Windows Lesson 7 - Creating Shared Folders


A common thing to do on a larger network is share data between users. When setting this up you want to make sure the correct people can access the data. In this lesson we're going to learn how to create shared folders and make sure the correct people can access them.

Creating a Shared Folder

Sharing a folder is an easy process. In the properties of the folder click the Sharing tab and click the Advanced Sharing button.

Then click the Share this folder checkbox. Click OK on the two open windows and that's it, the folder is shared.

When creating a share you can hide the share from normal browsing by adding a dollar sign to the end of the share name. You will need the full path to the share to access it. If you open the server in Windows Explorer the hidden shares will not display.

If you type in two backslashes followed by the name of the server, you will see all the shares on the server that are not hidden. On this server we can see the Apps share, but can't see the hidden share. The SYSVOL and NETLOGON shares are there because this server is a Domain Controller. They exist on all domain controllers.

Share Level Permissions

After sharing a folder you can set the permissions on the share. The share level permissions apply to all files and folders below the shared folder. You cannot modify the share level permissions at a lower directory.

The share level permissions are stored in an Access Control List (ACL). The ACL is made up of Access Control Entries (ACEs). Each ACE has a unique set of permissions. In the image below the Staff ACE has the ability to change data in the share. The three permissions for an ACE are "Full Control", "Change" and "Read". An asterisk (*) marks the default value when creating an ACE, which results in read-only access.

    • Full Control - Modify permissions

    • Change - Create and modify data

    • * Read - View and open data

NTFS Permissions

There is another layer of permissions that needs to be addressed. These permissions are the file system permissions, called NTFS permissions. NTFS permissions are the permissions on the individual files and folders in the share. They're set up the same way as share level permissions, with an Access Control List (ACL) containing Access Control Entries (ACEs). The permissions on the ACEs in NTFS are different from share level permissions. An asterisk (*) marks the default values when creating an ACE, which result in read-only access.

    • Full Control - Modify permissions and take ownership

    • Modify - Delete and modify data

    • *Read & Execute - Run programs

    • *List Folder Contents - View what's in a folder

    • *Read - Open files

    • Write - Create and append data

When you try to edit the NTFS permissions you'll find you are unable to remove the default permissions. This is because the folders inherit their NTFS values from their parent folder. In order to modify the default NTFS settings we first have to disable this inheritance. On the "Security" tab click the "Advanced" button. In the new window click the "Disable inheritance" button.

Once you click the Disable inheritance button you'll be asked whether you want to keep the existing ACEs and be able to modify them, or remove all the inherited permissions. Since you're stopping permissions from being pushed to this ACL from above, this is its way of asking you what to do with the existing inherited permissions.

If you have a shared folder that contains home folders for each user, you're going to want all members of the Staff group to access the shared folder. In that shared folder there will be a folder for each user to store their work. That folder is designed to be a private spot for users to save their data. The Staff group should not have access to the home folders, because then everyone would be able to get into each other's home folder. When adding an ACE to the ACL using the advanced panel you'll be given an option for where you want to apply the permissions. This will let us give the Staff group access to the shared folder, but not subfolders.
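The same home-folder layout can be built from an elevated PowerShell prompt on the file server. This is an added example, not part of the original lesson; the path D:\Shares\Home, the share name Home$, the domain CONTOSO and the users alice and bob are assumptions.

```powershell
# Added example. Assumed names (not from the lesson): D:\Shares\Home, share Home$,
# domain CONTOSO, group Staff, users alice and bob. Run elevated on the file server.
$root   = 'D:\Shares\Home'
$domain = 'CONTOSO'
$users  = 'alice', 'bob'

New-Item -Path $root -ItemType Directory -Force | Out-Null

# Share level: Staff get Change, administrators get Full Control. The trailing $
# only hides the share from browsing; access is still decided by the permissions.
New-SmbShare -Name 'Home$' -Path $root `
    -ChangeAccess "${domain}\Staff" -FullAccess 'BUILTIN\Administrators' | Out-Null

# NTFS on the shared folder: add the explicit ACEs first, then disable inheritance.
#   (OI)(CI) = this folder, subfolders and files; no flags = this folder only.
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $root /grant "${domain}\Staff:RX"   # Staff reach the shared folder, not the subfolders
icacls $root /inheritance:r                # remove inherited ACEs (/inheritance:d would keep them)

# One private folder per user: only that user gets Modify on it and its contents.
foreach ($u in $users) {
    $folder = Join-Path $root $u
    New-Item -Path $folder -ItemType Directory -Force | Out-Null
    icacls $folder /grant "${domain}\${u}:(OI)(CI)M"
}

# Review the result: share-level ACL, then the NTFS ACL of the root and one home folder.
Get-SmbShareAccess -Name 'Home$'
icacls $root
icacls (Join-Path $root $users[0])
```

In the final icacls output the Staff ACE should appear only on the shared folder itself, and each home folder should list just its owner plus the inherited Administrators and SYSTEM entries.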

Share Level vs NTFS Permissions

NTFS permissions exist at the file system, which means they are in effect whether you're on the server physically or accessing the server over the network. Share Level permissions are only in effect when you access the server over the network. When you are accessing the data over the network, the most restrictive permissions between Share Level and NTFS win. For example, if you have full control at the NTFS level and read at the Share, the end result will be read since it is the most restrictive.

Within Share Level or NTFS you may be a member of multiple groups that are granted permissions. When you are looking at permissions within either Share Level or NTFS, the permissions are cumulative. For example, if you are a member of the HR and Accounting groups, and the HR group has full control and the Accounting group has read, the end result would be full control since the cumulative permissions are full control.

The exception to this rule is an explicit deny. If you deny access to a resource it overrides all other settings.
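The three rules above (cumulative within a layer, explicit deny overrides, most restrictive layer wins over the network) can be combined into one calculation. This is an added example, not part of the original lesson: it is a simplified model that ranks whole permission levels, whereas Windows evaluates individual rights, and the ACLs and the Contractors group are constructed sample data.

```powershell
# Added example: simplified model of the lesson's rules, using constructed ACLs.
$Rank = @{ 'Read' = 1; 'Change' = 2; 'Modify' = 2; 'Full Control' = 3 }
$Name = 'None', 'Read', 'Change/Modify', 'Full Control'

function Get-LayerAccess {
    param([object[]]$Acl, [string[]]$Groups)
    # Only ACEs for groups the user belongs to are relevant.
    $mine = @($Acl | Where-Object { $Groups -contains $_.Group })
    # An explicit deny overrides every allow in this layer.
    if ($mine | Where-Object { $_.Type -eq 'Deny' }) { return 0 }
    # Otherwise permissions are cumulative: the highest granted level applies.
    $best = 0
    foreach ($ace in $mine) {
        if ($Rank[$ace.Level] -gt $best) { $best = $Rank[$ace.Level] }
    }
    return $best
}

function Get-EffectiveAccess {
    param([object[]]$ShareAcl, [object[]]$NtfsAcl, [string[]]$Groups)
    $share = Get-LayerAccess -Acl $ShareAcl -Groups $Groups
    $ntfs  = Get-LayerAccess -Acl $NtfsAcl  -Groups $Groups
    [pscustomobject]@{
        Local   = $Name[$ntfs]                       # on the server: NTFS only
        Network = $Name[[Math]::Min($share, $ntfs)]  # over the network: most restrictive layer
    }
}

# Constructed sample ACLs
$shareAcl = @(
    [pscustomobject]@{ Group = 'HR';          Type = 'Allow'; Level = 'Read' }
    [pscustomobject]@{ Group = 'Contractors'; Type = 'Allow'; Level = 'Read' }
)
$ntfsAcl = @(
    [pscustomobject]@{ Group = 'HR';          Type = 'Allow'; Level = 'Full Control' }
    [pscustomobject]@{ Group = 'Accounting';  Type = 'Allow'; Level = 'Read' }
    [pscustomobject]@{ Group = 'Contractors'; Type = 'Deny';  Level = 'Full Control' }
)

# Member of HR and Accounting: cumulative NTFS access, limited by the share over the network.
Get-EffectiveAccess -ShareAcl $shareAcl -NtfsAcl $ntfsAcl -Groups 'HR', 'Accounting'
# Same user added to Contractors: the explicit NTFS deny wins everywhere.
Get-EffectiveAccess -ShareAcl $shareAcl -NtfsAcl $ntfsAcl -Groups 'HR', 'Accounting', 'Contractors'
```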
