Windows 10 Professional Workgroup Setup IssuesWindows 7 -Can't get access to shared folder from one computer...

Book where a space ship journeys to the center of the galaxy to find all the stars had gone supernova

What language shall they sing in?

Why is the "Domain users" group missing from this Powershell AD Query?

How do you get out of your own psychology to write characters?

Why is one not obligated to give up his life rather than violate Lashon Hara?

I have trouble understanding this fallacy: "If A, then B. Therefore if not-B, then not-A."

Subsurf on a crown. How can I smooth some edges and keep others sharp?

Why avoid shared user accounts?

If angels and devils are the same species, why would their mortal offspring appear physically different?

Categorical Unification of Jordan Holder Theorems

A fantasy book with seven white haired women on the cover

"Starve to death" Vs. "Starve to the point of death"

Cat is tipping over bed-side lamps during the night

What is the difference between "...", '...', $'...', and $"..." quotes?

Does an Eldritch Knight's Weapon Bond protect him from losing his weapon to a Telekinesis spell?

How can the probability of a fumble decrease linearly with more dice?

How would an AI self awareness kill switch work?

Why do we have to make "peinlich" start with a capital letter and also end with -s in this sentence?

How do you funnel food off a cutting board?

Do authors have to be politically correct in article-writing?

Why are carbons of Inositol chiral centers?

Translation needed for 130 years old church document

How can I play a serial killer in a party of good PCs?

Integration of two exponential multiplied by each other



Windows 10 Professional Workgroup Setup Issues


Windows 7 -Can't get access to shared folder from one computer to anotherWorkgroup connection: You may not have permissionAccessing workgroup computer using lusrmgr.mscAccess workgroup share from domain clientLocked out from Windows 8.1 administrator account being disabledWorkgroup LogonHow to share files between administrator and standard account?PSEXEC OpenSCManager fails when execute command for workgroup from domainUsing wmic to get workgroup in a batch fileLost administrator rights on windows 10













0















I will soon embark on a task of upgrading the IT infrastructure of a company's head office. I briefly considered hiring an IT administrator to do this part of the job, but after assessing what they have, I am inclined to think that may be overkill. That being said, I also don't know exactly what I'm doing and I'm trying to learn. They currently have 6 workstation computers all running windows 7 (one of which is running as a server for file sharing, among a few other things).



In preparation I've installed windows 10 professional on a spare computer I have at home and I am trying to implement the same type of setup here using whatever (probably outdated) best practices I know. But I'm running into issues already.



For example, I cannot create a user called "administrator". I had always thought that you are going to want an administrator account for all things admin and a regular user account for daily use. Yet I get an error telling me that account cannot be made. I know this can be done, as the machines at my workplace have an administrator account, but that may be something related to the domain, which I do not have.



I think all of this can be managed simply by understanding how to set up and administer a "workgroup" with filesharing from the server machine, but my first basic task of creating an administrator has already gone wrong. As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.



Can someone point me to a good and current best practices resource I can follow for setting up a workgroup with some basic features, like file sharing, etc?










share|improve this question







New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 2





    A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

    – Scott
    1 hour ago






  • 1





    (Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

    – Scott
    1 hour ago











  • Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

    – Matt1776
    40 mins ago
















0















I will soon embark on a task of upgrading the IT infrastructure of a company's head office. I briefly considered hiring an IT administrator to do this part of the job, but after assessing what they have, I am inclined to think that may be overkill. That being said, I also don't know exactly what I'm doing and I'm trying to learn. They currently have 6 workstation computers all running windows 7 (one of which is running as a server for file sharing, among a few other things).



In preparation I've installed windows 10 professional on a spare computer I have at home and I am trying to implement the same type of setup here using whatever (probably outdated) best practices I know. But I'm running into issues already.



For example, I cannot create a user called "administrator". I had always thought that you are going to want an administrator account for all things admin and a regular user account for daily use. Yet I get an error telling me that account cannot be made. I know this can be done, as the machines at my workplace have an administrator account, but that may be something related to the domain, which I do not have.



I think all of this can be managed simply by understanding how to set up and administer a "workgroup" with filesharing from the server machine, but my first basic task of creating an administrator has already gone wrong. As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.



