70-215 Windows 2000 TechNote: Access to Resources
LOCAL FOLDER ACCESS
One of the main reasons to use NTFS is the ability to assign
permissions to individual files and folders. Each file and
folder on an NTFS volume contains an Access Control List (ACL);
this list is filled with entries for groups and individual user
accounts and their permissions. When a user tries to access
a resource, Windows 2000 checks the ACL to see whether the user
is listed and what type of permission is assigned.
The following permissions can be assigned for files and folders:
| Permission | Description |
|---|---|
| Read | Allows user to see and read files and list the contents of folders, subfolders and volumes, including the attributes, permissions and ownership of the files. |
| Write | Allows the same as Read and additionally allows the user to modify and create files and (sub-)folders as well as changing attributes. |
| Read and Execute | Allows the same as Read and additionally allows users to run applications. |
| Modify | Same as Read plus Write and additionally allows executing applications as well. |
| Full Control | Allows everything permitted by the other permissions; additionally, a user with Full Control can change permissions and take ownership of files. |
For folders only, the following additional permission can be
assigned:
| Permission | Description |
|---|---|
| List Contents | Allows user to read files and list the contents of folders and volumes; a user with this permission can only see the files and folders, not read or change them. |
To assign NTFS permissions in Windows Explorer/My Computer, right-click
a file, folder or drive, click Properties and then
the Security tab. Under Group or user names: on the
Security tab, select or add a group or user, and allow
or deny one of the permissions listed in the table
above. Denying permissions is usually only done to make an exception;
for example, you could allow Modify permission for
the Sales group and deny the same permission for certain
people in the Sales department.
Allow permissions are cumulative. For example, John
is a member of the Sales group and the Management group. Sales
has been allowed Modify permission for the folder SalesReports
and its files; Management has been allowed Read permission
for the same folder and the files in it. John's effective permission
in this case is Modify.
File permissions override folder permissions. For example, if
user David has been allowed Read permission for the folder
and Full Control permission for a file work.doc, his effective
permission for the work.doc file is Full Control.
Besides the permissions listed in the tables above, you can
also assign special permissions by clicking the Advanced
button on the Security tab.
When a user creates a file or folder, Windows 2000 automatically
assigns Full Control permissions to the creator/owner. You can
take ownership of a file by replacing the owner with
your own account or with one of the groups you are a member
of. You must have Full Control or the special permission Take
Ownership to be able to take ownership of a file or folder.
SHARED FOLDER ACCESS
A shared folder (typically called a share) is a folder
or complete drive that is published on the network and can be
remotely accessed by other users. The shared folder can be used
as if it were a local folder: to store data, as well as some
applications that can be run from the share over the network.
Members of the built-in group Administrators, Server Operators
and Power Users can share folders. If the folder that needs
to be shared is located on an NTFS volume, you also need at
least the NTFS permission Read for the folder.
Here are a couple of common ways to create a shared folder:
1. Using the Shared Folders snap-in, which is included by default
in the Computer Management console. In the console tree, click
Shares (below Computer Management|System Tools|Shared Folders).
On the Action menu, click New File Share. You will be prompted
to select the folder or drive, enter the share name and description,
and set permissions.
2. Using the following command at the command prompt: net share sharename=drive:path
3. In Windows Explorer/My Computer right-click the folder or
drive, click Properties and then the Sharing tab. Enable the
option Share this folder, enter a name for the share, an optional
description and configure other settings.
When you share a folder, you can also set a User limit to allow
a maximum number of users to be connected to the share simultaneously.
You can assign three different share permissions to groups and
individual user accounts. These permissions only apply when
connecting to the share over the network. The share permissions
do not apply to users who log on interactively; if you
want local security, use NTFS file and folder permissions.
Share permissions:
| Permission | Description |
|---|---|
| Read | Allows user to read files and list the contents of folders and volumes. This allows executing applications as well. |
| Change | Allows the same as Read and allows the user to modify and create files and folders. |
| Full Control | Allows the same as Change and allows the user to modify Share permissions as well. |
When you set permissions you can either Allow or Deny them to
a user or group. Typically you would allow a group share permissions
and deny the same permissions to certain members of that group.
The default permission for new shares is Read to Everyone.
When you combine NTFS permissions and share permissions, the
most restrictive permission counts. For example, if you create
a folder with files, assign Full Control NTFS permissions
to Everyone, then share the same folder and assign the share permission
Read to Everyone, users connecting through the network will
have Read permissions.
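The cumulative-allow, file-over-folder and most-restrictive rules described above, worked through in Python as an added example (not part of the original TechNote). It models only the rules as this page states them, not the actual Windows access check; the right names, the `rights` and `effective` helpers, the users Ann and Pat, Deny overriding Allow, and share Full Control narrowing nothing are assumptions of the example.

```python
# Model of the permission rules as stated in this TechNote (assumed right names).
NTFS = {
    "Read": {"read"},
    "Write": {"read", "write"},
    "Read and Execute": {"read", "execute"},
    "Modify": {"read", "write", "execute"},
    "Full Control": {"read", "write", "execute",
                     "change_permissions", "take_ownership"},
}
SHARE = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write"},
    # Assumption: share Full Control does not narrow any NTFS right.
    "Full Control": set(NTFS["Full Control"]),
}

def rights(acl, principals, table):
    """Union of Allow entries for the user and their groups, minus any Deny."""
    allowed, denied = set(), set()
    for who, kind, perm in acl:
        if who in principals or who == "Everyone":
            (allowed if kind == "allow" else denied).update(table[perm])
    return allowed - denied

def effective(principals, folder_acl, file_acl=None, share_acl=None):
    """Local access when share_acl is None, otherwise access over the network."""
    # Page rule: permissions set on the file override those set on the folder.
    ntfs = rights(file_acl if file_acl else folder_acl, principals, NTFS)
    if share_acl is None:
        return ntfs
    # Page rule: the most restrictive of NTFS and share permissions counts.
    return ntfs & rights(share_acl, principals, SHARE)

if __name__ == "__main__":
    sales_reports = [("Sales", "allow", "Modify"), ("Management", "allow", "Read")]
    # John is in Sales and Management: allows accumulate to Modify.
    print(sorted(effective({"John", "Sales", "Management"}, sales_reports)))
    # David: Read on the folder, Full Control on work.doc.
    print(sorted(effective({"David"}, [("David", "allow", "Read")],
                           file_acl=[("David", "allow", "Full Control")])))
    # Everyone has NTFS Full Control, but the share only grants Read.
    print(sorted(effective({"Ann"}, [("Everyone", "allow", "Full Control")],
                           share_acl=[("Everyone", "allow", "Read")])))
    # Pat is in Sales but is individually denied Modify.
    print(sorted(effective({"Pat", "Sales"},
                           sales_reports + [("Pat", "deny", "Modify")])))
```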
To assign share permissions in Windows Explorer/My Computer,
right-click the folder or drive, click Properties and
then the Permissions button on the Sharing tab. Under Group
or user names: select or add a group or user, and allow
or deny one of the permissions listed in the table
above. Denying permissions is usually only done to make an exception;
for example, you could allow Change permission for
the Sales group and deny the same permission for certain
people in the Sales department.
By default, Windows 2000 creates several hidden administrative
shares:
| Share | Purpose |
|---|---|
| Admin$ | This is the system root, usually C:\Windows. Administrators are assigned Full Control share permissions. |
| Print$ | This is the %systemroot%\System32\Spool\Drivers folder; it is created when printers are shared to allow clients to automatically download the printer drivers. Administrators and Power Users are assigned Full Control share permissions, Everyone is assigned Read permission. |
| C$, D$, E$, etc. | Each volume on a hard disk is shared to provide easy access to the entire volume for Administrators. Administrators are assigned Full Control share permissions. |
You can also create hidden shares yourself by adding a $ sign
to the end of the share's name.
Users can connect to a share in several ways, for example:
1. In My Network Places/Windows Explorer you can browse to the
share as you would browse through any folder.
2. Using a direct UNC path, for example: \\FileServer12\ShareX
3. Using My Network Places/Windows Explorer or the net
use command to map a drive letter to a share (to the
UNC path). Once a drive is mapped to the share you can open
the share using the drive letter. This method supports the option
of automatically reconnecting at logon.
DISTRIBUTED FILE SYSTEM
Dfs allows you to group multiple shared folders into a
single hierarchical folder tree. Users connect to the top
of this tree, called the Dfs Root, in the same way
they connect to a shared folder, using a UNC path. What appear
to be subdirectories (Dfs Links) in the Dfs Root
can actually be shared folders physically located on other
servers. Use the Distributed File System Manager tool to create
and configure Dfs Roots and Dfs Links. The Dfs Root can be
hosted on any domain controller or member server in the domain;
the maximum number of roots per server is 1. There are two
types of Dfs roots, which are described below.
Domain-based Dfs roots
The domain-based Dfs
root requires Active Directory Services and NTFS 5.0. Information
about a domain-based Dfs root and its Dfs links is stored
in Active Directory. This does not include the actual content
of the shared folders, only the Dfs topology. This
provides fault-tolerance because the topology is replicated
to other domain controllers in the domain. Fault-tolerance
for the actual data in the shared folders that make up the
Dfs can be provided by using the File Replication Services
(FRS) to replicate a Dfs Link (shared folder) and its contents
to other servers. When a client connects to a folder (Dfs
Link) in the domain-based Dfs root, it will connect to the
nearest replica based on the site topology. In order to use
FRS to replicate the data, the shared folders must reside
on an NTFS 5.0 volume. To configure replication, right-click
the Dfs root or Dfs link and select Replication Policy.
Inter-site replication can be configured on the Properties
of the appropriate site link.
Stand-alone Dfs roots
Stand-alone Dfs roots do not require ADS;
the information about a stand-alone Dfs root is stored in
the local registry of the server that hosts the Dfs root.
Some primary differences from domain-based Dfs roots are:
- Stand-alone Dfs roots can be located
on all file systems supported by Windows 2000.
- Only a single level of Dfs Links is allowed:
Dfs Links can only be created in the Dfs Root, not in other
Dfs Links.
- A stand-alone Dfs Root represents a single
point of failure because it doesn't offer fault-tolerance
through replication.
Current related skills being measured for the 70-215 exam:
INSTALLING, CONFIGURING, AND TROUBLESHOOTING ACCESS TO RESOURCES
Install and configure network services
for interoperability.
Monitor, configure, troubleshoot, and control access to printers.
Monitor, configure, troubleshoot, and control access to files,
folders, and shared folders.
- Configure, manage, and troubleshoot a stand-alone Distributed
file system (Dfs).
- Configure, manage, and troubleshoot a domain-based Distributed
file system (Dfs).
- Monitor, configure, troubleshoot, and control local security
on files and folders.
- Monitor, configure, troubleshoot, and control access to files
and folders in a shared folder.
- Monitor, configure, troubleshoot, and
control access to files and folders via Web services.
Monitor, configure, troubleshoot, and control access to Web
sites.
Author: Johan Hiemstra