Friday, 12 March 2010

Granting permissions to another computer in Windows

Hello there!

Do you ever get confused about which user to grant permission to on a specific folder?

What if you want to simply want to grant any access requests from another computer? (perhaps the other computer is a front end server - in web hosting, it's common practice to store your static files on another server).

One other reason to do this is so that you don't have to set up impersonation to give your website access to a network resource (the most common way of doing impersonation is storing cleartext passwords in web.config, which is kinda frowned upon).

Well, all you need to do to work around all the above issues is give the other computer itself permissions, then any user on the other computer will inherit the permissions (like the network service/aspnet user, for example):

  1. Open up the permissions/properties dialog for the folder (XP/2003 dialog shown below - in Vista/2008 you would right click and go to Sharing/Permissions).
  2. Click Add.
  3. By Default, the only "objects" you can share with are Users, Groups and Security Principals.
  4. Click on the "Object Types" button and check "Computers".
  5. Under "Enter the object names to select", type the other computer's name followed by a dollar ($) sign. For example "WEB$".
  6. Click "Check Names".
  7. Once the name is verified, click OK. You will now see something like this:

Now just set up your permission - this depends on what you want the other computer's users to be able to do (in my case any user on the WEB server). At the most, you should only need to give read and write access. Higher permissions like List Folder Contents, Modify and Full Control should only be granted to the Administrators group.

By the way, if you're running IIS7 remember to set the Application Pool to use the NETWORK SERVICE user, not the default IUSR, or this won't work. I'll detail how and why in a future post.


zig13 said...

For me "Computers" does not appear as an option in Object Types. Do you know why this might be and how it could be rectified. This is the exact functionality I have been looking for

Windows Linux Admin said...

Not sure. What OS are you running? Is your PC in a domain or just a workgroup?

zig13 said...

Just a workgroup. Running XP Home fiddled to think it's professional to get access to non-simple sharing. I live in a shared house with shared wifi so I can't just share things outright. My computers are crossover networked in the same workgroup and I want so share stuff between them for synchronization purposes.

Windows Linux Admin said...

Needs to be in a domain... computer object types don't exist in a workgroup.

Anonymous said...

I really want this to work, but it doesn't appear to. I shared a folder on my Windows 7 desktop with another Windows 7 desktop on the domain. However, navigating to the \{computername}\{share} in explorer gives me access denied every time. The only way I get access is if permission is granted at the user or group level. Any thoughts?