- Microsoft® Windows Server™ 2003 Inside Out
- SPECIAL OFFER: Upgrade this ebook with O’Reilly
- A Note Regarding Supplemental Files
- Acknowledgments
- We'd Like to Hear from You!
- About the CD
- Conventions and Features Used in this Book
- About the Author
- 1. Windows Server 2003 Overview and Planning
- 1. Introducing Windows Server 2003
- What's New in Windows Server 2003
- 64-Bit Computing
- .NET Technologies
- Windows XP and Windows Server 2003
- Windows XP Editions
- Increased Support for Standards
- Interface and Tool Improvements
- Active Directory Improvements
- Domains Can Be Renamed
- Active Directory Can Replicate Selectively
- Active Directory–Integrated DNS Zones Can Forward Conditionally
- Active Directory Schema Objects Can Be Deleted
- Active Directory and Global Catalog Are Optimized
- Active Directory Can Compress and Route Selectively
- Forest-to-Forest Trusts
- Active Directory Migration Made Easier
- Group Policy Improvements
- Management and Administration Extras
- Security Advances
- Reliability and Maintenance Enhancements
- 2. Planning for Windows Server 2003
- Overview of Planning
- Identifying Your Organizational Teams
- Assessing Project Goals
- Analyzing the Existing Network
- Defining Objectives and Scope
- Defining the New Network Environment
- Selecting a Software Licensing Program
- Final Considerations for Planning and Deployment
- 1. Introducing Windows Server 2003
- 2. Windows Server 2003 Installation
- 3. Preparing for the Installation and Getting Started
- 4. Managing Interactive Installations
- 5. Managing Unattended Installations
- 6. Using Remote Installation Services
- Introduction to RIS
- Installing RIS
- Configuring RIS Clients
- Preparing RIS-Based Installations
- Using RIS for Automated Installations
- Working with Sysprep
- 3. Windows Server 2003 Upgrades and Migrations
- 7. Preparing for Upgrades and Migration
- 8. Upgrading to Windows Server 2003
- General Considerations for Upgrades
- Upgrading from Windows 2000
- Upgrading from Windows NT 4
- 9. Migrating to Windows Server 2003
- Selecting the Migration Tools
- ADMT
- General Considerations for Migrations
- Determining the Approach to Migration
- Preparing for Migration
- Migrating Security Principals
- Performing the Migration: An Overview
- Migrating Group Accounts
- Migrating User Accounts
- Migrating Passwords
- Migrating the Computers
- Merging Groups during Migration
- Migrating Domain Trusts
- Migrating Service Accounts
- Security Translation
- Generating Migration Reports
- 4. Managing Windows Server 2003 Systems
- 10. Configuring Windows Server 2003
- 11. Windows Server 2003 MMC Administration
- 12. Managing Windows Server 2003
- Using the Administration Tools
- Using the Control Panel Utilities
- Using the Add Hardware Utility
- Using the Add or Remove Programs Utility
- Using the Date and Time Utility
- Using the Display Utility
- Using the Folder Options Utility
- Using the Licensing Utility
- Using the Network Connections Utility
- Using the Regional and Language Options Utility
- Using the Scheduled Tasks Utility
- Using the System Utility
- Using Support Tools
- Using Resource Kit Tools
- Using the Secondary Logon
- 13. Managing and Troubleshooting Hardware
- 14. Managing the Registry
- 15. Performance Monitoring and Tuning
- 16. Comprehensive Performance Analysis and Logging
- 5. Managing Windows Server 2003 Storage and File Systems
- 17. Planning for High Availability
- 18. Preparing and Deploying Server Clusters
- 19. Storage Management
- Essential Storage Technologies
- Configuring Storage
- Managing MBR Disk Partitions on Basic Disks
- Managing GPT Disk Partitions on Basic Disks
- Managing Volumes on Dynamic Disks
- Creating a Simple or Spanned Volume
- Extending a Simple or Spanned Volume
- Recovering a Failed Simple or Spanned Disk
- Moving Dynamic Disks
- Configuring RAID 1: Disk Mirroring
- Mirroring Boot and System Volumes
- Configuring RAID 5: Disk Striping with Parity
- Breaking or Removing a Mirrored Set
- Resolving Problems with Mirrored Sets
- Repairing a Mirrored System Volume to Enable Boot
- Resolving Problems with RAID-5 Sets
- 20. Managing Windows Server 2003 File Systems
- 21. File Sharing and Security
- File Sharing Essentials
- Creating and Publishing Shared Folders
- Managing Share Permissions
- Managing File and Folder Permissions
- Managing File Shares After Configuration
- Sharing Files on the Web
- Auditing File and Folder Access
- 22. Using Volume Shadow Copy
- 23. Using Removable Media
- Introducing Removable Media
- Managing Media Libraries and Media
- Inserting Media into a Library
- Ejecting Media from a Library
- Mounting and Dismounting Media in Libraries
- Enabling and Disabling Media
- Enabling and Disabling Drives
- Cleaning Drives
- Working with Library Doors and Ports
- Configuring Library Inventory
- Starting Library Inventory
- Changing Library Media Types
- Enabling and Disabling Libraries
- Managing Media Pools
- Managing Work Queues, Requests, and Security
- Using the Work Queue
- Troubleshooting Waiting Operations
- Changing Mount Operations
- Controlling When Operations Are Deleted
- Using the Operator Requests Queue
- Notifying Operators of Requests
- Completing or Refusing Requests
- Controlling When Requests Are Deleted
- Setting Access Permissions for Removable Storage
- 6. Managing Windows Server 2003 Networking and Print Services
