






Contents
Overview
Using NTFS Permissions
How Windows 2000 Applies NTFS Permissions
Assigning NTFS Permissions
Lab A: Assigning NTFS Permissions
Copying and Moving Files and Folders
Lab B: Managing NTFS Permissions
Sharing Resources
Creating Shared Folders
NTFS Permissions and Shared Folders
Troubleshooting Access Problems
Lab C: Sharing and Securing Network Resources
Best Practices
Review




This course is a prerelease course and is based on
Microsoft Windows 2000 Beta 3 software. Content in the
final release of the course may be different than the content
included in this prerelease version. All labs in the course
are to be completed using the Beta 3 version of
Microsoft Windows 2000 Advanced Server.

Module 4: Administering
File Resources

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.


© 1999 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.




Other product and company names mentioned herein may be the trademarks of their respective
owners.


Project Lead/Senior Instructional Designer:
Red Johnston
Instructional Designers:
Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager:
Jim Cochran (Volt Computer)
Lab Simulations Developers:
David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor:
Kim Ralls
Graphic Artist:
Julie Stone (Independent Contractor)
Editing Manager:
Tina Tsiakalis
Editors:
Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager:
Nikki McCormick
Online Support:
Tammy Stockton (Write Stuff)
Compact Disc Testing:
ST Labs
Production Support:
Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager:
Bo Galford

Manufacturing Support:
Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services:
Elaine Nuerenberg
Lead Product Manager:
Sandy Alto
Group Product Manager:
Robert Stewart
Introduction
This module prepares students to share and control access to
Microsoft® Windows® 2000 network files by using shared folders, and to secure
files and folders by assigning shared folder and NTFS file system permissions.
The module discusses how to control access to files and folders by assigning
NTFS permissions to user accounts and groups. It also explains how to provide
users with access to file resources by putting resources in shared folders. At the
end of this module, students will be able to manage file resources in order to
make the appropriate items available to users.
There are three labs in this module. In them, students assign NTFS permissions
for shared folders and files, assign shared folder permissions to users and
groups, share a folder, and connect to a shared folder.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1556A_04.ppt
• Module 4, “Administering File Resources”

Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Review the Delivery Tips and Key Points for each section and topic.
• Create two or three folders and assign NTFS permissions (for example Full
  Control and Read and perhaps Read & Execute). In the module you will show
  the range of access to resources that NTFS permissions provides to users.
• Complete the three labs.
• Study the review questions and prepare alternative answers for discussion.
• Anticipate questions that students may ask. Write out the questions and
  provide answers to them.
• View the video, “Concepts of Microsoft Windows 2000 Active Directory”
  located on the Trainer Materials compact disc.

Presentation: 75 Minutes
Lab: 60 Minutes

Instructor Setup for the Labs
Make sure that you have followed all instructions in the Classroom Setup
Guide. Before students begin lab B, “Managing NTFS Permissions,” be sure
that they have successfully completed lab A, “Assigning NTFS Permissions.”


Module Strategy
Use the following strategy to present this module:
• Using NTFS Permissions
  Provide an overview of using NTFS permissions. Provide a brief
  description of file systems, NTFS file systems, and partitions. Describe
  NTFS permissions to control access to resources. List and define NTFS
  folder and file permissions.
• How Windows 2000 Applies NTFS Permissions
  Introduce how Windows 2000 applies NTFS permissions to files and
  folders. Explain how multiple NTFS permissions combine. Explain how
  NTFS permissions are inherited and how inheritance is prevented. Describe
  default NTFS permissions. Reinforce students’ understanding of how
  Windows 2000 applies NTFS permissions to files and folders.
• Assigning NTFS Permissions
  Introduce assigning NTFS permissions. Provide students with guidelines for
  assigning NTFS permissions. Explain how to assign NTFS permissions, and
  how to control permissions inheritance.
• Copying and Moving Files and Folders
  Introduce how copying and moving files and folders may affect the permissions
  assigned to them. Describe what happens to NTFS permissions when students
  copy and move files and folders. Reinforce students’ understanding of the
  results of copying and moving files on NTFS permissions.
• Sharing Resources
  Introduce sharing files by sharing the folder that contains them.
  Describe using shared folders to share file resources. Define shared folder
  permissions. Explain how shared folder permissions are applied to user
  accounts and groups. Provide guidelines for administering shared folders.
• Creating Shared Folders
  Introduce creating shared folders to share file resources. Outline the
  requirements for sharing folders. Describe how to share a folder. Explain
  how to assign shared folder permissions to user accounts and groups.
  Explain how to modify a shared folder and how to stop sharing a folder.
  Explain how users gain access to shared folders. List and describe hidden
  administrative shared folders.
• NTFS Permissions and Shared Folders
  Introduce combining shared folder and NTFS permissions. Describe the
  greater degree of security that is available when students use NTFS
  permissions to secure file resources in shared folders. Present a strategy for
  using NTFS permissions to secure file resources in shared folders. Reinforce
  students’ understanding of what happens when you combine shared folder
  and NTFS permissions.
• Troubleshooting Access Problems
  Present permissions problems that may occur when managing access to files
  and folders.
• Best Practices
  Read the Best Practices section before you start the module, and then refer to
  the appropriate practice as you teach the corresponding module section. Then,
  at the end of the module, summarize all of the best practices for the module.

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on the student computers during the labs.
This information is provided to assist you in replicating or customizing
Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at
the end of the Classroom Setup Guide for course 1556A, Administering
Microsoft Windows 2000.

Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
The labs in this module require the Users group to have the Log on locally
right. To prepare the student computers to meet this requirement, perform one
of the following actions:
• Complete module 2 or 3 of course 1556A, Administering
  Microsoft Windows 2000.
• From the Trainer Materials compact disc, run the LRights.cmd script
  on each domain controller in each child domain.

Setup Requirement 2
The labs in this module require the following user accounts: User41, User42,
User43 and User44, and the following Global group accounts: Managers and
Sales. User41 is a member of the Managers group and User42, User43 and
User44 are members of the Sales group.
To prepare the student computers to meet this requirement:
• Run the script Lab041.cmd on one of the two domain controllers in each
  subdomain.
  Caution: If you run the script on both domain controllers, the labs will not
  function properly.
• If you create the users manually, leave the password blank.

Lab Results
Performing the labs in this module introduces the following configuration
changes:
• The assignment of the Log on locally right to the Users group.
• The addition of User41, User42, User43 and User44 to the Users container.
• The addition of the Managers and Sales Global groups.
• The addition of User41 to the Sales group.
• The addition of User42, User43 and User44 to the Managers group.

Overview
• Using NTFS Permissions
• How Windows 2000 Applies NTFS Permissions
• Assigning NTFS Permissions
• Copying and Moving Files and Folders
• Sharing Resources
• Creating Shared Folders
• NTFS Permissions and Shared Folders
• Troubleshooting Access Problems
• Best Practices

When providing access to file resources on a computer running
Microsoft® Windows® 2000 Server, you control who has access to resources and
the nature of the access that they have. To control access to files and folders,
you assign NTFS file system permissions to user accounts and groups. NTFS is
a file system designed for use with Windows 2000 and Windows NT operating
systems. It supports file system recovery, very large storage media, long file
names, and other features. NTFS permissions provide security for resources by
controlling access to individual files and folders and by specifying which user
can access files and folders and the kind of access that users can have.
To provide network users with access to file resources, you put the resources in
shared folders. When a folder is shared, users can connect to the folder over the
network and gain access to the files that it contains.
Objectives
At the end of this module, you will be able to:
• Describe the use of NTFS permissions to control access to files and folders.
• Describe how permissions apply to files and folders.
• Assign NTFS file and folder permissions to user accounts and groups.
• Describe the effect on NTFS file and folder permissions of copying and
  moving files and folders.
• Use shared folders to provide access to network file resources.
• Create shared folders.
• Describe the result of using NTFS permissions to control access to resources
  contained in shared folders.
• Troubleshoot problems accessing files and folders.
• Apply best practices for administering resources.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, we discuss how to share and control access to network
resources by using shared folders and NTFS permissions.

Using NTFS Permissions
• NTFS Permissions
• NTFS Folder Permissions
• NTFS File Permissions
[Slide illustration: NTFS partition C:\]


To secure files and folders on NTFS partitions, you assign NTFS permissions
for each user account and group that needs access to the resource. NTFS is the
Windows 2000 file system. A file system defines the way in which files are
named, stored, and organized. A file system is used to format a partition. A
partition is a logical portion of a physical disk that functions as though it were a
physically separate unit.
If no permissions are assigned to a user or to a group of which the user is a
member, the user cannot access the resource. NTFS permissions provide
security for resources by controlling user access to individual files and folders
and by specifying the level of user access.
You use NTFS folder permissions to control access to folders. You use NTFS
file permissions to control access to files. Because of the nature of files and
folders, the permissions for files are different than the permissions for folders.
For example, you assign users permission to view the contents of a folder,
which is a permission called List Folder Contents. However, there is no
comparable permission for a file.

Slide Objective: To introduce NTFS permissions.
Lead-in: Use NTFS permissions to control the access of user accounts and groups
to folders and individual files.
Delivery Tip: This is an overview of using NTFS permissions. Prepare students
for the topic by providing the following key points of information.
Key Points:
• Use NTFS permissions to control access to file resources.
• You use NTFS folder permissions to control access to folders.
• You use NTFS file permissions to control access to files.

NTFS Permissions
• Specific Permissions Required to Assign Permissions
• Permissions Assigned to User Accounts and Groups
• Permission Can Be Denied
[Slide illustration: NTFS partition C:\ with users User1 and User2; labels: Read, No Permission Assigned]


Users must be assigned explicit permission to gain access to resources. If no
permission is assigned, the user account or group cannot gain access to the file
or folder. Permissions can be granted or denied to user accounts and to groups.
• Administrators, the owners of files or folders, and users with Full Control
  permission can assign NTFS permissions to files and folders.
• You can assign NTFS permissions to individual user accounts and groups.
  A user can be a member of one or more groups, and each group can have
  different permissions. Therefore, a user can have a number of permissions
  assigned to his or her user account and as a member of one or more groups.
• You can deny permission to a user account or group. For example, if you
  deny Read permission for a file to a user account, or to a group of which the
  user is a member, the user cannot read the file.

When assigning permissions to files, you assign permissions to a folder and
place files with the same security requirements in that folder. You can also
specify permissions on individual files within a folder if you want a user or
group to have access only to a particular file.

Note: NTFS permissions are only available on NTFS partitions. NTFS
permissions are not available on partitions that are formatted with the file
allocation table (FAT) or FAT32 file systems.

Slide Objective: To describe NTFS permissions.
Lead-in: Users must have explicit permission to gain access to a resource.
Key Points:
• Users need NTFS permissions to access resources on NTFS partitions.
• You can deny permission for a file or folder.

NTFS Folder Permissions
[Slide: Folder permissions: Read, Write, List Folder Contents, Read & Execute, Modify, Full Control]


You assign folder permissions to control the access that users have to folders
and the files and subfolders that are contained within those folders. The
following table lists the standard NTFS folder permissions that you can assign
and the type of access that each permission provides. The table lists the
permissions from most restrictive to least restrictive.

| NTFS folder permission | Allows the user to |
|---|---|
| Read | See files and subfolders in the folder and view folder attributes*, ownership, and permissions. |
| Write | Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions. |
| List Folder Contents | See the names of files and subfolders in the folder. |
| Read & Execute | Traverse** folders plus perform actions permitted by the Read permission and the List Folder Contents permission. |
| Modify | Delete the folder and perform actions permitted by the Write permission and the Read & Execute permission. |
| Full Control | Change permissions, take ownership, delete subfolders and files, and perform actions permitted by all other NTFS folder permissions. |

* Attribute examples: Read-only, Hidden, Archive, and System (file).
** Traverse allows the user to move through folders to reach other files and folders.

Slide Objective: To list and define NTFS folder permissions.
Lead-in: Use NTFS folder permissions to secure access to individual folders on
NTFS formatted partitions.
Delivery Tip: Demonstrate two or three NTFS folder permissions on folders that
you have created earlier and for which you have assigned permissions. You can
demonstrate Full Control and Read, as well as perhaps Read & Execute, to show
the range of access to resources that NTFS permissions provide. Assign
permissions and show students what a user can and cannot do with each
permission.
Key Points: The Read & Execute, Modify, and Full Control NTFS folder
permissions are additive. For example, the Modify permission consists of the
ability to delete a folder, plus the access that is provided by both the Write
and the Read & Execute permissions.

NTFS File Permissions
[Slide: File permissions: Read, Write, Read & Execute, Modify, Full Control]



You assign file permissions to control the access that users have to files. The
following table lists the standard NTFS file permissions that you can assign and
the type of access that each permission provides. The table lists the permissions
from most restrictive to least restrictive.

| NTFS file permission | Allows the user to |
|---|---|
| Read | Read the file, and view file attributes*, ownership, and permissions. |
| Write | Overwrite the file, change file attributes, and view file ownership and permissions. |
| Read & Execute | Run applications and perform the actions permitted by the Read permission. |
| Modify | Modify and delete the file and perform the actions permitted by the Write permission and the Read & Execute permission. |
| Full Control | Change permissions, take ownership, and perform the actions permitted by all other NTFS file permissions. |

* Attribute examples: Read-only, Hidden, Archive, and System (file).

Slide Objective: To list and define NTFS file permissions.
Lead-in: Use NTFS file permissions to secure access to individual files on NTFS
formatted partitions.
Key Point: The Read & Execute, Modify, and Full Control NTFS file permissions
are additive.
Delivery Tip: Demonstrate NTFS file permissions. Assign permissions and show
students what a user can and cannot do with each permission.


How Windows 2000 Applies NTFS Permissions
• Multiple NTFS Permissions
• NTFS Permissions Inheritance
• Default NTFS Permissions
• Class Discussion: Applying NTFS Permissions


There are several ways that users can obtain permissions to gain access to files
and folders. You assign permissions directly to individual users to access files
and folders. Permissions that you assign to groups apply to user accounts that
have been added to the groups. Subfolders and files in the folder may inherit
permissions that you assign to a user or group for a folder.
You can assign permissions to a user by assigning permissions to the individual
user account or to each group of which the user is a member. In this way, users
may have multiple permissions to the same resource. There are rules and
priorities that are associated with how NTFS assigns and combines multiple
permissions.
When you assign permissions for a folder, the subfolders and files contained in
the folder inherit the permissions by default. It is important to understand how
subfolders and files inherit NTFS permissions from parent folders so that you
can use inheritance to propagate permissions to files and folders.
When you create files and folders, and when you format a partition with NTFS,
Windows 2000 automatically assigns default NTFS permissions.
Examples will help you to understand how NTFS applies permissions to files
and folders through the combination of multiple permissions and inheritance.
Slide Objective: To introduce how Windows 2000 applies NTFS permissions to
files and folders.
Lead-in: There are rules associated with how NTFS applies permissions to files
and folders.
Delivery Tip: This is an overview of applying NTFS permissions. Prepare
students for the topic by providing the following key points of information.
Key Points:
• Users and groups may have multiple permissions to a resource.
• Files and folders contained in a folder inherit permissions assigned to the
  folder.
• NTFS permissions are assigned automatically to files, folders, and partitions
  when you create them.
• Examples will help you to understand how permissions combine and are
  inherited.

Multiple NTFS Permissions
• NTFS Permissions Are Cumulative
• File Permissions Override Folder Permissions
• Deny Overrides Other Permissions
[Slide illustration: NTFS partition C:\ with FolderA containing File1 and File2; User1 (Read) is a member of GroupA (Deny Write to File2) and GroupB (Write).]


You assign NTFS permissions to individual user accounts and to groups. By
assigning permissions to a user and to a group of which the user is a member,
you assign multiple permissions.
Permissions Are Cumulative
A user’s effective permissions for a resource are the combination of the NTFS
permissions that you assign to the individual user account and to all of the
groups to which the user belongs. If a user has Read permission for a folder and
is a member of a group with Write permission for the same folder, the user has
both Read and Write permissions for that folder.

NTFS File Permissions Override NTFS Folder Permissions
NTFS file permissions take priority over folder permissions. A user with
Change permission to a file will be able to make changes to the file even if he
or she has only Read permission to the folder containing the file.
Deny Overrides Other Permissions
You can deny permission to a user account or group for a specific file. Even if a
user has access permission to the file or folder as a member of a group, denying
permission to the user blocks any other permission that the user has. Avoid
denying permission. It is preferable to structure groups and organize resources
in folders so that allowing permissions is sufficient.
Example of Multiple Permissions
In the illustration, User1 has Read permission for FolderA and is a member of
GroupA and GroupB. GroupB has Write permission for FolderA. GroupA
has been denied Write permission for File2. User1 can read File2 but cannot
write to File2 because User1 is a member of GroupA, which has been denied
Write permission for File2.
Slide Objective: To explain how multiple NTFS permissions combine.
Lead-in: It is important to understand how NTFS permissions combine and take
priority.
Delivery Tip: Demonstrate how multiple permissions combine, how file
permissions take priority over folder permissions, and how Deny overrides other
permissions.

NTFS Permissions Inheritance
[Slide illustration, two panels. Inherit Permissions: FolderA (Read / Write) and FolderB, access to FolderB. Prevent Inheritance: FolderA (Read / Write) and FolderB, no access to FolderB. FolderC also appears in the illustration.]


By default, permissions that you assign to a parent folder are inherited by and
propagated to the subfolders and files that are contained in the parent folder.
However, you can prevent permissions inheritance. You may want folders or
files to have different permissions than their parent folder.
Permissions Inheritance

Whatever permissions you assign to a parent folder also apply to subfolders and
files that are contained within the parent folder. When you assign NTFS
permissions to give access to a folder, you assign permissions for the folder, for
any existing files and subfolders, and for any new files and subfolders that are
created in the folder.
Controlling Permissions Inheritance
You can prevent subfolders and files from inheriting permissions that are
assigned to that folder. That is, the subfolders and files will not inherit
permissions that are assigned to the parent folder containing them. When
you prevent permissions inheritance, you can either:
• Copy inherited permissions from the parent folder, or
• Remove the inherited permissions and retain only the permissions that were
  explicitly assigned.
The folder at which you prevent permissions inheritance becomes the new
parent folder, and the subfolders and files that are contained within it inherit the
permissions assigned to it.
Example of Permissions Inheritance
In the slide illustration, inheritance is prevented at FolderB. FolderB will
not inherit any changes that you make to the permissions of FolderA. Any
subfolders and files that are contained within FolderB will inherit the
permissions that you assign.
Slide Objective: To explain how NTFS permissions are inherited and how
inheritance is prevented.
Lead-in: NTFS permissions are inherited from the folder in which they are
created or contained.
Delivery Tip: Demonstrate how permissions are inherited and how to prevent
inheritance.
Assign permissions and show students how permissions are propagated from a
folder to its subfolders and files. Also, show how to add permissions to a file
or folder that has inherited permissions from a parent folder.

Default NTFS Permissions
• NTFS Permissions Automatically Assigned
  - When a partition is formatted with NTFS
  - When a folder or file is created
  - When a user account is added to a folder


When you format a partition or create a file or folder, Windows 2000
automatically assigns default NTFS permissions.
• When you format a partition with NTFS, Windows automatically assigns
  the Full Control permission for the root folder to the Everyone group.
  Folders and files that are created on the partition inherit this default
  permission. To restrict access to authorized users, you should change the
  default permissions for folders that you create.
• When you create a new folder or file on an NTFS partition, the folder or file
  inherits the permissions of its parent folder.
• When you assign a user or group permission for a file or folder, the file or
  folder is selected, and the user or group is added to the file or folder. When
  a user or group is added to a folder, the NTFS permissions Read & Execute,
  List Folder Contents, and Read are assigned to the user account or group by
  default. When a user or group is added to a file, the NTFS permissions Read
  & Execute and Read are assigned to the user account or group by default.

Caution: When Windows 2000 is installed on an NTFS partition, NTFS
permissions are automatically assigned to some system folders. System folders
contain the Windows 2000 operating system files. Do not modify any
permissions that Windows 2000 assigns to system files.

Slide Objective: To describe default NTFS permissions.
Lead-in: NTFS permissions are automatically assigned in some situations.

Class Discussion: Applying NTFS Permissions
• Users Group: Write to Folder1; Sales Group: Read to Folder1
• Users Group: Read to Folder1; Sales Group: Write to Folder2
• Users Group: Modify to Folder1; Doc2 should only be accessible to Sales
  Group, and only for read access
[Slide illustration: NTFS partition C:\ with Folder1, Folder2, Doc1 and Doc2; User1 is a member of the Users Group and the Sales Group.]


User1 is a member of the Users group and the Sales group.
1. The Users group has Write permission and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?
User1 has Write and Read permissions for Folder1, because User1 is a
member of the Users group, which has Write permission, and the Sales
group, which has Read permission.


2. The Users group has Read permission for Folder1. The Sales group has
Write permission for Folder2. What permissions does User1 have for Doc2?
User1 has Read and Write permissions for Doc2, because User1 is a
member of the Users group, which has Read permission to Folder1, and
the Sales group, which has Write permission to Folder2. Doc2 inherits
permissions from both Folder2 and Folder1.


3. The Users group has Modify permission for Folder1. Doc2 should only be
accessible to the Sales group, and only for reading. What steps should you
take to ensure that the Sales group has only Read permission for Doc2?
Disable permissions inheritance for Folder2 or Doc2. Remove
permissions for Folder2 or Doc2 that Folder2 has inherited from
Folder1. Assign only the Read permission to the Sales group for
Folder2 or Doc2.
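
The rules from the Multiple NTFS Permissions and NTFS Permissions Inheritance topics, and the class discussion answers above, can be checked with a small model. This is an added example, not part of the courseware: it is a simplified Python model of the rules as this module states them, not the Windows access-check code. Permission names are treated as opaque labels, and the principal in the inheritance case and the file name Report.doc are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """A file or folder plus the permission entries assigned directly on it."""
    name: str
    parent: Optional["Node"] = None
    inherits: bool = True                        # False = inheritance prevented here
    entries: list = field(default_factory=list)  # (principal, "allow"/"deny", permission)

    def allow(self, principal, *perms):
        self.entries += [(principal, "allow", p) for p in perms]

    def deny(self, principal, *perms):
        self.entries += [(principal, "deny", p) for p in perms]


def applicable_entries(node):
    """Entries on the node itself plus those inherited from parent folders,
    stopping at the first node where inheritance is prevented."""
    found = []
    while node is not None:
        found.extend(node.entries)
        node = node.parent if node.inherits else None
    return found


def prevent_inheritance(node, copy_inherited):
    """Prevent inheritance at node, either copying the inherited entries onto
    it or removing them so only explicitly assigned entries remain."""
    if copy_inherited and node.inherits and node.parent is not None:
        node.entries = node.entries + applicable_entries(node.parent)
    node.inherits = False


def effective(node, user, groups):
    """Cumulative allows for the user and all of the user's groups, minus
    anything denied to any of them (deny overrides other permissions)."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, perm in applicable_entries(node):
        if principal in principals:
            (allowed if kind == "allow" else denied).add(perm)
    return allowed - denied


def multiple_permissions_example():
    """The FolderA / File1 / File2 illustration: returns User1's effective
    permissions on File1 and on File2."""
    folder_a = Node("FolderA")
    file1, file2 = Node("File1", folder_a), Node("File2", folder_a)
    folder_a.allow("User1", "Read")
    folder_a.allow("GroupB", "Write")
    file2.deny("GroupA", "Write")
    groups = ["GroupA", "GroupB"]
    return effective(file1, "User1", groups), effective(file2, "User1", groups)


def inheritance_example(copy_inherited):
    """Prevent inheritance at FolderB, then change FolderA. Returns the
    permissions on a file inside FolderB before the block and after the change."""
    folder_a = Node("FolderA")
    folder_b = Node("FolderB", folder_a)
    report = Node("Report.doc", folder_b)       # constructed file name
    folder_a.allow("User1", "Read", "Write")    # constructed principal
    before = effective(report, "User1", [])
    prevent_inheritance(folder_b, copy_inherited)
    folder_a.allow("User1", "Modify")           # later change on the parent
    return before, effective(report, "User1", [])


def discussion_example():
    """Class discussion questions 2 and 3 (Folder1 > Folder2 > Doc2)."""
    def tree():
        folder1 = Node("Folder1")
        folder2 = Node("Folder2", folder1)
        return folder1, folder2, Node("Doc2", folder2)

    folder1, folder2, doc2 = tree()             # question 2
    folder1.allow("Users", "Read")
    folder2.allow("Sales", "Write")
    q2 = effective(doc2, "User1", ["Users", "Sales"])

    folder1, folder2, doc2 = tree()             # question 3
    folder1.allow("Users", "Modify")
    exposed = effective(doc2, "OtherUser", ["Users"])   # before the fix
    prevent_inheritance(folder2, copy_inherited=False)
    folder2.allow("Sales", "Read")
    return {
        "q2_user1": q2,
        "q3_non_sales_before": exposed,
        "q3_user1": effective(doc2, "User1", ["Users", "Sales"]),
        "q3_non_sales_after": effective(doc2, "OtherUser", ["Users"]),
    }


if __name__ == "__main__":
    print(multiple_permissions_example())
    print(inheritance_example(copy_inherited=False))
    print(inheritance_example(copy_inherited=True))
    print(discussion_example())
```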



Slide Objective: To reinforce students’ understanding of how Windows 2000
applies NTFS permissions to files and folders.
Lead-in: Let’s look at some examples of the results of applying NTFS
permissions to files and folders.
Delivery Tip: Discuss each of these examples with students. In each example,
review the permissions assigned to each group. Discuss how multiple permissions
combine, and the effective permissions that User1 has to resources.

Assigning NTFS Permissions
• Guidelines for Assigning NTFS Permissions
• Setting NTFS Permissions
• Controlling Permissions Inheritance


When you assign NTFS permissions, you should follow certain guidelines to
help you make the assignments in an effective way. Administrators, users with
Full Control permission, and owners of files or folders assign permissions to
user accounts and groups for those files and folders. Assign permissions to
groups according to group and user needs. To control the propagation of
assigned permissions, you allow or prevent permissions inheritance from
parent folders to subfolders and files that are contained in the parent folder.
Slide Objective: To introduce assigning NTFS permissions.
Lead-in: Administrators and owners of files and folders control access to files and folders.
Delivery Tip: This is an overview of assigning NTFS permissions. Prepare students for the topic by providing the following key points of information.
Key Points:
- Follow guidelines when assigning NTFS permissions.
- Assign permissions according to user needs.
- Set permission inheritance to allow or prevent permissions from propagating to files and folders.

Guidelines for Assigning NTFS Permissions
- Group Resources to Simplify Administration
- Assign Only the Permissions That Users Need
- Create Groups According to Resource Access Needs
- Assign Read & Execute Permissions for Application Folders
- Assign Permissions Rather Than Deny Permissions
- Assign Appropriate Permissions to Users and File Owner for Public Data


Consider the following guidelines when you assign NTFS permissions:
- To simplify administration, group files into application folders where
  commonly used applications are kept, data folders containing data files
  shared by multiple users, and home folders that contain each individual
  user’s files. Centralize home folders and data folders on a separate
  partition. This provides the following benefits:
  - You assign permissions only to folders, not to individual files.
  - Backup is less complex, because there is no need to back up application
    files and all home and data folders are in one location.
- Create groups according to the access that the group members require for
  resources, and then assign the appropriate permissions to the groups. Assign
  permissions to individual user accounts only when necessary.
- Allow users only the level of access that they require. If a user only needs
  to read a file, assign the user, or group to which the user has been added,
  Read permission for the file.
- When you assign permissions for application folders, assign the Read &
  Execute permission to the Users and Administrators groups. This prevents
  data and application files from being accidentally deleted or damaged by
  users or viruses.
- When you assign permissions for data folders, assign Read & Execute and
  Write permissions to the Users group and Full Control permission to Creator
  Owner. This gives users the ability to read and modify documents that other
  users create, and the ability to read, modify, and delete the files and
  folders that they themselves create.
- Deny permissions only when it is essential to deny access to a specific user
  account or group.
Slide Objective: To provide guidelines for assigning NTFS permissions.
Lead-in: Before you begin assigning NTFS permissions, consider these guidelines.

Setting NTFS Permissions
[Slide: the Security tab of the Folder1 Properties dialog box, listing the Everyone group and the Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write permissions, shown with the Select Users, Computers, or Groups dialog box for the nwtraders.com domain.]


Administrators, users with Full Control permission, and owners of files and
folders (Creator Owner) can assign permissions to user accounts and groups.
When you assign or modify NTFS permissions for a file or a folder, you can
either add or remove users or groups for the file or folder. In addition, by
selecting a user or group, you can modify the permissions for the user or group.
On the Security tab of the Properties dialog box for the file or folder,
configure the options that the following table describes.

Option        Description
Name          Selects the user account or group for which you want to change
              permissions or that you want to remove from the list.
Permissions   To allow a permission, select the Allow check box.
              To deny a permission, select the Deny check box.
Add           Opens the Select User, Groups, or Computers dialog box, which
              you use to select user accounts and groups to add to the Name list.
Remove        Removes the selected user account or group and the associated
              permissions for the file or folder.

Slide Objective: To explain how to assign NTFS permissions.
Lead-in: By default, Windows 2000 assigns the Full Control permission when you create a file or folder or when you format a partition with NTFS.
Delivery Tip: Demonstrate assigning permissions to a folder. Then, demonstrate blocking permissions inheritance for a file that is contained in the folder. Finally, assign new permissions to the file on which you blocked permissions inheritance.

Controlling Permissions Inheritance
[Slide: the Security tab of the Folder1 Properties dialog box, with the Allow inheritable permissions from parent to propagate to this object check box, and the Security message box that appears when you clear it. The message box reads:]
You are preventing any inheritable permissions from propagating to this
object. What do you want to do?
- To copy previously inherited permissions to this object, click Copy.
- To Remove the inherited permissions and keep only the permissions
  explicitly specified on this object, click Remove.
- To abort this operation, click Cancel.
[Buttons: Copy, Remove, Cancel]


In general, you should allow Windows 2000 to propagate permissions from a
parent folder to subfolders and files contained in the parent folder. Permissions
propagation simplifies the assignment of permissions for resources. However,
there are times when you may want to prevent inheritance so that permissions
do not propagate from a parent folder to subfolders and files.
For example, you may need to keep all sales department files in one sales folder
to which everyone in the sales department has Write permission. However, you
need to limit access for a few files in the folder to Read. To do so, you prevent
inheritance so that the Write permission does not propagate to the files
contained in the folder.
By default, subfolders and files inherit permissions that you assign to their
parent folders. This is indicated on the Security tab in the Properties dialog
box when the Allow inheritable permissions from parent to propagate to
this object check box is selected. To prevent a subfolder or file from inheriting
permissions from a parent folder, clear the Allow inheritable permissions
from parent to propagate to this object check box. Then, select one of the
two options described in the following table.

Option   Description
Copy     Copies previously inherited permissions that are assigned to the
         parent folder to the subfolder or file and denies subsequent
         permissions inheritance from the parent folder
Remove   Removes the inherited permission that is assigned to the parent
         folder from the subfolder or file and retains only the permissions
         that you explicitly assign to the subfolder or file
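
The difference between Copy and Remove can also be observed from a script. The following is an added example, not part of the course material: it assumes a current Windows system with PowerShell and an NTFS volume, and the scratch folder names under %TEMP% are hypothetical.

```powershell
# Added example (not from the course): compare Copy and Remove on scratch folders.
# Assumes Windows PowerShell on an NTFS volume; $root is a hypothetical location.
$root  = Join-Path $env:TEMP 'InheritDemo'
$cases = @{ CopyCase = $true; RemoveCase = $false }   # value = keep inherited entries?

foreach ($name in $cases.Keys) {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Force -Path $path | Out-Null

    $acl = Get-Acl -Path $path
    # Argument 1 ($true): block inheritance, the same as clearing the
    #   "Allow inheritable permissions from parent to propagate to this object" box.
    # Argument 2: $true  = Copy   (former inherited entries become explicit entries),
    #             $false = Remove (only explicitly assigned entries remain).
    $acl.SetAccessRuleProtection($true, $cases[$name])
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and summarize what is left on the folder.
    $after = Get-Acl -Path $path
    [pscustomobject]@{
        Folder             = $name
        InheritanceBlocked = $after.AreAccessRulesProtected
        ExplicitEntries    = @($after.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedEntries   = @($after.Access | Where-Object { $_.IsInherited }).Count
    }
}
```

CopyCase ends up with the parent's entries as explicit entries, while RemoveCase ends up with no entries at all until permissions are assigned explicitly; the folder's owner can still assign them.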

Slide Objective: To explain how to control permissions inheritance.
Lead-in: By default, the permissions that you assign for a folder are inherited by subfolders and files contained in the folder. You can control inheritance.

Lab A: Assigning NTFS Permissions


Objectives
After completing this lab, you will be able to:
- Assign NTFS file system folder and file permissions to user accounts
  and groups.
- Test the NTFS folder and file permissions that you assign.

Prerequisites
Before working on this lab, you must have:
- Knowledge of users and groups in Microsoft® Windows® 2000.

Estimated time to complete this lab: 30 minutes
Slide Objective: To prepare students for the lab.
Lead-in: In this lab, you will assign NTFS folder and file permissions to user accounts and groups, and you will test the permissions that you assign.
Delivery Tips:
- Review the lab answers.
- Ask students if they encountered any problems during the lab.

Exercise 1
Assigning NTFS Permissions for the Data Folder
You are setting up a server that will contain files and folders that users will
need to be able to access from anywhere in the network. You have already
created a folder structure, and the next step is to assign permissions so that the
users will have just enough permissions to accomplish their work. You must be
careful not to assign inappropriate permissions (permissions at a higher level
than is necessary for the users).
You have a data folder into which users will be saving their work. Users need
the ability to save and modify their own work but not to change files that
belong to other users. You also want to ensure that only authorized users on the
network can access the folder.
The default permissions for the Data folder are Full Control for the Everyone
group. These permissions are more than users will need. The first step is to
remove these default permissions. The permissions that you assign to the Data
folder are based on the following criteria:
- All users in the domain should be able to read documents and files in the
  Data folder.
- All users in the domain should be able to create documents in the Data
  folder.
- All users in the domain should be able to modify the contents, properties,
  and permissions of the documents that they create in the Data folder.


To remove default permissions from the Data folder
1. Log on to your domain as Administrator, and then start Windows Explorer.
2. Right-click the C:\MOC\WIN1556A\Labfiles\Data folder, and then click
Properties.
Windows 2000 displays the Data Properties dialog box with the General
tab active.
3. Click the Security tab to display the permissions for the Data folder.
Windows 2000 displays the Data Properties dialog box with the Security
tab active.
What are the existing folder permissions?
The Everyone group has Full Control.

Notice that the currently allowed permissions cannot be modified.
Why are you not able to modify the current permissions? What must you do
to modify the permissions for the Data folder?
The current permissions are being inherited from the parent. To
modify the permissions for the Data folder, clear the Allow inheritable
permissions from parent to propagate to this object check box.
4. Under Name, select the Everyone group, and then click Remove.
What do you see?
Windows 2000 displays a message box, indicating that the folder is
inheriting the permissions for Everyone from its parent folder. To
change permissions for Everyone, you must first block inheritance.

5. Click OK to close the message box.
6. Clear the Allow inheritable permissions from parent to propagate to this
object check box to block permissions from being inherited.
Windows 2000 displays the Security dialog box, prompting you to copy the
currently inherited permissions to the folder or to remove all permissions for
the folder except those that you explicitly specify.
7. Click Remove.
What are the existing folder permissions?
No permissions are currently assigned.

To assign permissions to the Users group for the Data folder
1. In the Data Properties dialog box, click Add.
Windows 2000 displays the Select Users, Computers, or Groups
dialog box.
2. In the Look in box at the top of the dialog box, select your domain.
The Look in box allows you to select the computer or domain from which
to select user accounts, groups, or computers when you assign permissions.
Make sure that your domain is selected.
3. Select Users, and then click Add.
The dialog box displays Users under Name at the bottom of the dialog box.

4. Click OK to return to the Data Properties dialog box.
What are the existing allowed folder permissions?
The Users group has the Read & Execute, List Folder Contents,
and Read permissions. These are the default permissions that
Windows 2000 assigns when you add a user account or group to
the list of permissions.
5. Make sure that Users is selected, and then next to Write, click the Allow
check box.
6. Click Apply to save your changes.
How do you give users the ability to modify only the files that they created?
You assign the Full Control permission to the Creator Owner group.
This way, any file that a user creates in the folder will be owned by that
user and given Full Control.

To assign permissions to the Creator Owner group for the Data folder
1. In the Data Properties dialog box, click Add.
Windows 2000 displays the Select Users, Groups, or Computers
dialog box.
2. In the Look in box at the top of the dialog box, select your domain.
3. In the Name list, select Creator Owner, and then click Add.
Creator Owner appears under Name at the bottom of the dialog box.
4. Click OK to return to the Data Properties dialog box.
What are the existing allowed folder permissions?
Users has the Read & Execute, List Folder Contents, Read, and Write
permissions.
Creator Owner has the Read & Execute, List Folder Contents, and
Read permissions.

5. Make sure that Creator Owner is selected, and next to Full Control,
select the Allow check box. Then click Apply to save your changes.
When you applied the changes, why did the Administrators group appear
under Name?
The folder was created while logged on as an administrator; therefore,
members of the Administrators group are owners of the folder.

You need someone to administer the folder where users will be saving
information. You will need to give the Administrators group the ability to
do this. This group should have full control over the folder and its contents.
To assign permissions to the Administrators group for the Data folder
1. Right-click the C:\MOC\WIN1556A\Labfiles\Data folder, and select
Properties.
2. Select the Security tab.
3. In the Data Properties dialog box, make sure that Administrators is
selected, and then next to Full Control, select the Allow check box.
4. Click OK to apply your changes and close the Data Properties dialog box.
5. Create a text file named Admin.txt in the
C:\MOC\WIN1556A\Labfiles\Data folder.
The file that you create will be used to test the permissions that you just
assigned.
6. Close all applications, and then log off Windows 2000.
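
The end state that Exercise 1 builds by hand, which is also the data-folder guideline given earlier, can be scripted and checked. The following is an added example, not part of the course or its lab files: it assumes a current Windows system with PowerShell, uses a hypothetical scratch folder instead of the lab's Data folder, and refers to the groups by their well-known SIDs.

```powershell
# Added example (not from the course): Exercise 1's end state on a scratch folder.
# Assumes Windows PowerShell on NTFS; $data is a hypothetical path, not the lab's.
$data = Join-Path $env:TEMP 'DataDemo'
New-Item -ItemType Directory -Force -Path $data | Out-Null

# Well-known SIDs, so the script does not depend on localized group names.
$users   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # Users
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # Administrators
$creator = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'       # Creator Owner

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$only    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: build one Allow entry that propagates to subfolders and files.
function New-Rule($sid, $rights, $propagation) {
    $r = [System.Security.AccessControl.FileSystemRights]$rights
    New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $r, $inherit, $propagation, $allow)
}

$acl = Get-Acl -Path $data
$acl.SetAccessRuleProtection($true, $false)    # block inheritance and choose Remove
$acl.AddAccessRule((New-Rule $users   'ReadAndExecute, Write' $none))
$acl.AddAccessRule((New-Rule $admins  'FullControl'           $none))
# Creator Owner is a placeholder: the entry applies only to what users create here.
$acl.AddAccessRule((New-Rule $creator 'FullControl'           $only))
Set-Acl -Path $data -AclObject $acl

# Verify: list the resulting entries and flag any entry left for Everyone (S-1-1-0).
$check = Get-Acl -Path $data
$check.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
$leak = $check.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }
if ($leak) { Write-Warning 'Everyone still has an entry on the folder.' }
```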

