You can make resources available to others by sharing folders containing those resources. To share a folder, you must be a member of one of several groups, depending on the role of the computer where the shared folder resides. When you share a folder, you can control access to the folder by limiting the number of users who can simultaneously gain access to it, and you can also control access to the folder and its contents by assigning permissions to selected users and groups. Once you have shared a folder, users must connect to the shared folder and must have the appropriate permissions to gain access to it. After you have shared a folder, you might want to modify it. You can stop sharing it, change its share name, and change user and group permissions to gain access to it.
After this lesson, you will be able to
Estimated lesson time: 35 minutes
In Windows 2000 Professional, members of the built-in Administrators and Power Users groups are able to share folders. Which groups can share folders and on which computers they can share them depends on what type of computer the shared folder resides, and whether it resides on a workgroup or a domain. The following list describes which group can share folders when they are in a domain or workgroup.
If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.
By default, Windows 2000 shares certain folders for administrative purposes. The share names of these folders consist of the folder name appended with dollar signs ($), which hide the shared folders from users who browse the computer. The root of each volume, the system root folder, and the location of the printer drivers are all hidden shared folders that you can gain access to across the network.
Table 3.9 describes the purpose of the administrative shared folders that Windows 2000 provides by default.
Table 3.9 Windows 2000 Administrative Shared Folders
|C$, D$, E$, and so on||The administrative shares are used to remotely connect to the computer to perform administrative tasks. Windows 2000 assigns the Full Control permission to the Administrators group. The root of each volume on a hard disk shared by default, and the share name is the drive letter appended with a dollar sign ($). When you connect to this shared folder, you have access to the entire volume. |
CD-ROM drives are also shared by default and their share names are created by appending the dollar sign to the CD-ROM drive letter.
|Admin$||The system root folder, which is C:\Winnt by default, is shared as Admin$. Only members of the Administrators group have access to this share. Windows 2000 assigns the Full Control permission to the Administrators group. Administrators can gain access to this shared folder to administer Windows 2000 without knowing which folder it is installed in.|
|Print$||When you install the first shared printer, the systemroot\ System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators, Server Operators, and Print Operators groups have the Full Control permission. The Everyone group has the Read permission.|
Hidden shared folders aren't limited to those that the system creates by default. You can create additional hidden shares by appending a dollar sign to the end of the share name. Then only users who know the folder name can gain access to it, if they also have the appropriate permissions.
When you share a folder, you can give it a share name, create comments to describe the folder and its content, limit the number of users who have access to the folder, assign permissions, and share the same folder multiple times.
Follow these steps to share a folder:
Figure 3.7 The Sharing tab of a folder's Properties dialog box
Table 3.10 Sharing Tab Options
|Share Name||The name that users from remote locations use to make a connection to the shared folder. You must enter a share name.|
|Comment||An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify contents of the shared folder.|
|User Limit||The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows 2000 Professional will support 10 connections. Windows 2000 Server can support an unlimited number of connections, but the number of Client Access Licenses (CALs) that you purchased limits the number of connections you can make.|
|Permissions||The shared folder permissions that apply only when the folder is accessed over the network. By default, the Everyone group is assigned Full Control for all new shared folders.|
|Caching||The settings to configure offline access to this shared folder.|
Copies of the files are stored in a reserved portion of disk space on your computer called a cache, which makes shared folders available offline. Since the cache is on your hard disk, the computer can access this cache regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of the Folder Options dialog box. You can also see how much space the cache is using by opening the Offline Files folder and clicking Properties on the File menu.
Shared network files are stored in the root folder of your hard disk. If you want to change the location of the cache you can do so using, the Offline Files Mover (Cachemov.exe), which is available on the Windows 2000 Professional Resource Kit, to change the cache location.
When you share a folder, you can allow others to make the shared folder available offline by clicking Caching in the folder's Properties dialog box. In the Caching Settings dialog box (see Figure 3.8), the Allow Caching Of Files In This Shared Folder check box allows you to turn caching on and off.
Figure 3.8 The Caching Settings dialog box
The Caching Settings dialog box contains the following three caching options:
After you have shared a folder, the next step is to specify which users have access to the shared folder by assigning shared folder permissions to selected user accounts and groups.
Follow these steps to assign permissions to user accounts and groups for a shared folder:
Figure 3.9 Setting permissions for a shared folder
You can modify shared folders, stop sharing a folder, modify the share name, and modify shared folder permissions.
Follow these steps to modify a shared folder:
|Modifying a Shared Folder|
|Stop sharing a folder||Click Do Not Share This Folder.|
|Modify the share name||Click Do Not Share This Folder to stop sharing the folder; click Apply to apply the change; click Share This Folder, and then enter the new share name in the Share Name box.|
|Modify shared folder permissions||Click Permissions. In the Permissions dialog box, click Add or Remove. In the Select Users, Computers, Or Groups dialog box, click the user account or group whose permissions you want to modify.|
|Share folder multiple times||Click New Share to share a folder with an additional shared folder name. Do so to consolidate multiple shared folders into one while allowing users to continue to use the same shared folder name that they used before you consolidated the folders.|
|Remove a share name||Click Remove Share. This option appears only after the folder has been shared more than once.|
If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has a connection to the shared folder, Windows 2000 displays a dialog box notifying you that a user has a connection to the shared folder.
You share folders to provide network users with access to resources. If you are using a FAT volume, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
One strategy for providing access to resources on an NTFS volume is to share folders with the default shared folder permissions and then control access by assigning NTFS permissions. When you share a folder on an NTFS volume, both shared folder permissions and NTFS permissions combine to secure file resources.
Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network.
When you use shared folder permissions on an NTFS volume, the following rules apply:
In Figure 3.10, the Users group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. The Users group's effective permission for FileA is Read because Read is the more restrictive permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.
Figure 3.10 Combining shared folder permissions and NTFS permissions
In this practice, you determine users' effective permissions, plan shared folders, plan permissions, share a folder, assign shared folder permissions, connect to a shared folder, stop sharing a folder, and test the combined effects of shared folder permissions and NTFS permissions.
Figure 3.11 shows examples of shared folders on NTFS volumes. These shared folders contain subfolders that have also been assigned NTFS permissions. In this exercise, you determine a user's effective permissions for each example.
Figure 3.11 Combined permissions
What are the Sales group's effective permissions for the Sales subfolder when they gain access to the Sales subfolder by making a connection to the Data shared folder?
What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?
In this exercise, you plan how to share resources on servers in the main office of a manufacturing company. Record your decisions in the table at the end of this exercise.
Figure 3.12 illustrates a partial folder structure for the servers at the manufacturing company.
Figure 3.12 A partial folder structure for the servers at a manufacturing company
You need to make resources on these servers available to network users. To do this, determine which folders to share and which permissions to assign to groups, including the appropriate built-in groups.
Base your planning decisions on the following criteria:
Record your answers in the following table.
|Folder name and location||Shared name||Groups and permissions|
|Management Guidelines||MgmtGd||Managers: Full Control|
In this lesson, you learned that you share folders to provide network users with access to resources. On a FAT volume, the shared folder permissions are all that is available to provide security for the folders you have shared and for the folders and files they contain. On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.