Lesson 3: Supporting Shared Folders | MCDST Self-Paced Training Exam 70-271(c) Supporting Users and Troubleshooting a Micro[... ]ystem

Shared folders provide users with access to resources across the network. As a DST, you must understand how to share folders, how to manage shared folders, and how to troubleshoot shared folder access issues if the need arises. This lesson covers sharing folders on a computer running Windows XP Professional on which Simple File Sharing is disabled. (You will learn more about Simple File Sharing in Lesson 4.)

After this lesson, you will be able to

Identify basic file and folder permissions.
Configure shared folders.
Control access to shared folders.
Monitor the shared folders on a computer running Windows XP.
Troubleshoot access to shared folders.

Estimated lesson time: 40 minutes

Configuring Shared Folders

The first step of providing network access to file and folder resources is to create shared folders. After you create a shared folder, network users with the appropriate permissions can connect to the folder and access resources. When a shared folder is no longer needed, you should disable the share so that it is no longer accessible from the network.

To create shared folders on a computer running Windows XP Professional, you must be a member of the Administrators or Power Users groups. Also, users who are granted the Create Permanent Shared Objects user right are also allowed to share folders. You can share only folders; you cannot share individual files. If you need to provide users network access to files, you must share the folder that contains the files.

To create a shared folder on a computer running Windows XP Professional on which Simple File Sharing is disabled, follow these steps:

In Windows Explorer, right-click the folder to be shared and select Sharing And Security.
In the Properties dialog box of the folder, on the Sharing tab, select the Share This Folder check box, as shown in Figure 5-12. By default, Windows assigns a Share Name that is the same as the name of the folder. You can change the name if you want and optionally enter a description that helps users further identify the contents of the folder. Click OK.

Figure 5-12: Share a folder by using the Sharing tab of a folder’s Properties dialog box.

After you share a folder, the folder’s icon will change to the shared folder icon (a folder with a hand beneath it). The shared folder icon is visible only to users who have permission to share folders. Users who do not have permission to share folders do not see this visual indicator and therefore are not aware of which folders have been shared.

Note

You can also create shared folders by using Computer Management, which is discussed in the section titled “Managing Shared Folders in Computer Management” later in this chapter, and by using the NET SHARE command-line utility. For help using Netshare, execute NET SHARE /? from a command prompt.

Setting User Limits on Shared Folders

By default, the User Limit option on the Sharing tab of a shared folder’s Properties dialog box is set to the maximum allowed, which indicates that the number of users who can connect to the share is limited only by the number of connections the computer allows. Computers running Windows XP Professional are limited to 10 simultaneous connections. There are some cases in which you may want to limit the number of users who can connect to a shared folder, including the following:

Licensing limits on software If you purchase a limited number of user licenses for a particular software program, limiting the number of users who can connect to the share and therefore run the program can help you stay within your licensing limits.
Performance considerations If an application program’s performance degrades significantly with many users accessing it simultaneously, you can limit the number of users who can connect to the share to keep performance at an acceptable level.

Sharing an Existing Shared Folder with Another Name

You can share the same folder multiple times with different share names and different permissions assignments. This sharing is useful if diverse groups of users would recognize the same data more intuitively under different share names or if different users require different levels of share permissions for the same folder.

Existing shared folders have a New Share button at the bottom of the Sharing tab, as shown in Figure 5-13. This button enables you to share the folder again with a different name and a unique set of properties.

click to expand
Figure 5-13: After a folder is shared, a New Share button is added that lets you create additional shares.

When you click New Share, you simply enter a name and comment, configure user limits, modify the permissions if necessary, and click OK to create the new share.

After you create an additional share, you can choose which share you want to modify by selecting it from the Share Name drop-down list on the shared folder’s Properties dialog box, as shown in Figure 5-14. Also notice the addition of the Remove Share button at the bottom of the Sharing tab, which you can use to remove a selected share. When only one share name remains for a shared folder, the Remove Share button is not present. To remove the last share name, you must stop sharing the folder entirely.

click to expand
Figure 5-14: After creating additional shares, the Sharing tab changes so that you can select and modify each share.

Changing the Share Name of a Shared Folder

You cannot modify the share name of a shared folder. However, you can effectively change the share name by creating a new share name by using one of the following methods:

Stop sharing the folder and then share it again with the new name.
Use the New Share button to share the folder again with the new name. Click the Share Name drop-down list and select the old name. Click Remove Share to remove the old name.

