User Level Access Control -- Win 98 & XP (Follow up)

In an earlier post, I wrote:

I have a small network consisting of three machines and a Linksys Router.
Two Machines, a Dell Dimension and Dell Latitude are running Win98 SE and
the Third, a Carillon is running XP Pro. All Three machines are present in
Network Neighborhood on each machine and can. User Level Access Control is
implemented on all the machines and all three supposedly obtain the list of
authorized users from the Carillon running XP. The Dimension and Carillon
can communicate with no problem, sharing resources etc. However, the
Latitude is another story. Though it appears in Network Neighborhood on the
other two machines, neither can access its resources because the Latitude
will not retrieve the list of authorized users. Whenever the attempt to add
authorized users to any share on the Latitude is made, I get the error
message "You Cannot view the list of users at this time. Please try later."
MS Knowledge base does have an article dealing with that error, but it is of
no help. From my reading I have about concluded that the problem has
something to do with MAPI but I can neither find a workaround or a
resolution. As well, when I try to map a drive on one of the other computers
to the Latitude, I get a message to the effect the share cannot be found. I
have gone so far as to reinstall windows on the Latitude, but no change.
If any of you have any idea as to what I can do to make things work, I would
certainly appreciate hearing from you.

-------------------------
Steve Winograd replied:

To the best of my knowledge, it isn't possible to use User Level Access
Control on a Windows 98/XP network. That requires a server operating system
to maintain the user list, and both 98 and XP are client operating systems.

------------------------

Microsoft Windows XP Inside Out in Cahpter 31 at Page 947 says:

Windows XP, by contrast, always uses user-level access control, which means
each shared resource allows access only by specified user accounts. To gain
access to a shared resource over the network, a user must log on using an
account that has access to the share.
You cannot set a password for a particular folder or printer in Windows XP;
all access is controlled by permissions granted to specified users.

------------------------

I am not sure whethr Steve and I are talking about the same thing. If we
are, his reply would indicate peer to peer networking between Win 98 and XP
machines is not possible. One of the 98 machines in my network does interact
with the XP machine just fine.

If any of you have any other suggestions as to how I can get the Latitude to
access the list of authorized users on the XP machine, or of any literature
that might help me, I will certainly appreciate it.

Thank You

_DAVID R. WARNER, JR.

In article <(E-Mail Removed)>, "David R. Warner,
Jr." <(E-Mail Removed)> wrote:
>In an earlier post, I wrote:
>
>I have a small network consisting of three machines and a Linksys Router.
>Two Machines, a Dell Dimension and Dell Latitude are running Win98 SE and
>the Third, a Carillon is running XP Pro. All Three machines are present in
>Network Neighborhood on each machine and can. User Level Access Control is
>implemented on all the machines and all three supposedly obtain the list of
>authorized users from the Carillon running XP. The Dimension and Carillon
>can communicate with no problem, sharing resources etc. However, the
>Latitude is another story. Though it appears in Network Neighborhood on the
>other two machines, neither can access its resources because the Latitude
>will not retrieve the list of authorized users. Whenever the attempt to add
>authorized users to any share on the Latitude is made, I get the error
>message "You Cannot view the list of users at this time. Please try later."
>MS Knowledge base does have an article dealing with that error, but it is of
>no help. From my reading I have about concluded that the problem has
>something to do with MAPI but I can neither find a workaround or a
>resolution. As well, when I try to map a drive on one of the other computers
>to the Latitude, I get a message to the effect the share cannot be found. I
>have gone so far as to reinstall windows on the Latitude, but no change.
>If any of you have any idea as to what I can do to make things work, I would
>certainly appreciate hearing from you.
>
>-------------------------
>Steve Winograd replied:
>
>To the best of my knowledge, it isn't possible to use User Level Access
>Control on a Windows 98/XP network. That requires a server operating system
>to maintain the user list, and both 98 and XP are client operating systems.
>
>------------------------
>
>Microsoft Windows XP Inside Out in Cahpter 31 at Page 947 says:
>
>Windows XP, by contrast, always uses user-level access control, which means
>each shared resource allows access only by specified user accounts. To gain
>access to a shared resource over the network, a user must log on using an
>account that has access to the share.
>You cannot set a password for a particular folder or printer in Windows XP;
>all access is controlled by permissions granted to specified users.
>
>------------------------
>
>I am not sure whethr Steve and I are talking about the same thing. If we
>are, his reply would indicate peer to peer networking between Win 98 and XP
>machines is not possible. One of the 98 machines in my network does interact
>with the XP machine just fine.
>
>If any of you have any other suggestions as to how I can get the Latitude to
>access the list of authorized users on the XP machine, or of any literature
>that might help me, I will certainly appreciate it.
>
>Thank You
>
>_DAVID R. WARNER, JR.