- 24. Managing TCP/IP Networking
- Understanding IP Addressing
- Special IP Addressing Rules
- Using Subnets and Subnet Masks
- Getting and Using IP Addresses
- Understanding Name Resolution
- Configuring TCP/IP Networking
- 25. Managing DHCP
- DHCP Essentials
- DHCP Security Considerations
- Planning DHCP Implementations
- Setting Up DHCP Servers
- Configuring TCP/IP Options
- Levels of Options and Their Uses
- Options Used by Windows Clients
- Using Userand Vendor-Specific TCP/IP Options
- Settings Options for All Clients
- Settings Options for Routing and Remote Access Clients Only
- Setting Add-On Options for Directly Connected Clients
- Defining Classes to Get Different Option Sets
- Advanced DHCP Configuration and Maintenance
- Setting Up DHCP Relay Agents
- 26. Architecting DNS Infrastructure
- 27. Implementing and Managing DNS
- 28. Implementing and Maintaining WINS
- 29. Installing and Maintaining Print Services
- Understanding Windows Server 2003 Print Services
- Print Services Changes for Windows Server 2003
- Upgrading Windows NT 4 Print Servers to Windows Server 2003
- Migrating Print Servers from One System to Another
- Planning for Printer Deployments and Consolidation
- Setting Up Printers
- Managing Printer Permissions
- Managing Print Server Properties
- Managing Printer Properties
- Setting General Properties, Printing Preferences, and Document Defaults
- Setting Overlays and Watermarks for Documents
- Installing and Updating Print Drivers on Clients
- Configuring Printer Sharing and Publishing
- Optimizing Printing Through Queues and Pooling
- Configuring Print Spooling
- Viewing the Print Processor and Default Data Type
- Configuring Separator Pages
- Configuring Color Profiles
- Managing Print Jobs
- Printer Maintenance and Troubleshooting
- 30. Using Remote Desktop for Administration
- 31. Deploying Terminal Services
- Using Terminal Services
- Designing the Terminal Services Infrastructure
- Setting Up Terminal Services
- Using the Terminal Services Configuration Tool
- Using the Terminal Services Manager
- Managing Terminal Services from the Command Line
- Other Useful Terminal Services Commands
- Configuring Terminal Services Per-User Settings
- 24. Managing TCP/IP Networking
- 7. Managing Active Directory and Security
- 32. Active Directory Architecture
- 33. Designing and Managing the Domain Environment
- Design Considerations for Active Directory Replication
- Design Considerations for Active Directory Search and Global Catalogs
- Design Considerations for Compatibility
- Design Considerations for Active Directory Authentication and Trusts
- Universal Groups and Authentication
- NTLM and Kerberos Authentication
- Authentication and Trusts Across Domain Boundaries
- Authentication and Trusts Across Forest Boundaries
- Examining Domain and Forest Trusts
- Establishing External, Shortcut, Realm, and Cross-Forest Trusts
- Verifying and Troubleshooting Trusts
- Delegating Authentication
- Design Considerations for Active Directory Operations Masters
- Operations Master Roles
- Using, Locating, and Transferring the Schema Master Role
- Using, Locating, and Transferring the Domain Naming Master Role
- Using, Locating, and Transferring the Relative ID Master Role
- Using, Locating, and Transferring the PDC Emulator Role
- Using, Locating, and Transferring the Infrastructure Master Role
- 34. Organizing Active Directory
- 35. Configuring Active Directory Sites and Replication
- 36. Implementing Active Directory
- Preinstallation Considerations for Active Directory
- Installing Active Directory
- Uninstalling Active Directory
- Creating and Managing Organizational Units (OUs)
- Delegating Administration of Domains and OUs
- 37. Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Managing User Profiles
- Managing User Data
- Maintaining User Accounts
- Managing Groups
- Managing Computer Accounts
- 38. Managing Group Policy
- Understanding Group Policy
- Implementing Group Policy
- Working with Local Group Policy
- Working with the Group Policy Object Editor
- Working with the Group Policy Management Console
- Installing and Running the Group Policy Management Console
- Using the Group Policy Management Console
- Accessing Forests, Domains, and Sites in Group Policy Management Console
- Creating and Linking a New GPO in Group Policy Management Console
- Editing an Existing GPO in the Group Policy Management Console
- Linking to an Existing GPO in the Group Policy Management Console
- Deleting an Existing GPO in the Group Policy Management Console
- Managing Group Policy Inheritance and Processing
- Using Scripts in Group Policy
- Applying Group Policy Through Security Templates
- Maintaining and Troubleshooting Group Policy
- 39. Active Directory Site Administration
- 8. Windows Server 2003 Disaster Planning and Recovery
- Index to Troubleshooting Topics
- Index
- SPECIAL OFFER: Upgrade this ebook with O’Reilly
As discussed previously, Windows Server 2003 has two levels of permissions for shared folders: share permissions and file and folder permissions. Share permissions are applied any time you access a file or folder over the network. These top-level permissions set the maximum allowable actions available within a shared folder. Although share permissions can get you in the door when you work remotely, the file and folder permissions can further constrain access and the allowable actions.
