required. These permissions apply to everyone accessing the folder either locally or across the network; more restrictive permissions configured here override those configured from the Sharing tab. We discuss these settings in detail later in this chapter.
Figure 14-17. Security Tab of a Folder’s Properties Dialog Box Enabling You to Configure Granular Permissions for Users and Groups Accessing the Folder
Step 9. When you are finished, click OK to close the folder’s Properties dialog box. You can also click Apply to apply your changes and continue making modifications.
Use of the Public Folder for Sharing Files
Windows 10 provides the Public folder as a location for sharing files as a default. By default, Public Folder Sharing is turned off. To use this folder for sharing files, access the Advanced Sharing Settings dialog box shown
previously in Figure 14-11 and specify the desired option in the Public Folder Sharing section. You have the following options at C:\Users\Public:
• Turn on Sharing So Anyone with Network Access Can Read and Write Files in the Public Folders: Shares the folder with Full Control shared folder permission. If password protected sharing is turned on, a password is
required.
• Turn off Public Folder Sharing (People Logged On to This Computer Can Still Access These Folders): Disables sharing of the Public folder.
By default, this folder is located at C:\Users\Public and becomes visible when you select the Turn on Sharing option. You can configure additional
security options on this folder by accessing the Sharing tab of its Properties dialog box from this location and following the procedure outlined earlier in this section.
Mapping a Drive
Mapping a network drive means associating a shared folder on another computer with a drive letter available on your computer. This facilitates access to the shared folder. Proceed as follows to map a drive on a Windows 10 computer:
Step 1. Right-click Start and choose File Explorer.
Step 2. Select This PC.
Step 3. From the ribbon menu, select the Computer tab, and then click the Map Network Drive button.
Step 4. In the Map Network Drive Wizard, select the drive letter to be assigned to the network connection for the shared resource. Drive letters being used by local devices are not displayed in the Drive list. You can assign up to 24 drive letters.
Step 5. Enter the UNC path for the server and share name you want to map.
For example, to connect to the shared folder HRPolicies on a computer named WIN2016SVR01, type \\win2016svr01\HRPolicies, as shown in Figure 14-18. You can also click Browse to find the shared folder, and then select the desired path.
Figure 14-18. Mapping a Network Drive
Step 6. Select a connection option, as follows:
• Reconnect at Sign-In: This option is enabled by default and creates
permanent connections. It reconnects the user to the shared folder each time the user logs on unless the user manually disconnects from the resource.
• Connect Using Different Credentials: Enables you to connect to a shared folder using a different user account. This option is useful if you are at
another user's computer and need to connect to a resource to which the currently logged in user does not have the appropriate access.
Step 7. Click Finish.
Command-Line Administration of Shared Folders
Windows 10 provides the net share command that you can use to manage shared resources. This is useful if you need to use scripts for automating administrative tasks. The syntax is as follows:
net share [sharename] [/parameters]
In this command, sharename is the name of the shared resource, and
/parameters refers to any of a series of parameters that you can use with this command. Table 14-4 describes several of the more common parameters used with this command.
Table 14-4. Several Common Parameters Used with the net share Command
Parameter Description
/users:number
Specifies the maximum number of users who can access the shared resource at the same time. Specify Unlimited to allow the licensed limit of users.
/cache:option
Enables offline caching, according to the value of option:
Documents: Specifies automatic reintegration of documents.
Programs: Specifies automatic reintegration of programs.
Manual: Specifies manual reintegration.
BranchCache: Enables BranchCache and manual caching of documents on the shared folder.
None: Advises the client that caching is inappropriate.
/delete Stops sharing the specified resource.
/remark:"text”Adds a descriptive comment. Enclose the comment (text) in quotation marks.
Note that you can also use this command without any parameters to display information about all the shared resources on the local computer.
