CHAPTER 9: ESTABLISHING NETWORK SHARES AND ACCOUNTS
Lesson 1: Creating Network Shares
Lesson 2: Establishing and Managing Network Accounts
INTRODUCTION:
In a peer-to-peer network we share, or make available to the network, any directories or printers to
which we want others to have access. In networks that have client/server configurations, we use
accounts to establish who can access which files, directories, and printers. Determine server or client.
Sharing Resources on a Network
Before you can share resources with another computer, your workstation must have client software
installed and be configured as a network client. You will have to establish the computer’s network
identity, enable sharing, and set access privileges for the resources the computer will share.
Sharing Disks and Files
At its simplest, resource sharing between computers consists of nothing more than passing files from
one computer to another on a floppy disk. Another method is to directly connect two computers
together by means of a cable link between the serial communications (COM) ports of each computer.
Communication software is required for each computer in order to make use of the physical
connection between the computers. You must configure one computer as a host, or server, and
one as a client. The client computer will then have a practical method for providing a temporary
connection between computers for the transfer of files. Direct cable connections are most often used
to share files between a desktop computer and a laptop computer.
On a network, connecting computers in this way is not efficient. With many users, you must set up
access rights, or permissions, for all users.
=======================================================================
netnotes9.html PAGE
2
2001/10/11
Sharing in a Peer-to-Peer Environment
The simplest and most convenient method of networking is peer-to-peer. In this networking
environment, data sharing occurs at the drive or folder level. Any drive or any folder on a drive can be shared.
Each computer shares its drive or folder resources to the network, and each user is responsible for
setting the shares. The user can also choose to share printer resources.
Software
In order to share on a peer-to-peer network, no matter which operating system is being used, file
and print sharing must first be enabled on the computer. Each operating system has its own
methods for enabling sharing.
Sharing Printers, Drives, and Folders
After sharing has been enabled, you can decide which drives, folders, and printers to make available
to the network. Sharing options include hard drives, CD-ROM drives, floppy-disk drives, and
folders. Devices such as scanners and modems cannot be shared. Remember that after a resource
is set up as shared on a peer-to-peer network, it is available to the entire network.
Microsoft Windows 95 and 98 Networking
Software
Microsoft WIN 95 and 98 have several client software choices. To install Client for Microsoft
Networks, open the Control Panel and double-click the Network icon. Click Add to display the
Select Network Component Type dialog box. Because you will be adding a Microsoft Network
Client, select Client and then click Add.
In the Manufacturers list, select Microsoft and in the Network Client list, select Client for Microsoft
Networks. Select OK to add the client service to the system.
Microsoft uses IPX/SPX, NetBEUI and TCP/IP protocols. Select the protocol appropriate for
your Network.
SMB (Server Message Block)
Sharing Printers, Drives and Folders
After networking has been enabled on the computer, directories, folders and printers can be shared
on the network. To share these resources you must enable File and Print Sharing.
Right-Click on the Network Neighborhood icon and click Properties from the menu to open the
Network Properties dialog box. Then click the File and Print Sharing button.
Make your selection from the two boxed selections. Once you have selected one, you can begin
sharing your computer’s resources.
To share a device or folder, open Windows Explorer, right-click the device or folder icon, and click
Sharing from the menu. This displays the Sharing tab, in the Properties dialog box for the device or
folder. Selecting the Shared as radio button allows you to set the share name and add a brief
description of the shared resource.
Under Access Type, Read Only restricts access to the shared folder (no copying or deleting),
Full gives all access, and Depends on Password makes the user enter a password to access
their rights.
NOTE: When a folder or device is shared, you will see a hand as part of the icon displayed in
My Computer or Windows Explorer.
Software
To install networking software, several protocols are available:
1) Client service for Netware
2) Client for Microsoft Networks
3) NWLink NetBIOS
4) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
5) Internet Protocol (TCP/IP)
You must have administrative rights in order to enable sharing on a Windows NT Server.
Sharing Directories and Files
To share a folder locally (you are logged on to the workstation), right-click the folder’s icon and
select the Sharing icon. This will open the Properties dialog box for the directory. The Share
tab will be selected.
The maximum number of connections that can be set for Windows NT Workstation is 10,
regardless of the setting. The setting is optional. By using the New Share button, you can
configure multiple shares using different names and assign different levels of permissions.
To share folders and drives in Windows 2000, you must be logged on as a member of the
Administrators, Server Operators, or Power Users group.
To share a Windows 2000 folder or drive with other users, open Windows Explorer
(Start/Programs/Accessories/Windows Explorer), and then locate the folder or drive you want to
share. Right-click it, then select Sharing. On the Sharing tab, click Share this folder.
To change the name of the shared folder or drive, type a new name in Share Name.
To add a comment about the shared folder or drive, type the text in Comment. To set a
User Limit, click Allow and enter the number of users.
Sharing Printers
To share a Windows NT/Windows 2000 printer on a Windows NT network, click
Start/Settings/Printers. Right-click the printer to be shared, and click Sharing. Select the
Share as button and enter a name that will clearly identify the printer to the network.
UNIX
The UNIX operating system exists in a number of configurations and is available from a variety
of manufacturers or, in the case of Linux, from no corporate entity at all. UNIX support for
interoperability with other network operating systems varies with the manufacturer. Sun’s
Solaris Easy Access Server included native support for many Windows NT network services,
including authentication, file and print services, and directory services. Linux distributions include
Apple access modules for AppleTalk access, third-party software such as Samba, which makes
UNIX file systems available to any networked computer using the SMB file-sharing protocol, and
modules for NTFS and MS-DOS file-system accessibility.
Samba links into MS Network.
Windows NT 6-8,000 maximum users, not large companies.
Sharing in a Client/Server Environment
Sharing folders on a server-based network is similar to sharing on a peer-to-peer network.
Microsoft NT Server and Novell NetWare provide file-level permissions in addition to printer,
drive and directory permissions.
Novell
Enable sharing is the default setting for a NetWare network.
The second difference is that access to shared resources is set entirely through user and group
account rights. Printers, directories, and files are not themselves restricted.
Lesson 2:
Establishing and Managing Network Accounts
As the size of the network increases, the concept of sharing to the entire network can begin to
present some problems. Peer-to-peer networks sacrifice a degree of security in order to offer
simplicity. You cannot share accounting information with all the users on the network. For this
reason, large networks employ server-based networking. In a client/server environment,
sharing is managed through accounts. By creating accounts and then grouping the individual
accounts, a network manager has the tools necessary to provide a higher level of security.
Network Accounts
Accounts are the means by which users are given access to printer, file, and directory shares.
These accounts are created and managed by the network administrator. An account is made
up of a username and the logon parameters established for that user. This information is entered
by the administrator.
NDS Novell Directory Services, unique identity. The user has no rights until you assign them.
Planning for Groups
By default, user accounts have no rights; you need to assign each account to a group, and then
you can set up its rights. For example, if your company has 3 departments, Sales, Marketing
and Accounting, you can set up 3 groups: Sales, Marketing, and Accounting.
Once the groups are set up, you can put the appropriate users in each group and give
them rights.
Groups are used to:
1) Grant access to resources such as files, directories and printers. The
permissions granted to a group are automatically granted to its members.
2) Give rights to perform system tasks, such as to back up and restore files
or change the system time.
3) Simplify communications by reducing the number of messages that need
to be created and sent.
Creating Group Accounts
Networks can support hundreds of accounts. By grouping a similar type of user into a Group,
you can reduce your amount of work. If you need to send a message to 100 users, you need to
do it individually, but if these 100 users were a group, you simply send one message to that group.
Networks offer a way to gather many separate user accounts into one type of account called
a group. A group is nothing more than an account that contains other accounts. The primary
reason for implementing groups is the ease of administration. Groups make it possible for an
administrator to manage large numbers of users as one account.
The easiest way to grant a large number of users similar permissions is to assign these permissions
to a group. The users are then added to the group. The same process applies to adding users
to an existing group. For example, if the administrator wanted a certain user to have
administrative capabilities on the network, the administrator would make that user a member
of the Administrators group.
Creating User Accounts
There is a utility program to create a new user. The standard is that no special characters
may be part of a user name: “ / \ ; : + * @ etc.
Keep the names consistent (caps, or lower and upper case). DO NOT USE SPACES as part
of a name EVER.
Passwords
It is important to use effective passwords; they keep hackers out of your system. Hackers simply
run a dictionary program until they find a password that matches. Try more difficult
passwords that mix upper and lower case with random numbers and special characters. For example,
ToDay?#8/
Avoid familiar passwords such as names and birthdates. Try to memorize the password rather than
write it down.
Remember the password expiration date.
Audit the system to see if hackers are trying to get in.
The administrator is also responsible for disabling the accounts of people who are fired or
who quit.
Disabling and Deleting Accounts
To do this, you need to either disable the account or delete it. When an account is disabled, it still
exists in the network’s account database, but no one can use that account to log on to the network.
A disabled account will appear to exist.
It is best if the administrator disables an account as soon as it has been established that the user will
no longer be using that account.
Deleting an Account
Deleting an account erases the user’s information from the network’s user-account database; the
user no longer has access to the network. A user account should be deleted when:
1) The user has left the organization and will no longer have an occupational
reason to use the network.
2) The user’s employment has been terminated.
3) The user has moved within the organization and no longer needs access to
that network.
Administering Accounts in a Windows NT Environment
Microsoft Windows NT uses four types of group accounts, as described in the following section.
They are Local, Global, System and Built-in groups:
Local Groups – Implemented in each local computer’s account database,
local groups contain user accounts and other global groups that need to have access, rights, and
permissions assigned to a resource on a local computer. Local groups are the lowest level; they
cannot contain other local groups.
Global groups – Used across an entire domain, global groups are created
on a primary domain controller (PDC) in the domain in which the user
accounts reside. Global groups can contain only user accounts from the
domain in which the global group is created. Global groups cannot
contain local groups or other global groups. Although permissions to resources can be assigned
to a global group, global groups should be used only to gather domain user accounts. Members
of global groups obtain resource permissions when the global group is added to a local group.
System Groups – These groups automatically organize users for system use. Administrators
do not assign users to them; rather, users are either members by default or become members
during network activity. Membership cannot be changed.
Built-In Groups – Built-in groups are included with the Network Operating System. These
groups are created during installation. Built-in groups are divided into three categories:
· Members of the administrator group have full capabilities on a computer
· Members of the operator group have limited administrative capabilities to perform specific tasks.
· Members of other groups have capabilities to perform limited tasks.
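The local/global membership rules described above can be checked mechanically. The following is an added example, not part of the original notes and not Windows NT code: a small Python model in which the class, user, group and resource names are all hypothetical, and in which permissions are granted to local groups only, as the notes recommend.

```python
class GroupError(ValueError):
    """Raised when a membership or naming rule is violated."""


class Domain:
    def __init__(self):
        self.users = set()
        self.global_groups = {}  # name -> set of user names
        self.local_groups = {}   # name -> set of users and global groups
        self.acl = {}            # resource -> {local group -> permissions}

    def _claim(self, name):
        # A group name cannot match any other group or user name.
        taken = (self.users, self.global_groups, self.local_groups)
        if any(name in names for names in taken):
            raise GroupError(f"name {name!r} is already in use")

    def add_user(self, name):
        self._claim(name)
        self.users.add(name)

    def add_global_group(self, name):
        self._claim(name)
        self.global_groups[name] = set()

    def add_local_group(self, name):
        self._claim(name)
        self.local_groups[name] = set()

    def add_member(self, group, member):
        if group in self.global_groups:
            if member not in self.users:
                raise GroupError("global groups can contain only user accounts")
            self.global_groups[group].add(member)
        elif group in self.local_groups:
            if member in self.local_groups:
                raise GroupError("local groups cannot contain other local groups")
            if member not in self.users and member not in self.global_groups:
                raise GroupError(f"unknown member {member!r}")
            self.local_groups[group].add(member)
        else:
            raise GroupError(f"unknown group {group!r}")

    def grant(self, resource, local_group, *perms):
        if local_group not in self.local_groups:
            raise GroupError("this model grants permissions to local groups only")
        entry = self.acl.setdefault(resource, {})
        entry.setdefault(local_group, set()).update(perms)

    def effective(self, user, resource):
        """Permissions a user holds directly or through a global group."""
        held = set()
        for local_group, perms in self.acl.get(resource, {}).items():
            for member in self.local_groups[local_group]:
                if member == user or user in self.global_groups.get(member, ()):
                    held |= perms
        return held


def build_example():
    d = Domain()
    for user in ("alice", "bob", "carol"):   # constructed user names
        d.add_user(user)
    d.add_global_group("Accounting")
    d.add_global_group("Sales")
    d.add_local_group("LedgerAccess")
    d.add_member("Accounting", "alice")
    d.add_member("Sales", "bob")
    d.add_member("LedgerAccess", "Accounting")  # global group into local group
    d.add_member("LedgerAccess", "carol")       # a user account directly
    d.grant("Ledger", "LedgerAccess", "read", "write")
    return d
```

Members of Accounting receive access to Ledger only because that global group was added to the local group holding the permission; Sales members receive nothing.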
Microsoft Windows NT Server offers the following built-in groups:
1) The Administrator Group initially contains local and domain
administrators. Members of this group can create, delete, and
manage user accounts, global groups and local groups. They can
share directories and printers, grant resource permissions and rights, and install operating
system files and programs.
2) The User and Guest Groups, which are global, contain domain users
who can perform tasks for which they have been given rights. They can also access resources
to which they have been given permissions. User groups can be modified by administrators
and account operators.
3) The Server Operator Group, which can be modified by administrators
only, can share and stop sharing resources, lock or override the lock of a server, format the server’s
disks, log on at the servers, back up and restore servers, and shut down servers.
4) The Print Operator Group, which can be modified by administrators
only, can share, stop sharing, and manage printers. This group can also log on locally at servers
and shut servers down.
5) Backup operators can log on locally, back up and restore servers, and
shut down servers.
6) The Account Operator group can create, delete, and modify users,
global groups, and local groups, but cannot modify administrator or server
operator groups.
7) The Replicator group, which can be modified by Administrators, Account
Operators, and Server Operators, is used in conjunction with the Directory
Replicator Service.
Creating Groups in Windows NT
Select Start/Programs/Administrative Tools (Common). Once in the User Manager, click New
Local Group on the User menu. The Group Name field identifies the local group. A group name
cannot be identical to any other group or user name of the domain or computer being administered.
It can contain Upper and Lower Case characters, but not any special characters. The Description
field contains text describing the user names of the group members.
A newly created group account will have no members until the administrator assigns one or more
existing users to the group. The administrator does this from the New Local Group dialog box
by clicking Add and selecting the user account to be added.
Windows NT User Accounts
All the network management tools are consolidated in the Start/Programs/Administrative Tools
(Common). The Microsoft Windows NT Server network utility for creating accounts is called
the User Manager for Domains. Select the option New User. A window appears for entering
the information to create a new user. Windows NT Server offers an account-copying feature.
An administrator can create a template that has characteristics and parameters that are common
among multiple users. To create a new account with the template characteristics, the administrator
highlights the template account, selects User, then enters the new user name and other identifying
information.
Profiles
An administrator will find it helpful to structure a network environment for certain users. This is
necessary to administer a certain level of security, or for new users who are just learning.
Profiles used to configure and maintain a user’s logon environment, including network connections
and the appearance of the desktop include:
· Printer connections
· Regional settings
· Sound settings
· Mouse settings
· Display settings
· Other user-definable settings
Microsoft Windows NT Server disables the Guest account by default after installation. The network
administrator must enable the account if it will be used.
Windows NT Server uses the User Properties window in User Manager to disable users. To disable
a user, double-click the name of the account, select the Account Disabled check box, and then click
OK. The account is now disabled.
To delete an account there are several safety features with Windows NT. It gives you several choices
to delete, and several windows warning you that you are deleting.
NOTE: Deleting an account permanently removes the account, along with the permissions and rights
associated with it. Recreating the user account with the same name will not restore the user’s rights
or permissions. Each user account has a unique security identifier (SID); deleting and recreating a
user will generate a new SID, not reuse the previous one. Internal processes in Windows NT refer to
the account’s SID rather than to the account’s user or group name.
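The difference between disabling and deleting follows directly from permissions being keyed on the SID. The following is an added example, not part of the original notes and not Windows code: a simplified Python model in which the domain prefix, the account name and the share name are constructed values.

```python
from dataclasses import dataclass
from itertools import count

DOMAIN_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value


@dataclass
class Account:
    name: str
    sid: str
    disabled: bool = False


class AccountDatabase:
    def __init__(self):
        self.accounts = {}        # user name -> Account
        self._rids = count(1000)  # each relative ID is issued once, never reused

    def create(self, name):
        if name in self.accounts:
            raise ValueError(f"account {name!r} already exists")
        account = Account(name, f"{DOMAIN_PREFIX}-{next(self._rids)}")
        self.accounts[name] = account
        return account

    def set_disabled(self, name, disabled):
        self.accounts[name].disabled = disabled

    def delete(self, name):
        del self.accounts[name]

    def logon(self, name):
        """Return the SID for the session, or None if logon is refused."""
        account = self.accounts.get(name)
        if account is None or account.disabled:
            return None
        return account.sid


class Share:
    def __init__(self, name):
        self.name = name
        self.acl = {}  # SID -> set of permissions; user names are never stored

    def grant(self, sid, *perms):
        self.acl.setdefault(sid, set()).update(perms)

    def allowed(self, sid, perm):
        return sid is not None and perm in self.acl.get(sid, set())

    def orphaned_sids(self, db):
        """ACL entries whose SID no longer belongs to any account."""
        live = {account.sid for account in db.accounts.values()}
        return sorted(sid for sid in self.acl if sid not in live)


def demo():
    db, share = AccountDatabase(), Share("Accounting")
    old_sid = db.create("jsmith").sid
    share.grant(old_sid, "read", "write")

    db.set_disabled("jsmith", True)
    while_disabled = share.allowed(db.logon("jsmith"), "read")
    db.set_disabled("jsmith", False)
    after_enable = share.allowed(db.logon("jsmith"), "read")

    db.delete("jsmith")
    new_sid = db.create("jsmith").sid  # same name, new account
    after_recreate = share.allowed(db.logon("jsmith"), "read")
    return {"while_disabled": while_disabled, "after_enable": after_enable,
            "after_recreate": after_recreate, "sid_reused": new_sid == old_sid,
            "orphaned": share.orphaned_sids(db)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Re-enabling restores access because the SID is unchanged; the recreated account has none, and the old SID remains on the share as an orphaned entry that an administrator should clean up.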
Administering Accounts in an Apple Environment
The default Apple networking environment includes two users: the person who installed the operating
system and a guest. In AppleShare, there are three categories of users: OWNER,
USER/GROUP, and EVERYONE.
Administering Accounts in a NetWare Environment
The basis of NetWare security and accounts is NetWare Directory Services (NDS), a
hierarchically organized database. Security is provided at three levels:
1) Accounts: This level includes user name, passwords, workstation time, and
other restrictions.
2) Trustee rights: This level controls the directories and files a user can access. These
rights include creating, reading, erasing, or writing to the files.
3) Directory and file attributes: This level determines what actions users can
perform in the file or directory. These actions can include
sharing, deleting, copying, viewing, or editing.
NetWare uses several naming conventions. Names used must be unique, must include no spaces,
and must be made up of fewer than 64 case-insensitive alphanumeric characters. (Case-insensitive
characters are characters, such as numbers, that cannot appear in both lower and uppercase forms.)
Setting up and Managing Users and Groups
Before you can create, delete or manage users and groups, you must log on to the network at a
workstation or server with administrative privileges. Once logged on, you can launch the Novell
Easy Administration Tool (NEAT) to begin managing users and groups. A view of the directory
tree in the left frame of the user interface shows all the network objects and their relationships to
each other.
Warning: In NetWare (NDS) if you delete a user who has relationships with another object, and
that object relies on the user who is being deleted, you might encounter problems.
Managing Groups is similar to managing users. From the NEAT menu, select Add a New Group.
This will launch the New Group Wizard. Be sure to follow the naming conventions when assigning
a group name. You can add only users that appear in the directory.
Editing User or Group Properties
Open the NEAT administrator tool and select from General, Groups, Applications, Security,
and Login Script.
Administering Accounts in a UNIX Environment
Most UNIX configuration information is stored in text files that are read as needed. These text
files can be edited manually to add users and groups and to set their permissions. There are
several different versions of UNIX, so their guidelines are not consistent between manufacturers.
The same holds true for Linux distributions, in which system directory and file locations can be
quite different. A graphic interface often spares the administrator from having to know these
differences, because user and group parameters can be set from interactive dialog boxes.
UNIX Users and groups
The administrative user is usually named root. The other name to remember is nobody. Default
UNIX groups can include root, bin, daemon, tty, disk, lp, mail, news, dialout, trusted, modem,
users, and so on.
The open-source UNIX incarnation known as Linux creates a number of accounts. Which
accounts are created depends on the base operating system and the software installed. The
administrative user, root, is always created. Additional default accounts are used for tasks not
otherwise thought of as meriting accounts at all. These include processes such as file transfer
protocol (ftp) and lp (printers).
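Because UNIX account information lives in text files, it can be audited with a short script. The following is an added example, not part of the original notes: it assumes the common seven-field passwd layout (name:password:UID:GID:comment:home:shell), which the notes do not name, and runs over constructed sample lines.

```python
import posixpath

# Default accounts named in the notes that exist for tasks, not for people.
SERVICE_ACCOUNTS = {"bin", "daemon", "lp", "mail", "news", "ftp", "nobody"}
NON_LOGIN_SHELLS = {"nologin", "false"}

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
jsmith:x:1000:100:J Smith:/home/jsmith:/bin/bash
backup2::0:0:second admin:/root:/bin/bash
temp:x:1000:100:Temp:/home/temp:/bin/sh
broken-line-without-fields
"""


def audit_passwd(text):
    """Return (line number, account name, issue) tuples for risky entries."""
    findings = []
    seen_uids = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((line_no, fields[0], "malformed"))
            continue
        name, password, uid, _gid, _comment, _home, shell = fields
        uid = int(uid)
        # An empty password field means no password is required to log on.
        if password == "":
            findings.append((line_no, name, "empty-password"))
        # Any account with UID 0 has the same power as root.
        if uid == 0 and name != "root":
            findings.append((line_no, name, "uid0-not-root"))
        # Two names sharing a UID are the same user to the system.
        if uid in seen_uids:
            findings.append((line_no, name, "duplicate-uid"))
        else:
            seen_uids[uid] = name
        # Task accounts such as ftp and lp should not offer an interactive shell.
        if (name in SERVICE_ACCOUNTS
                and posixpath.basename(shell) not in NON_LOGIN_SHELLS):
            findings.append((line_no, name, "service-login-shell"))
    return findings


if __name__ == "__main__":
    for line_no, name, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {name}: {issue}")
```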