267 Chapter 17: Administering Windows Server 2008: The Basics

TIP Don’t worry if you create a group with the wrong scope. You can easily change the group’s scope, provided its membership doesn’t violate the new scope’s rules for membership. To change a group’s scope, select the group and open its Properties dialog box (right-click and then choose Properties from the pop-up menu). If the group membership allows the change, you can select a different Group Scope option button.

After you set the group’s scope, you can also select whether it will be a security group or a distribution group. Distribution groups are used only to maintain e-mail distribution lists for e-mail applications such as Microsoft Exchange Server. They have no security impact in Windows Server 2008: a distribution group is not security-enabled, so it cannot be used to grant or deny permissions or rights.

Finally, click OK to create the group. Now you can add members to the group, as described in the next section.

Maintaining Group Membership

A new group starts out without any members. To set the membership for a group, follow these steps:

1. Select the group and open its Properties dialog box (by right-clicking it and choosing Properties from the pop-up menu). Then click the Members tab, as shown in Figure 17-11.

Figure 17-11. A brand-new group does not have any members.

268 Networking: A Beginner’s Guide

2. Click the Add button. You see the Select Users, Contacts, Computers, or Groups dialog box, as shown in Figure 17-12.

3. Type in enough of a user’s or another group’s name to identify it, and then click the Check Names button. If you type in too few characters to uniquely identify the user or group, Windows shows you a list of the possible matches from which you can select the correct one.

4. Choose the member you want to add, and then click OK.

5. Repeat steps 3 and 4 to complete the group membership.

Working with Shares

Drives and folders under Windows Server 2008 are made available to users over the network as shared resources, simply called shares in Windows networking parlance.
You select a drive or folder, enable it to be shared, and then set the permissions for the share.

Figure 17-12. Adding a member to a group

Understanding Share Security

You can set both drives and folders as distinct shared resources, whether they are located on a FAT-formatted drive or on an NTFS-formatted drive. In the case of an NTFS-formatted drive (but not a FAT-formatted drive), you can also set permissions on folders and files within the share that are separate from the permissions on the share itself.

Understanding how Windows Server 2008 handles security for shares, folders, and files on NTFS drives is important. Suppose that you created a share called RESEARCH and you gave the R&D security group read-only access to the share. Within the share, you set the permissions on a folder called PROJECTS to allow full read and write access (called change permission) for the R&D security group. Will the R&D group have read-only permission to that folder or change permission? The group will have read-only permission. This is because when the share permissions differ from the permissions on the folders and files within the share, a user coming in over the network receives only what both allow: the more restrictive of the two applies. Note that share permissions govern only access made through that share. A user who logs on at the server console, or who reaches the same folder through a different share, is limited by the NTFS permissions alone, which is one more reason not to rely on share permissions as your only control.

A better way to set up share permissions is to allow everyone change permission to the share and then control the actual permissions by setting them on the folders within the share itself. This way, you can assign any combination of permissions you want; the users will receive the permissions that you set on those folders, even though the share is set to change permission.

Also, remember that users receive permissions based on the groups of which they are members, and these permissions are cumulative. So, if you are a member of the Everyone group, which has read-only permission for a particular file, but you’re also a member of the Admins group, which has full control permission for that file, you’ll have full control permission in practice.
This is an important rule: Permissions set on folders and files are always cumulative and take into account permissions set for the user individually as well as any security groups of which the user is a member.

Another important point is that you can set permissions within a share (NTFS permissions) on both folders and files, and these permissions are also cumulative. So, for instance, you can set read-only permission on a folder for a user, but change permission for some specific files. The user then has the ability to read, modify, and even delete those files without having that ability with other files in the same folder.

There’s a special kind of permission entry, Deny (called no access in older versions of Windows NT), which overrides the corresponding allow permissions. If you set Deny for a user on a file or folder, then that’s it: the user will not be able to access that file or folder. An extremely important corollary to this rule is that Deny is also cumulative and overriding. So, if the Everyone security group has change permission for a file, but you set a particular user to Deny for that file, that user will receive no access. If you set Deny for the Everyone group, however, then all members of that group will also receive no access, because it overrides any other permissions they have. Be careful about using Deny with security groups!

One caveat to “Deny always wins”: Windows evaluates the entries set directly on a file or folder before the entries the object inherits from its parent folder. So an explicit Allow set on a file does override a Deny that the file merely inherits from its folder. Deny beats Allow when both are set at the same level, or when the Deny is the explicit entry and the Allow the inherited one. When troubleshooting, the Effective Permissions tab of the object’s Advanced Security Settings dialog box shows the result of these rules for a given user or group (it evaluates the NTFS permissions only, not the share permissions).

To summarize, you can resolve most permission problems if you remember the rules discussed here:

• When share permissions conflict with the file or folder permissions, the most restrictive one always wins for access over the network.

• Aside from the preceding rule, permissions are cumulative, taking into account permissions assigned to the user and to each group the user belongs to, and permissions set on the file as well as those inherited from its folders.

• When a permission conflict occurs, a Deny entry wins over an Allow entry at the same level, and an explicit entry wins over an inherited one.
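The three rules above as a small PowerShell model, added here as an example that is not part of the book: a function that combines a share ACL and an NTFS ACL for a user coming in over the network. The domain EXAMPLE, the user alice and her group memberships are assumptions; RESEARCH, PROJECTS and R&D are the chapter’s own names. The model works on the three rights the chapter talks about (read, write, delete; change is all three) and, to keep it short, treats every entry as set directly on the object, so it does not model the explicit-beats-inherited ordering described in the caveat.

```powershell
# Added example (not from the book): how Windows resolves access through a share.
# An ACE is a hashtable @{Who=<principal>; Type='Allow'|'Deny'; Rights=@(...)}.
# EXAMPLE\alice and the memberships below are assumptions, not real accounts.

function Resolve-Access {
    param(
        [string[]]$Principals,     # the user plus every group the user belongs to
        [hashtable[]]$ShareAces,   # entries on the share itself
        [hashtable[]]$NtfsAces     # entries on the folder or file inside the share
    )
    # Rule 2: Allow entries for the user and all of the user's groups accumulate.
    # Rule 3: any matching Deny removes those rights, whatever the Allows say.
    function Combine($Aces) {
        $allowed = @(); $denied = @()
        foreach ($ace in $Aces) {
            if ($Principals -notcontains $ace.Who) { continue }
            if ($ace.Type -eq 'Allow') { $allowed += $ace.Rights } else { $denied += $ace.Rights }
        }
        return @($allowed | Where-Object { $denied -notcontains $_ } | Sort-Object -Unique)
    }
    $viaShare = Combine $ShareAces
    $viaNtfs  = Combine $NtfsAces
    # Rule 1: over the network only rights granted by BOTH the share and the
    # NTFS ACL survive, i.e. the more restrictive of the two wins.
    return @($viaNtfs | Where-Object { $viaShare -contains $_ })
}

$Change = @('Read', 'Write', 'Delete')
$Read   = @('Read')

# The chapter's first scenario: share RESEARCH grants R&D read-only while the
# PROJECTS folder inside it grants R&D change. Over the network R&D only reads.
$alice       = @('EXAMPLE\alice', 'EXAMPLE\R&D', 'Everyone')
$shareAcl    = @(@{Who = 'EXAMPLE\R&D'; Type = 'Allow'; Rights = $Read})
$projectsAcl = @(@{Who = 'EXAMPLE\R&D'; Type = 'Allow'; Rights = $Change})
Resolve-Access $alice $shareAcl $projectsAcl

# The recommended layout: Everyone gets change on the share and the real
# control lives in the NTFS ACL, so the folder permissions come through intact.
$shareAcl = @(@{Who = 'Everyone'; Type = 'Allow'; Rights = $Change})
Resolve-Access $alice $shareAcl $projectsAcl

# Rule 3: a Deny for one account beats the Allow that account's group holds.
$projectsAcl += @{Who = 'EXAMPLE\alice'; Type = 'Deny'; Rights = $Change}
Resolve-Access $alice $shareAcl $projectsAcl
```

The first call returns only Read, the second returns all three rights, and the third returns nothing, matching the three rules in the order the chapter gives them.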
Creating Shares

As a network administrator, you will frequently create and manage the shares on the network. The following steps walk you through creating a new share.

1. Open either My Computer or Windows Explorer on the server.

2. Right-click the folder or drive you want to share, and then choose Share from the pop-up menu. You will see the File Sharing dialog box, as shown in Figure 17-13.

3. In the field provided, enter enough of a user’s name to identify that person in the system, and then click Add.

4. Click the down arrow next to the user’s name to set that user’s permission level. The permission levels available are Owner, for full read and write access, plus the ability to grant permissions to other users; Contributor, for full read and write access; and Reader, for read-only access.

5. Click the Share button to create the share. You will see a confirmatory dialog box. Click OK, and the share will be created. By default, the share uses the folder’s name as the share name.

Figure 17-13. Creating a share

Once a share is created, it is reachable immediately by its network path (\\SERVER\SHARE, in the naming convention described in the next section). It can take several minutes before the server shows up in the network browse list, after which users can browse to the share through Network Neighborhood (Windows 9x and NT), My Network Places (Windows 2000 and XP), or Network (Windows Vista). Double-clicking the share opens it (if the permissions allow).

Mapping Drives

You can use shares by opening them through Network Neighborhood, My Network Places, or Network, and they function just like the folders in My Computer. However, you might frequently want to simulate a connected hard disk on your computer with a share from the network. For example, many applications that store files on the network require that the network folders be accessible as normal drive letters. The process of simulating a disk drive with a network share is called mapping.
You create a map (link) between the drive letter you want to use and the actual network share to remain attached to that drive letter. You can create a drive mapping in many ways. The easiest way is to open Network from the client computer, locate the share you want to map, right-click it, and choose Map Network Drive. In the dialog box that appears, the name of the server and share will already be filled in for you. Simply select an appropriate drive letter for the mapping and click OK. From then on, the share will appear to your computer as that drive letter, and users will see the share under that letter in My Computer (Computer on Windows Vista). A mapping is only a convenience on the client; it grants nothing by itself, and the share and NTFS permissions described earlier still decide what the user can do through that drive letter.

You can also map drives using a command-line utility called NET. The NET command takes a variety of forms and can fulfill many different needs, depending on the parameters you give it. To map a drive, you use the NET USE command. Typing NET USE by itself and pressing ENTER will list all currently mapped drives. (You can type NET HELP USE for more detailed help on the command.) To add a new drive mapping, you would type the following:

NET USE drive_letter: UNC_for_share

Most network resources in a Windows network use a naming system called the Universal Naming Convention (UNC). To supply a UNC, you start with two backslashes, then the name of the server, another backslash, and the name of the share. (Additional backslashes and names can refer to folders and files within the share.) For example, to map drive G: to a share called EMPLOYEES located on the server SERVER, use the following command:

NET USE G: \\SERVER\EMPLOYEES

TIP You can use the NET command from any Windows client for any Windows network. Type NET by itself to list all of the different forms of the command. Type NET HELP command (for example, NET HELP USE) to see detailed help on the different NET commands.
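The Creating Shares and Mapping Drives procedures above as commands rather than dialog boxes, added here as an example that is not from the book. The server side uses NET SHARE and ICACLS, both included with Windows Server 2008; the client side uses NET USE. The drive letter D:, the domain EXAMPLE, the users alice and bob, and the file budget.xlsx are assumptions; RESEARCH, PROJECTS, R&D and SERVER are the chapter’s own names. Run the server part in an elevated prompt on the file server and the client part on a domain-joined workstation.

```powershell
# Added example (not from the book). Paths, the EXAMPLE domain, the accounts
# alice and bob and budget.xlsx are assumptions; adjust them to your domain.

# --- On the file server (elevated PowerShell) ------------------------------
# Create the RESEARCH share and give Everyone change at the share level; the
# NTFS ACL does the real access control, the layout the chapter recommends.
# The comma is quoted because PowerShell would otherwise split the argument.
net share RESEARCH=D:\Research "/GRANT:Everyone,CHANGE"

# Start PROJECTS from a clean slate: drop the entries inherited from D:\
# (on a data drive those usually let every authenticated user modify files).
icacls D:\Research\Projects /inheritance:r

# Re-add the administrative entries, then the entries you actually want:
# R&D may modify (M), other domain users may only read and execute (RX).
# (OI)(CI) makes an entry inherit to files and subfolders below PROJECTS.
icacls D:\Research\Projects /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls D:\Research\Projects /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls D:\Research\Projects /grant "EXAMPLE\R&D:(OI)(CI)M"
icacls D:\Research\Projects /grant "EXAMPLE\Domain Users:(OI)(CI)RX"

# An explicit Deny on one file for one account wins over the Allow that
# account's group holds on the folder, so bob loses access to this file only.
icacls D:\Research\Projects\budget.xlsx /deny "EXAMPLE\bob:M"

# Review what was set: share-level permissions, then the folder's NTFS ACL.
net share RESEARCH
icacls D:\Research\Projects

# --- On a client workstation -----------------------------------------------
# Map G: to the share, have it reconnect at every logon, and list mappings.
net use G: \\SERVER\RESEARCH /PERSISTENT:YES
net use

# Connect with different credentials (the * prompts for the password),
# then remove that mapping again.
net use H: \\SERVER\RESEARCH /USER:EXAMPLE\alice *
net use H: /DELETE
```

After the server commands, a member of R&D mapping G: can create and modify files under PROJECTS, any other domain user can only read them, and bob is refused on budget.xlsx alone, exactly the outcome the three permission rules predict.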