Can someone point me to a good and current best practices resource I can follow for setting up a workgroup with some basic features, like file sharing, etc?










share|improve this question







New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 2





    A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

    – Scott
    1 hour ago






  • 1





    (Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

    – Scott
    1 hour ago











  • Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

    – Matt1776
    40 mins ago














0












0








0








I will soon embark on a task of upgrading the IT infrastructure of a company's head office. I briefly considered hiring an IT administrator to do this part of the job, but after assessing what they have, I am inclined to think that may be overkill. That being said, I also don't know exactly what I'm doing and I'm trying to learn. They currently have 6 workstation computers all running windows 7 (one of which is running as a server for file sharing, among a few other things).



In preparation I've installed windows 10 professional on a spare computer I have at home and I am trying to implement the same type of setup here using whatever (probably outdated) best practices I know. But I'm running into issues already.



For example, I cannot create a user called "administrator". I had always thought that you are going to want an administrator account for all things admin and a regular user account for daily use. Yet I get an error telling me that account cannot be made. I know this can be done, as the machines at my workplace have an administrator account, but that may be something related to the domain, which I do not have.



I think all of this can be managed simply by understanding how to set up and administer a "workgroup" with filesharing from the server machine, but my first basic task of creating an administrator has already gone wrong. As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.



Can someone point me to a good and current best practices resource I can follow for setting up a workgroup with some basic features, like file sharing, etc?










share|improve this question







New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I will soon embark on a task of upgrading the IT infrastructure of a company's head office. I briefly considered hiring an IT administrator to do this part of the job, but after assessing what they have, I am inclined to think that may be overkill. That being said, I also don't know exactly what I'm doing and I'm trying to learn. They currently have 6 workstation computers all running windows 7 (one of which is running as a server for file sharing, among a few other things).



In preparation I've installed windows 10 professional on a spare computer I have at home and I am trying to implement the same type of setup here using whatever (probably outdated) best practices I know. But I'm running into issues already.



For example, I cannot create a user called "administrator". I had always thought that you are going to want an administrator account for all things admin and a regular user account for daily use. Yet I get an error telling me that account cannot be made. I know this can be done, as the machines at my workplace have an administrator account, but that may be something related to the domain, which I do not have.



I think all of this can be managed simply by understanding how to set up and administer a "workgroup" with filesharing from the server machine, but my first basic task of creating an administrator has already gone wrong. As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.



Can someone point me to a good and current best practices resource I can follow for setting up a workgroup with some basic features, like file sharing, etc?







networking windows-10 administrator file-sharing workgroup






share|improve this question







New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









Matt1776Matt1776

1032




1032




New contributor




Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Matt1776 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 2





    A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

    – Scott
    1 hour ago






  • 1





    (Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

    – Scott
    1 hour ago











  • Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

    – Matt1776
    40 mins ago














  • 2





    A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

    – Scott
    1 hour ago






  • 1





    (Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

    – Scott
    1 hour ago











  • Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

    – Matt1776
    40 mins ago








2




2





A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

– Scott
1 hour ago





A quick nudge in the direction of a partial answer: On Windows 7, at least, you can’t create a user called “Administrator” because the system creates one automatically.   You can’t see it (unless you look very hard) or login as it because it’s disabled.   You should create an administrator user with some non-reserved name (e.g., “SuperMatt”, or whatever you want) and a non-administrator account.   (The difference, or at least a difference, is that the administrator user is in the “Administrators” group.)   … (Cont’d)

– Scott
1 hour ago




1




1





(Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

– Scott
1 hour ago





(Cont’d) …   Then, if you want, you can enable the disabled, built-in “Administrator” account — but you probably shouldn’t do this unless you have a really good reason.

– Scott
1 hour ago













Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

– Matt1776
40 mins ago





Thank you - that is very helpful from a practical standpoint. My information is very old, I have left the IT stuff to the "IT guys" for a long time so this is the first time in a long time I've had to ask these kinds of questions.

– Matt1776
40 mins ago










1 Answer
1






active

oldest

votes


















1














This isn't a place for "best practice resources"; it's a forum for solving specific problems. (Ideally one problem per thread.)




