Managing and Troubleshooting Access to Shared Folders

Shared folders are folders on the local hard drive that have been shared so that users on a network can connect to those shares. For the exam, it is critical that you understand how to manage and troubleshoot connections to shared resources, how to create new shared resources, and how to set permissions on shared resources. The process that both Windows XP and Windows Server 2003 use to share folders is that an administrator selects a folder, regardless of its location in the local folder hierarchy, and shares it through the Sharing tab of the folder's Properties dialog box. Shares can be managed through the Computer Management console snap-in.

Administrators may find that the Computer Management snap-in is helpful in file and folder security management. You can open Computer Management from within Administrative Tools, which is found in Control Panel. To manage file and folder security, navigate to the Shared Folders node in the left pane. Double-click Shares to see the shared folders. All hidden administrative shares are those that are followed by a dollar sign ($). These cannot be modified. From the remaining shared folders, select one to double-click and view the security settings on the folder.

Connecting to a Shared Resource in Windows XP

There are several ways to connect to a shared resource. A user can browse the network via My Network Places and look for the resources. A user can map a drive either from a command line or using an Explorer command. A user can even connect to network resources from within applications.

You need the Universal Naming Convention (UNC) for command-line usage or even to connect to a network share from within Explorer or the Run dialog box. A UNC path consists of two backslashes followed by the name of the computer (considered to be the server, because it is providing a file service to the network), which is followed by another backslash and then the name of the share. UNC names can pinpoint through several subfolder layers of the share if necessary; however, the basic format of a UNC name is as follows:

 \\servername\sharename 

If you were going to connect directly to a subfolder, you would use the name as the following naming format:

 \\servername\sharename\subfoldername 

To connect to a network share from an Explorer window, simply type the UNC name in the address bar of the window.

To connect to a network share from the Run dialog box, click Start, Run. Type the UNC name of the share in the Open text box and press Enter.

To map a network drive, you can right-click My Computer or My Network Places and select Map Network Drive. The Map Network Drive dialog box opens, as shown in Figure 5.8. Type the UNC name of the share in the Folder list box and click OK. Alternatively, from this dialog box, you can click the Browse button and search for the share to which you want to connect.

From a command prompt, you can issue the net use command to map a drive to a shared folder. For example, to open a command-prompt window, click Start, Run, type cmd in the Open text box, and press Enter. At the command prompt, issue the following command:

 net use m: \\servername\sharename 

To access the shared folder, type M: at the command prompt to change to drive M, which is now the shared folder. The net use command has several other options. To see the syntax, type net use /? at the command prompt, which yields the results shown in Figure 5.9.

Figure 5.9. The net use command has several options for use in mapping a network drive.

If you do not have the proper permissions to connect to a share, you will experience errors regardless of which method you employ in connecting.

Creating and Removing Shared Folders

Objective:

Manage and troubleshoot access to shared folders.

• Create and remove shared folders.

Aside from the default administrative shares, there are no folders that are automatically shared with the network. To share files with other users across the network, you must manually do so for each folder containing the files that you want to share. To share a folder with other network users, you can open any Explorer window and then follow the process shown in Step by Step 5.4.

Exam Alert

IIS maximum connections A frequent exam question requires you to know that the maximum number of connections per share for IIS on a Windows XP Professional computer is 10.

To delete a share on the network yet leave the folder intact, right-click the shared folder and select Sharing and Security from the shortcut menu. Select the Do Not Share This Folder option and click OK. To create or remove shared folders, you must be logged on as a member of one of the local groupsAdministrators, Server Operators, or Power Usersthat has the right to share folders.

The Windows XP Server Service

The Windows XP Server service is responsible for sharing folders. If the service has been disabled for any reason, you cannot see the Sharing tab. To restart the Server service, logon as an Administrator, open Control Panel, click Performance and Maintenance Administrative Tools, and double-click. Right-click the Server service and click Start.

Using Net Share to Create or Delete Shared Folders

You can use the net share command to create or delete a shared folder. To create a new shared folder, type

 net share MYSHARE=c:\mydata 

This command tells the computer to share the folder C:\mydata as a shared folder named MYSHARE.

Working with Share Permissions

Objective:

Manage and troubleshoot access to shared folders.

• Control access to shared folders by using permissions.

Until this point, we have discussed NTFS permissions as they apply to users who log on to the same computer. Share permissions are those that apply to users who connect to a share across a network. Share permissions are applied on top of NTFS security permissions, which complicates access somewhat.

