Lesson 5: Sharing Folders

You can make resources available to others by sharing folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. After you have shared a folder, you might want to modify it. You can stop sharing it, change its share name, and change user and group permissions to gain access to it.


After this lesson, you will be able to

  • Create and modify shared folders
  • Make a connection to a shared folder
  • Combine shared folder permissions and NTFS permissions

Estimated lesson time: 35 minutes


Requirements for Sharing Folders

In Windows 2000 Professional, members of the built-in Administrators and Power Users groups are able to share folders. Which groups can share folders, and on which computers, depends on the type of computer on which the shared folder resides and on whether that computer belongs to a workgroup or a domain. The following list describes which groups can share folders in a domain or a workgroup.

  • In a Windows 2000 domain, the Administrators and Server Operators groups can share folders residing on any machines in the domain. The Power Users group is a local group and can share folders residing only on the standalone server or computer running Windows 2000 Professional where the group is located.
  • In a Windows 2000 workgroup, the Administrators and Power Users groups on a Windows 2000 Server standalone server or on a computer running Windows 2000 Professional can share folders on those individual computers.

NOTE


If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.

Administrative Shared Folders

By default, Windows 2000 shares certain folders for administrative purposes. The share names of these folders consist of the folder name with a dollar sign ($) appended, which hides the shared folders from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.

Table 3.9 describes the purpose of the administrative shared folders that Windows 2000 provides by default.

Table 3.9 Windows 2000 Administrative Shared Folders

Share | Purpose
C$, D$, E$, and so on | The administrative shares are used to remotely connect to the computer to perform administrative tasks. Windows 2000 assigns the Full Control permission to the Administrators group. The root of each volume on a hard disk is shared by default, and the share name is the drive letter appended with a dollar sign ($). When you connect to this shared folder, you have access to the entire volume. CD-ROM drives are also shared by default, and their share names are created by appending the dollar sign to the CD-ROM drive letter.
Admin$ | The system root folder, which is C:\Winnt by default, is shared as Admin$. Only members of the Administrators group have access to this share. Windows 2000 assigns the Full Control permission to the Administrators group. Administrators can gain access to this shared folder to administer Windows 2000 without knowing which folder it is installed in.
Print$ | When you install the first shared printer, the systemroot\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators, Server Operators, and Print Operators groups have the Full Control permission. The Everyone group has the Read permission.

Hidden shared folders aren't limited to those that the system creates by default. You can create additional hidden shares by appending a dollar sign to the end of the share name. Then only users who know the folder name can gain access to it, if they also have the appropriate permissions.

Sharing a Folder

When you share a folder, you can give it a share name, create comments to describe the folder and its content, limit the number of users who have access to the folder, assign permissions, and share the same folder multiple times.

Follow these steps to share a folder:

  1. Log on with a user account that is a member of a group that is able to share folders.
  2. Right-click the folder that you want to share, and then click Sharing.
  3. On the Sharing tab select Share This Folder and configure the options shown in Figure 3.7 and described in Table 3.10.

Figure 3.7 The Sharing tab of a folder's Properties dialog box

Table 3.10 Sharing Tab Options

Option | Description
Share Name | The name that users from remote locations use to make a connection to the shared folder. You must enter a share name.
Comment | An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify contents of the shared folder.
User Limit | The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows 2000 Professional will support 10 connections. Windows 2000 Server can support an unlimited number of connections, but the number of Client Access Licenses (CALs) that you purchased limits the number of connections you can make.
Permissions | The shared folder permissions that apply only when the folder is accessed over the network. By default, the Everyone group is assigned Full Control for all new shared folders.
Caching | The settings to configure offline access to this shared folder.

Caching

Copies of the files are stored in a reserved portion of disk space on your computer called a cache, which makes shared folders available offline. Since the cache is on your hard disk, the computer can access this cache regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of the Folder Options dialog box. You can also see how much space the cache is using by opening the Offline Files folder and clicking Properties on the File menu.

NOTE


Shared network files are stored in the root folder of your hard disk. If you want to change the location of the cache, you can do so using the Offline Files Mover (Cachemov.exe), which is available on the Windows 2000 Professional Resource Kit.

When you share a folder, you can allow others to make the shared folder available offline by clicking Caching in the folder's Properties dialog box. In the Caching Settings dialog box (see Figure 3.8), the Allow Caching Of Files In This Shared Folder check box allows you to turn caching on and off.

Figure 3.8 The Caching Settings dialog box

The Caching Settings dialog box contains the following three caching options:

  • Manual Caching For Documents. The files that someone using your shared folder specifically (or manually) identifies are the only ones available offline. This caching option is recommended for a shared network folder containing files that are to be accessed and modified by several people. This option is the default.
  • Automatic Caching For Documents. Makes every file that someone opens from your shared folder available to him or her offline. Files that aren't opened are not available offline.
  • Automatic Caching For Programs. Provides offline access to shared folders containing files that are read, referenced, or run, but that are not changed in the process. This setting reduces network traffic because offline files are opened directly without accessing the network versions in any way, and generally start and run faster than the network versions.

Assigning Shared Folder Permissions

After you have shared a folder, the next step is to specify which users have access to the shared folder by assigning shared folder permissions to selected user accounts and groups.

Follow these steps to assign permissions to user accounts and groups for a shared folder:

  1. On the Sharing tab of the Properties dialog box, click Permissions.
  2. In the Permissions dialog box, ensure that the Everyone group is selected and then click Remove.
  3. In the Permissions dialog box, click Add (see Figure 3.9).

Figure 3.9 Setting permissions for a shared folder

  4. In the Select Users, Computers, Or Groups dialog box, click the user accounts and groups to which you want to assign permissions.
  5. Click Add to add the user account or group to the shared folder. Repeat this step for all user accounts and groups to which you want to assign permissions.
  6. Click OK.
  7. In the Permissions dialog box for the shared folder, click the user account or group, and then, under Permissions, select the Allow check box or the Deny check box for the appropriate permissions for the user account or group.
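A review of share definitions against the points covered so far: the default Everyone Full Control entry that step 2 removes, hidden shares an administrator creates, and FAT volumes, where the share permissions are the only protection. This is an added example, not part of the training kit; the record layout, the finding codes and the sample shares are assumptions made for illustration, and only Allow entries are modelled.

```python
import re

# Default administrative shares from Table 3.9: drive letters, Admin$, Print$.
ADMIN_SHARE = re.compile(r"^(?:[A-Z]|ADMIN|PRINT)\$$", re.IGNORECASE)

def classify(name):
    if ADMIN_SHARE.match(name):
        return "administrative"
    return "hidden" if name.endswith("$") else "visible"

def audit(shares):
    """Return (share, finding) pairs for shares an administrator created."""
    findings = []
    for share in shares:
        name, fs = share["name"], share["filesystem"].upper()
        kind = classify(name)
        if kind == "administrative":
            continue                      # created and permissioned by Windows
        if kind == "hidden":
            # Hiding only stops browsing; the permissions still decide access.
            findings.append((name, "HIDDEN_CUSTOM"))
        everyone_full = any(who.lower() == "everyone" and perm == "Full Control"
                            for who, perm in share["share_acl"])
        if everyone_full and fs == "FAT":
            findings.append((name, "OPEN_TO_EVERYONE"))  # no other control exists
        elif everyone_full:
            findings.append((name, "RELIES_ON_NTFS"))    # NTFS ACL is the only gate
        elif fs == "FAT":
            findings.append((name, "SHARE_ACL_ONLY"))    # share ACL is the only gate
    return findings

# Constructed inventory for illustration; Apps and Payroll$ are hypothetical.
SAMPLE = [
    {"name": "C$", "filesystem": "NTFS", "share_acl": [("Administrators", "Full Control")]},
    {"name": "Public", "filesystem": "NTFS", "share_acl": [("Everyone", "Full Control")]},
    {"name": "Apps", "filesystem": "FAT", "share_acl": [("Everyone", "Full Control")]},
    {"name": "Payroll$", "filesystem": "NTFS", "share_acl": [("Managers", "Full Control")]},
    {"name": "MgmtGd", "filesystem": "NTFS", "share_acl": [("Managers", "Full Control")]},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
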

Modifying Shared Folders

You can modify shared folders, stop sharing a folder, modify the share name, and modify shared folder permissions.

Follow these steps to modify a shared folder:

  1. Click the Sharing tab in the Properties dialog box of the shared folder.
  2. To complete the appropriate task, use the steps listed for each task in the following table.

Modifying a Shared Folder

To | Do this
Stop sharing a folder | Click Do Not Share This Folder.
Modify the share name | Click Do Not Share This Folder to stop sharing the folder; click Apply to apply the change; click Share This Folder, and then enter the new share name in the Share Name box.
Modify shared folder permissions | Click Permissions. In the Permissions dialog box, click Add or Remove. In the Select Users, Computers, Or Groups dialog box, click the user account or group whose permissions you want to modify.
Share folder multiple times | Click New Share to share a folder with an additional shared folder name. Do so to consolidate multiple shared folders into one while allowing users to continue to use the same shared folder name that they used before you consolidated the folders.
Remove a share name | Click Remove Share. This option appears only after the folder has been shared more than once.

NOTE


If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has a connection to the shared folder, Windows 2000 displays a dialog box notifying you that a user has a connection to the shared folder.

Strategies for Combining Shared Folder Permissions and NTFS Permissions

You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.

When you use shared folder permissions on an NTFS volume, the following rules apply:

  • You can apply NTFS permissions to files and subfolders in the shared folder. You can apply different NTFS permissions to each file and subfolder that a shared folder contains.
  • In addition to having shared folder permissions, users must have NTFS permissions for the files and subfolders that shared folders contain to gain access to those files and subfolders. In contrast, on FAT volumes, which have no file level security, permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.
  • When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 3.10, the Users group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. The Users group's effective permission for FileA is Read because Read is the more restrictive permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

Figure 3.10 Combining shared folder permissions and NTFS permissions
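The combination rule from Figure 3.10, worked through as an added example that is not part of the training kit. It goes beyond the figure by also covering local access, a FAT volume, membership in several groups and Deny entries. The three-level rights model (NTFS permissions reduced to Read, Change and Full Control) and the Temps group are simplifying assumptions.

```python
# Each level is a set of rights, so "more restrictive" becomes an intersection.
READ = frozenset({"read"})
CHANGE = READ | {"write"}        # share "Change"; stands in for NTFS Modify here
FULL = CHANGE | {"control"}
LEVELS = (("Full Control", FULL), ("Change", CHANGE), ("Read", READ))

def resolve(acl, principals):
    """Rights one ACL gives a user: all Allow entries minus all Deny entries."""
    allowed, denied = set(), set()
    for who, kind, rights in acl:
        if who in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)

def effective(principals, share_acl, ntfs_acl=None, over_network=True):
    """ntfs_acl=None models a FAT volume; over_network=False is a local logon."""
    share = resolve(share_acl, principals) if over_network else None
    ntfs = resolve(ntfs_acl, principals) if ntfs_acl is not None else None
    if share is None and ntfs is None:
        return FULL                      # local access on FAT: no ACL applies
    if share is None:
        return ntfs                      # share permissions apply only remotely
    if ntfs is None:
        return share                     # FAT: the share ACL is the only gate
    return share & ntfs                  # the more restrictive permission wins

def label(rights):
    for name, level in LEVELS:
        if level <= rights:
            return name
    return "Special" if rights else "No Access"

def figure_3_10():
    """The Figure 3.10 scenario plus three constructed variations."""
    users = {"Users"}
    share = [("Users", "allow", FULL)]            # the Public share
    file_a = [("Users", "allow", READ)]
    file_b = [("Users", "allow", FULL)]
    temp = {"Users", "Temps"}                     # Temps is a hypothetical group
    share_deny = share + [("Temps", "deny", FULL)]
    return {
        "FileA over network": label(effective(users, share, file_a)),
        "FileB over network": label(effective(users, share, file_b)),
        "FileA local logon": label(effective(users, share, file_a, over_network=False)),
        "Public on FAT": label(effective(users, share)),
        "Temps member, FileB": label(effective(temp, share_deny, file_b)),
    }

if __name__ == "__main__":
    print(figure_3_10())
```
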

Practice: Managing Shared Folders

In this practice, you determine users' effective permissions, plan shared folders, plan permissions, share a folder, assign shared folder permissions, connect to a shared folder, stop sharing a folder, and test the combined effects of shared folder permissions and NTFS permissions.

Exercise 1: Combining Permissions

Figure 3.11 shows examples of shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions. In this exercise, you determine a user's effective permissions for each example.

Figure 3.11 Combined permissions

  1. In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder.

    What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?

  2. In the second example, the Users folder contains user home folders. Each user home folder contains data that is accessible only to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for only their home folder and no NTFS permissions for other folders. These users are all members of the Users group.

    What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?

Exercise 2: Planning Shared Folders

In this exercise, you plan how to share resources on servers in the main office of a manufacturing company. Record your decisions in the table at the end of this exercise.

Figure 3.12 illustrates a partial folder structure for the servers at the manufacturing company.

Figure 3.12 A partial folder structure for the servers at a manufacturing company

You need to make resources on these servers available to network users. To do this, determine which folders to share and which permissions to assign to groups, including the appropriate built-in groups.

Base your planning decisions on the following criteria:

  • Members of the Managers group need to read and revise documents in the Management Guidelines folder. Nobody else should have access to this folder.
  • Administrators need complete access to all shared folders, except for Management Guidelines.
  • The customer service department requires its own network location to store working files. All customer service representatives are members of the Customer Service group.
  • All employees need a network location to share information with each other.
  • All employees need to use the spreadsheet, database, and word processing software.
  • Only members of the Managers group should have access to the project management software.
  • Members of the CustomerDBFull group need to read and update the customer database.
  • Members of the CustomerDBRead group need to read only the customer database.
  • Each user needs a private network location to store files. This location must be accessible only by that user.
  • Share names must be accessible from Windows 2000, Windows NT, Windows 98, Windows 95, and non-Windows-NT-based platforms.

Record your answers in the following table.

Folder name and location | Shared name | Groups and permissions
Example: Management Guidelines | MgmtGd | Managers: Full Control

Lesson Summary

In this lesson, you learned that you share folders to provide network users with access to resources. On a FAT volume, the shared folder permissions are all that is available to provide security for the folders you have shared and for the folders and files they contain. On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