Hi, David. The excerpt from the Windows XP Inside Out book is not
accurate.

Windows XP Home Edition always allows access to its shared resources
by all users on all computers. By default, Windows XP Professional
allows access to its shared resources by all users on all computers in
a peer-to-peer network.

With Windows XP Professional, you can disable "simple file sharing"
and control access to shared resources based on user names. Ron Lowe
and I have written a web site with details:

Windows XP Professional File Sharing
http://www.practicallynetworked.com/...ring/index.htm

However, to the best of my knowledge, that's not "user-level access
control" in the way that Windows 98 defines the term. Windows XP
Professional validates user access locally. To gain access, a user on
another computer must also have a matching account (same user name and
password) on the XP Professional computer. XP Professional doesn't
maintain a list of all valid network users, and it can't provide such
a list to another computer when another computer requests access.

Peer-to-peer networking works fine between Windows 98 and Windows XP
when you specify share-level user access on Windows 98.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Hi, David. The excerpt from the Windows XP Inside Out book is not
> accurate.
>

Steve, as the author of that book, I have to disagree with you. We said:

>Windows XP, by contrast, always uses user-level access control, which means
>each shared resource allows access only by specified user accounts. To gain
>access to a shared resource over the network, a user must log on using an
>account that has access to the share.

XP assigns security on the basis of user accounts. The default setting uses
Simple File Sharing, which assigns security based on the Guest account. By
default, network access to the Guest account is disabled and can be turned
on by running the Network Setup Wizard. When you run this wizard, network
access is enabled, and any access by any user goes through the Guest
account, which allows everyone access. The name and password that the user
logged on with are ignored. But XP is still using a user account - in this
case the Guest account - to manage access.

If you disable Simple File Sharing, then you can assign more granular
permissions to users and groups. In this case, the user's logon credentials
are used to verify network access, which makes it more obvious that
user-level security is in force. However, in both cases, access to the XP
network share is based on user accounts. This is in contrast to Windows 98,
which allows access to shared resources based on the password(s) assigned to
that resource. Any user can access the shared resource by simply typing the
password.

Your Web site does an excellent job of explaining these complex issues. So
does our book.

Ed Bott
co-author, Windows XP Inside Out

In article <e$(E-Mail Removed)>, "Ed Bott"
<(E-Mail Removed)> wrote:
>"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>>> Hi, David. The excerpt from the Windows XP Inside Out book is not
>> accurate.
>
>Steve, as the author of that book, I have to disagree with you. We said:
>
>>Windows XP, by contrast, always uses user-level access control, which means
>>each shared resource allows access only by specified user accounts. To gain
>>access to a shared resource over the network, a user must log on using an
>>account that has access to the share.
>
>XP assigns security on the basis of user accounts. The default setting uses
>Simple File Sharing, which assigns security based on the Guest account. By
>default, network access to the Guest account is disabled and can be turned
>on by running the Network Setup Wizard. When you run this wizard, network
>access is enabled, and any access by any user goes through the Guest
>account, which allows everyone access. The name and password that the user
>logged on with are ignored. But XP is still using a user account - in this
>case the Guest account - to manage access.
>
>If you disable Simple File Sharing, then you can assign more granular
>permissions to users and groups. In this case, the user's logon credentials
>are used to verify network access, which makes it more obvious that
>user-level security is in force. However, in both cases, access to the XP
>network share is based on user accounts. This is in contrast to Windows 98,
>which allows access to shared resources based on the password(s) assigned to
>that resource. Any user can access the shared resource by simply typing the
>password.
>
>Your Web site does an excellent job of explaining these complex issues. So
>does our book.
>
>Ed Bott
>co-author, Windows XP Inside Out

Ed, I agree completely with your description of XP network security
above, and I've never seen it stated more clearly or succinctly.

I should have said that the excerpt that David gave was "incomplete",
not "inaccurate". That's the nature of excerpts, and I didn't have
your complete book for reference.

However, David's question was about specifying "user level access
control" on a Windows 98 computer in a 98/XP network. I said:

To the best of my knowledge, it isn't possible to use User Level
Access Control on a Windows 98/XP network. That requires a server
operating system to maintain the user list, and both 98 and XP are
client operating systems.

I stand by that statement. In my experience, neither XP Home Edition
nor XP Professional can provide the user list required by a Windows 98
computer that's configured for "user level access control". You can
specify the name of an XP computer in the "Obtain list of users and
groups from" box on 98, but all attempts to obtain the list of users
when creating a shared disk or folder on 98 fail, with the message
"You cannot view the list of users at this time. Please try again
later."