When share permissions conflict with NTFS permissions, the resulting permissions are those that are most limiting. For example, if a user named Joe has the NTFS permission of Full Control for FILE1, but Joe has only the share permission of Read for FILE1, when Joe accesses FILE1 across the network he is allowed only to read it because the Read permission is the most restricting. If Joe had the NTFS permission of Read for FILE1 and the share permission of Full Control, Joe would still only be able to Read FILE1.

Exam Alert

NTFS and share permissions conflicts Be on the lookout for questions that say that a user can access a file locally, but not across the network. These situations are indicative of NTFS and share permission conflicts.

Establishing Share Permissions

When granting access to your local files to other users across a network, your computer becomes vulnerable to both unintentional and intentional attacks. Not only can the data simply be viewed for malicious purposes, such as corporate spying, but it can be altered or destroyed on purpose or accidentally. For this reason alone, you should always grant the most restrictive permissions necessary for a network user to conduct work on those files. Granting just enough permission without being too lenient is a fine line to walk. If you are too stringent, users can't get their jobs done. If you are too lenient, the data is at risk.

To set shared folder permissions, you must first access the Sharing tab of the folder's Properties dialog box. On the Sharing tab, click the Permissions button. The Permissions dialog box opens, similar to the one shown in Figure 5.11. There are three possible share permissions to grant or deny:

• Full Control

• Change

• Read

The default share permission for an NTFS share is Everyone: Full Control. If you established granular NTFS permissions directly on the files and are confident of that security, the default share permission should be sufficient. However, if you are using Simple File Sharing or wish to be absolutely certain that no one can modify, delete, or add new files to your shared folder without appropriate permissions, you should deny the Everyone group all permissions, click Add, and select each group with which you want to share the folder and grant it its own permissions.

From within Computer Management, you can create a share and establish permissions. To do this, open the Computer Management snap-in from within Administrative Tools. Expand the Shared Folders node, right-click the Shares node, and select New File Share from the shortcut menu. In the resulting dialog box, type the path to the directory that you are sharing in the Folder to Share text box. Type a name in the Share Name text box and click Next. You can now select a basic share permission from the list, or you can customize the list to define a more granular share permission set. When you are finished, click Finish.

To remove a shared folder in the Computer Management console, right-click the share, which appears in the right pane when the Shares node is selected, and select Stop Sharing from the shortcut menu. Answer Yes and the share will be gone.

Managing Hidden Folders

Every time the computer starts, Windows XP Professional automatically generates administrative shared folders. These folders are hidden from the casual network browser because they contain files that, if damaged, can cause the computer to fail. However, they also contain files that an administrator may need to access in the event of a problem with the computer, hence the name "administrative shares." The default administrative shares include

• C$ For each hard disk volume, an administrative share is generated that consists of a dollar sign appended to the drive letter.

• ADMIN$ This is the share for the %systemroot% folder, which is typically C:\WINDOWS or C:\WINNT, depending on where you installed Windows XP.

• IPC$ This is the share used by applications and objects for interprocess communications (IPCs).

• Print$ This contains printer drivers for local printers so that a remote computer can connect and obtain the printer driver appropriate for the shared printer.

• FAX$ This is a folder used by fax clients for sending faxes.

Because administrative folders are hidden, you cannot browse for them as you would browse for a standard shared folder. You can, however, connect using the UNC name for the share.

You can create a hidden share of your own by simply appending a dollar sign ($) to the name of a shared folder. The share will not be visible when users browse the network. Users may still connect to this share, but they must manually type the full name of the share, including the dollar sign, and must have share permissions to access the shared folder.

Handling Offline Files

Offline Files is also known as client-side caching (CSC) because a client computer caches a file that it obtains from a server computer. When you share a folder, you can also make it easier for users to keep a local copy of the folder on their own computer. The process from a user's standpoint is that, even if a computer is down or offline, the folder can still be accessed and the files can be read or modified. At the point that the user's computer and the computer hosting the offline shared folder are both online simultaneously, any changes that the user made to the shared files will synchronize back to the hosting computer.

It is appropriate to create a share that provides offline files, and to configure caching on network client computers when

• A user has two computersa laptop and a workstationand wants to synchronize documents to take home every evening.

• A user travels often and requires a standard set of office files to take on the road, and also wants to synchronize his own updated files with those on the server after returning from trips.

• A group of users is located in a small office site that has an unreliable network connection because of the geography of the location, and they need to be able to work on files whether or not the network connection is functioning.

• A user has developed a business-critical set of files on her laptop computer. Her coworkers want to have access to these files but the user moves about from place to place and often the share is not available.

It is usually not appropriate to create offline files when users are working in a standard office using desktop computers that do not change or disconnect for any reason.

