The other day I implemented the Microsoft Access-based Enumeration tool for the first time with a customer. The tool installs on Windows Server 2003 and presents you with a new tab when you choose Properties on shares on the server. When activated, it makes sure that users on their client computers don’t see files and folders in Windows Explorer to which they do not have permission.
In Windows Vista it might at first glance appear tricky to automatically enable File and Printer sharing and Network discovery. However, it is actually very easy when you know what to type. The “netsh” command comes in handy here, and you can use the commands below in a script to enable both on many clients automatically.
To enable File and Printer sharing you run the command:
netsh firewall set service type=fileandprint mode=enable profile=all
To enable Network discovery you run the command:
netsh advfirewall firewall set rule group="network discovery" new enable=yes
Please note that you can change which profile the changes apply to.
EDIT: First and foremost, I accidentally added the “profile=all” to the Network Discovery string which is totally incorrect, as Network discovery is enabled for all profiles when this command is run. Second, if you are using Windows in a language other than English you will have to adjust “network discovery” to what it is called in your localized language. For instance on the Swedish version of Vista it would be:
netsh advfirewall firewall set rule group="nätverksidentifiering" new enable=yes
EDIT 2: The network discovery script only works with Windows Vista with Service Pack 1.
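The two commands above, wrapped as a deployment script that fails loudly instead of silently skipping a client (an added example, not part of the original post). The file name enable-sharing.cmd, the argument order and the exit codes are assumptions made for illustration; "domain" is one of the profile values the legacy "netsh firewall" context accepts besides "all".

```batch
@echo off
rem enable-sharing.cmd (hypothetical name) - added example, not from the post.
rem Usage: enable-sharing.cmd [profile] ["rule group name"]
rem   profile    : all (the post's value), domain, standard or current
rem   group name : localized name of the Network discovery rule group,
rem                e.g. "nätverksidentifiering" on Swedish Vista
setlocal

set "PROFILE=%~1"
if not defined PROFILE set "PROFILE=all"
set "GROUP=%~2"
if not defined GROUP set "GROUP=network discovery"

rem File and Printer sharing: command from the post, profile made selectable.
rem "all" also opens the exception on non-domain networks; "domain" limits
rem it to the domain profile.
netsh firewall set service type=fileandprint mode=enable profile=%PROFILE%
if errorlevel 1 (
    echo [FAIL] File and Printer sharing not enabled for profile=%PROFILE% 1>&2
    exit /b 1
)

rem Network discovery: no profile argument here, as the post's EDIT explains.
rem netsh reports an error when no rule group matches, which is what happens
rem with a wrong localized name or on Vista without Service Pack 1.
netsh advfirewall firewall set rule group="%GROUP%" new enable=yes
if errorlevel 1 (
    echo [FAIL] Rule group "%GROUP%" not enabled. 1>&2
    echo        Check the localized group name and that SP1 is installed. 1>&2
    exit /b 2
)

rem Print the resulting service exceptions so a deployment log records
rem exactly what was opened on this client.
netsh firewall show service

echo [OK] File and Printer sharing (profile=%PROFILE%) and "%GROUP%" enabled.
exit /b 0
```

If the group name contains non-ASCII characters, save the script in the console's code page or pass the name as an argument, otherwise the group will not match.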
After installing SP1 I can no longer access my network shares which contain my Documents. After contacting Microsoft they have concluded that there actually is a change in the way Windows Vista SP1 handles Kerberos communication. The changes only have an effect when you use Active Directory to store accounts which are then mapped using altSecurityIdentity to use the password from an external Kerberos server. In my case we are using a Heimdal Kerberos server but the problem might affect users of MIT Kerberos as well. Logging in to the Windows system itself is not a problem; the only problem seems to be when accessing file shares (using CIFS).
Until the Heimdal Kerberos is patched to solve this problem there is a workaround for the problem. On the client computer you have to add a registry key with your domain name and then add a REG_SZ value named “SpnMappings” with the value “.your.domain.com” in the registry key below:
After restarting the computer you can access the network share as expected.