Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97



While defining a share, the user can also specify a connection limit—for example, to prevent too many users from simultaneously accessing a piece of software. Note that after a folder is shared, a new button, New Share, appears when you return to the Sharing tab. This button enables you to share the same folder under another name and, optionally, apply different permissions (see Figure 8.3).


Figure 8.3.  You can create more than one share that points to the same folder.

If you want to make your share names descriptive, but you still must support DOS clients, you can share the folder twice, once with a long name for the 95/NT clients and once for the DOS, Windows 3.x, and Windows for Workgroups clients.

The final thing you must do when sharing a file is to set permissions. As mentioned previously, the default is to give everyone full control. As shown in Figure 8.4, click the Permissions button and change the default for Everyone, or add or remove groups and permissions as needed.

To grant permissions to a new user or group, click the Add button as shown in Figure 8.4 and the Add Users and Groups dialog box will appear.

In this box, add groups or click the Show Users button and choose the users you want. You may also pick global groups and users from other trusted domains by clicking the down arrow next to the List Names From box (see Figure 8.5).


Figure 8.4.  The Permissions button enables you to limit access to the newly created share.


Figure 8.5.  You can add users and groups from trusted domains.

The permission shown in the Type of Access combo box at the bottom of the dialog box applies to all the users and groups you are currently selecting. If one permission will apply to most of the users and groups, set it here now. When you have finished, click OK.

You are presented with the Access Through Share Permissions dialog box shown in Figure 8.6. You can remove unwanted users or groups by clicking the Remove button. You also can change permissions for individual users or groups by first selecting that user or group and then clicking the down arrow next to the permission you want to assign.


Figure 8.6.  Use the Access Through Share Permissions dialog box to remove unwanted users or groups or change permissions.

When you have finished, click OK to return to the main sharing dialog box, and then click OK again to finish. When you look at that folder now in Windows Explorer, it is being held by a hand as if it were a platter being served up (see Figure 8.7).


Figure 8.7.  The Msdos share has been created.

You will see the hand only if you have the right to share or stop sharing directories. The average user will not see the hand under any folder.

8.5. Calculating Effective Rights

Calculating effective rights is an important aspect in ensuring that the proper permissions have been applied to a resource. Calculating the effective rights takes into account the total set of permissions granted and denied, both individually and as a group member.

When a user accesses resources interactively, only the NTFS permissions come into play.

8.5.1. Combining NTFS and Share Permissions

Now turn your attention to the issue of how NTFS and share permissions work together. When a user accesses a resource via the network, the combined NTFS and the combined share permissions contained in the ACL (Access Control List) are compared and the most restrictive permission applies. Recall that both NTFS and share permissions are calculated by looking at the user and all group accounts to which the user may belong and taking the sum of permissions, with the exception of No Access, which overrides all other permissions.

The net, or effective, permission resulting from NTFS and share permissions is always the most restrictive of the two.

8.5.2. Examples of Combined Permissions

Now look at a few examples of combining share and NTFS permissions, beginning with some fairly easy ones and moving on to some more complex ones.

Example 1

Joe belongs to the group Sales, which has been assigned Read permission to the share and the NTFS permission of Change. What can Joe do across the network? Interactively?

Across the network Joe will have the lesser permission of Read and Change, which is Read. He will have read-only access to any of the data on that share. If he accesses the resource interactively (at the machine with the share), he will have no restrictions from the share, so the local NTFS permissions of Change will be the only restrictions in place.

Example 2

This scenario is just the opposite of Example 1. This time, Sales has Change permission on the share and the NTFS permission of Read. What can Joe do across the network? Interactively?

The answer is similar to that of Example 1. Across the network Joe will have the lesser permission of Read and Change, which is Read. He will have read-only access to any of the data on that share. If he sits at the machine with the share (interactive access), he will also have read-only permission.

Example 3

Mary belongs to the group Accountants and the group Sales. She needs access to a share with Accounts Receivable information, called AR. The following share permissions have been assigned: Accountants has Change and Sales has No Access. In addition, the data is stored on an NTFS partition, and the following NTFS permissions have been assigned: Accountants has Full Control and Sales has Read. What can Mary do across the network? Interactively?

Both NTFS and share permissions must be calculated independently. The net result of each of these calculations is compared to get the effective permissions. For the share permissions, Mary will get Change plus No Access, yielding No Access. For NTFS permissions, however, Mary will have Read plus Full Control, netting Full Control. Her effective permissions are therefore No Access across the network but Full Control locally. You might want to use this approach if, for example, you wanted to allow the salespeople to access the data only in a controlled manner, such as in the accountant's office.
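The calculation used in the three examples above can be written out as a short Python routine. This is an added example, not code from the book: it assumes the four permissions named in this section form an ordered scale, it treats a user with no matching entry as having no access, and the ACL dictionaries are constructed to match Examples 1 through 3.

```python
"""Effective rights from share and NTFS permissions (added example)."""

# Assumption: the permissions named in this section form an ordered scale.
RANK = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}
NAME = {rank: name for name, rank in RANK.items()}


def combine(acl, principals):
    """Cumulative permission from one ACL (share or NTFS).

    acl: dict mapping a user or group name to a permission name.
    principals: the user's account plus every group the user belongs to.
    Returns None when no entry applies to the user.
    """
    matched = [acl[p] for p in principals if p in acl]
    if not matched:
        return None
    if "No Access" in matched:        # No Access overrides all other grants
        return "No Access"
    return NAME[max(RANK[m] for m in matched)]   # otherwise grants add up


def effective(share_acl, ntfs_acl, principals):
    """Return (network, interactive) effective permissions."""
    share = combine(share_acl, principals)
    ntfs = combine(ntfs_acl, principals)
    # Interactive access never consults the share permissions.
    interactive = ntfs or "No Access"
    if share is None or ntfs is None:
        network = "No Access"         # assumption: no entry means no access
    else:
        network = NAME[min(RANK[share], RANK[ntfs])]   # most restrictive
    return network, interactive


def page_examples():
    """Examples 1-3 from section 8.5.2, using constructed ACL dictionaries."""
    joe, mary = ["Joe", "Sales"], ["Mary", "Accountants", "Sales"]
    return {
        "Example 1": effective({"Sales": "Read"}, {"Sales": "Change"}, joe),
        "Example 2": effective({"Sales": "Change"}, {"Sales": "Read"}, joe),
        "Example 3": effective(
            {"Accountants": "Change", "Sales": "No Access"},
            {"Accountants": "Full Control", "Sales": "Read"}, mary),
    }


if __name__ == "__main__":
    for label, (network, interactive) in page_examples().items():
        print(f"{label}: network={network}, interactive={interactive}")
```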

