Is there something special that needs to be done to share folders that are sub-folders of My Documents? I got some of these folders in my Win 7 desktop, which I share out. They show up as shared folders in the network scan, but when I try to mount these on an XP laptop, I get an access denied error.

It's not a straight forward capablility between Windows 7 & XP. See the article @ http://www.howtogeek.com/howto/windows-7/share-files-and-printers-between-windows-7-and-xp/ on how to accomplish it.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Here's the standard procedure to setup the Shared folder properly. If you don't have a Home Group setup and/or you don't have the same user account and password on both computers, then follow Rick Dee's advice and link in addition to checking the steps below: 1) Right click the folder you want to share in your My Documents folder. 2) Click Share With... and then click Advanced Sharing. 3) The initial state will show that the folder is not shared (yet). 4) Click Advanced Sharing (I know.. redundant isn't it) again. 5) Check to enable the option Share This Folder. 6) Change the Share Name (optional) and set the max number of simultaneous connections to the Share (default is 20). 7) Now (here's the crucial part) click Permissions. 8) In the Permissions setting window, you will find that the only Group or User name listed is Everyone. This is fine. However, Everyone (by default) only has Read permission enabled. NOTE: This permission setting only applies to the "Share" permissions and not to NTFS permissions of files and folders within the share. 9) Check to enable Full Control share permissions. This is the standard best practice. You will control who actually has access to any files and folders within the Shared folder by setting NTFS permissions on the files and folders contained in the share. 10) Click OK to back out of all open windows. 11) Now, Everyone has access to the Shared folder. You will now need to enable NTFS permissions on the files and folders in the Share so that other users on network computers can do more than just see and read the files and folders. 12) Windows 7 computers that are in a Home Group will have a Group NTFS membership (Home Users) that is set to Read Only by default. You must enable Modify permissions in order for other Home Group members to add and edit files and folders. 13) If the same exact User Account and Password exists on both computers, the NTFS permissions will apply equally to the user connecting to the share over the network. 14) If the User on the remote computer is different, then things start getting a little more interesting as Rick Dee has pointed out. Jagade "It's a tough life... but someone has to enjoy it!"

Here's the standard procedure to setup the Shared folder properly. If you don't have a Home Group setup and/or you don't have the same user account and password on both computers, then follow Rick Dee's advice and link in addition to checking the steps below: 1) Right click the folder you want to share in your My Documents folder. 2) Click Share With... and then click Advanced Sharing. 3) The initial state will show that the folder is not shared (yet). 4) Click Advanced Sharing (I know.. redundant isn't it) again. 5) Check to enable the option Share This Folder. 6) Change the Share Name (optional) and set the max number of simultaneous connections to the Share (default is 20). 7) Now (here's the crucial part) click Permissions. 8) In the Permissions setting window, you will find that the only Group or User name listed is Everyone. This is fine. However, Everyone (by default) only has Read permission enabled. NOTE: This permission setting only applies to the "Share" permissions and not to NTFS permissions of files and folders within the share. 9) Check to enable Full Control share permissions. This is the standard best practice. You will control who actually has access to any files and folders within the Shared folder by setting NTFS permissions on the files and folders contained in the share. 10) Click OK to back out of all open windows. 11) Now, Everyone has access to the Shared folder. You will now need to enable NTFS permissions on the files and folders in the Share so that other users on network computers can do more than just see and read the files and folders. 12) Windows 7 computers that are in a Home Group will have a Group NTFS membership (Home Users) that is set to Read Only by default. You must enable Modify permissions in order for other Home Group members to add and edit files and folders. 13) If the same exact User Account and Password exists on both computers, the NTFS permissions will apply equally to the user connecting to the share over the network. 14) If the User on the remote computer is different, then things start getting a little more interesting as Rick Dee has pointed out. Jagade "It's a tough life... but someone has to enjoy it!" Okay, everything until step 11 was already set like that. So the network side was already taken care of. Starting with step 12, the NTFS permissions, things seem to be a little screwed up. When I go into these permissions, I see two separate users named "HomeUsers", one with "Full Control" permissions, and the other with only "Read & Execute". The first one with Full Control is also listed as "not inherited" in the "Inherited from" field. The other one is listed as inherited from "C:\Users\myusername\Documents". The first HomeUsers is also the only one that is removable, whereas with the other one the "remove" option is grayed out (in fact, it's grayed out for all other usernames, other than this first HomeUsers entry). All other usernames also seem to inherit their permissions from either "C:\Users\myusername", or "C:\Users\myusername\Documents". Any ideas what I should do now?

