Data sharing allows remote users to access network resources, such as files, folders, and drives. When you share a folder or a drive, you make all its files and subfolders available to a specified set of users. If you want to control access to specific files and subfolders within a shared folder, you can do it only with NTFS volumes. On NTFS volumes, you use access control lists to grant or deny access to files and folders.
Object security applies to all resources on NTFS volumes. It includes files, folders, and Active Directory directory service objects. Normally, only administrators have the right to manage Active Directory objects, but you can delegate to users the authority to manage Active Directory objects. When you do, you make information in Active Directory available for viewing and modification by designated users. You control these users’ permissions through access control lists. By auditing access to objects, you can closely monitor network activity and ensure that only authorized users are accessing resources.
You use shares to control access for remote users. Permissions on shared folders have no effect on users who log on locally to a server or to a workstation that has shared folders.
You can use both Computer Management and File Server Management to work with shares. You can also view current shares on a computer by typing net share at a command prompt.
In Computer Management, you can view the shared folders on a local or remote computer by completing the following steps:
You’re connected to the local computer by default. If you want to connect to a remote computer, right-click the Computer Management node and select Connect To Another Computer. Choose Another Computer, type the name or Internet Protocol (IP) address of the computer to which you want to connect, and then click OK.
In the console tree, expand System Tools and Shared Folders, and then select Shares. The current shares on the system are displayed, as shown in Figure 14-1.
In File Server Management, you can view the shared folders on a local or remote computer by completing the following steps:
You’re connected to the local computer by default. To connect to a remote computer, right-click the File Server Management node and select Connect To Another Computer. Choose Another Computer, type the name or IP address of the computer to which you want to connect, and then click OK.
In the console tree, expand Shared Folder Management and Shared Folders, and then select Shares. The current shares on the system are displayed, as shown previously in Figure 14-1.
The columns of the Shares node provide the following information:
Share Name. Name of the shared folder
Folder Path. Complete path to the folder on the local system
Type. What kind of computers can use the share, such as Macintosh or Windows
# Client Connections. Number of clients currently accessing the share
Description. Description of the share
Microsoft Windows Server 2003 provides several ways to share folders: you can share local folders using Windows Explorer, and you can also share local and remote folders using Computer Management and File Server Management.
Because Computer Management and File Server Management allow you to work with and manage shared resources on any of your network computers, they’re usually the best tools to use. Which of the two consoles you use is a matter of preference, and the techniques for creating and working with shared folders are nearly identical.
To share folders on a server running Windows Server 2003, you must be a member of the Administrators or the Server Operators group. In Computer Management, you share a folder by completing the following steps:
If necessary, connect to a remote computer.
In the console tree, expand System Tools and Shared Folders, and then select Shares. The current shares on the system are displayed.
Right-click Shares and then select New Share. This starts the Share A Folder Wizard. Click Next.
In the Folder Path text box, type the local file path to the folder you want to share. The file path must be exact, such as C:\Data\CorpDocuments. If you don’t know the full path, click Browse and then use the Browse For Folder dialog box to find the folder you want to share and then click OK. Click Next.
In the Share Name text box, type a name for the share, as shown in Figure 14-2. This is the name of the folder to which users will connect. Share names must be unique for each system.
If you’ve configured Macintosh services, the standard Name, Description, And Settings page is modified, as shown in Figure 14-2, to include Microsoft Windows Users and Apple Macintosh Users check boxes. By selecting Microsoft Windows Users (the default), you allow Windows users to access the share. By selecting Apple Macintosh Users and typing a share name in the field provided, you allow Macintosh users to access the share.
If you want to hide a share from users (which means that they won’t be able to see the shared resource when they try to browse to it in Windows Explorer or at the command line), type $ as the last character of the shared resource name. For example, you could create a share called PrivEngData$, which would be hidden from Windows Explorer, Net View, and other similar utilities. Users can still connect to the share and access its data, provided that they’ve been granted access permission and that they know the share’s name. Note that the $ must be typed as part of the share name when mapping to the shared resource.
If you like, you can type a description of the share in the Description text box. Then, when you view shares on a particular computer, the description is displayed in Computer Management.
By default, the share is configured so that only files and programs that users specify are available for offline use. If you want to prohibit the offline use of files or programs in the share or specify that all files and programs in the share are available for offline use, click Change, and then select the appropriate options in the Offline Settings dialog box.
Click Next and then set basic permissions for the share. You’ll find helpful pointers in the "Managing Share Permissions" section of this chapter. As shown in Figure 14-3, the available options are as follows:
All Users Have Read-Only Access. Gives users access to view files and read data. They can’t create, modify, or delete files and folders.
Administrators Have Full Access; Other Users Have Read-Only Access. Gives administrators complete control over the share. Full access allows administrators to create, modify, and delete files and folders. On NTFS, it also gives administrators the right to change permissions and to take ownership of files and folders. Other users can only view files and read data. They can’t create, modify, or delete files and folders.
Administrators Have Full Access; Other Users Have Read And Write Access. Gives administrators complete control over the share and allows other users to create, modify, or delete files and folders.
Use Custom Share And Folder Permissions. Allows you to configure access for specific users and groups, which is usually the best technique to use. Setting share permissions is discussed fully later in this chapter in the section entitled "Managing Share Permissions."
When you click Finish, the wizard displays a status report, which should state "Sharing Was Successful." Click Close.
If you view the shared folder in Windows Explorer, you’ll see that the folder icon now includes a hand to indicate a share. Through Computer Management, you can also view shared resources. To learn how, see the section of this chapter entitled "Sharing Folders on Local and Remote Systems."
If you’re creating a share that’s for general use and general access, you should publish the shared resource in Active Directory. Publishing the resource in Active Directory makes it easier for users to find the share. To publish a share in Active Directory, right-click the share in Computer Management and then select Properties. On the Publish tab, select the Publish This Share In Active Directory check box, add an optional description and owner information, and then click OK.
Individual folders can have multiple shares. Each share can have a different name and a different set of access permissions. To create additional shares on an existing share, simply follow the steps for creating a share outlined in the previous section—with these changes:
In Step 5: When you name the share, make sure that you use a different name.
In Step 6: When you add a description for the share, use a description that explains what the share is used for—and how it’s different from the other share(s) for the same folder.
Share permissions set the maximum allowable actions available within a shared folder. By default, when you create a share, everyone with access to the network has read access to the share’s contents. This is an important security change—in previous editions, the default permission was full control.
On NTFS volumes, you can use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share. On file allocation table (FAT) volumes, share permissions provide the only access controls.
Share permissions available, from the most restrictive to the least restrictive, are:
No Access. No permissions are granted for the share.
Read. With this permission, users can:
Change. Users have Read permissions and the additional ability to:
Full Control. Users have Read and Change permissions, as well as the following additional capabilities on NTFS volumes:
You can assign share permissions to users and groups. You can even assign permissions to implicit groups. For details on implicit groups, see the section entitled "Implicit Groups and Special Identities" in Chapter 8.
To view share permissions, follow these steps:
In Computer Management, connect to the computer on which the share is created.
In the console tree, expand System Tools and Shared Folders, and then select Shares.
Right-click the share you want to view, and then select Properties.
In the Properties dialog box, click the Share Permissions tab, shown in Figure 14-4. You can now view the users and groups that have access to the share and the type of access they have.
In Computer Management, you can add user, computer, and group permissions to shares by completing the following steps:
Right-click the share you want to manage and then select Properties.
In the Share Properties dialog box, click the Share Permissions tab.
Click Add. This opens the Select Users, Computers, Or Groups dialog box shown in Figure 14-5.
Type the name of a user, computer, or group in the current domain and then click Check Names.
If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
If no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or click Locations to select a new location.
If multiple matches are found, select the name(s) you want to use and then click OK. To assign permissions to other users, computers, or groups, type a semicolon (;), and then repeat this step.
The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.
Click OK. The users and groups are added to the Name list for the share.
Configure access permissions for each user, computer, and group by selecting an account name and then allowing or denying access permissions. Keep in mind that you’re setting the maximum allowable permissions for a particular account.
Click OK when you’re finished. To assign additional security permissions for NTFS, see the section of this chapter entitled "File and Folder Permissions."
You can change the share permissions you assign to users, computers, and groups by using the Share Properties dialog box. In Computer Management, follow these steps:
Right-click the share you want to manage, and then select Properties.
In the Share Properties dialog box, click the Share Permissions tab.
In the Name list box, select the user, computer, or group you want to modify.
Use the check boxes in the Permissions area to allow or deny permissions.
Repeat for other users, computers, or groups, and then click OK when you’re finished.
You also remove share permissions assigned to users, computers, and groups with the Share Permissions dialog box. In Computer Management, follow these steps:
Right-click the share you want to manage and then select Properties.
In the Share Properties dialog box, click the Share Permissions tab.
In the Name list box, select the user, computer, or group you want to remove, and then click Remove.
Repeat for other users or groups, as necessary, and then click OK when you’re finished.
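The check an administrator usually wants before and after editing share permissions is a listing of who holds Read, Change or Full Control on every share, with broad groups that hold more than Read called out. This added example (not code from the book) does that with the Win32_LogicalShareSecuritySetting WMI class that ships with Windows Server 2003; the computer name and the list of "broad" trustees are assumptions.

```powershell
# Added example, not from the book: audit share permissions on a Windows Server 2003
# file server and flag broad groups that hold more than Read.
# Assumption: the computer name; 'localhost' is used when none is given.
param([string]$Computer = 'localhost')

# Access masks that the three share permissions (Read, Change, Full Control) put in an ACE.
$ShareLevels = @{
    0x1F01FF = 'Full Control'
    0x1301BF = 'Change'
    0x1200A9 = 'Read'
}
# Trustees treated as "everyone with network access" for this check (assumed list).
$BroadTrustees = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'ANONYMOUS LOGON')

function Get-ShareAcl {
    param([string]$ComputerName)
    # One instance per non-administrative share; the automatic shares (C$, ADMIN$, ...) have none.
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName
    foreach ($s in $settings) {
        $result = $s.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning ('Could not read ACL of share {0} (return code {1})' -f $s.Name, $result.ReturnValue)
            continue
        }
        if (-not $result.Descriptor.DACL) {
            Write-Warning ('Share {0} has an empty DACL: no one has access' -f $s.Name)
            continue
        }
        foreach ($ace in $result.Descriptor.DACL) {
            $level = $ShareLevels[[int]$ace.AccessMask]
            if (-not $level) { $level = '0x{0:X}' -f $ace.AccessMask }   # custom mask, show it raw
            $trustee = $ace.Trustee.Name
            if ($ace.Trustee.Domain) { $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $trustee }
            # AceType 0 = Access Allowed, 1 = Access Denied
            $kind = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            $broad = ($BroadTrustees -contains $ace.Trustee.Name) -and ($kind -eq 'Allow') -and ($level -ne 'Read')
            $flag = if ($broad) { 'REVIEW: broad group with write access' } else { '' }
            New-Object PSObject -Property @{
                Share   = $s.Name
                Trustee = $trustee
                Type    = $kind
                Level   = $level
                Flag    = $flag
            }
        }
    }
}

Get-ShareAcl -ComputerName $Computer | Sort-Object Share, Trustee |
    Format-Table Share, Trustee, Type, Level, Flag -AutoSize
```

Rows marked REVIEW are the ones the "Use Custom Share And Folder Permissions" option exists to avoid; remember that NTFS permissions on the folder still apply on top of whatever the share grants.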
As an administrator, you’ll often have to manage shared folders. The common administrative tasks of managing shares are covered in this section.
When you install Windows Server 2003, the operating system creates special shares automatically. These shares are also known as administrative shares and hidden shares. These shares are designed to help make system administration easier. You can’t set access permissions on automatically created special shares; Windows Server 2003 assigns access permissions. (You can create your own hidden shares by typing $ as the last character of the resource name.)
You can delete special shares temporarily if you’re certain the shares aren’t needed. However, the shares are recreated automatically the next time the operating system starts. To permanently disable the administrative shares change the following registry values to 0 (zero):
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
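Because a deleted administrative share silently returns at the next start unless these values are 0, it helps to be able to check both the registry values and the shares that currently exist in one go. This added example (not code from the book) reads the two values from the key named above and lists the automatic shares through the Win32_Share WMI class; the reg add command in the comment is the registry change the text describes.

```powershell
# Added example, not from the book: report the AutoShareServer/AutoShareWks values and
# the administrative shares currently present. A missing value means the default
# (1, shares are created at start) is in effect.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

function Get-AutoShareState {
    $props = Get-ItemProperty -Path $Key
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $value = $props.$name                  # $null when the value does not exist
        $effective = if ($value -eq $null) { 1 } else { [int]$value }
        $state = if ($effective -eq 0) { 'disabled (admin shares not recreated)' } else { 'enabled (default)' }
        New-Object PSObject -Property @{
            Value     = $name
            Present   = ($value -ne $null)
            Effective = $effective
            State     = $state
        }
    }
}

function Get-AdminShare {
    # Win32_Share.Type has the high bit (0x80000000) set for the automatic administrative
    # shares (C$, ADMIN$, IPC$ ...); a user-created hidden share such as PrivEngData$ does not.
    Get-WmiObject -Class Win32_Share |
        Where-Object { ($_.Type -band 0x80000000) -ne 0 } |
        Select-Object Name, Path, Description
}

Get-AutoShareState | Format-Table Value, Present, Effective, State -AutoSize
Get-AdminShare     | Format-Table Name, Path, Description -AutoSize

# To disable the automatic shares permanently, set both values to 0 as the text describes
# (the change takes effect the next time the Server service starts):
#   reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
#   reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks    /t REG_DWORD /d 0 /f
```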
Which special shares are available depends on your system configuration. Table 14-1 lists special shares you might see and how they’re used.
Table 14-1. Special Shares Used by Windows Server 2003
Special Share Name | Description | Usage |
---|---|---|
ADMIN$ | A share used during remote administration of a system. Provides access to the operating system %SystemRoot%. | On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. |
FAX$ | Supports network faxes. | Used by fax clients when sending faxes. |
IPC$ | Supports named pipes during remote interprocess communications (IPC) access. | Used by programs when performing remote administration and when viewing shared resources. |
NETLOGON | Supports the Net Logon service. | Used by the Net Logon service when processing domain logon requests. Everyone has Read access. |
Microsoft UAM Volume | Supports Macintosh file and printer services. | Used by File Server For Macintosh and Print Server For Macintosh. |
PRINT$ | Supports shared printer resources by providing access to printer drivers. | Used by shared printers. Everyone has Read access. Administrators, server operators, and printer operators have full control. |
SYSVOL | Supports Active Directory. | Used to store data and objects for Active Directory. |
Driveletter$ | A share that allows administrators to connect to a drive’s root folder. These shares are shown as C$, D$, E$, and so on. | On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. |
Special shares end with the $ symbol. Although these shares aren’t displayed in Windows Explorer, administrators and certain operators can connect to them. To connect to a special share, follow these steps:
In Windows Explorer, from the Tools menu, select Map Network Drive. This opens the page shown in Figure 14-6.
From the Drive drop-down list, select a free drive letter. This drive letter is used to access the special share.
In the Folder text box, type the Universal Naming Convention (UNC) path to the desired share. For example, to access the C$ share on a server called Twiddle, you’d use the path \\TWIDDLE\C$. Click Finish.
After you connect to a special share, you can access it as you would any other drive. Because special shares are protected, you don’t have to worry about ordinary users accessing these shares. The first time you connect to the share, you might be prompted for a user name and password. If you are, provide that information.
You can use Computer Management to track all connections to shared resources on a Windows Server 2003 system. Whenever a user or computer connects to a shared resource, Windows Server 2003 lists a connection in the Sessions node.
To view connections to shared resources, type net session at a command prompt or follow these steps:
In Computer Management, connect to the computer on which you created the shared resource.
In the console tree, expand System Tools and Shared Folders, and then select Sessions.
As shown in Figure 14-7, you can now view connections to shares for users and computers.
The Sessions node provides important information about user and computer connections. The columns of this node provide the following information:
User. The names of users or computers connected to shared resources. Computer names are shown with a $ suffix to differentiate them from users.
Computer. The name of the computer being used.
Type. The type of network connection being used.
# Open Files. The number of files with which the user is actively working. For more detailed information, access the Open Files node.
Connected Time. The time that has elapsed since the connection was established.
Idle Time. The time that has elapsed since the connection was last used.
Guest. Whether the user is logged on as a guest.
Managing sessions and shares is a common administrative task. Before you shut down a server or an application running on a server, you might want to disconnect users from shared resources. You might also need to disconnect users when you plan to change access permissions or delete a share entirely. Another reason to disconnect users is to break locks on files. You disconnect users from shared resources by ending the related user sessions.
To disconnect individual users from shared resources, type net session \\ComputerName /delete at a command prompt or follow these steps:
To disconnect all users from shared resources, follow these steps:
In Computer Management, connect to the computer on which you created the share.
In the console tree, expand System Tools and Shared Folders, and then right-click Sessions.
Choose Disconnect All Sessions and then click Yes to confirm the action.
Keep in mind that you’re disconnecting users from shared resources, not from the domain. Once users have logged on to the domain, you can force them to log off only through logon hours and Group Policy. Thus, disconnecting users doesn’t log them off the network; it simply disconnects them from the shared resource.
Any time users connect to shares, the individual file and object resources with which they’re actively working are displayed in the Open Files node. The Open Files node might show the files the user has open but isn’t currently editing.
You can access the Open Files node by completing the following steps:
In Computer Management, connect to the computer on which you created the share.
In the console tree, expand System Tools and Shared Folders, and then select Open Files. This displays the Open Files node, shown in Figure 14-8. The Open Files node provides the following information about resource usage:
Open File. The file or folder path to the open file on the local system. It might also be a named pipe, such as \PIPE\spoolss, which is used for printer spooling.
Accessed By. The name of the user accessing the file.
Type. The type of network connection being used.
# Locks. The number of locks on the resource.
Open Mode. The access mode used when the resource was opened, such as read, write, or write+read mode.
To close all open files on a computer’s shares, follow these steps:
Any time your organization uses shared folders you might want to consider creating shadow copies of these shared folders as well. Shadow copies are point-in-time backups of data files that users can access directly in shared folders. These point-in-time backups can save you and the other administrators in your organization a lot of work, especially if you routinely have to retrieve lost, overwritten, or corrupted data files from backup. The normal procedure for retrieving shadow copies is to use the Previous Versions or Shadow Copy client. Windows Server 2003 R2 includes a feature enhancement that allows you to revert an entire (nonsystem) volume to a previous shadow copy state.
You can create shadow copies only on NTFS volumes. On NTFS volumes, you use the Shadow Copy feature to create automatic backups of the files in shared folders on a per volume basis. For example, if a file server has three NTFS volumes, each containing shared folders, you’d need to configure this feature for each volume separately.
If you enable this feature in the default configuration, shadow copies are created twice each weekday (Monday–Friday) at 7:00 A.M. and 12:00 P.M. You need at least 100 megabytes (MB) of free space to create the first shadow copy on a volume. The total disk space used beyond this depends on the amount of data in the volume’s shared folders. You can restrict the total amount of disk space used by Shadow Copy by setting the allowable maximum size of the point-in-time backups.
You configure and view current Shadow Copy settings using the Shadow Copies tab of the disk properties dialog box. Right-click the icon for the disk you want to work with in Windows Explorer or Computer Management, select Properties, and then click the Shadow Copies tab. The Select A Volume panel shows:
Volume. Volume label of NTFS volumes on the selected disk drive
Next Run Time. The status of Shadow Copy as Disabled or the next time a Shadow Copy of the volume will be created
Shares. Number of shared folders on the volume
Used. Amount of disk space used by Shadow Copy
Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time.
To create a shadow copy on an NTFS volume with shared folders, follow these steps:
Start Computer Management. If necessary, connect to a remote computer.
In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.
Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.
In the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list.
Click Settings to configure the maximum size of all shadow copies for this volume and to change the default schedule. When you’re finished, click OK twice.
If necessary, click Enable after you’ve configured the volume for shadow copying. When prompted to confirm this action, click Yes. This creates the first shadow copy and sets the schedule for later shadow copies.
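The Shadow Copies tab reads its Used, Next Run Time and size-limit figures from the Volume Shadow Copy service, which is also exposed through WMI, so the same information can be checked from a script on any server. This added example (not code from the book) lists the storage limits and the existing copies of a volume and creates an on-demand copy through the Win32_ShadowCopy and Win32_ShadowStorage classes; the drive letter is an assumption.

```powershell
# Added example, not from the book: inspect and create Shadow Copies of Shared Folders
# through WMI. Assumption: the drive letter of the NTFS volume (D: here).
param([string]$Drive = 'D:')

function Get-VolumeGuidPath {
    param([string]$DriveLetter)
    # Win32_ShadowCopy refers to volumes by GUID path (\\?\Volume{...}\), not by drive letter.
    $v = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $v) { throw "No volume with drive letter $DriveLetter" }
    $v.DeviceID
}

function Get-ShadowCopies {
    param([string]$DriveLetter)
    # Same list as the "Shadow Copies Of Selected Volume" panel, oldest first.
    $guidPath = Get-VolumeGuidPath $DriveLetter
    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $guidPath } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Created          = $_.ConvertToDateTime($_.InstallDate)
                ID               = $_.ID
                ClientAccessible = $_.ClientAccessible   # True = usable by Previous Versions clients
            }
        } | Sort-Object Created
}

function Get-ShadowStorage {
    # One row per volume that has a shadow storage area; MaxSpace is the limit set in Settings.
    Get-WmiObject -Class Win32_ShadowStorage | ForEach-Object {
        $vol  = [wmi]$_.Volume        # dereference the Win32_Volume the copies are taken of
        $diff = [wmi]$_.DiffVolume    # ... and the volume that holds the copies
        $max = if ($_.MaxSpace -eq [uint64]::MaxValue) { 'unlimited' } else { [math]::Round($_.MaxSpace / 1MB) }
        New-Object PSObject -Property @{
            Volume      = $vol.DriveLetter
            StoredOn    = $diff.DriveLetter
            UsedMB      = [math]::Round($_.UsedSpace / 1MB)
            AllocatedMB = [math]::Round($_.AllocatedSpace / 1MB)
            MaxMB       = $max
        }
    }
}

function New-ShadowCopy {
    param([string]$DriveLetter)
    # 'ClientAccessible' is the context the scheduled Shadow Copies of Shared Folders task uses.
    $r = ([wmiclass]'Win32_ShadowCopy').Create("$DriveLetter\", 'ClientAccessible')
    if ($r.ReturnValue -ne 0) { throw "Create failed with return value $($r.ReturnValue)" }
    $r.ShadowID
}

Get-ShadowStorage | Format-Table Volume, StoredOn, UsedMB, AllocatedMB, MaxMB -AutoSize
Get-ShadowCopies -DriveLetter $Drive | Format-Table Created, ID, ClientAccessible -AutoSize
# New-ShadowCopy -DriveLetter $Drive   # uncomment to take a copy now, outside the schedule
```

Taking a copy immediately before a permission change or a share deletion gives users a Previous Versions point to fall back to, and it counts toward the volume's MaxSpace like any scheduled copy.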
Users on client computers access shadow copies of individual shared folders using the Previous Versions or Shadow Copy client. The Previous Versions client is stored in the %SystemRoot%\System32\Clients\Twclient\X86 folder and its installer is named Twcli32.msi. The Shadow Copy client can be downloaded from the Microsoft Web site and its installer is named ShadowCopyClient.msi. After you install these clients, the best way to access shadow copies on a client computer is to follow these steps:
In My Network Places, expand Entire Network and Microsoft Windows Network to display the available domains, and then expand the domain node to display servers on the network.
When you expand a server node, any publicly shared resources on that server are listed. Right-click the share for which you want to access previous file versions, choose Properties, and then click the Previous Versions tab.
After you access the Previous Versions tab, select the folder version that you want to work with. Each folder has a date and time stamp. Then click the button corresponding to the action you want to perform:
Click View to open the shadow copy in Windows Explorer.
Click Copy to display the Copy Items dialog box, which lets you copy the snapshot image of the folder to the location you specify.
Click Restore to roll back the shared folder to its state as of the snapshot image you selected.
Windows Server 2003 R2 features a shadow copy enhancement that allows you to revert an entire volume to the state it was in when a particular shadow copy was created. As volumes containing operating system files can’t be reverted, the volume you want to revert must not be a system volume.
To revert an entire volume to a previous state, follow these steps:
Start Computer Management. If necessary, connect to a remote computer.
In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.
In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list.
Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time. Select the shadow copy with the date and timestamp to which you want to revert and then click Revert. To confirm this action, select the Check Here If You Want To Revert This Volume check box and then click Revert Now. Click OK to close the Shadow Copies dialog box.
Each point-in-time backup is maintained separately. You can delete individual shadow copies of a volume as necessary. This recovers the disk space used by the shadow copies.
To delete a shadow copy, follow these steps:
Start Computer Management. If necessary, connect to a remote computer.
In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.
In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list.
Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time. Select the shadow copy you want to delete and then click Delete Now.
If you no longer want to maintain shadow copies of a volume, you can disable the Shadow Copy feature. Disabling this feature turns off the scheduling of automated point-in-time backups and removes any existing shadow copies.
To disable shadow copies of a volume, follow these steps:
Start Computer Management. If necessary, connect to a remote computer.
In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.
In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list and then click Disable.
When prompted, confirm the action by clicking Yes. Click OK to close the Shadow Copies dialog box.
Users can connect to a network drive and to shared resources available on the network. This connection is shown as a network drive that users can access like any other drive on their systems.
When users connect to network drives, they’re subject not only to the permissions set for the shared resources, but also to Windows Server 2003 file and folder permissions. Differences in these permission sets are usually the reason users might not be able to access a particular file or subfolder within the network drive.
In Windows Server 2003, you connect to a network drive by mapping to it using NET USE and the following syntax:
net use Device \\ComputerName\ShareName
where Device specifies the drive letter or * to use the next available drive letter and \\ComputerName\ShareName is the UNC path to the share, such as:
net use g: \\ROMEO\DOCS
Or
net use * \\ROMEO\DOCS
To ensure the mapped drive is available each time the user logs in, make the mapping persistent by adding the /Persistent:Yes option.
Another way to map network drives is to follow these steps:
While the user is logged on, start Windows Explorer on the user’s computer.
From the Tools menu, select Map Network Drive. This opens the Map Network Drive page.
Using the Drive drop-down list, you can now create a network drive for a shared resource. Select a free drive letter to create a network drive that can be accessed in Windows Explorer and My Computer. Select (None) to create a network drive without assigning a drive letter. This drive is opened in its own Windows Explorer window and can’t be accessed from My Computer.
In the Folder text box, type the UNC path to the desired share. For example, to access a share called DOCS on a server called ROMEO, you’d use the path \\ROMEO\DOCS. If you don’t know the share location, click Browse to search for available shares. After selecting the appropriate share, click OK to close the Browse For Folder dialog box.
If you want the network drive to be automatically connected in subsequent sessions, select the Reconnect At Logon check box. Otherwise, clear this check box to later establish a connection whenever you double-click the network drive.
To connect using a different user name from the logon name, click Different User Name, and then type a user name and password for the connection. Click OK to close the Connect As dialog box.
Click Finish to map the network drive.
To disconnect a network drive, follow these steps:
Windows Server 2003 takes an object-based approach to describing resources and managing permissions. Objects that describe resources are defined on NTFS volumes and in Active Directory. With NTFS volumes, you can set permissions for files and folders. With Active Directory, you can set permissions for other types of objects, such as users, computers, and groups. You can use these permissions to control access with precision.
Whether defined on an NTFS volume or in Active Directory, each type of object has an object manager and primary management tools. The object manager controls object settings and permissions. The primary management tools are the tools of choice for working with the object. Objects, their managers, and management tools are summarized in Table 14-2.
Table 14-2. Windows Server 2003 Objects
Object Type | Object Manager | Management Tool |
---|---|---|
Files and folders | NTFS | Windows Explorer |
Shares | Server service | Windows Explorer; Computer Management |
Registry keys | Windows registry | Registry Editor |
Services | Service controllers | Security Configuration Tool Set |
Printers | Print spooler | Printers in Control Panel |
It’s important to understand the concept of object ownership. In Windows Server 2003, the object owner isn’t necessarily the object’s creator. Instead, the object owner is the person who has direct control over the object. Object owners can grant access permissions and give other users permission to take ownership of the object.
As an administrator, you can take ownership of objects on the network. This ensures that authorized administrators can’t be locked out of files, folders, printers, and other resources. After you take ownership of files, however, you can’t return ownership to the original owner (in most cases). This prevents administrators from accessing files and then trying to hide the fact.
The way ownership is assigned initially depends on the location of the resource being created. In most cases, however, the Administrators group is listed as the current owner and the object’s actual creator is listed as a person who can take ownership.
Ownership can be transferred in several ways:
If Administrators is initially assigned as the owner, the creator of the object can take ownership, provided he or she does this before someone else takes ownership.
The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership of the object.
An administrator can take ownership of an object, provided the object is under his or her administrative control.
To take ownership of an object, follow these steps:
Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.
Right-click the object of which you want to take ownership.
From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.
Display the Access Security Settings dialog box by clicking Advanced. Then click the Owner tab, shown in Figure 14-9.
Select the new owner in the Change Owner To list box, and then click OK.
Objects are defined using a parent-child structure. A parent object is a top-level object. A child object is an object defined below a parent object in the hierarchy. For example, the folder C:\ is the parent of the folders C:\data and C:\backups. Any subfolders created in C:\data or C:\backups are children of these folders and grandchildren of C:\.
Child objects can inherit permissions from parent objects. In fact, all Windows Server 2003 objects are created with inheritance enabled by default. This means that child objects automatically inherit the permissions of the parent. Because of this, the parent object permissions control access to the child object. If you want to change permissions on a child object, you must:
Edit the permissions of the parent object.
Stop inheriting permissions from the parent object, and then assign permissions to the child object.
Select the opposite permission to override the inherited permission. For example, if the parent allows the permission, you’d deny it on the child object.
To start or stop inheriting permissions from a parent object, follow these steps:
Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.
Right-click the object with which you want to work.
From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.
Display the Advanced Security Settings dialog box by clicking Advanced.
In the Permissions tab, select or clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box as appropriate. Click OK.
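The two procedures above (taking ownership and stopping inheritance) carried out from PowerShell instead of the Properties dialog. This is an added example, not code from the book; it assumes the folder C:\data from the text exists and that you run it as a member of the local Administrators group.

```powershell
# Added example: take ownership of a folder and stop permission inheritance
# from PowerShell. Assumes C:\data exists and the caller is a member of
# BUILTIN\Administrators (required to take ownership).
param([string]$Path = 'C:\data')

# BUILTIN\Administrators by well-known SID, so the script is language-neutral.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# --- Take ownership (the "Owner" tab step) ---
$acl = Get-Acl -Path $Path
"Current owner: $($acl.Owner)"
$acl.SetOwner($admins)
Set-Acl -Path $Path -AclObject $acl

# --- Stop inheriting permissions from the parent ---
# SetAccessRuleProtection(isProtected, preserveInheritance):
#   $true  = clear "Allow Inheritable Permissions From The Parent To Propagate..."
#   $true  = copy the inherited entries onto this object as explicit entries
#            (the "Copy" choice in the dialog), so nobody silently loses access.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# --- Verify: owner, inheritance state, and the now-explicit entries ---
$acl = Get-Acl -Path $Path
"New owner:           $($acl.Owner)"
"Inheritance blocked: $($acl.AreAccessRulesProtected)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```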
On NTFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps:
In Windows Explorer, right-click the file or folder with which you want to work.
From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.
In the Name list box, select the user, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.
The basic permissions you can assign to files and folders are summarized in Table 14-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.
Table 14-3. File and Folder Permissions Used by Windows Server 2003
Permission | Meaning for Folders | Meaning for Files |
---|---|---|
Read | Permits viewing and listing files and subfolders | Permits viewing or accessing the file’s contents |
Write | Permits adding files and subfolders | Permits writing to a file |
Read & Execute | Permits viewing and listing files and subfolders as well as executing files; inherited by files and folders | Permits viewing and accessing the file’s contents as well as executing the file |
List Folder Contents | Permits viewing and listing files and subfolders as well as executing files; inherited by folders only | N/A |
Modify | Permits reading and writing of files and subfolders; allows deletion of the folder | Permits reading and writing of the file; allows deletion of the file |
Full Control | Permits reading, writing, changing, and deleting files and subfolders | Permits reading, writing, changing, and deleting the file |
Anytime you work with file and folder permissions, you should keep the following in mind:
Read is the only permission needed to run scripts. Execute permission doesn’t matter.
Read access is required to access a shortcut and its target.
Giving a user permission to write to a file but not to delete it doesn’t prevent the user from deleting the file’s contents: a user with Write access can still empty the file.
If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.
The basic permissions are created by combining special permissions in logical groups. Table 14-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:
By default, if no access is specifically granted or denied, the user is denied access.
Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups of which the user is a member. For example, if the user GeorgeJ has Read access and is a member of the group Techies that has Change access, GeorgeJ will have Change access. If Techies is in turn a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file.
Table 14-4. Special Permissions for Files
Special Permission | Full Control | Modify | Read & Execute | Read | Write |
---|---|---|---|---|---|
Traverse Folder/Execute File | Yes | Yes | Yes | | |
List Folder/Read Data | Yes | Yes | Yes | Yes | |
Read Attributes | Yes | Yes | Yes | Yes | |
Read Extended Attributes | Yes | Yes | Yes | Yes | |
Create Files/Write Data | Yes | Yes | | | Yes |
Create Folders/Append Data | Yes | Yes | | | Yes |
Write Attributes | Yes | Yes | | | Yes |
Write Extended Attributes | Yes | Yes | | | Yes |
Delete Subfolders and Files | Yes | | | | |
Delete | Yes | Yes | | | |
Read Permissions | Yes | Yes | Yes | Yes | Yes |
Change Permissions | Yes | | | | |
Take Ownership | Yes | | | | |
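The "sum of all permissions" rule from the GeorgeJ/Techies example, modelled in PowerShell on the .NET FileSystemRights flags that the special permissions in Table 14-4 correspond to. This is an added example, not from the book: the ACL and the SIDs for GeorgeJ, Techies and Administrators are constructed in memory so it runs offline, and the text’s "Change" access for Techies is taken as Modify (an assumption).

```powershell
# Added example (not from the book): compute the effective rights a user gets
# from the Allow entries for the user and all of its groups, then remove any
# Deny entries (the way an explicit Deny on a child object overrides an
# inherited Allow), and report which basic permissions are fully satisfied.
$FSR = [System.Security.AccessControl.FileSystemRights]

function Get-EffectiveFileRights {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier[]]$Identities   # the user plus every group it belongs to
    )
    $ids   = $Identities | ForEach-Object { $_.Value }
    $allow = 0
    $deny  = 0
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($ids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$rule.FileSystemRights }
        else                                     { $deny  = $deny  -bor [int]$rule.FileSystemRights }
    }
    # No matching entry at all leaves $allow at 0: access is denied by default.
    $effective = $allow -band (-bnot $deny)

    # A basic permission is "granted" only if every special permission it is
    # built from (see Table 14-4) is present in the effective rights.
    $basic = @{
        'Full Control'   = [int]$FSR::FullControl
        'Modify'         = [int]$FSR::Modify
        'Read & Execute' = [int]$FSR::ReadAndExecute
        'Read'           = [int]$FSR::Read
        'Write'          = [int]$FSR::Write
    }
    $granted = 'Full Control', 'Modify', 'Read & Execute', 'Read', 'Write' |
        Where-Object { ($effective -band $basic[$_]) -eq $basic[$_] }
    New-Object PSObject -Property @{
        Identities       = $ids -join ', '
        EffectiveRights  = [System.Security.AccessControl.FileSystemRights]$effective
        BasicPermissions = @($granted) -join ', '
    }
}

# Constructed SIDs standing in for the user GeorgeJ, the group Techies, and
# BUILTIN\Administrators (S-1-5-32-544 is the real well-known SID).
$georgeJ = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1000-2000-3000-1105'
$techies = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1000-2000-3000-1201'
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# In-memory ACL matching the text: GeorgeJ has Read, Techies has Modify
# (taken as the text's "Change"), Administrators has Full Control.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($georgeJ, 'Read',        'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($techies, 'Modify',      'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins,  'FullControl', 'Allow')))

# GeorgeJ alone; GeorgeJ as a member of Techies; Techies nested in Administrators.
Get-EffectiveFileRights -Acl $acl -Identities $georgeJ
Get-EffectiveFileRights -Acl $acl -Identities $georgeJ, $techies
Get-EffectiveFileRights -Acl $acl -Identities $georgeJ, $techies, $admins

# An explicit Deny of Delete for Techies (what you would set on a child object to
# override an inherited Allow) strips the Delete special permission, so the
# Modify and Full Control rows of Table 14-4 are no longer fully satisfied.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($techies, 'Delete', 'Deny')))
Get-EffectiveFileRights -Acl $acl -Identities $georgeJ, $techies, $admins
```

Resolving a real user's group membership from the local SAM or Active Directory is not shown; the function expects that list as input.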
Table 14-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind:
When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions.
When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions.
Table 14-5. Special Permissions for Folders
Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
---|---|---|---|---|---|---|
Traverse Folder/Execute File | Yes | Yes | Yes | Yes | | |
List Folder/Read Data | Yes | Yes | Yes | Yes | Yes | |
Read Attributes | Yes | Yes | Yes | Yes | Yes | |
Read Extended Attributes | Yes | Yes | Yes | Yes | Yes | |
Create Files/Write Data | Yes | Yes | | | | Yes |
Create Folders/Append Data | Yes | Yes | | | | Yes |
Write Attributes | Yes | Yes | | | | Yes |
Write Extended Attributes | Yes | Yes | | | | Yes |
Delete Subfolders And Files | Yes | | | | | |
Delete | Yes | Yes | | | | |
Read Permissions | Yes | Yes | Yes | Yes | Yes | Yes |
Change Permissions | Yes | | | | | |
Take Ownership | Yes | | | | | |
To set permissions for files and folders, follow these steps:
In Windows Explorer, right-click the file or folder with which you want to work.
From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab, shown in Figure 14-10.
Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following:
Select the user or group you want to change.
Use the Permissions list box to grant or deny access permissions.
To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 14-11.
Type the name of a user, computer, or group in the current domain and then click Check Names.
If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
If no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or click Locations to select a new location.
If multiple matches are found, select the name(s) you want to use and then click OK. To add more users, computers, or groups, type a semicolon (;) and then repeat this step.
The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.
In the Name list box, select the user, computer, or group you want to configure, and then use the check boxes in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups. Click OK when you’re finished.
Auditing is the best way to track what’s happening on your Windows Server 2003 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Any time an action occurs that you’ve configured for auditing, the action is written to the system’s security log, where it’s stored for your review. The security log is accessible from Event Viewer.
For most auditing changes, you’ll need to be logged on using an account that’s a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.
Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies for individual machines with local Group Policy and for all machines in domains with Active Directory Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.
After you access the Group Policy container with which you want to work, you can set auditing policies by completing the following steps:
As shown in Figure 14-12, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.
The auditing options are as follows:
Audit Account Logon Events. Tracks events related to user logon and logoff.
Audit Account Management. Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.
Audit Directory Service Access. Tracks access to Active Directory. Events are generated any time users or computers access the directory.
Audit Logon Events. Tracks events related to user logon, logoff, and remote connections to network systems.
Audit Object Access. Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.
Audit Policy Change. Tracks changes to user rights, auditing, and trust relationships.
Audit Privilege Use. Tracks the use of user rights and privileges, such as the right to back up files and directories.
Audit Process Tracking. Tracks system processes and the resources they use.
Audit System Events. Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.
To configure an auditing policy, double-click its entry or right-click and select Properties. This opens a properties dialog box for the policy.
Select the Define These Policy Settings check box, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.
Click OK when you’re finished.
When auditing is enabled, the Security Event log will reflect the following:
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is available only on NTFS volumes.
You can configure file and folder auditing by completing the following steps:
In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties.
Click the Security tab and then click Advanced.
In the Access Control Settings dialog box, click the Auditing tab, shown in Figure 14-13.
If you want to inherit auditing settings from a parent object, ensure that the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box is selected.
If you want child objects of the current object to inherit the settings, select the Replace Auditing Entries On All Child Objects With Entries Shown Here That Apply To Child Objects check box.
Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, you’ll see the Auditing Entry For ... dialog box, shown in Figure 14-14.
As necessary, use the Apply Onto drop-down list to specify where objects are audited.
Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 14-5—except you can’t audit synchronizing of offline files and folders. For essential files and folders, you’ll typically want to track:
Write Attributes – Successful
Write Extended Attributes – Successful
Delete Subfolders and Files – Successful
Delete – Successful
Change Permissions – Successful
Clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object checkbox.
Click OK when you’re finished. Repeat this process to audit other users, groups, or computers.
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for keys within the Registry. This allows you to track when key values are set, when subkeys are created, and when keys are deleted.
You can configure Registry auditing by completing the following steps:
At a command prompt, type regedit.
Browse to a key you want to audit. On the Edit menu, select Permissions.
Click Advanced. In the Advanced Security Settings For ... dialog box, select the Auditing tab.
Click Add. In the Select User, Computer, Or Group dialog box, type Everyone, click Check Names, and then click OK.
In the Auditing Entries For ... dialog box, choose the actions you want to audit. Typically, you’ll want to track:
Set Value – Successful and Failed
Create Subkey – Successful and Failed
Delete – Successful and Failed
Click OK.
Clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
Click OK twice to close all open dialog boxes and apply the auditing settings.
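The file/folder auditing procedure and the Registry auditing procedure above, done from PowerShell with the audit entries the text recommends. This is an added example, not code from the book; it assumes the Audit Object Access policy is already enabled, that the caller is an administrator, and that the folder C:\data and the placeholder key HKLM:\SOFTWARE\Contoso exist.

```powershell
# Added example (not from the book): write the recommended audit entries
# (SACL) for a folder and a registry key. Assumes Audit Object Access is
# enabled in Group Policy, the caller is an administrator (SeSecurityPrivilege
# is needed to read or write SACLs), and both paths exist.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone, by well-known SID

# --- Folder: Write Attributes, Write Extended Attributes, Delete Subfolders
#     and Files, Delete, Change Permissions; Successful only ---
$folder = 'C:\data'
$acl    = Get-Acl -Path $folder -Audit      # -Audit reads the SACL, not just the DACL
$rights = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights,
    'ContainerInherit, ObjectInherit',      # Apply Onto: this folder, subfolders and files
    'None',
    'Success')
$acl.AddAuditRule($rule)
# Clear "Allow Inheritable Auditing Entries From Parent To Propagate To This Object":
# isProtected = $true; preserveInheritance = $true keeps copies of any entries
# that were inherited instead of discarding them.
$acl.SetAuditRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl

# --- Registry key: Set Value, Create Subkey, Delete; Successful and Failed ---
$key  = 'HKLM:\SOFTWARE\Contoso'            # placeholder key name
$acl  = Get-Acl -Path $key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    'ContainerInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
$acl.SetAuditRuleProtection($true, $true)
Set-Acl -Path $key -AclObject $acl

# --- Verify what each SACL now contains ---
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
(Get-Acl -Path $key -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

Matching events then appear in the Security log, where Event Viewer (or Get-EventLog -LogName Security) shows them.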
If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.
To configure object auditing, follow these steps:
In Active Directory Users And Computers, access the container for the object.
Right-click the object to be audited, and then, from the shortcut menu, select Properties.
Click the Security tab, and then click Advanced.
In the Access Security Settings dialog box, click the Auditing tab. To inherit auditing settings from a parent object, make sure that the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box is selected.
Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box and then click Remove.
To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.
Use the Apply Onto drop-down list to specify where objects are audited.
Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as a successful attempt to modify an object’s permissions. Failed logs failed events, such as a failure to modify an object’s owner.
Click OK when you’re finished. Repeat this process to audit other users, groups, or computers.
Windows Server 2003 supports two different types of disk quotas:
NTFS Disk Quotas. NTFS disk quotas are supported with all versions of Windows Server 2003 and allow you to manage disk space usage by users. You configure quotas on a per-volume basis. Although users who exceed limits will see warnings, administrator notification is primarily through the event logs.
Storage Resource Manager Disk Quotas. Storage Resource Manager disk quotas are supported in Windows Server 2003 R2 and allow you to manage disk space usage by folder and by volume. Users who are approaching or have exceeded a limit can be automatically notified by e-mail. The notification system also allows for notifying administrators by e-mail, triggering incident reporting, running commands, and logging related events.
The sections that follow discuss NTFS disk quotas.
Regardless of the quota system being used, you can configure quotas only for NTFS volumes. You can’t create quotas for FAT or FAT32 volumes.
Administrators use NTFS disk quotas to manage disk space usage for critical volumes, such as those that provide corporate data shares or user data shares. When you enable NTFS disk quotas, you can configure two values:
Disk quota limit. Sets the upper boundary for space usage, which you can use to prevent users from writing additional information to a volume and to log events regarding the user exceeding the limit, or both.
Disk quota warning. Warns users and logs warning events when users are getting close to their disk quota limit.
You can set disk quotas without enforcing them, and you might be wondering why you’d do this. Sometimes you want to track disk space usage on a per-user basis and know when users have exceeded some predefined limit, but instead of denying them additional disk space, you log an event in the application log to track the overage. You can then send out warning messages or figure out other ways to reduce the space usage.
NTFS disk quotas apply only to end users. NTFS disk quotas don’t apply to administrators. Administrators can’t be denied disk space even if they exceed enforced disk quota limits.
In a typical environment, you’ll restrict disk space usage in MB or GB. For example, on a corporate data share that’s used by multiple users in a department, you might want to limit disk space usage to 20 to 100 GB. For a user data share, you might want to set the level much lower, such as 5 to 20 GB, which would restrict the user from creating large amounts of personal data. Often you’ll set the disk quota warning as a percentage of the disk quota limit. For example, you might set the warning to 90 to 95 percent of the disk quota limit.
Because NTFS disk quotas are tracked on a per-volume, per-user basis, disk space used by one user doesn’t affect the disk quotas for other users. Thus, if one user exceeds his or her limit, any restrictions applied to this user don’t apply to other users. For example, if a user exceeds a 1 GB disk quota limit and the volume is configured to prevent writing over the limit, the user can no longer write data to the volume. Users can, however, remove files and folders from the volume to free up disk space. They could also move files and folders to a compressed area on the volume, which might free up space, or they could elect to compress the files themselves. Moving files to a different location on the volume doesn’t affect the quota restriction. The amount of file space will be the same unless the user is moving uncompressed files and folders to a folder with compression. In any case, the restriction on a single user doesn’t affect other users’ ability to write to the volume (as long as there’s free space on the volume).
You can enable NTFS disk quotas on the following:
Local volumes. To manage disk quotas on local volumes, you work with the local disk itself. When you enable disk quotas on a local volume, the Windows systems files are included in the volume usage for the user who installed those files. Sometimes this might cause the user to go over the disk quota limit. To prevent this, you might want to set a higher limit on a local workstation volume.
Remote volumes. To manage disk quotas on remote volumes, you must share the root directory for the volume and then set the disk quota on the volume. Remember, quotas are set on a per-volume basis, so if a remote file server has separate volumes for different types of data—that is, a corporate data volume and a user data volume—these volumes have different quotas.
Only members of the domain Administrators group or the local system Administrators group can configure disk quotas. The first step in using quotas is to enable quotas in Group Policy. You can do this at two levels:
Local. Through local group policy, you can enable disk quotas for an individual computer.
Enterprise. Through site, domain, and organizational unit policy you can enable disk quotas for groups of users and computers.
Having to keep track of disk quotas does cause some overhead on computers. This overhead is a function of the number of disk quotas being enforced, the total size of volumes and their data, and the number of users to which the disk quotas apply.
Although on the surface disk quotas are tracked per user, behind the scenes Windows Server 2003 manages disk quotas according to security identifiers (SIDs). Because SIDs track disk quotas, you can safely modify user names without affecting the disk quota configuration. Tracking by SIDs does cause some additional overhead when viewing disk quota statistics for users. That’s because Windows Server 2003 must correlate SIDs to user account names so that the account names can be displayed in dialog boxes. This means contacting the local user manager and the Active Directory domain controller as necessary.
After Windows Server 2003 looks up names, it caches them to a local file so that they can be available immediately the next time they’re needed. The query cache is infrequently updated, and if you notice a discrepancy between what’s displayed and what’s configured, you’ll need to refresh the information. Usually, this means selecting Refresh or pressing F5 in the current window.
The best way to configure NTFS disk quotas is through Group Policy. When you configure disk quotas through local policy or through unit, domain, and site policy, you define general policies that are set automatically when you enable quota management on individual volumes. Thus, rather than having to configure each volume separately, you can use the same set of rules and apply them to each volume you want to manage in turn.
Policies that control NTFS disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. Table 14-6 summarizes the available policies.
Table 14-6. Policies for Setting NTFS Disk Quotas
Policy Name | Description |
---|---|
Enable Disk Quotas | Turns disk quotas on or off for all NTFS volumes of the computer and prevents users from changing the setting. |
Enforce Disk Quota Limit | Specifies whether quota limits are enforced. If quotas are enforced, users will be denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume. |
Default Quota Limit And Warning Level | Sets a default quota limit and warning level for all users. This setting overrides other settings and affects only new users. |
Log Event When Quota Limit Exceeded | Determines whether an event is logged when users reach their limit and prevents users from changing their logging options. |
Log Event When Quota Warning Level Exceeded | Determines whether an event is logged when users reach the warning level. |
Apply Policy To Removable Media | Determines whether quota policies apply to NTFS volumes on removable media. If you don’t enable this policy, quota limits apply only to fixed media drives. |
Whenever you work with quota limits, you’ll want to use a standard set of policies on all systems. Typically, you won’t want to enable all the policies. Instead, you’ll selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:
Access Group Policy for the system with which you want to work, such as a file server. Then, access the Disk Quotas node by expanding Computer Configuration\Administrative Templates\System and then selecting Disk Quotas.
Double-click Enable Disk Quotas, and then, in the Setting tab, choose Enabled. Click Next Setting. This displays the Enforce Disk Quota Limit policy.
If you want to enforce disk quotas on all NTFS volumes residing on this computer, click Enabled. Otherwise, click Disabled and then set specific limits on a per-volume basis.
Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box. Select Enabled.
Under Default Quota Limit, set a default limit that’s applied to users when they first write to the quota-enabled volume. The limit doesn’t apply to current users or affect current limits in place. On a corporate share, such as a share used by all members of a team, a good limit is between 500 and 1000 MB. Of course, this depends on the size of the data files that the users routinely work with. Graphic designers and data engineers might need much more disk space.
If you scroll down in the subwindow provided in the Setting tab, you’ll be able to set a warning limit as well. A good warning limit is about 90 percent of the default quota limit, which means that if you set the default quota limit to 1000 MB, you’d set the warning limit to 900 MB.
Click Next Setting. This displays the Log Event When Quota Limit Exceeded policy. Select Enabled so that limit events are recorded in the Application log.
Click Next Setting. This displays the Log Event When Quota Warning Level Exceeded policy. Select Enabled so that warning events are recorded in the Application log.
Click Next Setting. This displays the Apply Policy To Removable Media policy. Select Disabled so that the quota limits apply only to fixed media volumes on the computer. Click OK.
To ensure that the policies are enforced immediately, access the Computer Configuration\Administrative Templates\System\Group Policy node and then double-click Disk Quota Policy Processing. Next, select Enabled and then select the Process Even If The Group Policy Objects Have Not Changed check box. Click OK.
You can set NTFS disk quotas on a per-volume basis. Only NTFS volumes can have disk quotas. After you’ve configured the appropriate group policies, you can set disk quotas for local and remote volumes using Computer Management.
If quotas are enforced using the Enforce Disk Quota Limit policy setting, users will be denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.
To enable NTFS disk quotas on an NTFS volume, follow these steps:
Start Computer Management. If necessary, connect to a remote computer.
In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.
Using the Volume List or Graphical View, right-click the volume you want to work with and then select Properties.
Click the Quota tab and then select the Enable Quota Management check box, as shown in Figure 14-15. If you’ve already set quota management values through Group Policy, the options are dimmed and you can’t change them. You must modify options through Group Policy instead.
Figure 14-15. After you enable quota management, you can configure a quota limit and quota warning for all users. If you’ve already set these values through Group Policy, the options are dimmed and you can’t change them.
Whenever you work with the Quota tab, pay particular attention to the Status text and the associated traffic light icon. Both change based on the state of quota management. If quotas aren’t configured, the traffic light icon shows a red light and the status shows as inactive or not configured. If the operating system is working or updating the quotas, the traffic light icon shows a yellow light and the status shows the activity being performed. If quotas are configured, the traffic light icon shows a green light and the status text states that the quota system is active.
To set a default disk quota limit for all users, select Limit Disk Space To and then use the text boxes provided to set a limit in KB, MB, GB, TB, PB, or EB. Afterward, use the Set Warning Level To text boxes to set the default warning limit. Again, you’ll usually want the disk quota warning limit to be 90–95 percent of the disk quota limit.
Although the default quota limit and warning applies to all users, you can configure different levels for individual users. You do this through the Quota Entries dialog box. If you create many unique quota entries and don’t want to recreate them on a volume with similar characteristics and usage, you can export the quota entries and import them on a different volume.
To enforce the disk quota limit and prevent users from going over the limit, select the Deny Disk Space To Users Exceeding Quota Limit check box. Keep in mind that this creates an actual physical limitation for users (but not administrators).
To configure logging when users exceed a warning limit or the quota limit, select the Log Event check boxes. Click OK to save your changes.
If the quota system isn’t currently enabled, you’ll see a prompt asking you to enable the quota system. Click OK to allow Windows Server 2003 to rescan the volume and update disk usage statistics. Actions might be taken against users who exceed the current limit or warning levels. These actions can include preventing additional writing to the volume, notifying them the next time they access the volume, and logging applicable events in the Application log.
Disk space usage is tracked on a per user basis. When disk quotas are enabled, each user storing data on a volume has an entry in the disk quota file. This entry is updated periodically to show the current disk space used, the applicable quota limit, the applicable warning level, and the percentage of allowable space being used. As an administrator, you can modify disk quota entries to set different limits and warning levels for particular users. You can also create disk quota entries for users who haven’t yet saved data on a volume. The key reason for creating entries is to ensure that when a user does make use of a volume, the user has an appropriate limit and warning level.
To view the current disk quota entries for a volume, follow these steps:
1. Start Computer Management. If necessary, connect to a remote computer.
2. In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.
3. Using the Volume List or Graphical View, right-click the volume with which you want to work and then select Properties.
4. In the Quota tab, click Quota Entries. This displays the Quota Entries dialog box. Each quota entry is listed according to a status. The status is meant to quickly show whether a user has gone over a limit. A status of OK means the user is working within the quota boundaries. Any other status usually means the user has reached the warning level or the quota limit.
You can create disk quota entries for users who haven’t yet saved data on a volume. This allows you to set custom limits and warning levels for a particular user. You’ll usually use this feature when a user frequently stores more information than other users and you want to allow the user to go over the normal limit or when you want to set a specific limit for administrators. As you might recall, administrators aren’t subject to disk quota limits, so if you want to enforce limits for individual administrators, you must create disk quota entries for each administrator you want to limit.
You shouldn’t create individual disk quota entries haphazardly. You need to track individual entries carefully. Ideally, you’ll keep a log that details any individual entries so that other administrators understand the policies in place and how those policies are applied. When you modify the base rules for quotas on a volume, you should reexamine individual entries to see if they’re still applicable or need to be updated as well. I’ve found that certain types of users are exceptions more often than not and that it’s sometimes better to put different classes of users on different volumes and then apply disk quotas to each volume. In this way, each class or category of user has a quota limit that’s appropriate for its members’ typical usage and you have fewer (perhaps no) exceptions. For example, you might use separate volumes for executives, managers, and users, or you might have separate volumes for management, graphic designers, engineers, and all other users.
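The per-user rules described above (the volume's default limit and warning level, the deny check box, the administrator exemption, and an explicit quota entry that overrides both, plus the replace-or-keep choice when entries are imported) as an added Python model; this is not code from the book or from Windows, and the class, status labels, user names and sizes are constructed for illustration.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class NtfsVolumeQuota:
    """Quota tab settings for one NTFS volume plus its Quota Entries (constructed model)."""
    default_limit: int                 # "Limit Disk Space To", in bytes
    default_warning: int               # "Set Warning Level To", in bytes
    deny_over_limit: bool              # "Deny Disk Space To Users Exceeding Quota Limit"
    administrators: set = field(default_factory=set)
    entries: dict = field(default_factory=dict)  # user -> (limit, warning); (None, None) = Do Not Limit Disk Usage

    def effective(self, user):
        """Limit and warning level that apply to user; None means unlimited."""
        if user in self.entries:          # an explicit quota entry always wins
            return self.entries[user]
        if user in self.administrators:   # administrators are exempt unless they have an entry
            return (None, None)
        return (self.default_limit, self.default_warning)

    def status(self, user, used):
        """Status shown for a user's current usage (labels are this model's own)."""
        limit, warning = self.effective(user)
        if limit is None:
            return "OK"
        if used >= limit:
            return "Above Limit"
        if used >= warning:
            return "Warning"
        return "OK"

    def can_write(self, user, used, size):
        """Whether a write of size bytes is accepted; only the deny check box blocks writes."""
        limit, _ = self.effective(user)
        if limit is None or not self.deny_over_limit:
            return True
        return used + size <= limit


def import_entries(target, exported, replace_existing):
    """Import entries exported from another volume; on a conflict the entry is
    replaced or kept according to the single choice applied to all entries."""
    for user, spec in exported.items():
        if user in target.entries and not replace_existing:
            continue
        target.entries[user] = spec
    return target
```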
To create a quota entry on a volume, follow these steps:
1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.
2. If the user doesn’t have an existing entry on the volume, you can create it by selecting New Quota Entry from the Quota menu. This opens the Select Users dialog box.
3. In the Select Users dialog box, type the name of the user you want to use in the Name text box and then click Check Names. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary and then click OK when you’re finished.
4. After you’ve selected a user, the Add New Quota Entry dialog box is displayed, as shown in Figure 14-16. You have several options. You can remove all quota restrictions for this user by selecting Do Not Limit Disk Usage. Or you can set a specific limit and warning level by selecting Limit Disk Space To and then entering the appropriate values in the fields provided. Click OK.
When you’ve created disk quota entries on a volume and a user no longer needs to use the volume, you can delete the associated disk quota entry. When you delete a disk quota entry, all files owned by the user are collected and displayed in a dialog box so that you can permanently delete the files, take ownership of the files, or move the files to a folder on a different volume.
To delete a disk quota entry for a user and manage the user’s remaining files on the volume, follow these steps:
1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.
2. Select the disk quota entry that you want to delete and then press the Delete key or select Delete Quota Entry from the Quota menu. You can select multiple entries using the Shift and Ctrl keys.
3. When prompted to confirm the action, click Yes. This displays the Disk Quota dialog box with a list of current files owned by the selected user or users.
4. Use the List Files Owned By selection list to display files for a user whose quota entry you’re deleting. You must now specify how the files for the user are to be handled. You can handle each file separately by selecting individual files and then choosing an appropriate option. You can select multiple files using the Shift and Ctrl keys. The options available are as follows:
   - Permanently Delete Files. Select the files to delete and then press Delete. When prompted to confirm the action, click Yes.
   - Take Ownership Of Files. Select the files of which you want to take ownership and then click Take Ownership.
   - Move Files To. Select the files that you want to move and then enter the path to a folder on a different volume in the field provided. If you don’t know the path that you want to use, click Browse to display the Browse For Folder dialog box, which you can use to find the folder. Once you find the folder, click Move.
5. Click Close when you’re finished managing the files. If you’ve appropriately handled all user files, the disk quota entries will be deleted.
Rather than recreating custom disk quota entries on individual volumes, you can export the settings from a source volume and then import the settings on another volume. You must format both volumes using NTFS. The steps you follow to export and then import disk quota entries are the following:
1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.
2. Select Export from the Quota menu. This displays the Export Quota Settings dialog box. Use the Save In drop-down list to choose the save location for the file containing the quota settings and then set a name for the file using the File Name text box. Afterward, click Save.
3. On the Quota menu, select Close to exit the Quota Entries dialog box.
4. Right-click Computer Management in the console tree. On the shortcut menu, select Connect To Another Computer. In the Select Computer dialog box, choose the computer containing the target volume. The target volume is the one on which you want to use the exported settings.
5. As explained previously, access the Properties dialog box for the target volume. Then click Quota Entries in the Quota tab. This displays the Quota Entries dialog box for the target volume.
6. Select Import on the Quota menu. Then, in the Import Quota Settings dialog box, select the quota settings file that you saved previously. Click Open.
7. If the volume had previous quota entries, you’ll have the opportunity to replace existing entries or keep existing entries. When prompted about a conflict, click Yes to replace an existing entry or click No to keep the existing entry. You can apply the option to replace or keep existing entries to all entries on the volume by selecting the Do This For All Quota Entries check box prior to clicking Yes or No.
You can disable quotas for individual users or all users on a volume. When you disable quotas for a particular user, the user is no longer subject to the quota restrictions but disk quotas are still tracked for other users. When you disable quotas on a volume, quota tracking and management are completely removed. To disable quotas for a particular user, follow the technique outlined in the section of this chapter entitled "Creating Disk Quota Entries." To disable quota tracking and management on a volume, follow these steps:
Windows Server 2003 R2 supports an enhanced quota management system called Storage Resource Manager Disk Quotas. Using Storage Resource Manager Disk Quotas, you can manage disk space usage by folder and by volume.
Because you manage Storage Resource Manager disk quotas separately from NTFS disk quotas, you can in fact configure a single volume to use both quota systems. However, it’s recommended that you use one quota system or the other rather than both. Alternately, if you’ve already configured NTFS disk quotas, you might want to continue using NTFS disk quotas on a per-volume basis and supplement this quota management with Storage Resource Manager disk quotas for important folders.
When you’re working with Windows Server 2003 R2, Storage Resource Manager disk quotas are another tool you can use to manage disk usage. You can configure Storage Resource Manager disk quotas on a per-volume basis and on a per-folder basis. You can set disk quotas with a specific limit as a hard limit, meaning a limit can’t be exceeded, or a soft limit, meaning a limit can be exceeded.
Generally, you’ll use hard limits when you want to prevent users from exceeding a specific disk usage limitation. You’ll use soft limits when you want to monitor usage and simply warn users who exceed or are about to exceed usage guidelines. All quotas have a quota path, which designates the base file path on the volume or folder to which the quota is applied. The quota applies to the designated volume or folder and all subfolders of the designated volume or folder. The particulars of how quotas work and how users are limited or warned are derived from a source template that defines the quota properties.
Windows Server 2003 R2 includes the quota templates listed in Table 14-7. Using the File Server Resource Manager, you can easily define additional templates that would then be available whenever you define quotas or you can set single-use custom quota properties when defining a quota.
Table 14-7. Disk Quota Templates
Quota Template | Limit | Quota Type | Description |
---|---|---|---|
100 MB Limit | 100 MB | Hard | Sends warnings to users as the limit is approached and exceeded. |
200 MB Limit Reports to User | 200 MB | Hard | Sends storage reports to the users who exceed the threshold. |
200 MB Limit With 50 MB Extension | 200 MB | Hard | Uses the DIRQUOTA command to grant an automatic one-time 50 MB extension to users who exceed the quota limit. |
250 MB Extended Limit | 250 MB | Hard | Meant to be used by those whose limit has been extended from 200 MB to 250 MB. |
Monitor 200 GB Volume Usage | 200 GB | Soft | Monitors volume usage and warns when the limit is approached and exceeded. |
Monitor 500 MB Share | 500 MB | Soft | Monitors share usage and warns when the limit is approached and exceeded. |
Quota templates or custom properties define the following:
Limit. The disk space usage limit
Quota type. Hard or soft
Notification thresholds. The types of notification that occur when usage reaches a specific percentage of the limit
Although each quota has a specific limit and type, you can define multiple notification thresholds as either a warning threshold or a limit threshold. Warning thresholds are considered to be any percentage of the limit that is less than 100 percent. Limit thresholds occur when the limit reached is 100 percent. For example, you could define warning thresholds that were triggered at 85 percent and 95 percent of the limit and a limit threshold that is triggered when 100 percent of the limit is reached.
Users who are approaching or have exceeded a limit can be automatically notified by e-mail. The notification system also allows for notifying administrators by e-mail, triggering incident reporting, running commands, and logging related events.
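The path quota model just described (a quota path that covers the folder or volume and all its subfolders, hard versus soft limits, warning thresholds below 100 percent and a limit threshold at 100 percent) as an added Python simulation; this is not code from the book or from File Server Resource Manager, and the folder paths, the templates taken from Table 14-7, and the fire-once notification behaviour are constructed assumptions.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

MB = 1024 * 1024


@dataclass
class QuotaTemplate:
    name: str
    limit: int                          # usage limit in bytes
    hard: bool                          # hard: cannot be exceeded; soft: only notifies
    thresholds: tuple = (85, 95, 100)   # percent of limit; below 100 = warning, 100 = limit


@dataclass
class Quota:
    path: str                           # quota path: the folder or volume plus all subfolders
    template: QuotaTemplate
    used: int = 0
    fired: set = field(default_factory=set)   # thresholds already notified (once each here)


def quotas_for(quotas, file_path):
    """Every quota whose path is the file's folder or one of its ancestors."""
    parents = PureWindowsPath(file_path).parents
    return [q for q in quotas if PureWindowsPath(q.path) in parents]


def attempt_write(quotas, file_path, size):
    """Simulate writing size bytes to file_path. Returns (allowed, notifications);
    each notification is (quota path, threshold percent, 'warning' or 'limit')."""
    affected = quotas_for(quotas, file_path)
    notes = []
    # A hard quota rejects the write and raises its limit threshold.
    for q in affected:
        if q.template.hard and q.used + size > q.template.limit:
            if 100 not in q.fired:
                q.fired.add(100)
                notes.append((q.path, 100, "limit"))
            return False, notes
    # Otherwise charge every applicable quota (nested paths are all charged)
    # and report each threshold crossed for the first time.
    for q in affected:
        q.used += size
        pct = q.used * 100 // q.template.limit
        for t in sorted(q.template.thresholds):
            if pct >= t and t not in q.fired:
                q.fired.add(t)
                notes.append((q.path, t, "warning" if t < 100 else "limit"))
    return True, notes
```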
You use disk quota templates to define quota properties, including the limit, quota type, and notification thresholds. In File Server Management, you can view the currently defined disk quota templates by expanding the File Server Resource Manager and Quota Management nodes and then selecting Quota Templates. Table 14-7 provided a summary of the default disk quota templates.
You can modify existing disk quota templates by completing the following steps:
1. In File Server Management, expand the File Server Resource Manager and Quota Management nodes and then select Quota Templates. Currently defined disk quota templates are listed by name, limit, and quota type.
2. To modify disk quota template properties, double-click the disk quota template name. This displays a related properties dialog box, as shown in Figure 14-17.
3. In the Settings tab, you can set the template name, limit, and quota type. Current notification thresholds are listed. To modify an existing threshold, select it and then click Edit. To define a new threshold, click Add.
4. When you’re finished modifying the quota template, click OK to save the changes.
You can create a new disk quota template by completing the following steps:
1. In File Server Management, expand the File Server Resource Manager and Quota Management nodes and then select Quota Templates.
2. On the Action menu or in the Actions pane, select Create Quota Template. This displays the Create Quota Template dialog box.
3. In the Settings tab, set the template name, limit, and quota type.
4. A limit threshold is already created. You should edit this threshold first and then create additional warning thresholds as necessary. Select Limit and then click Edit to define the limit threshold.
5. Click Add to add warning thresholds. In the Add Threshold dialog box, enter a percentage value under Generate Notifications When Usage Reaches (%). Warning thresholds are considered to be any percentage of the limit that is less than 100 percent. Limit thresholds occur when the limit reached is 100 percent.
6. In the E-mail Message tab, you can configure notification as follows:
   - To notify an administrator when the disk quota is triggered, select the Send E-Mail To The Following Administrators check box and then type the e-mail address or addresses to use. Be sure to separate multiple e-mail addresses with a semicolon. Use the value [Admin Email] to specify the default administrator as configured previously under the global options.
   - To notify users, select the Send E-Mail To The User Who Attempted To Save An Unauthorized File check box.
   - To specify the contents of the notification message, use the Subject and Message Body text boxes. Table 13-6, in Chapter 13, lists available variables and their meaning.
7. In the Event Log tab, you can configure event logging. Select the Send Warning To Event Log check box to enable logging and then use the Log Entry text box to specify the text of the log entry. Table 13-6 in Chapter 13 lists available variables and their meaning.
8. In the Report tab, select the Generate Reports check box to enable incident reporting and then select the types of reports to generate. Incident reports are stored under %SystemDrive%\StorageReports\Incident by default, and they can also be sent to designated administrators. Use the value [Admin Email] to specify the default administrator as configured previously under the global options.
9. Repeat Steps 5–8 to define additional notification thresholds. Click OK when you’re finished creating the template.
You use disk quotas to designate file paths that have specific usage limits. In File Server Management, you can view current disk quotas by expanding the File Server Resource Manager and Quota Management nodes and then selecting Quotas. Before you define disk quotas, you should specify screening file groups and disk quota templates that you will use, as discussed in Chapter 13 under "Managing the File Groups to Which Screens Are Applied" and in this chapter under "Managing Disk Quota Templates," respectively.
After you’ve defined the necessary file groups and disk quota templates, you can create a disk quota by completing the following steps:
1. In File Server Management, expand the File Server Resource Manager and Quota Management nodes and then select Quotas.
2. Select Create Quota on the Action menu or in the Actions pane.
3. In the Create Quota dialog box, set the local computer path for the quota by clicking Browse and then using the Browse For Folder dialog box to select the desired path, such as C:\Data. Click OK.
4. Use the Derive Properties From This Quota Template drop-down list to choose the disk quota template that defines the quota properties you want to use. Click Create.