For example, I cannot create a user called "administrator".




It already exists; see lusrmgr.msc if you want to unlock and use it. The built-in account is somewhat special, e.g. it bypass UAC, and it's recognized by the login screen as always a local (non-domain) account.



For local use, UAC somewhat mitigates the problem – even if you're logged in as an admin, you don't actually get admin access until you go through the elevation prompt ("run as administrator"). Unfortunately there's no such thing for network privileges; if you log in as a domain admin, there are no prompts or blocks whatsoever preventing malware from performing AD administration as you. So the practice is still relevant.




I think all of this can be managed simply by understanding how to set up and administer a "workgroup"




Workgroups don't actually affect accounts at all; users continue using their local accounts, and log in to servers using accounts on that server. To be clear – in Windows, a "workgroup" isn't something you separately enable, and it doesn't give you any new features. It's just the default mode of standalone (non-domain) PCs.



(Not to be confused with "workgroup name", which is a NetBIOS Browsing parameter that tells it which computers to show/discover and which ones to ignore.)



You might be thinking of domains (Active Directory), which do centralize authentication and do provide central management features (via Group Policy, etc).



Or you might be confusing workgroups with HomeGroups, which used to be an actual workgroup-oriented feature in Windows 7–8.1 that automatically configured a shared account for the whole LAN on all computers joined to the homegroup. (As the name says, homegroups were meant for home use where all machines are trusted. Homegroups were removed in Windows 10.1803.)




As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.




This is actually the last thing to deal with from the technical side – it involves the most complex protocols and is furthest away from the actual file-server connection. (For clarity, note that enabling "SMBv1" in Windows features actually enables two protocols at once – the second is the whole NetBIOS suite, and that's what gives you these features.)




  1. Actually accessing another computer's files is the simplest part, all you need is regular SMBv2/3 and that computer's IP address. Open \192.168.x.y in the navigator and you have it.



  2. Accessing other computers by name needs additional protocols but still tends to be simple technically. It can be handled by DNS on your router, or by LLMNR on WinVista+, or by mDNS in Win10.1803+, or finally by NetBIOS' NBNS if you've enabled the "SMBv1" feature.



    This lets you use \computername in the navigator. But in the end, all it does is convert the name to an IP address, so you have to get #1 working first anyway




  3. Finally, discovering other computers requires more complex protocols and even features that the network needs to support. Windows has two protocols which can be used for this (simultaneously): WS-Discovery from the SMBv2/3 era and NetBIOS Browsing from the SMBv1 era.



    NetBIOS Browsing was designed for LANs in the 1990s and although it specifically tried hard to be less fragile, on modern LANs it tends to achieve the opposite result. Besides, to enable NetBIOS at all, you had to enable SMBv1 as well – and SMBv1 is considered a major attack vector even by Microsoft themselves. So you should first try to get WS-Discovery working without SMBv1/NetBIOS enabled.



    To do this, uninstall SMBv1 client & server again, then enable the two "Function Discovery" services via services.msc. See this Microsoft KB article for more information (scroll down to "Explorer Network Browsing").



    (Note: WS-Discovery and the aforementioned LLMNR may need IPv6 to be enabled on the systems. If you're disabling IPv6...don't disable IPv6.)




On a "file server" environment you don't really need to bother with discovery – people won't be connecting to each other's PCs randomly, they'll just be connecting to specific shares on your designated server. You can just make desktop shortcuts or map network drives for those.






share|improve this answer


























  • This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

    – Matt1776
    41 mins ago











  • To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

    – grawity
    30 mins ago











  • Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

    – Matt1776
    3 mins ago











  • I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

    – Matt1776
    46 secs ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






Matt1776 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1409411%2fwindows-10-professional-workgroup-setup-issues%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














This isn't a place for "best practice resources"; it's a forum for solving specific problems. (Ideally one problem per thread.)




For example, I cannot create a user called "administrator".




It already exists; see lusrmgr.msc if you want to unlock and use it. The built-in account is somewhat special, e.g. it bypass UAC, and it's recognized by the login screen as always a local (non-domain) account.



