File Sharing - excluding certain users

[WarMechTU]

I have a 7 computer peer-to-peer network and next week an outside consultant is going to connect to one of the computers with "Remote Desktop Connection" so he can use some software we have. We have a file share where we have all our client files - they are shared and I have the permissions set as EVERYONE can read/write.

I want to block him from reading/writing my client directory. When I try to modify the "permissions", I cannot see any location but the computer - I can't see user names of any other members or see the workgroup computer.

I see that there is a generic NETWORK group name that refers to everyone on the network, I don't want to block everyone, I want to block him.

If you can think of the answer or maybe a different answer on how we can JUST give him access to the program and nothing else, I'd be forever in your debt

 

[ktwebb]

NTFS? Remove Everyone on the NTFS permission security tab and add all your users to a local group on that machine with the share. Give only that group access to the resource. You can do this on a shared resource as well as local volumes/drives/folders.

 

[Nothinman]

I cannot see any location but the computer - I can't see user names of any other members or see the workgroup computer.

Of course you can't, you can't use usernames from other machines, or your situation you'll have to create him an account on the machine with the shares and give that account rights. You would need a proper domain setup and have all of the clients joined to the domain and have the username's in the domain to use them in permissions on local machines. And you're not supposed to do that anyway, global users go in global groups, global groups go in local groups, local groups go in ACLs. Otherwise management of the ACLs becomes a real nightmare.

 

[PowerEngineer]

Originally posted by: Nothinman

I cannot see any location but the computer - I can't see user names of any other members or see the workgroup computer.

Of course you can't, you can't use usernames from other machines, or your situation you'll have to create him an account on the machine with the shares and give that account rights. You would need a proper domain setup and have all of the clients joined to the domain and have the username's in the domain to use them in permissions on local machines. And you're not supposed to do that anyway, global users go in global groups, global groups go in local groups, local groups go in ACLs. Otherwise management of the ACLs becomes a real nightmare.

I believe the key comment is that you "need a proper domain", which I gather you don't have right now.

A workgroup allows you to see and share printers and files between computers in that same workgroup, but the user accounts are specific to each machine. Even if you go to the trouble of adding identically named user accounts on each machine, the accounts are not seen as being the same when dealing with folder security (perhaps akin to having the same street address but in different towns). The special permission like "network" and "everyone" allow access to all comers. You need a domain and therfore a domain server running Windows server software to do what you want to do. At least that's what I've come to believe after banging my novice head against that permission brick wall over and over again...