Windows Server 2003 File Sharing Management 林寶森


Introduction to Shared Folders
– Shared Folders Give Users Centralized Access to Network Files
– A Folder Must Be Shared Before a User Can Connect to It
– Permission to Use a Shared Folder Is Assigned to Users and Groups
[Diagram: User1 through User4 connecting to the shared folder Data on a server]

Who Can Access Shared Folders?
Windows Server 2003 Domain Controller
– Administrators Group
– Server Operators Group
A Member Server or Stand-Alone Server Running Windows Server 2003
– Administrators Group
– Power Users Group

Sharing a Folder
[Screenshot: Sharing tab of the Applications Properties dialog (tabs: General, Web Sharing, Sharing, Security)]
– "You can share this folder among other users on your network. To enable sharing for this folder, click Share this folder."
– Options: Do not share this folder / Share this folder
– Fields: Share name, Comment, User Limit (Maximum allowed / Allow Users)
– "To set permissions for how users access this folder over the network, click Permissions. To configure settings for offline access to this shared folder, click Caching."
– Sample values shown: Applications, Application files; callout labels: Required, Optional

Shared Folder Permissions
– Shared Folder Permissions: Read, Change, Full Control
– Shared Folder Permissions Are Cumulative
– Deny:
  – Overrides all other permissions
  – Is granted only if necessary

Granting Permissions and Modifying Shared Folder Settings
When You Grant Shared Folder Permissions:
– A shared folder can reside on a hard disk formatted with the NTFS, FAT, or FAT32 file system
– Users also need the appropriate NTFS permission on an NTFS volume
You Can Modify Shared Folder Settings to:
– Stop sharing a folder
– Modify permissions
– Create multiple shares for a shared folder
– Remove a share

What Are Published Shared Folders?
– A published shared folder is a shared folder object in Active Directory
– Clients can search Active Directory for shared folders that are published
– Clients do not need to know the name of the server to connect to a shared folder
– Publish shared folders that are relatively static and change infrequently
– Users can easily find shared folders even if the physical location of the folders changes
– You can publish any shared folders that are accessible by a UNC name

How to Publish a Shared Folder

Administrative Shared Folders
– Administrators Use Administrative Shared Folders to Perform Administrative Tasks
– Administrative Shared Folders Are Hidden From Normal Users
– Only Administrators Have the Full Control Permission
Share: Purpose
C$, D$, E$: The root of each partition is automatically shared
Admin$: The C:\Windows folder is shared as Admin$
Print$: The folder containing the printer driver files is shared as Print$ (created when the first printer is created)

Hide a Shared Folder
– Include a $ after the name of the shared folder
– Users can only access a hidden shared folder by typing the UNC, for example, \\server\secrets$

Connecting to a Network Resource
Methods to Use to Connect:
– My Network Places
– Search on Start Menu
– Internet Explorer
– Run Command
– Map Network Drive
[Diagram: Windows XP Professional client connecting to a Windows-based server]

Guidelines for Assigning Permissions
– Determine Which Groups Need Access to a Resource
– Assign Permissions to Local Groups Instead of Users
– Assign the Most Restrictive Permissions
– Change Default Permissions for a New Shared Folder

What Are Permissions?
– Permissions define the type of access granted to a user, group, or computer for an object
– You apply permissions to objects such as files, folders, shared folders, and printers
– You assign permissions to users and groups in Active Directory or on a local computer

Introduction to NTFS Permissions
– Available Only on NTFS Volumes
– Secure Files and Folders
– Effective When a User Accesses the Resource:
  – Locally (Interactive)
  – Remotely (Network)
[Diagram: User1, User2 and User3 with different permissions on the Suggestions folder of an NTFS volume on a server]

Permissions
– Can be allowed or denied
– Can be implicitly or explicitly denied
– Can be set as standard or special permission
[Screenshot: Access Control Settings for Domain Controllers dialog (tabs: Permissions, Auditing, Owner). Permission entries of type Allow for Authenticated Users, Domain Admins, SYSTEM, Administrators and Enterprise Admins, with permissions Special or Full Control. Notes shown: "This permission is defined directly on this object. This permission is not inherited by child objects." Apply to: This object only / This object and all child… Check box: "Allow inheritable permissions from parent to propagate to this object."]

Multiple NTFS Permissions
– NTFS Permissions Are Cumulative
– File Permissions Override Folder Permissions
– Deny Overrides Other Permissions
[Diagram: Folder A containing File1 and File2; labels: User1 Read, Group A Write, Read/Write, Group B Deny Write to File2]

What Are Standard and Special Permissions?
[Columns: Standard Permissions, Special Permissions]

Subsystems Overview

Security Components
Security Principals
– User, security group, service, and computer
– Identified by a unique ID
Security Identifiers (SIDs)
– Uniquely identify security principals
– Are never reused
Security Descriptors
– Security information associated with an object
– Contains DACLs and SACLs

Discretionary and System Access Control Lists
Discretionary Access Control List (DACL)
– Identifies the security principals that are allowed or denied access, and the level of access being allowed or denied
System Access Control List (SACL)
– Controls how object access will be audited
[Diagram: Security Descriptor made up of Header, Owner SID, Group SID, DACL and SACL; the ACLs contain ACEs]

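What Is Permissions Inheritance?
– Inherit permissions: FolderA (Read / Write) passes its permissions to FolderB, giving access to FolderB
– Prevent inheritance: FolderA (Read / Write) does not pass its permissions on, giving no access to FolderB
[Diagram labels: FolderA, FolderB, FolderC]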

Permissions Inheritance
– Child containers and their objects inherit permissions set on a parent container
– Inheritable permissions propagate from a parent object to a child object when:
  – A child object is created
  – The permissions on the parent object are modified
[Diagram: users are assigned access permissions on the parent container (User 1 Read, Group 1 Full Control); the same permissions are inherited by the child container]

Inheritance
– Eliminates the need to manually apply permissions to child objects
– Ensures that the permissions applied to a parent object are applied consistently to all child objects
– Ensures that when permissions on all objects within a container need to be changed, you only need to change the permissions on the parent object
– Ensures that when ACEs are directly applied to objects, the ACEs override any conflicting inherited ACEs
[Diagram: users are assigned access permissions on the parent object (DACL: User 1 Read, Group 1 Full Control); DACLs are inherited by child objects]

Setting Permission Inheritance
[Screenshot: Security tab of the Folder1 Properties dialog (tabs: General, Web Sharing, Sharing, Security). Name: Everyone. Permissions: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write. Check box: "Allow inheritable permissions from parent to propagate to this object."]
Prompt shown when the check box is cleared: "You are preventing any inheritable permissions from propagating to this object. What do you want to do?"
– To copy previously inherited permissions to this object, click Copy.
– To remove the inherited permissions and keep only the permissions explicitly specified on this object, click Remove.
– To abort this operation, click Cancel.

Object Ownership
– Every Object Has an Owner
– The Owner Controls How Permissions Are Set on an Object, and to Whom Permissions Are Assigned
– Object owners can always change permissions
– If a Member of the Administrators Group Takes Ownership, the Default Owner Is the Group, Not the Individual User
[Screenshot: Owner tab of the Access Control Settings for System1 dialog. Current owner of this item: Domain Admins (CONTOSO\Domain\Admins). Change owner to: Administrator (CONTOSO\Administrator), Administrators (CONTOSO\Administrators)]

Changing Object Ownership
Ownership Changes When:
– The current owner assigns the Modify Ownership permission to other users
– Members of the Domain Admins group take ownership of any object in the domain
[Screenshot: Owner tab of the Access Control Settings for System2 dialog. Current owner of this item: Domain Admins (ASIA1\Domain\Admins). Change owner to: Administrator (ASIA1\Administrator), Administrators (ASIA1\Administrators)]

Copying or Moving Folders and Files
[Diagram: Copy and Move of File-A; labels: File-A = RWX, File-A = New Permissions]

Effects on NTFS Permissions When Copying and Moving Files and Folders
– When you copy files and folders, they inherit permissions of the destination folder
– When you move files and folders within the same partition, they retain their permissions
– When you move files and folders to a different partition, they inherit the permissions of the destination folder
[Diagram: Copy or Move between NTFS partitions C:\, D:\ and E:\]

Combining Shared Folder and NTFS Permissions
– The Most Restrictive Permission Is the Effective Permission
[Diagram: User2 connects to the shared folder Public (share permission: Everyone R) on an NTFS volume; NTFS permissions: File-A FC, File-B R]

Combined NTFS and Shared Folder Permissions
[Diagram: NTFS partition C:\ with the Applications share (share permissions: Users Group FC, Users Read Only). Folder ACCTPKG: Accounting Full Control, Engineering No Access. Folder ENGPKG: Engineering Full Control, Accounting No Access. Users shown: Engineer, Accountant]

The Logon Process
1. User Logs On
2. Local Security Subsystem Obtains a Ticket for the User
3. Local Security Subsystem Requests a Workstation Ticket
4. Kerberos Service Sends a Workstation Ticket
5. Local Security Subsystem Constructs an Access Token
6. Access Token Is Attached to the User’s Process
[Diagram: Local Security Subsystem, Domain Controller running the Kerberos Service, Global Catalog, Tickets, Access Token]

Access Tokens
– Are created during the logon process and used whenever a user attempts to gain access to an object
– Contain a SID, a unique identifier used to represent a user or a group
– Contain Group ID, a list of the groups to which a user belongs
– Contain user rights, the privileges of a user
Access Token:
Security ID: S
Group IDs: Employees EVERYONE LOCAL
User Rights: SeChangeNotifyPrivilege - (attributes) 3, SeSecurityPrivilege - (attributes) 0

How Windows Grants Access to Resources
– User Application Sends Read Request
– Security Subsystem Checks Appropriate ACE in DACL for File
– ACE Found: Access Allowed, User 1 Read
– Read Allowed
[Diagram labels: Server1, Data, APP, User SID, Group SID, DACL, ACE, Security Subsystem]
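
Added example (not part of the original slides): a simplified Python model of the rules stated in the Multiple NTFS Permissions and Combining Shared Folder and NTFS Permissions slides, and of the DACL check described above. The rights bits, the account names used in place of SIDs, and User1's group memberships are assumptions made for illustration; real Windows uses SIDs and 32-bit access masks.

```python
from dataclasses import dataclass

# Simplified rights bits, constructed for this example (not real Windows access-mask values).
R, W, X, D, P, O = 1, 2, 4, 8, 16, 32
READ, WRITE = R, W
CHANGE = R | W | X | D             # share "Change" / NTFS "Modify"
FULL_CONTROL = CHANGE | P | O


@dataclass(frozen=True)
class Ace:
    kind: str                      # "allow" or "deny"
    trustee: str                   # account or group name standing in for a SID
    mask: int
    inherited: bool = False


def canonical(dacl):
    """Order ACEs: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def granted(token, dacl):
    """Walk the DACL in order; the first ACE that decides a right wins."""
    allowed = denied = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue               # ACE names a principal that is not in the token
        if ace.kind == "deny":
            denied |= ace.mask & ~allowed
        else:
            allowed |= ace.mask & ~denied
    return allowed                 # no matching ACE means implicit deny (0)


def effective(token, ntfs_dacl, share_dacl=None):
    """Local access uses NTFS only; network access is also limited by the share."""
    rights = granted(token, ntfs_dacl)
    if share_dacl is not None:
        rights &= granted(token, share_dacl)   # most restrictive wins
    return rights


def names(mask):
    return "".join(n for n, bit in zip("RWXDPO", (R, W, X, D, P, O)) if mask & bit) or "-"


# Constructed sample data modelled on the slide diagrams.
user1 = {"User1", "Group A", "Group B", "Everyone"}      # assumed memberships
folder_a = [Ace("allow", "User1", READ), Ace("allow", "Group A", WRITE)]
file1 = [Ace(a.kind, a.trustee, a.mask, inherited=True) for a in folder_a]
file2 = file1 + [Ace("deny", "Group B", WRITE)]          # explicit deny on the file
public_share = [Ace("allow", "Everyone", READ)]
file_a = [Ace("allow", "Everyone", FULL_CONTROL)]

if __name__ == "__main__":
    print("File1, local:          ", names(effective(user1, file1)))
    print("File2, local:          ", names(effective(user1, file2)))
    print("File-A, local:         ", names(effective(user1, file_a)))
    print("File-A, via Public:    ", names(effective(user1, file_a, public_share)))
    print("Unlisted account, File1:", names(effective({"Guest9"}, file1)))
```

Because explicit ACEs are evaluated before inherited ones, an explicit allow on a file also takes precedence over a deny inherited from the folder, which is the "File Permissions Override Folder Permissions" rule.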

Using Disk Quotas
– Usage Calculation Based on File and Folder Ownership
– Compression Ignored When Calculating Usage
– Free Space for Applications Based on Quota Limit
– Disk Quotas Tracked for Each NTFS Volume
– Disk Quotas Available Only on NTFS Volumes

What Is Distributed File System?
[Diagram: "Physical locations of folders" (User1, User2, User3, User4 and more users' folders on separate servers) beside "The structure that users see" (a single Dfs share, All Users, containing User1 to User4); labels: Dfs Root, Dfs Links]

Types of Dfs Roots
A Dfs Root Represents the Highest Level of the Dfs Topology. The Types of Dfs Roots Are:
Stand-Alone Dfs Root
– Is stored on a single computer
– Does not use Active Directory
– Cannot have root-level Dfs shared folders
– Can have only a single level of Dfs links
Domain-Based Dfs Root
– Hosted on a domain controller or member server
– Has its Dfs topology automatically stored in Active Directory
– Can have root-level Dfs shared folders
– Can have multiple levels of Dfs links

Accessing File Resources Through Dfs
– Client connects to a Dfs server
– Client receives a referral to the Dfs link
– Dfs client connects to the Dfs link
[Diagram: server hosting the Dfs root Sales Data with links North, East and South, and the server that holds the linked folder]

Adding Replicas for Fault Tolerance
Replicas Provide:
– Fault Tolerance
– Load Balancing
[Diagram: Server1, Server2 and Server3 each hold a replica of the Dfs share Sales Data with links North and East]

Configuring Replication
[Diagram: Server1 hosting the Dfs root (initial master) and Server2 hosting the Dfs root, each with Sales Data links North and East, replicating through Active Directory]

Introduction to Offline Files
– User Logs On: Local files are synchronized with server files
– User Is Disconnected from the Network: User works with the marked local copy of the file
– User Logs Off: Local files are synchronized with server files
[Diagram: Log on, Synchronize; Log off, Synchronize]

How Offline Files Are Synchronized
Disconnected from the network
– Windows Server 2003 synchronizes the network files with a locally cached copy of the file
– The user works with the locally cached copy
Logged on to the network
– Windows Server 2003 synchronizes offline files that the user has modified with the network version of the files
If a file has been modified in both locations
– The user is prompted to choose which version of the file to keep or to rename one file and keep both versions

Configuring a Server for Offline Files
– Manual Caching: Only Files Specifically Marked by the User Will Be Cached
– Automatic Caching: Files Will Automatically Be Cached When They Are First Opened
– Program Caching: Read-Only Files Will Be Cached Once; Then the Local Copies Will Be Used

Offline File Caching Options
– Automatic Caching
– Manual Caching
– Program Caching

Configuring a Client Computer for Offline Files
[Screenshot: Offline Files tab of the Folder Options dialog (tabs: General, View, File Types, Offline Files)]
– "Set up your computer so that the files stored on the network are available when working offline (disconnected from the network)."
– Enable Offline Files
– Synchronize all offline files before logging off
– Enable reminders: Display reminder balloon every 60 minutes
– Place shortcut to Offline Files folder on the desktop
– Amount of disk space to use for temporary offline files: 205 MB (10% of drive)
– Buttons: Delete Files..., View Files, Advanced