In this lesson we're going to learn how to create shared folders and make sure the correct people can access them.
In Windows Lab 4 we created a shared folder that contained our users' home folders. The "Home" folder was created in a folder named "Shared Data" (C:\Shared Data\Home). We are going to continue creating our shared folders in the "Shared Data" folder. The advantage of this comes when we want to back up our data: we can tell our backup software to back up the "Shared Data" folder and it will get everything we need. This also makes migration to a new server easier later on.
Sharing a folder is an easy process. In the properties of the folder click the Sharing tab and click the Advanced Sharing button. Then click the Share this folder checkbox.
When creating a share you can hide it from normal browsing by adding a dollar sign to the end of the share name. Hidden shares do not appear when you open the server in Windows Explorer, so you will need the full path to the share to access it. Keep in mind that hiding a share only keeps it out of the browse list; who can actually open it is still decided by the share and NTFS permissions, not by the name.
After sharing a folder you can set the permissions on the share. Share level permissions apply to all files and folders below the shared folder; you cannot modify the share level permissions at a lower directory.
Share level permissions are stored in an Access Control List (ACL). The ACL is made up of Access Control Entries (ACEs), and each ACE carries its own set of permissions. In the image below the Staff ACE has the ability to change data in the share. The three permissions available for a share ACE are "Full Control", "Change" and "Read"; "Read" is the default value when creating an ACE, resulting in read-only access.
There is another layer of permissions that needs to be addressed: the file system level permissions, called NTFS permissions. NTFS permissions are the permissions on the individual files and folders in the share. They are set up the same way as share level permissions, with an Access Control List (ACL) containing Access Control Entries (ACEs). The permissions available on an NTFS ACE are different from share level permissions, but the default value when creating an ACE again results in read-only access.
When you try to edit the NTFS permissions you'll find you are unable to remove the default permissions. This is because folders inherit their NTFS values from their parent folder. In order to modify the default NTFS settings we first have to disable this inheritance. On the "Security" tab click the "Advanced" button, and in the new window click the "Disable inheritance" button. Once you do this you will be able to change or remove the existing ACEs.
The video below shows you how to remove inherited permissions on a folder and change the permissions to match what we want.
NTFS permissions exist at the file system level, which means they are in effect whether you are logged on to the server locally or accessing it over the network. Share level permissions are only in effect when you access the server over the network. When you access data over the network, the most restrictive of the share level and NTFS permissions wins. For example, if you have Full Control at the NTFS level and Read at the share level, the end result is Read, since it is the most restrictive.
Within either share level or NTFS permissions you may be a member of multiple groups that are granted access. Within a single level the permissions are cumulative. For example, if you are a member of the HR and Accounting groups and the HR group has Full Control while the Accounting group has Read, the end result is Full Control, since the cumulative permissions add up to Full Control.
The exception to this rule is an explicit deny. If you deny a user or group access to a resource, that deny overrides all other settings.
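To make the three rules above concrete, here is a small model of how the two layers combine (example code added for this lesson, not part of it and not how Windows itself is implemented). It assumes a simplified ranking in which share "Change" and NTFS "Modify" are the same level, treats any explicit Deny as removing all access at that level, and uses constructed ACLs and group names.

```python
from dataclasses import dataclass

# Simplified ranking of permission levels, an assumption made for this
# example: a higher rank means more access. Share "Change" and NTFS "Modify"
# are given the same rank so the two ACLs can be compared directly.
RANK = {"Read": 1, "Change": 2, "Modify": 2, "Full Control": 3}
NAME = {0: "No Access", 1: "Read", 2: "Change/Modify", 3: "Full Control"}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group the entry applies to
    permission: str     # one of the keys in RANK
    deny: bool = False  # True for an explicit Deny entry


def level_access(acl: list, principals: set) -> int:
    """Rank that one ACL (share or NTFS) grants to a user in `principals`.

    Allow entries for the user's groups are cumulative, so the highest rank
    wins; one explicit Deny matching any of those groups overrides every
    Allow entry at this level (modelled here as no access at all).
    """
    granted = 0
    for ace in acl:
        if ace.principal not in principals:
            continue
        if ace.deny:
            return 0
        granted = max(granted, RANK[ace.permission])
    return granted


def effective_access(share_acl, ntfs_acl, principals, over_network=True) -> str:
    """Combine the layers: NTFS always applies, the share ACL only over the
    network, and over the network the more restrictive of the two wins."""
    ntfs = level_access(ntfs_acl, principals)
    if not over_network:
        return NAME[ntfs]
    return NAME[min(level_access(share_acl, principals), ntfs)]


# Constructed sample ACLs for an "Apps" share (not the lesson's real server).
SHARE_ACL = [Ace("Staff", "Read"), Ace("HR", "Full Control"), Ace("Accounting", "Read")]
NTFS_ACL = [Ace("Staff", "Modify"), Ace("HR", "Full Control"),
            Ace("Accounting", "Read"), Ace("Contractors", "Read", deny=True)]

if __name__ == "__main__":
    print(effective_access(SHARE_ACL, NTFS_ACL, {"Staff"}))             # Read
    print(effective_access(SHARE_ACL, NTFS_ACL, {"Staff"}, False))      # Change/Modify
    print(effective_access(SHARE_ACL, NTFS_ACL, {"HR", "Accounting"}))  # Full Control
```

The Staff case shows the share Read beating NTFS Modify over the network, the HR and Accounting case shows cumulative group membership, and adding "Contractors" to any user's groups drops the result to No Access because of the Deny entry.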
Users can browse the network and locate the shared drives on our servers, but this may be difficult for some. We can make accessing the shares a lot easier by creating a mapped drive for them, using a logon script that creates the drive when they log in. Below is an example of a script that can be used to map the apps drive for our users. Once you have a logon script, put it in your netlogon folder. Each domain controller has a copy of the netlogon folder; you can access it at \\DCNAME\netlogon. In our environment it would be \\Server01\netlogon.