For local use, UAC somewhat mitigates the problem – even if you're logged in as an admin, you don't actually get admin access until you go through the elevation prompt ("run as administrator"). Unfortunately there's no such thing for network privileges; if you log in as a domain admin, there are no prompts or blocks whatsoever preventing malware from performing AD administration as you. So the practice is still relevant.




I think all of this can be managed simply by understanding how to set up and administer a "workgroup"




Workgroups don't actually affect accounts at all; users continue using their local accounts, and log in to servers using accounts on that server. To be clear – in Windows, a "workgroup" isn't something you separately enable, and it doesn't give you any new features. It's just the default mode of standalone (non-domain) PCs.



(Not to be confused with "workgroup name", which is a NetBIOS Browsing parameter that tells it which computers to show/discover and which ones to ignore.)



You might be thinking of domains (Active Directory), which do centralize authentication and do provide central management features (via Group Policy, etc).



Or you might be confusing workgroups with HomeGroups, which used to be an actual workgroup-oriented feature in Windows 7–8.1 that automatically configured a shared account for the whole LAN on all computers joined to the homegroup. (As the name says, homegroups were meant for home use where all machines are trusted. Homegroups were removed in Windows 10.1803.)




As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.




This is actually the last thing to deal with from the technical side – it involves the most complex protocols and is furthest away from the actual file-server connection. (For clarity, note that enabling "SMBv1" in Windows features actually enables two protocols at once – the second is the whole NetBIOS suite, and that's what gives you these features.)




  1. Actually accessing another computer's files is the simplest part, all you need is regular SMBv2/3 and that computer's IP address. Open \192.168.x.y in the navigator and you have it.



  2. Accessing other computers by name needs additional protocols but still tends to be simple technically. It can be handled by DNS on your router, or by LLMNR on WinVista+, or by mDNS in Win10.1803+, or finally by NetBIOS' NBNS if you've enabled the "SMBv1" feature.



    This lets you use \computername in the navigator. But in the end, all it does is convert the name to an IP address, so you have to get #1 working first anyway




  3. Finally, discovering other computers requires more complex protocols and even features that the network needs to support. Windows has two protocols which can be used for this (simultaneously): WS-Discovery from the SMBv2/3 era and NetBIOS Browsing from the SMBv1 era.



    NetBIOS Browsing was designed for LANs in the 1990s and although it specifically tried hard to be less fragile, on modern LANs it tends to achieve the opposite result. Besides, to enable NetBIOS at all, you had to enable SMBv1 as well – and SMBv1 is considered a major attack vector even by Microsoft themselves. So you should first try to get WS-Discovery working without SMBv1/NetBIOS enabled.



    To do this, uninstall SMBv1 client & server again, then enable the two "Function Discovery" services via services.msc. See this Microsoft KB article for more information (scroll down to "Explorer Network Browsing").



    (Note: WS-Discovery and the aforementioned LLMNR may need IPv6 to be enabled on the systems. If you're disabling IPv6...don't disable IPv6.)




On a "file server" environment you don't really need to bother with discovery – people won't be connecting to each other's PCs randomly, they'll just be connecting to specific shares on your designated server. You can just make desktop shortcuts or map network drives for those.






share|improve this answer


























  • This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

    – Matt1776
    41 mins ago











  • To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

    – grawity
    30 mins ago











  • Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

    – Matt1776
    3 mins ago











  • I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

    – Matt1776
    46 secs ago
















1














This isn't a place for "best practice resources"; it's a forum for solving specific problems. (Ideally one problem per thread.)




For example, I cannot create a user called "administrator".




It already exists; see lusrmgr.msc if you want to unlock and use it. The built-in account is somewhat special, e.g. it bypass UAC, and it's recognized by the login screen as always a local (non-domain) account.



For local use, UAC somewhat mitigates the problem – even if you're logged in as an admin, you don't actually get admin access until you go through the elevation prompt ("run as administrator"). Unfortunately there's no such thing for network privileges; if you log in as a domain admin, there are no prompts or blocks whatsoever preventing malware from performing AD administration as you. So the practice is still relevant.




I think all of this can be managed simply by understanding how to set up and administer a "workgroup"




Workgroups don't actually affect accounts at all; users continue using their local accounts, and log in to servers using accounts on that server. To be clear – in Windows, a "workgroup" isn't something you separately enable, and it doesn't give you any new features. It's just the default mode of standalone (non-domain) PCs.



