The (common) question:
- How can one access network share on workgroup computer?
usually has the (common) answer:
- One should add ("the same") local account with the same username and password on all interacting (accessing) computers
Don't all Windows versions have the common built-in user and group accounts with well-known security identifiers?
Cannot these built-in accounts be used for this?
Edit1 (Added later) on domain context:
Let's say that I want to share files from a workgroup computer.
Either to
(1) workgroup computers,
or to
(2) computers joined to a domain.
Is there any difference between (1) and (2)?
If there is no difference, then it is better to avoid diverting the discussion/consideration to domain computers.
Edit2 (Added later) on security:
Workgroup computers lack security at large, whether accounts are added or not.
I do not see any security improvement from adding accounts.
So, the question is: WHY to add accounts?
Edit3 (Further Questions), 8/4/2010:
Ok, I simply do not have space in comments.
Hi, laurent-rpnet!
I did not quite understand "only one Domain account for all machines in the Domain".
The question is about sharing files on a workgroup computer and accessing them from workgroup computers (aka non-joined-to-domain computers, which cannot be part of a domain as long as they are in a workgroup).
1) Is it possible to share files on a workgroup (aka non-joined-to-domain) computer with a domain (or LDAP, or ADAM) account?
2) Is it possible to access files shared with domain-account permissions from a workgroup (non-joined-to-domain) computer (again, using a domain account)?
I asked this earlier in other forums and I understood the possibility as negative/impossible.
Edit4, viii/6/2010:
It happened that I cannot mark more than 1 answer, and I really do care more about my own understanding + practical conveniences than stating to the world what is correct or wrong (answers and attitudes). That should be simple for sysadmins, having access to resources (including domain administration), but I am a developer, i.e. my context is workgroup (in order to fully administrate) + access to a domain (in which I have NO access to administration).
Hi, laurent-rpnet!
I also understood your answer 2) to my Edit3 as a possibility of sharing files/folders from a workgroup computer to domain accounts by creating on the workgroup computer users coinciding by username+password with those of the domain users.
Correct?
Assuming that you're logging on with the same built-in user (say "Administrator") with the same password on all your machines in the "workgroup", you certainly can use the built-in "Administrator" user, "Administrators" group, and other built-in groups to transparently authenticate to remote computers in the "workgroup". If you use a different password, though, authentication won't be transparent: users will be prompted for credentials when they access remote computers.
The problem with only using the built-in users and groups is that there isn't a built-in "standard user" account ("Guest" is special, too) and using "Administrator" is often sub-optimal. As a result, you end up needing to create additional user accounts, which aren't built-in, almost immediately.
Edit:
Using multiple user accounts on workgroup PCs when an individual PC is shared by multiple users is nice because they get separate user profiles. It has nothing to do with security but it's nice.
If you're adding user accounts to workgroup PCs that are members of the "Administrators" group, then using individual user accounts is completely needless.
If you're not doing any shared resources on a peer-to-peer basis then creating individual user accounts on the workgroup PCs is probably also needless.
On the other hand, if you limit the users' ability to boot another OS, physically disassemble the computer, and give them non-Administrator accounts on the workgroup PCs then, in theory, you can have security for shared resources hosted on peer-to-peer networks. The NTFS ACLs on the files stored on the hard disk drives of the workgroup PCs will apply and, provided the user can't subvert the trusted computing base in some way, you'll actually have a pretty decent measure of peer-to-peer security (albeit at the expense of cumbersome manual credential synchronization issues).
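As an added example (not part of Evan Anderson's answer), the setup the previous paragraph describes, a non-Administrator local account plus an NTFS ACL on the shared folder, written as a PowerShell script. It assumes an elevated prompt on Windows 10/11 or Server 2016+ (LocalAccounts and SmbShare modules present); `$UserName`, `$SharePath` and `$ShareName` are placeholders, and the same script with the same username and password must be run on every PC that should authenticate transparently.

```powershell
# Added example, not from the original answer. Provision a matching standard (non-admin)
# local account on a workgroup PC and share a folder whose access is decided by its NTFS ACL.
param(
    [string]$UserName  = 'shareuser',           # placeholder; must match on every PC
    [string]$SharePath = 'C:\Shares\Projects',  # placeholder
    [string]$ShareName = 'Projects'             # placeholder
)

# Prompt for the password so it never lands in the script file or the shell history.
$password = Read-Host -Prompt "Password for $UserName (use the same on all PCs)" -AsSecureString

# 1. Create the account as a standard user; deliberately NOT added to Administrators.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $password -PasswordNeverExpires `
        -Description 'Workgroup file-share account' | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue

# 2. Create the folder and grant the account Modify (not Full Control) via the NTFS ACL,
#    inherited by subfolders and files.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $UserName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Publish the share. Share-level permission is Full Control for this one account only,
#    so the more granular NTFS ACL above is the effective limit (the two are ANDed).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $UserName | Out-Null
}

# 4. Verify the two security-relevant properties: not an administrator, ACL entry present.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$UserName" }
if ($isAdmin) { Write-Warning "$UserName is in Administrators; remove it to keep least privilege." }
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference -like "*\$UserName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

If the password differs on any PC, access from that PC falls back to a credential prompt, exactly the non-transparent case the answer describes.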
The Well-Known Security Identifiers are not users but groups, and you can't log in as a group. As Evan Anderson said, the only built-in users on all Windows versions are Administrator and Guest. The only way to avoid creating identical users on all the machines is to use Administrator or to build a DOMAIN, but you'll need one Windows server (or a Linux/Samba/LDAP machine) and your other Windows versions cannot be HOME (HOME editions do not connect to a DOMAIN).
Adding a second answer to comments 1 and 2:
1) yes there is a difference and the difference is the point of the discussion.
If you share files on a workgroup computer, they have access permissions to account(s) or group(s).
If you don't have a Domain, the accounts are local to the machine, so each user will need an account on the sharing machine; even if you use groups, you can only add local accounts to the group.
If you have a Domain, the accounts and groups are global to the Domain, so you don't need an account on the local machine sharing the files, only one Domain account for all machines in the Domain. The difference is that a Domain is a central authentication system (one server for all users on all machines) and a Workgroup is a local authentication system (each machine has its own users, which can be different). When you want to access a Workgroup machine, your computer sends its credentials (the login/password you used) and they have to be the same as the ones existing on the remote machine for your connection to be accepted. On a Domain they are always the same, as they are "checked by the server" and not by the local machine.
2) Nothing prevents you from using the same login on all computers and for all users, but you can't use Windows without an account (or any modern OS I know). When you install it, it already has an account (and it's an Admin account). If you have only one user and no password, Windows won't ask for user/password and will log in by itself, but it will still use the account.
With accounts you can have security if you use it, like making users' files private, using limited accounts instead of the Admin account used by Windows (with admin, a virus or a bad user has access to your whole computer AND network if you have the same account on all machines), and each account has its own Outlook configuration, not all users in the same inbox.
You can also use the windows account to access remote software like a database server for example without the user having to login. If you have the same account for all, all will have the same rights on the database.
Last but not least, to prevent a visitor from using the machine as an Admin.
These are the reasons that came to my mind while writing but I'm sure there are a lot more.
Comments on Edit 3 from OP (lack of space... :))
"only one Domain account for all machines in the Domain" was part of the answer to your Comment 1 asking if there were differences between sharing a folder to a workgroup or to a domain machine, so that if not we could leave the domain out of the discussion.
Now, on Edit 3: for 1): the common answer from the beginning (as always): yes, if you make an account with the same login/password on the workgroup computer as the LDAP account. I use this every day from a Linux machine joined to OpenLDAP on a Linux server, accessing files and a printer shared on an XP Home standalone machine (this is the only way, as XP Home won't enter a Domain).
2): the situation is not possible; you can't use a domain account on a machine not joined to a domain. What you can do is, again, make an account on the workgroup machine with the same login/password as a domain account, and yes, you'll access the files on a domain share with domain group permissions if the domain account you have "replicated" on your machine is in the right groups, even if your machine is not on the domain. I had this situation some years ago: I had a notebook and didn't want to change config every time I was logging in, so I had the same login as my domain account on the notebook and was using it with a normal login (no domain) to connect to the network, and it was working exactly like the desktop connected to the domain.
What I am saying in the whole thing is that the common answer is perfectly right: you have only 3 possibilities if you want to make a "real" network (as opposed to simple networks like internet connection sharing, for example):