Questions and Answers
Question: Should you now disable the Guest
account? Having set up explicit share permissions, do you still
need the Guest account enabled?
Answer: Most network administrators would not enable
the Guest account.
If ALL users who you wish to permit to access to your machine have
specific accounts, then you should disable the Guest account.
They will still have access to shares that you created with Simple
File Sharing, because this put the everyone group in
the ACL, and that includes all the users you created, as well as
If you need to allow 'other' unspecified users access to some of
the shares, then you must leave the Guest account enabled.
The guest users will only be granted access to shares with Guest
permissions. That includes any shares with the Everyone group.
They will be unable to access shares without explicit guest permissions.
To disable the Guest account:
- Click Start | Control Panel | Performance
and Maintenance | Administrative Tools | Computer
- Open the Local Users and Groups | Users folder;
- Right-click on Guest and select Properties;
- Check Account is disabled.
- Click OK.
Guest account is disabled, as shown by the red 'X'.
NOTE: In Control Panel | User Accounts,
there is apparently the option to turn the Guest account
This does not disable the Guest account.
It only prevents Guest logins at the console of the
local machine. The Guest account is still enabled for network
Use the method described above to disable the Guest account.
Note also that turning the Guest account on from Control
Panel | User Accounts will both enable the Guest
account and permit local login.
Question: If you have more than one XP Professional
machine, do you need to create user accounts on them all?
Answer: Say you have several XP Professional machines,
each with disks and folders to be shared. When you go to add users
to the ACL, the only users available to be added are from the local
machine! Do you need to create identical user accounts on all the
The basic answer is YES. You need to create identical user accounts
on all machines which a user needs to access. It's best if the
user name and password are the same on all of them. Then, the user
name and password offered by that machine will be accepted by all
of the other computers.
Does this seem messy? Wouldn't it be more sensible if the user
accounts could be created on one central machine, and in the ACL
editor you had the option to select remote users from the central
user list as well as just locally-defined users?
Well, you can, and this is called a domain. A domain is
a group of computers which share a common user account database.
To create a domain, you need a Windows NT or Windows 2000 server
set up as a ‘domain controller'. You then create all the user
accounts on the domain controller. Individual servers (machines
with stuff to share) 'join' the domain. You do not create user accounts
on them. The act of 'Joining the Domain' adds a new option in the
ACL editor. Now, you can add not just local users, but also users
and groups from the domain. Now, we have a single centralised set
of user accounts which can be used across multiple servers.
It is beyond the scope of this article to describe domains.