CHAPTER 15
ADMINISTERING
SHARED FOLDERS
Sharing folders is the only way to make folders and their contents available over the network.
Shared folders also provide another way to secure file resources, one that can be used as
FAT or FAT32 partitions.
Lesson 1:
Understanding Shared folders
You use shared folders to provide network users with access to file resources. When a folder
is shared, users can connect to the folder over the network and gain access to the files that it
contains.
Shared Folder Permissions
A shared folder can contain applications, data or a user’s personal data, called a home
folder. Remember %username% variable. The following are characteristics of shared folder
permissions:
Shared folder permissions apply to folders, not individual files. Since you can apply shared
folder permissions only to the entire shared folder, and not to individual files or subfolders in
the shared folder, shared folder permissions provide less detained security than NTFS permissions.
Shared folder permissions don’t restrict access to users who gain access to the folder at the
computer where the folder is stored. Shared folder permissions are the only way to secure
network resources on a FAT volume. NTFS permissions aren’t available on FAT volumes.
The default shared folder permission is Full Control, and it is assigned to the Everyone group
when you share the folder.
NOTE: A shared folder appears in Windows Explorer as an icon of a hand holding the
shared folder.
To control how users gain access to a shared folder, you assign shared folder permissions.
The permissions are represented from Most Restrictive to Least Restrictive in the table below:
=====================================================================
winpro15.html PAGE
2 2001/12/08
=====================================================================
READ Displays folder names, filenames, file data and attributes, run
Program files, and change folders within the shared folder.
CHANGE Create folders, add files to folders, change data in files,
Append data to files, change file attributes, delete folders
And files,
FULL CONTROL Change file permissions, take ownership of files, and perform
All tasks permitted by the Change permission.
====================================================================
IMPORTANT Do not forget NTFS Permissions do not apply to FAT. Change and Full
Control are almost the same thing, the only difference is that with Full Control you can Take
Ownership and Change file permissions.
You can allow or deny shared folder permissions. Generally, it is best to allow permissions
and to assign permissions to a group rather than to individual users. You deny permissions
only when it is necessary to override permissions that are otherwise applied.
If you deny a shared folder permission to a user, the user won’t have that permission. For
example, to deny all access to a shared folder, deny the Full Control permission.
How Shared Folder Permissions are Applied
Applying shared permissions to user accounts and groups affects access to a shared folder.
Denying permission takes precedence over the permissions that you allow.
Multiple Permissions combine. A User can be a member of multiple groups, each with
different permissions that provide different levels of access to a shared folder. For example
if a user has READ permission and is a member of group with CHANGE permission, the
user’s effective permissions is Change, which includes Read. Shared NTFS
Permissions = Least Restrictive.
Denying Permissions Overrides Other Permissions. Denied permissions take
precedence over any permissions that you have.
NTFS Permissions Are Required on NTFS Volume. Shared folder permissions are
sufficient to gain access to files and folders on a FAT volume but not on an NTFS volume.
On a FAT volume, users can gain access to a shared folder for which they have permissions,
as well as all of the folder’s contents. For example, Everyone = Full Control.
Copied or Moved
Shared Folders Are No Longer Shared.
=====================================================================
winpro15.html PAGE
3 2001/12/08
Guidelines for Shared Folder Permissions
Guidelines for managing your shared folders and assigning shared folder permissions:
Document the groups and their permissions for each resource.
shared and you BROWSE the network. When you BROWSE the network all of the shared
folders are listed. You can go into the Top level shared folder and move through the hierarchy
to the shared folder below it an access it or delete it. It is a type of loop-hole in the
programming of the Operating System.
Lesson Summary:
computer where the folder is stored.
you share the folder.
Lesson 2:
Planning Shared folders
Shared folders can contain applications and data. Use shared application folders to centralize
administration. Use shared data folders to provide a central location for users to store and gain
access to common files.
Application folders
Shared application folders are used for applications that are installed on a network server and
can be used from client computers. The main advantage of shared applications is that you don’t
need to install and maintain most components of the applications on each computer.
=====================================================================
winpro15.html PAGE
4 2001/12/08
they can manage the application software and control user permissions.
permission to the Users group. This provides more security because the Users group
includes any user accounts that you created, whereas the Everyone group includes anyone
who has access to network resources, including the Guest account.
applications. Create a separate shared folder outside your application folder hierarchy for
any application for which you need to assign different permissions. Then assign the appropriate
permissions to that folder.
Data Folders
Users on a network use data folders to exchange public and working data. Working data folders
are used by members of teams who need access to shared files. Public data folders are used by
larger groups of users who all need access to common data.