If the share has been in existence for some time and users are already using it, you may want to share the folder again with the new name and also leave the old name in place. When you are sure that no one is connecting to the old share name any more, you can remove it.

Hidden Shares

Using a dollar sign ($) at the end of a share name creates a hidden share, which prevents users who are browsing the network from seeing the share. Users have to know the name and location of the share to connect to it. The $ is part of the share name and needs to be specified in the path.

For example, if you share the folder C:\Private with the share name Private$ on a computer named Computer1, the user has to use the following path to access the shared folder:

\\Computer1\Private$

Figure 5-15 illustrates a user connecting to a hidden share by using the Run option from the Start menu.

Figure 5-15: Users must know the exact name of a hidden share to connect to it.

Removing Shared Folders

When network access to a shared folder is no longer needed, you can stop sharing the folder. When you stop sharing a folder, it does not affect the folder’s contents; it affects only users’ ability to connect to the folder across the network.

To stop sharing a folder, select the Do Not Share This Folder option on the Sharing tab of the shared folder’s Properties dialog box, and then click the OK button to continue.

Caution

If any users are connected to the shared folder when you attempt to stop sharing it, you will receive a warning message. Pay careful attention to this warning. If a user is working with files in this folder and you take the share privilege away from that user, data can be lost. If you receive this message, use the Computer Management utility to determine who is connected to the share and then contact that person before you take further action.

Additional Shared Folder Characteristics

Some general characteristics of shared folders to be aware of include the following:

By default, the share name is the same as the name of the folder. However, you can change the share name to anything that you think is appropriate.
Use intuitive share names and include comments that will help users identify the share’s contents.
Do not use spaces in share names if you are working with computers running Microsoft Windows 95, Windows 98, or Microsoft Windows 3.x clients on the network. Share names with spaces do not display appropriately when those types of clients are browsing for network resources.
Computers running Microsoft Windows NT, Microsoft Windows 2000, and Windows XP can recognize 80-character share names; Windows 95 and Windows 98 can recognize 12-character share names; and previous versions of Windows and MS-DOS can recognize only share names that follow the 8.3 naming convention. If you have client computers running previous versions of Windows that support only shorter names, consider using a naming convention that all the operating systems on the network support.
When you copy a shared folder, the shared folder configuration does not copy with it. The new folder will not be shared.
When you move or rename a shared folder, sharing configuration is lost. You will need to share the folder again after a move or rename operation.

Controlling Access to Shared Folders

You have just helped a caller create a shared folder on a volume that is formatted by using NTFS. Now, you need to grant both shared and NTFS permissions so that only selected users have access to the share. You gather information from the user who called with the problem, and now you must assist him with setting permissions.

To grant permissions so that only selected users can access the files, you must know how to control access to shared folders by using permissions. You can protect shared folders by using shared folder permissions or through a combination of shared folder and NTFS permissions. You must understand how shared folder permissions and NTFS permissions interact to ensure that users have the proper level of access to application programs and data on the network.

Shared folder permissions are in effect only when a user connects to the shared folder across the network; they have no effect when the user is accessing a resource when the user is logged on locally to the computer. This is in contrast with NTFS permissions, which are in effect both when the user logs on locally and when the user accesses the resource across the network.

Shared Folder Permissions

Shared folder permissions are simple. Unlike NTFS permissions, there is no differentiation between basic and advanced permissions. Shared folder permissions are described in Table 5-10.

Table 5-10: Shared Folder Permissions
Permission	Allows These Actions
Read	User can view file and folder names, execute applications, open and read data files, view file and folder attributes, and navigate the folder hierarchy from the level of the shared folder down
Change	User can perform all actions that are allowed by the Read permission and create and delete files and folders, edit files, and change file and folder attributes
Full Control	User can perform all actions that are allowed by the Change permission, modify permission assignments, and take ownership

You grant shared folder permissions on the folder that is shared. Shared permissions are automatically inherited by all files and folders contained in the shared folder, and you cannot disable share permission inheritance–all files and folders within the shared folder have the same level of share permissions. If you need varying levels of permissions to files within a shared folder, you have to use a combination of shared folder and NTFS permissions.

Shared folder permissions are in effect only when users connect to the shared folder across the network. If a user logs on to a computer locally, the only permissions that take effect are NTFS permissions.

