Administering Shared Folders

Chapter 15 of MCSE Training Kit Microsoft Windows 2000 Professional is reprinted with permission from Microsoft Press. For more information, go to https://www.microsoft.com/mspress/.

By Microsoft Consulting Services
ISBN: 1-57231-901-1

Your official Microsoft study guide for MCSE Exam 70-210.

Learn how to set up and support the Windows 2000 Professional operating system, and prepare for the Microsoft Certified Professional (MCP) exam, with this official Microsoft study guide. Work through the modular system of lessons and exercises for practical experience installing, administering, and troubleshooting this next-generation desktop environment. As you build these real-world system support skills, you're also preparing for MCP Exam 70-210, a core requirement on the new MCSE track for Windows 2000.

HERE'S WHAT YOU'LL LEARN:

  • Installing or upgrading to Windows 2000 Professional using automated and remote setup tools

  • Administering access to shared files, folders, and printers

  • Configuring and managing hardware devices, drivers, network adapters, and remote mobile hardware

  • Troubleshooting the Windows 2000 desktop environment: user profiles, desktop settings, multiple locations, fax support, and other services

  • Monitoring system memory, disk, and application performance

  • Implementing the TCP/IP network protocol; linking computers and shared resources using dial-up and virtual private network connections

  • Helping ensure data and system security through Group Policy, Encrypting File System, and local shares and accounts

HERE'S WHAT'S INSIDE:

  • Comprehensive self-paced training manual that maps to MCP exam goals and objectives

  • Skill-building practice exercises that help you apply what you learn to the job

  • Lesson summaries and end-of-chapter review questions to help gauge your progress

Chapter 15 - Administering Shared Folders

About This Chapter

In Chapter 14, "Securing Resources with NTFS Permissions," you learned about Microsoft Windows 2000 File System (NTFS) permissions. You use NTFS permissions to specify which users and groups can gain access to files and folders, and what these permissions allow users to do with the contents of the file or folder. NTFS permissions are available only on NTFS volumes. NTFS security is effective whether a user gains access to the file or folder at the computer or over the network.

In this chapter, you will learn how to make folders accessible over the network. You can access a computer's folders and their contents only by physically sitting at the computer and logging on to it or by accessing a shared folder on a remote computer. Sharing folders is the only way to make folders and their contents available over the network. Shared folders also provide another way to secure file resources, one that can be used on FAT or FAT32 partitions. In this chapter, you will also learn how to share file resources, secure them with permissions, and provide access to them.

Before You Begin

To complete this chapter, you must have

  • A computer that meets the minimum hardware requirements listed in "Hardware Requirements."

  • Microsoft Windows 2000 Professional installed on the computer.

Lesson 1: Understanding Shared Folders

You use shared folders to provide network users with access to file resources. When a folder is shared, users can connect to the folder over the network and gain access to the files that it contains. However, to gain access to the files, users must have permissions to access the shared folders.

After this lesson, you will be able to

  • Use shared folders to provide access to network resources.

  • Describe how permissions affect access to shared folders.

Estimated lesson time: 15 minutes

Shared Folder Permissions

A shared folder can contain applications, data, or a user's personal data, called a home folder. Each type of data requires different shared folder permissions.

The following are characteristics of shared folder permissions:

  • Shared folder permissions apply to folders, not individual files. Since you can apply shared folder permissions only to the entire shared folder, and not to individual files or subfolders in the shared folder, shared folder permissions provide less detailed security than NTFS permissions.

  • Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.

  • Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren't available on FAT volumes.

  • The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

Note: A shared folder appears in Windows Explorer as an icon of a hand holding the shared folder. (Figure 15.1 shows the sharing icon.)

To control how users gain access to a shared folder, you assign shared folder permissions.

Table 15.1 explains what each of the shared folder permissions allows a user to do. The permissions are presented from most restrictive to least restrictive.


Figure 15.1: Shared folders in Windows Explorer

Table 15.1 Shared Folder Permissions

| Shared folder permission | Allows the user to |
| --- | --- |
| Read | Display folder names, filenames, file data, and attributes; run program files; and change folders within the shared folder. |
| Change | Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform the actions permitted by the Read permission. |
| Full Control | Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. |

You can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. You deny permissions only when it is necessary to override permissions that are otherwise applied. In most cases, you should deny permissions only when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won't have that permission. For example, to deny all access to a shared folder, deny the Full Control permission.

How Shared Folder Permissions Are Applied

Applying shared permissions to user accounts and groups affects access to a shared folder. Denying permission takes precedence over the permissions that you allow. The following list describes the effects of applying permissions.

  • Multiple Permissions Combine. A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder, and that user is a member of a group to which you assigned a different permission, the user's effective permissions are the combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change, which includes Read.

  • Denying Permissions Overrides Other Permissions. Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won't have that permission, even if you allow the permission for a group of which the user is a member.

  • NTFS Permissions Are Required on NTFS Volumes. Shared folder permissions are sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of the folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access.

  • Copied or Moved Shared Folders Are No Longer Shared. When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When you move a shared folder, it is no longer shared.

Guidelines for Shared Folder Permissions

The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

  • Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.

  • Assign permissions to groups instead of user accounts to simplify access administration.

  • Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users need only to read information in a folder, and they will never delete or create files, assign the Read permission.

  • Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store the application folders within the same folder. Then share this folder instead of sharing each individual application folder.

  • Use intuitive share names so that users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use.

Although Windows 2000 allows for very long share names, try to keep share names short, about 12 characters. Shorter names are easier to remember and type. Products such as MS-DOS, Windows 3.x, and Windows for Workgroups require an 8.3-character share name.

Microsoft Windows 2000 provides 8.3-character equivalent names, but the resulting names might not be intuitive to users. For example, a Windows 2000 folder named Accountants Database would appear as Account~1 on client computers running MS-DOS, Windows 3.x, and Windows for Workgroups.
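The guidelines above can be checked mechanically against a list of share permission entries. The following is an added example, not part of the original chapter or any Microsoft tool: the CSV layout, its column names, the finding codes, and the sample rows (including User102) are constructed for illustration.

```python
import csv
import io
import re

# Constructed inventory (not from the chapter): one row per share permission entry.
# Column names are this example's own; trustee_kind marks a group or a single user.
SAMPLE_INVENTORY = """share,trustee,trustee_kind,type,right
Apps,Everyone,group,allow,Full Control
Data,Administrators,group,allow,Full Control
Data,Users,group,allow,Change
Accountants Database,Accountants,group,allow,Change
Reports,User101,user,allow,Read
Reports,User102,user,deny,Full Control
"""

# 8.3 share name: up to 8 characters, optional dot plus up to 3 more, no spaces.
EIGHT_DOT_THREE = re.compile(r"^[^\s.]{1,8}(\.[^\s.]{1,3})?$")


def audit_shares(csv_text):
    """Return sorted (share, finding) pairs for entries that break the guidelines."""
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        share, trustee = row["share"], row["trustee"]
        allow = row["type"].lower() == "allow"

        # The default from sharing a folder was left in place: Everyone, Full Control.
        if allow and trustee.lower() == "everyone" and row["right"] == "Full Control":
            findings.add((share, "EVERYONE_FULL_CONTROL"))

        # Allow entries belong on groups. A deny on one user is the accepted
        # exception (overriding what a group grants), so it is not flagged.
        if allow and row["trustee_kind"] == "user":
            findings.add((share, "ALLOW_TO_INDIVIDUAL_USER"))

        # Share-name guidance: about 12 characters, and 8.3 for older clients.
        if len(share) > 12:
            findings.add((share, "NAME_LONGER_THAN_12"))
        elif not EIGHT_DOT_THREE.match(share):
            findings.add((share, "NAME_NOT_8_3"))
    return sorted(findings)


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_INVENTORY):
        print(f"{share}: {finding}")
```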


Practice: Applied Permissions

In the following practice, User101 has been assigned permissions to gain access to resources as an individual and as a member of a group, as shown in Figure 15.2. Determine which effective permissions User101 has in each situation:

  1. User101 is a member of Group1, Group2, and Group3. Group1 has Read permission and Group3 has Full Control permission for FolderA. Group2 has no permissions assigned for FolderA. What are User101's effective permissions for FolderA?

  2. User101 is also a member of the Sales group, which has the Read permission for FolderB. User101 has been denied the shared folder permission Full Control for FolderB as an individual user. What are User101's effective permissions for FolderB?


Figure 15.2: Applied permissions

Lesson Summary

In this lesson, you learned that you can make a folder and its contents available to other users over the network by sharing the folder. Using shared folder permissions is the only way to secure file resources on FAT volumes. Shared folder permissions apply to folders, not individual files. Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. Shared folder permissions apply only to users who connect to the folder over the network.

You also learned about the three shared folder permissions: Read, Change, and Full Control. The Read permission allows users to display folder names, filenames, file data, and attributes. The Read permission also allows users to run program files and to change folders within the shared folder. The Change permission allows users to create folders, add files to folders, change data in files, append data to files, change file attributes, and delete folders and files, plus it allows the user to perform actions permitted by the Read permission. The Full Control permission allows users to change file permissions, take ownership of files, and perform all tasks permitted by the Change permission. The default shared folder permission is Full Control, and it is assigned to the Everyone group when you share the folder.

Lesson 2: Planning Shared Folders

When you plan shared folders, you can reduce administrative overhead and ease user access. You can organize resources that will be shared and put them into folders according to common access requirements. You can also determine which resources you want shared, organize resources according to function and use, and decide how you will administer the resources.

Shared folders can contain applications and data. Use shared application folders to centralize administration. Use shared data folders to provide a central location for users to store and gain access to common files. If all data files are centralized in one shared folder, users will find them easily. You will be able to back up data folders more easily if data folders are centralized, and you will be able to upgrade application software more easily if applications are centralized.

After this lesson, you will be able to

  • Plan which shared folder permissions to assign to user accounts and groups for application and data folders.

Estimated lesson time: 5 minutes

Application Folders

Shared application folders are used for applications that are installed on a network server and can be used from client computers. The main advantage of shared applications is that you don't need to install and maintain most components of the applications on each computer. While program files for applications can be stored on a server, configuration information for most network applications is often stored on each client computer. The exact way in which you share application folders will vary depending on the application and your particular network environment and company organization.

When you share application folders, consider the points in Figure 15.3. These points are explained in more detail as follows:

  • Create one shared folder for applications and organize all of your applications under this folder. When you combine all applications under one shared folder, you designate one location for installing and upgrading software.

  • Assign the Administrators group the Full Control permission for the applications folder so that they can manage the application software and control user permissions.

  • Remove the Full Control permission from the Everyone group and assign Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.

  • Assign the Change permission to groups that are responsible for upgrading and troubleshooting applications.

  • Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.


    Figure 15.3: Creating and sharing application folders

Data Folders

Users on a network use data folders to exchange public and working data. Working data folders are used by members of a team who need access to shared files. Public data folders are used by larger groups of users who all need access to common data.

When you use data folders, create and share common data folders on a volume that is separate from the operating system and applications. Data files should be backed up frequently, and with data folders on a separate volume, you can conveniently back them up. If the operating system requires reinstallation, the volume containing the data folder remains intact.

Public Data

When you share a common public data folder, do the following:

  • Use centralized data folders so that data can be easily backed up.

  • Assign the Change permission to the Users group for the common data folder (see Figure 15.4). This will provide users with a central, publicly accessible location for storing data files that they want to share with other users. Users will be able to gain access to the folder and read, create, or change files in it.


    Figure 15.4: Public data and working data shared folders

Working Data

When you share a data folder for working files, do the following:

  • Assign the Full Control permission to the Administrators group for a central data folder so that administrators can perform maintenance.

  • Share lower-level data folders below the central folder with the Change permission for the appropriate groups when you need to restrict access to those folders.

For an example, see Figure 15.4. To protect data in the Accountants folder, which is a subfolder of the Data folder, share the Accountants folder and assign the Change permission only to the Accountants group so that only members of the Accountants group can gain access to the Accountants folder.

Lesson Summary

In this lesson, you learned that you use shared application folders to centralize administration and make it easier to upgrade application software. When you use shared application folders, you should assign the Administrators group the Full Control permission for the applications folder so that members of this group can manage the application software and control user permissions. You should also remove the Full Control permission from the Everyone group and assign Read permission to the Users group. This provides more security because the Users group includes only user accounts that you created, whereas the Everyone group includes anyone who has access to network resources, including the Guest account.

You also learned that you use shared data folders to provide a central location for users to store and gain access to common files. When you use data folders, create and share common data folders on a volume that is separate from the operating system and applications. Data files should be backed up frequently, and with data folders on a separate volume, you can conveniently back them up.

Lesson 3: Sharing Folders

You can share resources with others by sharing folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. After you have shared a folder, you might want to modify it. You can stop sharing it, change its share name, and change user and group permissions to gain access to it.

After this lesson, you will be able to

  • Create and modify shared folders.

  • Make a connection to a shared folder.

Estimated lesson time: 20 minutes

Requirements for Sharing Folders

In Windows 2000 Professional, members of the built-in Administrators and Power Users groups are able to share folders. Which groups can share folders and on which machines they can share them depends on whether it is a workgroup or a domain and the type of computer on which the shared folders reside:

  • In a Windows 2000 domain, the Administrators and Server Operators groups can share folders residing on any machines in the domain. The Power Users group is a local group and can share folders residing only on the stand-alone server or computer running Windows 2000 Professional where the group is located.

  • In a Windows 2000 workgroup, the Administrators and Power Users groups can share folders on the Windows 2000 Server stand-alone server or the computer running Windows 2000 Professional on which the group exists.

Note: If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.

Administrative Shared Folders

Windows 2000 automatically shares folders for administrative purposes. These shares are appended with a dollar sign ($), which hides the shared folder from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.

Table 15.2 describes the purpose of the administrative shared folders that Windows 2000 automatically provides.

Table 15.2 Windows 2000 Administrative Shared Folders

| Share | Purpose |
| --- | --- |
| C$, D$, E$, and so on | The root of each volume on a hard disk is automatically shared, and the share name is the drive letter appended with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows 2000 assigns the Full Control permission to the Administrators group. Windows 2000 also automatically shares CD-ROM drives and creates the share name by appending the dollar sign to the CD-ROM drive letter. |
| Admin$ | The system root folder, which is C:\Winnt by default, is shared as Admin$. Administrators can gain access to this shared folder to administer Windows 2000 without knowing in which folder it is installed. Only members of the Administrators group have access to this share. Windows 2000 assigns the Full Control permission to the Administrators group. |
| Print$ | When you install the first shared printer, the systemroot\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators, Server Operators, and Print Operators groups have the Full Control permission. The Everyone group has the Read permission. |

Hidden shared folders aren't limited to those that the system automatically creates. You can share additional folders and append a dollar sign to the end of the share name. Then only users who know the folder name can gain access to it if they also possess the proper permissions to it.

Sharing a Folder

When you share a folder, you can give it a share name, provide comments to describe the folder and its content, limit the number of users who have access to the folder, assign permissions, and share the same folder multiple times.

You can share a folder as follows:

  1. Log on with a user account that is a member of a group that is able to share folders.

  2. Right-click the folder that you want to share, and then click Properties.

  3. On the Sharing tab of the Properties dialog box, configure the options shown in Figure 15.5 and described in Table 15.3.


    Figure 15.5: The Sharing tab of a folder's Properties dialog box

Table 15.3 Sharing Tab Options

| Option | Description |
| --- | --- |
| Share Name | The name that users from remote locations use to make a connection to the shared folder. You must enter a share name. |
| Comment | An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify contents of the shared folder. |
| User Limit | The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows 2000 Professional supports up to 10 connections. Windows 2000 Server can support an unlimited number of connections, but the number of Client Access Licenses (CALs) that you purchased limits the connections. |
| Permissions | The shared folder permissions that apply only when the folder is accessed over the network. By default, the Everyone group is assigned Full Control for all new shared folders. |
| Caching | The settings to configure offline access to this shared folder. |

Caching

To make shared folders available offline, copies of the files are stored in a reserved portion of disk space on your computer called a cache. Since the cache is on your hard disk, the computer can access this cache regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of the Folder Options dialog box. You can also see how much space the cache is using by opening the Offline Files folder and clicking Properties on the File menu.

Note: Shared network files are stored in the root folder of your hard disk. If you want to change the location of the cache, the Offline Files Mover (Cachemov.exe) is available in the Windows 2000 Professional Resource Kit to change the cache location.

When you share a folder, you can allow others to make the shared folder available offline by clicking Caching in the folder's Properties dialog box. In the Caching Settings dialog box (see Figure 15.6), the Allow Caching Of Files In This Shared Folder check box allows you to turn caching on and off.


Figure 15.6: The Caching Settings dialog box

The Caching Settings dialog box contains three caching options:

  • Manual Caching For Documents. The files that someone using your shared folder specifically (or manually) identifies are the only ones available offline. This caching option is recommended for a shared network folder containing files that are to be accessed and modified by several people. This option is the default.

  • Automatic Caching For Documents. Makes every file that someone opens from your shared folder available to him or her offline. Files that aren't opened are not available offline.

  • Automatic Caching For Programs. Provides offline access to shared folders containing files that are read, referenced, or run, but that are not changed in the process. This setting reduces network traffic because offline files are opened directly without accessing the network versions in any way, and generally start and run faster than the network versions.

Note: For more information on caching and Offline Folders, see Chapter 24, "Configuring Windows 2000 for Mobile Computers."

Assigning Shared Folder Permissions

After you share a folder, the next step is to specify which users have access to the shared folder by assigning shared folder permissions to selected user accounts and groups.

You can assign permissions to user accounts and groups for a shared folder, as follows:

  1. On the Sharing tab of the Properties dialog box of the shared folder, click Permissions.

  2. In the Permissions dialog box, ensure that the Everyone group is selected and then click Remove.

  3. In the Permissions dialog box, click Add (see Figure 15.7).


    Figure 15.7: Setting permissions for a shared folder

  4. In the Select Users, Computers, Or Groups dialog box, click the user accounts and groups to which you want to assign permissions.

  5. Click Add to add the user account or group to the shared folder. Repeat this step for all user accounts and groups to which you want to assign permissions.

  6. Click OK.

  7. In the Permissions dialog box for the shared folder, click the user account or group, and then, under Permissions, select the Allow check box or the Deny check box for the appropriate permissions for the user account or group.

Modifying Shared Folders

You can modify shared folders, stop sharing a folder, modify the share name, and modify shared folder permissions.

You can modify a shared folder as follows:

  1. Click the Sharing tab in the Properties dialog box of the shared folder.

  2. To complete the appropriate task, use the steps in Table 15.4.

Table 15.4 Steps to Modify a Shared Folder

| To | Do this |
| --- | --- |
| Stop sharing a folder | Click Do Not Share This Folder. |
| Modify the share name | Click Do Not Share This Folder to stop sharing the folder; click Apply to apply the change; click Share This Folder, and then enter the new share name in the Share Name box. |
| Modify shared folder permissions | Click Permissions. In the Permissions dialog box, click Add or Remove. In the Select Users, Computers, Or Groups dialog box, click the user account or group whose permissions you want to modify. |
| Share folder multiple times | Click New Share to share a folder with an additional shared folder name. Do so to consolidate multiple shared folders into one while allowing users to continue to use the same shared folder name that they used before you consolidated the folders. |
| Remove a share name | Click Remove Share. This option appears only after the folder has been shared more than once. |

Note: If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has a connection to the shared folder, Windows 2000 displays a dialog box notifying you that a user has a connection to the shared folder.

Connecting to a Shared Folder

You can gain access to a shared folder on another computer by using the Map Network Drive wizard, the Run command, or My Network Places. If you want to connect to a shared folder by using the Map Network Drive wizard, you can do the following:

  1. Right-click the My Network Places icon on your desktop, and then click Map Network Drive.

  2. In the Map Network Drive wizard, shown in Figure 15.8, click Folder, and then type a UNC path to the folder (for example, \\computer_name\sharedfolder_name).

  3. Enter a drive letter for the shared folder in the Drive list box.

  4. Select the Reconnect At Logon check box if you want to reconnect to the shared folder each time that you log on.

  5. Click the link labeled Connect Using A Different User Name to connect to a shared folder with a different user account, and then enter the user name and password in the Connect As dialog box.

You can connect to a shared folder by using the Run command, as follows:

  1. Click the Start button, click Run, and then type \\computer_name in the Open box.

    Windows 2000 displays shared folders for the computer.

  2. Double-click the shared folder to which you want to connect.

You can connect to a shared folder by using My Network Places, as follows:

  1. Double-click the My Network Places icon.

  2. Locate the computer on which the shared folder is located.

  3. Double-click the shared folder to which you want to connect.


    Figure 15.8: The Map Network Drive wizard

Lesson Summary

In this lesson, you learned that you can share resources with others by sharing folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. You can control access to a shared folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. To access a shared folder, users must connect to it and must have the appropriate permissions. You can modify a shared folder, stop sharing it, change its share name, and change user and group permissions to gain access to it.

Lesson 4: Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

After this lesson, you will be able to

  • Combine shared folder permissions and NTFS permissions.

Estimated lesson time: 45 minutes

Strategies for Combining Shared Folder Permissions and NTFS Permissions

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

  • You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder that a shared folder contains.

  • In addition to shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders. This is in contrast to FAT volumes where permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.

  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 15.9, the Everyone group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. The Everyone group's effective permission for FileA is Read because Read is the more restrictive permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

Figure 15.9: Combining shared folder permissions and NTFS permissions
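
The combination rule can be checked with a small model. The Python sketch below is an added example, not part of the original chapter and not Windows' own access-check code; the abstract rights sets, the function names, and the sample user are assumptions made for illustration. It reproduces the Figure 15.9 result and also covers local access and FAT volumes.

```python
# Added example: a simplified model of the rule, not Windows' own access check.
# Reducing each permission to a set of abstract rights is an assumption of this
# sketch; Deny entries and permission inheritance are not modelled.
FULL = frozenset({"read", "execute", "write", "delete", "change_acl", "take_ownership"})
CHANGE = frozenset({"read", "execute", "write", "delete"})
SHARE_PERMS = {"Read": frozenset({"read", "execute"}), "Change": CHANGE, "Full Control": FULL}
NTFS_PERMS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Read & Execute": frozenset({"read", "execute"}),
    "Modify": CHANGE,
    "Full Control": FULL,
}
# Coarse levels used to name a result, most permissive first.
LEVELS = [
    ("Full Control", FULL),
    ("Change", frozenset({"read", "write", "delete"})),
    ("Read", frozenset({"read"})),
]


def granted(acl, table, principals):
    """Union of the rights an ACL grants to any of the user's principals."""
    rights = set()
    for principal, permission in acl:
        if principal in principals:
            rights |= table[permission]
    return rights


def effective_rights(principals, share_acl, ntfs_acl, *, over_network=True, ntfs_volume=True):
    """Rights a user ends up with on one file inside a shared folder."""
    share = granted(share_acl, SHARE_PERMS, principals)
    ntfs = granted(ntfs_acl, NTFS_PERMS, principals)
    if not ntfs_volume:
        # FAT has no file-level permissions: the share is the only control,
        # and it is only evaluated for network connections.
        return share if over_network else set(FULL)
    if not over_network:
        # Shared folder permissions are not evaluated for local access.
        return ntfs
    # Both checks must pass, so the more restrictive permission wins.
    return share & ntfs


def describe(rights):
    """Name the most permissive coarse level that the rights fully cover."""
    for name, needed in LEVELS:
        if needed <= rights:
            return name
    return "No access" if not rights else "Other: " + ", ".join(sorted(rights))


# Figure 15.9: Everyone has the shared folder Full Control permission for
# Public, NTFS Read for FileA, and NTFS Full Control for FileB.
PUBLIC_SHARE = [("Everyone", "Full Control")]
FILE_A = [("Everyone", "Read")]
FILE_B = [("Everyone", "Full Control")]
USER = {"Everyone", "Users", "User1"}  # constructed: principals of an ordinary user

if __name__ == "__main__":
    for label, acl in (("FileA", FILE_A), ("FileB", FILE_B)):
        print(label, "->", describe(effective_rights(USER, PUBLIC_SHARE, acl)))
```

Running the same ACLs with ntfs_volume=False shows why a wide-open share on a FAT volume leaves every file in it at Full Control for network users.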

Practice: Managing Shared Folders

In this practice, you will determine users' effective permissions, plan shared folders, plan permissions, share a folder, assign shared folder permissions, connect to a shared folder, stop sharing a folder, and test the combined effects of shared folder permissions and NTFS permissions.

Important: To complete the optional exercises (5 and 8), you must have two networked computers. One computer must be running Windows 2000 Professional and the other must be running one of the following Windows 2000 products: Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server. On both computers, the Administrator user account should use "password" as the Administrator account password.

Exercise 1 Combining Permissions

Figure 15.10 shows examples of shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions. Determine a user's effective permissions for each example.

Figure 15.10: Combined permissions

  1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder.

    What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

  2. In the second example, the Users folder contains user home folders. Each user home folder contains data that is accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for only their home folder and no NTFS permissions for other folders. These users are all members of the Users group.

    What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?

Exercise 2 Planning Shared Folders

In this exercise, you will plan how to share resources on servers in the main office of a manufacturing company. Record your decisions in the table at the end of this exercise.

Figure 15.11 illustrates a partial folder structure for the servers at the manufacturing company.

Figure 15.11: A partial folder structure for the servers at a manufacturing company

You need to make resources on these servers available to network users. To do this, determine which folders to share and which permissions to assign to groups, including the appropriate built-in groups.

Base your planning decisions on the following criteria:

  • Members of the Managers group need to read and revise documents in the Management Guidelines folder. Nobody else should have access to this folder.

  • Administrators need complete access to all shared folders, except for Management Guidelines.

  • The customer service department requires its own network location to store working files. All customer service representatives are members of the Customer Service group.

  • All employees need a network location to share information with each other.

  • All employees need to use the spreadsheet, database, and word processing software.

  • Only members of the Managers group should have access to the project management software.

  • Members of the CustomerDBFull group need to read and update the customer database.

  • Members of the CustomerDBRead group need to read only the customer database.

  • Each user needs a private network location to store files. This location must be accessible only by that user.

  • Share names must be accessible from Windows 2000, Windows NT, Windows 98, Windows 95, and non-Windows-NT-based platforms.

Record your answers in the following table.

    Folder name and location          Shared name    Groups and permissions
    ------------------------------    -----------    ----------------------
    Example: Management Guidelines    MgmtGd         Managers: Full Control

Exercise 3 Sharing Folders

In this exercise, you will share a folder.

To share a folder

  1. Log on as Administrator.

  2. Start Windows Explorer, create a C:\MktApps folder, right-click MktApps, and then click Properties.

  3. In the MktApps Properties dialog box, click the Sharing tab.

    Notice that the folder is currently not shared.

  4. Click Share This Folder.

    Notice that Share Name defaults to the name of the folder. If you want the share name to be different from the folder's name, change it here.

  5. In the Comment box, type Shared Marketing Applications and then click OK.

    Notice that Windows Explorer changes the appearance of the MktApps folder by placing a hand under it to indicate that it is a shared folder.

Exercise 4 Assigning Shared Folder Permissions

In this exercise, you will determine the current permissions for a shared folder and assign shared folder permissions to groups in your domain.

To determine the current permissions for the MktApps shared folder

  1. In Windows Explorer, right-click C:\MktApps, and then click Properties.

  2. In the MktApps Properties dialog box, click the Sharing tab, and then click Permissions.

    Windows 2000 displays the Permissions For MktApps dialog box.

    Notice that the default permission for the MktApps shared folder is Full Control for the Everyone group.

To remove permissions for a group

  1. Verify that Everyone is selected.

  2. Click Remove.

To assign Full Control to the Administrators group

  1. Click Add.

    Windows 2000 displays the Select Users, Computers, Or Groups dialog box.

  2. Ensure that your computer name, PRO1, is displayed in the Look In box. In the Name box, click Administrators, and then click Add.

  3. Click OK.

    Windows 2000 adds Administrators to the list of names with permissions.

    Which type of access does Windows 2000 assign to Administrators by default?

  4. In the Permissions box, under Allow, click the Full Control check box.

    Why did Windows Explorer also select the Change permission for you?

  5. Click OK to close the Permissions For MktApps dialog box.

  6. Click OK to close the MktApps Properties dialog box.

  7. Close Windows Explorer.

Exercise 5 (Optional) Connecting to a Shared Folder

In this exercise, you will use two methods to connect to a shared folder.

Important: To complete Exercise 5, you must have two networked computers. One computer must be running Windows 2000 Professional, and the other must be running either Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server. On both computers, the Administrator user account should use "password" as the Administrator account password.

To connect to a network drive by using the Run command

  1. Log on as Administrator on your second computer.

  2. Click the Start button, and then click Run.

  3. In the Open box, type \\PRO1. (If you didn't use PRO1 as the name of your computer, use the appropriate name here and in the following steps.) Click OK.

    Windows 2000 displays the PRO1 window. Notice that only the folders that are shared appear to network users.

  4. Double-click MktApps to confirm that you can gain access to its contents.

    MktApps contains no files or folders for you to access, but the system opens the folder and displays the contents of MktApps.

  5. Close the MktApps On PRO1 window.

To connect a network drive to a shared folder by using the Map Network Drive command

  1. Right-click My Network Places, and then click Map Network Drive.

  2. In the Map Network Drive wizard, in the Folder box, type \\PRO1\MktApps (if you didn't use PRO1 as the name of your computer, use the appropriate name here).

  3. In the Drive box, select P.

  4. Clear the Reconnect At Logon check box.

    You will gain access to this shared folder only in this exercise. Disabling the option to reconnect will ensure that Windows 2000 won't automatically attempt to reconnect to this shared folder later.

  5. To complete the connection, click Finish.

    Windows 2000 displays the MktApps On 'PRO1' (P:) window.

    How does Windows Explorer indicate that this drive points to a remote shared folder?

  6. Close the MktApps On 'PRO1' (P:) window.

To disconnect from a network drive by using Windows Explorer

  1. Start Windows Explorer.

  2. Right-click MktApps On 'Pro1' (P:), and then click Disconnect.

    Windows 2000 removes MktApps On 'PRO1' (P:) from the Windows Explorer window.

  3. Close Windows Explorer.

Exercise 6 Stopping Folder Sharing

In this exercise, you will stop sharing a shared folder.

To stop sharing a folder

  1. Log on as Administrator on the PRO1 computer (or the computer running Windows 2000 Professional with the name you specified), and then start Windows Explorer.

  2. Right-click C:\MktApps, and then click Properties.

  3. In the MktApps Properties dialog box, click the Sharing tab.

  4. Click Do Not Share This Folder, and then click OK.

    Notice that Windows 2000 no longer displays the hand that identifies a shared folder under the MktApps folder. You might need to refresh the screen; if so, press F5.

  5. Close Windows Explorer.

Exercise 7 Assigning NTFS Permissions and Sharing Folders

In this exercise, you will assign NTFS permissions to the MktApps, Public, and Manuals folders. Then you will share the MktApps, Manuals, and Public folders.

To assign NTFS permissions

Use Windows Explorer to create the necessary folders and to assign the NTFS permissions that are listed in the table that follows. For each folder, do not allow inherited permissions to propagate to the object and remove any previously existing NTFS permissions.

    Path                  Group or user account    NTFS permissions
    ------------------    ---------------------    ----------------
    C:\MktApps            Administrators           Full Control
                          Users                    Read & Execute
    C:\MktApps\Manuals    Administrators           Full Control
                          Users                    Read & Execute
    C:\MktApps\Public     Administrators           Full Control
                          Users                    Full Control

To share folders and assign shared folder permissions

Share the appropriate application folders and assign permissions to network user accounts based on the information in the table that follows. Remove all other shared folder permissions.

    Path and shared folder name     Group or user account    Shared folder permissions
    ----------------------------    ---------------------    -------------------------
    C:\MktApps shared as MktApps    Administrators           Full Control
                                    Users                    Full Control

Exercise 8 (Optional) Testing NTFS and Shared Folder Permissions

In this exercise, you will use different user accounts to test the permissions that you assigned in Exercise 1. To answer the questions in this exercise, refer to the tables in Exercise 7.

Important: To complete Exercise 8, you must have two networked computers. One computer must be running Windows 2000 Professional, and the other must be running either Windows 2000 Professional, Windows 2000 Server, or Windows 2000 Advanced Server. On both computers, the Administrator user account should use "password" as the Administrator account password.

To test permissions for the Manuals folder when a user logs on locally

  1. Log on as User1 with a password of password on the PRO1 computer (or the computer running Windows 2000 Professional with the name you specified).

  2. In Windows Explorer, expand C:\MktApps\Manuals.

  3. In the Manuals folder, attempt to create a file.

    Were you successful? Why or why not?

  4. Close Windows Explorer and log off.

To test permissions for the Manuals folder when a user makes a connection over the network

  1. Log on as Administrator with a password of password on your second computer.

  2. Create a user account, User1, with a password of password and clear the User Must Change Password At Next Logon check box, if necessary.

    Note: In a workgroup, no centralized database of user accounts exists. Therefore, you must create the same user account with the same password on each computer in the workgroup. This applies to the Administrator account as well.

  3. Log off and then log on as User1 at your second computer.

  4. Click the Start button, and then click Run.

  5. In the Open box, type \\PRO1\MktApps and then click OK.

  6. In the MktApps On PRO1 window, double-click Manuals.

  7. In the Manuals window, attempt to create a file.

    Were you successful? Why or why not?

  8. Close all windows and log off.

To test permissions for the Manuals folder when a user logs on over the network as Administrator

  1. Log on as Administrator with a password of password at your second computer, not PRO1.

  2. Make a connection to the shared folder C:\MktApps on PRO1.

  3. In the MktApps On PRO1 window, double-click Manuals.

  4. In the Manuals window, attempt to create a file.

    Were you successful? Why or why not?

  5. Close all windows and log off.

To test permissions for the Public folder when a user makes a connection over the network

  1. Log on as User1 with a password of password on your second computer.

  2. Click the Start button, and then click Run.

  3. In the Open box, type \\PRO1\MktApps and then click OK.

  4. In the MktApps On PRO1 window, double-click Public.

  5. In the Public window, attempt to create a file.

    Were you successful? Why or why not?

  6. Close all windows and log off.

Lesson Summary

In this lesson, you learned that you share folders to provide network users with access to resources. On a FAT volume, the shared folder permissions are all that is available to provide security for the folders you have shared and for the folders and files they contain. On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In the practice portion of this lesson, you created and shared folders, stopped sharing a folder, created folders, applied NTFS permissions, and then shared the folders. If you have a second computer, you were able to test how the shared folder permissions and NTFS permissions combined to provide access to resources.

Review

The following questions will help you determine whether you have learned enough to move on to the next chapter. If you have difficulty answering these questions, please go back and review the material in this chapter before beginning the next chapter. See Appendix A, "Questions and Answers," for the answers to these questions.

  1. When a folder is shared on a FAT volume, what does a user with the Full Control shared folder permissions for the folder have access to?

  2. What are the shared folder permissions?

  3. By default, what are the permissions that are assigned to a shared folder?

  4. When a folder is shared on an NTFS volume, what does a user with the Full Control shared folder permissions for the folder have access to?

  5. When you share a public folder, why should you use centralized data folders?

  6. What is the best way to secure files and folders that you share on NTFS partitions?
