TIP Don’t worry if you create a group with the wrong scope. You can easily change the group’s scope, provided its membership doesn’t violate the new scope’s rules for membership. To change a domain scope, select the group and open its Properties dialog box (right-click and then choose Properties from the pop-up menu). If the group membership allows the change, you can select a different Group Scope option button.
After you set the group’s scope, you can also select whether it will be a security group or a distribution group. Distribution groups are used only to maintain e-mail distribution lists for e-mail applications such as Microsoft Exchange Server. They have no security impact in Windows Server 2008.
Finally, click OK to create the group. Now you can add members to the group, as described in the next section.
Maintaining Group Membership
A new group starts out without any members. To set the membership for a group, follow these steps:
1. Select the group and open its Properties dialog box (by right-clicking it and choosing Properties from the pop-up menu). Then click the Members tab, as shown in Figure 17-11.
Figure 17-11. A brand-new group does not have any members.
2. Click the Add button. You see the Select Users, Contacts, Computers, or Groups dialog box, as shown in Figure 17-12.
3. Type in enough of a user’s or another group’s name to identify it, and then click the Check Names button. If you type in too few characters to uniquely identify the user or group, Windows will show you a list of the possible matches from which you can select the correct one.
4. Choose the member you want to add, and then click OK.
5. Repeat steps 3 and 4 to complete the group membership.
Working with Shares
Drives and folders under Windows Server 2008 are made available to users over the network as shared resources, simply called shares in Windows networking parlance. You select a drive or folder, enable it to be shared, and then set the permissions for the share.
Figure 17-12. Adding a member to a group
Understanding Share Security
You can set both drives and folders as distinct shared resources, whether they are located on a FAT-formatted drive or on an NTFS-formatted drive. In the case of an NTFS-formatted drive (but not a FAT-formatted drive), you can also set permissions on folders and files within the share that are separate from the permissions on the share itself. Understanding how Windows Server 2008 handles security for shares, folders, and files on NTFS drives is important.
Suppose that you created a share called RESEARCH and you gave the R&D security group read-only access to the share. Within the share, you set the permissions on a folder called PROJECTS to allow full read and write access (called change permission) for the R&D security group. Will the R&D group have read-only permission to that folder or change permission? The group will have read-only permission. This is because when security permissions differ between folders within a share and the share itself, the most restrictive permissions apply.
A better way to set up share permissions is to allow everyone change permission to the share and then control the actual permissions by setting them on the folders within the share itself. This way, you can assign any combination of permissions you want; the users will then receive the permissions that you set on those folders, even though the share is set to change permission.
Also, remember that users receive permissions based on the groups of which they are members, and these permissions are cumulative. So, if you are a member of the Everyone group, which has read-only permission for a particular file, but you’re also a member of the Admins group, which has full control permission for that file, you’ll have full control permission in practice. This is an important rule: permissions set on folders and files are always cumulative and take into account permissions set for the user individually as well as for any security groups of which the user is a member.
Another important point is that you can set permissions within a share (sometimes called NTFS permissions) on both folders and files, and these permissions are also cumulative. So, for instance, you can set read-only permission on a folder for a user, but change permission for some specific files. The user then has the ability to read, modify, and even delete those files without having that ability for other files in the same folder.
There’s a special permission called no access, which overrides all other permissions, no matter what. If you set no access permission for a user on a file or folder, then that’s it—the user will not be able to access that file or folder. An extremely important corollary to this rule is that no access permission is also cumulative and overriding. So, if the Everyone security group has change permission for a file, but you set a particular user to no access for that file, that user will receive no access permission. If you set no access permission for the Everyone group, however, then all members of that group will also receive the no access permission, because it overrides any other permissions they have. Be careful about using no access with security groups!
To summarize, you can resolve most permission problems if you remember the rules discussed here:
• When share permissions conflict with the file or folder permissions, the most restrictive one always wins.
• Aside from the preceding rule, permissions are cumulative, taking into account permissions assigned to users and groups as well as to files and folders.
• When a permission conflict occurs, the no access permission always wins if it is set.
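The following Python script is an added example, not code from the book: it models the three rules just listed (most restrictive of share versus NTFS permission, cumulative allows, and an overriding no access) so that the RESEARCH/PROJECTS scenario and the no-access cases described above can be checked mechanically. It is a simplified model of the chapter’s rules, not Windows’ actual ACL evaluation, and the user names, group names, and entries it uses are made up.

```python
# Added example (not from the book): a small model of the share/NTFS
# permission-resolution rules described in the text. Names are made up.

# Permission levels in order from least to most permissive.
LEVELS = ("read", "change", "full control")
NO_ACCESS = "no access"   # the overriding deny described in the text


def _rank(level):
    return LEVELS.index(level)


def identities_for(user, groups):
    """Names an entry can match for this user: the account, its groups, and
    Everyone (assumption: every account is a member of Everyone)."""
    return {user, "Everyone", *groups}


def cumulative(aces, identities):
    """Combine the entries that apply to one user at one layer (share or NTFS).

    aces: list of (principal, level) tuples, level in LEVELS or NO_ACCESS.
    Allows are cumulative (the highest applicable level wins); an applicable
    no-access entry wins outright; no applicable entry at all is also no access.
    """
    applicable = [level for principal, level in aces if principal in identities]
    if not applicable or NO_ACCESS in applicable:
        return NO_ACCESS
    return max(applicable, key=_rank)


def effective(share_aces, ntfs_aces, identities):
    """Share and NTFS permissions both apply; the more restrictive one wins."""
    share_level = cumulative(share_aces, identities)
    ntfs_level = cumulative(ntfs_aces, identities)
    if NO_ACCESS in (share_level, ntfs_level):
        return NO_ACCESS
    return min(share_level, ntfs_level, key=_rank)


def research_as_described():
    """RESEARCH share: R&D has read on the share, change on PROJECTS -> read."""
    share = [("R&D", "read")]
    projects = [("R&D", "change")]
    return effective(share, projects, identities_for("alice", {"R&D"}))


def research_recommended():
    """Share opened to Everyone at change; real control done on the folder."""
    share = [("Everyone", "change")]
    projects = [("R&D", "change"), ("Everyone", "read")]
    alice = effective(share, projects, identities_for("alice", {"R&D"}))   # change
    bob = effective(share, projects, identities_for("bob", set()))         # read
    return alice, bob


def no_access_examples():
    """No access overrides a group's allow, and denying Everyone denies all."""
    share = [("Everyone", "full control")]
    secret = [("Everyone", "change"), ("carol", NO_ACCESS)]
    carol = effective(share, secret, identities_for("carol", set()))       # no access
    dave = effective(share, secret, identities_for("dave", set()))         # change
    locked = [("Admins", "full control"), ("Everyone", NO_ACCESS)]
    erin = effective(share, locked, identities_for("erin", {"Admins"}))    # no access
    return carol, dave, erin


if __name__ == "__main__":
    print("RESEARCH as described:", research_as_described())
    print("RESEARCH recommended (alice, bob):", research_recommended())
    print("no access (carol, dave, erin):", no_access_examples())
```

Running the script prints read for the scenario as the chapter sets it up, change and read for the recommended layout, and no access for carol and for erin even though erin’s Admins group is granted full control on the same folder.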
Creating Shares
As a network administrator, you will frequently create and manage the shares on the network. The following steps walk you through creating a new share.
1. Open either My Computer or Windows Explorer on the server.
2. Right-click the folder or drive you want to share, and then choose Share from the pop-up menu. You will see the File Sharing dialog box, as shown in Figure 17-13.
3. In the field provided, enter enough of a user’s name to identify that person in the system, and then click Add.
4. Click the down arrow next to the user’s name to set that user’s permission level. The permission levels available are Owner, for full read and write access, plus the ability to grant permissions to other users; Contributor, for full read and write access; and Reader, for read-only access.
5. Click the Share button to create the share. You will see a confirmatory dialog box. Click OK, and the share will be created. By default, the share uses the folder’s name as the share name.
Figure 17-13. Creating a share
Once a share is created and the share information has propagated through the domain (usually within several minutes), users can browse it through Network Neighborhood (Windows 9x and NT), My Network Places (Windows 2000 and XP), or Network (Windows Vista). Double-clicking the share will open it (if allowed by the permissions).
Mapping Drives
You can use shares by opening them through Network Neighborhood, My Network Places, or Network, and they function just like the folders in My Computer. However, you might frequently want to simulate a connected hard disk on your computer with a share from the network. For example, many applications that store files on the network require that the network folders be accessible as normal drive letters. The process of simulating a disk drive with a network share is called mapping. You create a map (link) between the drive letter you want to use and the actual network share, which remains attached to that drive letter.
You can create a drive mapping in many ways. The easiest way is to open Network from the client computer, locate the share you want to map, right-click it, and choose Map Network Drive. In the dialog box that appears, the name of the domain and share will already be filled in for you. Simply select an appropriate drive letter for the mapping and click OK. From then on, the share will appear to your computer as that drive letter, and users will see this share’s letter in My Computer.
You can also map drives using a command-line utility called NET. The NET command takes a variety of forms and can fulfill many different needs, depending on the parameters you give it. To map a drive, you use the NET USE command. Typing NET USE by itself and pressing ENTER will list all currently mapped drives. (You can type NET HELP USE for more detailed help on the command.) To add a new drive mapping, you would type the following:
NET USE drive_letter: UNC_for_share
Most network resources in a Windows network use a naming system called the Universal Naming Convention (UNC). To supply a UNC, you start with two backslashes, then the name of the server, another backslash, and the name of the share. (Additional backslashes and names can refer to folders and files within the share.) For example, to map drive G: to a share called EMPLOYEES located on the server SERVER, use the following command (note the space between the drive letter and the UNC):
NET USE G: \\SERVER\EMPLOYEES
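As an added example (not from the book), the Python snippet below parses and validates a UNC path in the form just described and builds the corresponding NET USE command line; because the UNC is validated first, the common mistake of running the drive letter into the share name is rejected instead of being passed on. The server, share, and folder names are placeholders.

```python
import re

# Added example (not from the book). A UNC path is \\server\share, optionally
# followed by \folder\... inside the share. Characters that are illegal in
# Windows file and share names are excluded from each component.
_NAME = r'[^\\/:*?"<>|]+'
UNC_RE = re.compile(
    r'^\\\\(?P<server>' + _NAME + r')'          # two backslashes, then the server
    r'\\(?P<share>' + _NAME + r')'               # one backslash, then the share
    r'(?P<path>(?:\\' + _NAME + r')*)\\?$'       # optional folders, optional trailing \
)


def is_unc(text):
    """True if text has the \\server\share[\folder...] shape."""
    return UNC_RE.match(text) is not None


def parse_unc(text):
    """Split a UNC path into (server, share, [folder, ...]); raise on bad input."""
    m = UNC_RE.match(text)
    if not m:
        raise ValueError("not a UNC path: %r" % (text,))
    inside = [part for part in m.group("path").split("\\") if part]
    return m.group("server"), m.group("share"), inside


def net_use_command(drive_letter, unc):
    """Build the NET USE line that maps drive_letter to unc.

    The drive letter is normalised ("g" or "g:" -> "G:") and the UNC is
    validated, so a letter fused onto the share (G:\\SERVER\..., no space)
    is rejected rather than silently emitted as a broken command.
    """
    letter = drive_letter.rstrip(":").upper()
    if len(letter) != 1 or not ("A" <= letter <= "Z"):
        raise ValueError("bad drive letter: %r" % (drive_letter,))
    parse_unc(unc)
    return "NET USE %s: %s" % (letter, unc)


if __name__ == "__main__":
    print(net_use_command("G", r"\\SERVER\EMPLOYEES"))
    print(parse_unc(r"\\SERVER\EMPLOYEES\2008\reports"))
```

The same parser accepts paths that go deeper into the share, as the text notes, returning the folder components as a list.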
TIP You can use the NET command from any Windows client for any Windows network. Type NET by itself to list all of the different forms of the command. Type NET HELP command (for example, NET HELP USE) to see detailed help on the different NET commands.