uncommon Workstation Sharing

Hello,

I have a small network which consists of 1 server and 2 XP Pro SP2 and I am
successfully sharing what I need. However problem has just arrived in which
I have not come accross.

All machines including the server are in the same workgroup and I have "My
Documents" from Both PC's targeted on the server.

So when someone saves their documents it is automatically saved to the
server and the mass confusion of duplicate files is minimized.

Problem is:

I want to encrypt the documents via windows but I cannot do this for some
reason.

E.G. If open My Documents from one of the XP machines I can go through the
process of encrypting the document but when I save the changes it gives an
error (The Logon Session is not in a state that is consistant with the
requested operation)

Ok so I decided to logon to the server and Then do the encryption it works
of course, but now I cannot open it from the XP machines.

I want to access the data on the server form the XP machines that are
encrypted.

Thanks for your help in advance

I'm afraid you'll need to setup a small AD domain to do the encryption the
way you want. In a workgroup environment, you can only encrypt documents to
the local machine - part of the encryption key resides in the user account
token which has no meaning beyond the local machine in a workgroup
environment. You can fool it by creating same username/password account on
remote machine but this works for regular shared files not encrypted ones
IIRC.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

Thanks very much Tom for your reply,

I have already done the "fooling" I forgot to tell you before.

Can you direct me to a KB article or website to get this done please?


Thanks Very Much

Joe

"Todd J Heron" wrote:

> I'm afraid you'll need to setup a small AD domain to do the encryption the
> way you want. In a workgroup environment, you can only encrypt documents to
> the local machine - part of the encryption key resides in the user account
> token which has no meaning beyond the local machine in a workgroup
> environment. You can fool it by creating same username/password account on
> remote machine but this works for regular shared files not encrypted ones
> IIRC.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>
>

But do you have Active Directory or not?

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

Hello Todd,

Yes, I have Server 2003 Enterptise but it ia not a DC at this time Just web
and mail and Workgroup with TS installed.

Sorry this does help to say my OS.

Thanks
Joe

"Todd J Heron" wrote:

> But do you have Active Directory or not?
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>
>

You'll need to promote that server to an Active Directory DC to leverage the
use of users encrypting files on machines other than the local workstation,
unless you go with a third-party solution. Such as Entrust, for example.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

Hello Todd,

I have been reading up on this Active Directory and I have a question about
the DNS part. I see that DNA is going to be installed with Domain Controller
anyhow if it is not already.

My concern is this DNS going to be seen publically? My server is serving 5
websites now. HOw do I just use this DNS locally?

Thanks very Much
Joe

"Todd J Heron" wrote:

> But do you have Active Directory or not?
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>
>

Put the server behind a router/firewall and forward just tcp port 80 to the
machine. The server must point to itself only for it's preferred DNS server
under TCP/IP properties of the network adapter. All internal AD domain
clients must point only to the AD/DNS server for their preferred DNS server.
On your DNS server, in the DNS MMC, add a Forwarder (which is the IP address
of your ISP's DNS server). This way, only your internal clients will be
using (and "see") your DNS. No one from the outside will.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.

Thanks Todd for your reply,

I began the Configure your server wizard and saw that the forwarder was
asked for.
Since I was unsure of this I cancelled my install and waited for your
reply.(Good Thing)

I also saw the server recommending I use the .local extension so I chose this?

So as your are saying here I need to point the server to itself
e.g preffered should be what IP or netbios name?

I see this can't be done not being behind a router. Correct? I only have a
public IP.

I might be a little off track here can you get me on this because I can't
put this behind a router right now.

Thanks
Joe

"Todd J Heron" wrote:

> Put the server behind a router/firewall and forward just tcp port 80 to the
> machine. The server must point to itself only for it's preferred DNS server
> under TCP/IP properties of the network adapter. All internal AD domain
> clients must point only to the AD/DNS server for their preferred DNS server.
> On your DNS server, in the DNS MMC, add a Forwarder (which is the IP address
> of your ISP's DNS server). This way, only your internal clients will be
> using (and "see") your DNS. No one from the outside will.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights.
>
>

You may use .local for your internal domain name. Microsoft used to
recommend that, they don't currently but there's nothing wrong with it for
small implementations like yours.

Under the network adapter TCP/IP properties point the server to itself for
it's preferred DNS server. This is an absolute must for AD (actually it can
point to another DNS server supporting the same AD but for you just go ahead
and point it to itself). The preferred DNS server IP should be either be
the IP address of the server itself i.e. 192.168.0.1. Even 127.0.0.1 will
work on Windows Server 2003.

Best to do this *behind* a router. Let the malicious Internet traffic
bounce off a hardware router rather then a NIC of an AD server.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights.