and:

0) Disable the Guest account.
1) Create user accounts;
2) Create groups for them if you wish;
3) Add them to the share ACL;
4) Remove 'Everyone' form the ACL, unless you want all users ( except the
disabled guest, obviously ) to access the share.

Re: use of Everyone group:
You may want to use the Everyone group in your share permissions, even with
Guest disabled.
As an example, I have a share on a server which I use for staff to make
files available to anyone on the network.
All the saff accounts belong to a group called 'Staff'.
So I have the share permissions set to
   Staff: Change permission ( read/write )
   Everyone: Read permission only.

( The guest account is disabled. )

Now, all users can read the files, but only the staff can change them. 

-- 
Best Regards,
Ron Lowe
MS-MVP Windows Networking

Relevant Pages

  • Re: Login failed for ServerGuest
    ... | guest and the use of the same account/password does not ... |>I think it is not a limitation in Windows 2000. ... |>use same password for Administrator account on both Win2000 and WinXP ... although Windows Authentication is more secure than ...
    (microsoft.public.sqlserver.connect)
  • Re: Login failed for ServerGuest
    ... Not in terms of the same type of thing with the guest ... account.When it's a specific account failing, ... > I have noticed that when I try to log in using Windows Authentication to ...
    (microsoft.public.sqlserver.connect)
  • Re: Windows XP Advanced Filesharing
    ... Be consistent how you setup authentication on each computer. ... If neither automatic non-Guest, nor Guest, access is possible, you will ... interactively, using an activated non-Guest account, with correct password. ... Disable that account for local access, and Enable it for network access. ...
    (microsoft.public.windowsxp.network_web)
  • Re: Help with Guest account
    ... Account and created a new User Account. ... Same thing in the Guest ... problem accessing the internet with it as it uses that same network ... enable the Guest Account is "an" administrator account. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Login failed for ServerGuest
    ... authentication is not an option when logging in remotely to Xp Home since it ... authentication is done using the guest account ... >>a windows user account on both machines with the same password. ...
    (microsoft.public.sqlserver.connect)