2021-11-24

Windows Share You Don't Have Permission

Imperfect Solution - Windows Disk Shares - You do not have permission:  Windows cannot access Share.

Windows Share "You don't have permissions"
"Windows cannot access Share"
Cannot map a share drive

when sharing a folder between two Windows PC's in the same local network. 

2021.11.24 - Still work in progress.  Steps are not yet working in all cases.  Works sometimes.

There are three common issues: 
* The Share was not built properly or Network Settings were not enabled
* Default Services do not auto-start
* Use fully-qualified credentials when logging in


I have spent days on this problem and have given up.  The solution(s) below sometimes work, and are certainly needed, but the peer-to-peer sharing is broken, with intermittent and unpredictable failures.  Dear Microsoft, this is embarrassing.  Too many people are having this problem.

Comments:

  • Having all machines on the same version of Windows does not seem to help
  • It does not seem to matter if users have administrative rights
  • The following items are definitely required to even have a hope

Prerequisites

On all computers attempting to share, you must do these one-time-steps.  Much fiddling is needed:

A.  Click Start,
      Type "Sharing"  (a search)
      Launch "Manage Advanced Sharing Settings"
 
B.  In the Private Network(current Profile)
      [x] Turn on Network Discovery
      [x] Turn on Automatic setup of network connected devices

      In File and Printer sharing
      [x] Turn on file and Printer Sharing

C.  On the same screen, scroll down to "All Networks"
      [x] Use 128-bit encryption
      [x] Turn off password protected sharing  (if you trust all PCs in your network)

D.  Click Start, type "workgroup"
      Launch "Change Workgroup Name"

      Click button "To rename this computer, click Change"

      Note each computer's name
      Note the "Workgroup" name  (illustrated as "Wolfhouse")
           Windows default name is "Workgroup"

      *Using same steps for each computer,
        Confirm all computers have unique names (e.g. Nancy, Mary, etc.)
        Confirm all computers are in same Workgroup.

E.  Starting Services.

These little-known services may not be set to run by default.  Starting them is geeky.  Unclear why these are not started automatically when File and Printer sharing is enabled.  On some Windows machines, these were started; on others not.  Curse the complexity here.  This makes you think about Macintoshes.

1)  Click Start.
     Type "services.msc"  (find Services)

2)  Single-click "services.msc", choose "Run as Administrator"

3)  In the list, locate "Function Discovery Provider Host"
     Right-mouse-click, Properties
     Choose Startup Type:  "Automatic (delayed Start)" or set as "Automatic"

     Repeat for four more services, next. 

Click for Larger View

4)  Locate "Function Discovery Resource Publication"
     Similarly, set as Automatic (delayed start)

5)  Locate "TCP/IP NetBIOS Helper"
     Set Automatic (delayed start)

Documentation:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-access-shared-folder-file-explorer.  

Note: This article recommends turning on the SMB 1.0.  Do not do this.  Huge security risk. 

Note: Technically, these services are only needed on the workstation that hosts the share.  But I recommend doing this on all workstations; this way they can host shares too.  Invariably you will want this.



F.  Network Adapter Settings

1)  Start.  Type "Network Connections".
     (Note either Ethernet or Wireless/Wifi)


2)  Right-mouse-click "Ethernet" (or Wireless/WiFi),
     Select "Properties"

     If Windows 10, uncheck [  ] "Internet Protocol Version 6 (TCP/IPv6)

     Double-click "Internet Protocol Version 4 (TCP/IPv4)
     Click button "Advanced"

Click to Enlarge

 4)  In the Advanced TCP/IP window,

      Click the [WINS] tab
      Select "Enable NETBIOS over TCP/IP"
      Click OK, OK, OK to close all dialogs


G.  Continue with Firewall changes
     (this step is only needed if this PC does not appear in File Explorer.  Safe to run unconditionally.)

