70-215 Windows 2000 TechNote:
Access to Resources
Index
- Local Folder Access
- Shared Folder Access
- Distributed File System


LOCAL FOLDER ACCESS

One of the main reasons to use NTFS is the ability to assign permissions to individual files and folders. Each file and folder on an NTFS volume contains an Access Control List (ACL). This list is filled with entries for groups and individual user accounts and their permissions. When a user tries to access a resource, Windows 2000 checks the ACL to see whether the user is listed and what type of permission is assigned.

The following permissions can be assigned for files and folders:

| Permission | Description |
|---|---|
| Read | Allows the user to see and read files and list the contents of folders, subfolders and volumes, including the attributes, permissions and ownership of the files. |
| Write | Allows the same as Read and additionally allows the user to modify and create files and (sub-)folders as well as change attributes. |
| Read and Execute | Allows the same as Read and additionally allows users to run applications. |
| Modify | Same as Read plus Write, and additionally allows executing applications. |
| Full Control | Allows everything permitted by the other permissions; additionally, a user with Full Control can change permissions and take ownership of the file. |

For folders only, the following additional permission can be assigned:

| Permission | Description |
|---|---|
| List Contents | Allows the user to read files and list the contents of folders and volumes. A user with this permission can only see the files and folders, not read or change them. |

To assign NTFS permissions in Windows Explorer/My Computer, right-click a file, folder or drive, click Properties and then the Security tab. Under Group or user names: on the Security tab, select or add a group or user, and allow or deny one of the permissions listed in the table above. Denying permissions is usually only done to make an exception. For example, you could allow Modify permission for the Sales group and deny the same permission for certain people in the Sales department.

Allow permissions are cumulative. For example, John is a member of the Sales group and the Management group. Sales has been allowed Modify permissions for the folder SalesReports and its files, and Management has been allowed Read permissions for the same folder and the files in it. John's effective permission in this case is Modify.

File permissions override folder permissions. For example, if user David has been allowed Read permissions for the folder and Full Control permissions for a file work.doc, his effective permission for the work.doc file is Full Control.

Besides the permissions listed in the tables above, you can also assign special permissions by clicking the Advanced button on the Security tab.

When a user creates a file or folder, Windows 2000 automatically assigns Full Control permissions to the creator/owner. You can take ownership of a file by replacing the owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permission Take Ownership to be able to take ownership of a file or folder.


SHARED FOLDER ACCESS

A shared folder (typically called a share) is a folder or complete drive that is published on the network and can be accessed remotely by other users. A shared folder can be used as if it were a local folder: to store data, and to hold applications that can be run from the share over the network. Members of the built-in groups Administrators, Server Operators and Power Users can share folders. If the folder that needs to be shared is located on an NTFS volume, you also need at least the NTFS permission Read for the folder.

Here are a couple of common ways to create a shared folder:
1. Using the Shared Folders snap-in, which is included by default in the Computer Management console. In the console tree, click Shares (below Computer Management|System Tools|Shared Folders). On the Action menu, click New File Share. You will be prompted to select the folder or drive, enter the share name and description, and set permissions.
2. Using the following command at the command prompt: net share sharename=drive:path
3. In Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Sharing tab. Enable the option Share this folder, enter a name for the share, an optional description and configure other settings.

When you share a folder, you can also set a User limit to cap the number of users that can be connected to the share simultaneously.

You can assign three different share permissions to groups and individual user accounts. These permissions only apply when connecting to the share over the network. Share permissions do not apply to users who log on interactively; if you want local security, use NTFS file and folder permissions.

Share permissions:

| Permission | Description |
|---|---|
| Read | Allows the user to read files and list the contents of folders and volumes. This allows executing applications as well. |
| Change | Allows the same as Read and allows the user to modify and create files and folders. |
| Full Control | Allows the same as Change and allows the user to modify share permissions as well. |

When you set permissions, you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permission for new shares is Read to Everyone.

When you combine NTFS permissions and share permissions, the most restrictive permission counts. For example, if you create a folder with files, assign Full Control NTFS permissions to Everyone, then share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.

To assign share permissions in Windows Explorer/My Computer, right-click the folder or drive, click Properties and then the Permissions button on the Sharing tab. Under Group or user names: select or add a group or user, and allow or deny one of the permissions listed in the table above. Denying permissions is usually only done to make an exception. For example, you could allow Change permission for the Sales group and deny the same permission for certain people in the Sales department.
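The rules in this TechNote (cumulative Allow, Deny as the exception, file over folder, most restrictive of NTFS and share) worked through as a small Python model. This is an added example, not part of the original TechNote and not a Windows API; the rights given to each permission follow the descriptions above in simplified form, and the user Pat is a hypothetical name.

```python
# Simplified model of the permission rules described in this TechNote.
R, X, W, P = "read", "execute", "write", "change_permissions"

# Rights per permission, taken from the tables above (simplified).
NTFS = {"Read": {R}, "Write": {R, W}, "Read and Execute": {R, X},
        "Modify": {R, W, X}, "Full Control": {R, W, X, P}}
SHARE = {"Read": {R, X}, "Change": {R, X, W}, "Full Control": {R, X, W, P}}

def effective(acl, table, principals):
    """acl is a list of (principal, 'allow' | 'deny', permission) entries.
    Allow entries are cumulative over the user's account and groups;
    a Deny entry removes its rights regardless of any Allow."""
    allowed, denied = set(), set()
    for who, kind, perm in acl:
        if who in principals:
            (allowed if kind == "allow" else denied).update(table[perm])
    return allowed - denied

def network_access(share_acl, folder_acl, file_acl, principals):
    """Rights when connecting through the share: the most restrictive
    combination (intersection) of share and NTFS rights. File entries
    that apply to the user take precedence over the folder's entries."""
    applies = any(who in principals for who, _, _ in file_acl)
    ntfs = effective(file_acl if applies else folder_acl, NTFS, principals)
    return ntfs & effective(share_acl, SHARE, principals)

# Constructed sample data based on the examples in the text.
JOHN = {"John", "Sales", "Management", "Everyone"}
PAT = {"Pat", "Sales", "Everyone"}            # hypothetical Sales member
DAVID = {"David", "Everyone"}
SALES_REPORTS = [("Sales", "allow", "Modify"), ("Management", "allow", "Read")]
SALES_REPORTS_EXCEPTION = SALES_REPORTS + [("Pat", "deny", "Modify")]
SHARE_READ = [("Everyone", "allow", "Read")]
SHARE_FULL = [("Everyone", "allow", "Full Control")]
DAVID_FOLDER = [("David", "allow", "Read")]
WORK_DOC = [("David", "allow", "Full Control")]

if __name__ == "__main__":
    print("John, local:", sorted(effective(SALES_REPORTS, NTFS, JOHN)))
    print("John, via share:",
          sorted(network_access(SHARE_READ, SALES_REPORTS, [], JOHN)))
    print("Pat, local:", sorted(effective(SALES_REPORTS_EXCEPTION, NTFS, PAT)))
    print("David, work.doc via share:",
          sorted(network_access(SHARE_FULL, DAVID_FOLDER, WORK_DOC, DAVID)))
```

John keeps Modify-level rights locally but drops to read and execute through a share that grants Everyone only Read, which is why a permissive NTFS ACL behind a restrictive share still behaves as read-only over the network.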

By default, Windows 2000 creates several hidden administrative shares:

| Share | Purpose |
|---|---|
| Admin$ | This is the system root, usually C:\Windows. Administrators are assigned Full Control share permissions. |
| Print$ | This is the %systemroot%\System32\Spool\Drivers folder. This folder is created when printers are shared, to allow clients to automatically download the printer drivers. Administrators and Power Users are assigned Full Control share permissions; Everyone is assigned Read permission. |
| C$, D$, E$, etc. | Each volume on a hard disk is shared to provide Administrators easy access to the entire volume. Administrators are assigned Full Control share permissions. |


You can also create hidden shares yourself by adding a $ sign to the end of the share's name.

Users can connect to a share in several ways, for example:
1. In My Network Places/Windows Explorer, you can browse to the share as you would browse through any folder.
2. Using a direct UNC path, for example: \\FileServer12\ShareX
3. Using My Network Places/Windows Explorer or the net use command to map a drive letter to a share (to the UNC path). Once a drive is mapped to the share, you can open the share using the drive letter. Mapping supports the option of automatically reconnecting at logon.


DISTRIBUTED FILE SYSTEM

Dfs allows you to group multiple shared folders into a single hierarchical folder tree. Users connect to the top of this tree, called the Dfs Root, in the same way they connect to a shared folder, using a UNC path. What appear to be subdirectories (Dfs Links) in the Dfs Root can actually be shared folders physically located on other servers. Use the Distributed File System Manager tool to create and configure Dfs Roots and Dfs Links. The Dfs Root can be hosted on any domain controller or member server in the domain; the maximum number of roots per server is 1. There are two types of Dfs roots, which are described below.

Domain-based Dfs roots

The domain-based Dfs root requires Active Directory Services and NTFS 5.0. Information about a domain-based Dfs root and its Dfs links is stored in Active Directory. This does not include the actual content of the shared folders, only the Dfs topology. This provides fault tolerance because the topology is replicated to other domain controllers in the domain. Fault tolerance for the actual data in the shared folders that make up the Dfs can be provided by using the File Replication Services (FRS) to replicate a Dfs Link (shared folder) and its contents to other servers. When a client connects to a folder (Dfs Link) in the domain-based Dfs root, it will connect to the nearest replica based on the site topology. In order to use FRS to replicate the data, the shared folders must reside on an NTFS 5.0 volume. To configure replication, right-click the Dfs root or Dfs link and select Replication Policy. Inter-site replication can be configured on the Properties of the appropriate site link.

Stand-alone Dfs roots

Stand-alone Dfs roots do not require ADS. The information about a stand-alone Dfs root is stored in the local registry of the server that hosts the Dfs root. Some primary differences from domain-based Dfs roots are:

  • Stand-alone Dfs roots can be located on all file systems supported by Windows 2000.
  • Only a single level of Dfs Links is allowed: Dfs Links can only be created in the Dfs Root, not in other Dfs Links.
  • A stand-alone Dfs Root represents a single point of failure because it doesn't offer fault tolerance through replication.


Current related skills being measured for the 70-215 exam:

INSTALLING, CONFIGURING, AND TROUBLESHOOTING ACCESS TO RESOURCES

Install and configure network services for interoperability.

Monitor, configure, troubleshoot, and control access to printers.


Monitor, configure, troubleshoot, and control access to files, folders, and shared folders.

- Configure, manage, and troubleshoot a stand-alone Distributed file system (Dfs).
- Configure, manage, and troubleshoot a domain-based Distributed file system (Dfs).
- Monitor, configure, troubleshoot, and control local security on files and folders.
- Monitor, configure, troubleshoot, and control access to files and folders in a shared folder.
- Monitor, configure, troubleshoot, and control access to files and folders via Web services.

Monitor, configure, troubleshoot, and control access to Web sites.


Author: Johan Hiemstra

All images and text are copyright protected, violations of these rights will be prosecuted to the full extent of the law.
2002-2015 TechExams.Net