Question: do both of those entries for HomeUsers (Under Apply To) show as "This Folder, Subfolders, and Files"? If so, then note: When you have more than one entry that sets permissions on a folder or file for a User or Group, the entry with the most restrictive permission rules the day. So, in your case, the entry that says Read and Execute overrides the permission for Full Control. Permissions are either "inherited" from the parent folder (ex: C:\Users\myusername\Documents" or they are explicity set by the administrator or owner of the file/folder. In the latter case, you will see that the permissions are listed as "<not inherited>". If you are in the Advanced Security Settings window, then any "Name" listed under the NAME column that has "inherited" permissions will be shown as "grayed out" when you try to Edit the permissions because you cannot by default change inherited permissions. If you want to make changes to these permissions, you have to disable inheritance on the folder or file and then set explicit permissions. And, you need to optionally set inheritance on child objects by setting the "Replace all child object permissions with inheritable..." checkbox on the folder that has had explicit permissions set. If you are thoroughly confused by now, it would be good for you to use the Technet documents to study up on file and folder permissions. It can be complex and confusing until you take the time to understand how it works. Then, everything becomes clear and you can confidently set permissions under NTFS properly. Too many people don't take the time to learn how to do this and end up just setting permissions to allow Everyone Full Control over the top level folder and everything underneath. This defeats the purpose of NTFS and opens up a major security hole in your file structure. If you want to, post screen shots of the various permissions windows so that I can see what you currently have and I will try to help you set them correctly. Otherwise, I am kind of flying blind here and would not want to suggest anything else that might mess you up. Jagade "It's a tough life... but someone has to enjoy it!"

On 03/01/2011 1:07 PM, Jagade wrote: > Question: do both of those entries for HomeUsers (Under Apply To) show > as "This Folder, Subfolders, and Files"? Yes, they both show this. > If so, then note: When you have more than one entry that sets > permissions on a folder or file for a User or Group, the entry with the > most restrictive permission rules the day. So, in your case, the entry > that says Read and Execute overrides the permission for Full Control. Makes sense. > Permissions are either "inherited" from the parent folder (ex: > C:\Users\myusername\Documents" or they are explicity set by the > administrator or owner of the file/folder. In the latter case, you will > see that the permissions are listed as "<not inherited>". > > If you are in the Advanced Security Settings window, then any "Name" > listed under the NAME column that has "inherited" permissions will be > shown as "grayed out" when you try to Edit the permissions because you > cannot by default change inherited permissions. If you want to make > changes to these permissions, you have to disable inheritance on the > folder or file and then set explicit permissions. And, you need to > optionally set inheritance on child objects by setting the "Replace all > child object permissions with inheritable..." checkbox on the folder > that has had explicit permissions set. > > If you are thoroughly confused by now, it would be good for you to use > the Technet documents to study up on file and folder permissions. It can > be complex and confusing until you take the time to understand how it > works. Then, everything becomes clear and you can confidently set > permissions under NTFS properly. Too many people don't take the time to > learn how to do this and end up just setting permissions to allow > Everyone Full Control over the top level folder and everything > underneath. This defeats the purpose of NTFS and opens up a major > security hole in your file structure. Don't worry about me, I can understand permissions, since I have come from the Unix world, not just the Windows desktop world. It sounds a lot like the problems that occurred when they tried to add the newer Access Control Lists in Unix over top of their existing UGO permission system. Lots of conflicting permissions states to sort through. So what technet documents are you referring to about NTFS permissions? > If you want to, post screen shots of the various permissions windows so > that I can see what you currently have and I will try to help you set > them correctly. Otherwise, I am kind of flying blind here and would not > want to suggest anything else that might mess you up. > > Jagade Okay, let's see if this NNTP bridge allows me to do that. If not then the link below should work. Yousuf Khan Uploaded with ImageShack.us