Media Streaming
Turning media streaming on enables users and devices on the network to access music, pictures, and videos in Windows Media Player and from devices attached to the computer, such as digital cameras, portable device assistants (PDAs), smartphones, and so on. In addition, the computer can locate these types of shared files on the network. To turn media sharing on, access the Media streaming section of the Advanced sharing settings dialog
box and click Choose Media Streaming Options. In the Choose Media Streaming Options for Computers and Devices dialog box that appears, click Turn on Media Streaming. You can then customize media streaming
options, including selecting a media library and choosing what types of media will be accessible according to star ratings and parental control settings.
Note
For further information on media streaming, consult the Windows 10 Help and Support Center.
Configuring File Libraries
First introduced in Windows 7, a library is a set of virtual folders that is shared by default with other users of the computer. By default, Windows 10 includes six libraries (Camera Roll, Documents, Pictures, Saved Pictures, Music, and Videos). Documents and Pictures libraries are automatically pinned to the File Explorer folder on the taskbar, so you can access those libraries by right-clicking the taskbar folder icon. You can also access the libraries by clicking View on the File Explorer toolbar; then, on the expanded toolbar that appears, click Navigation Pane > Show Libraries. This adds a Libraries entry to the folder list of the File Explorer window. Click this entry to view the libraries, as shown in Figure 14-19. The subfolders you see here are actually pointers to the folder locations on the computer. You can also think of them as the results of search queries. From the Libraries folder, you can create a new library by right-clicking Libraries in the folder list and choosing New > Library in the toolbar and providing a name for your new library.
Figure 14-19. Six Default Libraries in Windows 10
Each library contains a user-based subfolder, located by default at
C:\Users\%username%, as well as a public subfolder from C:\Users\Public, which you can view by right-clicking the library and choosing Properties.
From the dialog box, shown in Figure 14-20, you can add folders by clicking the Add button and navigating to the desired folder; this can even include shared folders located on other computers on the network. You can also add folders to a library from any Explorer window by right-clicking the folder and choosing the Include in Library option from the pop-up window.
Figure 14-20. Library Properties Dialog Box Allowing You to Add Folders to a Library and Change Other Properties
The Properties dialog box shown in Figure 14-20 enables you to change several other properties of the selected library. The check mark indicates the default save location used by programs such as Microsoft Office. To change this location, select the desired location and click the Set Save Location button. You can add additional folders to the library by clicking Add and selecting the desired folder, similar to that discussed in the previous
paragraph. To remove a folder from the library, select it and click Remove.
HomeGroup
First introduced in Windows 7 is the concept of a HomeGroup, which is a small group of Windows 7, 8.1, or 10 computers connected together in a home or small office network that you have designated in the Network and Sharing Center as a home network. Computers running any edition of Windows 7, 8.1, or 10 can join a homegroup, but you must have the Pro, Enterprise, or Ultimate 7 to create a homegroup. Computers running Windows Vista or earlier cannot join a homegroup. To create or join a homegroup, your computer's network location profile setting (discussed in Chapter 16, “Configuring and Maintaining Network Security”) must be set to Private. Refer to the section "Configuring Network Discovery" in Chapter 16 for more information.
Creating a Homegroup
You can create a homegroup from the HomeGroup applet, which is accessed from the Network and Internet category of Control Panel by clicking
HomeGroup. You can also access this applet by accessing the Search bar or Cortana and typing homegroup into the Search field, or by clicking
HomeGroup from the Network and Sharing Center. From the Share with other home computers dialog box shown in Figure 14-21, click Create a Homegroup, and then click Next. As shown in Figure 14-22, the Create a Homegroup Wizard enables you to select the type of resources you want to share with other computers. For each resource listed here, select Shared or Not Shared as required. After making your selections and clicking Next, the wizard provides you with a password that you can use to add other computers to the homegroup (see Figure 14-23). Make note of this password so that you can join other computers to the homegroup, and then click Finish.