(Not to be confused with "workgroup name", which is a NetBIOS Browsing parameter that tells it which computers to show/discover and which ones to ignore.)



You might be thinking of domains (Active Directory), which do centralize authentication and do provide central management features (via Group Policy, etc).



Or you might be confusing workgroups with HomeGroups, which used to be an actual workgroup-oriented feature in Windows 7–8.1 that automatically configured a shared account for the whole LAN on all computers joined to the homegroup. (As the name says, homegroups were meant for home use where all machines are trusted. Homegroups were removed in Windows 10.1803.)




As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.




This is actually the last thing to deal with from the technical side – it involves the most complex protocols and is furthest away from the actual file-server connection. (For clarity, note that enabling "SMBv1" in Windows features actually enables two protocols at once – the second is the whole NetBIOS suite, and that's what gives you these features.)




  1. Actually accessing another computer's files is the simplest part, all you need is regular SMBv2/3 and that computer's IP address. Open \192.168.x.y in the navigator and you have it.



  2. Accessing other computers by name needs additional protocols but still tends to be simple technically. It can be handled by DNS on your router, or by LLMNR on WinVista+, or by mDNS in Win10.1803+, or finally by NetBIOS' NBNS if you've enabled the "SMBv1" feature.



    This lets you use \computername in the navigator. But in the end, all it does is convert the name to an IP address, so you have to get #1 working first anyway




  3. Finally, discovering other computers requires more complex protocols and even features that the network needs to support. Windows has two protocols which can be used for this (simultaneously): WS-Discovery from the SMBv2/3 era and NetBIOS Browsing from the SMBv1 era.



    NetBIOS Browsing was designed for LANs in the 1990s and although it specifically tried hard to be less fragile, on modern LANs it tends to achieve the opposite result. Besides, to enable NetBIOS at all, you had to enable SMBv1 as well – and SMBv1 is considered a major attack vector even by Microsoft themselves. So you should first try to get WS-Discovery working without SMBv1/NetBIOS enabled.



    To do this, uninstall SMBv1 client & server again, then enable the two "Function Discovery" services via services.msc. See this Microsoft KB article for more information (scroll down to "Explorer Network Browsing").



    (Note: WS-Discovery and the aforementioned LLMNR may need IPv6 to be enabled on the systems. If you're disabling IPv6...don't disable IPv6.)




On a "file server" environment you don't really need to bother with discovery – people won't be connecting to each other's PCs randomly, they'll just be connecting to specific shares on your designated server. You can just make desktop shortcuts or map network drives for those.






share|improve this answer


























  • This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

    – Matt1776
    41 mins ago











  • To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

    – grawity
    30 mins ago











  • Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

    – Matt1776
    3 mins ago











  • I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

    – Matt1776
    46 secs ago














1












1








1







This isn't a place for "best practice resources"; it's a forum for solving specific problems. (Ideally one problem per thread.)




For example, I cannot create a user called "administrator".




It already exists; see lusrmgr.msc if you want to unlock and use it. The built-in account is somewhat special, e.g. it bypass UAC, and it's recognized by the login screen as always a local (non-domain) account.



For local use, UAC somewhat mitigates the problem – even if you're logged in as an admin, you don't actually get admin access until you go through the elevation prompt ("run as administrator"). Unfortunately there's no such thing for network privileges; if you log in as a domain admin, there are no prompts or blocks whatsoever preventing malware from performing AD administration as you. So the practice is still relevant.




I think all of this can be managed simply by understanding how to set up and administer a "workgroup"




Workgroups don't actually affect accounts at all; users continue using their local accounts, and log in to servers using accounts on that server. To be clear – in Windows, a "workgroup" isn't something you separately enable, and it doesn't give you any new features. It's just the default mode of standalone (non-domain) PCs.



(Not to be confused with "workgroup name", which is a NetBIOS Browsing parameter that tells it which computers to show/discover and which ones to ignore.)



You might be thinking of domains (Active Directory), which do centralize authentication and do provide central management features (via Group Policy, etc).