The Advanced Security Settings windows has a link at the bottom left called "managing permission entries". This Help File will give you a good explanation about NTFS permissions and how to use them. Also, if you go to Microsoft Technet site (which this forum is part of) and search for NTFS permissions, you will find a lot of info as well. Ok, to your permissions (listed in the screenshot). You have "Explicit" permission of Full Control assigned to the HomeUsers group. This overrides the "Inherited" Read & Execute permission also assigned to the HomeUsers group. So, any member of the HomeUsers group should have Full Control of the folder and any child objects created in the folder. If a network user (on a computer that has a HomeGroup setup) is still having issues with Access Denied when trying to create files/folders in the Shared folder, then be sure to check the User account in question and ensure that the User account belongs to the HomeUsers group. Jagade"It's a tough life... but someone has to enjoy it!"

If a network user (on a computer that has a HomeGroup setup) is still having issues with Access Denied when trying to create files/folders in the Shared folder, then be sure to check the User account in question and ensure that the User account belongs to the HomeUsers group. Jagade "It's a tough life... but someone has to enjoy it!" Well, as I said the network user is on an XP laptop, so there is no Homegroup setup on that. The user gets access denied right away when attempting to mount that folder over the network. However other folders on the exact same Win 7 machine can be mounted on the exact same XP laptop, but they are not folders that are under the My Documents hierarchy. Yousuf Khan

My bad. You did say that the problem was with the XP machine... which does not support Home Groups. We/I got off on dealing with HomeGroup member access when we are really talking about just general access to the Shared folder. Ok then. In a non-domain security environment (aka a Workgroup), if the User Account on the XP machine does not exist on the Windows 7 machine (exact same User Name and Password), then when the XP user attempts to access the Shared folder on the Win7 machine, a box will pop up asking for credentials (Username and Password). You must enter a valid User Name and Password that exists on the Win7 machine. For instance. let's say that Folder1 on Win7 under My Documents has been Shared with Everyone Read Only permission (default Share permission). Then, let's say that the XP machine logged in as XPUser tries to access Folder1 over the network (he can "see" Folder1). However, XPUser will get an immediate "Access Denied" pop up. Now, if the Win7 owner changes the "Share" permission on the Folder to Everyone Full Access, then XPUser will get a pop up asking for UserName and Password when trying to open the Shared Folder. If XPUser knows the UserName and Password of an account that exists on the Win7 machine, he will be granted access to the Shared Folder. He can then create folders and files and edit and delete them in the Shared folder because he is now running under the context of the logged in account. Once authenticated, XPUser will be able to work with this Shared folder until he logs out of XP machine, logs back in on XP, and then attempts to access the Shared folder again... at which time he will be required to authenticate again (hint you can check the "Remember my Password" checkbox to make login easier next time. To avoid having to authenticate every time XPUser wants to access the Shared folder, you would have to create the same exact user account and password for XPUser on the Win7 machine. In essence, the two machines will be in the same exact Workgroup and the two exact User Accounts and Passwords will exist on both machines which creates a trust relationship between the two computers. Jagade"It's a tough life... but someone has to enjoy it!"

I discovered the solution to it now. I compared the difference between the folder that was not mounting vs. the one that was, and discovered that the mountable folder had "Everyone" permissions, but not the one which was not mountable. I added the Everyone user and its appropriate permissions, and it immediately began working. In fact, once adding the Everyone user and permissions, I got a warning from Windows saying that this will remove all inherited permissions on that folder. Which is exactly what I want anyways.

I discovered the solution to it now. I compared the difference between the folder that was not mounting vs. the one that was, and discovered that the mountable folder had "Everyone" permissions, but not the one which was not mountable. I added the Everyone user and its appropriate permissions, and it immediately began working. In fact, once adding the Everyone user and permissions, I got a warning from Windows saying that this will remove all inherited permissions on that folder. Which is exactly what I want anyways. If you read my January 03 post, next to last paragraph, you will see that I mentioned that opening up the folder to Full Control for the Everyone Group will allow... well... everyone access to the folder... which completely defeats the purpose of using NTFS permissions to protect files and folders appropriately. The fact is, that if you don't care about security, then there is no need to even use an NTFS file system because it just gets in your way from an administrative standpoint. Wide open permissions gets the job done (folder access for everyone), but it creates a security hole because you are allowing everyone unfettered access to the folder. This does not solve your access problem in the correct manner nor are you learning anything by doing it this way. You mentioned that you are familiar with Unix permissions. Giving the Everyone Group Full Control access to the folder is the Unix equivalent of setting drwxrwxrwx permissions on the folder... a bad idea. Also, if you re-read one of my above posts, you will see that I made mention that setting explicit permissions overrides inherited permissions. This is the natural behavior because Windows understands what to do with a manual override. "It's a tough life... but someone has to enjoy it!"

