Mapping a network drive? (1 Viewer)

[Gasman]

Hi all,
I have done this countless times in the past, but this one has got me.

A PC at work that we used as an FTP server for our scanner printer died. So I put a spare PC in and put the FTP software on it and configured it for the same static IP address.
If I scan a document, it goes to the correct folder as before.

Then I map that folder with a dedicated account name and password, and use those details to map the folder as a drive from other PCs. Then anyone can scan and then pick up their scan from that folder/drive.

This is all working, but, I cannot see the scanned documents.
I can put files into that folder and they are visible on the scanner pc, but the scanned files are not visible to others PCS. I can browse to that shared folder via the network, but still no scanned files, which are pdfs. i even changed one to txt as I had created two text files as a test in that folder and they still were not visible.
All PCs are windows 10.

I have no clue as to how this is happening, as I said, I have done this countless times previously and never had this issue?

Does anyone have an inkling of what might be happening please.
I can only get to the PCs on a Friday morning, so will take time to try any advice offered.

TIA

 

[The_Doc_Man]

OK, understand that the machine hosting a particular folder to the network is that machine's File Locking manager because Windows uses the Distributed File Manager concept as a way to load-share network access. Therefore, your replacement machine is where you will do the work I'm about to describe. This has nothing to do with an Access lock file like an .LDB or .LACCDB! This is all about WINDOWS file sharing.

Windows file access arbitration will look at the permissions attached to a file or folder in order to decide what a user can see and do. The trick for a machine being used (in part) as a file server is that the shared folder must allow multiple users whatever file permissions are appropriate for that function. Off-hand, I'm thinking Modify-level access rights.

So go to the folder in question with the normal Windows File Explorer. That folder resides as a file in a higher-level folder, so go there. Identify that folder icon. Right-click on the folder and look at Properties >> Security. You will see identifiers enumerating who has access rights. If you click on the individual identifier, you will see WHICH rights that identifier conveys. You are looking at what is called an Access Control List, which is comprised of a bunch of Access Control Entries. Anyone can normally see this because by default the parent folder for the drive has a "Read" entry for identifier Everyone, and that identifier is further tagged with "all files in this folder and all files in child folders" or words to that effect; i.e. Read access is inherited from the root folder of the drive and distributed automatically.

The identifiers in a list CAN be individual names or they can be explicit group identifiers (which are created by the domain admin) or they can be Windows group identifiers from a pre-defined list, such as "Everyone" "Administrator" "Authenticated Users" "Operators" etc.

If you want anyone who has legitimately logged in to the domain to have access, you need "Authenticated Users" to be in the list and it has to associate with whatever permission you want all users to have. If you want the users to be able to copy files and delete them, you might need Modify as the generic permission. (Modify is the same generic permission required for sharing Access files, so not uncommon.) Note, however, that you must have elevated control over the folder (that is another permission), at least enough to Set Permissions.

You can set one of several generic permissions or any of 22 individual permissions. I recommend the generic permissions.

Here is a link if you need a refresher course in permissions.

Access Control overview - Windows Security

Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.

learn.microsoft.com

 

[Gasman]

Thanks Doc,
I'll try that out next Friday.
Still strange how I can put files in there, but not see the other files. I made sure the dedicated user had read/write permissions on the share.

 

[The_Doc_Man]

As an addendum, IF you decide to add some kind of identifier/permission pair (=an Access Control Entry or ACE), remember this rule: First match wins starting from the top down. So if you happen to have TWO rights identifiers that apply to the same folder, the rights you get will be the ones that match the first item in the list for which you hold the matching identifier. EVEN if the second identifier conveys more lenient permissions. OR more stringent permissions.

The general design rule for an Access Control List (ACL) is that the MOST SPECIFIC ACEs come first in the list. For a domain-based list that is widely shared, it is not unusual to see the LAST entry in the list as <Everybody:NO ACCESS> because you give other permissions first, and someone who isn't in the "other permissions" list gets nothing.

Note that it is possible that you would also see inherited ACEs, particularly in a domain environment with folder sharing. Let's say you have a user named George who will manage the folder. Your ACL might look like this:

#1: <George, FULL CONTROL>
#2: <Authenticated Users, MODIFY>
#3: <All Users, READ> - inherited
#4: <Everybody, NO ACCESS>

This way, George gets FULL CONTROL because his ACE came first. If that first ACE were moved down to 2nd place (under Authenticated Users) he would get MODIFY because George, to even have a Domain Login ID, would count as an authenticated user. It IS possible to rearrange the order of an ACL but beware of that last one. If it is present, it is for security to protect against network users who are browsing from a guest account. If you move it, the file with that ACL could be exposed to network hackers.

 

[Gasman]

I have never had to do any of that doc.
I create a dedicated account, lets call it scanner and a password. Then everyone maps using those credentials.
That user has read/write access to the scans folder. That is it.

 

[The_Doc_Man]

It is unfortunate that your prior machine died on you because you would have been able to examine the security configuration of the relevant folder and just re-create it. However, the description of your problem still makes me think "permissions."

Here is a fairly simple test you can try. When you connect to this machine, move to the shared folder, find a couple of different files and do that right-click>>properties>>security for each file. Then click the Advanced button in the lower right quadrant. The next box includes the details of the ACL but it ALSO tells you who owns the file.

In the circumstances that you have described, the file owner would be one of a limited number of possibilities. One is SYSTEM, because the FTP program is probably owned by SYSTEM (though it COULD be ADMINISTRATOR or a local intrinsic group). Another is the scanner account you created as a login surrogate. If ANY of the files have that ownership, ALL of them should have that ownership. The third possibility is that you would see the domain account names of each of your users who use that facility.

To do this more easily, you can open the Command Prompt, use the CD command to navigate to this shared folder, and then from the CMD> prompt, type

DIR /Q

which will give you a list of files and each file's owner. IF you see ownership as "machine-name/username" then a domain environment doesn't exist and some of those special intrinsic names won't matter. If you see each individual username (rather than the scanner account), you know that your ploy to establish that sharing didn't work as planned because their security profile in that context still matches their local logins.

 

[Gasman]

Will do Doc.

Thank you.

 

[Gasman]

OK, in the office today.
I mapped the C drive to everyone, with read and write permissions.
That allows me to get into the C drive from my laptop and get to the Scans folder and see ALL the files.
However if I try an find the owner, it tells me it is unable to determine owner.

We lent these PCs to a small firm and god knows what they have done with them.
I think I will just reinstall windows from scratch and start afresh.

Even taking ownership of the folder does not help.