Lab A: Assigning NTFS Permissions
Copying and Moving Files and Folders
Lab B: Managing NTFS Permissions
NTFS Permissions and Shared Folders
Troubleshooting Access Problems
Lab C: Sharing and Securing Network Resources
Review
This course is a prerelease course and is based on Microsoft Windows 2000 Beta 3 software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta 3 version of Microsoft Windows 2000 Advanced Server.
Module 4: Administering File Resources
© 1999 Microsoft Corporation. All rights reserved.
Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module prepares students to share and control access to Microsoft® Windows® 2000 network files by using shared folders, and to secure files and folders by assigning shared folder and NTFS file system permissions. The module discusses how to control access to files and folders by assigning NTFS permissions to user accounts and groups. It also explains how to provide users with access to file resources by putting resources in shared folders. At the end of this module, students will be able to manage file resources in order to make the appropriate items available to users.
There are three labs in this module. In them, students assign NTFS permissions for shared folders and files, assign shared folder permissions to users and groups, share a folder, and connect to a shared folder.
Materials and Preparation
This section provides you with the materials and preparation needed to teach this module.
Materials
To teach this module, you need the following materials:
- Microsoft PowerPoint® file 1556A_04.ppt
- Module 4, “Administering File Resources”
Preparation
To prepare for this module, you should:
- Read all the materials for this module.
- Review the Delivery Tips and Key Points for each section and topic.
- Create two or three folders and assign NTFS permissions (for example, Full Control and Read, and perhaps Read & Execute). In the module, you will show the range of access to resources that NTFS permissions provide to users.
- Complete the three labs.
- Study the review questions and prepare alternative answers for discussion.
- Anticipate questions that students may ask. Write out the questions and provide answers to them.
- View the video, “Concepts of Microsoft Windows 2000 Active Directory,” located on the Trainer Materials compact disc.
Presentation: 75 Minutes
Lab: 60 Minutes
Instructor Setup for the Labs
Make sure that you have followed all instructions in the Classroom Setup Guide. Before students begin lab B, “Managing NTFS Permissions,” be sure that they have successfully completed lab A, “Assigning NTFS Permissions.”
Module Strategy
Use the following strategy to present this module:
- Using NTFS Permissions: Provide an overview of using NTFS permissions. Provide a brief description of file systems, NTFS file systems, and partitions. Describe NTFS permissions to control access to resources. List and define NTFS folder and file permissions.
- How Windows 2000 Applies NTFS Permissions: Introduce how Windows 2000 applies NTFS permissions to files and folders. Explain how multiple NTFS permissions combine. Explain how NTFS permissions are inherited and how inheritance is prevented. Describe default NTFS permissions. Reinforce students’ understanding of how Windows 2000 applies NTFS permissions to files and folders.
- Assigning NTFS Permissions: Introduce assigning NTFS permissions. Provide students with guidelines for assigning NTFS permissions. Explain how to assign NTFS permissions, and how to control permissions inheritance.
- Copying and Moving Files and Folders: Introduce how copying and moving files and folders may affect the permissions assigned to them. Describe what happens to NTFS permissions when students copy and move files and folders. Reinforce students’ understanding of the results of copying and moving files on NTFS permissions.
- Sharing Resources: Introduce sharing files by sharing the folder that contains them. Describe using shared folders to share file resources. Define shared folder permissions. Explain how shared folder permissions are applied to user accounts and groups. Provide guidelines for administering shared folders.
- Creating Shared Folders: Introduce creating shared folders to share file resources. Outline the requirements for sharing folders. Describe how to share a folder. Explain how to assign shared folder permissions to user accounts and groups. Explain how to modify a shared folder and how to stop sharing a folder. Explain how users gain access to shared folders. List and describe hidden administrative shared folders.
- NTFS Permissions and Shared Folders: Introduce combining shared folder and NTFS permissions. Describe the greater degree of security that is available when students use NTFS permissions to secure file resources in shared folders. Present a strategy for using NTFS permissions to secure file resources in shared folders. Reinforce students’ understanding of what happens when you combine shared folder and NTFS permissions.
- Troubleshooting Access Problems: Present permissions problems that may occur when managing access to files and folders.
- Best Practices: Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering
of the following actions:
- Complete module 2 or 3 of course 1556A, Administering Microsoft Windows 2000.
- From the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain.
Setup Requirement 2
The labs in this module require the following user accounts: User41, User42, User43 and User44, and the following Global group accounts: Managers and Sales. User41 is a member of the Managers group, and User42, User43 and User44 are members of the Sales group.
To prepare the student computers to meet this requirement,
- Run the script Lab041.cmd on one of the two domain controllers in each subdomain.
If you run the script on both domain controllers, the labs will not function properly.
- If you create the users manually, leave the password blank.
Lab Results
Performing the labs in this module introduces the following configuration changes:
- The assignment of the Log on locally right to the Users group
- The addition of User41, User42, User43 and User44 to the Users container
- The addition of the Managers and Sales Global groups
- The addition of User41 to the Sales group
- The addition of User42, User43 and User44 to the Managers group
- Creating Shared Folders
- Best Practices
When providing access to file resources on a computer running Microsoft® Windows® 2000 Server, you control who has access to resources and the nature of the access that they have. To control access to files and folders, you assign NTFS file system permissions to user accounts and groups. NTFS is a file system designed for use with Windows 2000 and Windows NT operating systems. It supports file system recovery, very large storage media, long file names, and other features. NTFS permissions provide security for resources by controlling access to individual files and folders and by specifying which user can access files and folders and the kind of access that users can have.
To provide network users with access to file resources, you put the resources in shared folders. When a folder is shared, users can connect to the folder over the network and gain access to the files that it contains.
Objectives
At the end of this module, you will be able to:
- Describe the use of NTFS permissions to control access to files and folders.
- Describe how permissions apply to files and folders.
- Assign NTFS file and folder permissions to user accounts and groups.
- Describe the effect on NTFS file and folder permissions of copying and moving files and folders.
- Use shared folders to provide access to network file resources.
- Create shared folders.
- Describe the result of using NTFS permissions to control access to resources contained in shared folders.
- Troubleshoot problems accessing files and folders.
- Apply best practices for administering resources.
In this module, we discuss how to share and control access to network resources by using shared folders and NTFS permissions.
To secure files and folders on NTFS partitions, you assign NTFS permissions for each user account and group that needs access to the resource. NTFS is the Windows 2000 file system. A file system defines the way in which files are named, stored, and organized. A file system is used to format a partition. A partition is a logical portion of a physical disk that functions as though it were a physically separate unit.
If no permissions are assigned to a user or to a group of which the user is a member, the user cannot access the resource. NTFS permissions provide security for resources by controlling user access to individual files and folders and by specifying the level of user access.
You use NTFS folder permissions to control access to folders. You use NTFS file permissions to control access to files. Because of the nature of files and folders, the permissions for files are different than the permissions for folders. For example, you assign users permission to view the contents of a folder, which is a permission called List Folder Contents. However, there is no comparable permission for a file.
control the access of user accounts and groups to folders and individual files
Delivery Tip
This is an overview of using NTFS permissions. Prepare students for the topic by providing the following key
NTFS Permissions
- Specific Permissions Required to Assign Permissions
- Permissions Assigned to User Accounts and Groups
- Permission Can Be Denied
[Slide illustration: NTFS Partition C:\ with User1 and User2; labels: Read, No Permission Assigned]
Users must be assigned explicit permission to gain access to resources. If no permission is assigned, the user account or group cannot gain access to the file or folder. Permissions can be granted or denied to user accounts and to groups.
- Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to files and folders.
- You can assign NTFS permissions to individual user accounts and groups. A user can be a member of one or more groups, and each group can have different permissions. Therefore, a user can have a number of permissions assigned to his or her user account and as a member of one or more groups.
- You can deny permission to a user account or group. For example, if you deny Read permission for a file to a user account, or to a group of which the user is a member, the user cannot read the file.
When assigning permissions to files, you assign permissions to a folder and place files with the same security requirements in that folder. You can also specify permissions on individual files within a folder if you want a user or group to have access only to a particular file.
NTFS permissions are only available on NTFS partitions. NTFS permissions are not available on partitions that are formatted with the file allocation table (FAT) or FAT32 file systems.
Slide Objective
To describe NTFS permissions
Lead-in
Users must have explicit permission to gain access to
NTFS Folder Permissions
[Slide: Folder Permissions: Read, Write, List Folder Contents, Read & Execute, Modify, Full Control]
You assign folder permissions to control the access that users have to folders and the files and subfolders that are contained within those folders. The following table lists the standard NTFS folder permissions that you can assign and the type of access that each permission provides. The table lists the permissions from most restrictive to least restrictive.
NTFS folder permission: Allows the user to
- Read: … attributes*, ownership, and permissions
- Write: … folder attributes, and view folder ownership and permissions
- List Folder Contents: See the names of files and subfolders in the folder
- Read & Execute: Traverse** folders plus perform actions permitted by the Read permission and the List Folder Contents permission
- Modify: … Write permission and the Read & Execute permission
- Full Control: Change permissions, take ownership, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions
* Attribute examples: Read-only, Hidden, Archive, and System (file).
** Traverse allows the user to move through folders to reach other files and folders.
folders that you have created earlier and for which you have assigned permissions. You can demonstrate Full Control and Read, as well as perhaps Read & Execute, to show the range of access to resources that NTFS permissions provide. Assign permissions and show students what a user can and cannot do with each permission.
Key Points
The Read & Execute, Modify, and Full Control NTFS folder permissions are additive. For example, the Modify permission consists of the ability to delete a folder, plus the access that is provided by both the Write and the Read & Execute permissions.
File Permissions
[Slide: File Permissions: Read, Write, Read & Execute, Modify, Full Control]
You assign file permissions to control the access that users have to files. The following table lists the standard NTFS file permissions that you can assign and the type of access that each permission provides. The table lists the permissions from most restrictive to least restrictive.
NTFS file permission: Allows the user to
- Read: … permissions
- Write: … ownership and permissions
- Read & Execute: Run applications and perform the actions permitted by the Read permission
- Modify: … permitted by the Write permission and the Read & Execute permission
- Full Control: … actions permitted by all other NTFS file permissions
The Read & Execute, Modify, and Full Control NTFS file permissions are additive.
Delivery Tip
Demonstrate NTFS file permissions. Assign permissions and show students what a user can and cannot do with each permission.
- Class Discussion: Applying NTFS Permissions
There are several ways that users can obtain permissions to gain access to files and folders. You assign permissions directly to individual users to access files and folders. Permissions that you assign to groups apply to user accounts that have been added to the groups. Subfolders and files in the folder may inherit permissions that you assign to a user or group for a folder.
You can assign permissions to a user by assigning permissions to the individual user account or to each group of which the user is a member. In this way, users may have multiple permissions to the same resource. There are rules and priorities that are associated with how NTFS assigns and combines multiple permissions.
When you assign permissions for a folder, the subfolders and files contained in the folder inherit the permissions by default. It is important to understand how subfolders and files inherit NTFS permissions from parent folders so that you can use inheritance to propagate permissions to files and folders.
When you create files and folders, and when you format a partition with NTFS, Windows 2000 automatically assigns default NTFS permissions.
Examples will help you to understand how NTFS applies permissions to files and folders through the combination of multiple permissions and inheritance.
There are rules associated with how NTFS applies permissions to files and folders.
Delivery Tip
This is an overview of applying NTFS permissions. Prepare students for the topic by providing the following key points of
files, folders, and partitions when you create them. Examples will help you to understand how permissions combine and are inherited.
Multiple NTFS Permissions
- File Permissions Override Folder Permissions
- Deny Overrides Other Permissions
[Slide illustration: NTFS Partition C:\ with FolderA, File1, and File2; User1, GroupA, and GroupB; labels: Read, Write, Read / Write, Deny Write to File2]
You assign NTFS permissions to individual user accounts and to groups. By assigning permissions to a user and to a group of which the user is a member, you assign multiple permissions.
Permissions Are Cumulative
A user’s effective permissions for a resource are the combination of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.
NTFS File Permissions Override NTFS Folder Permissions
NTFS file permissions take priority over folder permissions. A user with Change permission to a file will be able to make changes to the file even if he or she has only Read permission to the folder containing the file.
Deny Overrides Other Permissions
You can deny permission to a user account or group for a specific file. Even if a user has access permission to the file or folder as a member of a group, denying permission to the user blocks any other permission that the user has. Avoid denying permission. It is preferable to structure groups and organize resources in folders so that allowing permissions is sufficient.
Example of Multiple Permissions
In the illustration, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2. User1 can read File2 but cannot write to File2 because User1 is a member of Group A, which has been denied Write permission for File2.
Demonstrate how multiple permissions combine, how file permissions take priority over folder permissions, and how Deny overrides other permissions.
By default, permissions that you assign to a parent folder are inherited by and propagated to the subfolders and files that are contained in the parent folder. However, you can prevent permissions inheritance. You may want folders or files to have different permissions than their parent folder.
Permissions Inheritance
Whatever permissions you assign to a parent folder also apply to subfolders and files that are contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder, for any existing files and subfolders, and for any new files and subfolders that are created in the folder.
Controlling Permissions Inheritance
You can prevent subfolders and files from inheriting permissions that are assigned to that folder. That is, the subfolders and files will not inherit permissions that are assigned to the parent folder containing them. When you prevent permissions inheritance, you can either:
- Copy inherited permissions from the parent folder, or
- Remove the inherited permissions and retain only the permissions that were explicitly assigned.
The folder at which you prevent permissions inheritance becomes the new parent folder, and the subfolders and files that are contained within it inherit the permissions assigned to it.
Example of Permissions Inheritance
In the slide illustration, inheritance is prevented at FolderB. FolderB will not inherit any changes that you make to the permissions of FolderA. Any subfolders and files that are contained within FolderB will inherit the permissions that you assign.
Slide Objective
To explain how NTFS permissions are inherited and how inheritance is prevented
Lead-in
NTFS permissions are inherited from the folder in which they are created or contained.
Delivery Tip
Demonstrate how permissions are inherited and how to prevent inheritance.
Assign permissions and show students how permissions are propagated from a folder to its subfolders and files. Also, show how to add permissions to a file or folder that has inherited permissions from a parent folder.
Default NTFS Permissions
- NTFS Permissions Automatically Assigned
When you format a partition or create a file or folder, Windows 2000 automatically assigns default NTFS permissions.
- When you format a partition with NTFS, Windows automatically assigns the Full Control permission for the root folder to the Everyone group. Folders and files that are created on the partition inherit this default permission. To restrict access to authorized users, you should change the default permissions for folders that you create.
- When you create a new folder or file on an NTFS partition, the folder or file inherits the permissions of its parent folder.
- When you assign a user or group permission for a file or folder, the file or folder is selected, and the user or group is added to the file or folder. When a user or group is added to a folder, the NTFS permissions Read & Execute, List Folder Contents, and Read are assigned to the user account or group by default. When a user or group is added to a file, the NTFS permissions Read & Execute and Read are assigned to the user account or group by default.
When Windows 2000 is installed on an NTFS partition, NTFS permissions are automatically assigned to some system folders. System folders contain the Windows 2000 operating system files. Do not modify any permissions that Windows 2000 assigns to system files.
Class Discussion: Applying NTFS Permissions
[Slide scenarios:
1. Users Group Write to Folder1; Sales Group Read to Folder1
2. Users Group Read to Folder1; Sales Group Write to Folder2
3. Users Group Modify to Folder1; Doc2 should only be accessible to Sales Group, and only for read access
Slide illustration labels: NTFS Partition C:\, Folder1, Folder2, Doc1, Doc2, Users Group, Sales Group, User1]
User1 is a member of the Users group and the Sales group.
1. The Users group has Write permission and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?
User1 has Write and Read permissions for Folder1, because User1 is a member of the Users group, which has Write permission, and the Sales group, which has Read permission.
2. The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for Doc2?
User1 has Read and Write permissions for Doc2, because User1 is a member of the Users group, which has Read permission to Folder1, and the Sales group, which has Write permission to Folder2. Doc2 inherits permissions from both Folder2 and Folder1.
3. The Users group has Modify permission for Folder1. Doc2 should only be accessible to the Sales group, and only for reading. What steps should you take to ensure that the Sales group has only Read permission for Doc2?
Disable permissions inheritance for Folder2 or Doc2. Remove permissions for Folder2 or Doc2 that Folder2 has inherited from Folder1. Assign only the Read permission to the Sales group for Folder2 or Doc2.
Let’s look at some examples of the results of applying NTFS permissions to files and folders.
Delivery Tip
Discuss each of these examples with students. In each example, review the permissions assigned to each group. Discuss how multiple permissions combine, and the effective permissions that User1 has to resources.
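The combination and inheritance rules from the Multiple NTFS Permissions, Permissions Inheritance, and Class Discussion sections, worked through as an added Python example that is not part of the original courseware; it reproduces the File2 slide example and discussion questions 2 and 3. The Node class, the lowercase right names, and the User9 account are constructs of this example, and the model covers only the rules stated in this module, not the full Windows access check.

```python
"""Toy model of the NTFS permission rules taught in this module (added example)."""
from dataclasses import dataclass, field

# Simplification: models only the rules stated in the module; real NTFS
# evaluates ordered access-control entries over access masks.
# Rights granted by each standard permission, following the module's tables:
# Read & Execute, Modify and Full Control are additive.
RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "List Folder Contents": {"list"},
    "Read & Execute": {"read", "list", "execute"},
    "Modify": {"read", "list", "execute", "write", "delete"},
    "Full Control": {"read", "list", "execute", "write", "delete",
                     "change permissions", "take ownership"},
}


@dataclass
class Node:
    """A file or folder with explicit entries of (trustee, 'allow'|'deny', permission)."""
    name: str
    parent: "Node | None" = None
    is_file: bool = False
    inherits: bool = True
    entries: list = field(default_factory=list)

    def allow(self, trustee, permission):
        self.entries.append((trustee, "allow", permission))

    def deny(self, trustee, permission):
        self.entries.append((trustee, "deny", permission))

    def all_entries(self):
        """Explicit entries plus everything inherited from the parent chain."""
        inherited = self.parent.all_entries() if self.parent and self.inherits else []
        return inherited + self.entries

    def block_inheritance(self, mode):
        """Clear the inheritance check box; mode is 'copy' or 'remove'."""
        if mode not in ("copy", "remove"):
            raise ValueError("mode must be 'copy' or 'remove'")
        if mode == "copy" and self.parent and self.inherits:
            # Copy: previously inherited entries become explicit entries here.
            self.entries = self.parent.all_entries() + self.entries
        self.inherits = False  # later changes on the parent no longer propagate


def effective(node, user, groups):
    """Rights of `user`: allows for the account and its groups combine, Deny wins."""
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for trustee, kind, permission in node.all_entries():
        if trustee in trustees:
            (allowed if kind == "allow" else denied).update(RIGHTS[permission])
    rights = allowed - denied
    if node.is_file:
        rights.discard("list")  # List Folder Contents has no file equivalent
    return rights


def slide_example():
    """User1 (GroupA, GroupB): Read on FolderA, GroupB Write, GroupA denied Write on File2."""
    folder_a = Node("FolderA")
    folder_a.allow("User1", "Read")
    folder_a.allow("GroupB", "Write")
    file1 = Node("File1", folder_a, is_file=True)
    file2 = Node("File2", folder_a, is_file=True)
    file2.deny("GroupA", "Write")
    groups = ["GroupA", "GroupB"]
    return effective(file1, "User1", groups), effective(file2, "User1", groups)


def question_2():
    """Users has Read on Folder1, Sales has Write on Folder2; Doc2 inherits from both."""
    folder1 = Node("Folder1")
    folder1.allow("Users", "Read")
    folder2 = Node("Folder2", folder1)
    folder2.allow("Sales", "Write")
    doc2 = Node("Doc2", folder2, is_file=True)
    return effective(doc2, "User1", ["Users", "Sales"])


def question_3(mode):
    """Users has Modify on Folder1; block inheritance at Folder2, then give Sales Read."""
    folder1 = Node("Folder1")
    folder1.allow("Users", "Modify")
    folder2 = Node("Folder2", folder1)
    doc2 = Node("Doc2", folder2, is_file=True)
    folder2.block_inheritance(mode)
    folder2.allow("Sales", "Read")
    # User9 is a hypothetical account that belongs to the Users group only.
    return effective(doc2, "User1", ["Users", "Sales"]), effective(doc2, "User9", ["Users"])


if __name__ == "__main__":
    print("File1, File2:", slide_example())
    print("Question 2:", question_2())
    print("Question 3, Remove:", question_3("remove"))
    print("Question 3, Copy:", question_3("copy"))
```

With Copy, the Users group keeps the rights it previously inherited through Modify, so question 3 is only satisfied when the inherited permissions are removed and Sales is then given Read.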
Assigning NTFS Permissions
- Guidelines for Assigning NTFS Permissions
- Setting NTFS Permissions
- Controlling Permissions Inheritance
When you assign NTFS permissions, you should follow certain guidelines to help you make the assignments in an effective way. Administrators, users with Full Control permission, and owners of files or folders assign permissions to user accounts and groups for those files and folders. Assign permissions to groups according to group and user needs. To control the propagation of assigned permissions, you allow or prevent permissions inheritance from parent folders to subfolders and files that are contained in the parent folder.
Slide Objective
To introduce assigning NTFS permissions
Lead-in
Administrators and owners of files and folders control access to files and folders.
Delivery Tip
This is an overview of assigning NTFS permissions. Prepare students for the topic by providing the following key
according to user needs. Set permission inheritance to allow or prevent permissions from propagating to files and folders.
Guidelines for Assigning NTFS Permissions
- Group Resources to Simplify Administration
- Assign Only the Permissions That Users Need
- Create Groups According to Resource Access Needs
- Assign Read & Execute Permissions for Application Folders
- Assign Permissions Rather Than Deny Permissions
- Assign Appropriate Permissions to Users and File Owner for Public Data
Consider the following guidelines when you assign NTFS permissions:
- To simplify administration, group files into application folders where commonly used applications are kept, data folders containing data files shared by multiple users, and home folders that contain each individual user’s files. Centralize home folders and data folders on a separate partition. This provides the following benefits:
  • You assign permissions only to folders, not to individual files.
  • Backup is less complex, because there is no need to back up application files and all home and data folders are in one location.
- Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the groups. Assign permissions to individual user accounts only when necessary.
- Allow users only the level of access that they require. If a user only needs to read a file, assign the user, or group to which the user has been added, Read permission for the file.
- When you assign permissions for application folders, assign the Read & Execute permission to the Users and Administrators groups. This prevents data and application files from being accidentally deleted or damaged by users or viruses.
- When you assign permissions for data folders, assign Read & Execute and Write permissions to the Users group and Full Control permission to Creator Owner. This gives users the ability to read and modify documents that other users create, and the ability to read, modify, and delete the files and folders that they themselves create.
- Deny permissions only when it is essential to deny access to a specific user account or group.
Administrators, users with Full Control permission, and owners of files and folders (Creator Owner) can assign permissions to user accounts and groups. When you assign or modify NTFS permissions for a file or a folder, you can either add or remove users or groups for the file or folder. In addition, by selecting a user or group, you can modify the permissions for the user or group.
On the Security tab of the Properties dialog box for the file or folder, configure the options that the following table describes.
Option: Description
- Name: Selects the user account or group for which you want to change permissions or that you want to remove from the list
- Permissions: To allow a permission, select the Allow check box. To deny a permission, select the Deny check box
- … you use to select user accounts and groups to add to the Name list
- Remove: Removes the selected user account or group and the associated permissions for the file or folder
assigns the Full Control permission when you create a file or folder or when you format a partition with NTFS.
Delivery Tip
Demonstrate assigning permissions to a folder. Then, demonstrate blocking permissions inheritance for a file that is contained in the folder. Finally, assign new permissions to the file on which you blocked permissions inheritance.
Controlling Permissions Inheritance
[Slide illustration: Security dialog box; label: Write. Dialog text:]
You are preventing any inheritable permissions from propagating to this object. What do you want to do?
- To copy previously inherited permissions to this object, click Copy.
- To Remove the inherited permissions and keep only the permissions explicitly specified on this object, click Remove.
- To abort this operation, click Cancel.
In general, you should allow Windows 2000 to propagate permissions from a parent folder to subfolders and files contained in the parent folder. Permissions propagation simplifies the assignment of permissions for resources. However, there are times when you may want to prevent inheritance so that permissions do not propagate from a parent folder to subfolders and files.
For example, you may need to keep all sales department files in one sales folder to which everyone in the sales department has Write permission. However, you need to limit access for a few files in the folder to Read. To do so, you prevent inheritance so that the Write permission does not propagate to the files contained in the folder.
By default, subfolders and files inherit permissions that you assign to their parent folders. This is indicated on the Security tab in the Properties dialog box when the Allow inheritable permissions from parent to propagate to this object check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the Allow inheritable permissions from parent to propagate to this object check box. Then, select one of the two options described in the following table.
Option: Description
- Copy: Copies previously inherited permissions that are assigned to the parent folder to the subfolder or file and denies subsequent permissions inheritance from the parent folder
- Remove: Removes the inherited permission that is assigned to the parent folder from the subfolder or file and retains only the permissions that you explicitly assign to the subfolder or file
Slide Objective: To explain how to control permissions inheritance.
Lead-in: By default, the permissions that you assign for a folder are inherited by subfolders and files contained in the folder. You can control inheritance.
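The Copy and Remove options described above, applied to the sales folder example, as an added illustration that is not part of the course material. It is a simplified model, not Windows code; the class, the function and the file names Forecast.doc and Notes.doc are constructed for the example.

```python
# Added illustration: simplified model of NTFS permissions inheritance.
# Object and group names are constructed; real ACLs carry more detail.

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.explicit = {}      # group -> permissions assigned on this object
        self.inherit = True     # state of the "Allow inheritable permissions..." check box

    def inherited(self):
        """Permissions that propagate down from the parent folder."""
        if not self.inherit or self.parent is None:
            return {}
        return self.parent.effective()

    def effective(self):
        """Inherited permissions merged with the explicit ones."""
        merged = {g: set(p) for g, p in self.inherited().items()}
        for group, perms in self.explicit.items():
            merged.setdefault(group, set()).update(perms)
        return merged

    def block_inheritance(self, option):
        """Clear the check box, then apply the Copy or Remove option."""
        if option not in ("Copy", "Remove"):
            raise ValueError("option must be 'Copy' or 'Remove'")
        if option == "Copy":    # inherited entries become explicit entries
            for group, perms in self.inherited().items():
                self.explicit.setdefault(group, set()).update(perms)
        self.inherit = False    # Remove keeps only what was already explicit


def sales_scenario(option):
    """Sales folder grants Write; one file is then limited to Read."""
    sales = Node("Sales")
    sales.explicit["Sales"] = {"Write"}
    limited = Node("Forecast.doc", parent=sales)
    limited.block_inheritance(option)
    after_block = limited.effective()
    limited.explicit["Sales"] = {"Read"}        # assign the new, narrower permission
    sales.explicit["Sales"].add("Modify")       # later change on the parent folder
    other = Node("Notes.doc", parent=sales)     # a file that still inherits
    return after_block, limited.effective(), other.effective()
```

With Remove, the file has no permissions at all until you assign some, so nobody in the group can reach it in the interval; with Copy, it keeps the inherited Write permission until you change it.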
Lab A: Assigning NTFS Permissions
Objectives
After completing this lab, you will be able to:
- Assign NTFS file system folder and file permissions to user accounts and groups.
- Test the NTFS folder and file permissions that you assign.
Prerequisites
Before working on this lab, you must have:
- Knowledge of users and groups in Microsoft® Windows® 2000.
Estimated time to complete this lab: 30 minutes
Slide Objective: To prepare students for the lab.
Lead-in: In this lab, you will assign NTFS folder and file permissions to user accounts and groups, and you will test the permissions that you assign.
Delivery Tips: Review the lab answers. Ask students if they encountered any problems during the lab.
Exercise 1
Assigning NTFS Permissions for the Data Folder
You are setting up a server that will contain files and folders that users will need to be able to access from anywhere in the network. You have already created a folder structure, and the next step is to assign permissions so that the users will have just enough permissions to accomplish their work. You must be careful not to assign inappropriate permissions (permissions at a higher level than is necessary for the users).
You have a data folder into which users will be saving their work. Users need the ability to save and modify their own work but not to change files that belong to other users. You also want to ensure that only authorized users on the network can access the folder.
The default permissions for the Data folder are Full Control for the Everyone group. These permissions are more than users will need. The first step is to remove these default permissions. The permissions that you assign to the data folder are based on the following criteria:
- All users in the domain should be able to read documents and files in the Data folder.
- All users in the domain should be able to create documents in the Data folder.
- All users in the domain should be able to modify the contents, properties, and permissions of the documents that they create in the Data folder.
To remove default permissions from the Data folder
1. Log on to your domain as Administrator, and then start Windows Explorer.
2. Right-click the C:\MOC\WIN1556A\Labfiles\Data folder, and then click
What are the existing folder permissions?
The Everyone group has Full Control.
Notice that the currently allowed permissions cannot be modified.
Why are you not able to modify the current permissions? What must you do to modify the permissions for the Data folder?
The current permissions are being inherited from the parent. To modify the permissions for the Data folder, clear the Allow inheritable permissions from parent to propagate to this object check box.
4. Under Name, select the Everyone group, and then click Remove.
What do you see?
Windows 2000 displays a message box, indicating that the folder is inheriting the permissions for Everyone from its parent folder. To change permissions for Everyone, you must first block inheritance.
5. Click OK to close the message box.
6. Clear the Allow inheritable permissions from parent to propagate to this object check box to block permissions from being inherited.
Windows 2000 displays the Security dialog box, prompting you to copy the currently inherited permissions to the folder or to remove all permissions for the folder except those that you explicitly specify.
7. Click Remove.
What are the existing folder permissions?
No permissions are currently assigned.
To assign permissions to the Users group for the Data folder
1. In the Data Properties dialog box, click Add.
Windows 2000 displays the Select Users, Computers, or Groups dialog box.
2. In the Look in box at the top of the dialog box, select your domain.
The Look in box allows you to select the computer or domain from which to select user accounts, groups, or computers when you assign permissions. Make sure that your domain is selected.
3. Select Users, and then click Add.
The dialog box displays Users under Name at the bottom of the dialog box.
4. Click OK to return to the Data Properties dialog box.
What are the existing allowed folder permissions?
The Users group has the Read & Execute, List Folder Contents, and Read permissions. These are the default permissions that Windows 2000 assigns when you add a user account or group to the list of permissions.
5. Make sure that Users is selected, and then next to Write, click the Allow check box.
6. Click Apply to save your changes.
How do you give users the ability to modify only the files that they created?
You assign the Full Control permission to the Creator Owner group. This way, any file that a user creates in the folder will be owned by that user and given full control.
To assign permissions to the Creator Owner group for the Data folder
1. In the Data Properties dialog box, click Add.
Windows 2000 displays the Select Users, Groups, or Computers dialog box.
2. In the Look in box at the top of the dialog box, select your domain.
3. In the Name list, select Creator Owner, and then click Add.
Creator Owner appears under Name at the bottom of the dialog box.
4. Click OK to return to the Data Properties dialog box.
What are the existing allowed folder permissions?
Users has the Read & Execute, List Folder Contents, Read, and Write permissions.
Creator Owner has the Read & Execute, List Folder Contents, and Read permissions.
5. Make sure that Creator Owner is selected, and next to Full Control, select the Allow check box. Then click Apply to save your changes.
When you applied the changes, why did the Administrators group appear
information. You will need to give the Administrators group the ability to do this. This group should have full control over the folder and its contents.
To assign permissions to the Administrators group for the Data folder
1. Right-click the C:\MOC\WIN1556A\Labfiles\Data folder, and select Properties.
2. Select the Security tab.
3. In the Data Properties dialog box, make sure that Administrators is selected, and then next to Full Control, select the Allow check box.
4. Click OK to apply your changes and close the Data Properties dialog box.
5. Create a text file named Admin.txt in the C:\MOC\WIN1556A\Labfiles\Data folder.
The file that you create will be used to test the permissions that you just assigned.
6. Close all applications, and then log off Windows 2000.
To test the folder permissions that you assigned for the Data folder
1. Log on to your domain as User41 with no password, and then start Windows Explorer.
2. Expand the C:\MOC\WIN1556A\Labfiles\Data folder.
3. In the Data folder, attempt to create a text file named User41.txt. Were you successful? Why or why not?
Yes, because the Users group is assigned the Write permission for the Data folder.
The tasks that you can complete are opening, modifying, and deleting the file because Creator Owner has been assigned the NTFS Full Control permission for the Data folder.
5. Attempt to perform the following tasks for the file that the administrator created, and then record the tasks that you are able to complete.
Task               Successful?
Open the file
Modify the file
Delete the file
The tasks that you can complete are opening and modifying the file because you are logged on as a member of Domain Users, which is a member of the Users group. The Users group has been assigned the NTFS Read & Execute, List Folder Contents, Read, and Write permissions for the Data folder. Files that are created in the folder inherit these folder permissions. Therefore, User41 can only read and modify the file that the administrator created.
6. Close all applications, and then log off Windows 2000.
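The outcome of the Lab A test, worked through as an added illustration that is not part of the course material. It is a simplified model of the Data folder permissions assigned in the exercise; the function names and the mapping from each task to the permission it needs are assumptions made for the example.

```python
# Added illustration: simplified evaluation of the Data folder ACL from Lab A.
# Which standard permission each task needs is a simplifying assumption.

FULL = {"Read", "Write", "Modify", "Full Control"}
NEEDS = {"open": "Read", "modify": "Write", "delete": "Modify"}

# Folder ACL built in the exercise (Read & Execute and List Folder Contents
# are folded into Read to keep the model small).
DATA_FOLDER_ACL = {
    "Users": {"Read", "Write"},
    "CREATOR OWNER": set(FULL),
    "Administrators": set(FULL),
}

def create_file(folder_acl, creator):
    """A new file inherits the folder ACL; CREATOR OWNER becomes the creating user."""
    acl = {}
    for trustee, perms in folder_acl.items():
        name = creator if trustee == "CREATOR OWNER" else trustee
        acl.setdefault(name, set()).update(perms)
    return acl

def allowed_tasks(file_acl, user, groups):
    """Union of what is granted to the user and to each group the user belongs to."""
    granted = set()
    for trustee in [user, *groups]:
        granted |= file_acl.get(trustee, set())
    return {task: need in granted for task, need in NEEDS.items()}

def lab_a_test():
    """Tasks User41 can perform on User41.txt and on Admin.txt."""
    admin_file = create_file(DATA_FOLDER_ACL, "Administrator")
    user_file = create_file(DATA_FOLDER_ACL, "User41")
    groups = ["Users"]      # User41 is in Domain Users, a member of Users
    return (allowed_tasks(user_file, "User41", groups),
            allowed_tasks(admin_file, "User41", groups))
```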
Copying and Moving Files and Folders
- Copying Files and Folders
- Moving Files and Folders
- Class Discussion: Copying and Moving Files
You may need to copy or move files and folders from one folder to another folder on the same partition. You may need to copy or move files and folders from one partition to another partition. Copying and moving files and folders may affect the permissions that are assigned to them. Users may discover that they no longer have permissions for files and folders that have been copied or moved. Users also may discover that they have access to files and folders that have been copied or moved to which they are not supposed to have access. You should know what happens to file and folder permissions when a file or folder is copied or moved.
You may need to educate users about the effects on permissions when files and folders are copied or moved. Also, you may have to resolve access problems for files and folders that have been copied or moved. Examples will help you to understand how NTFS permissions change when you copy or move files and folders.
Slide Objective: To introduce copying and moving files and folders.
Lead-in: Copying or moving files or folders within and between NTFS partitions may affect permissions.
Delivery Tip: This is an overview of copying and moving files and folders. Prepare students for the topic by providing the following key points of information.
Key Points: When you copy or move files and folders, the permissions assigned for them may change. Examples will help you to understand how copying and moving files and folders affects permissions.
Copying Files and Folders
[Slide figure: copying files and folders within an NTFS partition (C:\), to another NTFS partition, and to a non-NTFS partition, where they lose NTFS permissions. Figure labels: Permissions = Full Control; Read, Write Permission.]
When you copy files or folders from one folder to another folder, or from one partition to another partition, permissions may change:
- When you copy a folder or file within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
- When you copy a folder or file between NTFS partitions, the copy of the folder or file inherits the permissions of the destination folder.
- When you copy files or folders to non-NTFS partitions such as FAT, the folders and files lose their NTFS permissions, because non-NTFS partitions do not support NTFS permissions.
To copy files and folders within a single NTFS partition or between NTFS partitions, you must have the Read permission for the origination folder and Write permission for the destination folder.
When you copy a file or folder, you become the owner of that file.
When you copy files or folders from one NTFS partition to another, Windows 2000 treats the file as a new file. As a new file, it takes on the permissions of the destination folder. You must have Write permission for the destination folder in order to be able to copy files and folders.
Moving Files and Folders
[Slide figure: moving files and folders within an NTFS partition (C:\), to another NTFS partition, and to a non-NTFS partition, where they lose NTFS permissions. Figure labels: Permissions = Full Control; Write, Modify Permissions.]
When you move a file or folder, permissions may change, depending on the destination of the file or folder. Moving a file or folder has the following effects:
To move files and folders within an NTFS partition or between NTFS partitions, you must have both Write permission for the destination folder and Modify permission for the source folder or file. The Modify permission is required to move a folder or file because Windows 2000 removes the folder or file from the source folder after it copies it to the destination folder.
When you move files or folders from one NTFS partition to another, the permissions may change.
Key Point: To move a file or folder, you must have Write permission for the destination folder and the Modify permission for the source folder.
Class Discussion: Copying and Moving Files
1. What permission does Group 1 have for FileA after FileA is copied to the C:\Public folder?
Group 1 has Modify permission for FileA, because FileA inherited the Modify permission from the destination folder after FileA was copied.
2. What permission does Group 1 have for FileA after FileA is moved to the C:\Public folder?
Group 1 has no access because a file that is moved between folders on the same NTFS partition retains its permissions. Because no permissions were assigned to the file before it was moved, the file has no permissions after it is moved.
3. What permission does Group 1 have for FileA after FileA is moved to the D:\Data folder?
Group 1 has Full Control permission for FileA after FileA is moved to D:\Data, because a move operation between NTFS partitions is treated as copy and delete operations; therefore, FileA inherits permissions from the destination folder.
Slide Objective: To reinforce students’ understanding of the results of copying and moving files on NTFS partitions.
Lead-in: Let’s look at some examples of what happens when you copy or move files on NTFS partitions.
Delivery Tip: Discuss these examples with students. Present each example, ask students to predict the effective permissions, and explain why the effective permissions are applied.
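The copy and move rules from the preceding topics, applied to the three class discussion questions, as an added illustration that is not part of the course material. The function names are constructed, and the starting permissions on FileA, C:\Public and D:\Data are assumptions read back from the answers, because the slide that showed them is not reproduced here.

```python
# Added illustration of the copy and move rules described above.

def transfer(op, file_acl, src_volume, dst_volume, dst_folder_acl, dst_is_ntfs=True):
    """Return the file's permissions at the destination, or None when
    NTFS permissions are lost."""
    if op not in ("copy", "move"):
        raise ValueError("op must be 'copy' or 'move'")
    if not dst_is_ntfs:
        return None                     # non-NTFS partitions such as FAT hold no NTFS permissions
    if op == "move" and src_volume == dst_volume:
        return dict(file_acl)           # same partition: the file retains its permissions
    # A copy, or a move between partitions (copy and delete), creates a
    # new file that inherits the permissions of the destination folder.
    return dict(dst_folder_acl)

def can_transfer(op, src_perms, dst_perms):
    """Caller needs Read (copy) or Modify (move) on the source and
    Write on the destination folder."""
    needed_src = "Read" if op == "copy" else "Modify"
    return needed_src in src_perms and "Write" in dst_perms

def class_discussion():
    """Group 1's permission for FileA in questions 1 to 3 (None = no access)."""
    file_a = {}                             # assumed: nothing assigned to Group 1 on FileA
    public = {"Group 1": "Modify"}          # assumed permissions on C:\Public
    data = {"Group 1": "Full Control"}      # assumed permissions on D:\Data
    return [
        transfer("copy", file_a, "C:", "C:", public).get("Group 1"),
        transfer("move", file_a, "C:", "C:", public).get("Group 1"),
        transfer("move", file_a, "C:", "D:", data).get("Group 1"),
    ]
```

The same-partition move is the case to check after any reorganization of folders: the file keeps whatever it had, which can be broader or narrower than what the destination folder grants.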
Lab B: Managing NTFS Permissions
Objectives
After completing this lab, you will be able to:
- Explain what happens to permissions when you copy and move folders and files on NTFS file system partitions and non-NTFS partitions.
Prerequisites
Before working on this lab, you must have:
- Successfully completed Lab A, “Assigning NTFS Permissions.”
Estimated time to complete this lab: 15 minutes
permissions when you move folders and files between NTFS partitions and to non-NTFS partitions.
Delivery Tips: Review the lab answers. Ask students if they encountered any problems during the lab.
Exercise 1
Copying and Moving Files
User44 has information to which other users need access. Currently, the files are in his home folder, and no other users have permissions to that folder.
User44 must place the information in a folder to which he has permissions to save files and to which others have access. User44 has determined that he has permissions to save files to the Public folder and the Storage folder. After copying and moving the files, you will need to verify the permissions to the files to ensure others will have appropriate access.
To determine current permissions assigned to files and folders
1. Log on as Administrator.
2. Run Lab042.cmd in the C:\MOC\WIN1556A\Labfiles folder to assign the appropriate permissions used in this exercise.
3. Log off and then log on as User44 with no password.
4. Open Windows Explorer.
Storage    Users             Write
           Administrators    Full Control
What permissions are assigned to the User44 folder and the files in the folder?
User44 has Full Control.
What are the permissions that are assigned to the Public folder?
The Users group has Full Control.
What are the permissions that are assigned to the Storage folder?
The Users group has Write, and Administrators have Full Control.