Contents Overview 1 Using NTFS Permissions 2 How Windows 2000 Applies NTFS Permissions 6 Assigning NTFS Permissions 11 Lab A: Assigning NTFS Permissions 15 Copying and Moving Files and Folders 21 Lab B: Managing NTFS Permissions 25 Sharing Resources 30 Creating Shared Folders 35 NTFS Permissions and Shared Folders 43 Troubleshooting Access Problems 47 Lab C: Sharing and Securing Network Resources 48 Best Practices 56 Review 57 This course is a prerelease course and is based on Microsoft Windows 2000 Beta 3 software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta 3 version of Microsoft Windows 2000 Advanced Server. Module 4: Administering File Resources Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  1999 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, MS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Other product and company names mentioned herein may be the trademarks of their respective owners. Project Lead/Senior Instructional Designer: Red Johnston Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.) Program Manager: Jim Cochran (Volt Computer) Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff) Technical Contributor: Kim Ralls Graphic Artist: Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Tammy Stockton (Write Stuff) Compact Disc Testing: ST Labs Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Project Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 4: Administering File Resources iii Introduction This module prepares students to share and control access to Microsoft ® Windows ® 2000 network files by using shared folders, and to secure files and folders by assigning shared folder and NTFS file system permissions. The module discusses how to control access to files and folders by assigning NTFS permissions to user accounts and groups. It also explains how to provide users with access to file resources by putting resources in shared folders. At the end of this module, students will be able to manage file resources in order to make the appropriate items available to users. There are three labs in this module. In them, students assign NTFS permissions for shared folders and files, assign shared folder permissions to users and groups, share a folder, and connect to a shared folder. Materials and Preparation This section provides you with the materials and preparation needed to teach this module. Materials To teach this module, you need the following materials: !" Microsoft PowerPoint ® file 1556A_04.ppt !" Module 4, “Administering File Resources” Preparation To prepare for this module, you should: !" Read all the materials for this module. !" Review the Delivery Tips and Key Points for each section and topic. !" Create two or three folders and assign NTFS permissions (for example Full Control and Read and perhaps Read & Execute). In the module you will show the range of access to resources that NTFS permissions provides to users. !" Complete the three labs. !" Study the review questions and prepare alternative answers for discussion. !" Anticipate questions that students may ask. Write out the questions and provide answers to them. !" View the video, “Concepts of Microsoft Windows 2000 Active Directory” located on the Trainer Materials compact disc. Presentation: 75 Minutes Lab: 60 Minutes iv Module 4: Administering File Resources Instructor Setup for the Labs Make sure that you have followed all instructions in the Classroom Setup Guide. Before students begin lab B, “Managing NTFS Permissions,” be sure that they have successfully completed lab A, “Assigning NTFS Permissions.” Module 4: Administering File Resources v Module Strategy Use the following strategy to present this module: !" Using NTFS Permissions Provide an overview of using NTFS permissions. Provide a brief description of file systems, NTFS file systems, and partitions. Describe NTFS permissions to control access to resources. List and define NTFS folder and file permissions. !" How Windows 2000 Applies NTFS Permissions Introduce how Windows 2000 applies NTFS permissions to files and folders. Explain how multiple NTFS permissions combine. Explain how NTFS permissions are inherited and how inheritance is prevented. Describe default NTFS permissions. Reinforce students’ understanding of how Windows 2000 applies NTFS permissions to files and folders. !" Assigning NTFS Permissions Introduce assigning NTFS permissions. Provide students with guidelines for assigning NTFS permissions. Explain how to assign NTFS permissions, and how to control permissions inheritance. !" Copying and Moving Files and Folders Introduce how copying and moving files and folders may affect the permissions assigned to them. Describe what happens to NTFS permissions when students copy and move files and folders. Reinforce students’ understanding of the results of copying and moving files on NTFS permissions. !" Sharing Resources Introduce sharing files by sharing the folder that contains them. Describe using shared