Networking: A Beginner’s Guide, Fifth Edition

Chapter 17: Administering Windows Server 2008: The Basics
TIP Don’t worry if you create a group with the wrong scope. You can easily change the group’s
scope, provided its membership doesn’t violate the new scope’s rules for membership. To change
a domain scope, select the group and open its Properties dialog box (right-click and then choose
Properties from the pop-up menu). If the group membership allows the change, you can select a
different Group Scope option button.
After you set the group’s scope, you can also select whether it will be a security
group or a distribution group. Distribution groups are used only to maintain e-mail
distribution lists for e-mail applications such as Microsoft Exchange Server. They have
no security impact in Windows Server 2008.
Finally, click OK to create the group. Now you can add members to the group, as
described in the next section.
Maintaining Group Membership
A new group starts out without any members. To set the membership for a group,
follow these steps:
1. Select the group and open its Properties dialog box (by right-clicking it and
choosing Properties from the pop-up menu). Then click the Members tab, as
shown in Figure 17-11.
Figure 17-11. A brand-new group does not have any members.
2. Click the Add button. You see the Select Users, Contacts, Computers, or
Groups dialog box, as shown in Figure 17-12.
3. Type in enough of a user or another group’s name to identify it, and then click
the Check Names button. If you type in too few characters to uniquely identify
the user or group, Windows will show you a list of the possible matches from
which you can select the correct one.
4. Choose the member you want to add, and then click OK.
5. Repeat steps 3 and 4 to complete the group membership.
Working with Shares


Drives and folders under Windows Server 2008 are made available to users over the
network as shared resources, simply called shares in Windows networking parlance. You
select a drive or folder, enable it to be shared, and then set the permissions for the share.
Figure 17-12. Adding a member to a group
Understanding Share Security
You can set both drives and folders as distinct shared resources, whether they are
located on a FAT-formatted drive or on an NTFS-formatted drive. In the case of an
NTFS-formatted drive (but not a FAT-formatted drive), you can also set permissions on
folders and files within the share that are separate from the permissions on the share
itself. Understanding how Windows Server 2008 handles security for shares, folders,
and files on NTFS drives is important.
Suppose that you created a share called RESEARCH and you gave the R&D security
group read-only access to the share. Within the share, you set the permissions on a
folder called PROJECTS to allow full read and write access (called change permission) for
the R&D security group. Will the R&D group have read-only permission to that folder
or change permission? The group will have read-only permission. This is because when
security permissions differ between folders within a share and the share itself, the most
restrictive permissions apply.
A better way to set up share permissions is to allow everyone change permission to
the share and then control the actual permissions by setting them on the folders within the
share itself. This way, you can assign any combination of permissions you want; then the
users will receive the permissions that you set on those folders, even though the share is
set to change permission.
Also, remember that users receive permissions based on the groups of which they
are members, and these permissions are cumulative. So, if you are a member of the
Everyone group who has read-only permission for a particular file, but you’re also a
member of the Admins group who has full control permission for that file, you’ll have
full control permission in practice. This is an important rule: Permissions set on folders
and files are always cumulative and take into account permissions set for the user
individually as well as any security groups of which the user is a member.
Another important point is that you can set permissions within a share (sometimes
called NTFS permissions) on both folders and files, and these permissions are also
cumulative. So, for instance, you can set read-only permission on a folder for a user,
but change permission for some specific files. The user then has the ability to read,
modify, and even delete those files without having that ability with other files in the
same folder.
There’s a special permission called no access, which overrides all other permissions,
no matter what. If you set no access permission for a user on a file or folder, then that’s
it—the user will not be able to access that file or folder. An extremely important corollary
to this rule is that no access permission is also cumulative and overriding. So, if the
Everyone security group has change permission for a file, but you set a particular user
to no access for that file, that user will receive no access permission. If you set no access
permission for the Everyone group, however, then all members of that group will also
receive the no access permission, because it overrides any other permissions they have.
Be careful about using no access with security groups!
To summarize, you can resolve most permission problems if you remember the
rules discussed here:
• When share permissions conflict with the file or folder permissions, the
most restrictive one always wins.
• Aside from the preceding rule, permissions are cumulative, taking into account
permissions assigned to users and groups as well as files and folders.
• When a permission conflict occurs, the no access permission always wins if
it is set.
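The three rules above can be checked against the chapter's own scenarios with a small model. This is an added example, not code from the book: it reduces permissions to four ordered levels, treats a missing entry as no access (an assumption), and uses the constructed user names alice and bob.

```python
from enum import IntEnum

class Perm(IntEnum):
    NO_ACCESS = 0   # explicit "no access" entry; overrides everything else
    READ = 1
    CHANGE = 2
    FULL = 3

def layer_permission(acl, principals):
    """Resolve one layer (the share, or a folder/file inside it).

    acl is a list of (user_or_group, Perm) entries. Entries that match the
    user or any of the user's groups are cumulative, so the highest one wins,
    unless any matching entry is NO_ACCESS, which always wins.
    """
    matched = [perm for who, perm in acl if who in principals]
    if not matched or Perm.NO_ACCESS in matched:
        return Perm.NO_ACCESS      # assumption: no matching entry means no access
    return max(matched)

def effective_permission(share_acl, object_acl, user, groups):
    """Combine both layers: the more restrictive of share and folder/file wins."""
    principals = {user, *groups}
    return min(layer_permission(share_acl, principals),
               layer_permission(object_acl, principals))

def page_scenarios():
    """The chapter's examples; user names alice and bob are constructed."""
    rd = ["R&D", "Everyone"]
    return {
        # RESEARCH share read-only for R&D, PROJECTS folder change for R&D
        "restrictive_share": effective_permission(
            [("R&D", Perm.READ)], [("R&D", Perm.CHANGE)], "alice", rd),
        # share open at change for Everyone, folder ACL does the real work
        "open_share": effective_permission(
            [("Everyone", Perm.CHANGE)], [("R&D", Perm.CHANGE)], "alice", rd),
        # Everyone read-only plus Admins full control on the same file
        "cumulative": layer_permission(
            [("Everyone", Perm.READ), ("Admins", Perm.FULL)],
            {"alice", "Everyone", "Admins"}),
        # Everyone has change, but bob is set to no access on the file
        "no_access": layer_permission(
            [("Everyone", Perm.CHANGE), ("bob", Perm.NO_ACCESS)],
            {"bob", "Everyone"}),
    }
```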
Creating Shares
As a network administrator, you will frequently create and manage the shares on the
network. The following steps walk you through creating a new share.

1. Open either My Computer or Windows Explorer on the server.
2. Right-click the folder or drive you want to share, and then choose Share from the
pop-up menu. You will see the File Sharing dialog box, as shown in Figure 17-13.
3. In the field provided, enter enough of a user’s name to identify that person in
the system, and then click Add.
4. Click the down arrow next to the user’s name to set that user’s permission
level. The permission levels available are Owner, for full read and write access,
plus the ability to grant permissions to other users; Contributor, for full read
and write access; and Reader, for read-only access.
5. Click the Share button to create the share. You will see a confirmatory dialog
box. Click OK, and the share will be created. By default, the share uses the
folder’s name as the share name.
Figure 17-13. Creating a share
Once a share is created and the share information has propagated through the domain
(usually within several minutes), users can browse it through Network Neighborhood
(Windows 9x and NT), My Network Places (Windows 2000 and XP), or Network
(Windows Vista). Double-clicking the share will open it (if allowed by the permissions).
Mapping Drives
You can use shares by opening them through Network Neighborhood, My Network
Places, or Network, and they function just like the folders in My Computer. However,
you might frequently want to simulate a connected hard disk on your computer with a
share from the network. For example, many applications that store files on the network
require that the network folders be accessible as normal drive letters. The process
of simulating a disk drive with a network share is called mapping. You create a map
(link) between the drive letter you want to use and the actual network share to remain
attached to that drive letter.
You can create a drive mapping in many ways. The easiest way is to open Network
from the client computer, locate the share you want to map, right-click it, and choose
Map Network Drive. In the dialog box that appears, the name of the domain and
share will already be filled in for you. Simply select an appropriate drive letter for the
mapping and click OK. From then on, the share will appear to your computer as that
drive letter, and users will see this share’s letter in My Computer.
You can also map drives using a command-line utility called NET. The NET
command takes a variety of forms and can fulfill many different needs, depending on
the parameters you give it. To map a drive, you use the NET USE command. Typing
NET USE by itself and pressing ENTER will list all currently mapped drives. (You can
type NET HELP USE for more detailed help on the command.) To add a new drive
mapping, you would type the following:
NET USE drive_letter: UNC_for_share
Most network resources in a Windows network use a naming system called
the Universal Naming Convention (UNC). To supply a UNC, you start with two
backslashes, then the name of the server, another backslash, and the name of the share.
(Additional backslashes and names can refer to folders and files within the share.) For
example, to map drive G: to a share called EMPLOYEES located on the server SERVER,
use the following command:
NET USE G: \\SERVER\EMPLOYEES
TIP You can use the NET command from any Windows client for any Windows network. Type
NET by itself to list all of the different forms of the command. Type NET HELP command to see
detailed help on the different NET commands.
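When drive mappings live in a logon script, the NET USE and UNC format described above can be checked mechanically. The following is an added example, not code from the book: it parses each mapping line, rejects malformed UNC paths, and flags a drive letter mapped twice. It assumes names without spaces, and the sample script is constructed.

```python
import re

# NET USE <letter>: \\server\share[\folder...]; names without spaces (assumption)
NET_USE = re.compile(
    r"^NET\s+USE\s+(?P<drive>[A-Z]):\s+"
    r"\\\\(?P<server>[^\\/\s]+)\\(?P<share>[^\\/\s]+)"
    r"(?P<rest>(?:\\[^\\/\s]+)*)\\?$",
    re.IGNORECASE,
)

def parse_net_use(line):
    """Split one NET USE mapping into drive letter, server, share and folders."""
    m = NET_USE.match(line.strip())
    if m is None:
        raise ValueError(f"not a valid drive mapping: {line!r}")
    return {
        "drive": m["drive"].upper() + ":",
        "server": m["server"],
        "share": m["share"],
        "folders": [p for p in m["rest"].split("\\") if p],
    }

def audit_script(text):
    """Return (mappings by drive letter, problems) for a script of NET USE lines."""
    mappings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_net_use(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if entry["drive"] in mappings:
            problems.append((n, f"{entry['drive']} is already mapped"))
        else:
            mappings[entry["drive"]] = entry
    return mappings, problems

# Constructed sample script: two good lines, a drive letter fused to the UNC,
# a UNC with only one leading backslash, and a reused drive letter.
SAMPLE = r"""
NET USE G: \\SERVER\EMPLOYEES
net use H: \\SERVER\EMPLOYEES\HR\2008
NET USE I:\\SERVER\EMPLOYEES
NET USE J: \SERVER\EMPLOYEES
NET USE G: \\SERVER\RESEARCH
"""
```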