So, while XP controls network access to its own shared resources based
on user names, I say that it doesn't provide "user level access
control" in the way that Windows 98 uses that term. In a Windows
98/XP network, the 98 computer must be configured for "share level
access control".
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional - Windows Networking
http://mvp.support.microsoft.com

Steve Winograd's Networking FAQ
http://www.bcmaven.com/networking/faq.htm

"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Ed, I agree completely with your description of XP network security
> above, and I've never seen it stated more clearly or succinctly.
>
Thank you!

> However, David's question was about specifying "user level access
> control" on a Windows 98 computer in a 98/XP network. I said:
>
> To the best of my knowledge, it isn't possible to use User Level
> Access Control on a Windows 98/XP network. That requires a server
> operating system to maintain the user list, and both 98 and XP are
> client operating systems.
>
Actually, it requires more than jsut a server OS. You need a security
database from a Windows domain. This is not an XP issue. The procedure fails
with the same error message when using Windows 2000 (Professional and
Server) and Windows Server 2003 as well. Even with a server OS, the 9X
machine must connect to a domain controller to get the security database.

> I stand by that statement. In my experience, neither XP Home Edition
> nor XP Professional can provide the user list required by a Windows 98
> computer that's configured for "user level access control". You can
> specify the name of an XP computer in the "Obtain list of users and
> groups from" box on 98, but all attempts to obtain the list of users
> when creating a shared disk or folder on 98 fail, with the message
> "You cannot view the list of users at this time. Please try again
> later."
>
This is correct but incomplete. Using a Windows 98 SE box here, I get the
same error message when I specify the name of any computer that is not a
Windows 2000 or Windows 2003 server running as a domain controller. I have a
hazy memory that NT4 workstation was able to perform this function, but I
don't have test boxes to confirm that.

> So, while XP controls network access to its own shared resources based
> on user names, I say that it doesn't provide "user level access
> control" in the way that Windows 98 uses that term.

This is correct when referring to Windows XP Home Edition but not when
referring to Windows XP Professional with Simple File Sharing disabled. See
my summary below.

> In a Windows 98/XP network, the 98 computer must be configured
> for "share level access control".

This is true on a network that contains ONLY Windows 98 and XP computers.
However, if you add a computer that is a Windows domain controller (or of
you have a Netware server on the network) it can provide a security database
that can be employed for user-level security.

The label "user level" or "share level" access control refers to the client
computer on which the shared resources are located. Let's try this summary
and see if it helps:

* Share level access control allows the user to specify one or two passwords
that allow network access to a shared resource. In its default
configuration, Windows 9X/Me uses this feature. No version of Windows XP
allows share level access control.

* On Windows XP Home Edition, Simple File Sharing cannot be disabled. All
access to shared network resources is through the Guest account. A computer
running Windows XP Home Edition cannot join a Windows domain (although it
can access shared resources if the user provides a valid username/password
when connecting to that resource). Thus, although this OS technically
provides user-level access control, the list of allowed users contains only
one account, the Guest account, and this list cannot be modified.

* On Windows XP Professional, Simple File Sharing can be disabled. This is
done automatically if the machine joins a Windows domain. In this
configuration, the OS provides user-level access control and the user can
specify granular access controls for each resource (users and groups). The
user-level access control list can come from the local computer or from a
Windows domain.

* Windows 9X/Me allows the user to specify user-level access to shared
resources, but only if a Windows domain-based user list is available. If the
user specifies the name of a machine running Windows 2000, Windows XP, or
Windows Server 2003 that is not configured to be a domain controller, the
configuration will appear to be successful, but any attempt to share a
resource will fail with the error message that the user list cannot be
viewed.