Viewing Shared Folder Permissions

You can view shared folder permissions on the Sharing tab in the Properties dialog box of a shared folder. To view shared folder permissions, follow these steps:

In Windows Explorer, locate the folder for which you want to view shared folder permissions.
Right-click the folder, and then select Sharing And Security.
Click the Permissions button to view the Share Permissions dialog box, shown in Figure 5-16. In this case, we are viewing the share permissions of a folder called Data.

Figure 5-16: Configure share permissions using the Share Permissions dialog box.

Notice the shared folder permissions assignment in Figure 5-16. The group Everyone has been allowed the Full Control permission. This is the default shared folder permission assigned to all shared folders.

Modifying Shared Folder Permissions

You can add, edit, and remove shared folder permissions from the Share Permissions dialog box.

To add shared folder permission assignments, follow these steps:

In the Sharing tab of the folder’s Properties dialog box, click Permissions.
In the Share Permissions dialog box, click Add.
Select the user accounts or groups to which you want to assign permissions and click OK. You are returned to the Share Permissions dialog box.
The default permissions assignment is Read, as shown in Figure 5-17. Modify the permissions as necessary and click OK or Apply.

Figure 5-17: Add user accounts or groups to the Share Permissions list and then assign specific permissions.

Calculating Effective Shared Folder Permissions

The rules for calculating effective shared folder permissions are the same as those used for NTFS permissions:

Allow permissions from all sources are combined, and the user will receive the highest possible level of permission allowed.
Deny permissions override allow permissions.

If a user has not been assigned any permission from any sources, access is denied.

Note

Shared folder permissions are the only way to control network access to resources on non-NTFS volumes. FAT and FAT32 systems do not have any local file and folder security features. When determining effective permissions on FAT or FAT32 volumes, you calculate only effective shared folder permissions.

Calculating Effective Permissions of Shared Folders on NTFS Volumes

When users connect to shared folders that are located on NTFS volumes, share permissions and NTFS permissions will combine to control the actions that a user can perform. Determining effective permissions can be somewhat difficult when both NTFS and shared permissions are involved.

Calculating effective permissions for resources within a shared folder on an NTFS partition is a three-step process:

Calculate the NTFS effective permissions for the user.
Calculate the shared folder effective permissions for the user.
Analyze the results of Steps 1 and 2, and select the result that is the more restrictive of the two. This will be the user’s effective permission for the shared folder.

Table 5-11 illustrates effective permissions calculations for shared folders on NTFS partitions. In these examples, the user JSmith is a member of the groups Managers, IT, and Everyone. For simplicity, all permissions specified are allow permissions.

Table Figure 5-11: Calculating Effective Permissions for Shared Folders on NTFS Partitions
Example Number	User or Group	Share Permissions Allowed	NTFS Permissions Allowed	Effective Permissions
1	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) (None assigned) (None assigned) Full Control	(None assigned) (None assigned) (None assigned) Read	Read
2	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) (None assigned) (None assigned) Read	(None assigned) (None assigned) Write Full Control	Read
3	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) (None assigned) (None assigned) Full Control	(None assigned) Modify Read (None assigned)	Modify
4	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) (None assigned) (None assigned) Full Control	(None assigned) (None assigned) (None assigned) (None assigned)	Access Denied
5	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) Full Control (None assigned) Read	Full Control Read (None assigned) (None assigned)	Full Control
6	JSmith (user) Managers (group) IT (group) Everyone (group)	(None assigned) (None assigned) (None assigned) (None assigned)	(None assigned) (None assigned) (None assigned) Full Control	Access Denied

The effective permission calculations in Table 5-11 are as follows:

Example 1 The user’s effective share permission is Full Control, and the effective NTFS permission is Read. The more restrictive of those two permissions is Read, so it is the effective permission. Even if the share permissions allow Full Control, the NTFS permissions further limit access to the resource.
Example 2 The user’s effective share permission is Read, and the effective NTFS permission is Full Control. The more restrictive of those two permissions is Read, so it is the effective permission. Even if the NTFS permission is Full Control, the user never has more permission than the share permissions allow.
Example 3 The user’s effective share permission is Full Control, and the effective NTFS permission to the resource is Modify (Read and Modify combine to allow the user the maximum level). The more restrictive of the two is Modify, so it is the effective permission. Even if the share permissions allow Full Control, the NTFS permissions further limit access to the resource.
Example 4 The user’s effective share permission is Full Control, and the effective NTFS permission is None. The more restrictive of the two permissions is None, so it is the effective permission and access will be denied. A user must be assigned permissions to gain access to a resource.
Example 5 The user’s effective share permission is Full Control (Read and Full Control combine to give the user the maximum level), and the effective NTFS permission is Full Control (Read and Full Control combine to allow the user the maximum level.) Both permissions are equal (neither is more restrictive), and the effective permission is Full Control.
Example 6 The user’s effective share permission is None, and the effective NTFS permission is Full Control. The more restrictive of the two permissions is None, so it is the effective permission and access is denied.

