Managing Existing Shares

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Archived content - No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 10, Windows NT Administrator's Pocket Consultant by William R. Stanek.

As an administrator, you'll often have to manage shared directories. The common administrative tasks of managing shares are covered in this section.

Understanding Special Shares

When you install Windows NT, the operating system creates special shares automatically. These shares area also known as Administrative shares and Hidden shares. These shares are designed to help make system administration easier. You can't set access permissions on special shares; Windows NT assigns access permissions. However, you can delete special shares if you are certain the share isn't needed.

Which special shares are available depends on system configuration. Table 10-1 shows special shares you may see and how they are used.

Table 10-1 Special Shares Used by Windows NT

Special Share Name

Description

Usage

ADMIN$

A share used during remote administration of a system. Provides access to the operating system %SystemRoot%.

On workstations and servers, Administrators and Backup Operators can access these shares. On domain controllers, Server Operators also have access.

IPC$

Supports named pipes during remote IPC access.

Used by programs when performing remote administration and when viewing shared resources.

NETLOGON

Supports the Net Logon service and access to logon scripts.

Used by the Net Logon service. Everyone has Read access.

PRINT$

Supports shared printer resources by providing access to printer drivers.

Used by shared printers. Everyone has Read access. Administrators, Server Operators, and Printer Operators have full control.

REPL$

Supports directory replication. Required for exporting directories that are replicated.

Used by the replication service.

driveletter$

A share that allows administrators to connect to the root directory of a drive. These shares are shown as C$, D$, E$, and so on.

On workstations and servers. Administrators and Backup Operators can access these shares. On domain controllers, Server Operators also have access.

Connecting to Special Shares

Special shares end with the $ symbol. While these shares are not displayed in Windows NT Explorer, administrators and certain operators can connect to them. To connect to a special share, follow these steps:

  1. In Windows NT Explorer, select Map Network Drive from the Tools menu. This opens the dialog box shown in Figure 10-6.

  2. In the Drive field, select a free drive letter. This drive letter is used to access the special share.

  3. In the Path field, enter the UNC path to the desired share. For example, to access the D$ share on a server called TWIDDLE, you would use the path \\TWIDDLE\D$.

  4. Click OK.

    Cc722490.10wnta06(en-us,TechNet.10).gif

    Figure 10-6: Connect to special shares by mapping them with the Map Network Drive dialog box.

Once you connect to a special share, you can access it as you would any other drive. Because special shares are protected, you don't have to worry about ordinary users accessing these shares and running amuck. The first time you connect to the share, you may be prompted for a user name and password. If you are, provide that information.

Viewing Shares on Local and Remote Systems

Using Server Manager, you can view all the shares on a Windows NT server or workstation. There are two ways to do this:

  • In Server Manager, select the computer on which the share is created and then select Shared Directories from the Computer menu.

  • In Server Manager, select the computer on which the share is created and then select Properties from the Computer menu. Then click on the Shares button.

Stop Sharing Files and Directories

To stop sharing a directory, follow these steps:

  1. In Server Manager, select the computer on which the share is created and then select Shared Directories from the Computer menu.

  2. Select the share you want to remove.

  3. Choose Stop Sharing.

Caution: Windows NT does not ask you to confirm that you want to remove a share. Further, you should never delete a directory containing shares without first stopping the shares. If you fail to stop the shares, Windows NT will attempt to reestablish the share the next time the computer is started, and the resulting error will be logged in the System event log.

Connecting to Network Drives

Users can connect to a network drive and to shared resources available on the network. This connection is shown as a network drive that users can access like any other drive on their system.

Note: When users connect to network drives, they are subject not only to the permissions set for the shared resource, but also to Windows NT file and directory permissions. Differences in these permission sets are usually the reason users may not be able to access a particular file or subdirectory within the network drive.

Mapping a Network Drive

On Windows NT you connect to a network drive by mapping to it. On other systems, you connect to a network drive using the procedure specific to the operating system.

To connect to a shared resource on Windows NT, follow these steps:

  1. While the user is logged on, start Windows NT Explorer on the user's computer.

  2. Select Map Network Drive from the Tools menu. This opens the Map Network Drive dialog box.

  3. In the Drive field, select a free drive letter. This drive letter is used to access the share.

  4. In the Path field, enter the UNC path to the desired share. For example, to access a share called DOCS on a server called ROMEO, you would use the path \\ROMEO\DOCS.

