Caution!!!

The sole purpose of this blog is to provide adequate references for Bachelor of Science in Computer Science and Information Technology (B.Sc.CSIT) students of Tribhuvan University of Nepal, and the posts are published according to the topics of the syllabus.

Misuse of the contents on this blog is strictly prohibited.

Thursday, March 8, 2012

Managing Access to Shared Folders



Introduction:
The Windows Server organizes files into directories that are graphically represented as folders. These folders contain all types of files and can contain subfolders. Some of these folders are reserved for operating system files and program files. Shared folders give users access to files and folders over a network. Users can connect to the shared folder over the network to access the folders and files they contain. Shared folders can contain applications, public data, or a user’s personal data.

What Are Shared Folders?
Sharing a folder is when a folder is made accessible to multiple users simultaneously over the network. After a folder is shared, users can access all of the files and subfolders in the shared folder if they are granted permission. You can place shared folders on a file server and also place them on any computer on the network. You can store files in shared folders according to categories or functions. For example, you can place shared data files in one shared folder and shared application files in another.

Characteristics of shared folders
Some of the most common characteristics of shared folders are as follows:
- A shared folder appears in Windows Explorer as an icon of a hand holding the folder.
- You can only share folders, not individual files. If multiple users need access to the same file, you must place the file in a folder and then share the folder.
- When a folder is shared, the Read permission is granted to the Everyone group as the default permission. Remove the default permission and grant the Change permission or Read permission to groups as needed.
- When users or groups are added to a shared folder, the default permission is Read.
- When you copy a shared folder, the original shared folder is still shared, but the copy is not shared. When a shared folder is moved to another location, the folder is no longer shared.
- You can hide a shared folder if you put a dollar sign ($) after the name of the shared folder. The user cannot see the shared folder in the user interface, but a user can access the shared folder by typing the Universal Naming Convention (UNC) name, for example, \\server\secrets$.

Creating a Shared Folder
When you create a shared folder, you give it a shared folder name and provide a comment that describes the folder and its contents. You can also limit the number of users who can access the folder, grant permissions, and share the same folder multiple times.

Procedure using Windows Explorer
To create a shared folder by using Windows Explorer:
1. In Windows Explorer, right-click the folder, and then click Sharing and Security.
2. In the Properties dialog box, on the Sharing tab, configure the options described in the following list:
- Share this folder: Click to share the folder.
- Share name: Enter the name that users from remote locations use to connect to the shared folder. The default shared folder name is the folder name. This option is required.
  Note: Some client computers that connect to a shared folder only see a limited number of characters.
- Description: Enter an optional description for the shared folder. You can use this comment to identify the contents of the shared folder.
- User Limit: Enter the number of users who can concurrently connect to the shared folder. This option is not required if you click Maximum Allowed. Current Windows client operating systems support up to 10 concurrent connections.
- Permissions: Click to set the shared folder permissions that apply only when the folder is accessed over the network. This option is not required. By default, the Everyone group is granted the Read permission for all new shared folders.
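
The same share settings applied from PowerShell, with the default Everyone entry removed and access granted to named groups, followed by a report of shares that are hidden or still allow broad groups. This is an added example, not part of the original post; it assumes the SmbShare module (Windows 8 / Windows Server 2012 or later), an elevated session on an English-language system, and placeholder share, path and group names.

```powershell
# Added example, not from the original post.
# Share name, path and group names are placeholders.

function New-RestrictedShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string]   $Description,
        [string[]] $ReadGroups,
        [string[]] $ChangeGroups,
        [uint32]   $UserLimit = 0            # 0 = maximum allowed
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder '$Path' does not exist."
    }

    # Pass only the options that were supplied.
    $params = @{ Name = $Name; Path = $Path; ConcurrentUserLimit = $UserLimit }
    if ($Description)  { $params.Description  = $Description }
    if ($ReadGroups)   { $params.ReadAccess   = $ReadGroups }
    if ($ChangeGroups) { $params.ChangeAccess = $ChangeGroups }
    New-SmbShare @params | Out-Null

    # If no groups were named, the share is created with Everyone: Read.
    # Remove that entry so access has to be granted explicitly.
    $everyone = Get-SmbShareAccess -Name $Name | Where-Object {
        $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
    }
    if ($everyone) {
        Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force | Out-Null
    }

    # Return the resulting share permissions for review.
    Get-SmbShareAccess -Name $Name
}

function Get-ShareExposure {
    # Groups treated as "broad" for this report (English account names).
    $broadAccounts = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

    foreach ($share in Get-SmbShare) {
        if ($share.Special) { continue }     # skip built-in ADMIN$, C$, IPC$

        $broad = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broadAccounts
        }

        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            # A trailing $ only hides the share from browsing; the share
            # permissions still decide who can open the UNC path.
            Hidden      = $share.Name.EndsWith('$')
            BroadAccess = ($broad | ForEach-Object {
                              "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        }
    }
}

# Example use (placeholder names):
# New-RestrictedShare -Name 'Reports' -Path 'D:\Shares\Reports' `
#     -Description 'Monthly reports' -ReadGroups 'CONTOSO\Report-Readers' `
#     -ChangeGroups 'CONTOSO\Report-Editors' -UserLimit 25
# Get-ShareExposure | Where-Object { $_.BroadAccess -or $_.Hidden } |
#     Format-Table -AutoSize
```

Share permissions apply only to network access; NTFS permissions on the folder are evaluated as well and are not changed by these functions.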

Connecting to Shared Folders
After you create a shared folder, users can access the folder across the network. Users can access a shared folder on another computer by using My Network Places, the Map Network Drive feature, or the Run command on the Start menu.

Procedure using the Run command
When you use the Run command on the Start menu to connect to a network resource, a drive letter is not required. This enables you to connect to the shared folder an unlimited number of times, independent of available drive letters.
1. Click Start, and then click Run.
2. In the Run dialog box, enter a UNC path, and then click OK.

Reference:
Eng. Eman R. Al-Kurdi
Islamic University of Gaza
Faculty of engineering
Computer Department.

Managing Access to Shared Files Using Offline Caching



Offline Files is an important document-management feature that provides the user with
consistent online and offline access to files. When the client disconnects from the network,
anything that has been downloaded to the local cache remains available. Users can
continue working as though they were still connected to the network. They can continue
editing, copying, deleting, and so forth.

Offline File Caching Options:
Offline Files caches files that are often accessed from a shared folder. This is similar to the
way in which a Web browser keeps a cache of recently visited Web sites. When you create
shared folders on the network, you can specify the caching option for the files and
programs in that folder. There are three different caching options.

Manual caching of documents:
Manual caching of documents provides offline access for only the files and programs that
the user specifies will be available. This caching option is ideal for a shared network
folder containing files that several people will access and modify. This is the default
option when you configure a shared folder to be available offline.
Automatic caching of documents:
With automatic caching of documents, all files and programs that users open from the
shared folder are automatically available offline. Files that the user does not open are not
available offline. Older copies are automatically overwritten by newer versions of files.
How Offline Files Are Synchronized?
A user can configure a file on a network to be available offline, provided that Offline Files
is enabled for the folder in which the file resides. When users configure files to be
available offline, the users work with the network version of the files while they are
connected to the network and then with a locally cached version of the files when they are
not connected to the network.

Synchronization events:
When a user configures a file to be available offline, the following synchronization events
occur when the user disconnects from the network:
- When the user logs off the network, the Windows client operating system synchronizes the network files with a locally cached copy of the file.
- While the computer is disconnected from the network, the user works with the locally cached copy of the file.
- When the user again logs on to the network, the Windows client operating system synchronizes any offline file that the user has modified with the network version of the file. If the file has been modified on both the network and the user’s computer, the Windows client operating system prompts the user to choose which version of the file to keep, or the user can rename one file and keep both versions.

How to Use Offline Caching?
To configure offline settings by using Windows Explorer:
1. In Windows Explorer, right-click the shared folder or drive for which you want to
configure offline access, and then click Sharing and Security.
2. In the Properties dialog box, on the Sharing tab, click Offline Settings.
3. In the Offline Settings dialog box, select the option that you want, and then click
OK.
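
The offline setting of every share can also be reviewed in one pass and switched off for shares whose files should not be copied into client caches. This is an added example, not part of the original post; it assumes the SmbShare module (Windows 8 / Windows Server 2012 or later) and an elevated session, the share names in the usage comment are placeholders, and the CachingMode values are that module's names for the caching options.

```powershell
# Added example, not from the original post.

function Get-ShareCachingReport {
    # SmbShare CachingMode values and what each allows clients to keep offline.
    $meaning = @{
        'None'        = 'Files are not available offline'
        'Manual'      = 'Manual caching: only files the user selects'
        'Documents'   = 'Automatic caching of documents the user opens'
        'Programs'    = 'Automatic caching of programs and documents'
        'BranchCache' = 'BranchCache with manual caching of documents'
    }

    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $mode = [string]$_.CachingMode
        [pscustomobject]@{
            Share       = $_.Name
            Path        = $_.Path
            CachingMode = $mode
            Meaning     = $meaning[$mode]
        }
    }
}

function Disable-ShareCaching {
    # Turns offline caching off for the named shares. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ShareName
    )

    foreach ($name in $ShareName) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if (-not $share) {
            Write-Warning "Share '$name' not found."
            continue
        }
        if ([string]$share.CachingMode -eq 'None') { continue }   # already off

        if ($PSCmdlet.ShouldProcess($name, 'Set CachingMode to None')) {
            Set-SmbShare -Name $name -CachingMode None -Force
        }
    }
}

# Example use (placeholder share names):
# Get-ShareCachingReport | Format-Table -AutoSize
# Disable-ShareCaching -ShareName 'Payroll', 'HR$' -WhatIf
```

Changing the setting on the share does not remove copies that clients have already cached.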

Reference:
Eng. Eman R. Al-Kurdi
Islamic University of Gaza
Faculty of engineering
Computer Department.

Creating a Computer Object


Computers are represented as accounts and objects in Active Directory, just as users are. In
fact, behind the scenes, a computer logs on to the domain just as a user does. The computer
has a user name—the computer’s name with a dollar sign appended, for instance,
DESKTOP101$—and a password that is established when you join the computer to the
domain, and it’s changed automatically every thirty days or so thereafter. To create a computer
object in Active Directory:
1. Open the Active Directory Users And Computers snap-in.
2. In the console tree, expand the node that represents your domain (such as contoso.com)
and navigate to the OU or container (for instance, Users) in which you want to create the
computer.
3. Right-click the OU or container, choose New, and then select Computer.
The New Object – Computer dialog box appears, as seen in Figure 2-7.
4. In the Computer Name box, type the computer’s name.
Your entry will automatically populate the Computer Name (Pre-Windows 2000) box.
5. Do not change the name in the Computer Name (Pre-Windows 2000) box.
6. The account specified in the User Or Group field will be able to join the computer to the
domain. The default value is Domain Admins. Click Change to select another group or
user.
Generally, you will select a group that represents your deployment, desktop support,
or help desk team. You can also select the user to whom the computer is assigned. You
will explore the issues related to joining the computer to the domain in Chapter 5,
“Computers.”
7. Do not select the check box labeled Assign This Computer Account As A Pre-Windows
2000 Computer unless the account is for a computer running Microsoft Windows NT 4.0.
8. Click OK.
Computer objects have a number of properties that are useful to configure. These can be
specified after the object has been created.
9. Right-click the computer and choose Properties.
10. Enter the properties for the computer.
Be sure to follow the naming conventions and other standards of your organization.
The computer’s Description field can be used to indicate who the computer is assigned
to, its role (for instance, a training-room computer), or other descriptive information.
Because Description is visible in the details pane of the Active Directory Users And Computers
snap-in, it is a good place to store the information you find most useful to know
about a computer.
There are several properties that describe the computer, including DNS Name, DC Type,
Site, Operating System Name, Version, and Service Pack. These properties will be populated
automatically when the computer joins the domain.
The Managed By tab can be used to link to the user or group responsible for the computer.
Click the Change button underneath the Name box. To search for groups, you
must first click the Object Types button and select Groups. The Select Users, Contacts,
Or Groups dialog box is discussed later in this lesson. The remaining contact information
on the Managed By tab is populated from the account specified in the Name box.
The Managed By tab is typically used for contact information. Some organizations use
the tab to indicate the support team (group) responsible for the computer. Others use
the information to track the user to whom the computer is assigned.
11. Click OK.


Reference: Configuring Windows Server 2008 Active Directory
Dan Holme, Danielle Ruest, Nelson Ruest, Tony Northrup

Creating a Group Object


Groups are an important class of object because they are used to collect users, computers, and
other groups to create a single point of management. The most straightforward and common
use of a group is to grant permissions to a shared folder. If a group has been given read access
to a folder, for example, then any of the group’s members will be able to read the folder. You
do not have to grant read access directly to each individual member; you can manage access to
the folder simply by adding and removing members of the group.
To create a group:
1. Open the Active Directory Users And Computers snap-in.
2. In the console tree, expand the node that represents your domain (for instance, contoso.com)
and navigate to the OU or container (such as Users) in which you want to create
the group.
3. Right-click the OU or container, choose New, and then select Group.
The New Object – Group dialog box appears, as shown in Figure 2-6.
4. Type the name of the new group in the Group Name box.
Most organizations have naming conventions that specify how group names should be
created. Be sure to follow the guidelines of your organization.
By default, the name you type is also entered as the pre-Windows 2000 name of the new
group. It is very highly recommended that you keep the two names the same.
5. Do not change the name in the Group Name (Pre-Windows 2000) box.
6. Choose the Group type.
A Security group can be given permissions to resources. It can also be configured
as an e-mail distribution list.
A Distribution group is an e-mail–enabled group that cannot be given permissions
to resources and is, therefore, used only when a group is an e-mail distribution list
that has no possible requirement for access to resources.
Figure 2-6 The New Object – Group dialog box
7. Select the Group Scope.
A Global group is used to identify users based on criteria such as job function, location,
and so on.
A Domain local group is used to collect users and groups who share similar
resource access needs, such as all users who need to be able to modify a project
report.
A Universal group is used to collect users and groups from multiple domains.
Group scope will be discussed in more detail in Chapter 4, “Groups.”
Note that if the domain in which you are creating the group object is at a mixed or
interim domain functional level, you can select only Domain Local or Global scopes for
security groups. Domain functional levels will be discussed in Chapter 13, “Domains
and Forests.”
8. Click OK.
Group objects have a number of properties that are useful to configure. These can be
specified after the object has been created.
9. Right-click the group and choose Properties.
10. Enter the properties for the group.
Be sure to follow the naming conventions and other standards of your organization.
The group’s Members and Member Of tabs specify who belongs to the group and what
groups the group itself belongs to. Group membership will be discussed in Chapter 4.
The group’s Description field, because it is easily visible in the details pane of the Active
Directory Users And Computers snap-in, is a good place to summarize the purpose of
the group and the contact information for the individual(s) responsible for deciding
who is and is not a member of the group.
The group’s Notes field can be used to provide more detail about the group.
The Managed By tab can be used to link to the user or group that is responsible for the
group. Click the Change button underneath the Name box. To search for a group, you
must first click the Object Types button and select Groups. The Select User, Contact, Or
Group dialog box will be discussed later in this lesson.
The remaining contact information on the Managed By tab is populated from the account
specified in the Name box. The Managed By tab is typically used for contact information
so that if a user wants to join the group, you can decide who in the business should be
contacted to authorize the new member. However, if you select the Manager Can Update
Membership List option, the account specified in the Name box will be given permission
to add and remove members of the group. This is one method to delegate administrative
control over the group. Other delegation options are discussed in Lesson 3.
11. Click OK.


Reference: Configuring Windows Server 2008 Active Directory
Dan Holme, Danielle Ruest, Nelson Ruest, Tony Northrup

Creating a User Object


To create a new user in Active Directory, perform the following steps. Be certain to follow the
naming conventions and processes specified by your organization.
1. Open the Active Directory Users And Computers snap-in.
2. In the console tree, expand the node that represents your domain (for instance, contoso.com)
and navigate to the OU or container (for example, Users) in which you want to
create the user account.
3. Right-click the OU or container, choose New, and then select User.
The New Object – User dialog box appears, as shown in Figure 2-5.
4. In First Name, type the user’s first name.
5. In Initials, type the user’s middle initial(s).
Note that this property is, in fact, meant for the initials of a user’s middle name, not the
initials of the user’s first and last name.
6. In Last Name, type the user’s last name.
7. The Full Name field is populated automatically. Make modifications to it if necessary.
The Full Name field is used to create several attributes of a user object, most notably the common
name (CN), and to display name properties. The CN of a user is the name displayed in
the details pane of the snap-in. It must be unique within the container or OU. Therefore, if
you are creating a user object for a person with the same name as an existing user in the
same OU or container, you will need to enter a unique name in the Full Name field.
8. In User Logon Name, type the name that the user will log on with and, from the drop-down
list, select the user principal name (UPN) suffix that will be appended to the user
logon name following the @ symbol.
User names in Active Directory can contain some special characters (including periods,
hyphens, and apostrophes), which enable you to generate accurate user names such as
O’Hara and Smith-Bates. However, certain applications can have other restrictions, so it is
recommended to use only standard letters and numerals until you have fully tested the
applications in your enterprise for compatibility with special characters in logon names.
The list of available UPN suffixes can be managed using the Active Directory Domains
And Trusts snap-in. Right-click the root of the snap-in, Active Directory Domains And
Trusts, choose Properties, and then use the UPN Suffixes tab to add or remove suffixes.
The DNS name of your Active Directory domain will always be available as a suffix and
cannot be removed.
9. In the User logon name (Pre-Windows 2000) box of the Active Directory Users And
Computers snap-in, enter the pre-Windows 2000 logon name, often called the downlevel
logon name.
In Chapter 3, “Users,” you will learn about the two different logon names.
10. Click Next.
11. Enter an initial password for the user in the Password and Confirm Password boxes.
12. Select User Must Change Password At Next Logon.
It is recommended that you always select this option so that the user can create a new
password unknown to the IT staff. Appropriate support staff members can always reset
the user’s password at a future date if they need to log on as the user or access the user’s
resources. However, only users should know their passwords on a day-to-day basis.
13. Click Next.
14. Review the summary and click Finish.
The New Object – User interface enables you to configure a limited number of account-related
properties such as name and password settings. However, a user object in Active
Directory supports dozens of additional properties. These can be configured after the
object has been created.
15. Right-click the user object you created and choose Properties.
16. Configure user properties.
Be certain to follow the naming conventions and other standards of your organization.
You will learn more about many of the user properties in Chapter 3 and Chapter 8,
“Authentication.”
17. Click OK.


Reference: Configuring Windows Server 2008 Active Directory
Dan Holme, Danielle Ruest, Nelson Ruest, Tony Northrup

Creating an Organizational Unit

Organizational units (OUs) are administrative containers within Active Directory that are used
to collect objects that share common requirements for administration, configuration, or visibility.
What this means will become clearer as you learn more about OU design and management.
For now, just understand that OUs provide an administrative hierarchy similar to the
folder hierarchy of a disk drive: OUs create collections of objects that belong together for administration.
The term administration is emphasized here because OUs are not used to assign permissions
to resources—that is what groups are for. Users are placed into groups that are given
permission to resources. OUs are administrative containers within which those users and
groups can be managed by administrators.
To create an organizational unit:
1. Open the Active Directory Users And Computers snap-in.
2. Right-click the Domain node or the OU node in which you want to add the new OU,
choose New, and then select Organizational Unit.
3. Type the name of the organizational unit.
Be sure to follow the naming conventions of your organization.
4. Select Protect Container From Accidental Deletion.
You’ll learn more about this option later in this section.
5. Click OK.
OUs have other properties that can be useful to configure. These properties can be set
after the object has been created.
6. Right-click the OU and choose Properties.
Follow the naming conventions and other standards and processes of your organization.
You can use the Description field to explain the purpose of an OU.
If an OU represents a physical location, such as an office, the OU’s address properties
can be useful.
The Managed By tab can be used to link to the user or group that is responsible for the
OU. Click the Change button underneath the Name box. By default, the Select User,
Contact, Or Group dialog box that appears does not, despite its name, search for groups;
to search for groups, you must first click the Object Types button and select Groups.
You’ll learn about the Select Users, Contacts, Or Groups dialog box later in this lesson.
The remaining contact information on the Managed By tab is populated from the
account specified in the Name box. The Managed By tab is used solely for contact information—
the specified user or group does not gain any permissions or access to the OU.
7. Click OK.
The Windows Server 2008 administrative tools add a new option: Protect Container From
Accidental Deletion. This option adds a safety switch to the OU so that it cannot be accidentally
deleted. Two permissions are added to the OU: Everyone::Deny::Delete and
Everyone::Deny::Delete Subtree. No user, not even an administrator, will be able to delete the OU and its
contents accidentally. It is highly recommended that you enable this protection for all new OUs.
If you want to delete the OU, you must first turn off the safety switch. To delete a protected
OU, follow these steps:
1. In the Active Directory Users And Computers snap-in, click the View menu and select
Advanced Features.
2. Right-click the OU and choose Properties.
3. Click the Object tab.
If you do not see the Object tab, you did not enable Advanced Features in step 1.
4. Clear the check box labeled Protect Object From Accidental Deletion.
5. Click OK.
6. Right-click the OU and choose Delete.
7. You will be prompted to confirm that you want to delete the OU. Click Yes.
8. If the OU contains any other objects, you will be prompted by the Confirm Subtree Deletion
dialog box to confirm that you want to delete the OU and all the objects it contains. Click Yes.
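
The console procedures for creating an OU, a group, a user and a computer, carried out with the ActiveDirectory PowerShell module, followed by a check of the deny entries that the protection option adds and a domain-wide list of OUs that lack it. This is an added example, not code from the book or the blog; it assumes the RSAT ActiveDirectory module and rights to create objects, and every object name except DESKTOP101 is a placeholder.

```powershell
# Added example, not from the book or the blog post.
# All object names except DESKTOP101 are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName      # for contoso.com: DC=contoso,DC=com
$ouName   = 'Example Staff'
$ouDn     = "OU=$ouName,$domainDn"

# 1. OU with Protect Container From Accidental Deletion enabled.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
    -Description 'Placeholder OU for this example' `
    -ProtectedFromAccidentalDeletion $true

# 2. Global security group. Name and pre-Windows 2000 name are kept the same;
#    the description records the purpose and who decides on membership.
New-ADGroup -Name 'Example-Report-Readers' `
    -SamAccountName 'Example-Report-Readers' `
    -GroupCategory Security -GroupScope Global -Path $ouDn `
    -Description 'Read access to the Reports share. Owner: help desk.'

# 3. User who must replace the initial password at first logon, so that
#    the password is not known to IT staff afterwards.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password'
New-ADUser -Name 'Pat Example' -GivenName 'Pat' -Surname 'Example' `
    -SamAccountName 'pexample' `
    -UserPrincipalName "pexample@$($domain.DNSRoot)" `
    -Path $ouDn -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity 'Example-Report-Readers' -Members 'pexample'

# 4. Pre-created computer account; the logon name carries the trailing $.
New-ADComputer -Name 'DESKTOP101' -SamAccountName 'DESKTOP101$' -Path $ouDn `
    -Description 'Training-room computer'

# 5. Check: list the Everyone deny entries on the new OU. With protection
#    enabled they cover the Delete and Delete Subtree rights.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Deny'
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# 6. Audit: OUs anywhere in the domain that do not have the protection set.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```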


Reference: Configuring Windows Server 2008 Active Directory
Dan Holme, Danielle Ruest, Nelson Ruest, Tony Northrup

Managing Microsoft Server Environment Syllabus


Course Title: Managing Microsoft Server Environment
Course no: CSC-404
Full Marks: 70+10+20
Credit hours: 3
Pass Marks: 28+4+8

Nature of course: Theory (3 Hrs.) + Lab (3 Hrs.)

Course Synopsis:    It provides students with the knowledge and skills to manage accounts and resources in a Microsoft Windows Server™ 2003 environment.

Goal:   This course provides Information Technology (IT) professionals with the knowledge and skills to deploy and manage a Microsoft Server environment.

Course Contents:

Unit 1. Introduction to Administering Accounts and Resources                          7 Hrs.

Multimedia: Introduction to Administering Accounts and Resources, The Windows Server 2003 Family, Logging on to Windows Server 2003, Installing and Configuring, Administrative Tools, Creating User Accounts, Creating Computer Accounts Creating an Organizational Unit, Creating an Organizational Unit Hierarchy, Creating Computer Accounts Creating User Accounts

Unit 2. Managing User and Computer Accounts                                                   7 Hrs.

Modifying Users and Computer Account Properties, Enabling and Unlocking User and Computer Accounts, Creating a User Account Template, Locating User and Computer, Accounts in Active Directory, Saving Queries, Resetting User and Computer Accounts, Moving Domain Objects, Searching for and Moving User Accounts, Searching for and Moving Computer Accounts Searching for and Enabling User Accounts

Unit 3. Managing Groups                                                                                        4 Hrs.

Creating Groups, Managing Group Membership, Strategies for Using Groups, Modifying Groups, Using Default Groups Best Practices for Managing Groups

Unit 4. Managing Access to Resources                                                                    5 Hrs.

Managing Access to Shared Folders, Managing Access to Files and Folders Using NTFS
Permissions, Determining Effective Permissions, Managing Access to Shared Files Using Offline Caching, Configuring Access for Manufacturing Personnel, Configuring Access for Marketing Personnel Configuring Access for Purchasing Personnel

Unit 5. Implementing Printing                                                                                 3 Hrs.

Multimedia: Introduction to Printing in the Windows Server 2003 Family, Installing and Sharing Printers, Managing Access to Printers Using Shared Printer, Permissions, Managing Printer Drivers Implementing Printer Locations, Install Printers Browse Network Printers with Locations


Unit 6. Managing Printing                                                                                       2 Hrs.

Changing the Location of the Print Spooler, Setting Printer Priorities, Scheduling Printer Availability Configuring a Printing Pool, Creating Printing Pools Setting Printer Priorities and Availability



Unit 7. Managing Access to Objects in Organizational Units                                4 Hrs.

Multimedia: The Role of the Organizational Unit, Modifying Permissions for Active Directory Objects Delegating Control of Organizational Units, Delegating Administrative Control, Documenting Security of an Object Created in an Organizational Unit

Unit 8. Implementing Group Policy                                                                        4 Hrs.

Implementing Group Policy Objects, Implementing Group Policy Objects on a Domain Managing the Deployment of Group Policy, Creating and Linking GPOs, Configuring Group Filtering on GPOs, Configuring the Enforcement of GPOs, Configuring the Blocking of GPOs

Unit 9. Managing the User Environment by Using Group Policy                        4 Hrs.

Configuring Group Policy Settings, Assigning Scripts with Group Policy, Configuring Folder Redirection, Determining Applied GPOs, Creating a Group Policy, Generating a Group Policy, Modeling Report, Generating a Group Policy Results Report

Unit 10. Implementing Administrative Templates and Audit Policy                    5 Hrs.

Overview of Security in Windows Server 2003, Using Security Templates to Secure Computers, Testing Computer Security Policy, Configuring Auditing Managing Security Logs, Creating a Custom Template, Testing a Custom Template, Deploying a Custom, Template by Using a GPO, Configuring and Testing Security Audits of Organizational Units

Laboratory works:    Project on each unit

Text Books:                Managing a Microsoft Server 2003 Environment

Homework Assignment:   Assignments should be given from the above units throughout the semester.

Computer Usage:      No Specific

Prerequisite:              Student should have a strong understanding of Microsoft Windows Server

Category Content:    Science Aspect: 50%, Design Aspect: 50%