You can assign different levels of NTFS permissions to file and folder resources within the same shared folder, giving users varying levels of permissions in different areas. You may need to do multiple calculations to get a full picture of the actions that a user can perform within a single shared folder.

Real World—Share Permissions on Large Networks

If you are working on home and small business networks, you are likely to find that either Simple File Sharing or share permissions are used to control access to files and folders on the network. Even when drives are formatted with the NTFS file system, most people on small networks just do not use NTFS permissions.

On large company networks, you find just the opposite. Administrators typically rely on NTFS permissions and leave the default share permissions (where Everyone has full access) in place because NTFS permissions do a much better job of securing data. Because of the way that shared permissions and NTFS permissions interact, NTFS permissions secure data for both local and network access. Adding shared permissions is really unnecessary and in fact complicates the permissions that administrators must deal with. The exception to this is on computers running earlier versions of Windows (for example, Windows 98 or Microsoft Windows Me) that do not support the NTFS file system; these systems must use shared permissions if their data is to be shared on the network.

Here are some rules to follow when you are working with different kinds of networks. If you are working on a home network, users are probably using Simple File Sharing. If you are working on a small business network, users might be using Simple File Sharing or shared permissions. If all the computers on the network are running Windows 2000 or Windows XP, you might suggest moving over to the security of NTFS permissions and not worry about share permissions. If you are working on a large network, NTFS permissions are probably used, and shared permissions probably are not used. Make sure that you understand the policies of the network before you make any changes.

Administrative Shares

Several built-in administrative shares exist on all Windows XP computers. These shares are created automatically and cannot be unshared through conventional shared folder administration. The names of these shares all end in $, which means that they are hidden shares and cannot be viewed when users are browsing for shared folder resources.

The root of each volume is shared as drive_letter$ (that is, C$, D$, E$, and so on). Members of the Administrators and Power Users groups can connect to these shares to gain access to the entire volume. Because the shares are hidden, you must specify the path used to connect to them. For example, to connect to the root of the C drive on a server named Computer1, from the Start menu, select Run, and then type \\Computer1\C$ in the Run dialog box.

The following are additional administrative shares:

Admin$ The Windows SystemRoot folder is shared as Admin$. This share allows administrators to connect to the SystemRoot for maintenance purposes without specifically knowing the name of the folder in which Windows is installed.
Print$ The SystemRoot\System32\spool\drivers folder is shared as Print$ when the first printer is shared. Client computers automatically connect to this folder to download print device drivers when connecting to shared printers.
IPC$ IPC$ is the share that is used when connections are established to the computer but not to any particular shared resource. For example, if you connect to a computer by using Computer Management to manage the computer, you are not connecting to a particular shared folder. Instead, you are connecting to the IPC$ share. Interprocess communication (IPC) is a term used to describe connections between applications that are running on different computers across the network.

Managing Shared Folders in Computer Management

You can fully manage shared folders in the Computer Management utility. Available shared folder management options are as follows:

View a list of all folders that are currently shared
Create additional shared folders
View and edit the properties of shared folders
Remove shared folders
View users connected to shared folders
Remotely manage shared folders on other computers

Viewing a List of Shared Folders in Computer Management

You can view all folders that are currently shared in a single location within Computer Management. To view shared folders, follow these steps:

Start Computer Management, either by right-clicking My Computer and selecting Manage, or from the Administrative Tools folder in Control Panel.
Expand the System Tools node.
Under the System Tools node, expand the Shared Folders node, and then select the Shares folder. Shared folders are displayed in the details pane, as shown in Figure 5-18.

Figure 5-18: View shared folders in Computer Management.

