Category: Network

Hide files and folders which users don’t have permission to

The other day I implemented the Microsoft Access-based Enumeration tool for the first time with a customer. The tool installs on Windows Server 2003 and presents you with a new tab when you choose Properties on shares on the server. When activated, it makes sure that users on their client computers don’t see files and folders in Windows Explorer to which they do not have permission.

Download the Access-based Enumeration tool

Script for enabling Network discovery and File and Printer sharing in Vista

In Windows Vista it might at first glance appear tricky to automatically enable File and Printer sharing and Network discovery. However, it is actually very easy when you know what to type. The “netsh” command comes in handy here, and you can use the commands below in a script to enable both on many clients automatically.

To enable File and Printer sharing you run the command:

netsh firewall set service type=fileandprint mode=enable profile=all

To enable Network discovery you run the command:

netsh advfirewall firewall set rule group="network discovery" new enable=yes

Please note that you can change which profile you want to apply the changes for.

EDIT: First and foremost, I accidentally added the “profile=all” to the Network Discovery string, which is totally incorrect, as Network discovery is enabled for all profiles when this command is run. Second, if you are using Windows in a language other than English you will have to adjust “network discovery” to what it is called in your localized language. For instance, on the Swedish version of Vista it would be:

netsh advfirewall firewall set rule group="nätverksidentifiering" new enable=yes

EDIT 2: The network discovery script only works with Windows Vista with Service Pack 1.
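An added check, not part of the original post: since the File and Printer sharing command above uses profile=all, it is worth confirming afterwards which rules in the two groups ended up enabled for the Public profile. This Python sketch parses the output of `netsh advfirewall firewall show rule name=all verbose`; the sample text is constructed, its field layout is assumed from English-language Windows (group names are localized, as noted above), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on English output of
# "netsh advfirewall firewall show rule name=all verbose" (layout assumed).
SAMPLE = """\
Rule Name:                            Network Discovery (NB-Name-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Network Discovery

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:                             File and Printer Sharing

Rule Name:                            Network Discovery (SSDP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
Grouping:                             Network Discovery
"""
WATCHED = {"network discovery", "file and printer sharing"}

def parse_rules(text):
    """Return one dict of 'Field: value' pairs per rule block."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s+(.*\S)", line)
        if not m:
            continue  # separator or blank line
        if m.group(1) == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][m.group(1)] = m.group(2)
    return rules

def enabled_on_public(text, groups=WATCHED):
    """Names of enabled inbound rules in the watched groups that cover Public."""
    hits = []
    for r in parse_rules(text):
        profiles = {p.strip().lower() for p in r.get("Profiles", "").split(",")}
        if (r.get("Grouping", "").lower() in groups and "public" in profiles
                and r.get("Enabled") == "Yes" and r.get("Direction") == "In"):
            hits.append(r["Rule Name"])
    return hits
```

Feed it the saved netsh output from a client and review any rule names it returns before rolling the script out more widely.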

Vista SP1 change causes Kerberos problems

After installing SP1 I can no longer access my network shares which contain my Documents. After contacting Microsoft they have concluded that there actually is a change in the way Windows Vista SP1 handles Kerberos communication. The change only has an effect when you use Active Directory to store accounts which are then mapped using altSecurityIdentity to use the password from an external Kerberos server. In my case we are using a Heimdal Kerberos server, but the problem might affect users of MIT Kerberos as well. Logging in to the Windows system itself is not a problem; the only problem seems to be when accessing file shares (using CIFS).

Until the Heimdal Kerberos is patched to solve this problem, there is a workaround. On the client computer you have to add a registry key with your domain name and then add a REG_SZ value named “SpnMappings” with the value “” in the registry key below:


After restarting the computer you can access the network share as expected.