Share and User Level access

by Johannes Helmig [Published on 17 Aug. 1999 / Last Updated on 17 Aug. 1999]

In a Microsoft network, "Access Control" to shared resources is set by default in the
Network-applet of the Control-panel to "Share-level access control":

When you now share a resource by selecting it with a right-click to get the context menu:

there are only limited choices: "Full Access" (which allows reading, writing, deleting and creating files) or just "Read-Only Access". A password can be defined, but it will be valid for ALL users:


More flexibility is possible by selecting "User-level Access Control" in the Network-applet of the Control-panel:

You need to define the name of a system from which to "obtain the list of Users". In this case, I defined the name of the Windows95 system itself.

A warning will be displayed:

that any previously defined share will be removed, then you need to reboot the system.

When you now select to share a resource (by right-clicking it and selecting the option "Sharing" from the context menu), an (empty) list of user names with their access rights is displayed.

To add a new name, click on "Add"


"You cannot view the list of users at this time. Please try again later."
This message indicates that either the system with the user database is down (maybe not powered on) or that it is not a qualifying system to provide a user database (as when trying to use a Windows95/98 system). (If the user database is located on an NT system and the NT system is running / accessible via the network, then you have a different problem.)


It's time to look into the Microsoft Resource Kit for Windows95/98:

Windows 95 provides shared-level and user-level security for protecting shared resources on computers running Windows 95 with File and Printer Sharing services.

- Share-level security protects shared network resources on the computer running Windows 95 with individually assigned passwords. For example, you can assign a password to a directory or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource. (This option is not supported with File and Printer Sharing for NetWare Networks.)
- Pass-through user-level security protects shared network resources by requiring that a security provider authenticate a user’s request to access resources. The security provider, such as a Windows NT domain controller or NetWare server, grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each computer running Windows 95 does not have to store a list of accounts.

Note: If you are running File and Printer Sharing for Microsoft Networks, the security provider must be the name of a Windows NT domain or Windows NT workstation.
If you are running Microsoft File and Printer Sharing for NetWare Networks, the security provider must be either a NetWare server or a NetWare 4.x server running bindery emulation.

The following illustration shows how user-level security works on a computer running File and Printer Sharing service and Client for Microsoft Networks. The numbers are explained following the illustration.


1.) A user tries to access a shared resource protected by pass-through user-level security.
2.) A request is passed to the security provider to verify the user’s identity.
3.) The security provider sends a verification to the computer running Windows 95 if the user name and password combination is valid.
4.) Windows 95 grants access to the shared resource, and gives permission to use the resource according to rights assigned to the user in Sharing properties for that Windows 95 resource. The user’s rights are stored on the computer running Windows 95.
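
The two modes side by side, as an added example that is not part of the original article or the Resource Kit: a simplified Python model in which the security provider only verifies the user name and password, while the rights come from the list stored with the share. All account names, passwords and share definitions are constructed, and denying access when the provider cannot be reached is an assumption of this model.

```python
# Added illustration: simplified model of the two sharing modes described above.
# All names, accounts and passwords are constructed for the example.
FULL = frozenset({"read", "write", "create", "delete"})
READ_ONLY = frozenset({"read"})
NONE = frozenset()


class SecurityProvider:
    """Stands in for the NT domain or workstation that holds the account list."""

    def __init__(self, accounts, online=True):
        self.accounts = accounts  # user name -> password
        self.online = online

    def verify(self, user, password):
        if not self.online:
            raise ConnectionError("security provider not reachable")
        return user in self.accounts and self.accounts[user] == password


def share_level_access(share, password):
    """Share-level: the password belongs to the resource, not to a user."""
    if share["password"] is None:          # no password set: open to everyone
        return share["access"]
    return share["access"] if password == share["password"] else NONE


def user_level_access(acl, provider, user, password):
    """User-level, steps 1-4: provider authenticates, local list authorizes."""
    try:
        verified = provider.verify(user, password)   # steps 2 and 3
    except ConnectionError:
        return NONE        # assumption of this model: deny if unverifiable
    if not verified:
        return NONE
    return acl.get(user, NONE)   # step 4: rights stored on the Windows 95 host


# Constructed sample data.
PROVIDER = SecurityProvider({"alice": "a-pw", "bob": "b-pw"})
SHARE_ACL = {"alice": frozenset({"read", "write"})}   # "Custom" rights for alice
OPEN_SHARE = {"access": FULL, "password": None}
PW_SHARE = {"access": READ_ONLY, "password": "shared-pw"}
```

In this model a valid account that is not in the share's list (bob) gets no rights, while a share-level resource without a password is open to every caller.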

In a Microsoft network, you now need access to a Windows NT system (workstation or server) that provides the user database and user management (the NT4 User Manager):


With an NT4 system on the network providing the user database, we now get more flexibility by selecting "User-level Access Control" in the Network-applet of the Control-panel:

You need to define the name of a system from which to "obtain the list of Users": type the name of the Windows NT domain or Windows NT workstation.
When you now select to share a resource (by right-clicking it and selecting the option "Sharing" from the context menu), an (empty) list of user names with their access rights is displayed.

To add a new name, click on "Add". The list of users is displayed; select the user and define the Access Mode:
- Full Access
- Read Only
- Custom
When you select "Custom" for a user, then on exiting (by selecting the "OK" button) you are presented with "Change Access Rights", which allows you to define each right separately. The selected users with their access rights are then displayed.


When a user who is NOT listed with proper rights now tries to access the shared resource:


I am not sure, but I think that an NT Administrator ALWAYS has the "Full Access" rights, regardless of whether this is defined (or not) in the user-list for the shared resource.


You defined an NT system as the source for the user database and this NT system is running / accessible on the network, but you still get the error message:

"You cannot view the list of users at this time. Please try again later."
Searching the Microsoft Knowledge Base for this error message leads to the article Q177607, which describes a mismatch/problem with "Outlook Express for Windows98":
"This behavior can occur if Outlook Express is installed on your computer and the "Make
Outlook Express my default Simple MAPI client" check box is selected".


If you are NOT using Outlook Express, Microsoft suggests restoring the original version of the MAPI32.DLL (as delivered/installed from the Windows CD-ROM; it may have been replaced by a different version during the installation of a new software program).
