The NTFS file system format has been around, essentially unchanged, since the original version of Windows NT. With Windows 2000, Microsoft has made substantial changes to NTFS to support features that administrators and users have long been asking for, among them disk quotas, finally, and the ability to encrypt individual files and folders at the file system level, transparently to the applications that use them.
The new version of NTFS, known as NTFS version 5, is a logical extension of the original NTFS but is not completely compatible with it. If you're going to dual-boot Windows NT 4 and Windows 2000 on the same machine, you must install Windows NT 4 Service Pack 4 or later so that your Windows 2000 NTFS partitions can be seen when you boot into Windows NT 4. Also keep in mind that Windows NT 4 knows nothing about the quotas and encryption of NTFS version 5: quotas are not enforced while the volume is mounted under Windows NT 4, and encrypted files cannot be opened there.
Probably the most annoying missing piece of the disk management equation for most Windows NT administrators has been the inability to manage and limit the disk resources of users without buying an add-on product. Windows 2000 finally addresses this rather glaring omission and provides for either advisory quotas (usage is tracked, and exceeding the limit is logged) or enforced quotas (writes beyond the limit are denied) on a per-user basis. However, each volume or partition is treated as a separate entity; there's no way to limit a user to a total amount of disk usage across the entire server or enterprise. (Sounds like an opportunity for a third-party solution, doesn't it?)
By default, disk quotas are turned off for all partitions and volumes. You must enable them for each volume on which you want a quota, and quotas are available only for volumes that are assigned a drive letter. Usage is charged to the owner of each file, so quotas are tracked per user, not per group: you set a default limit that applies to every user on the volume and can override it with entries for individual users. Follow these steps to enable quotas on each volume where you want them:
Figure 15-32. The Quota tab of the Properties dialog box for a logical drive.
There's one catch with quotas enabled as described in the previous procedure: the volume-wide default applies only to ordinary users. Administrators slip by without having quotas enforced unless you explicitly set a limit for them in a separate quota entry. To set quotas on administrators, or to tweak the quotas for individual users, you need to perform these additional steps:
Figure 15-33. The Quota Entries window.
Figure 15-34. Quota settings and status for a user.
The Quota Entries window lets you sort by any of the columns to make it easy to quickly identify problem areas or to locate an individual entry. You can also use the Find function to locate a specific entry.
Real World
Avoid Individual Quotas
Resist the temptation to fine-tune a disk's quotas for each individual. Giving in leads to an administrative nightmare: once a user has an explicit entry, changes to the volume's default limit no longer affect that user, so every later adjustment has to be repeated entry by entry. Make changes to the quotas for an individual only when there is a compelling reason to do so, and then keep careful records so that all administrators have ready access to the information.
If you have a complicated quota system set up so that some users get more space than others, implementing that system on a new volume can be a pain. However, Windows 2000 lets you export the quota entries from one volume and import them on another. If there isn't an entry for a user on the new volume yet, one is created. If a user already has a quota entry, you'll be asked whether you want to overwrite it with the imported entry for that user (Figure 15-35). Avoid importing quota settings onto an existing drive unless you're changing your overall quotas across the entire server: any customizations you've made on the current drive could be lost, and having to acknowledge each change that affects an existing user lends itself to mistakes. In addition, every special limit set for a specific user on the source volume is applied to the target volume.
Figure 15-35. Confirmation message for overwriting a quota entry with an imported entry.
There are two ways to import quotas from one volume to another. You can open the Quota Entries window for the source volume, click Quota, and then choose Export to save the entry to a file. Next, open the Quota Entries window for the target volume and choose Import from the Quota menu. Or you can simply open both Quota Entries windows and drag the entries you want to import from the source window to the target window.
You can use the Quota Entries window to create reports on disk usage. Select the accounts you want to include in the report and drag them into the reporting tool you'll be using. The dragged data is offered in several clipboard formats: Rich Text Format, Comma Separated Value, and plain Unicode and ANSI text (CF_UNICODETEXT and CF_TEXT). If you drag the entries into Microsoft Excel, for example, you'll get not only the entries but the column headings as well. This makes whipping out a disk usage report pretty trivial.
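The same work can be scripted, which matters once you have more than a handful of volumes. The following is an added example, not code from the book: it drives the quota machinery described above (enabling a volume's quota and default limit, adding the explicit per-user entry that administrators otherwise escape, copying entries from one volume to another without the overwrite prompts, and producing the usage report) through the Win32_QuotaSetting and Win32_DiskQuota WMI classes, which exist from Windows 2000 onward. The volume letters D: and E: and the account CONTOSO\jdoe are assumptions; run it in an elevated PowerShell session on the file server.

```powershell
# Added example, not the book's code: manage NTFS disk quotas through the
# Win32_QuotaSetting and Win32_DiskQuota WMI classes (Windows 2000 onward).
# Volume letters and the account name below are assumptions.

function Get-VolumeQuotaSetting {
    param([Parameter(Mandatory)][string]$Volume)           # e.g. 'D:'
    # WQL wants the backslash doubled; PowerShell passes '\\' through unchanged.
    Get-WmiObject Win32_QuotaSetting -Filter "VolumePath='$Volume\\'"
}

function Enable-VolumeQuota {
    param(
        [Parameter(Mandatory)][string]$Volume,
        [uint64]$DefaultLimit   = 500MB,
        [uint64]$DefaultWarning = 450MB,
        [switch]$Enforce         # absent: advisory (track only); present: deny writes over the limit
    )
    $s = Get-VolumeQuotaSetting -Volume $Volume
    if (-not $s) { throw "No quota object for $Volume (not NTFS, or no drive letter)" }
    $s.State               = if ($Enforce) { 2 } else { 1 }   # 0 disabled, 1 tracked, 2 enforced
    $s.DefaultLimit        = $DefaultLimit
    $s.DefaultWarningLimit = $DefaultWarning
    $s.ExceededNotification        = $true   # log an event when a user crosses the limit
    $s.WarningExceededNotification = $true
    $s.Put() | Out-Null
    $s
}

function Get-QuotaEntry {
    # All entries on a volume, or only the entry for DOMAIN\user when -Account is given.
    param([Parameter(Mandatory)][string]$Volume, [string]$Account)
    $entries = Get-WmiObject Win32_DiskQuota |
        Where-Object { $_.QuotaVolume -like "*DeviceID=`"$Volume`"" }
    if ($Account) {
        $domain, $name = $Account -split '\\', 2
        $entries = $entries | Where-Object { $_.User -like "*Domain=`"$domain`",Name=`"$name`"" }
    }
    $entries
}

function Set-QuotaEntry {
    # Creates or updates a per-user entry; this is also how a limit is given to an administrator.
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\user or MACHINE\user
        [Parameter(Mandatory)][uint64]$Limit,
        [Parameter(Mandatory)][uint64]$Warning
    )
    $q = Get-QuotaEntry -Volume $Volume -Account $Account
    if (-not $q) {
        $domain, $name = $Account -split '\\', 2
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Volume'"
        $user = Get-WmiObject Win32_Account -Filter "Domain='$domain' AND Name='$name'"
        if (-not $disk -or -not $user) { throw "Unknown volume $Volume or account $Account" }
        # Win32_DiskQuota is an association class: bind the new instance to disk and account.
        $q = ([wmiclass]'Win32_DiskQuota').CreateInstance()
        $q.QuotaVolume = $disk.__RELPATH
        $q.User        = $user.__RELPATH
    }
    $q.Limit        = $Limit
    $q.WarningLimit = $Warning
    $q.Put() | Out-Null
    $q
}

function Copy-QuotaEntries {
    # Export/import without the prompts: an entry already on the target is never overwritten.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Target)
    foreach ($src in Get-QuotaEntry -Volume $Source) {
        $acct = [wmi]$src.User                      # resolve the reference to the account object
        $name = "$($acct.Domain)\$($acct.Name)"
        if (Get-QuotaEntry -Volume $Target -Account $name) {
            Write-Warning "Keeping existing entry for $name on $Target"
            continue
        }
        Set-QuotaEntry -Volume $Target -Account $name -Limit $src.Limit -Warning $src.WarningLimit | Out-Null
    }
}

function Get-QuotaReport {
    # One row per entry; pipe to Export-Csv or Out-GridView instead of dragging into Excel.
    param([Parameter(Mandatory)][string]$Volume)
    $status = @{ 0 = 'OK'; 1 = 'Warning'; 2 = 'Exceeded' }
    Get-QuotaEntry -Volume $Volume | ForEach-Object {
        $acct  = [wmi]$_.User
        $limit = if ($_.Limit -eq [uint64]::MaxValue) { 'No limit' } else { [math]::Round($_.Limit / 1MB, 1) }
        [pscustomobject]@{
            Volume  = $Volume
            Account = "$($acct.Domain)\$($acct.Name)"
            UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 1)
            LimitMB = $limit
            Status  = $status[[int]$_.Status]   # cast: a uint32 key would not match the int keys
        }
    }
}

# Usage (D:, E: and CONTOSO\jdoe are assumed):
Enable-VolumeQuota -Volume 'D:' -DefaultLimit 500MB -DefaultWarning 450MB -Enforce | Out-Null
Set-QuotaEntry     -Volume 'D:' -Account 'CONTOSO\jdoe' -Limit 2GB -Warning 1800MB | Out-Null
Copy-QuotaEntries  -Source 'D:' -Target 'E:'
Get-QuotaReport    -Volume 'D:' | Export-Csv -NoTypeInformation -Path .\quota-report.csv
```

Copy-QuotaEntries deliberately skips any account that already has an entry on the target, which is the conservative answer to the overwrite question in Figure 15-35; if you really are rolling out new limits server-wide, call Set-QuotaEntry for those accounts explicitly rather than letting an import clobber them.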
Version 5 of NTFS adds the ability to encrypt individual files or entire folders transparently. To the user who encrypted them, encrypted files look exactly like regular files; no changes to applications are required to use them. To anyone else, the files are unavailable, and even someone who managed to read the raw file data, by booting another operating system or pulling the disk, for instance, would see only ciphertext.
Encryption is simply an advanced attribute of the file, as compression is. However, a file cannot be both compressed and encrypted at the same time; the attributes are mutually exclusive, and encrypting a compressed file decompresses it. Encrypted files are available only to the encryptor, but the domain or machine recovery agent can recover them if necessary. Encrypted files can be backed up by normal backup procedures if the backup program understands Windows 2000 encryption, as Windows 2000 Backup does. Files remain encrypted when backed up, and restored files retain their encryption.
Under normal circumstances, no user except the one who encrypted a file has access to it. Even a change of ownership does not remove the encryption. This prevents sensitive data, such as payroll, annual reviews, and so on, from being accessed by the wrong users, even those with administrative rights. Two caveats apply. First, the recovery agent can always recover the file, and by default that agent is the Administrator account (the domain Administrator in a domain, the local Administrator on a standalone machine), so anyone who can use that account or its recovery certificate can read every encrypted file. Second, encryption protects confidentiality only: a user with Delete permission on the file can still destroy it, encrypted or not.
Encryption is available only on the NTFS version 5 file system. If you copy an encrypted file to a floppy disk or to any file system other than NTFS version 5, the copy is written in plaintext, provided you are able to decrypt the file; if you are not, the copy fails with an access denied error. This is true even of NTFS file systems on earlier versions of Windows NT. Keep in mind too that the protection applies to data at rest: when an encrypted file on a server is opened over the network, its contents travel across the wire in the clear unless something else, such as IPSec, protects the connection.
When you encrypt a folder, all new files created in that folder are encrypted from that point forward. You can also elect to encrypt the current contents when you perform the encryption. Be warned, however: if you choose to encrypt the contents of a folder that already contains files or subfolders, those files and subfolders are encrypted for the user performing the encryption only. Even files owned by other users become encrypted, and thereby readable by you alone.
When new files are created in an encrypted folder, the files are encrypted for use by the creator of the file, not the user who first enabled encryption on the folder. Unencrypted files that were already in the folder remain unencrypted, and any user with the appropriate permissions can read, modify, and save them in place without converting them to encrypted files. The encryption status changes only when the file is replaced under a new name: many applications save by writing a new file and then renaming it over the original, and that new file, like any file created in the folder, is encrypted for the user who saved it, so the file quietly becomes unavailable to everyone else. To encrypt a file or folder, follow these steps:
Figure 15-36. The Advanced Attributes dialog box.
Figure 15-37. Choosing whether to encrypt the files already in a folder or just new files.
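The folder and file behaviour described above can be exercised from a script rather than the Advanced Attributes dialog box. The following is an added example, not code from the book: it uses cipher.exe (shipped with Windows 2000 and later) and the Encrypted attribute flag to mark a folder, encrypt a single file, and confirm that an existing file edited in place stays in the clear while a newly created file is encrypted for its creator. It also adds two checks the text implies but the dialog does not make: that the target volume is NTFS before encrypting, and that an encrypted file is not silently copied in plaintext to a non-NTFS destination. The paths D:\Payroll and A:\q1.txt are assumptions.

```powershell
# Added example, not the book's code: EFS from PowerShell with cipher.exe and the
# Encrypted attribute flag. D:\Payroll and A:\ are assumed paths; run as the data owner.

function Test-EfsCapable {
    # EFS needs NTFS. A floppy, a FAT USB stick or an absent drive cannot hold ciphertext.
    param([Parameter(Mandatory)][string]$Path)
    $root  = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    $drive = New-Object System.IO.DriveInfo $root
    $drive.IsReady -and $drive.DriveFormat -eq 'NTFS'
}

function Test-Encrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-Folder {
    # Marks a folder so that files created in it are encrypted for their creators. With
    # -IncludeExisting the current contents are encrypted too, for the CALLING user only:
    # files other people own become unreadable to them, which is the book's warning.
    param([Parameter(Mandatory)][string]$Folder, [switch]$IncludeExisting)
    if (-not (Test-EfsCapable $Folder)) { throw "$Folder is not on an NTFS volume; EFS is unavailable" }
    if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $cipherArgs = @('/E', "/S:$Folder")            # /S: this folder and every subfolder
    if ($IncludeExisting) { $cipherArgs += '/A' }  # /A: the files inside, not just the folders
    & cipher.exe @cipherArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed (exit code $LASTEXITCODE)" }
    Test-Encrypted $Folder
}

function Protect-File {
    # Encrypts one file. Encryption and compression are mutually exclusive, so a compressed
    # file is stored uncompressed afterwards; the check below confirms the attribute is gone.
    param([Parameter(Mandatory)][string]$Path)
    [System.IO.File]::Encrypt($Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    if ($attrs -band [System.IO.FileAttributes]::Compressed) { throw "$Path is still compressed" }
    Test-Encrypted $Path
}

function Copy-Protected {
    # Copying an encrypted file to a non-NTFS destination writes it out in plaintext (or fails
    # with Access Denied if you cannot decrypt it). Refuse the silent downgrade unless asked.
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Destination,   # full destination file path
          [switch]$AllowPlaintext)
    if ((Test-Encrypted $Source) -and -not (Test-EfsCapable $Destination) -and -not $AllowPlaintext) {
        throw "$Destination cannot hold EFS data; the copy would be plaintext (-AllowPlaintext to override)"
    }
    Copy-Item -LiteralPath $Source -Destination $Destination
    Test-Encrypted $Destination    # the attribute survives only on an NTFS destination
}

# Usage (assumed paths).
$Folder = 'D:\Payroll'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
'created before encryption' | Set-Content -LiteralPath "$Folder\legacy.txt"
Protect-Folder -Folder $Folder                         # mark only; existing contents untouched
'edited in place'           | Add-Content -LiteralPath "$Folder\legacy.txt"
Test-Encrypted "$Folder\legacy.txt"                    # pre-existing file, edited in place
'Q1 salaries'               | Set-Content -LiteralPath "$Folder\q1.txt"
Test-Encrypted "$Folder\q1.txt"                        # new file in an encrypted folder
Protect-File   "$Folder\legacy.txt"                    # explicit encryption, for the caller only
Copy-Protected -Source "$Folder\q1.txt" -Destination 'A:\q1.txt'   # refused: A: is not NTFS
```

In the usage section, the first Test-Encrypted call reports the legacy file as still unencrypted after an in-place edit, while the new q1.txt is encrypted as soon as it is created; the last line throws rather than leaving a plaintext copy on the floppy. To reverse the folder marking, `cipher.exe /D /S:D:\Payroll` (with `/A` to decrypt the files as well) is the counterpart of Protect-Folder, and it too only works for files you are able to decrypt.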