Share and NTFS Permission Confusion
So how do I teach junior administrators how to troubleshoot folder-security problems? In class, it goes a little something like this.
First, a little history. The notion of a share (from Microsoft, anyway) first debuted in 1987 with LAN Manager, which let users connect to a hard drive on a server. Administrators then assigned permissions such as Full Control, Change, or Read to the share. The concept seems simple now, and shares work the same today as they did back then.
With Windows NT 3.0, Microsoft introduced NTFS. Unlike FAT, which doesn't have any security features, NTFS lets you secure folders and files by using granular security. Thus, multiple users can log on to the same machine but have separate, secure work areas that other users can't access.
So now that we know that shares and NTFS both have security permissions that can be assigned to a folder (even though their original uses were different), what's the best way to proceed? One thought is to simply open up the share to Everyone with Full Control, then lock down security by using NTFS permissions. Another option is to use share and NTFS permissions together. Either way, you must be able to determine what a particular user's access to the data is.
Figure 6 shows an example of how you can choose the best security for a given user. In Figure 6's D:\data folder, Bob has the following NTFS permissions: Full Control, Modify, Read & Execute, and Read. Of these permissions, Full Control is the least restrictive. Bob also has Read permission on the data share. Because this is the only permission Bob has, it's the least restrictive permission he has on the share. (If Bob had Read and Change permissions on the share, then Change would be the least restrictive.)
Now that we know Bob's least restrictive NTFS permission and his least restrictive share permission, we find his resultant permission by taking the more restrictive of the two. If Bob attempts to access this share from the network, he'd have Read permission. He wouldn't be able to change, delete, or add new files.
Troubleshooting mixed NTFS and share security permissions can be a challenge. That's why many companies just configure the share by giving Everyone Full Control, then lock down the files and folders by using NTFS permissions.
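The calculation described above, as an added PowerShell example that is not from the original article: take the least restrictive entry on each side, then the more restrictive of the two, and compare that with the Everyone/Full Control share approach. The entries are constructed sample data mirroring Bob's case, only Allow entries are modeled, and the function names and the common None/Read/Change/Full scale are assumptions made for illustration.

```powershell
# Added example: constructed data, Allow entries only (Deny is not modeled).
# Hypothetical common scale so share and NTFS rights can be compared.
$LevelName    = @('None', 'Read', 'Change', 'Full')
$NtfsToLevel  = @{ Read = 1; ReadAndExecute = 1; Modify = 2; FullControl = 3 }
$ShareToLevel = @{ Read = 1; Change = 2; Full = 3 }

function Get-LeastRestrictive {
    # Highest level granted to any identity the user holds (the user plus groups).
    param([object[]]$Entries, [string[]]$Identities, [hashtable]$Map)
    $best = 0
    foreach ($e in $Entries) {
        if ($Identities -contains $e.Identity -and $Map[$e.Right] -gt $best) {
            $best = $Map[$e.Right]
        }
    }
    $best
}

function Get-ResultantAccess {
    param([string[]]$Identities, [object[]]$Ntfs, [object[]]$Share, [switch]$Local)
    $n = Get-LeastRestrictive -Entries $Ntfs -Identities $Identities -Map $NtfsToLevel
    if ($Local) {
        $result = $n      # share permissions apply only to access over the network
    } else {
        $s = Get-LeastRestrictive -Entries $Share -Identities $Identities -Map $ShareToLevel
        $result = [Math]::Min($n, $s)   # the more restrictive side wins
    }
    $LevelName[$result]
}

# Constructed entries for D:\data and the data share, mirroring the article's example.
$bob  = @('Bob', 'Everyone')
$ntfs = @(
    [pscustomobject]@{ Identity = 'Bob'; Right = 'FullControl' }
    [pscustomobject]@{ Identity = 'Bob'; Right = 'Modify' }
    [pscustomobject]@{ Identity = 'Bob'; Right = 'ReadAndExecute' }
    [pscustomobject]@{ Identity = 'Bob'; Right = 'Read' }
)
$shareRead = @([pscustomobject]@{ Identity = 'Bob'; Right = 'Read' })
$shareOpen = @([pscustomobject]@{ Identity = 'Everyone'; Right = 'Full' })

"Network, share grants Bob Read      : " + (Get-ResultantAccess -Identities $bob -Ntfs $ntfs -Share $shareRead)
"Network, share grants Everyone Full : " + (Get-ResultantAccess -Identities $bob -Ntfs $ntfs -Share $shareOpen)
"Local logon, share not consulted    : " + (Get-ResultantAccess -Identities $bob -Ntfs $ntfs -Share $shareRead -Local)
```

On a live server, the same kind of entries can be read with Get-Acl for the folder and Get-SmbShareAccess for the share.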
Go Forth and Organize
Perhaps you know of a file server or two that looks a lot like the ones I describe in this article. If so, then it's time to set up a practice lab and configure a file server the right way. Once you have a clear understanding of how the technologies work, go forth and organize!