folders to share file resources. Define shared folder permissions Explain how shared folder permissions are applied to user accounts and groups. Provide guidelines for administering shared folders. !" Creating Shared Folders Introduce creating shared folders to share file resources. Outline the requirements for sharing folders. Describe how to share a folder. Explain how to assign shared folder permissions to user accounts and groups. Explain how to modify a shared folder and how to stop sharing a folder. Explain how users gain access to shared folders. List and describe hidden administrative shared folders. !" NTFS Permissions and Shared Folders Introduce combining shared folder and NTFS permissions. Describe the greater degree of security that is available when students use NTFS permissions to secure file resources in shared folders. Present a strategy for using NTFS permissions to secure file resources in shared folders. Reinforce students’ understanding of what happens when you combine shared folder and NTFS permissions. !" Troubleshooting Access Problems Present permissions problems that may occur when managing access to files and folders. !" Best Practices Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module. vi Module 4: Administering File Resources Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000. Lab Setup The following list describes the setup requirements for the labs in this module. Setup Requirement 1 The labs in this module require the Users group to have the Log on locally right. To prepare the student computers to meet this requirement, perform one of the following actions: !" Complete module 2 or 3 of course 1556A, Administering Microsoft Windows 2000. !" From the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain Setup Requirement 2 The labs in this module require the following user accounts: User41, User42, User43 and User44, and the following Global group accounts: Managers and Sales. User41 is a member of the Managers group and User42, User43 and User44 are members of the Sales group. To prepare the student computers to meet this requirement, !" Run the script Lab041.cmd on one of the two domain controllers in each subdomain. If you run the script on both domain controllers, the labs will not function properly. !" If you create the users manually, leave the password blank. Lab Results Performing the labs in this module introduces the following configuration changes: !" The assignment of the Log on locally right to the Users group. !" The addition of User41, User42, User43 and User44 to the Users container. !" The addition of the Managers and Sales Global groups. !" The addition of User41 to the Sales group. !" The addition of User42, User43 and User44 to the Managers group. Important Caution Module 4: Administering File Resources 1 Overview ! Using NTFS Permissions ! How Windows 2000 Applies NTFS Permissions ! Assigning NTFS Permissions ! Copying and Moving Files and Folders ! Sharing Resources ! Creating Shared Folders ! NTFS Permissions and Shared Folders ! Troubleshooting Access Problems ! Best Practices When providing access to file resources on a computer running Microsoft ® Windows ® 2000 Server, you control who has access to resources and the nature of the access that they have. To control access to files and folders, you assign NTFS file system permissions to user accounts and groups. NTFS is a file system designed for use with Windows 2000 and Windows NT operating systems. It supports file system recovery, very large storage media, long file names, and other features. NTFS permissions provide security for resources by controlling access to individual files and folders and by specifying which user can access files and folders and the kind of access that users can have. To provide network users with access to file resources, you put the resources in shared folders. When a folder is shared, users can connect to the folder over the network and gain access to the files that it contains. Objectives At the end of this module, you will be able to: !" Describe the use of NTFS permissions to control access to files and folders. !" Describe how permissions apply to files and folders. !" Assign NTFS file and folder permissions to user accounts and groups. !" Describe the effect on NTFS file and folder permissions of copying and moving files and folders. !" Use shared folders to provide access to network file resources. !" Create shared folders. !" Describe the result of using NTFS permissions to control access to resources contained in shared folders. !" Troubleshoot problems accessing files and folders. !" Apply best practices for administering resources. Slide Objective To provide an overview of the module topics and objectives. Lead-in In this module, we discuss how to share and control access to network resources by using shared folders and NTFS permissions. 