Simple W7 Networking Issue

Mainstay

Background: All computers in a small network exist in a Workgroup running W7 Pro/Ult. All computers have the same username and password (let's call the username: CompanyName).

A simple network folder has been used to share common company data on a promoted workstation as the "server".

No issues to date.

Now: They want to segment out a set of data into a new share that is confidential.

Implementation: I created a new local account on that "server" called "Confidential", logged into that account, and shared that folder ONLY with users "Confidential" using advanced sharing.

I set NTFS permissions w/ owner "Confidential" and users "Confidential" w/ full read/write access.

I then set the username / password combo in >> control userpasswords2 >> advanced >> Manage Passwords >> Add a Windows credential on the local "server" on the original user profile (CompanyName).

Problem: I cannot access this shared folder from the profile "CompanyName". Access denied. Yes, the username and password are entered correctly.

If I add Administrators to the ACL then everyone on the bloody network can access that share.

If I add Local Accounts to the ACL then everyone on the bloody network can access that share.

HELP!: I am losing what is left of my hair here. What am I overlooking?

Also adding to the mix: I don't know whether it is working or not unless I do a reboot of the server + test workstation(s).... all done remotely. argh!

Help us, Technibble, you're our only hope. :confused:

 
If EVERYBODY on a workgroup (non-domain) network has the SAME userid/password, then there's no way to identify individual users and the customer will never be able to accomplish what he's asking. Sharing worked up to now because everybody was allowed to have the same access-type (read-only, r/w, etc). But now the customer is asking to set up a folder that some users can see, but others can't (or some can read but not write, and others can read and write).

I've done this for a number of SMB customers and the first thing is that EACH user must have his own unique userid/password (which must also be defined in the "server"). Multiple users sharing the same userid/password is NOT allowed.

In a nutshell:
1. Define each user's id and password on the server. (I define them as part of the Remote Desktop User group, so they won't appear on the server's logon screen.)
2. For "globally shared" folders (folders that can be accessed by anybody), assign the appropriate sharing permission to the [EVERYBODY] built-in id. (This will allow the specified sharing permission to all userids defined on the server itself.)
3. For non-globally shared folders -- such as confidential folders -- set the permissions by userid. For example, if a folder can be read by Mary and Sally, updated only by John, and nobody else can access it at all: then set sharing for Mary and Sally to read-only, John to full-control, and the default [Everybody] to "denied".

The above assumes you are NOT using HomeGroups!

p.s. I'm assuming that the user has never had a Data Security audit as they would have failed it as soon as the auditor discovered that everybody was using the same userid/password!


Hope this helps.
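
The per-user setup from the steps above, as an added example that is not part of the original post: a batch script for an elevated prompt on the "server", using the built-in `net` and `icacls` commands. The account names (mary, sally, john), the folder path and the share name are assumptions. It leaves Everyone off the ACLs rather than adding an explicit deny entry, because a deny for Everyone also applies to the named users.

```bat
@echo off
rem Added example, not from the thread. Run elevated on the machine hosting the share.
rem Assumed names: accounts mary, sally, john; folder C:\Data\Confidential; share Confidential.
setlocal
set "DIR=C:\Data\Confidential"
set "SHARE=Confidential"

rem Step 1: one local account per person. "*" prompts for the password instead of
rem putting it on the command line. Each person signs in on their workstation with
rem the same name and password so the server can tell the connections apart.
for %%U in (mary sally john) do (
    net user %%U * /add
    rem Group choice follows step 1 of the answer above.
    net localgroup "Remote Desktop Users" %%U /add
)

if not exist "%DIR%" mkdir "%DIR%"

rem Step 3, NTFS side: drop inherited entries so parent-folder grants no longer apply,
rem then grant only the named accounts. (OI)(CI) = applies to files and subfolders.
rem Administrators is deliberately not granted: in the question, adding it opened the
rem folder to everyone, presumably because the shared CompanyName account is an admin.
icacls "%DIR%" /inheritance:r
icacls "%DIR%" /grant:r "SYSTEM:(OI)(CI)F"
icacls "%DIR%" /grant:r "john:(OI)(CI)M"
icacls "%DIR%" /grant:r "mary:(OI)(CI)RX" "sally:(OI)(CI)RX"

rem Step 3, share side: when /GRANT is given, only the listed accounts get share
rem permissions, so no Everyone entry is created on the share.
net share %SHARE%=%DIR% /GRANT:mary,READ /GRANT:sally,READ /GRANT:john,FULL

rem Review the result: neither list should show Everyone, Users or CompanyName.
net share %SHARE%
icacls "%DIR%"
endlocal
```

Effective access is the more restrictive of the share permission and the NTFS permission, so John's FULL on the share is still limited to Modify by the folder ACL.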
 
Thank you @glricht ! I was hoping to avoid this as I don't have remote access to all systems... so will have to arrange a weekend visit to their site (too disruptive during business hours).

p.s. I'm assuming that the user has never had a Data Security audit as they would have failed it as soon as the auditor discovered that everybody was using the same userid/password!

Their company is not one that needs to meet any sort of regulatory conditions... and the situation has sort of evolved / snuck up on them.

But your comments are very much appreciated =)
 