Or you might be confusing workgroups with HomeGroups, which used to be an actual workgroup-oriented feature in Windows 7–8.1 that automatically configured a shared account for the whole LAN on all computers joined to the homegroup. (As the name says, homegroups were meant for home use where all machines are trusted. Homegroups were removed in Windows 10.1803.)




As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.




This is actually the last thing to deal with from the technical side – it involves the most complex protocols and is furthest away from the actual file-server connection. (For clarity, note that enabling "SMBv1" in Windows features actually enables two protocols at once – the second is the whole NetBIOS suite, and that's what gives you these features.)




  1. Actually accessing another computer's files is the simplest part, all you need is regular SMBv2/3 and that computer's IP address. Open \192.168.x.y in the navigator and you have it.



  2. Accessing other computers by name needs additional protocols but still tends to be simple technically. It can be handled by DNS on your router, or by LLMNR on WinVista+, or by mDNS in Win10.1803+, or finally by NetBIOS' NBNS if you've enabled the "SMBv1" feature.



    This lets you use \computername in the navigator. But in the end, all it does is convert the name to an IP address, so you have to get #1 working first anyway




  3. Finally, discovering other computers requires more complex protocols and even features that the network needs to support. Windows has two protocols which can be used for this (simultaneously): WS-Discovery from the SMBv2/3 era and NetBIOS Browsing from the SMBv1 era.



    NetBIOS Browsing was designed for LANs in the 1990s and although it specifically tried hard to be less fragile, on modern LANs it tends to achieve the opposite result. Besides, to enable NetBIOS at all, you had to enable SMBv1 as well – and SMBv1 is considered a major attack vector even by Microsoft themselves. So you should first try to get WS-Discovery working without SMBv1/NetBIOS enabled.



    To do this, uninstall SMBv1 client & server again, then enable the two "Function Discovery" services via services.msc. See this Microsoft KB article for more information (scroll down to "Explorer Network Browsing").



    (Note: WS-Discovery and the aforementioned LLMNR may need IPv6 to be enabled on the systems. If you're disabling IPv6...don't disable IPv6.)




On a "file server" environment you don't really need to bother with discovery – people won't be connecting to each other's PCs randomly, they'll just be connecting to specific shares on your designated server. You can just make desktop shortcuts or map network drives for those.






share|improve this answer















This isn't a place for "best practice resources"; it's a forum for solving specific problems. (Ideally one problem per thread.)




For example, I cannot create a user called "administrator".




It already exists; see lusrmgr.msc if you want to unlock and use it. The built-in account is somewhat special, e.g. it bypass UAC, and it's recognized by the login screen as always a local (non-domain) account.



For local use, UAC somewhat mitigates the problem – even if you're logged in as an admin, you don't actually get admin access until you go through the elevation prompt ("run as administrator"). Unfortunately there's no such thing for network privileges; if you log in as a domain admin, there are no prompts or blocks whatsoever preventing malware from performing AD administration as you. So the practice is still relevant.




I think all of this can be managed simply by understanding how to set up and administer a "workgroup"




Workgroups don't actually affect accounts at all; users continue using their local accounts, and log in to servers using accounts on that server. To be clear – in Windows, a "workgroup" isn't something you separately enable, and it doesn't give you any new features. It's just the default mode of standalone (non-domain) PCs.



(Not to be confused with "workgroup name", which is a NetBIOS Browsing parameter that tells it which computers to show/discover and which ones to ignore.)



You might be thinking of domains (Active Directory), which do centralize authentication and do provide central management features (via Group Policy, etc).



Or you might be confusing workgroups with HomeGroups, which used to be an actual workgroup-oriented feature in Windows 7–8.1 that automatically configured a shared account for the whole LAN on all computers joined to the homegroup. (As the name says, homegroups were meant for home use where all machines are trusted. Homegroups were removed in Windows 10.1803.)




As it is I had to turn on SMBv1 on each machine just to get the computers to show up on the "Workgroup" in the navigator.




This is actually the last thing to deal with from the technical side – it involves the most complex protocols and is furthest away from the actual file-server connection. (For clarity, note that enabling "SMBv1" in Windows features actually enables two protocols at once – the second is the whole NetBIOS suite, and that's what gives you these features.)