2 Module 4: Administering File Resources # ## # Using NTFS Permissions ! NTFS Permissions ! NTFS Folder Permissions ! NTFS File Permissions NTFS Partition C:\ To secure files and folders on NTFS partitions, you assign NTFS permissions for each user account and group that needs access to the resource. NTFS is the Windows 2000 file system. A file system defines the way in which files are named, stored, and organized. A file system is used to format a partition. A partition is a logical portion of a physical disk that functions as though it were a physically separate unit. If no permissions are assigned to a user or to a group of which the user is a member, the user cannot access the resource. NTFS permissions provide security for resources by controlling user access to individual files and folders and by specifying the level of user access. You use NTFS folder permissions to control access to folders. You use NTFS file permissions to control access to files. Because of the nature of files and folders, the permissions for files are different than the permissions for folders. For example, you assign users permission to view the contents of a folder, which is a permission called List Folder Contents. However, there is no comparable permission for a file. Slide Objective To introduce NTFS permissions. Lead-in Use NTFS permissions to control the access of user accounts and groups to folders and individual files. Delivery Tip This is an overview of using NTFS permissions. Prepare students for the topic by providing the following key points of information. Key Points Use NTFS permissions to control access to file resources. You use NTFS folder permissions to control access to folders. You use NTFS file permissions to control access to files. Module 4: Administering File Resources 3 NTFS Permissions NTFS Partition C:\ ! Specific Permissions Required to Assign Permissions ! Permissions Assigned to User Accounts and Groups ! Permission Can Be Denied Read Read No Permission Assigned No Permission Assigned User1 User1 User2 User2 Users must be assigned explicit permission to gain access to resources. If no permission is assigned, the user account or group cannot gain access to the file or folder. Permissions can be granted or denied to user accounts and to groups. !" Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to files and folders. !" You can assign NTFS permissions to individual user accounts and groups. A user can be a member of one or more groups, and each group can have different permissions. Therefore, a user can have a number of permissions assigned to his or her user account and as a member of one or more groups. !" You can deny permission to a user account or group. For example, if you deny Read permission for a file to a user account, or to a group of which the user is a member, the user cannot read the file. When assigning permissions to files, you assign permissions to a folder and place files with the same security requirements in that folder. You can also specify permissions on individual files within a folder if you want a user or group to have access only to a particular file. NTFS permissions are only available on NTFS partitions. NTFS permissions are not available on partitions that are formatted with the file allocation table (FAT) or FAT32 file systems. Slide Objective To describe NTFS permissions. Lead-in Users must have explicit permission to gain access to a resource. Key Points Users need NTFS permissions to access resources on NTFS partitions. You can deny permission for a file or folder. Note 4 Module 4: Administering File Resources NTFS Folder Permissions Folder Permissions Folder Permissions Read Read Write Write List Folder Contents List Folder Contents Read & Execute Read & Execute Modify Modify Full Control Full Control You assign folder permissions to control the access that users have to folders and the files and subfolders that are contained within those folders. The following table lists the standard NTFS folder permissions that you can assign and the type of access that each permission provides. The table lists the permissions from most restrictive to least restrictive. NTFS folder permission Allows the user to Read See files and subfolders in the folder and view folder attributes ∗ , ownership, and permissions. Write Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions. List Folder Contents See the names of files and subfolders in the folder. Read & Execute Traverse ∗∗ folders plus perform actions permitted by the Read permission and the List Folder Contents permission. Modify Delete the folder and perform actions permitted by the Write permission and the Read & Execute permission. Full Control Change permissions, take ownership, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions. ∗ Attribute examples: Read-only, Hidden, Archive, and System (file). ∗∗ Traverse allows the user to move through folders to reach other files and folderss. Slide Objective To list and define NTFS folder permissions. Lead-in Use NTFS folder permissions to secure access to individual folders on NTFS formatted partitions. Delivery Tip Demonstrate two or three NTFS folder permissions on folders that you have created earlier and for which you have assigned permissions. You can demonstrate Full Control and Read, as well as perhaps Read & Execute, to show the range of access to resources that NTFS permissions provide. Assign permissions and show students what a user can and cannot do with each permission. Key Points The Read & Execute, Modify, and Full Control NTFS folder permissions are additive. For example, the Modify permission consists of the ability to delete a folder, plus the access that is provided by both the Write and the Read & Execute permissions. [...]