File and Folder Permissions

Configuring access to shared folders

You can use the Share Folder Wizard to set up sharing and share access on your shared folder. You will still have to configure NTFS folder permissions after you have run the wizard. Alternatively, you can use one of the Windows wizards to help you. A Run the Share a Folder Wizard option is available if you select File Server on the Server Role screen. (This is because the purpose of a file server is to share files.) You can access this by clicking Server Manager from the Start menu. The screen shown below is displayed:


This is a very useful screen. Microsoft have set it up as a portal to a lot of commonly used administration tasks.

Shared Folders

It is recommended that if you are giving users access to shared folders you give them full control across the share and narrow it down with NTFS permissions. This makes administration easier. Share and NTFS permissions are cumulative. The wizard for starting a share does not configure shadow copies; they have to be configured separately.

Sometimes you may need to store information in a common place or share work with colleagues. For example, if you were both writing a book, you would both need access to it, and one way to deal with this is to share folders. To create a shared folder, you first need to create the folder and then share it. To create a folder, navigate to where you want the folder to be, click File, click New and choose Folder. Now give it a name.

If you want to share this folder, you are given the option to give it a more user-friendly name. The default on a shared folder is to allow everyone to access it (the Everyone group). Access to shared folders is controlled by permissions. There are two sets of permissions that apply to shared folders, and the result is the most restrictive of the two. Apart from the ubiquitous Deny permission, which overrides all others, there are Share permissions, which apply when users access the shared folder over a network, and NTFS permissions, which apply to all folder access, whether the folder is shared or not. NTFS folder permissions are covered at the beginning of this section.

Shadow copies of shared folders

Shadow Copies is a new Windows feature. Shadow copies provide snapshots of files that are in shared folders. The following are the benefits of shadow copies:

  • If you accidentally delete a file you can recover a previous version.
  • If you have overwritten a file by mistake you can get back the previous version.
  • You can compare previous versions of a file with the current one.

To configure shadow copies on a shared folder, you need administrative rights for the computer where the shared folder is located. Go to Computer Management, right-click Shared Folders, then All Tasks, then Configure Shadow Copies. The screen shown below is displayed:


Shadow copies

Shadow copies are disabled by default and if you enable them you enable them for the whole volume. If you click Enable, you are warned that the default settings are for servers with high I/O. So you have an option to go back and customise the settings before you enable Shadow Copies. Once enabled, you cannot change the storage area without deleting your previous versions. There is a limit on space for the shadow copies and a limit to how often they can be taken. The default storage is 400 Mb and the default schedule is once a day at 7:00 am.

Note: the system only keeps a maximum of 64 shadow copies subject to space availability and if you take them more frequently, the period of time you can go back to will be shorter. To use shadow copies, you need to install the client software on the client machines. The software is in the \\%systemroot%\system32\clients\twclient directory on the server. One of the easiest ways to deploy this is to use group policy, or you could put it on a network share and give users instructions for navigating to it.

Manage and troubleshoot access to shared folders

Once you have set up your shared folders, there might still be problems with others accessing them. The problems most commonly encountered are:

  • A user cannot see the computer that is hosting the shared folder, and so cannot navigate to it. This could be because of a connectivity problem. To check this, ping the computer hosting the shared folder. If this is OK, the two computers are communicating, so it must be something else causing the problem.
  • If you have network connectivity and there are fewer than the maximum number of connections, the permissions will be the problem. The recommended setup is share permissions granted to Everyone, with NTFS permissions set on the file or folder. These permissions are cumulative. Remember that share permissions only apply to users who connect over a network, so if someone logs in locally and they are not given access via the share permissions, they will still be able to access the folder if they have the appropriate NTFS permissions.
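
When troubleshooting, it helps to work out what a user should end up with before touching the ACLs. The following is an added example, not part of the original course material: a simplified Python model of the rules described above (Deny overrides, the most restrictive of share and NTFS applies over the network, local logons are checked against NTFS only). The right names, the function names and the NTFS ACL on the TV folder are assumptions made for illustration.

```python
# Simplified model of Windows share + NTFS permission evaluation (not the real
# access-check algorithm: no inheritance, ownership or special permissions).
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}          # share "Change" / NTFS "Modify"
FULL = CHANGE | {"change_permissions"}

def resolve(acl, principals):
    """Rights one ACL grants: allows add up across groups, Deny overrides."""
    allowed, denied = set(), set()
    for who, kind, rights in acl:
        if who in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def effective(share_acl, ntfs_acl, principals, over_network):
    """Network access gets the most restrictive of the share and NTFS results;
    a local logon is checked against NTFS only."""
    ntfs = resolve(ntfs_acl, principals)
    if not over_network:
        return ntfs
    return ntfs & resolve(share_acl, principals)

# Constructed sample data based on the worked example's TV share:
# "Administrators have full access; others have read-only access".
TV_SHARE = [("Administrators", "allow", FULL), ("Everyone", "allow", READ)]
# Assumed NTFS ACL for the folder (the page does not list one).
TV_NTFS = [("Administrators", "allow", FULL), ("Comedy", "allow", CHANGE)]
# Recommended layout: Full Control on the share, narrowed by NTFS.
OPEN_SHARE = [("Everyone", "allow", FULL)]
# Same NTFS ACL plus an explicit Deny for one user.
DENY_NTFS = TV_NTFS + [("Stan Laurel", "deny", {"write", "delete"})]

STAN = {"Stan Laurel", "Comedy", "Everyone"}   # the user plus his groups

def demo():
    return {
        "tv_network": effective(TV_SHARE, TV_NTFS, STAN, True),
        "tv_local": effective(TV_SHARE, TV_NTFS, STAN, False),
        "open_network": effective(OPEN_SHARE, TV_NTFS, STAN, True),
        "open_with_deny": effective(OPEN_SHARE, DENY_NTFS, STAN, True),
    }

if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case:15} {sorted(rights)}")
```

The `tv_network` and `tv_local` cases differ only in how the user connects, which is why a read-only share does not protect a folder from someone who can log on to the server itself.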

Configure access to shared folders

Work in groups of two (or three if there is an odd number) and make sure you record all configuration changes in your log book and take appropriate screen prints. You are going to use the Shared Folder Wizard to do the following:

  • Create a shared folder called daytimeyourcomputername.
  • Limit access on the Share permissions.
  • Create a comedy group and put two new users that you have created called Laurel and Hardy in the group.
  • Test that you can access the shared folder from across the network, so one member of the group will boot up as a client to test it and another will boot up the Windows operating system. Make sure everyone in the group has a chance to be the client and to be the server.

Creating a Shared Folder – Worked Example

Follow the step-by-step instructions below to create a shared folder:

  1. From the Start menu select Manage Your Server.
  2. Select Add Shared Folders (this opens the Share a Folder Wizard).
  3. Select Browse.
  4. Select Make New Folder and enter daytimeyourcomputername.
  5. Select Next.
  6. Enter TV as the share name and select Next.
  7. Select Administrators have full access; others have read-only access.
  8. Select Next, then Finish.

Create new users and add them to a group

  1. Go into Active Directory and create two users called Stan Laurel and Oliver Hardy and put them in the Comedy global group. (Follow the instructions for creating a global group from earlier.)
  2. Log on as Stan Laurel.

Set Sharing and Security options

  1. From the Start menu, select Windows Explorer.
  2. Select My Network Places.
  3. Select Entire Network.
  4. Select Microsoft Windows Network.
  5. Select the computer you created the shared folder on.
  6. Select TV (note that it is the shared name that is displayed not the path to the folder).
  7. Try creating a document in the shared folder (you do not have write access so it will not let you).
  8. Using My Computer, find the folder daytimeyourname and right-click it.
  9. Select Sharing and Security then the Security tab.
  10. Under User Limit select Allow this number of users and select 1.
  11. Select New Share and give it the share name cable and the description second (leave the user limit as the maximum allowed).

Test access to the shared folder

  1. Two of you navigate to the shared folder TV from My Network Places (on the same server). Can you both access the folder? (The system should only allow the first one as you have set a limit).
  2. Try accessing the cable share (points to the same folder but a different limit). You should both be able to access it at the same time.
  3. Select daytimeyourname folder, right-click it and select Sharing and Security.
  4. If you want to remove one of your shares click Remove Share. (This option is only available if you have more than one share name pointing to the same folder.)
  5. If you do not want to share the folder any longer, select Do not share this folder.
  6. Using My Network Places, see if you can see the shared folder. Neither of the shared folders should now appear.