If you read my January 03 post, next to last paragraph, you will see that I mentioned that opening up the folder to Full Control for the Everyone Group will allow... well... everyone access to the folder... which completely defeats the purpose of using NTFS permissions to protect files and folders appropriately. The fact is, that if you don't care about security, then there is no need to even use an NTFS file system because it just gets in your way from an administrative standpoint. Yes, you're right, that solution was buried within your last explanation, so I'll give you the "mark as answer". I did discover the "Everyone" solution independently after reading your previous postings about the security settings, by comparing the security settings between the two different folders. Wide open permissions gets the job done (folder access for everyone), but it creates a security hole because you are allowing everyone unfettered access to the folder. This does not solve your access problem in the correct manner nor are you learning anything by doing it this way. You mentioned that you are familiar with Unix permissions. Giving the Everyone Group Full Control access to the folder is the Unix equivalent of setting drwxrwxrwx permissions on the folder... a bad idea. Also, if you re-read one of my above posts, you will see that I made mention that setting explicit permissions overrides inherited permissions. This is the natural behavior because Windows understands what to do with a manual override. "It's a tough life... but someone has to enjoy it!" But of course it solves my problem, as this folder is meant to be a shared folder and have full access by everyone. Otherwise why would I share it, if I wanted it locked down tight? Your original solution was to give full control only to the HomeUsers group, but quite obviously that didn't work with the XP machines, since they couldn't access it. I don't see much difference between Windows 7's HomeUsers group and the standard Everyone group, as HomeUsers is just Windows 7's own private Everyone group.

Thank you for the "marked as answered" on the previous post. I appreciate that. Sometimes I wish that Windows permissions were as straightforward as Unix. In Windows there is a lot more going on. Microsoft's implementation is often seen as a less than elegant (or easy to understand) methodology for protecting a system. It was not designed with the average home user in mind. It was designed for use in business where data and systems need to be protected at a very high level. This is why Windows now comes in the Home Premium version vs. the Professional and Ultimate versions (the Home versions all have the majority of the system "management" tools stripped out - such as Domain membership and Group Policy - because it simplifies the system for a home user). On the other hand for the Pro and Ultimate versions, if one takes the time to study the management features thoroughly and experiment enough to learn about what's going on, it makes complete sense as to why they are there. Microsoft found that even the Home versions of the OS were still too complicated for the average user when it came to configuring Shared folders and NTFS permissions (keep in mind that Share vs. NTFS permissions are distinctly different from each other). That's why they created the concept of Home Groups with Windows 7. Only Windows 7 machines can participate in a Home Group (no XP or Vista machines allowed). And, you will only see the HomeUsers "group" on a Win7 machine. All flavors of Windows 7 can "join" in a Home Group but only the Pro and Ultimate flavors can "create" a Home Group. Still, I think that this technology could have been better implemented by Microsoft. It is not nearly intuitive enough nor is it explained well enough in the setup screens for the average user to configure it properly. Now. Back to our conversation above. Since we are dealing with both Win7 and XP, then HomeGroups and HomeUsers, etc. are out of the conversation for now. We are left with having to use Share and NTFS permissions to accomplish our goals. What I'm attempting to do thru my explanation then is to point out why having wide open Share and NTFS permissions is both a procedural and a security problem. I'd like to elaborate on that from both perspectives: One: sure it solves your problem by opening up the folder for Everyone. But, you arrived there not really understanding how to use the available tools to resolve the access issue by using the correct set of User and Group permissions to open the folder up for just those who needed access. Two: Wide open for Everyone means that any intruder on your system will also have access to that folder and its files. Maybe you don't have anything in that particular folder to be concerned about. But, what about the next folder you share? If you don't know how to properly set permissions, you may likely repeat your process and just give in to opening up all your shared folders to Everyone in order to defeat the protection on the folder. This leads to eventually compromising your system. It is the same reasoning behind not running your system while logged in as an Administrator all the time. Once malware gains access to your system, it runs under the security context of the logged in user with the same access rights as that user. A lot of damage can occur very quickly. Take care my friend. It's been nice trading conversations with you. Jagade "It's a tough life... but someone has to enjoy it!"