Creating New Shared Folders in Computer Management

You can easily share folders by using Computer Management. To share a folder, complete the following steps:

In Computer Management, right-click the Shares folder (in the Shared Folders node) and select New File Share.
In the Create Shared Folder dialog box, type the path to be shared, the share name, and the share description. Click Next to continue.
If the folder to be shared does not exist, Windows opens a dialog box asking whether or not you want to create the folder. Click Yes to create the folder and continue.
In the Create Shared Folder dialog box, select the appropriate permissions option and click Finish to create the shared folder.

Viewing and Editing the Properties of Shared Folders in Computer Management

You can view and edit the properties of any shared folder through Computer Management by right-clicking the shared folder and selecting Properties. Figure 5-19 shows the Properties dialog box of a shared folder named Public. Notice the Security tab; you can also manage the NTFS permissions of the folder.

click to expand
Figure 5-19: Use Computer Management to modify the properties of a shared folder.

Managing Users That Are Connected to Shared Folders

To view the users that are connected to the server, expand the Shared Folders node in Computer Management and then select the Sessions folder. Occasionally, you may need to disconnect users from the computer so that you can perform maintenance tasks on hardware or software. To disconnect users from the server, do one of the following:

To disconnect a single user, right-click the user name in the Sessions folder and then select the Close Session option from the action menu.
To disconnect all users from the server, right-click the Sessions folder and then select the Disconnect All Sessions option from the action menu.

To view users who have shared files and folders open, select the Open Files option under the Shared Folders entry, as illustrated in Figure 5-20. The details pane displays the files and folders that are currently in use on the server. This information is valuable if you are trying to work with a shared folder or file and need to know who is currently accessing the resource so that you can ask that person to disconnect.

click to expand
Figure 5-20: View open files and folders by using Computer Management.

Troubleshooting Access to Shared Folders in Windows XP

When you troubleshoot access to shared folders, you must examine several issues. Most of the time, you should check share permissions first. If the share permissions are not granted so that the user has at least the Read permission, the user cannot access the resource. If the folder is on an NTFS volume, examine the security settings to ensure that the user has proper permissions. Finally, determine if the share is available. (Has someone disabled sharing on the folder, or is the computer that is sharing the resource still available on the network?)

Practice: Share a Folder

Note

These practices require that you have a computer running Windows XP Professional and that you have a volume formatted using NTFS. You must also have disabled Simple File Sharing.

Log on to Windows XP using an account with administrator privileges.
From the Start menu, select My Documents.
In My Documents, from the File menu, point to New and select Folder.
Type Documents For Administrators for the name of the folder and press Enter.
Right-click the new folder and select Sharing And Security.
In the Documents For Administrators Properties dialog box, on the Sharing tab, select Share This Folder. Click Permissions.
In the Permissions For Documents For Administrators dialog box, ensure that Everyone is selected in the Group Or User Names window. Click Remove and then click Add.
In the Select Users Or Groups dialog box, click Advanced.
In the second Select Users Or Groups dialog box, click Find Now.
In the search pane, select Administrators and click OK. (Make sure that you select the Administrators group and not the Administrator user.)
In the first Select Users Or Groups dialog box, click OK.
In the Permissions For Documents For Administrators dialog box, under Permissions For Administrators, select the Change check box in the Allow column, and then click OK.
In the Documents For Administrators Properties dialog box, click OK.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

Which of the following built-in groups in Windows XP Professional have the permissions to create shared folders by default?
1. Administrators
2. Backup Operators
3. Power Users
4. Users
One of your users is a sales executive with a folder on her computer named Customers, and she wants to share the folder with other sales executives on the network. She understands that she can secure the folder by assigning permission to access the folder to only the appropriate users. However, she prefers that other users on the network not even see the folder when they browse My Network Places on their computers. What would you name the share for this folder so that it is hidden?
1. Customers#
2. #Customers
3. Customers$
4. $Customers

Lesson Summary

To create shared folders on a computer running Windows XP Professional, you must be a member of the Administrators or Power Users groups. Also, users that are granted the Create Permanent Shared Objects user right can share folders.
Using a $ at the end of a share name creates a hidden share, which prevents users who are browsing the network from seeing the share. Users have to know the name and location of the share to connect to it.
You can share the same folder multiple times with different share names and different permissions assignments. This feature is useful if diverse groups of users would recognize the same data more intuitively under different share names or if different users require different levels of share permissions for the same folder.
You can protect shared folders through shared folder permissions or through a combination of shared folder and NTFS permissions. When shared and NTFS permissions are applied, the cumulative permissions of both are determined, and the most restrictive of those create the user’s effective permission.