  1. Actually accessing another computer's files is the simplest part, all you need is regular SMBv2/3 and that computer's IP address. Open \192.168.x.y in the navigator and you have it.



  2. Accessing other computers by name needs additional protocols but still tends to be simple technically. It can be handled by DNS on your router, or by LLMNR on WinVista+, or by mDNS in Win10.1803+, or finally by NetBIOS' NBNS if you've enabled the "SMBv1" feature.



    This lets you use \computername in the navigator. But in the end, all it does is convert the name to an IP address, so you have to get #1 working first anyway




  3. Finally, discovering other computers requires more complex protocols and even features that the network needs to support. Windows has two protocols which can be used for this (simultaneously): WS-Discovery from the SMBv2/3 era and NetBIOS Browsing from the SMBv1 era.



    NetBIOS Browsing was designed for LANs in the 1990s and although it specifically tried hard to be less fragile, on modern LANs it tends to achieve the opposite result. Besides, to enable NetBIOS at all, you had to enable SMBv1 as well – and SMBv1 is considered a major attack vector even by Microsoft themselves. So you should first try to get WS-Discovery working without SMBv1/NetBIOS enabled.



    To do this, uninstall SMBv1 client & server again, then enable the two "Function Discovery" services via services.msc. See this Microsoft KB article for more information (scroll down to "Explorer Network Browsing").



    (Note: WS-Discovery and the aforementioned LLMNR may need IPv6 to be enabled on the systems. If you're disabling IPv6...don't disable IPv6.)




On a "file server" environment you don't really need to bother with discovery – people won't be connecting to each other's PCs randomly, they'll just be connecting to specific shares on your designated server. You can just make desktop shortcuts or map network drives for those.







share|improve this answer














share|improve this answer



share|improve this answer








edited 30 mins ago

























answered 1 hour ago









grawitygrawity

239k37506561




239k37506561













  • This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

    – Matt1776
    41 mins ago











  • To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

    – grawity
    30 mins ago











  • Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

    – Matt1776
    3 mins ago











  • I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

    – Matt1776
    46 secs ago



















  • This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

    – Matt1776
    41 mins ago











  • To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

    – grawity
    30 mins ago











  • Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

    – Matt1776
    3 mins ago











  • I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

    – Matt1776
    46 secs ago

















This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

– Matt1776
41 mins ago





This is exactly the type and quality of information that I'm looking for, thank you! I will try and make my questions more specific, but from what I'm reading, it looks like a lot of the best-practice information I have is years old and already built into newer versions of windows (which is great news). So if I'm only dealing with 5-6 computers, a domain is overkill - and if I don't need a workgroup to achieve the basic configuration I'm looking for, perhaps its best to just tackle any issues that come up on a case by case basis. Thanks again

– Matt1776
41 mins ago













To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

– grawity
30 mins ago





To clarify, a "workgroup" is practically the default mode that Windows works in. It's not something you enable, and it's not something that gives you additional management tools or features – it's just a bunch of standalone (non-domain-joined) PCs. Are you thinking of Win7 "Homegroups"?

– grawity
30 mins ago













Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

– Matt1776
3 mins ago





Well, tbh I just thought it was something I wanted to set up because it would "group" the machines together on the network, but as I'm learning more about it, it appears to really only be a display thing and what I'm thinking about is setting up a domain - which again for 5/6 machines isn't worth the trouble, they have only one group of people and so needing more than one workgroup doesn't make sense either. Just trying to be as prepared as possible before I begin. And yes as I understand I think workgroups used to be called homegroups, they've had many names apparently over the years

– Matt1776
3 mins ago













I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

– Matt1776
46 secs ago





I also just read your edit - yes all these machines are trusted, there are no knowledge users so to speak, on the network. So once I set it up there will be very little need from an everyday admin point of view.

– Matt1776
46 secs ago










Matt1776 is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















Matt1776 is a new contributor. Be nice, and check out our Code of Conduct.













Matt1776 is a new contributor. Be nice, and check out our Code of Conduct.












Matt1776 is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1409411%2fwindows-10-professional-workgroup-setup-issues%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...

Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...