Now. Back to our conversation above. Since we are dealing with both Win7 and XP, then HomeGroups and HomeUsers, etc. are out of the conversation for now. We are left with having to use Share and NTFS permissions to accomplish our goals. What I'm attempting to do thru my explanation then is to point out why having wide open Share and NTFS permissions is both a procedural and a security problem. I'd like to elaborate on that from both perspectives: One: sure it solves your problem by opening up the folder for Everyone. But, you arrived there not really understanding how to use the available tools to resolve the access issue by using the correct set of User and Group permissions to open the folder up for just those who needed access. At some point you have to weigh getting the work done versus the aesthetics, and come to a decision on one side or the other. If this were a homogeneous network of all Windows 7 computers, organized by an Active Directory corporate authentication server, then perhaps being more clean and careful would be the way to go. But it is not such a network, it's a home network with decentralized authentication, and completely heterogeneous machines; some of the machines are Windows 7, some XP, some aren't even Windows at all they are Linux (or Mac), and some aren't even PCs at all, they're game consoles (i.e. Xbox360 & PS3) or multimedia players. You don't have as much flexibility with these other things, so you have to adjust the Windows 7 side to make it work. Two: Wide open for Everyone means that any intruder on your system will also have access to that folder and its files. Maybe you don't have anything in that particular folder to be concerned about. But, what about the next folder you share? If you don't know how to properly set permissions, you may likely repeat your process and just give in to opening up all your shared folders to Everyone in order to defeat the protection on the folder. This leads to eventually compromising your system. It is the same reasoning behind not running your system while logged in as an Administrator all the time. Once malware gains access to your system, it runs under the security context of the logged in user with the same access rights as that user. A lot of damage can occur very quickly. Take care my friend. It's been nice trading conversations with you. I understand exactly what I'm doing, and I'm sharing exactly what I want to share. My system is setup in a hierarchical structure where only subfolders are shared. Stuff in the parent directory aren't shared, just the stuff I've put in these subfolders. Now unless there's a bug in the Microsoft security system which allows an intruder to gain access to the parent directory from a child folder, then I am not really worried about exposing my system's data, since this data is meant to be shared anyways.

Not sure if I can jump in here, or should start a new thread? I have a similar problem... Have a Windows 7 Home Premium PC with a Vista laptop, and an iPhone. I want the PC to be the master, and the Vista laptop to be able to access folders on the network, and both the laptop and iPhone to access files Read Only via VPN (initially). So, I created 2 users on the PC - a read only one and a full access one. I went into the Sharing Permissions, and removed the Everyone, and added read only and full access respectively. I haven't touched the NTFS permissions (didn't know about them until I found this thread!) I seemed to get on ok with folders NOT under Documents, but can't get access with my current set up to a folder under Documents on the PC. So, what is the recommended way to go about this? This is my first time setting up a VPN on my home network, so I'm a little overly cautious ;) thanks in advance, David

Not sure if I can jump in here, or should start a new thread? I have a similar problem... Have a Windows 7 Home Premium PC with a Vista laptop, and an iPhone. I want the PC to be the master, and the Vista laptop to be able to access folders on the network, and both the laptop and iPhone to access files Read Only via VPN (initially). So, I created 2 users on the PC - a read only one and a full access one. I went into the Sharing Permissions, and removed the Everyone, and added read only and full access respectively. I haven't touched the NTFS permissions (didn't know about them until I found this thread!) I seemed to get on ok with folders NOT under Documents, but can't get access with my current set up to a folder under Documents on the PC. So, what is the recommended way to go about this? This is my first time setting up a VPN on my home network, so I'm a little overly cautious ;) thanks in advance, David You might want to fiddle with the NTFS permissions under your My Documents in this case. I might be that the inherited permissions from the My Documents prevents sharing on the network of that subfolder, so you'll have to override it.Yousuf Khan