When accessing files locally, only the file and folder permissions are applied. However, when accessing files remotely, first the share permissions are applied and then the file and folder permissions. In the case of file allocation table (FAT) volumes, the share permissions are the only permissions, and if a user has local access to the folder, the user can perform any action.
With shared folders, you use share permissions to set the maximum allowed access level. Share permissions are applied only when you access a folder remotely, and they can be used to grant access directly to users or implicitly through the groups to which users belong.
The share permissions available are as follows:
Full Control By granting this permission, users have Read and Change permissions, as well as the following additional capabilities to change file and folder permissions and take ownership of files and folders.
Change By granting this permission, users have Read permissions and the additional capability to create files and subfolders, modify files, change attributes on files and subfolders, and delete files and subfolders.
Read By granting this permission, you allow users to view file and subfolder names, access the subfolders of the share, read file data and attributes, and run program files.
If you have Read permissions on a share, the most you can do is perform read operations. If you have Change permissions on a share, the most you can do is perform read operations and change operations. If you have Full Control, you have full access. However, in any case, file and folder permissions can further constrain access.
Permissions assigned to groups work like this: If a user is a member of a group that is granted share permissions, the user also has those permissions. If a user is a member of multiple groups, the permissions are cumulative. This means that if one group of which the user is a member has Read access and another has additional access, the user has additional access as well.
Inside Out: Changes might be needed to enhance security
When you create a shared folder, default access permissions are assigned. Watch out, though, because the default in most cases is to give Read access to the special group Everyone, which means that even Guests have access to shares—it doesn't mean they can read files, however, because this is determined by the base-level file and folder permissions. In most cases, it is more prudent to lock down access and only grant permissions to those users that truly need access to a shared folder. If you really want to grant wide access to a shared folder, you might want to use the Domain Users group to do this rather than the Everyone group. In this case, you would remove the Everyone group and add the Domain Users group. By using Domain Users, you require users to have a logon account to access the shared folder, which excludes Guests.
To override this behavior, you must specifically deny an access permission. Denying permission is the trump card—it takes precedence and overrides permissions that have been granted. When you want to single out a user or group and not let it have a permission, configure the share permissions to specifically deny that permission to the user or group. For example, if a user is a member of a group that has been granted Full Control over a share, but the user should have only Change permissions, configure the share to deny Full Control to that user.
The easiest way to configure share permissions is to use Computer Management. After you start Computer Management, connect to the computer you want to work with by right-clicking Computer Management in the console tree and then selecting Connect To Another Computer. Then use the Select Computer dialog box to choose the computer you want to work with. When you are finished, expand System Tools And Shared Folders, and then select Shares to display the current shares on the system you are working with.
To view or manage the permissions of a share, right-click the share, and then select Properties. In the share Properties dialog box, select the Share Permissions tab, as shown in Figure 21-14. You can now view the users and groups that have access to the share and the type of access they have.
In this example, members of the Domain Admins group have Full Control over the share and members of the Domain Users group have Change access. The group Everyone was removed to enhance security as discussed in the sidebar "Changes Might Be Needed to Enhance Security" earlier in this chapter.
You can grant or deny permission to access a share by following these steps:
In Computer Management, right-click the share, and then select Properties. In the share Properties dialog box, select the Share Permissions tab.
In the Share Permissions tab, choose Add. This opens the Select Users, Computers, Or Groups dialog box, as shown in Figure 21-15.
The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domains, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.
Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found, as follows:
When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.
If multiple matches are found, select the name(s) you want to use, and then click OK.
To add additional users or groups, type a semicolon (;), and then repeat this process. 6 When you click OK, the users and groups are added to the Name list for the share.
Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the permission in the Allow column. If a user or group should be denied access permissions, select the permission in the Deny column.
When you're finished, click OK.
-
No Comment