Networking (2 QU's Answered)

[Brennen]

To put it simply, this happens all the time and I have noticed it on quite a few networks, here are my questions:

(note: The exact question if you will, is italicized***)

[Question #1:] Every so often a few particular computers cannot be reached by UNC paths. Primarily the C$ and D$ Shares, along with remote registry and remote services etc. This poses and annoyance because I use the to gain remote access to the computers when -- well whenever.

During these times I can still ping the computers, as well as RDP to the computer. So; we know the computer is turned on, connected to the network, joined to the Domain, AND registered in DNS/WINS with a static IP address. Does anyone know what causes this to -- well, not work?

[b]Cause[/b]: There are a few causes to this. (1) Some were so simple it embarrassed me, (2) others required a 
little more digging, (3) while others still had one thing I changed that seemed to cause the problem but 
I still cannot guarantee was the actual fix.

[b]Resolution[/b]: 
[b]1.[/b] If the Windows Firewall is on, make sure File and Printer sharing is allowed through firewall. 
(Embarrassing, but a [i]few[/i] PC's had this and I overlooked them.)
[b]2.[/b] The registry value that controls the Admin shares is set to "0", disabling these shares. 
Change them to "1" to enable:
[code][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"AutoShareWKS"=dword:00000001[/code]

[b]3.[/b] Disable "Use Simple File Sharing" from the Folder View.

(Again, this only seemed to smooth things over on one PC.)

[s][[b]Question #2:[/b]] XP Pro workstations by default have the C$/D$/Etc. active upon installation as far as I know, and they are viewable (read: you can see them turned on) via the Management Snap-In. However, on a typical workgroup you cannot access them...or at least, I think the only way TO access them when not joined to a domain is to set a password on the "Guest" account -- which for some reason is the account that authenticates when attempting to connect. (EDIT: Not "for some reason" -- it makes sense.) SO! [i]Anyone know if there is a registry change that can be made to add a DIFFERENT user account to allow access to these shares on a workgroup?[/i][/s]

[codebox][b]Cause[/b]: Simple File sharing controls a registry setting called "ForceGuest" that will allow file sharing
as long as the user authenticating is one of the administrators on the receiving client -- if the user is
NOT an administrator, the computer will prompt for username and password but will [i]force[/i]
using the Guest account.
Changing this key or following the next step is the solution:
[code][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000[/code]

[b]Resolution[/b]: Turn off Simple File Sharing on all computers. Add administrator account with password to

each computer (same username/password).

Hide user profile in registry:

[code][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"USERNAME"=dword:00000000[/code]

; I attempted to make this as simple to read and follow as possible.

; I feel I did the opposite. But I will leave it for anyone who might find this useful.

kthnxbye

Edited August 9, 2007 by Brennen

[nmX.Memnoch]

[Question #2:] XP Pro workstations by default have the C$/D$/Etc. active upon installation as far as I know, and they are viewable (read: you can see them turned on) via the Management Snap-In. However, on a typical workgroup you cannot access them...or at least, I think the only way TO access them when not joined to a domain is to set a password on the "Guest" account -- which for some reason is the account that authenticates when attempting to connect. (EDIT: Not "for some reason" -- it makes sense.) SO! Anyone know if there is a registry change that can be made to add a DIFFERENT user account to allow access to these shares on a workgroup?

To access them when not in a domain (and without using the Guest account...blech) you have to create identical accounts on the workstations. So if machine A has an account called JOHN and JOHN has a password of JOHNPWD, then machine B would need an account called JOHN with a password of JOHNPWD. The default drive shares (C$, D$, ADMIN$, etc) are shared strictly for administrative purposes so anyone accessing them must have Admin privs on the workstation (i.e. JOHN would have to be in the Administrators group on the destination PC).

The same is true of Remote Registry permissions.

Now if you were trying to access a non-admin share then you'd simply need to give JOHN permissions to the non-admin share on the destination PC (and JOHN wouldn't need to be in the Administrators group in this case).

Apply the same rules when attempting to map printers between non-domain PCs.

[Brennen]

Thanks. I have that setup already -- for that reason, but it still forces me to use the Guest account for those built-in shares (ADMIN$/C$/D$/Ttc.) -- which, is why I bring the question up. I thought for sure it would work -- but apparently not. Oops. Yeah, I knew that -- I forgot for a second that the computer I was getting irritated with was my OTHER computer which doesn't have my user account, which was why I wanted to know if there was a way to change which account to login with since I can access that computer by giving the guest account a password -- but I do not want to do it that way if I do not have to.

(Edit: PS - How's that logon script coming??)

Edited July 31, 2007 by Brennen

[nmX.Memnoch]

Using the Guest account is a Bad Idea. Just create the other account on the other workstation.