Ed

In article <#(E-Mail Removed)>, "Ed Bott"
<(E-Mail Removed)> wrote:>
>"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> Ed, I agree completely with your description of XP network security
>> above, and I've never seen it stated more clearly or succinctly.
>>
>Thank you!
>
>> However, David's question was about specifying "user level access
>> control" on a Windows 98 computer in a 98/XP network. I said:
>>
>> To the best of my knowledge, it isn't possible to use User Level
>> Access Control on a Windows 98/XP network. That requires a server
>> operating system to maintain the user list, and both 98 and XP are
>> client operating systems.
>>
>Actually, it requires more than jsut a server OS. You need a security
>database from a Windows domain. This is not an XP issue. The procedure fails
>with the same error message when using Windows 2000 (Professional and
>Server) and Windows Server 2003 as well. Even with a server OS, the 9X
>machine must connect to a domain controller to get the security database.
>
>> I stand by that statement. In my experience, neither XP Home Edition
>> nor XP Professional can provide the user list required by a Windows 98
>> computer that's configured for "user level access control". You can
>> specify the name of an XP computer in the "Obtain list of users and
>> groups from" box on 98, but all attempts to obtain the list of users
>> when creating a shared disk or folder on 98 fail, with the message
>> "You cannot view the list of users at this time. Please try again
>> later."
>>
>This is correct but incomplete. Using a Windows 98 SE box here, I get the
>same error message when I specify the name of any computer that is not a
>Windows 2000 or Windows 2003 server running as a domain controller. I have a
>hazy memory that NT4 workstation was able to perform this function, but I
>don't have test boxes to confirm that.
>
>> So, while XP controls network access to its own shared resources based
>> on user names, I say that it doesn't provide "user level access
>> control" in the way that Windows 98 uses that term.
>
>This is correct when referring to Windows XP Home Edition but not when
>referring to Windows XP Professional with Simple File Sharing disabled. See
>my summary below.
>
>> In a Windows 98/XP network, the 98 computer must be configured
>> for "share level access control".
>
>This is true on a network that contains ONLY Windows 98 and XP computers.
>However, if you add a computer that is a Windows domain controller (or of
>you have a Netware server on the network) it can provide a security database
>that can be employed for user-level security.
>
> The label "user level" or "share level" access control refers to the client
>computer on which the shared resources are located. Let's try this summary
>and see if it helps:
>
>* Share level access control allows the user to specify one or two passwords
>that allow network access to a shared resource. In its default
>configuration, Windows 9X/Me uses this feature. No version of Windows XP
>allows share level access control.
>
>* On Windows XP Home Edition, Simple File Sharing cannot be disabled. All
>access to shared network resources is through the Guest account. A computer
>running Windows XP Home Edition cannot join a Windows domain (although it
>can access shared resources if the user provides a valid username/password
>when connecting to that resource). Thus, although this OS technically
>provides user-level access control, the list of allowed users contains only
>one account, the Guest account, and this list cannot be modified.
>
>* On Windows XP Professional, Simple File Sharing can be disabled. This is
>done automatically if the machine joins a Windows domain. In this
>configuration, the OS provides user-level access control and the user can
>specify granular access controls for each resource (users and groups). The
>user-level access control list can come from the local computer or from a
>Windows domain.
>
>* Windows 9X/Me allows the user to specify user-level access to shared
>resources, but only if a Windows domain-based user list is available. If the
>user specifies the name of a machine running Windows 2000, Windows XP, or
>Windows Server 2003 that is not configured to be a domain controller, the
>configuration will appear to be successful, but any attempt to share a
>resource will fail with the error message that the user list cannot be
>viewed.
>
>Ed

Once again, you've made your points clearly and succinctly, Ed, and I
agree with what you say 99.44%. Have you written a book specifically
about networking? I'm sure that I'd benefit from reading it.

However, I still say that Windows XP doesn't provide "user level
access control" in the way that Windows 98 uses that term, regardless
of whether it's XP Home or Pro, and regardless of whether Simple File
Sharing is enabled or disabled. In Windows 98, "user level access
control" implies the presence of a security provider that can supply
the user list. As you've said, that requires a properly configured
domain controller or Netware server.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional - Windows Networking
http://mvp.support.microsoft.com

Steve Winograd's Networking FAQ
http://www.bcmaven.com/networking/faq.htm

"Steve Winograd [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Once again, you've made your points clearly and succinctly, Ed, and I
> agree with what you say 99.44%. Have you written a book specifically
> about networking? I'm sure that I'd benefit from reading it.
>
Thanks for those very kind words. I haven't written a networking book per
se, although we have pretty good coverage in Windows XP Inside Out and also
in Windows Security Inside Out.

> However, I still say that Windows XP doesn't provide "user level
> access control" in the way that Windows 98 uses that term, regardless
> of whether it's XP Home or Pro, and regardless of whether Simple File
> Sharing is enabled or disabled. In Windows 98, "user level access
> control" implies the presence of a security provider that can supply
> the user list. As you've said, that requires a properly configured
> domain controller or Netware server.

We're almost in full agreement. Actually (as I think I noted earlier in
this thread), Windows XP Pro with Simple File Sharing disabled is almost
identical to the Windows 98 user-level access control, with no domain
controller required.

If you install XP Pro and disable SFS, then go to share a folder, you click
a Permissions button that leads to a dialog box showing full control for the
Everyone group. If you click the Add button, you see a list of all users
defined in the current machine's user database. You can assign permissions
individually to those users and groups. If you've joined a domain, the list
of users is drawn from the domain database. Either way, the effect is
exactly the same as the Win98 scenario, even though the user interfaces are
a little different. Try it, and I think you'll agree.

So, to close the loop... On a network containing only Windows 98 and Windows
XP computers (no domain controller), user-level access control is
unsupported on the Windows 98 or Windows XP Home Edition machines but is
available on the XP Pro boxes if SFS is disabled.

Ed