To configure offline settings, right-click a shared folder and select Sharing from the shortcut menu. Click the Caching button. The Cache Settings dialog box opens. The default cache setting is to allow caching. To disable it, you must clear the Allow Caching of Files in this Shared Folder check box. If you do not disable caching, you can configure one of three options:

• Automatic Caching of Documents

• Automatic Caching of Programs and Documents

• Manual Caching of Documents (the default setting)

The Automatic Caching of Documents setting enables the server (the computer providing the shared folder) and the workstation to synchronize shared files without human intervention.

The Automatic Caching of Programs and Documents option is designed for the offline sharing of read-only data because any files on the workstation computer are replaced by the files on the server when a newer server file is available.

The default setting, Manual Caching of Documents, requires a user to specify which files to cache.

The default location where Windows XP Professional stores cached files is %systemroot%\CSC.

When a shared folder is available for CSC, you must enable the client to use offline files. Clients are not enabled to store offline files by default. To do so, open My Computer and click Tools, Folder Options, and click the Offline Files tab. Select the Enable Offline Files option and click OK.

After making certain that a shared folder providing offline files is available and that the client computer is enabled to use Offline Files, you can select the files or folders that the client will cache. To do this, follow Step by Step 5.5.

Although offline files are automatically synchronized when you log on and log off, you may need to synchronize a file at another point during the day. To manually synchronize an offline file, from the client computer, right-click the offline file and select Synchronize from the shortcut menu. This functions only while the host computer and the client are online and functioning on the network at the same time.

If you have Fast User Switching enabled on your computer, you cannot use Offline Files until you disable Fast User Switching.

When two users change an offline file, a file conflict occurs when the second person synchronizes. When this happens, a Resolve File Conflicts dialog box opens, in which you have the option of saving the conflicting file or discarding it. The dialog box allows you to establish the same resolution method for all offline file conflicts.

You can use the Synchronization Manager to automatically or manually synchronize offline files. You can schedule automatic synchronization to take place at intermittent intervals when your computer is otherwise idle.

To configure synchronization, click Start, All Programs, Accessories, and then click Synchronize. The Synchronization Manager starts. Select the items to synchronize and click the Idle tab. Select the intervals at which to synchronize while the computer is idle and click OK.

Managing and Troubleshooting Web Server Resources

Objective:

Manage and troubleshoot access to shared folders.

• Manage and troubleshoot Web server resources.

Windows XP Professional does not include web server software by default. You must install IIS manually through the Add/Remove Programs utility in Control Panel. (See the "Apply Your Knowledge" section later in this chapter for complete instructions for installing IIS.) IIS is considered a Windows component that you can add after the operating system is installed. IIS works only if the computer is using TCP/IP.

With IIS installed, you can share folders with other computers over the web instead of sharing them as shared folders. The benefit of doing so is that nearly any computer that has TCP/IP installed and a browser can access a web folder from anywhere in the world. To access a shared folder, that computer must have the client software for a Microsoft Windows network installed. Therefore, you can use the Web Folders feature to share files with non-Microsoft client computers. Step by Step 5.6 shows the process of sharing a web folder on Windows XP Professional.

After you share a web folder, the Web Folders protocolWeb Distributed Authoring and Versioning (WebDAV)acts as a redirector to enable users to read and save documents via the HyperText Transfer Protocol (HTTP). An application must be able to support retrieving documents via HTTP to use Web Folders.

Web Folders supports encrypted files and, when you use encrypted files, the data that traverses the network cannot be deciphered, which adds protection when sharing a file across an open Internet connection. You should use the Secure Sockets Layer (SSL) protocol to protect passwords and encrypted data. When you use SSL, the Uniform Resource Locator (URL) to the web folder begins with https:// instead of http://, plus you will see a yellow lock in the bottom of the web browser.

To troubleshoot web folder access problems, your first test should be to see whether IIS is running in standard form. The simple method is to open Internet Explorer on another computer on the network and type the URL for the home directory of your IIS server. If that succeeds, you should test the same URL on a computer that is connected on a different local area network (LAN).

If your tests are unsuccessful, you should test whether you can connect to the server's IP address if you use ping. You need to open a command-prompt window on the client computer to execute the command. The syntax for this command is

 ping 123.45.67.89 

The next test determines whether the server's name is being resolved. Try using ping with the server's DNS name in place of the IP address. In addition, you can use Nslookup. From the client computer, open a command-prompt window, type nslookup, and press Enter. Next, type the DNS name of the server and see whether it is found.

If the server appears to be in working order for all except access to the web folders, you should try restarting the server or just the IIS service. In addition, you should verify the location of the web folder.