1)  Click Start
2)  Type "CMD" (no quotes)
3)  Highlight the found DOS Command Prompt, click "Run as administrator"

4)  Type this one-line command, no quotes:
      (I found this was needed on Windows 10 computers)

netsh advfirewall firewall set rule
     group="Network Discovery" new enable=Yes

      Should report back:  "updated (52) rule(s)".

5)  Press Enter to run the command.  When done, close the command prompt window.


H.  Reboot

Repeat A-H for other workstations on the network.

From a remote machine, test by opening File Explorer's NETWORK folder (illustrated below), and look for the workstation's name and Share.  Open the Share to confirm.  You may be prompted for credentials; see below.


Building the Share

To do this right, build the share manually and do not use the Sharing Wizard.

Illustration shows Left-Nav with the "Nancy" computer expanded to show is broadcasted share-name.

1.  Open File Explorer. 
     Right-mouse-click the folder to share.  Illustrated here, C:\Data
     Select "Properties"

Click for larger view


2.  In Properties, click the [Sharing] Tab
      Note:  "Network path Not Shared"

      Click "Advanced Sharing"
      [x] Share this folder
      Share  name:  "Data"  (no quotes, no spaces, no punctuation, any name)
      Click "Permissions" button
      Grant Everyone [x] Full Control

Click for larger view

3.  Return to File Explorer, re-highlight the shared folder.

     Right-mouse click folder (e.g. C:\Data)
     Select "Properties"
     Select "[Security]" tab
     Click button "Edit"

4.  In the [Security] tab's EDIT
     "Add" 
     Type "Everyone"  (no quotes). 
     Click check names.  Underlined when found.
     Grant Everyone [x] Full Control  (or at least Modify, Read/Execute/List/Read)

Click for larger view

Since this is only allowed for Private Networks, "[x] Full Control" is okay.
Why such busy steps to set a share?  Microsoft has always done it this way.


Using the Share:

Use one of two methods.  This is the key to the login problem.

x.  On File Explorer's URL line, type a UNC path    " \\Nancy\Data "
     ! This does not work in Windows 10/11.  Credentials are now required!
     From File Explorer, type "\\Nancy\Data" on the top url-line.  Press Enter.

2.  Instead, use File Explorer's Left-Nav
     (this prompts for credentials)

     From the Workstation that wants to see the share, use File Explorer's left-nav
     On the Left-Nav, locate "Network"
     Expand the Workstation (illustrated "Nancy").  Double-click the share.

    (illustrated:"\\Nancy\Data")

Wait for the credential (login) prompt.
When prompted, type the remote workstation's name and a user-id

For example, 

From a laptop named "MaryLeno", expand the "Nancy"'s share, double-clicking on "Data".
If prompted for credentials, type the remote-server's name, slash, and the remote user-id (do not type the share name!):

\\nancy\trayw

where: 

  • "\\nancy" is the computer where the share was built.
  • "trayw" is the name of a user on that box (and that user presumably has rights to see "Data")

  • Type the "trayw"'s password, as it exists on that box

  • Do not use a user-ID/password from your box, instead, use the user-ID on the remote machine -- This may or may not be the same ID/password.

  • Optionally, check [x] Remember Credentials.
    By typing credentials each time, this helps protect the remote machine from ransom-ware attacks.


Finding a User-ID:

On the workstation with the \Data-share, launch File Explorer.
Tunnel to folder C:\users
Note the name of the sub-folders.  For example, mine is "trayw"  (traywolf).  The folder-name is the login account.  The name is almost always shortened from what you would expect.

Optionally:
Launch a DOS command Prompt.
The >carrot icon is your user ID.

Remember, you are looking for the User-ID on the remote computer!  It may be different than the ID on your local box.

There are concerns if "[x] Remember Credentials" and the remote user changes their password.  Consider building a dummy-user-id on the remote box, whose sole purpose is to map drives.  Login one time to set that User-ID.  Steps not described here.

 -end


No comments:

Post a Comment

Comments are moderated and published upon review. (As an aside, not a single spam has been allowed through; why bother?)