18. Shared Folder Permissions
To share resources such as folders and applications you assign the following share permissions:
- Full control - This is the default and is assigned to the Everyone Group and allows
users to take ownership of files on NTFS volumes, change file permissions and so on.
- Change - The user can add files, folders, change and delete files.
- Read - The user can only read the files and directory listings and run the programs.
- No access - The user can connect to the folder but see nothing in it.
A shared folder is indicated by a hand holding the folder.
If the user has the right to log on locally, then they can bypass the share permissions.
If a user has been assigned read permission to a particular folder, but is a member of
the Everyone group that has full control on that folder, then the effective permissions
are cumulative such that the user has full control and read access. The exception to this
rule is if the permission is No access, in which case the No access permission overrides
all other permissions.
Use intuitive share names (up to 12 characters, the actual folder name can be up to 255 characters)
and organise the folders such that the same security arrangements are within one folder.
The Everyone Group contains the Guest account and all user accounts, so for security it is best
to remove the group. It is a good idea to assign permissions to groups rather than individual
users as this is less work. Assign the most restrictive permissions and remove default permissions
for a new folder.
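The cumulative rule and the No access override described above, plus a check for the two share-hygiene points (the default Everyone entry and the 12-character share name), as an added example that is not part of the original notes. The share names, users and groups are constructed sample data, and the function names are hypothetical.

```python
# Added example: models the share-permission rules in these notes.
# All shares, users and groups below are constructed sample data.

RANK = {"Read": 1, "Change": 2, "Full control": 3}

def effective_permission(user, groups, acl):
    """Return the effective share permission for a user.

    acl maps a user or group name to No access, Read, Change or Full control.
    Every account is treated as a member of Everyone.
    """
    principals = {user, "Everyone", *groups}
    granted = [perm for name, perm in acl.items() if name in principals]
    if "No access" in granted:
        return "No access"        # overrides every other permission
    if not granted:
        return None               # assumption: no matching entry, nothing granted
    return max(granted, key=RANK.__getitem__)   # cumulative: highest wins

def audit_share(name, acl):
    """Flag settings the notes advise against."""
    findings = []
    if acl.get("Everyone") == "Full control":
        findings.append("Everyone has Full control (default not removed)")
    if len(name) > 12:
        findings.append("share name longer than 12 characters")
    return findings

SHARES = {
    "Accounts": {"Everyone": "Full control", "Finance": "Read"},
    "Payroll": {"Finance": "Change", "Temps": "No access"},
    "EngineeringDocs": {"Engineers": "Read"},
}

if __name__ == "__main__":
    for share, acl in SHARES.items():
        print(share, audit_share(share, acl))
    # A Finance member with Read still gets Full control through Everyone.
    print(effective_permission("alice", ["Finance"], SHARES["Accounts"]))
    # Membership of Temps removes the Change granted through Finance.
    print(effective_permission("bob", ["Finance", "Temps"], SHARES["Payroll"]))
```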
Public folders should be on a separate volume from the operating system as the public
data expands and contracts.
For home folders it is probably best to create them on an NTFS volume (see later)
so that the users can assign their own permissions to individual files, however the
following guidelines are useful if creating them on a FAT volume (NT does not recognise
- On a server create a folder called \Users.
- Create a home folder for each user.
- Share each home folder.
- Assign full control only to the individual.
- Do not share the \Users folder.
A Universal Naming Convention (UNC) path is used in User Manager for Domains for the home folder when
a user logs in, e.g. \\server_name\Users\%Username%.
The Administrators group can share a folder on any NT machine.
The Server Operators group can share folders only on NT Server Domain controllers.
The Power Users group can only share folders on member servers and NT workstation clients.
The root of a volume is shared as C$, D$ etc. This is an administrative share used to connect to
a remote computer and perform administrative tasks. The C:\winnt folder is shared as Admin$.
To share a folder:
- Right-click on the folder
- Click Sharing (there is no security tab for a folder on a FAT partition)
- Choose the share name, comments, user limit, permissions and a new share under a different
name if you wish.
To assign shared folder permissions:
- Right-click on the folder
- Click Sharing
- Click Permissions
- When you click Add, the Add Users and Groups box appears
- Select the User or group(s)
- In the Type of Access box select either No Access, Read, Change or Full control.
You can access a shared folder by clicking Map Network Drive in the NT Explorer tools menu.
Designate the drive letter, the UNC path and the user account. If an Administrator is at another
machine that does not normally have access to a particular resource, then the administrator
would need to enter the domain name and user account name (Domain/User_name) plus the
password. You can make this connection a one-off or you can click the Reconnect at Logon box.
Using the Run command means that you do not need to use a drive letter and the user can
browse all shared folders on a computer. Just type in the UNC, i.e. \\server_name\share_name.
To see all the shared folders on a particular computer, just type \\server_name.