Chapter 10: Shares, Permissions, and Group Policy

If you think all this talk of shares, permissions, rights, and privileges is confusing— you’re right. All the terms appear to be nearly synonymous. However, just as you learned that words like inflammable and sanction can mean completely opposite things depending on context, you can also learn to distinguish among these words.

Sharing Resources

Shared resources are folders, files, printers, devices, or applications that are available to users over a network. Until a drive or folder is shared over the network, users can’t see it or gain access to it. After a folder is shared, everyone on the network has, by default, read access to all files in the folder, and to all subfolders of that folder, and so on. After a drive or folder is shared, restrictions can be added or removed in the form of share permissions. These permissions apply only at the drive or folder level—not at the file level—and are limited to allowing or denying Full Control, Read, and Change. Table 10-1 summarizes the three types of access, from most restrictive to least restrictive.

Folder Sharing

To share a folder, you have only to open Server Management and select Shares (Local) in the console tree, and then complete the following steps:

1. Click Add A Shared Folder to launch the Share a Folder Wizard.

2. On the Folder Path page, type in the path to the folder you want to share. Better yet, click Browse and navigate to the folder, as shown in Figure 10-1.

   
   Figure 10-1: Specifying a folder to be shared.

   Tip

   You can create a new folder to share in this process. Just click Browse, navigate to the location for the new folder, and click Make New Folder.

3. On the Name, Description, And Settings page, you can change the default settings for the share. For example, if the original name of the folder isn’t helpful, type in a more comprehensible Share Name that will appear to users as the name of the folder. You can also add a description (always useful) and change the settings for offline use. (See “Setting Offline File Rules” later in this chapter for more information.)

4. On the Permissions page, you can select one of the three preconfigured settings or click the option to Use Custom Share And Folder Permissions and click Customize. (See “Working with NTFS File and Folder Permissions” later in this chapter for details about setting permissions.)

5. The final page of the wizard shows the details of the share and includes an option to run the wizard again to share another folder.

Removing a Share

To turn a shared folder into an unshared one, open Server Management and select Shares (Local) and find the folder in the details pane. Right-click the folder and select Stop Sharing from the shortcut menu.

Moving or Renaming a Shared Folder

After a folder has been shared, if you move or rename it, it loses its shared status. You need to run the Share a Folder Wizard to make the folder shared again.

Using Special Shares

In addition to shares created by a user or administrator, the system creates a number of special shares that shouldn’t be modified or deleted. The special share you’re most likely to see is the ADMIN$ share, which appears as C$, D$, E$, and so on. These shares allow administrators to connect to drives that are otherwise not shared.

Special shares exist as part of the operating system’s installation. Depending on the computer’s configuration, some or all of the following special shares could be present. (None of them should be modified or deleted.)

• ADMIN$ Used during the remote administration of a computer. The path is always the location of the folder in which Windows was installed (that is, the system root).

• driveletter$ The root folder of the named drive. Only Administrators, Backup Operators, and Server Operators can connect to these shares on Windows Server 2003 or Windows 2000 Server. On Microsoft Windows XP Professional and Windows 2000 Professional computers, only Administrators and Backup Operators can connect to these shares.

• IPC$ Used during remote administration and when viewing shared resources. This share is essential to communication and can’t be deleted.

• NETLOGON, SYSVOL Essential to all domain controllers. Do not remove.

• FsxSrvCp$ A shared folder used by fax clients while sending a fax. The folder is used to store shared cover pages and to cache files.

• Resources$ Contains Event Log files.

• PRINT$ A resource that supports shared printers.

To connect to an unshared drive on another computer, you need to be logged on using an account with the necessary rights. Use the address bar in any window and type the address using this syntax:

\\computer_name\[driveletter]$

To connect to the system root folder (the folder in which Windows Small Business Server is installed) on another computer, use this syntax:

\\computer_name\admin$

Other special shares such as IPC$ and PRINT$ are created and used solely by the system. NETLOGON is a special share used while processing domain logon requests. NETLOGON is on Windows Small Business Server, Windows Server 2003, Windows 2000, and Windows NT servers.

Adding a $ character to the end of a share name hides the share from all users. To access a hidden share, you need to specify it explicitly; you can’t browse the network for the share.

Creating a New Share for a Shared Folder

A single folder might be shared more than once. For example, one share might include Full Control for Administrators and another share for users might be more restricted. To add a new share, complete the following steps:

1. Right-click the Start button and select Explore. Navigate to the shared folder.

2. Right-click the folder and select Sharing And Security from the shortcut menu.

3. On the Sharing tab, click the New Share button.

4. In the New Share dialog box, enter a new Share Name. (Each share must have a unique name.) Set a user limit, if necessary.

5. Click Permissions to set permissions for this new share. As you can see in Figure 10-2, in this new share only Administrators and members of the Finance Operators group can connect to it.

Figure 10-2: Setting permissions for a second share of the folder.

The original share of the Macadamias folder (Hawaiian Nuts) now has an additional share called Tropical Nuts—though both shares access the same folder (Figure 10-3).

Figure 10-3: A shared folder can be shared under more than one name.