The logon script is coming...I haven't forgotten. I've been making some functionality changes. I need to get those tested before cleaning it up for you. The big test is coming tomorrow so I should be able to post it this weekend (provided the new code works like I want it to).

[lingk]

whenever i found that the system is asking me for the guest password this is what i would do:

on the computer I'm trying to access i click on tools then folder options then click the view tab, at the very bottom i uncheck simple file sharing. the prompt for the guest account will go away and i have to provide a user name and password for an account on the computer I'm trying to access.

[Brennen]

on the computer I'm trying to access i click on tools then folder options then click the view tab, at the very bottom i uncheck simple file sharing.

As a habit I try to disable this when I set the computers up -- but on these other computers that aren't my main PC's I wouldn't be surprised if I forgot this. Thanks, I will check this out.

Using the Guest account is a Bad Idea. Just create the other account on the other workstation.

Yeah, I guess I will just have to do that. Thanks!

Still really wanting to know if anyone has any ideas about the first question...

Edited August 1, 2007 by Brennen

[nmX.Memnoch]

On question 1...have you checked the WINS server to see if they are in fact registered? That'd be my first guess.

The other thing to check is if there are any messages in the Event Viewer on those workstations regarding forced browser elections.

[Brennen]

Yeh. All registered in both WINS servers / DNS servers. So far none of the computers have very many common factors that differ from ones that work. Some are on DHCP, others Static. Some HAVE worked, some never have. Nothing in the event viewer. Again, ping does resolve the address and computer name -- and RDP works. Just -- really anything UNC related.

Well -- also, the computer shows up when I browse my Domain under Network Places, but when you try to connect to the computer it gives you:

[JuMz]

I have an idea, don't know if it will help or is what you're looking for but just TRY it anyways...

1. On the remote computer, go to My Comp -> Tools > Folder options -> ENABLE simple file sharing (just bare with me)

2. Now, pick a folder on the machine and share it using the 'simple way' (don't use the wizard, 'just enable file sharing', screenshot below)

3. Now go back and DISABLE simple File sharing

4. Go to the folder you just shared and set Share permissions to everyone and NTFS permissions are you desire...

5. Now you can share folders as you normally would and everything should be back to normal...?

Edited August 2, 2007 by JuMz

[Brennen]

As much as I do appreciate the help on this JuMz, and that DOES get things working in terms of regular share files. But what I am concerned with at the moment are the built in admin shares: ADMIN$ / C$ / D$ / Tec that do not seem to want to let me access them without the Guest account (unless of course I am logged on with the SAME username and password that has access to THAT particular local computers admin privilages -- which I will take as a solution...)

I will have to check on this as I am not home -- and I do not have the time to VPN to my network to play with these settings. Bare with me. Thanks for the help so far guys!! What I am really burning to know is the initial question though lol. Question #1, which is my largest....set back.

[JuMz]

I find it odd that you don't receive a prompt....I am in a workgroup scenario here and I can access the admin shares (all PC's have different usernames / passwords). When accessing an Admin share (usually c$), I get prompted for a username and password (which has to be an Admin account on that machine)...

My understanding is that you do not get this prompt? Just straight denied?

[Brennen]

I get prompted. But my prompt is locked at "Computername\Guest" with a password box. If I manually set the Guest account to use a password then im great. I have access to everything infact. But i would rather not do this -- I would rather be prompted for a user account and password. It isnt a "problem" -- its an annoyance. I figure there is a registry setting that will change this. I just don't know where.

But like I said. My actual "problem" is Question #1. And again, thanks for the support so far.

[JuMz]

Hmm. The ONLY time I have ever seen that is when 1 of the machines is using Simple File sharing (can't remember if it was the computer you're trying to connect to, or the computer you're using)...I don't know what else it could be...did you happen to TRY my suggestion (on your machine and the other one?) just for kicks?

[Brennen]

I figured out the solution. Or rather the reason. (For Question #2). I moved my resolution/answer in my first post.

Still taking suggestions and troubleshooting tips for Question 1.....?

Edited August 3, 2007 by Brennen

[Brennen]

Nothing? Nobody?

Ok. Disregard all posts so far except Post #1 / Question #1 and this post.

I have been troubleshooting this for a while now and the closest lead I have so far is this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"AutoShareWKS"=dword:00000001

This is what makes the shares visible -- which even without these keys they are visible by default, but changing the value to "0" makes them disappear. Now I ran a scan with GFILanguard on some of the PC's that work -- and I received a "possible security" issue in the registry. That location being the previously mentioned, stating that it allows Domain Admins unlimited access to the hard drive. So I figured, knowing this key already, perhaps forcing this reg value it into one of the clients that seems to deny access -- perhaps I might get somewhere. Imported / Restarted -- Nothing.

So. That's where I am at. Maybe more ideas will spawn from this...Thanks for everything guys!!

Edited August 8, 2007 by Brennen