Active Directory By the Numbers: Windows Server 2003

Onward and Upward: Security, Permissions, and Sharing Stuff

So far, we have added users, groups, and OUs. But now we need to share resources on our server. Otherwise we have what amounts to a store full of shoppers with barren shelves! We start with shared folders.

Sharing Folders:

Windows Server 2003, like most servers, uses a strategy based on permissions and privileges to grant or restrict access to folders in the Active Directory. For example, Server 2003 uses a two-tiered approach for folder sharing:

The network share permissions act as the "gatekeeper," restricting who can and can't access the shared folder. If a user and/or group is denied access to the shared folder, then any client trying to open the share is given an error message stating that his or her access has been denied. If the user is allowed to enter the share, the NTFS file permissions go to work. These permissions govern what the user and/or group can do once they are inside the initial share.

For example, let's say that we have a shared folder containing four subfolders. Now let's say that we give our Marketing group access to enter the shared folder. The network share permissions allow members of the Marketing group inside the share. Now that our Marketing members are inside the share, let's say that we want to lock them out of two of the four folders inside the initial share. The NTFS file permissions allow us to do that. We can lock two of the folders so that the Marketing members are presented with the "access denied" message whenever they try to open the restricted folders. The remaining two folders are left open to Marketing. Again, the NTFS file permissions make this possible.

Figure 3-2: Network Share Permissions and NTFS file permissions. The former allows or denies a user/group access to a network shared folder. The latter dictates what the user/group can do once inside the share.
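
The two-tier check described above, modelled in Python as an added example (not code from the original article or from Windows itself). It assumes a simplified rights model in which an explicit deny beats any allow and the result over the network is the overlap of the share and NTFS rights; the folder names, the Finance group and the user names are constructed for illustration.

```python
# Simplified model of the share-then-NTFS check (illustration only).
# Assumptions: rights are reduced to read/write/admin, a deny entry beats
# any allow, and a user with no matching allow entry gets nothing.
from dataclasses import dataclass

# Abstract rights granted by each permission level used in this model.
LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write"},
    "Full Control": {"read", "write", "admin"},
}

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    allow: bool      # True = allow entry, False = deny entry
    level: str       # key into LEVELS

def granted(acl, principals):
    """Rights one ACL yields for a user's principals (user name plus groups)."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return allowed - denied

def effective(share_acl, ntfs_acl, principals):
    """Tier 1: the share ACL gates entry. Tier 2: NTFS limits what remains."""
    share_rights = granted(share_acl, principals)
    if not share_rights:
        return set()   # stopped at the gate: "access denied"
    return share_rights & granted(ntfs_acl, principals)

# Constructed sample: one share, four subfolders, Marketing locked out of two.
SHARE_ACL = [Ace("Marketing", True, "Change")]
NTFS_ACLS = {
    "Budgets":   [Ace("Marketing", False, "Full Control"), Ace("Finance", True, "Full Control")],
    "Contracts": [Ace("Finance", True, "Full Control")],   # no entry for Marketing
    "Campaigns": [Ace("Marketing", True, "Full Control")],
    "Templates": [Ace("Marketing", True, "Read")],
}

def report(principals):
    """Effective rights per subfolder for one user's set of principals."""
    return {f: sorted(effective(SHARE_ACL, acl, principals)) for f, acl in NTFS_ACLS.items()}

if __name__ == "__main__":
    for who in ({"alice", "Marketing"}, {"bob", "Finance"}):
        print(sorted(who), report(who))
```

The Finance user ends up with no access to any subfolder even where NTFS grants Full Control, because no share entry lets that user through the first tier.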

Network Share Permissions Types

There are three main types of network share permissions: Read, Change, and Full Control.