Figure 14-21. The Homegroup Applet Displaying Option to Create a Homegroup
Figure 14-22. Determining the Type of Resources You Want to Share on the Homegroup
Figure 14-23. Password That Enables You to Join Other Computers to the Homegroup
Joining a Homegroup
After you have created a homegroup, when you move to another computer on the network, the computer recognizes the homegroup and the Share with Other Home Computers dialog box informs you of this (see Figure 14-24).
Click Join Now to join the homegroup, select the libraries you want to share, and then type the homegroup password when requested.
Figure 14-24. If a Homegroup Exists on the Network, You Are Prompted to Join It
Note
If your computer is joined to a domain, you can still join a homegroup.
However, you cannot share libraries or printers to the homegroup, and you cannot create a homegroup. This feature enables you to bring a portable computer home from work and access shared resources on your home network. Furthermore, it is possible to use Group Policy to prevent domain computers from being joined to a homegroup.
After you've joined a homegroup, you receive the Change Homegroup
Settings dialog box shown in Figure 14-25 when you access the HomeGroup option in the Control Panel Network and Internet category. From here you can change the types of libraries and printers that are shared with other homegroup computers. You can also perform any of the other self-
explanatory actions shown in Figure 14-25 under Other Homegroup Actions.
Selecting the Change Advanced Sharing Settings option takes you to the Advanced Sharing Settings dialog box previously shown in Figure 14-11.
Figure 14-25. Change Homegroup Settings Dialog Box Enabling You to Change Which Items You Share on the Homegroup, or Perform Other Configuration Actions
Selecting the Allow All Devices on This Network Such as TVs and Game Consoles to Play My Shared Content option displays the dialog box shown in Figure 14-26. The list includes all computers and other media devices found on the network, including media players, electronic picture frames, and others. You can allow or block media access to each device individually by selecting the drop-down lists provided, or you can allow or block all devices by choosing from the appropriate command buttons.
Figure 14-26. Choose Media Streaming Options for Computers and Devices Dialog Box Enabling You to Choose Which Devices Are Allowed to Access Shared Media
You can also modify the file-sharing options for subfolders located within any of your shared libraries. To do this, navigate to the desired library and select the folder. From the Share With section of the Share tab, choose one of the following:
• Homegroup (View): Shares the file or folder with Read permission to all users in the homegroup.
• Homegroup (View and Edit): Shares the file or folder with Full Control permission to all users in the homegroup.
• Specific People: Displays the Choose People to Share With dialog box previously shown in Figure 14-13. Type the name of the user with whom you want to share the folder, and then click Add.
OneDrive
In Windows 10, you can share files and folders in OneDrive just like any other folder on your local computer. If you have joined a HomeGroup, you can share your OneDrive (or any folders in it) with users on your homegroup.
All the options are the same as any other folder, so you can share as view, as view and edit, or select specific users in your homegroup to share with.
You learned other aspects of OneDrive—how to set it up and configure OneDrive settings, in Chapter 9, “Managing User Data.” Refer to the
“Supporting Data Storage” topic in Chapter 9 for the details on OneDrive.
Troubleshooting Data Access and Usage
Sharing files and folders with other computers on your network, whether using a central server or a distributed set of Windows computers, is a
convenient and efficient way of managing data. Ensuring that users have the level of permissions that they need can become a complex and frustrating task, however, especially when the number of users and computers grows. To deal with these issues, you need an understanding of how permissions work in a Windows network, as well as how NTFS permissions work with share permissions to secure files and folders.
Effective Permissions
Users who belong to more than one group may receive different levels of permission. Both shared folder and NTFS permissions are cumulative. Your effective permissions are a combination of all permissions configured for your user account and for the groups of which you are a member. In other words, the effective permission is the least restrictive of all permissions that you have. For example, if you have Read permissions for a given file, but you are also a member of a group that has Modify permissions for the same file,
your effective permissions for that file or folder would be Modify.
However, there is one important exception to this rule. If you happen to be a member of yet another group that has been explicitly denied permissions to a resource (the permission has been selected in the Deny column), then your effective permissions will not allow you to access that resource at all. Explicit denial of permission always overrides any allowed permissions.