When you use data folders, create and share common data folders on a volume that is separate
from the operating system and applications. Data files should be backed up frequently, and with
data folders on a separate volume, you can conveniently back them up.
Public data
When you share a common public data folder, do the following:
provide users with a central, publicly accessible location for storing data files that they want
to share with other users.
Working Data
When you share a data folder for working files, do the following:
that administrators can perform maintenance.
=====================================================================
winpro15.html PAGE
5 2001/12/08
appropriate groups when you need to restrict access to those folders.
Lesson Summary:
Lesson 3:
Sharing Folders
You can share resources with others by sharing folders containing those resources. To share
a folder, you must be a member of one of several groups, depending on the role of the computer
where the shared folder resides. When you share a folder, you can control access to the folder
by limiting the number of users who can simultaneously gain access to it.
*** You can share out
another Drive or File under a different Name or Permissions. Use the
“New Share” to access
it.
Requirements for Sharing files
In Windows 2000 Professional, members of the built-in Administrators and Power Users groups
are able to share folders. Which groups can share folders and on which machines they can share
them depends on whether it is a workgroup or domain and the type of computer on which the
shared folders reside:
residing on any machines in the domain. Power users group is a local group and can share
folders residing only on the stand-alone server or computer running Windows 2000P where
the group is located.
2000 Server stand-alone server or the computer running Windows 2000P on which the
group exists.
NOTE: If the folder is shared resides on an NTFS volume, users must also have at least the
Read permission for that folder to be able to share it.
=====================================================================
winpro15.html PAGE
6 2001/12/08
Administrative Shared Folders
Windows 2000 automatically shares folders for administrative purposes. These shares are
appended with a dollar sign ($), which hides the shared folder from users who browse the
computer. The root of each volume the system root folder, and the location of the printer
drivers are all hidden shared folders that you can gain access across the network.
A folder becomes hidden share when you add a $ sign. The $ will make it hidden, if you
browse the network you will not see it during your Browse.
Hidden shared folders
aren’t limited to those that the system automatically creates. You
can share additional
folders and append a dollar sign to the end of the share name. Then
only users who know
the folder name can gain access to it if they also possess the proper
permissions to it.
Sharing a Folder
When you share a folder, you can give it a share name, provide comments to describe the
folder and its content, limit the number of users who have access to the folder, assign
permissions, and share the same folder multiple times:
** SEE CHART **
Caching
To make shared folders available offline, copies of the files are stored in a reserved portion
of disk space on your computer call a cache. Since the cache is on your hard disk, the
computer can access this cache regardless of whether it is
connected to the network. By
default the cache size is set to 10% of the available disk space. You can also change the
cache size.
You have three options for caching:
Manual Caching for Document. Use this if several people are assessing the same files.
You must specify you want the file cached. That is why it is referred to as manual.
Automatic Caching for Documents. Makes every file that someone opens from your
shared folder available to him or her offline. Files that aren’t opened are not available offline.
=====================================================================
winpro15.html PAGE
7 2001/12/08
Automatic Caching for Programs. Provides offline access to shared folders containing
files that are read, referenced, or run, but that are not changed in the process. This setting
reduces network traffic because offline files are opened directly without accessing the
network versions in any way, and generally start and run faster than the network versions.
Assigning Shared Folder Permissions
Modifying Shared Folders
You can modify shared folders, stop sharing a folder, modify the share name and modify
shared folder permissions.
NOTE: If you stop sharing a folder while a user has a file open, the user might lose data.
If you click Do Not Share This Folder and a user has a connection to the shared folder,
Windows 2000 displays a dialog box notifying you that a user has a connection to the
shared folder.
Connecting to A Shared Folder
You can gain access to a shared folder on another computer
by using the Map Network
Drive wizard, the Run
command, or My Network Places.
Lesson Summary:
computer where the shared folder resides.
permissions. You can modify a shared folder, stop sharing it, change its share name,
and change user and group permissions to gain access to it.
simultaneously gain access to it, and you can also control access to the folder and its
contents by assigning permissions to selected users and groups.
=====================================================================
winpro15.html PAGE
8 2001/12/08
Lesson 4:
Combining Shared folder Permissions and NTFS Permissions
You share folders to provide network users with access to resources. If you are using FAT volume,
the shared folder permissions are the only resource available to provide security for the folders you
have shared and the folders and files they contain.
If you are using NTFS volume, you can assign NTFS permissions to individual users and
groups to better control access to the files and subfolders
in the shared folders. When you
combine shared folder
permissions and NTFS permissions, the more restrictive permission is
always the overriding
permission.