... 24 Module 4: Administering File Resources Class Discussion: Copying and Moving Files Slide Objective NTFS Partition To reinforce students’ understanding of the results of copying and moving files on NTFS partitions NTFS Partition (C:) (D:) FC Users Lead-in Data Data None Let’s look at some examples of what happens when you copy or move files on NTFS partitions Mary Mary Move FileA FileA FileA FileA.. .Module 4: Administering File Resources 5 NTFS File Permissions Slide Objective To list and define NTFS file permissions Lead-in File File Permissions Permissions Use NTFS file permissions to secure access to individual files on NTFS formatted partitions Read Read Write Write Read & Execute Read & Execute ~~~~~~... permissions when you copy a file You may lose permissions that you had Module 4: Administering File Resources 29 !!To copy a file to another folder within an NTFS partition 1 Copy Database.txt in the C:\MOC\WIN1556A\Labfiles\Lab04\User44 folder to C:\MOC\WIN1556A\Labfiles\Lab04\storage 2 Double-click C:\MOC\WIN1556A\Labfiles\Lab04\storage Were you able to access the folder to see your file? No You have Write... the file that the administrator created 6 Close all applications, and then log off Windows 2000 Module 4: Administering File Resources 21 # Copying and Moving Files and Folders Slide Objective To introduce copying and moving files and folders Lead-in Copying or moving files or folders within and between NTFS partitions may affect permissions Delivery Tip This is an overview of copying and moving files... to educate users about the effects on permissions when files and folders are copied or moved Also, you may have to resolve access problems for files and folders that have been copied or moved Examples will help you to understand how NTFS permissions change when you copy or move files and folders 22 Module 4: Administering File Resources Copying Files and Folders Slide Objective NTFS Partition To describe... partitions do not support NTFS permissions To copy files and folders within a single NTFS partition or between NTFS partitions, you must have the Read permission for the origination folder and Write permission for the destination folder Note When you copy a file or folder, you become the owner of that file or folder Module 4: Administering File Resources 23 Moving Files and Folders Slide Objective NTFS Partition... member of Group A and Group B Group B has Write permission for FolderA Group A has been denied Write permission for File2 User1 can read File2 but cannot write to File2 because User1 is a member of Group A, which has been denied Write permission for File 2 8 Module 4: Administering File Resources NTFS Permissions Inheritance Slide Objective To explain how NTFS permissions are inherited and how inheritance... folders and files on NTFS file system partitions and non-NTFS partitions Prerequisites Before working on this lab, you must have: !" Successfully completed Lab A, “Assigning NTFS Permissions.” Estimated time to complete this lab: 15 minutes 26 Module 4: Administering File Resources Exercise 1 Copying and Moving Files User44 has information to which other users need access Currently, the files are in... access the file? User44 could change the permissions on the file to allow access to others 9 Close Windows Explorer, and then log off Windows 2000 28 Module 4: Administering File Resources !!To copy a file to another folder within an NTFS partition 1 Log on as User44 with no password 2 Copy Contacts.txt in the C:\MOC\WIN1556A\Labfiles\Lab04\User44... actions permitted by all other NTFS file permissions ∗ Attribute examples: Read-only, Hidden, Archive, and System (file) 6 Module 4: Administering File Resources # How Windows 2000 Applies NTFS Permissions Slide Objective To introduce how Windows 2000 applies NTFS permissions to files and folders Lead-in There are rules associated with how NTFS applies permissions to files and folders Delivery Tip This . corresponding module section. Then, at the end of the module, summarize all of the best practices for the module. vi Module 4: Administering File Resources. Execute permissions. Module 4: Administering File Resources 5 NTFS File Permissions ~~~~~~ ~~~~~~ ~~~~~~ ~~~~~~ ~~~~ File Permissions File Permissions Read Read Write Write Read