Putting the two types of permissions together, the rules for determining effective permissions are simple:
• At either the shared folder or NTFS permissions level by itself, if a user receives permissions by virtue of membership in one or more groups, the least restrictive permission is the effective permission. For example, if a user has Read permission assigned to his user account and Full Control permission by virtue of membership in a group, he receives Full Control permission on this item.
• If the user is accessing a shared folder over the network and has both shared folder and NTFS permissions applied to it, the most restrictive permission is the effective permission. For example, if a user has Full Control NTFS
permission on a folder but accesses it across the network where she has Read shared folder permission, her effective permission is Read.
• If the user is accessing a shared folder on the computer where it exists, shared folder permissions do not apply. In the previous example, this user would receive Full Control permission when accessing the shared folder locally.
• If the user has an explicit denial of permission at either the shared folder or NTFS level, he is denied access to the object, regardless of any other
permissions he might have to this object.
Tip
It is important to remember that specifically denying permission to a file within a folder overrides all other file and folder permissions configured for a user or for a group that may contain that user’s account. There is no real top- down or bottom-up factor to consider when it comes to denying permissions.
If a user is a member of a group that has been denied a permission to a file or folder, or if a user’s individual account has been denied a permission to a particular resource, that is what counts. If you are denied access to a folder, it does not matter what permissions are attached to a file inside the folder, because you cannot get to it.
Practical Guidelines on Sharing and Securing Folders
When you share folders, it is important to control how they are used. To control the use of shared folders, you should be aware of how shares are applied in Windows 10. The following facts should be kept in mind.
• Denying permissions overrides all other shared permissions that may be applied to a folder: If a user is part of a group that is denied permission to access a particular resource, that user will not be able to access that
resource, even if you grant her user account access to the share.
• Multiple permissions accumulate: You may be a member of multiple groups, each with a different level of permissions for a particular shared resource. Your effective permissions are a combination of all permissions configured for your user account and the groups of which you are a member.
As a user, you may have Read permissions for a folder. You may be a member of a group with Change permissions for the same folder. Your effective permissions for that folder would be Change. If you happen to be made a member of yet another group that has been denied permissions to a folder, your effective permissions will not allow you to access that folder at all. That is the one important exception to this rule.
• Copying or moving a folder alters the shared permissions associated with that folder: When you copy a shared folder, the original shared folder is still shared, but the copied folder is not. When you move a shared folder to a new location anywhere, that folder is no longer shared by anyone.
• When you share a folder that is located on an NTFS volume, you still need to consider the NTFS permissions that apply to that folder: There may already be NTFS permissions in place on a folder that you are in the process of sharing. You will need to consider how your NTFS and shared folder permissions combine. (See the next item.) If there aren’t any NTFS permissions on that folder, you may need to configure NTFS permissions for your shared folder, or it is possible that no one will be able to access it.
• When shared folder and NTFS file and folder permissions combine, the most restrictive permissions apply: When both NTFS and shared folder permissions apply to the same folder, the more restrictive permission is the effective permission for that folder. Do not lose sight of the fact, however, that shared folder permissions have no effect on users who are logged into the computer locally.
• When a folder resides on an NTFS volume: You need at least the NTFS Read permission to be able to share that folder at all.
Configuring Shared Printers
If you have turned on file and printer sharing from the Advanced Sharing Settings dialog box, you can share any printer attached to your computer so that others on the network can print documents to it. Use the following steps to share a printer:
Step 1. From the Search bar or Cortana, type printers, and then select Devices and Printers. You can also access the Hardware and Sound category in Control Panel and select Devices and Printers.
Step 2. In the Devices and Printers Control Panel applet, right-click your printer and choose Printer Properties.
Step 3. Click the Sharing tab to display the dialog box shown in Figure 14- 27.
Figure 14-27. Sharing a Printer