Monitoring, Managing, and Troubleshooting Access to Files and Folders


The key to understanding how much file and folder management you can accomplish with NTFS in Windows XP Professional is to take a quick look at what the 16-bit File Allocation Table (FAT16) or 32-bit File Allocation Table (FAT32) file systems entail. FAT16 is nearly universally supported by all Microsoft DOS and Windows operating systems and many non-Microsoft operating systems. FAT16 limits a file's size based on the size of the partition on which it is installed. As a result, files usually take up far more disk space than their actual sizes warrant. Also, because FAT16 is limited to a 4GB partition in Windows XP Professional and 2GB partitions in DOS and Windows 9x operating systems, it can't take advantage of current hard disk sizes that reach up to the tens of gigabytes. In addition to this limitation, FAT16 does not support its own file-level security, encrypted files, or native compression.

Caution

FAT16 is less secure than other file systems. FAT16 is considered the least secure of all file systems for booting business-critical computers, whether they are workstations or servers. It is never considered a good practice to install a dual-boot computer in a production environment (although it's acceptable for labs), especially if a dual-boot environment would force you to keep FAT16 as the file system.


FAT32 was launched as the new file system under Windows 95 OSR2 (OEM Service Release 2). By using 32 bits of data instead of 16, FAT32 is able to theoretically support drives up to 2 terabytes (TB) in size. Under Windows XP Professional, the FAT32 file system can format a drive only up to 32GB. It uses smaller clusters, which enables it to make a more economical use of hard disk space. FAT32 is not useful for dual booting because it is supported only by Microsoft operating systems newer than Windows 95 OSR2. Because FAT32 does not provide any native file-level security, encrypted files, or compression, it is not the recommended file system for Windows XP Professional.

Windows XP Professional and Windows 2000 use NTFS version 5. Older versions of Windows NT use NTFS 4. For local file access, a Windows NT 4 computer must be upgraded with its Service Pack 1 (SP1) to be able to read files off a local partition that is formatted with NTFS 5. File access across a network, from a computer using any type of file system, is not affected; it's an issue only for local drive partitions. NTFS 5 in Windows XP provides native file and folder security, encrypted files, support for disk quotas, and compression. Theoretically, NTFS supports a 16-exabyte size drive. The limitations to this theory are found in the hardware because partition tables on disks with master boot records can sustain partition sizes of up to only 2TB. To create a larger disk partition in NTFS, you must use a dynamic volume. Dynamic volumes are not subject to a 2TB limit because they are managed in a database outside the partition table. A brief comparison of all three file systems is given in Table 5.1.

Table 5.1. Comparing FAT16 and FAT32 to NTFS Reveals Its Competencies

| Capabilities | FAT16 | FAT32 | NTFS |
|---|---|---|---|
| Runs on DOS | X | | |
| Runs on Win 3.x | X | | |
| Runs on non-Microsoft operating systems | X | | |
| Runs on Windows NT 3.x | X | | X |
| Runs on Windows NT 4.0 | X | | X |
| Runs on Windows 95 (OSR2 and later) | X | X | |
| Runs on Windows 98 | X | X | |
| Runs on Windows Me | X | X | |
| Runs on Windows 2000 | X | X | X |
| Runs on Windows XP | X | X | X |
| Provides efficient use of space | | X | X |
| Provides native file-level security | | | X |
| Supports native transparent file compression | | | X |
| Supports disk quotas | | | X |
| Supports native file encryption | | | X |
| Enables physical partitions up to 2TB | | | X |
| Can be used as the file system to format a floppy disk | X | X | |


Although you should have a basic understanding of the differences between FAT16, FAT32, and NTFS, the 70-270 exam concentrates on the file and folder management features that only NTFS provides. Keep in mind that the most basic file and folder management, such as viewing and moving files, is the same regardless of the file system. However, file-level security, permissions, and compression apply only to NTFS-formatted disks.

Configuring, Managing, and Troubleshooting File Compression

Objective:

Monitor, manage, and troubleshoot access to files and folders.

  • Configure, manage, and troubleshoot file compression.

NTFS supports compression natively. Although you can compress files and folders using a third-party utility such as WinZip on FAT16 and FAT32 drives, the difference in using native file compression is that it is completely transparent to the user. You can open a compressed file in an application the same way that you open a non-compressed file. The process of decompression and recompression is hidden from the user. By contrast, if you are using FAT16 and WinZip, you have to extract the file from the WinZip archive and then open it within the application. Only then can you work on it. After saving your file changes, you need to recompress the file using WinZip and replace the file in the archive manually.

File compression provides efficient use of disk space. In an organization in which users share computers, an administrator may need to enforce disk quotas to ensure that there is sufficient space on the hard disks. What you save in space, however, you may lose in performance, especially with certain files.

Note

Measuring available disk space. When measuring available disk space, Windows XP measures the size of compressed files as though they were uncompressed.


NTFS offers the following features:

  • NTFS compression applies to individual files, individual folders, or an entire NTFS volume.

  • To identify which files are compressed, you can open any Explorer window, click Tools, Folder Options, click the View tab, and then select the Show Encrypted or Compressed NTFS Files in Color option. The names of encrypted or compressed files are displayed in different colored text.

  • NTFS enables you to compress a folder without compressing the folder's contents.

  • NTFS does not enable you to encrypt a compressed file or folder.

Exam Alert

Know whether files and folders retain compression after being moved or copied. Expect questions that refer to compressed files that are moved or copied. The following rules apply:

  • A copied file always inherits the new folder's compression state.

  • A file that has been moved in the same NTFS volume retains the file's original compression state.

  • A file that has been moved from one NTFS volume to a different NTFS volume inherits the new folder's compression state.

  • Compressed files that are moved or copied from NTFS to FAT16 or FAT32 volumes will lose compression.


Step by Step 5.1 discusses the process for converting a FAT volume to NTFS and then compressing a file. NTFS is required for native file compression. Prior to running a file system conversion, you should make certain the computer is fully backed up and can be restored.

Step by Step: 5.1 Converting a FAT Volume to NTFS

  1. Click Start, Run, type cmd in the Open text box, and click OK. A command prompt window appears.

  2. Type convert c: /fs:ntfs /v and press Enter. This command converts the C drive to NTFS in verbose mode, allowing you to see the progression of the conversion.

  3. When the conversion is complete, restart the computer.

  4. Open My Computer by double-clicking the icon on the desktop.

  5. Navigate to the file that you plan to compress, right-click it, and click Properties.

  6. Click the Advanced button in the Attributes section of the General tab, as shown in Figure 5.1. The Advanced Attributes dialog box opens.

Figure 5.1. Compression and encryption are both advanced attributes.

Exam Alert

Convert a volume. You will probably run into a scenario that refers to the business objectives that would drive either a conversion to NTFS or a conversion to FAT from NTFS. Remember that if the business objective requires dual-booting, the business objective is pointing to a FAT volume. If the business objective requires permissions, compression, or encryption, the business objective is pointing to an NTFS volume.

  7. Select the Compress Contents to Save Disk Space option.

  8. Click OK to close the Advanced Attributes dialog box.

  9. Click OK to close the Properties dialog box.

  10. To identify compressed files, in the Explorer window, click Tools, Folder Options. The Folder Options dialog box opens.

  11. Click the View tab.

  12. Scroll down the list of view options and select the Show Encrypted or Compressed NTFS Files in Color option, as shown in Figure 5.2. Remember that the encryption and compression file attributes are mutually exclusive; therefore, you will never have a file that can be shown in two colors.

Figure 5.2. To quickly locate files that have been compressed, ensure that the Show Encrypted or Compressed NTFS Files in Color option is selected.

  13. Click OK.

  14. In the Explorer window, locate your compressed file and confirm that it is displayed with colored text.


The process to compress a folder is nearly identical to that of compressing a file. The difference is that after you have clicked OK to start the compression, the computer asks whether you want to compress just the folder or the folder along with its files and subfolders.

As mentioned previously, you can compress an entire NTFS volume. To do so, open My Computer, navigate to the volume you plan to compress, right-click it, and select Properties from the shortcut menu. Select the Compress Volume to Save Disk Space option. Click OK and confirm the attribute changes in the resulting dialog box.

Compressed folders can be password protected. To do this, you need to open the compressed folder, click File, and select Add a Password. Next, type the password, confirm it, and click OK. If anyone attempts to move, delete, or open the folder, a dialog box opens requesting this password.

Caution

Keep track of passwords. Write down and safely store the passwords for compressed folders. These passwords are not recoverable, which means that you will not be able to access the folder's contents if you lose the password.


Controlling Access to Files and Folders by Using Permissions

Objective:

Monitor, manage, and troubleshoot access to files and folders.

  • Control access to files and folders by using permissions.

When you share files and folders in a workgroup in Windows XP Professional where the disk partition is formatted with NTFS, you can use Simple File Sharing (as in Windows XP Home Edition) or NTFS permissions. For granular control, NTFS permissions are the only way to control file and folder access.

By default, a computer running Windows XP Professional in a workgroup uses Simple File Sharing. Simple File Sharing provides for a Shared Documents folder that contains the Shared Pictures and Shared Music subfolders. When a user wants to share a file, the user simply moves or copies the file to the Shared Documents folder or one of its subfolders.

Also, when you're using Simple File Sharing, users who connect to the computer across the network automatically authenticate as the Guest account; this is called ForceGuest. You cannot set NTFS permissions separately from shared folder permissions. Instead, you are allowed to establish a new share with only Full Control or Read access.

Because of the limitations within Simple File Sharing, you must disable Simple File Sharing to have granular control over files and folders shared either locally or across the network.

Simple File Sharing, by default, prevents you from seeing the Security tab where you can assign specific permissions. When you are connected to a domain, the advanced options for permissions are automatically provided on the Security tab. To configure a standalone or workgroup computer so that you can see and utilize the Security tab, you need to turn Simple File Sharing off. You can do this by opening the My Computer icon, clicking Tools, Folder Options, clicking the View tab, and then clearing the Use Simple File Sharing option in the Advanced Settings section.

Note

Some folders don't exist for domain members. When a Windows XP Professional computer is a member of a domain, there are no Shared Documents, Shared Music, or Shared Pictures folders.


Understanding NTFS

Windows XP Professional NTFS volumes enable you to grant or refuse access to files or folders by applying permissions. Table 5.2 explains NTFS permissions.

Table 5.2. NTFS Permissions Are Applicable to Files and Folders

| NTFS Permission | File or Folder Permission | Result When Granted |
|---|---|---|
| Full Control | Both | Grants full access to a file or to a folder's contents: Read, Write, Modify, Change Permissions, Take Ownership, and Delete. |
| Modify | Both | Grants Read, Write, Modify, and Delete rights, as well as the right to read permissions of a file or folder. |
| Read & Execute | Both | Grants the right to execute an application (*.exe) or open a file and to read it, as well as the right to read its attributes and permissions. For a folder, this right applies to all the files within the folder. |
| List Folder Contents | Folder | Grants the right to open a folder, read its attributes and permissions, and to list the files and subfolders within it. Does not allow the user to execute any files within the folder. |
| Read | Both | Grants the right to list a file or folder and read its attributes and permissions. Does not allow the user to execute a file or any files within a folder. |
| Write | Both | Grants the right to save changes to a file, to create new files, and to change attributes of a file. |


Assigning Permissions to Files and Folders

When you create a new file in Windows XP Professional, you are given Full Control of that file. If you want to grant access for that file to another user, you need to assign permissions. To make these changes, you can follow the process in Step by Step 5.2.

Step by Step: 5.2 Enabling the Security Tab to View or Change File and Folder Permissions

  1. Double-click the My Computer icon on the desktop.

  2. Navigate to the file or folder on which you want to set permissions and right-click it.

  3. Select Properties from the shortcut menu.

  4. Click the Security tab.

  5. The Properties dialog box opens, similar to that shown in Figure 5.3.

Figure 5.3. The Security tab displays the available users, groups, and permissions.

  6. Select the user or group to whom you will be granting or denying access by clicking the object. If a user or group does not appear in the list, you may search for the user by clicking the Add button. Use the resulting search dialog box to search for users and groups.

  7. Click the user or group object to view the object's existing permissions in the lower portion of the dialog box. The permissions that are already granted or denied appear dimmed with checked boxes. Those that are unavailable are dimmed with unchecked boxes.

  8. To grant a permission, select the option in the Allow column for that permission. To deny a permission, select the option in the Deny column for that permission. Note that when a permission includes other automatic rights, those rights are automatically selected. For example, if you select the Read & Execute option, the Read option becomes selected.

  9. If you need to grant or deny permissions to several different users or groups, click Apply after changing each user or group.

  10. When finished with your task, click OK to close the Properties dialog box.


If you want to deny only a specific right, such as the Write permission, simply click the Deny check box for that permission because it overrides the Allow permission. If a user has been denied access to a file, you can take ownership of the file as a troubleshooting method. To do this, you must be logged on to the computer as an administrator and Simple File Sharing must be disabled. To take ownership of a file or folder, click the Security tab in the Properties dialog box for that particular file or folder. Click the Advanced button and then click the Owner tab.

For a file, under the list of names, select Administrator or the Administrators group and click OK. The administrator now owns the file and can apply further permissions as needed.

For a folder named FOLDERX where you need to take ownership of the contents of the folder as well as the folder itself, under the list of names, select Administrator or the Administrators group, then select the Replace Owner on Subcontainers and Objects option and click OK. A message appears stating "You do not have permission to read the contents of directory FOLDERX. Do you want to replace the directory permissions with permissions granting you Full Control?" Click Yes to replace all permissions, and then click OK.

Note

Permissions are cumulative. When you assign permissions, remember that they are cumulative. A user's actual permissions are the resulting collective allowed rights that have flowed down from upper-level folders, plus explicitly assigned permissions at that level, as long as there are no denied rights. Denied rights override allowed rights.


Handling Permission Inheritance

As you can see, the process of granting and denying specific permissions to different users, especially if the permissions vary by user, can require hours of your time if you have to do this to each and every file on the computer. Thankfully, folder permissions can be inherited by the files and subfolders within them. Plus, you can create groups for users that are granted the same permissions. The combination of these two faculties in Windows XP Professional, along with a well-organized hierarchy of folders and files, can greatly reduce the time and effort it takes to administer the computer.

Exam Alert

Stopping automatic inheritance. It is possible to stop the inheritance of permissions by clicking the This Folder Only option when you establish special permissions for a parent folder. Otherwise, the permissions are inherited.


If you want to remove any inheritance for a folder that has already been established, right-click the folder, select Properties, click the Security tab, and click the Advanced button. The Advanced Security Settings dialog box opens, similar to the one shown in Figure 5.4. Clear the Inherit from Parent the Permission Entries That Apply to Child Objects. Include These with Entries Explicitly Defined Here check box.

Figure 5.4. You can remove permission inheritance from a folder.


Securing the %systemroot% Folder and Subfolders

To ensure that the Windows XP Professional operating system performs correctly, you should retain the default security settings on the %systemroot% folder and subfolders. If you modify these permissions, you may cause unpleasant problems for users attempting to log on or for applications that attempt to run.

Handling Conflicting Permissions

When a user is a member of multiple groups, that user may have conflicting permissions for a file. For example, John is a member of GRP1 and GRP2. GRP1 is given Read access to FOLDER1 and GRP2 is granted Modify access to FOLDER1. As a result, John is automatically given the Modify access to FOLDER1. The only time this doesn't work in a cumulative manner is when there is an explicitly denied permission. If John had been denied the Modify permission to FOLDER1, he would not be able to Read or Modify it because the Modify right incorporates the ability to Read the file.

Exam Alert

Understand conflicting permissions. Conflicting permissions for users who are members of multiple groups is a common problem to encounter on the exam. Not only should you be aware that Deny permissions always override Allow permissions, but explicit permissions always override inherited permissions.
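
The rules above (Allow entries accumulate across groups, Deny overrides Allow, explicit entries override inherited ones) can be checked with a small Python model. This is an added example, not part of the original text or of Windows itself; it assumes a simplified six-bit rights model, reuses the John, GRP1, GRP2, and FOLDER1 names from the paragraph above, and adds a constructed third case with an inherited Deny entry.

```python
from dataclasses import dataclass

# Simplified right bits, constructed for this example; real NTFS access
# masks are finer-grained than these six.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = (1 << i for i in range(6))

# Standard permissions from Table 5.2 expressed as bundles of those bits.
PERMS = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ | EXECUTE,
    "Modify": READ | WRITE | EXECUTE | DELETE,
    "Full Control": READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNERSHIP,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry on a file or folder."""
    trustee: str             # user or group the entry names
    allow: bool              # True = Allow column, False = Deny column
    perm: str                # key into PERMS
    inherited: bool = False  # True if the entry flowed down from a parent folder


def canonical_order(acl):
    """Order entries the way Windows evaluates them:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(user, groups, acl):
    """Return the bitmask of rights the user actually ends up with."""
    identities = {user, *groups}
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue  # entry names someone else
        mask = PERMS[ace.perm]
        if ace.allow:
            granted |= mask & ~denied   # cannot grant a bit already denied
        else:
            denied |= mask & ~granted   # cannot revoke a bit already granted
    return granted


def has_permission(user, groups, acl, perm):
    """True if every right bundled in `perm` is effectively granted."""
    wanted = PERMS[perm]
    return (effective_rights(user, groups, acl) & wanted) == wanted


JOHN_GROUPS = ["GRP1", "GRP2"]

# Case 1 (from the text): GRP1 has Read and GRP2 has Modify on FOLDER1.
FOLDER1 = [Ace("GRP1", True, "Read"), Ace("GRP2", True, "Modify")]

# Case 2 (from the text): John is additionally denied Modify.
FOLDER1_DENIED = FOLDER1 + [Ace("John", False, "Modify")]

# Case 3 (constructed): Deny Write is inherited from the parent folder for
# GRP1, while GRP2 has an explicit Allow Modify on the folder itself.
FOLDER1_INHERITED_DENY = [
    Ace("GRP1", False, "Write", inherited=True),
    Ace("GRP2", True, "Modify"),
]

if __name__ == "__main__":
    cases = [
        ("Read + Modify via two groups", FOLDER1),
        ("explicit Deny Modify for John", FOLDER1_DENIED),
        ("inherited Deny vs explicit Allow", FOLDER1_INHERITED_DENY),
    ]
    for label, acl in cases:
        held = [p for p in PERMS if has_permission("John", JOHN_GROUPS, acl, p)]
        print(f"{label}: {held or 'no access'}")
```

Case 2 leaves John with no access at all, because the denied Modify bundle contains the Read right. Case 3 leaves him with Modify, because the explicit Allow entry is evaluated before the inherited Deny.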


Calculating How Permissions Change When Moving or Copying a File

Just as compression attributes may change when moving or copying a file, permissions can also change when a file is moved or copied. The obvious changes happen when you copy or move a file from an NTFS volume to a FAT16 or FAT32 volume. Because neither FAT16 nor FAT32 supports native file security, all permissions are lost.

If you move or copy a file from one NTFS volume to another, you can get a variety of results based on whether the file retains the former permissions or inherits new ones. Table 5.3 shows the results based on the type of file operation.

Table 5.3. Moving and Copying Files on NTFS Volumes May Change Permissions

| Operation | Resulting Permissions |
|---|---|
| Move a file or folder to another location on the same NTFS volume | File or folder retains its original permissions |
| Move a file or folder to a different NTFS volume | File or folder inherits new permissions from the new parent folder |
| Copy a file or folder to another location on the same NTFS volume | File or folder inherits new permissions from the new parent folder |
| Copy a file or folder to a different NTFS volume | File or folder inherits new permissions from the new parent folder |


You can override the default results for permissions when you use the Xcopy command-line utility. The /o switch for the Xcopy command copies the file access control list (ACL), which includes all the permissions along with the file. In addition, you can use the /x switch with Xcopy, which copies the audit information in addition to the ACL.

If a user experiences errors when attempting to access a file or folder, and you can't immediately determine the cause of the problem, check the user's effective permissions. Effective permissions are the actual permissions that the user has based on group membership, explicitly allowed or denied rights, and inherited allowed or denied rights. To determine what the effective permissions are for a particular user, you do not need to add the explicit and inherited permissions manually. Instead, Windows XP Professional allows you to view the effective permissions on each file or folder for any user or group. To do this, follow the process in Step by Step 5.3.

Step by Step: 5.3 Viewing a User's or Group's Effective Permissions

  1. In an Explorer window, navigate to the file or folder, right-click it, and select Sharing and Security.

  2. Click the Security tab.

  3. Click the Advanced button.

  4. In the Advanced Security Settings dialog box, click the Effective Permissions tab. The Advanced Security Settings dialog box opens, similar to the one shown in Figure 5.5.

Figure 5.5. The Effective Permissions tab displays actual permissions for users and groups.

  5. Click the Select button to choose the user or group.

  6. Type the name of the user or group and click OK. The effective permissions are displayed.


Challenge

You are a network administrator for ALSO Services. You have 12 main network sites with between 300 and 1,500 users at each location. In response to a last-minute request, ALSO is rolling out a new site to support a large oil exploration corporate client in Barrows, Alaska. This location is extremely remote and the best wide area network (WAN) link that ALSO has been able to obtain is a satellite link, which frequently drops the connection. You have decided to roll out a temporary workgroup of three computers running Windows XP Professional, which are upgraded with SP2 and running Transmission Control Protocol/Internet Protocol (TCP/IP) until a better link can be acquired.

You must now configure all the computers so that each has three user accounts, and then configure one computer with ALSO's standard file system hierarchy that includes the correct NTFS and sharing permissions for those users. This is in preparation for when a server is placed onsite, at which point you will be able to migrate the files onto a domain member server. You need to make certain that the following requirements are met:

  • User1, a member of the Acctg group, has Full Control to all accounting files and is denied access to HR files.

  • User2, a member of the Admins group, has the ability to take ownership of all files and has Read access to the Site files and List Folder Contents to access HR files.

  • User3, a member of HR, should have Full Control to HR, Site, and Accounting files.

All users are members of the ALSO group, and should be able to run applications that are in the Apps folder, but only User2 should be able to add, change, or delete them and be able to change or delete subfolders and their contents. The folder hierarchy is standard for your company and shown in Figure 5.6. You will be sharing three folders: Groups, Admin, and Apps. The Admin share will be hidden.

Figure 5.6. The folder hierarchy for ALSO Services is the starting point for applying NTFS permissions.


You need three computers for this exercise, each running Windows XP Professional with SP2 and configured with TCP/IP. These computers should not have any data of value stored on them, and the partitions should be formatted with the FAT32 file system.

With what you have learned so far, you should be able to work through the required steps on your own. If you need to check your work, follow the steps presented here.

  1. Log on to one of the Windows XP Professional computers as an administrator.

  2. Double-click My Computer. Double-click Local Disk (C:\). Right-click an empty space in the window and select New, Folder. Name the folder All Files. Double-click the folder to open it. Create three new folders called Groups, Admin, and Apps. Open the Groups folder and create two new folders called Accounting and HR. Navigate up a level so that you can open the Admin folder, and then create a new folder named Site within it.

  3. Click Start, Run, type cmd in the Open text box, and press Enter. Type chkdsk and press Enter to display the file system type. It should be FAT32. When Chkdsk has finished, type convert c: /fs:ntfs and press Enter. You are prompted to allow the conversion to take place upon reboot. Click Yes and then click Start, Turn Off Computer, and click Restart.

  4. Log on to the same computer as an administrator. Right-click My Computer and select Manage from the shortcut menu. Navigate in the left pane to the Local Users and Groups node, and then to the Users node. Click the Action menu and select New User from the menu. Create an account for User1. Repeat the process for User2 and User3.

  5. Still in Computer Management, navigate to the Groups node below Local Users and Groups. Click the Action menu and select New Group. Name the group ALSO and add User1, User2, and User3 as members. Create another group named Acctg and add User1 as a member. Create a group named Admins and add User2 as a member. Create a group named HR and add User3 as a member.

  6. Open My Computer. Select the Tools menu and select Folder Options. Click the View tab. Clear the Use Simple File Sharing (Recommended) check box. Click OK.

  7. In Windows Explorer, navigate to the All Files folder at the top of the hierarchy. Right-click it and select Sharing and Security. Click the Security tab. Click the Users group and then click Remove. Click the Add button and select Admins. Click the Advanced button. Highlight the Admins item and click the Edit button. Under the Allow column, select the Take Ownership check box. Click OK. You are returned to the Advanced Security Settings for Groups dialog box. Select the Replace Permission Entries on All Child Objects with Entries Shown Here That Apply to Child Objects option. Click OK. Click OK again.

  8. Navigate to the Accounting folder. Right-click the folder and select Properties. Click the Security tab. Click the Add button and select the Acctg group. Under the Allow column, click Full Control. Click the Add button and select the HR group. Under the Allow column, click Full Control. Click OK.

  9. Navigate to the HR folder. Right-click it and select Sharing and Security from the shortcut menu. Click the Security tab. Click the Add button and select the Acctg group. Under the Deny column, select Full Control. Click the Add button and select the HR group. Under the Allow column, select Full Control. Click the Add button and select the Admins group. Under the Allow column, select List Folder Contents. Click OK.

  10. Navigate to the Site folder. Right-click it and select Properties from the shortcut menu. Click the Security tab. Click the Add button and select the Admins group. Under the Allow column, select Read. Click the Add button and select HR. Under the Allow column, select Full Control. Click OK.

  11. Navigate to the Apps folder. Right-click it and select Properties from the shortcut menu. Click the Security tab. Click the Add button and select ALSO. Under the Allow column, select Read & Execute. Click the Add button and select Admins. Under the Allow column, select Modify and then click the Advanced button. Highlight the Admins entry and click the Edit button. Select the Delete Subfolders and Files option. Click OK. Click OK again.

  12. Navigate to the Groups folder. Right-click the folder and select Sharing and Security. Click the Sharing tab. Click Share This Folder. Type the share name Groups. Click the Permissions button. Remove the Everyone group. Click the Add button and add the Acctg, Admins, and HR groups. For each group, select Full Control in the Allow column.

  13. Repeat the process in step 12 for the Apps folder.

  14. Navigate to the Admin folder and right-click it. Select Sharing and Security from the shortcut menu. Click the Sharing tab. Click Share This Folder. Type the share name Admin$. Click the Permissions button. Remove the Everyone group, and then add the Acctg, Admins, and HR groups and allow Full Control.

  15. Log on to each of the other two Windows XP computers. Create the User1, User2, and User3 accounts and configure them with the same password used on the first computer.


Optimizing Access to Files and Folders

Objective:

Monitor, manage, and troubleshoot access to files and folders.

  • Optimize access to files and folders.

When you set permissions on a folder, all its subfolders inherit the permissions, even if the subfolder is created as a new folder after the fact. One of the easiest ways of granting permissions is to simply give everyone Full Control access at the top folder level. This, however, can cause problems with file management in the long term. Therefore, you should put thought into a folder hierarchy that you can replicate across multiple computers, and that will reduce your overall administration time.

The key to a good folder hierarchy is to think counter-intuitively. Instead of determining how to build your folder structure from the top down, consider how to build it from the bottom up. You want to assign the most permissions to the lowest-level folders, and the fewest permissions to the top-level folders. For example, let's say you have two teams: Human Resources (HR) and Telemarketing (TELE). Each team uses the same computers at different times of the day and needs to have access to particular files. Obviously, you don't want your telemarketers to have access to sensitive data such as salaries that HR might save to the hard disk. So, you must do two things to avoid any mix-ups:

  1. Create two separate groups. Create one group for HR and the other for TELE, and populate them with the correct HR and TELE users. (If you are connected to a domain, you should create the groups on the domain rather than individually on each computer.)

  2. Create two bottom-level folders. Create one folder for HR and the other for TELE. Grant the HR group members full access to their own folder and deny all permissions to that folder for TELE and everyone else, for that matter. (Denying a right takes priority over any rights that may accidentally be inherited or granted to a specific individual.) Do the same for the TELE folder.

After you have created the group-specific folders, you can then consider creating additional folders that may be used by other users or for general use by either HR or TELE. Work your way upward until you reach the top-level folder, where you will likely want to allow access only to administrators of the computer. Figure 5.7 depicts this entire hierarchy.

Figure 5.7. A good folder hierarchy is built from the bottom up.
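The deny-over-allow rule from step 2, as an added Python sketch that models the access check in simplified form (it is not from the book and not Windows code). The user names, permission bits, and the Deny-for-Everyone variant are constructed for illustration; the last case shows that a Deny entry for the Everyone group also locks out HR members, because every user's token carries Everyone.

```python
# Simplified model of the NTFS access check (added illustration, constructed data).
from dataclasses import dataclass

READ, WRITE, FULL = 0x1, 0x2, 0x3  # constructed permission bits for this sketch

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # user or group the entry applies to
    mask: int               # permission bits the entry covers
    inherited: bool = False

def canonical(acl):
    """Canonical ACL order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token, acl, wanted):
    """token: the user's own name plus every group the user belongs to.
    A matching deny on a still-needed bit fails immediately; matching
    allows accumulate until every wanted bit has been granted."""
    remaining = wanted
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # nothing granted the remaining bits: implicit deny

# Constructed users; every token includes Everyone.
ALICE = {"alice", "HR", "Everyone"}
BOB = {"bob", "TELE", "Everyone"}
CAROL = {"carol", "HR", "TELE", "Everyone"}  # mistakenly placed in both groups

HR_FOLDER = [Ace("allow", "HR", FULL), Ace("deny", "TELE", FULL)]
HR_FOLDER_DENY_EVERYONE = [Ace("allow", "HR", FULL), Ace("deny", "Everyone", FULL)]

def demo():
    return {
        "alice": access_check(ALICE, HR_FOLDER, READ),
        "bob": access_check(BOB, HR_FOLDER, READ),
        "carol": access_check(CAROL, HR_FOLDER, READ),
        "alice_deny_everyone": access_check(ALICE, HR_FOLDER_DENY_EVERYONE, READ),
    }
```

Leaving a group off the ACL already denies it implicitly, so an explicit Deny is only needed for a group whose members might otherwise pick up access through another membership.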


Keep in mind that Microsoft's recommended practice is to assign permissions as follows when your computer is participating in a domain:

  • Create domain user objects

  • Place domain users in domain global groups

  • Place domain global groups in local groups

  • Assign permissions to local groups

In this manner, whenever you create a new user object, you can place global groups in the appropriate domain so that they quickly obtain the correct permissions to be functional. The fact that a domain global group can be placed within local groups on any computer in the Active Directory allows a user to be granted permissions to any computer or server. At the same time, removing rights for a user account is just as easily accomplished: simply delete the user object's group memberships.

For a computer that is in a workgroup rather than a domain, you do not have the luxury of domain global groups or domain users that can be created once and used on every computer. You can simplify administration, however, as follows:

  • Establish standard user names and create the same user objects on each computer.

  • Establish standard group names and create the same group objects on each computer.

  • Apply permissions only to local groups.

  • Add user objects to local group objects.

Sharing an Encrypted File

You can encrypt files natively in Windows XP Professional using the Encrypting File System (EFS). When you encrypt a file, you are scrambling the data so that no one can read it without having the key to unscramble it. EFS enables you to automatically encrypt data stored on a Windows XP Professional NTFS-formatted hard disk.

A problem arises when a user wants to encrypt files to protect them from most users, and also wants to share those files with a select user or group of users. Because encryption is intended to make files private, it takes an extra step to share them with other users, aside from placing the files in folders to which those users have been granted permissions.

To share a file that has been encrypted with EFS, you must be either an administrator or the user who encrypted the file in the first place. Right-click the encrypted file and select Properties from the shortcut menu. Click the Advanced button and then click Details. Here, you should click Add and select the user or group with which you want to share the file. Click OK several times until all dialog boxes are closed.

In addition to adding users to the encrypted file, you must make certain that the users have been granted NTFS permissions to access the file.


Review Break

You can apply NTFS compression to files, folders, or volumes. When a file is copied to a new folder, the file inherits the new folder's compression state. When a file is moved in the same NTFS volume, the file retains its original compression state. When a file is moved from one NTFS volume to a folder on another NTFS volume, the file inherits the new folder's compression state. When compressed files are moved or copied from NTFS to FAT16 or FAT32 volumes, the files lose compression.

When you're using Simple File Sharing, users who connect to the computer across the network automatically authenticate as the Guest account. You cannot set NTFS permissions separately from shared folder permissions. Because of the limitations within Simple File Sharing, you must disable Simple File Sharing to have granular control over files and folders shared either locally or across the network.



Exam Prep 2. Windows XP Professional
MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
ISBN: 0789733633
EAN: 2147483647
Year: 2004
Pages: 193