  5. Click OK.

Tip On other operating systems, such as Novell NetWare, you could use the Universal Naming Convention (UNC) from the command line as follows:

Net Use K: \\Server1\Public

If you would like to make this mapping permanent, then add the /Persistent:yes to the end of the Net Use statement:

Net Use K: \\Server1\Public /Persistent:yes

This will ensure that the system will try to access the Public folder on the Server1 every time you log on to the system.

Disconnecting a Network Drive

To disconnect a network drive, follow these steps:

  1. While the user is logged in, start Windows NT Explorer on the user's computer.

  2. Select Disconnect Network Drive from the Tools menu. This opens the Disconnect Network Drive dialog box.

  3. Select the drive you want to disconnect, then click on the OK button.

Managing Directory and File Permissions

With NTFS volumes, you can set directory and file permissions. These permissions can be used to control access with precision.

Taking Ownership of Files

It's important to understand the concept of file ownership. File and folder owners have direct control over their files and folders. File owners can grant access permissions and can give other users permission to take ownership of these resources. But they can't assign ownership to other users. This prevents users from creating files and then making it look like they belong to someone else.

Cc722490.10wnta07(en-us,TechNet.10).gif

Figure 10-7: The Owner dialog box tells you the owner of the file or directory.

As an administrator, you can take ownership of any files and directories on the network. This ensures that administrators can't be locked out of files. Once you take ownership of files, however, you can't return ownership to the original owner. This prevents administrators from accessing files and then trying to hide this fact.

To take ownership of a file or directory, follow these steps:

  1. In Windows NT Explorer, right-click on the file or directory you want to take ownership of.

  2. Select Properties from the pop-up menu and then click on the Security tab in the Properties dialog box.

  3. If you are an administrator (or have Take Ownership permission), the Take Ownership button is displayed. Click on it. You'll see the Owner dialog box shown in Figure 10-7, which tells you the name of the file or directory you are working with and the identity of the owner.

  4. Click on the Take Ownership button.

  5. If you are taking ownership of a directory or are attempting to take control of a resource you don't have permission to view, you'll see dialog boxes asking you to confirm the action. Click Yes if you wish to proceed.

File and Directory Permissions

Each file and directory on an NTFS volume has an associated ACL (access control list). Entries in the ACL define the access permissions for users and groups on the network. You can view and modify ACL entries using the File Permissions and Directory Permissions dialog boxes, which are accessed as follows:

  1. In Windows NT Explorer, right-click on the file or directory you want to work with.

  2. Select Properties from the pop-up menu, then click on the Security tab in the Properties dialog box.

  3. Click on the Permissions button.

Assigning Permissions to Files and Directories

The basic permissions that you can assign to any file or directory are shown in Table 10-2. Anytime you work with file and directory permissions, you should keep the following in mind:

  • Execute is the only permission needed to execute program files. Users don't need Read access.

  • Read is the only permission needed to run scripts. Execute permission doesn't matter.

  • Read access is required to access a shortcut and its target.

  • Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. A user can still delete the contents.

  • Basic permissions are usually combined to form the access types available in the File Permissions and Directory Permissions dialog boxes.

Table 10-2 Basic Permissions Used by Windows NT

Permission

Code Letter

Meaning for Directories

Meaning for Files

Read

R

Permits listing files and subdirectories

Permits viewing or accessing the file's contents

Write

W

Permits adding files and subdirectories

Permits file editing

Execute

X

Permits accessing subdirectories in the directory

Permits running executable files

Delete

D

Permits deleting the directory

Permits deleting the file

Change Permissions

P

Permits changing the directory's permissions

Permits changing the file's permissions

Take Ownership

O

Permits taking ownership of the directory

Permits taking ownership of the file

The basic permissions shown in Table 10-2 are combined to form the basic access types you can assign to files and directories. For example, Read and Execute permissions are combined to form the List access type for directories.

Note: You can assign the basic access permissions to files and directories individually, if necessary. For directories, open the Directory Permissions dialog box, then select Special Directory Access or Special File Access from the Type Of Access drop-down list. For files, open the File Permissions dialog box, then select Special Access from the Type Of Access drop-down list.

