WHS 2011 : users joined in homegroup can't access shares with no homegroup access, but with specific user access

  • Question

  • Hi,

    I've been a WHS user for several years and I recently upgraded to WHS 2011. An interesting new feature in WHS 2011 is that the server can join a Windows 7 homegroup.

    On each share you can define if it is accessible by the homegroup. That's great !

    So I joined my new server to the existing homegroup. And I gave the homegroup users read access on the media shares and read-write access on some general shares.

    I myself am also a homegroup user but I have a specific share on which I keep my documents of my business. I do not want other family members messing with this share so I gave the homegroup users no access to that share, but I gave myself read-write access to that share.

    What happens do you think: the homegroup users can't access the specific share. Again that's great ! But I can't access the share either... Not so great !

    It appears that no matter what I do the system always uses the homegroup security and does not look at the specific authority of a user.

    Is this the way it should work, or am I doing something wrong ?

    Help is appreciated !!

     

    kind regards,

     

    David

     

    Saturday, June 18, 2011 7:11 PM

Answers

  • Homegroup security overrides user-based security. This is intentional behavior; in general either you will want to use homegroup security for everything, or you will want security per user for everything. Given the relatively low limit on users, setting up user-based security isn't a particularly onerous chore...
    I'm not on the WHS team, I just post a lot. :)
    • Proposed as answer by Ken Warren Saturday, June 18, 2011 9:15 PM
    • Marked as answer by Ken Warren Thursday, September 8, 2011 11:21 AM
    Saturday, June 18, 2011 8:23 PM

All replies

  • Good post Ken, but this really should be clearly stated on WHS 2011.  Not doing so just creates frustration and confusion around the product.  I know you aren't an MS employee, I'm just stating it so that hopefully someone from the WHS team will see it.

     

    I wasted a few days on this myself before turning the homegroup off and giving up.

    Saturday, June 25, 2011 5:14 AM
  • Zeke

    Don't forget WHS is an OEM product and as such you supply the expertise. From the WHS 2011 Online Help:

    "The permissions that are displayed in the folder properties represent only the users which are managed by the Dashboard. They do not include user permissions such as groups, or service accounts, or include any permission that may be set on the folder using other native tools and include users which were not added through the Dashboard."

     


    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
    Saturday, June 25, 2011 7:22 AM
  • What's not clear in the help is that homegroup security is not "... users which are managed by the Dashboard." Homegroup security is also not just a standard NT security group, as far as I know; there's more going on behind the scenes when you put your server (or other computer) into a homegroup than that.
    I'm not on the WHS team, I just post a lot. :)
    Saturday, June 25, 2011 1:32 PM
  • Agreed! I am not sure that I would have realized that from those words unless I had already known!

     


    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
    Saturday, June 25, 2011 2:29 PM
  • I think somewhere there's actually a statement from Microsoft that Homegroup security overrides standard NT security, but I sure can't find it. :)
    I'm not on the WHS team, I just post a lot. :)
    Saturday, June 25, 2011 10:24 PM
  • Homegroup security overrides user-based security. This is intentional behavior; in general either you will want to use homegroup security for everything, or you will want security per user for everything. Given the relatively low limit on users, setting up user-based security isn't a particularly onerous chore...

    OK, I'm getting confused here . . . If I use Homegroup, I can lock everyone including myself out of my private files. So, what's the advantage of Homegroup again? :)


    Nancy Ward
    Sunday, June 26, 2011 12:55 AM
  • Nancy,

    I think you got it backwards. Homegroup will make everything available and override the User permissions set in the Dashboard. Setting permissions in Dashboard is much more flexible than Homegroup in my opinion. Just remember to disable/not use Homegroup with WHS 2011 or you might be surprised who can access your files.


    _______________

    BullDawg
    In God We Trust
    _______________
    Sunday, June 26, 2011 1:39 AM
  • I'm trying to figure this out too. Are you sure we can't use both? Here's what I'd like to see.

     

    WHS is joined to HomeGroup

    Photos share is set to Read only for HomeGroup, but Read/Write access for my personal laptop account.

    My personal laptop is NOT joined to the HomeGroup, It is connected to WHS and has a username password.  This account allows FULL read/write access to Photos share

    A friend that visits with his laptop Joins the home group.  (read access to Photos share, via HomeGroup share setting)  friend's laptop is NOT a user on WHS

     

    Will the above configuration work? I can see why I wouldn't want my personal laptop on BOTH the HomeGroup AND WHS User account. When I have both, I ran into the same problem where I only have Read access to the photos share. If I unjoin my personal laptop from the HomeGroup, should I then have full read/write access once again? (Or is the only option removing the homegroup from WHS altogether?)

    Please help us understand what our options are here.

    Sunday, June 26, 2011 11:20 PM
  • By the way, I'm beta testing StableBit Drive Pool.  (so I can get Drive Extender capability back in 2011)  So far so good.

    http://wiki.covecube.com/StableBit_DrivePool

     

    I asked the developer about HomeGroup permission conflicts and here is his response:

    (can someone post links that I can forward to Alex on how this HomeGroup override/limitation works exactly?)

    It seems Drive Pool is possibly capable of overcoming this problem with a workaround.

     

     

    Reply from Covecube
    Alex
    Product: StableBit DrivePool
    Topic: A problem that I'm experiencing using the product
    Jon,
    I've avoided HomeGroups altogether. In fact, M2 doesn't even use NTFS permissions in order to keep things simple.
    I will look at HomeGroups for M3 and will keep this in mind.
    From what I understand, the problem is HomeGroups override regular per-user permissions.
    I can't really speak as to why this is, and who is placing this limitation on the system (WHS? HomeGroups?). Watch for the M3 release and we can talk about it after it's out.
    Regards,

     


    Monday, June 27, 2011 1:08 AM
  • I think you got it backwards. Homegroup will make everything available and override the User permissions set in the Dashboard. Setting permissions in Dashboard is much more flexible than Homegroup in my opinion. Just remember to disable/not use Homegroup with WHS 2011 or you might be surprised who can access your files.

    So, what else is new, BullDawg? :)

    What I want to avoid is what happened to David:

    "I myself am also a homegroup user but I have a specific share on which I keep my documents of my business. I do not want other family members messing with this share so I gave the homegroup users no access to that share, but I gave myself read-write access to that share.

    "What happens do you think: the homegroup users can't access the specific share. Again that's great ! But I can't access the share either... Not so great !

    "It appears that no matter what I do the system always uses the homegroup security and does not look at the specific authority of a user."

    What I don't understand is why, if the Dashboard and Homegroup don't "play nice" together, why WHS 2011 asks the installer to use Homegroup.

    I'm due for a reinstall, and you can betcher boots I ain't agonna let Homegroup within a country mile of my server!


    Nancy Ward
    Monday, June 27, 2011 1:10 AM
  • Nancy,

    I've done quite a few installs on my test box while testing the DE replacements.  To my recollection, during the setup, user names and passwords are recommended, not Homegroup.  I haven't played around with Homegroup much since Win7 RTM, as it does not play well with my Hamachi VPN, so I always use the old user name/password method.


    _______________

    BullDawg
    In God We Trust
    _______________
    Monday, June 27, 2011 1:29 AM
  • Here's some confusion created by the Windows Home Server 2011 Online Help > Online Help for Administrators > Manage HomeGroup >Share a folder with homegroup help topic:

    "If a person who does not have permission to access a shared folder signs on to a homegroup computer that has either Read only or Full access permission for the folder, the most restrictive permission applies. In this case, even though the person signed on to a homegroup computer, they would not be able to access the shared folder because their user account is assigned the No access permission. "

    This suggests that the NTFS access control overrides the homegroup access control, yet that's not the case.  MS may want to update the documentation. 

    I tested this by giving my homegroup full control and a user no access.  When logged in as the user with no access on a computer that had joined the homegroup, I was able to create files, save changes, and delete.

    I have similar needs--provide read-only access to some users and full to myself.  For example, I want my kids to be able to view pictures, but not edit or delete them.  Homegroup is convenient, but it ends up restricting my access as well.  I can live with controlling by user just as I did with WHSv1.

    Jamie

     

    Thursday, July 21, 2011 2:12 AM
  • I also am stuck with this exact same issue. I need restrictive permissions on the HomeGroup and less restrictive for myself.

    Unfortunately, it seems the two systems (per user rights and HomeGroup) were not really meant to work together. This is a very unfortunate design decision that does nothing good for customers. Does this mean we have to choose between granular security and PlayTo?

    I honestly am puzzled trying to understand how such a bad decision could end up in the final product. The "server" group clearly has a long way to go before being able to push consumer-level stuff out the door. The WHS front end should be handled by the entertainment division (Zune/XBOX).

     

    Thursday, September 8, 2011 3:35 AM
  • I also am stuck with this exact same issue. I need restrictive permissions on the HomeGroup and less restrictive for myself.

    Unfortunately, it seems the two systems (per user rights and HomeGroup) were not really meant to work together. This is a very unfortunate design decision that does nothing good for customers. Does this mean we have to choose between granular security and PlayTo?

    I honestly am puzzled trying to understand how such a bad decision could end up in the final product. The "server" group clearly has a long way to go before being able to push consumer-level stuff out the door. The WHS front end should be handled by the entertainment division (Zune/XBOX).

     

    Homegroup security is "all or nothing". The HSBS team doesn't have a say in how it works; if enabled, it overrides the security you set "per share" for any computer joined to the homegroup. That's how the Windows 7 team wants it to work; the HSBS team is just along for the ride.

    That they were able to include homegroups at all is something of a surprise to me, since homegroups are disabled in Windows Server 2008 R2. And to be honest, I think the way it works makes perfect sense: if you need to set per-user permissions, you don't use homegroups, which are designed to let a home user of Windows set overall (and generally very relaxed) permissions for everything.


    I'm not on the WHS team, I just post a lot. :)
    Thursday, September 8, 2011 11:32 AM
  • I experimented with this issue and I think it has something to do with how Windows connects to a server or share. Windows is unable to connect with different users to the same server. That means if you already connect to the server via Homegroup you can't connect with your specific user anymore and that's why you get just the access rights of the Homegroup. You can get your desired behavior if you do this.

    1. Create a share "work" on the Homeserver and give your user full access and your Homegroup no access
    2. Leave the Homegroup
    3. Disconnect from the network (that will close all handles to the server)
    4. Reconnect to the network
    5. Open the share via \\myhomeserver\work That will connect you via username/password and you get full access
    6. Join the Homegroup
    7. The folder "work" is not visible via Homegroup because it is not accessible via Homegroup

    That proves my point that you get the access rights of the user that connects first to the server. If it's the Homegroup you get the limited access rights. I haven't tested what happens first on the reboot and whether there is a way to guarantee that the user connects first before the Homegroup.

    Thursday, November 17, 2011 6:47 PM
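
A scripted variant of steps 3 to 5 above, added here as an example and not part of the original post: instead of unplugging the network it drops the client's existing SMB connections with `net use`, reconnects with explicit credentials, and tests write access with a probe file. The server and share names are the ones used in the post; the account name is hypothetical, and whether this keeps working once the PC rejoins the homegroup is the poster's observation, not something the script proves.

```powershell
# Added example, not from the thread. Run on the client PC in the user's own session.
# "myhomeserver" and "work" are the names used in the post above.
$Server = 'myhomeserver'
$Share  = 'work'
$User   = "$Server\david"        # hypothetical Dashboard account, replace with your own
$Unc    = "\\$Server\$Share"

# Show the SMB connections this logon session already holds to the server.
# Windows allows only one identity per server per logon session, so any
# entry listed here decides which account later accesses are made under.
Write-Host "Existing connections to ${Server}:"
net use | Select-String -SimpleMatch "\\$Server\" | ForEach-Object { $_.Line }

# Drop every remembered and active connection (all servers, not only this one).
# Close Explorer windows and open files on the server first, or the delete
# can fail or leave a session behind.
net use * /delete /y | Out-Null

# Reconnect with explicit credentials. "*" makes net use prompt for the
# password instead of placing it on the command line.
net use $Unc * /user:$User
if ($LASTEXITCODE -ne 0) {
    # "System error 1219" at this point means a connection under another
    # identity is still open to the same server.
    Write-Warning "Connect to $Unc failed (exit code $LASTEXITCODE)."
    return
}

# Verify the effective permission by actually writing a probe file,
# rather than trusting the configured share settings.
$probe = Join-Path $Unc ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction Stop
    Write-Host "Read/write access confirmed on $Unc as $User"
} catch {
    Write-Warning "Write test failed on ${Unc}: $($_.Exception.Message)"
}
```
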
  • I've been hitting myself on the head for the last 2 hours because of the huge flaw.

    I want to use homegroups for my computers. But I don't want my wife's laptop to see my work files.

    So I created a folder just for me with my user selected.  But it doesn't work, I can't mount the folder on my desktop.

    I just upgraded from WHSv1 which this was easy to do both homegroup and user folders.

    what a bad design.

    Thursday, January 26, 2012 7:13 PM
  • Remove WHS 2011 from Homegroup and let WHS handle share permissions. Homegroup will override WHS 2011 shared settings. For more info see

    http://social.microsoft.com/Forums/en-US/whshardware/thread/7e80c23b-6c92-4f0d-a4fa-802f83b34f88

    http://mykneejerkreaction.wordpress.com/2011/09/02/windows-home-server-and-windows-home-groups/


    ____________

    BullDawg
    In God We Trust
    ____________
    <sam_beckett> wrote in message news:61b2dc27-38ac-4eb4-99c2-86bab2d4375c@communitybridge.codeplex.com...

    I've been hitting myself on the head for the last 2 hours because of the huge flaw.

    I want to use homegroups for my computers. But I don't want my wife's laptop to see my work files.

    So I created a folder just for me with my user selected. But it doesn't work, I can't mount the folder on my desktop.

    I just upgraded from WHSv1 which this was easy to do both homegroup and user folders.

    what a bad design.


    BullDawg
    Friday, January 27, 2012 2:45 AM