Lesson 1: Understanding Shared Folders - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]


Jill Spealman


Lesson 1: Understanding Shared Folders


Microsoft Windows 2000 allows you to designate folders to share with others. For example, when a
folder is shared, authorized users can make connections to the folder (and access its files) from
their own computers. This lesson introduces shared folders and shared folder permissions.


After this lesson, you will be able to

Use shared folders to provide access to network resources

Describe how permissions affect access to shared folders


Estimated lesson time: 15 minutes

Shared Folders


Shared folders provide network users centralized access to network files. When a folder is
shared, all users by default can connect to the shared folder and gain access to the folder's
content. A shared folder can contain applications, data, or a user's personal data in a home
directory. Each type of data requires different shared folder permissions.

Shared Folder Permissions


You can assign shared folder permissions to user and group accounts to control what users can do
with the content of a shared folder. The following are characteristics of shared folder
permissions:


Shared folder permissions apply to folders, not individual files. Because you can only apply
shared folder permissions to the entire shared folder, and not to individual files or subfolders in
the shared folder, shared folder permissions provide less detailed security than NTFS
permissions.

Shared folder permissions do not restrict access to users who gain access to the folder at
the computer where the folder is stored. They only apply to users who connect to the folder over
the network.

Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS
permissions are not available on FAT volumes.

The default shared folder permission is Full Control, and it is assigned to the Everyone
group when you share the folder.


NOTE
By default, a shared folder appears in Microsoft Windows Explorer as an icon of a hand holding the
shared folder (Figure 10.1 shows the default sharing icon).

To control how users gain access to a shared folder, you assign shared folder permissions.


Figure 10.1 Shared Folders in Windows Explorer

Table 10.1 explains what each of the shared folder permissions allows a client to do.
Permissions are presented in order from the most restrictive to the least restrictive.

Table 10.1 Shared Folder Permissions

| Shared Folder Permission | Allows the User To |
|---|---|
| Read | View file names and subfolder names, view data in files, traverse to subfolders, and run programs |
| Change | Add files and subfolders to the shared folder, change data in files, delete subfolders and files, plus perform actions permitted by the Read permission |
| Full Control | Change file permissions (NTFS only), take ownership of files (NTFS only), and perform all tasks permitted by the Change permission |

You can allow or deny shared folder permissions. Generally, it is best to allow permissions and
to assign permissions to a group rather than to individual users. Deny permissions only when it is
necessary to override permissions that are otherwise applied. In most cases, you should deny
permissions only when it is necessary to deny permission to a specific user who belongs to a group
to which you have given the permission. If you deny a shared folder permission to a user, the user
will not have that permission. For example, to deny all access to a shared folder, deny Full
Control permission.

How Shared Folder Permissions Are Applied


Applying shared permissions to user accounts and groups affects access to a shared folder.
Denying permission takes precedence over the permissions that you allow.

Multiple Permissions Combine for Effective Permissions


A user can be a member of multiple groups, each with different permissions that provide
different levels of access to a shared folder. When you assign permission to a user for a shared
folder, and that user is a member of a group to which you assigned a different permission, the
user's effective permissions are the combination of the user and group permissions. For
example, if a user has Read permission and is a member of a group with Change permission, the
user's effective permission is Change, which includes Read.

Deny Overrides Other Permissions


Denied permissions take precedence over any permissions that you otherwise allow for user
accounts and groups. If you deny a shared folder permission to a user, the user will not have that
permission, even if you allow the permission for a group of which the user is a member.
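
The two rules above (allowed permissions combine, a deny takes precedence), together with the earlier point that share permissions apply only over the network, as an added Python example that is not from the training kit. It is a simplified model, not Windows code: the account names, group names and ACL tuples are constructed, and it assumes every account is a member of Everyone.

```python
# Simplified model of shared folder permission evaluation (added example).
# Levels are cumulative, as in Table 10.1: Read < Change < Full Control.
LEVELS = {
    "Read": {"read"},
    "Change": {"read", "change"},
    "Full Control": {"read", "change", "full"},
}
NOT_ENFORCED = "share permissions not applied (local access)"

def effective_share_permission(acl, user, groups, over_network=True):
    """Return the highest share level the user holds, or None for no access.

    acl is a list of (principal, "allow" | "deny", level) entries.
    """
    if not over_network:
        # Share permissions are not evaluated for someone working at the
        # computer where the folder is stored.
        return NOT_ENFORCED
    principals = {user, "Everyone", *groups}  # assumption: all accounts are in Everyone
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(LEVELS[level])
    remaining = allowed - denied  # deny takes precedence over allow
    best = None
    for name, rights in LEVELS.items():  # ordered least to most permissive
        if rights <= remaining:
            best = name
    return best

def flags_default_acl(acl):
    """True if the share still carries the default Everyone: Full Control entry."""
    return ("Everyone", "allow", "Full Control") in acl

# Constructed sample share ACLs
reports = [("alice", "allow", "Read"), ("Editors", "allow", "Change"),
           ("bob", "deny", "Full Control")]
fresh_share = [("Everyone", "allow", "Full Control")]

if __name__ == "__main__":
    print(effective_share_permission(reports, "alice", ["Editors"]))
    print(effective_share_permission(reports, "bob", ["Editors"]))
    print(effective_share_permission(reports, "carol", []))
    print(effective_share_permission(fresh_share, "carol", []))
    print(flags_default_acl(fresh_share))
```
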

NTFS Permissions Are Required on NTFS Volumes


Shared folder permissions are sufficient to gain access to files and folders on a FAT volume,
but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they
have permissions, as well as all of the folder's contents. When users gain access to a shared
folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS
permissions for each file and folder to which they gain access.

Copied, Moved, or Renamed Shared Folders Are No Longer Shared


When you copy a shared folder, the original shared folder is still shared, but the copy is not
shared. When you move or rename a shared folder, it is no longer shared.

Guidelines for Shared Folder Permissions


The following list provides some general guidelines for managing your shared folders and
assigning shared folder permissions:


Determine which groups need access to each resource and the level of access that they
require. Document the groups and their permissions for each resource.

Assign permissions to groups instead of user accounts to simplify access
administration.

Assign to a resource the most restrictive permissions that still allow users to perform
required tasks. For example, if users need only to read information in a folder and they will never
delete or create files, assign the Read permission.

Organize resources so that folders with the same security requirements are located within a
folder. For example, if users require Read permission for several application folders, store the
application folders within the same folder. Then share this folder instead of sharing each
individual application folder.

Use intuitive share names so that users can easily recognize and locate resources. For
example, for the Applications folder, use Apps for the share name. You should also use share names
that all client operating systems can use.


Table 10.2 describes share and folder naming conventions for different client computer operating
systems.

Table 10.2 Shared Folder Naming Conventions

| Client Computer Operating System | Share Name Length | Folder Name Length |
|---|---|---|
| Windows 2000, Windows NT, Windows 98, and Windows 95 | 80 characters | 255 characters |
| MS-DOS, Windows 3.1, and Windows for Workgroups | 8.3 characters | 8.3 characters |

Windows 2000 provides 8.3-character equivalent names, but the resulting names might not be
intuitive to users. For example, a Windows 2000 folder named Accountants Database would appear as
Account~1 on client computers running MS-DOS, Windows 3.1, and Windows for Workgroups.

Practice: Applied Permissions


In the following practice User1 has local access to files and has been assigned permissions to
gain access to resources as an individual and as a member of a group, as shown in Figure 10.2.
Determine what effective permissions User1 has in each situation:


User1 is a member of Group1, Group2, and Group3. Group1 has Read permission and Group3 has
Full Control permission for FolderA. Group2 has no permissions for FolderA. What are User1's
effective permissions for FolderA?

User1 is also a member of the Sales group, which has Read permission for FolderB. User1 has
been denied the shared folder permission Full Control for FolderB as an individual user. What are
User1's effective permissions for FolderB?

Answers


Figure 10.2 Applied permissions


Lesson Summary


In this lesson you learned that you can make a folder and its contents available to other users
over a network by sharing the folder. Shared folder permissions are the only way to secure file
resources on FAT volumes. Shared folder permissions apply to folders, not individual files. You
also learned that shared folder permissions do not restrict access to users who gain access to the
folder at the computer where the folder is stored. They only apply to users who connect to the
folder over the network.

The shared folder permissions are Read, Change, and Full Control. Read permission allows users
to view file names and subfolder names and view data in files. Read permission also allows users to
run programs and to traverse to subfolders. Change permission allows users to add files and folders
to the shared folder, change data in files, and delete subfolders and files. It also allows the
user to perform actions permitted by the Read permission. Full Control permission allows users to
change file permissions and take ownership of files on NTFS volumes, and to perform all tasks
permitted by the Change permission. The default shared folder permission is Full Control, and it is
assigned to the Everyone group when you share the folder.
