I'm trying to restrict VPN users from accessing the local file shares; however, I'm having trouble making a distinct separation. The shares are open to everyone, so I don't have to set up the local computers, but I'm trying to restrict VPN users from accessing the shares. The problem here is that VPN users are logged in as GUEST accounts when they try to view a share. It would be nice to be able to DENY access to JUST the VPN GROUP.

Not possible unless you are running Active Directory and a server. It appears you are doing peer-to-peer networking.
Normally guest is not enabled anywhere.
Users would log on via their AD accounts. If you want to create a VPN group you can do so, but you would also need to make secondary accounts for VPN users to use, and these accounts would be included in the VPN group for share assignments.

What do you mean by peer to peer? The file shares are enabled to allow EVERYONE to read. VPN users, when accessing the file shares, are logged on as GUESTs, even though they have their own username and a VPN group which is denied access to these shares.

Peer to peer is defined as all hosts sharing among themselves [distributed].
Server/client is defined as all hosts talking to a primary host [the server], and the server houses the shares [centralized].
Active Directory, which is server based, has groups.
Peer to peer does not have groups.
Guest and Everyone access is a peer-to-peer configuration.
In server/client, the guest account is disabled on all hosts. If restrictions are desired on a share, the share is NOT shared to everyone.
Before I explain further, please answer the following questions:
1. Are you running Active Directory?
2. How long have you been in IT/familiar with MS server?
3. How/what did you use for the VPN access [software]?
4. Why did you enable the guest account?

1. No, I'm not.
2. Fairly familiar.
3. ICS, Routing and Remote Access.
4. Makes things easier (lazy); all PCs on the local network get access to the files without any specific setup... I guess I expected VPN to log in to these shares under the VPN user, not a guest.

OK, thanks.
You can't have restrictions when you have everything wide open. You mention ICS and RRAS.
Does your server have two NIC cards?
Did you configure RRAS as a VPN server and to access the network?
You have two major issues. One is that you can't do restrictions with guest and everyone. You would need to properly set up accounts, their passwords and permissions.
Your second issue is that you desire to differentiate between VPN user accounts/access and local user accounts/access.
Normally it does not matter if access is via the network or VPN. Users would get the permissions they were given via either access.
If you want to differentiate between VPN users and local users, you will need two accounts for each user. John Lan is local access. John VPN would be VPN access. You would put local users into a localgroup and VPN users into a vpngroup. This would give you the ability to adjust rights assignments via the two groups, e.g. localgroup gets full access and vpngroup only gets read-only.
You would remove Everyone from the share(s). You would assign the two groups, setting their security access levels accordingly.

If you turn off all of Windows Security and wonder why you can't secure anything, then this is a no-brainer. I would suggest setting up a VPN user or group, then remove "Everyone" from your share and only add the administrator, local users and the VPN. Then with the VPN you can set it to be read-only. It is not that hard to do.
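
The setup described in the last two replies, written out as an added example that is not part of the original thread. The share name `Files`, its path `D:\Files`, the group names and the two `john.*` accounts are assumptions, and it assumes a Windows version that ships the LocalAccounts and SmbShare PowerShell modules, with VPN users connecting to the share under their VPN account:

```powershell
#Requires -RunAsAdministrator
# Added example; every name below is an assumption, not taken from the thread.
$share = 'Files'
$path  = 'D:\Files'

# 1. Disable Guest so every connection has to authenticate as a named account.
Disable-LocalUser -Name 'Guest'

# 2. One group per access path.
New-LocalGroup -Name 'LocalGroup' -Description 'LAN accounts' | Out-Null
New-LocalGroup -Name 'VPNGroup'   -Description 'VPN accounts, read-only on shares' | Out-Null

# 3. Two accounts per person: one for LAN use, one for VPN use.
$accounts = @(
    @{ Name = 'john.lan'; Group = 'LocalGroup' },
    @{ Name = 'john.vpn'; Group = 'VPNGroup' }
)
foreach ($a in $accounts) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $($a.Name)"
    New-LocalUser -Name $a.Name -Password $pw | Out-Null
    Add-LocalGroupMember -Group $a.Group -Member $a.Name
}

# 4. Share permissions: drop Everyone, then grant per group.
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force | Out-Null
Grant-SmbShareAccess  -Name $share -AccountName 'Administrators' -AccessRight Full -Force | Out-Null
Grant-SmbShareAccess  -Name $share -AccountName 'LocalGroup'     -AccessRight Full -Force | Out-Null
Grant-SmbShareAccess  -Name $share -AccountName 'VPNGroup'       -AccessRight Read -Force | Out-Null

# 5. NTFS permissions on the folder: effective access is the more restrictive
#    of share and NTFS rights, so keep the two consistent.
#    Modify (M) is used instead of Full so group members cannot rewrite the ACL.
icacls $path /remove:g 'Everyone'
icacls $path /grant 'LocalGroup:(OI)(CI)M' 'VPNGroup:(OI)(CI)RX'

# 6. Review the result: Everyone should be gone, VPNGroup should show Read only.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
icacls $path
```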
