deny permission to a folder doesn't seem to function for a WiFi network
I develop "task specific" software, so ignoring IT fundamentals with respect to file sharing usually comes back to haunt me. I'm running Windows 2008R2 Standard on an HP Proliant ML350 G6 server (non-domain). The network hardware is WiFi. The network is private. User accounts are set up for Windows Authentication.

I can share files easily as long as the "Everyone" account is added; however, "right clicking" and selecting "Share with -> Specific People" does not allow the selected client with a user account to share the file on the network (access is denied). It makes no sense to me that the client could be recognized by Windows Authentication in the "Everyone" account but not "Share With". It would seem to the casual observer that Windows Server would have some recognition of the client or the "Everyone" account should deny service.

I decided to "go with the flow" and just deny permissions to those in the "Everyone" account for certain folders that are restricted. When I "edit" all other people in the "Everyone" account and select "deny", they can still see the files and operate on them! What am I doing wrong? It is as if Windows considers all users who pass the router to be a "trusted user" even though the file share permission was marked as deny.

(As a side note, SQL 2008R2 does seem to discriminate whether the user is authenticated or not. Adding or removing clients to the SQL role does cause proper Windows Authentication / denial. I realize these are different systems; however, to the casual observer, the expectation should be the same for file sharing: adding or removing users and/or groups should authenticate or deny respectively.)
September 13th, 2011 8:56am

Hi,

The problem you encountered is odd. To allow a user to access a shared resource, you need to configure both Share and NTFS permissions. I would like to suggest you perform the following steps to troubleshoot it:

Suggestion 1: Disable User Account Controller (UAC) temporarily to test the result.
Suggestion 2: Test the issue in Safe Mode.
Suggestion 3: Test the issue in Clean Boot. For the detailed steps, please refer to the following Microsoft KB article: How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7 http://support.microsoft.com/kb/929135

What are the results?

Regards,

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 15th, 2011 11:09am

What are the Share Permissions? And are you trying to be granular with permissions within the same Share? When you say you removed the users from "Everyone", what do you mean?
September 15th, 2011 12:03pm

I meant to say that unless I selected the "Everyone" object, nothing gets shared. If I added a specific user but set the permissions to "deny", Windows still allows that user access.
September 15th, 2011 12:37pm

It would be interesting to have the user from a workstation open a file, then look to see who Windows thinks has that file open.
September 15th, 2011 6:16pm

Hi,

I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

Regards,
September 19th, 2011 1:35am

Thank you for your kind reply. I had been attacked by vb.gen earlier in the year and thought this might be related. Nothing has changed. I tried UAC, Safe Mode (with networking?), and Clean Boot (ridiculous on an HP Server!). I have user accounts with matching passwords for each user and have never actively set out to apply a domain. Disk Management from Server Manager reports that my C: is NTFS.

It seems as if I have DNS running that is confusing? The event log states that there is no DNS name; however, I don't wish to run anything "domain related" to keep the "surface area" exposure to the SQL Database low. (I became concerned there still is another DNS in the registry left over from the vb.gen trojan, but this may be over my head to resolve.) Nevertheless, I followed the help suggestion from this error report that suggests going to the control panel and adding the workgroup name (again). Of course, no effect with respect to granting only an individual rights to a specific folder. Oddly enough, I cleared the log, but the error keeps returning. Computer name is EADB. Workgroup is Evans. Nothing else should be required if I understand the literature correctly.

Usually, such an odd behavior is simple. Without "Everyone" in the Share and NTFS permissions for "Users" in "Share and Storage Management", access is denied to anyone. With "Everyone" added to "Users" in "Share and Storage Management", access is granted to everyone, regardless of the "Share With..." selection. Is my expectation of "Share with specific users" a myth?
September 19th, 2011 10:26am

Thank you for your kind response. Took me a bit to get all other causes eliminated. (Still worried about Vb.gen. It is as if the maker of the trojan gave a simple fix as a decoy to hide that it tunneled/ diverted/ or changed the registry to convert all user accounts and groups to the everyone account. I say this because nothing functions without the everyone account being present. This is kind of clever because the casual user wouldn't discover you may be infected until you tried "denying" user accounts because your access is still granted. The inability to get Windows Updates due to "denied access" has now reared its ugly head once again.)

From the client side, I would right-click on the network folder and select properties as if I had authorization to change the permissions. When I actually tried to change the security settings by clicking the "Security" tab, the object name appears to be correct (*\\Server\Folder Name). How do I obtain information from the client side to see what "Windows Authentication" was used to try and gain access to the object/folder?

I think I can see where you are heading. For instance, I may be "translated" from (*\\Workstation\Frank) to (*\\Server\Guest) by the router and/or Windows Authentication. I suppose the same concept could also apply to a default, for instance, if the Workstation wasn't recognized to allow it to come in under the Guest account.

P.S. The "*" does not belong in the parentheses. It is only used to prevent a link from being formed by the editor.
September 22nd, 2011 9:56am
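
One way to see, from the server side, which account a client connection is actually running as, and whether the Deny entry can match it. This is an added example, not part of the original thread. The share name `Restricted` and the account name `Frank` are placeholders, and the script assumes an elevated PowerShell 2.0 prompt on the file server while the client has the folder open.

```powershell
# Added diagnostic sketch, not from the thread. Run elevated on the file server
# while the client has the shared folder open. Works on PowerShell 2.0 (2008 R2).
$shareName = 'Restricted'   # assumption: placeholder, use the real share name
$denied    = 'Frank'        # assumption: account the Deny entry was set for

# 1. Which account did each client connection actually log on as?
$conns = @(Get-WmiObject Win32_ServerConnection |
    Where-Object { $_.ShareName -eq $shareName })
$conns | Format-Table ComputerName, UserName, NumberOfFiles -AutoSize

# 2. Can unmatched credentials fall back to Guest? (RID 501 = built-in Guest)
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"Guest account '{0}' disabled: {1}" -f $guest.Name, $guest.Disabled
"ForceGuest (1 = every network logon becomes Guest): {0}" -f $lsa.forceguest

# 3. Share-level permissions (Win32_ACE AceType: 0 = Allow, 1 = Deny)
$sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
if ($sec) {
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        "share {0,-5} {1}\{2} mask=0x{3:X}" -f $type, $ace.Trustee.Domain,
            $ace.Trustee.Name, $ace.AccessMask
    }
}

# 4. NTFS permissions on the folder behind the share
$path = (Get-WmiObject Win32_Share -Filter "Name='$shareName'").Path
(Get-Acl $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# 5. A Deny entry only matches the account (or its groups) the session runs as
foreach ($c in $conns) {
    if ($c.UserName -ne $denied) {
        Write-Warning ("{0} is connected as '{1}', not '{2}'; a Deny entry for '{2}' does not match this session." -f $c.ComputerName, $c.UserName, $denied)
    }
}
```

If step 1 lists the connection as Guest, only entries for Guest, Guests or Everyone apply to it, so a Deny set on a named user has no effect on that session.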

This topic is archived. No further replies will be accepted.
