File sharing and permissions in Windows XP

The information in this article applies to:

Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Summary

Windows XP allows you to share files and documents with other users on your computer and with other users on a network. Windows XP introduces a new user interface in Windows XP Home Edition and Windows XP Professional, known as Simple File Sharing, which includes a new Shared Documents feature.

This article describes the user interfaces newly introduced in Windows XP, explains how to turn file sharing on and off and how to configure it, and covers troubleshooting of file sharing problems.

Further information
Files on a Windows XP-based computer can be shared with local users of the computer and also with remote users at various different levels of access. The user interface of the "Simple file sharing" function is available in the properties page of a folder. It can be used to set the permissions for the share as well as for the NTFS file system. Local users are users who log on to your computer with their own account or a guest account. Remote users log into your computer over a network and then access the shared files that are stored on your computer.


Access permissions are configured with the "Simple file sharing" function at the folder level and then only apply to the respective folder, all files in this folder, its subfolders, the files in this subfolder, and so on. Files and folders created in or copied to a folder will inherit the permissions set on the parent folder.

This article describes how to configure access to your files with different levels of access. The levels defined in this article are not documented in the operating system or help files. They are documented here for information purposes and in the interest of a better understanding.

Windows XP allows five different levels of permissions. Level 1 is the most confidential and most secure setting, while Level 5 is the most public and easy to change (non-secure) setting. You can configure levels 1, 2, 4, and 5 through the Simple File Sharing feature user interface. To do this, right-click the folder in question, and then click to open the Simple File Sharing feature user interface. To set level 3, copy a file or folder to the "Shared Documents" folder under My Computer. This level is not affected if you then enable or disable Simple File Sharing.


Activate and deactivate "Simple file sharing"

Simple File Sharing is always enabled on computers running Windows XP Home Edition. Windows XP Professional computers that are part of a workgroup have the Simple File Sharing user interface enabled by default. Only the classic user interface for file sharing and security is used on computers with Windows XP Professional that are joined to a domain. Using the user interface of the Simple File Sharing feature (available in a folder's property sheet), you can configure sharing and file permissions alike.

If you turn off Simple File Sharing, you have more control over individual user permissions, but you must have a thorough understanding of NTFS and share permissions to keep your files and folders safe. Turning off the Simple File Sharing feature does not turn off the Shared Documents feature.

To activate or deactivate the "Simple file sharing" function in Windows XP Professional, please proceed as follows:

1. Double-click My Computer on your desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the check box to enable Simple File Sharing (or clear the check box to turn it off).

Access levels

Level 1: My files (private)
Level 2: My files (standard)
Level 3: Files in the Shared Documents folder are available to local users
Level 4: Shared files on the network (read by everyone)
Level 5: Shared files in the network (read and write access for all users)

Notes:

  • For files stored in the "My Documents" folder, level 2 applies by default.
  • Folders with access levels 1, 2, and 3 are only available to users who log on locally.

Note:
Users who log on locally are also users who log on to a Windows XP Professional computer using a Remote Desktop session.

Folders with access levels 4 and 5 are available to both locally logged on users and users who log on from the network.
The following table provides an overview of the various authorizations:

[Image: table1.png (overview table of the permissions; not reproduced here)]


 

Level 1: My files (private)


The owner of the file or folder has read and write permissions. Otherwise nobody may read or overwrite the folder or the files in it. All subfolders of a folder marked as "private" are also private until you change the permissions on the parent folder.


If you are a computer administrator and you set a user password using the User Accounts utility in Control Panel, you will be asked if you want to make your files and folders private.

 

Note:
The option to define a folder as "private" (level 1) is only available for a user account in its own folder "My Documents".


To set level 1 for a folder and all files stored in it, please proceed as follows:

 

1. Right-click the folder, and then click Sharing and Security.
2. Select the Don't share this folder check box, and then click OK.



Local NTFS permissions:

  • Owner: full control
  • System: full control


Permissions for network shares:

  • Not shared


Level 2 (Standard): My Documents (Standard)

The owner of the file or folder and the local computer administrator have read and write permissions. Otherwise nobody may read or overwrite the folder or the files in it. This is the default setting for all folders and files in a user's My Documents folder.

To set level 2 for a folder and all files stored in it, please proceed as follows:

1. Right-click the folder, and then click Sharing and Security.
2. Make sure that the two check boxes Do not share this folder and Share this folder on the network are cleared, and then click OK.

Local NTFS permissions:

  • Owner: full control
  • Administrators: Full Control
  • System: full control


Permissions for network shares:

  • Not shared


Level 3: Files in the Shared Documents folder are available to local users

Files are shared with users who log on locally to the computer. Local computer administrators can read, overwrite, and delete files in the Shared Documents folder. Restricted users can only read the files in the Shared Documents folder. In Windows XP Professional, power users can also read, overwrite, and delete files in the Shared Documents folder. The "Power Users" group is only available in Windows XP Professional. Remote users cannot access level 3 folders or files. In order for remote users to be able to access files, they must be shared on the network (level 4 or 5).

To set level 3 for a file, or for a folder and all the files in it, start Microsoft Windows Explorer and then copy or move the file or folder to the "Shared Documents" folder under "My Computer".

Local NTFS permissions:

  • Owner: full control
  • Administrators: Full Control
  • Power Users: Change
  • Restricted Users: Read
  • System: full control


Permissions for network shares:

  • Not shared


Level 4: Shared on the network (read only)

The files are shared for read access by all users on the network. All local users, including users with a guest account, can read the files, but cannot change their contents. Anyone who can connect to your computer over the network can read and change your files.

To set level 4 for a folder and all files stored in it, please proceed as follows:

1. Right-click the folder, and then click Sharing and Security.
2. Check the box.
3. Clear the Allow network users to modify files check box, and then click OK.

Local NTFS permissions:

  • Owner: full control
  • Administrators: Full Control
  • System: full control
  • Everyone: Read


Permissions for network shares:

  • Everyone: Read


Level 5: Shared on the network (read and write)

This level offers the highest availability and the lowest security of all access levels. Every user (local and remote users) can read, overwrite, change or delete a file that is located in a folder with this access level. This level is only recommended for closed and protected networks in which a firewall has been set up. All local users, including users with a guest account, can read the files and change their contents.

To set level 5 for a folder and all files stored in it, please proceed as follows:

1. Right-click the folder, and then click Sharing and Security.
2. Select the Share this folder on my network check box, and then click OK.

Local NTFS permissions:

  • Owner: full control
  • Administrators: Full Control
  • System: full control
  • Everyone: Change



Permissions for network shares:

  • Everyone: full control

    Note: All NTFS permissions with the definition "Everyone" also apply to the guest account.


All of the access levels described in this article are mutually exclusive. Private folders (level 1) can only be released if they are no longer marked as "private". Shared folders (levels 4 and 5) can only be marked as "private" if they are no longer shared.

If you create a folder in the "Shared Documents" folder (level 3), share it on the network, and then allow network users to change your files (level 5), the level 5 permissions apply to this folder, the files in it and any subfolders. Level 3 continues to apply to the other files and folders in the "Shared Documents" folder.

Note:
The only exception is a folder () that is shared at level 4 and located within a folder () at level 5. Remote users have the correct level of access to each of the shared folders. For locally logged on users, write permissions (level 5) apply equally to the higher-level folder () and the subordinate folder ().


 


Guidelines


It is recommended that you only share those folders within your user profile on the network that remote users need to be able to access on other computers. It is not recommended to share the root folder of your system drive. When you do this, your computer is much more vulnerable to attacks by malicious remote users. Before you can continue, you will be presented with a warning dialog box. Only computer administrators are allowed to share the drive's root folder.


Level 4 or 5 files on read-only media, such as a CD-ROM, are only available when the CD-ROM is in the CD-ROM drive. Any CD-ROM in the CD-ROM drive can be accessed by all users on the network.

 

The permissions for a file can differ from those for the folder in which the file is located if one of the following conditions is true:

 

 

  • You use the Move command from a command prompt to move a file from one folder to another folder on the same drive that has different permissions.
  • You use a script to move a file from one folder to another folder on the same drive that has different permissions.
  • You run the Cacls.exe file from a command prompt or script to change file permissions.
  • Files were already on the hard drive before Windows XP was installed.
  • You changed the permissions on a file while simple file sharing was disabled in Windows XP Professional.

Users with advanced knowledge should note that NTFS permissions are not retained when moving files if you use Windows Explorer to do this with the "Simple file sharing" function activated.
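To find folders whose permissions no longer match any of the five levels (for example after a Cacls.exe change, one of the conditions listed above), the per-level permission lists in this article can be turned into a check. The following Python sketch is an added example, not part of the Knowledge Base article: it parses the output of `cacls <folder>` and compares it, together with the share permissions, against the lists above. The sample output, the account names and the mapping of "Restricted Users" to the Users group are assumptions.

```python
# Expected entries per level, taken from the lists in this article.
# Rights use the letters cacls.exe prints: F = full control, C = change, R = read.
# Assumption: "Restricted Users" corresponds to the built-in Users group.
BASE = {"owner": "F", "system": "F"}
ADMIN = {**BASE, "administrators": "F"}
LEVELS = {
    1: (BASE, {}),
    2: (ADMIN, {}),
    3: ({**ADMIN, "power users": "C", "users": "R"}, {}),
    4: ({**ADMIN, "everyone": "R"}, {"everyone": "R"}),
    5: ({**ADMIN, "everyone": "C"}, {"everyone": "F"}),
}

def parse_cacls(output, path, owner):
    """Turn `cacls <path>` output into {principal: right} for the folder itself."""
    entries = {}
    body = output.strip()
    if body.startswith(path):            # the first line starts with the path
        body = body[len(path):]
    for line in body.splitlines():
        account, sep, flags = line.strip().rpartition(":")
        if not sep or "(IO)" in flags:   # skip blank lines and inherit-only ACEs
            continue
        name = account.split("\\")[-1].lower()   # drop the domain/computer prefix
        if name == owner.lower():
            name = "owner"
        entries[name] = flags[-1]        # last character is the right letter
    return entries

def classify(ntfs, share):
    """Return the article's access level (1-5), or None for a non-standard ACL."""
    for level, (want_ntfs, want_share) in LEVELS.items():
        if ntfs == want_ntfs and share == want_share:
            return level
    return None

# Constructed sample output (not captured from a real machine).
SAMPLE_PATH = r"C:\Data\Reports"
SAMPLE_L5 = r"""C:\Data\Reports PC01\alice:(OI)(CI)F
                BUILTIN\Administrators:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F
                Everyone:(OI)(CI)C
"""
# Same folder after an extra per-user entry was added outside Simple File Sharing.
SAMPLE_EDITED = SAMPLE_L5 + r"                PC01\bob:(OI)(CI)F" + "\n"

if __name__ == "__main__":
    share = {"everyone": "F"}
    for text in (SAMPLE_L5, SAMPLE_EDITED):
        print(classify(parse_cacls(text, SAMPLE_PATH, "alice"), share))
```

A result of `None` means the folder carries entries that the Simple File Sharing interface would not have written and should be reviewed by hand.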

Turning the Simple File Sharing feature on and off does not change the permissions on files. The NTFS and share permissions will not change until you change them in the user interface. If you set permissions with Simple File Sharing turned on, only access control entries for files that are using Simple File Sharing will be affected. Operations in the user interface of the simple file sharing feature affect the following access control entries in the access control list:

  • Owner
  • Administrators
  • Everyone
  • System





Troubleshoot file sharing in Windows XP


Behavior to be expected during an update

A Windows 2000 Professional computer joined to a domain or workgroup that is upgraded to Windows XP Professional remains a member of the domain or workgroup. In addition, the classic user interface for file sharing and security is enabled on such a computer. Such an update will not change NTFS and share permissions.

A Windows NT Workstation computer that is joined to a domain or workgroup and upgraded to Windows XP Professional retains its membership of the domain or workgroup. In addition, the classic user interface for file sharing and security is still enabled on such a computer. The update will not change NTFS and share permissions.

On a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition (Me) computer that uses per-share permissions and is upgraded to Windows XP, Simple File Sharing is enabled by default. Shares that have passwords assigned are removed, and shares with blank passwords remain shared after the upgrade.

A computer running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition (Me) with Share Level Access Control that is joined to a domain, upgraded to Windows XP, and then rejoined to the domain while Setup is running starts with Simple File Sharing turned off.
On a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition (Me) computer that is being upgraded to Windows XP Home Edition, Simple File Sharing is turned on by default.

Known problems


In order for remote users to be able to access files from the network (levels 4 and 5), the Internet Connection Firewall must be deactivated on the network interface through which the remote user is connecting.

For more information, see the following Microsoft Knowledge Base article:
Q298804 Internet Connection Firewall Can Prevent Browsing and File Share.


When Simple File Sharing is enabled, remote administration and registry editing from a remote computer will not work as expected because all remote users authenticate as "guests" and do not have administrator privileges.

If simple file sharing is enabled and you configure specific access control entries for users, remote users are not affected because all remote users authenticate as guests when simple file sharing is enabled.

Remote users may see an "Access Denied" message on a share that they successfully connected to before the hard drive was converted to the NTFS file system. This behavior occurs on Windows XP computers with Simple File Sharing enabled that have been upgraded from Windows 98, Windows 98 Second Edition, or Windows Me. The cause of this behavior is that the default permissions of a hard drive converted to the NTFS file system do not include the Everyone group, which is required for users using the guest account to access files. To correct this behavior, you must first undo the sharing of the affected folders and then share those folders again. This will reset the permissions and allow users to reconnect.
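The last three problems share one cause: with Simple File Sharing enabled, a network logon is evaluated as Guest, and access is the more restrictive of the share and NTFS permissions. The following Python model is an added example, not part of the Knowledge Base article. It is simplified to allow-only entries without group membership, and all ACLs and account names in it are constructed.

```python
RANK = {None: 0, "R": 1, "C": 2, "F": 3}   # no access < read < change < full control

def best_right(acl, identities):
    """Highest right that any of the caller's identities is granted by the ACL."""
    return max((acl.get(i) for i in identities), key=RANK.get, default=None)

def remote_access(ntfs_acl, share_acl, user, simple_file_sharing):
    """Effective right of a network user: the more restrictive of share and NTFS."""
    # With Simple File Sharing on, every remote logon is treated as Guest,
    # so entries that name the real account are never evaluated.
    if simple_file_sharing:
        who = {"guest", "everyone"}
    else:
        who = {user.lower(), "everyone"}
    return min(best_right(share_acl, who), best_right(ntfs_acl, who), key=RANK.get)

# Constructed ACLs. LEVEL4 follows the level 4 list in this article.
LEVEL4 = {"owner": "F", "administrators": "F", "system": "F", "everyone": "R"}
# Level 4 folder with a hand-added entry for one user and a wider share permission.
WITH_USER_ACE = {**LEVEL4, "alice": "F"}
# Drive converted to NTFS after an upgrade: no Everyone entry (as described above).
CONVERTED = {"administrators": "F", "system": "F", "users": "R"}

if __name__ == "__main__":
    # The per-user entry has no effect while remote users authenticate as Guest.
    print(remote_access(WITH_USER_ACE, {"everyone": "F"}, "alice", True))    # R
    print(remote_access(WITH_USER_ACE, {"everyone": "F"}, "alice", False))   # F
    # Share still exists, but NTFS has nothing for Everyone: "Access Denied".
    print(remote_access(CONVERTED, {"everyone": "R"}, "alice", True))        # None
    # Unsharing and sharing again writes the Everyone entry back.
    print(remote_access({**CONVERTED, "everyone": "R"}, {"everyone": "R"}, "alice", True))  # R
```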


Behavior influenced by activating the "Simple file sharing" function

  • The user interface of the Simple File Sharing feature can be used to set permissions for both the share and files.
  • Remote users always authenticate with the guest account. For more information, see the following article in the Microsoft Knowledge Base: Q302927 Computer Management Displays User Account Names When Logged on as Guest
  • Windows Explorer does not retain permissions on files if they are moved within the same NTFS drive. The authorizations are always taken from the respective higher-level folder.
  • On Windows XP Professional computers with Simple File Sharing enabled and on Windows XP Home Edition computers, the Shared Folders (Fsmgmt.msc) and Computer Management (Compmgmt.msc) utilities provide a simplified user interface for sharing and security.
  • In the Shared Folders and Computer Management consoles, the New File Share command is not available when you right-click the Shares icon. In addition, if you right-click a listed share, the Properties and Stop Share commands are not available.

Behavior not influenced by activating the "Simple file sharing" function

  • In Windows XP Home Edition, the Computer Management snap-in does not display the Local Users and Groups node. The Local Users and Groups snap-in cannot be added to a custom snap-in.
  • If you switch off the guest account under User Accounts in the Control Panel, this only affects the guest's ability to log on locally. The account itself is not deactivated.
  • Remote users cannot authenticate using an account with a blank password. This authentication is configured separately.
  • Windows XP Home Edition cannot be joined to a domain; it can only be configured as a member of a workgroup.

For more information, see the following Microsoft Knowledge Base article:
Q303606 Can Log On Without Password by Using Guest Account After Upgrade from Windows 2000


Source: Microsoft Knowledgebase article d304040

This tip comes from www.win-tipps-tweaks.de
© Copyright Michael Hille