Access Types for Files

Table 10-3, on the following page, lists the access types for files. As you read the access types, note which basic permissions are combined to form a specific access type. These basic permissions tell you the actions users and groups can perform. As you study the access types, keep the following in mind:

  • If no access is specifically granted or denied, the user is denied access.

  • Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups the user is a member of. For example, if the user GIJOE has Read access and is a member of the group TECHIES that has Change access, GIJOE will have Change access. If TECHIES is in turn a member of ADMINISTRATORS, which has Full Control, GIJOE will have complete control over the file.

  • The exception to the permission rule is the No Access type. If a user or any group the user is a member of is specifically denied access to a file with the No Access type, the user is denied access to the file.

  • If the No Access type is assigned to the group EVERYONE, no one is allowed to access the file and the file is locked. To unlock the file, you'll need to take ownership of the file and then change the access permissions.

Table 10-3 Access Types Used with Files

Access Type

Associated Basic Permissions

Description

No Access

None

Denies access to the file

Read

RX

Provides permissions necessary to read files and to execute scripts and programs

Change

RWXD

Provides permissions needed for creating, editing, and deleting files

Full Control

RWXDPO

Provides complete control over the file

Special Access

Variable

Enables you to assign the basic permissions individually

Access Types for Directories

Table 10-4 lists the access types for directories. As you study the access types, keep the following in mind:

  • When you set permissions for directories, you can force all files and subdirectories within the directory to inherit the permissions. You do this with the check boxes labeled Replace Permissions On Subdirectories and Replace Permissions On Existing Files.

  • When you create files in directories, these files can inherit certain permission settings. These permission settings are shown in the Default File Permissions column.

Table 10-4 Access Types Used with Directories

Access Type

Associated Basic Permissions

Default File Permissions

Description

No Access

None

None

Denies access to the file.

Read

RX

RX

Provides permissions necessary to list directory contents and access subdirectories.

Add

WX

Not Specified

Provides permission to create files and subdirectories. However, users have no access to existing files or to newly created files.

Add & Read

RWX

RX

Provides permission to create and access files and subdirectories.

Change

RWXD

RWXD

Provides permissions needed for creating and deleting directories.

Full Control

RWXDPO

RWXDPO

Provides complete control over the directory.

Special Directory Access

Variable

N/A

Enables you to assign the basic permissions individually for directories.

Special File Access

N/A

Variable

Enables you to assign the basic permissions individually for files created in the directory.

Setting File and Directory Permissions

To set permissions for files and directories, follow these steps:

  1. In Windows NT Explorer, right-click on the file or directory you want to work with.

  2. Select Properties from the pop-up menu and then click on the Security tab in the Properties dialog box.

  3. Click on the Permissions button to open the File Permissions dialog box or the Directory Permissions dialog box. Figure 10-8, on the following page, shows the Directory Permissions dialog box.

  4. Users or groups that already have access to the file or directory are listed in the Name field. You can change permissions for these users and groups by doing the following:

    • Select the user or group you want to change.

    • Use the Type Of Access drop-down list box to change the access permissions.

  5. To grant access permissions to additional users or groups, click on the Add button and then use the Add Users and Groups dialog box to grant access permissions.

    Cc722490.10wnta08(en-us,TechNet.10).gif

    Figure 10-8: You can view and modify directory permissions with the Directory Permissions dialog box.

  6. You can now grant access to users and groups. The fields of this dialog box are used as follows:

    • List Name From To access account names from other domains, click on the List Name From drop-down list box. You should now see a list that shows the current domain, trusted domains, and other computers that you can access.

    • Names Shows the available accounts on the currently selected domain or computer. For a domain, user accounts and global group accounts are shown. For a computer, only user accounts are shown.

    • Add Add selected names to the Add Names list.

    • Members Shows the members of a global group. When you select a global group in the Names list box, you can use this button to show group members. You can then select individual members of the group and add them to the Add Names list.

    • Search Allows you to search for a user or group name.

    • Show Users Shows user accounts in the current domain.

    • Add Names The list of users and groups to add to the local group.

    • Type Of Access The type of access the user or group is granted.

  7. Select the user(s) and group(s) you want to have access permissions.

  8. Use the Type Of Access drop-down list box to select the access to be granted to the users and groups in the Add Names area.

  9. Choose OK. The users and groups are added to the Names list for the file or directory.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.

Link
Click to order