Chapter 14. Data Sharing, Security, and Auditing

Data sharing allows remote users to access network resources, such as files, folders, and drives. When you share a folder or a drive, you make all its files and subfolders available to a specified set of users. If you want to control access to specific files and subfolders within a shared folder, you can do it only with NTFS volumes. On NTFS volumes, you use access control lists to grant or deny access to files and folders.

Object security applies to all resources on NTFS volumes. It includes files, folders, and Active Directory directory service objects. Normally, only administrators have the right to manage Active Directory objects, but you can delegate to users the authority to manage Active Directory objects. When you do, you make information in Active Directory available for viewing and modification by designated users. You control these users’ permissions through access control lists. By auditing access to objects, you can closely monitor network activity and ensure that only authorized users are accessing resources.

Sharing Folders on Local and Remote Systems

You use shares to control access for remote users. Permissions on shared folders have no effect on users who log on locally to a server or to a workstation that has shared folders.

  • To grant remote users access to files across the network, you use standard folder sharing.

  • To grant remote users access to files from the Web, you use Web sharing. This is available only if the system has Internet Information Services (IIS) installed.

Viewing Existing Shares

You can use both Computer Management and File Server Management to work with shares. You can also view current shares on a computer by typing net share at a command prompt.

In Computer Management, you can view the shared folders on a local or remote computer by completing the following steps:

  1. You’re connected to the local computer by default. If you want to connect to a remote computer, right-click the Computer Management node and select Connect To Another Computer. Choose Another Computer, type the name or Internet Protocol (IP) address of the computer to which you want to connect, and then click OK.

  2. In the console tree, expand System Tools and Shared Folders, and then select Shares. The current shares on the system are displayed, as shown in Figure 14-1.

Figure 14-1. Available shares are listed in the Shared Folders node.

In File Server Management, you can view the shared folders on a local or remote computer by completing the following steps:

  1. You’re connected to the local computer by default. To connect to a remote computer, right-click the File Server Management node and select Connect To Another Computer. Choose Another Computer, type the name or IP address of the computer to which you want to connect, and then click OK.

  2. In the console tree, expand Shared Folder Management and Shared Folders, and then select Shares. The current shares on the system are displayed, as shown previously in Figure 14-1.

The columns of the Shares node provide the following information:

  • Share Name. Name of the shared folder

  • Folder Path. Complete path to the folder on the local system

  • Type. What kind of computers can use the share, such as Macintosh or Windows

  • # Client Connections. Number of clients currently accessing the share

  • Description. Description of the share

Note

An entry of "Windows" in the Type column means that all clients can use the share, including those running Windows or Macintosh operating systems. An entry of "Macintosh" in the Type column means that only Macintosh clients can use the share.

Creating Shared Folders

Microsoft Windows Server 2003 provides several ways to share folders: you can share local folders using Windows Explorer, and you can also share local and remote folders using Computer Management and File Server Management.

Because Computer Management and File Server Management allow you to work with and manage shared resources on any of your network computers, they’re usually the best tools to use. Which of the two consoles you use is a matter of preference, and the techniques for creating and working with shared folders are nearly identical.

To share folders on a server running Windows Server 2003, you must be a member of the Administrators or the Server Operators group. In Computer Management, you share a folder by completing the following steps:

  1. If necessary, connect to a remote computer.

  2. In the console tree, expand System Tools and Shared Folders, and then select Shares. The current shares on the system are displayed.

  3. Right-click Shares and then select New Share. This starts the Share A Folder Wizard. Click Next.

  4. In the Folder Path text box, type the local file path to the folder you want to share. The file path must be exact, such as C:\Data\CorpDocuments. If you don’t know the full path, click Browse and then use the Browse For Folder dialog box to find the folder you want to share and then click OK. Click Next.

    Tip

    If the file path doesn’t exist, the wizard can create the necessary path for you. Click Yes when prompted to create the necessary folders.

  5. In the Share Name text box, type a name for the share, as shown in Figure 14-2. This is the name of the folder to which users will connect. Share names must be unique for each system.

    Figure 14-2. Use the Share A Folder Wizard to configure the essential share properties, including name, description, and offline resource usage.

  6. If you’ve configured Macintosh services, the standard Name, Description, And Settings page is modified, as shown in Figure 14-2, to include Microsoft Windows Users and Apple Macintosh Users check boxes. By selecting Microsoft Windows Users (the default), you allow Windows users to access the share. By selecting Apple Macintosh Users and typing a share name in the field provided, you allow Macintosh users to access the share.

    Tip

    If you want to hide a share from users (which means that they won’t be able to see the shared resource when they try to browse to it in Windows Explorer or at the command line), type $ as the last character of the shared resource name. For example, you could create a share called PrivEngData$, which would be hidden from Windows Explorer, Net View, and other similar utilities. Users can still connect to the share and access its data, provided that they’ve been granted access permission and that they know the share’s name. Note that the $ must be typed as part of the share name when mapping to the shared resource.

  7. If you like, you can type a description of the share in the Description text box. Then, when you view shares on a particular computer, the description is displayed in Computer Management.

  8. By default, the share is configured so that only files and programs that users specify are available for offline use. If you want to prohibit the offline use of files or programs in the share or specify that all files and programs in the share are available for offline use, click Change, and then select the appropriate options in the Offline Settings dialog box.

  9. Click Next and then set basic permissions for the share. You’ll find helpful pointers in the "Managing Share Permissions" section of this chapter. As shown in Figure 14-3, the available options are as follows:

    Figure 14-3. Use the Permissions page to set permissions for the share.

    • All Users Have Read-Only Access. Gives users access to view files and read data. They can’t create, modify, or delete files and folders.

    • Administrators Have Full Access; Other Users Have Read-Only Access. Gives administrators complete control over the share. Full access allows administrators to create, modify, and delete files and folders. On NTFS, it also gives administrators the right to change permissions and to take ownership of files and folders. Other users can only view files and read data. They can’t create, modify, or delete files and folders.

    • Administrators Have Full Access; Other Users Have Read And Write Access. Gives administrators complete control over the share and allows other users to create, modify, or delete files and folders.

    • Use Custom Share And Folder Permissions. Allows you to configure access for specific users and groups, which is usually the best technique to use. Setting share permissions is discussed fully later in this chapter in the section entitled "Managing Share Permissions."

  10. When you click Finish, the wizard displays a status report, which should state "Sharing Was Successful." Click Close.

Note

If you view the shared folder in Windows Explorer, you’ll see that the folder icon now includes a hand to indicate a share. Through Computer Management, you can also view shared resources. To learn how, see the section of this chapter entitled "Sharing Folders on Local and Remote Systems."

Best Practices

If you’re creating a share that’s for general use and general access, you should publish the shared resource in Active Directory. Publishing the resource in Active Directory makes it easier for users to find the share. To publish a share in Active Directory, right-click the share in Computer Management and then select Properties. On the Publish tab, select the Publish This Share In Active Directory check box, add an optional description and owner information, and then click OK.

Creating Additional Shares on an Existing Share

Individual folders can have multiple shares. Each share can have a different name and a different set of access permissions. To create additional shares on an existing share, simply follow the steps for creating a share outlined in the previous section—with these changes:

In Step 5: When you name the share, make sure that you use a different name.

In Step 6: When you add a description for the share, use a description that explains what the share is used for—and how it’s different from the other share(s) for the same folder.

Managing Share Permissions

Share permissions set the maximum allowable actions available within a shared folder. By default, when you create a share, everyone with access to the network has read access to the share’s contents. This is an important security change—in previous editions, the default permission was full control.

With NTFS volumes you can use file and folder permissions and ownership to further constrain actions within the share as well as share permissions. With file allocation table (FAT) volumes, share permissions provide the only access controls.

The Different Share Permissions

Share permissions available, from the most restrictive to the least restrictive, are:

  • No Access. No permissions are granted for the share.

  • Read. With this permission, users can:

    1. View file and subfolder names.

    2. Access the subfolders of the share.

    3. Read file data and attributes.

    4. Run program files.

  • Change. Users have Read permissions and the additional ability to:

    1. Create files and subfolders.

    2. Modify files.

    3. Change attributes on files and subfolders.

    4. Delete files and subfolders.

  • Full Control. Users have Read and Change permissions, as well as the following additional capabilities on NTFS volumes:

    1. Change file and folder permissions.

    2. Take ownership of files and folders.

You can assign share permissions to users and groups. You can even assign permissions to implicit groups. For details on implicit groups, see the section entitled "Implicit Groups and Special Identities" in Chapter 8.

Viewing Share Permissions

To view share permissions, follow these steps:

  1. In Computer Management, connect to the computer on which the share is created.

  2. In the console tree, expand System Tools and Shared Folders, and then select Shares.

  3. Right-click the share you want to view, and then select Properties.

  4. In the Properties dialog box, click the Share Permissions tab, shown in Figure 14-4. You can now view the users and groups that have access to the share and the type of access they have.

Figure 14-4. The Share Permissions tab shows which users and groups have access to the share and what type of access they have.

Configuring Share Permissions

In Computer Management, you can add user, computer, and group permissions to shares by completing the following steps:

  1. Right-click the share you want to manage and then select Properties.

  2. In the Share Properties dialog box, click the Share Permissions tab.

  3. Click Add. This opens the Select Users, Computers, Or Groups dialog box shown in Figure 14-5.

    Figure 14-5. Add users and groups to the share using the Select Users, Computers, Or Groups dialog box.

  4. Type the name of a user, computer, or group in the current domain and then click Check Names.

    1. If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

    2. If no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

    3. If multiple matches are found, select the name(s) you want to use and then click OK. To assign permissions to other users, computers, or groups, type a semicolon (;), and then repeat this step.

    Note

    The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.

  5. Click OK. The users and groups are added to the Name list for the share.

  6. Configure access permissions for each user, computer, and group by selecting an account name and then allowing or denying access permissions. Keep in mind that you’re setting the maximum allowable permissions for a particular account.

  7. Click OK when you’re finished. To assign additional security permissions for NTFS, see the section of this chapter entitled "File and Folder Permissions."

Modifying Existing Share Permissions

You can change the share permissions you assign to users, computers, and groups by using the Share Properties dialog box. In Computer Management, follow these steps:

  1. Right-click the share you want to manage, and then select Properties.

  2. In the Share Properties dialog box, click the Share Permissions tab.

  3. In the Name list box, select the user, computer, or group you want to modify.

  4. Use the check boxes in the Permissions area to allow or deny permissions.

  5. Repeat for other users, computers, or groups, and then click OK when you’re finished.

Removing Share Permissions for Users and Groups

You also remove share permissions assigned to users, computers, and groups with the Share Permissions dialog box. In Computer Management, follow these steps:

  1. Right-click the share you want to manage and then select Properties.

  2. In the Share Properties dialog box, click the Share Permissions tab.

  3. In the Name list box, select the user, computer, or group you want to remove, and then click Remove.

  4. Repeat for other users or groups, as necessary, and then click OK when you’re finished.

Managing Existing Shares

As an administrator, you’ll often have to manage shared folders. The common administrative tasks of managing shares are covered in this section.

Understanding Special Shares

When you install Windows Server 2003, the operating system creates special shares automatically. These shares are also known as administrative shares and hidden shares. These shares are designed to help make system administration easier. You can’t set access permissions on automatically created special shares; Windows Server 2003 assigns access permissions. (You can create your own hidden shares by typing $ as the last character of the resource name.)

You can delete special shares temporarily if you’re certain the shares aren’t needed. However, the shares are recreated automatically the next time the operating system starts. To permanently disable the administrative shares, change the following registry values to 0 (zero):

  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer

  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks

Which special shares are available depends on your system configuration. Table 14-1 lists special shares you might see and how they’re used.

Table 14-1. Special Shares Used by Windows Server 2003

  • ADMIN$
    Description: A share used during remote administration of a system. Provides access to the operating system %SystemRoot%.
    Usage: On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access.

  • FAX$
    Description: Supports network faxes.
    Usage: Used by fax clients when sending faxes.

  • IPC$
    Description: Supports named pipes during remote interprocess communications (IPC) access.
    Usage: Used by programs when performing remote administration and when viewing shared resources.

  • NETLOGON
    Description: Supports the Net Logon service.
    Usage: Used by the Net Logon service when processing domain logon requests. Everyone has Read access.

  • Microsoft UAM Volume
    Description: Supports Macintosh file and printer services.
    Usage: Used by File Server For Macintosh and Print Server For Macintosh.

  • PRINT$
    Description: Supports shared printer resources by providing access to printer drivers.
    Usage: Used by shared printers. Everyone has Read access. Administrators, server operators, and printer operators have full control.

  • SYSVOL
    Description: Supports Active Directory.
    Usage: Used to store data and objects for Active Directory.

  • Driveletter$
    Description: A share that allows administrators to connect to a drive’s root folder. These shares are shown as C$, D$, E$, and so on.
    Usage: On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access.
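The following is an added example, not code from the book: it parses the table printed by net share (the sample output is constructed for the example, not captured from a real server), classifies each share as administrative (the special shares of Table 14-1, plus any Driveletter$ share), hidden (a custom name ending in $, as described in the tip on hiding shares), or visible, and reports hidden custom shares for a permissions review. It also cross-checks against the AutoShareServer registry value: if an administrator has set that value to 0, ADMIN$ and the drive-root shares should be gone after the next restart, so their presence is worth flagging. The regex and column handling assume share names contain no spaces (the Macintosh "Microsoft UAM Volume" share would need separate handling).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "net share" output, constructed for this example (not captured from a real server).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
NETLOGON     C:\WINDOWS\SYSVOL\sysvol\corp\SCRIPTS   Logon server share
PRINT$       C:\WINDOWS\system32\spool\drivers   Printer Drivers
Data         C:\Data                         Corporate documents
PrivEngData$ C:\Data\Eng
The command completed successfully.
"""

# Special shares listed in Table 14-1; Driveletter$ shares (C$, D$, ...) are matched by pattern.
SPECIAL_SHARES = {"ADMIN$", "FAX$", "IPC$", "NETLOGON", "Microsoft UAM Volume", "PRINT$", "SYSVOL"}
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")
PATH_START = re.compile(r"^([A-Za-z]:\\|\\\\)")   # a Resource column starts with X:\ or \\


@dataclass
class Share:
    name: str
    path: str
    remark: str

    @property
    def kind(self) -> str:
        """administrative (created by Windows), hidden (custom name ending in $), or visible."""
        if self.name in SPECIAL_SHARES or DRIVE_SHARE.match(self.name):
            return "administrative"
        if self.name.endswith("$"):
            return "hidden"
        return "visible"


def parse_net_share(text: str) -> List[Share]:
    """Parse the table that "net share" prints. Assumes share names contain no spaces."""
    shares, in_table = [], False
    for raw in text.splitlines():
        if raw.startswith("----"):
            in_table = True
            continue
        line = raw.strip()
        if not in_table or not line or line.startswith("The command"):
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip()
        path, remark = "", rest
        if PATH_START.match(rest):
            # Resource column is present; the Remark (if any) follows after two or more spaces.
            parts = re.split(r"\s{2,}", rest, maxsplit=1)
            path = parts[0]
            remark = parts[1] if len(parts) > 1 else ""
        shares.append(Share(name, path, remark))
    return shares


def summarize(shares: List[Share]) -> Dict[str, int]:
    counts: Dict[str, int] = {"administrative": 0, "hidden": 0, "visible": 0}
    for s in shares:
        counts[s.kind] += 1
    return counts


def audit_shares(shares: List[Share], auto_share_server: Optional[int] = None) -> List[str]:
    """Flag hidden custom shares (each deserves a permissions review) and administrative
    shares still present although AutoShareServer (which controls ADMIN$ and the
    Driveletter$ shares) has been set to 0."""
    findings = []
    for s in shares:
        if s.kind == "hidden":
            findings.append(f"{s.name}: hidden custom share on {s.path or '<no path>'}; "
                            "review its share and NTFS permissions")
        elif auto_share_server == 0 and (s.name == "ADMIN$" or DRIVE_SHARE.match(s.name)):
            findings.append(f"{s.name}: administrative share present although AutoShareServer is 0")
    return findings


if __name__ == "__main__":
    parsed = parse_net_share(SAMPLE_NET_SHARE)
    print(summarize(parsed))
    for finding in audit_shares(parsed, auto_share_server=0):
        print(finding)
```

On a real server you would feed the function the text of net share (or of net share run against each server in turn) and the AutoShareServer value read from the registry key given above.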

Connecting to Special Shares

Special shares end with the $ symbol. Although these shares aren’t displayed in Windows Explorer, administrators and certain operators can connect to them. To connect to a special share, follow these steps:

  1. In Windows Explorer, from the Tools menu, select Map Network Drive. This opens the page shown in Figure 14-6.

    Figure 14-6. Connect to special shares by mapping them with the Map Network Drive page.

  2. From the Drive drop-down list, select a free drive letter. This drive letter is used to access the special share.

  3. In the Folder text box, type the Universal Naming Convention (UNC) path to the desired share. For example, to access the C$ share on a server called Twiddle, you’d use the path \\TWIDDLE\C$. Click Finish.

After you connect to a special share, you can access it as you would any other drive. Because special shares are protected, you don’t have to worry about ordinary users accessing these shares. The first time you connect to the share, you might be prompted for a user name and password. If you are, provide that information.

Viewing User and Computer Sessions

You can use Computer Management to track all connections to shared resources on a Windows Server 2003 system. Whenever a user or computer connects to a shared resource, Windows Server 2003 lists a connection in the Sessions node.

To view connections to shared resources, type net session at a command prompt or follow these steps:

  1. In Computer Management, connect to the computer on which you created the shared resource.

  2. In the console tree, expand System Tools and Shared Folders, and then select Sessions.

  3. As shown in Figure 14-7, you can now view connections to shares for users and computers.

Figure 14-7. Use the Sessions node to view user and computer connections.

The Sessions node provides important information about user and computer connections. The columns of this node provide the following information:

  • User. The names of users or computers connected to shared resources. Computer names are shown with a $ suffix to differentiate them from users.

  • Computer. The name of the computer being used.

  • Type. The type of network connection being used.

  • # Open Files. The number of files with which the user is actively working. For more detailed information, access the Open Files node.

  • Connected Time. The time that has elapsed since the connection was established.

  • Idle Time. The time that has elapsed since the connection was last used.

  • Guest. Whether the user is logged on as a guest.
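As an added example (not part of the book), the script below reads the table printed by net session, which carries the same information as the Sessions node, and applies two checks an administrator might run before maintenance or as a routine review: sessions established by the guest account, and sessions idle for longer than a threshold (reporting how many files they still hold open, since those are candidates for closing before a shutdown). The sample output is constructed; the column layout and the "Nd HH:MM:SS" form of idle times longer than a day are assumptions about the tool's format, and identifying guest sessions by the user name GUEST is a simplification, because net session has no Guest column of its own.

```python
from dataclasses import dataclass
from typing import List

# "net session" output, constructed for this example (not captured from a real server).
SAMPLE_NET_SESSION = r"""
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\192.168.1.20         jsmith               Windows 2002 Serv 2     00:00:15
\\WKS03                GUEST                Windows 2002 2600 0     02:13:40
\\10.0.0.9             WKS07$               Windows 2002 Serv 0     00:01:02
\\WKS11                mlee                 Windows 2002 Serv 3     1d 04:10:00
The command completed successfully.
"""


def idle_seconds(text: str) -> int:
    """Convert "HH:MM:SS" or "Nd HH:MM:SS" (assumed format for multi-day idle times) to seconds."""
    parts = text.split()
    days = int(parts[0].rstrip("dD")) if len(parts) == 2 else 0
    h, m, s = (int(x) for x in parts[-1].split(":"))
    return days * 86400 + h * 3600 + m * 60 + s


@dataclass
class Session:
    computer: str
    user: str
    client: str
    opens: int
    idle_secs: int

    @property
    def is_computer_account(self) -> bool:
        # Computer accounts appear with a $ suffix, as the Sessions node's User column shows.
        return self.user.endswith("$")


def parse_net_session(text: str) -> List[Session]:
    sessions, in_table = [], False
    for raw in text.splitlines():
        if raw.startswith("----"):
            in_table = True
            continue
        line = raw.strip()
        if not in_table or not line or line.startswith("The command"):
            continue
        tokens = line.split()
        # Idle time is the last column; a day count makes it span two tokens.
        if tokens[-2].lower().endswith("d") and tokens[-2][:-1].isdigit():
            idle, rest = " ".join(tokens[-2:]), tokens[:-2]
        else:
            idle, rest = tokens[-1], tokens[:-1]
        opens = int(rest[-1])                        # Opens column precedes Idle time
        computer, user = rest[0], rest[1]
        client = " ".join(rest[2:-1])                # Client Type may contain spaces or be empty
        sessions.append(Session(computer, user, client, opens, idle_seconds(idle)))
    return sessions


def audit_sessions(sessions: List[Session], idle_limit_secs: int = 3600) -> List[str]:
    findings = []
    for s in sessions:
        if s.user.upper() == "GUEST":
            findings.append(f"{s.computer}: guest session; confirm guest access to shares is intended")
        if s.idle_secs > idle_limit_secs:
            held = f", holding {s.opens} open file(s)" if s.opens else ""
            findings.append(f"{s.computer} ({s.user}): idle {s.idle_secs // 60} min{held}; "
                            "candidate for Close Session before maintenance")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_net_session(SAMPLE_NET_SESSION)):
        print(finding)
```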

Managing Sessions and Shares

Managing sessions and shares is a common administrative task. Before you shut down a server or an application running on a server, you might want to disconnect users from shared resources. You might also need to disconnect users when you plan to change access permissions or delete a share entirely. Another reason to disconnect users is to break locks on files. You disconnect users from shared resources by ending the related user sessions.

Ending Individual Sessions

To disconnect individual users from shared resources, type net session \\ComputerName /delete at a command prompt or follow these steps:

  1. In Computer Management, connect to the computer on which you created the share.

  2. In the console tree, expand System Tools and Shared Folders, and then select Sessions.

  3. Right-click the user sessions you want to end and then choose Close Session.

  4. Click Yes to confirm the action.

Ending All Sessions

To disconnect all users from shared resources, follow these steps:

  1. In Computer Management, connect to the computer on which you created the share.

  2. In the console tree, expand System Tools and Shared Folders, and then right-click Sessions.

  3. Choose Disconnect All Sessions and then click Yes to confirm the action.

Note

Keep in mind that you’re disconnecting users from shared resources, not from the domain. You can force users to log off the domain only through logon hours and Group Policy. Thus, disconnecting users doesn’t log them off the network; it simply disconnects them from the shared resource.

Managing Open Resources

Any time users connect to shares, the individual file and object resources with which they’re actively working are displayed in the Open Files node. The Open Files node might show the files the user has open but isn’t currently editing.

You can access the Open Files node by completing the following steps:

  1. In Computer Management, connect to the computer on which you created the share.

  2. In the console tree, expand System Tools and Shared Folders, and then select Open Files. This displays the Open Files node, shown in Figure 14-8. The Open Files node provides the following information about resource usage:

  • Open File. The file or folder path to the open file on the local system. It might also be a named pipe, such as \PIPE\spools, which is used for printer spooling.

  • Accessed By. The name of the user accessing the file.

  • Type. The type of network connection being used.

  • # Locks. The number of locks on the resource.

  • Open Mode. The access mode used when the resource was opened, such as read, write, or write+read mode.

Figure 14-8. You can manage open resources using the Open Files node.

Close an Open File

To close an open file on a computer’s shares, follow these steps:

  1. In Computer Management, connect to the computer with which you want to work.

  2. In the console tree, expand System Tools and Shared Folders, and then select Open Files.

  3. Right-click the open file you want to close, and then choose Close Open File.

  4. Click Yes to confirm the action.

Close All Open Files

To close all open files on a computer’s shares, follow these steps:

  1. In Computer Management, connect to the computer on which the share is created.

  2. In the console tree, expand System Tools and Shared Folders and then right-click Open Files.

  3. Choose Disconnect All Open Files and then click Yes to confirm the action.

Stopping File and Folder Sharing

To stop sharing a folder, follow these steps:

  1. In Computer Management, connect to the computer on which you created the share and then access the Shares node.

  2. Right-click the share you want to remove and then choose Stop Sharing. Click Yes to confirm the action.

Caution

You should never delete a folder containing shares without first stopping the shares. If you fail to stop the shares, Windows Server 2003 attempts to reestablish the shares the next time the computer is started, and the resulting error is logged in the System event log.

Using Shadow Copies

Any time your organization uses shared folders you might want to consider creating shadow copies of these shared folders as well. Shadow copies are point-in-time backups of data files that users can access directly in shared folders. These point-in-time backups can save you and the other administrators in your organization a lot of work, especially if you routinely have to retrieve lost, overwritten, or corrupted data files from backup. The normal procedure for retrieving shadow copies is to use the Previous Versions or Shadow Copy client. Windows Server 2003 R2 includes a feature enhancement that allows you to revert an entire (nonsystem) volume to a previous shadow copy state.

Understanding Shadow Copies

You can create shadow copies only on NTFS volumes. On NTFS volumes, you use the Shadow Copy feature to create automatic backups of the files in shared folders on a per volume basis. For example, if a file server has three NTFS volumes, each containing shared folders, you’d need to configure this feature for each volume separately.

If you enable this feature in the default configuration, shadow copies are created twice each weekday (Monday–Friday) at 7:00 A.M. and 12:00 P.M. You need at least 100 megabytes (MB) of free space to create the first shadow copy on a volume. The total disk space used beyond this depends on the amount of data in the volume’s shared folders. You can restrict the total amount of disk space used by Shadow Copy by setting the allowable maximum size of the point-in-time backups.

You configure and view current Shadow Copy settings using the Shadow Copies tab of the disk properties dialog box. Right-click the icon for the disk you want to work with in Windows Explorer or Computer Management, select Properties, and then click the Shadow Copies tab. The Select A Volume panel shows:

  • Volume. Volume label of NTFS volumes on the selected disk drive

  • Next Run Time. The status of Shadow Copy as Disabled or the next time a Shadow Copy of the volume will be created

  • Shares. Number of shared folders on the volume

  • Used. Amount of disk space used by Shadow Copy

Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time.

Creating Shadow Copies

To create a shadow copy on an NTFS volume with shared folders, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.

  3. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.

  4. In the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list.

  5. Click Settings to configure the maximum size of all shadow copies for this volume and to change the default schedule. When you’re finished, click OK twice.

  6. If necessary, click Enable after you’ve configured the volume for shadow copying. When prompted to confirm this action, click Yes. This creates the first shadow copy and sets the schedule for later shadow copies.

Note

If you create a run schedule when configuring the shadow copy settings, shadow copying is enabled automatically for the volume when you click OK to close the Settings dialog box.

Restoring a Shadow Copy

Users on client computers access shadow copies of individual shared folders using the Previous Versions or Shadow Copy client. The Previous Versions client is stored in the %SystemRoot%\System32\Clients\Twclient\X86 folder and its installer is named Twcli32.msi. The Shadow Copy client can be downloaded from the Microsoft Web site and its installer is named ShadowCopyClient.msi. After you install these clients, the best way to access shadow copies on a client computer is to follow these steps:

  1. In My Network Places, expand Entire Network and Microsoft Windows Network to display the available domains, and then expand the domain node to display servers on the network.

  2. When you expand a server node, any publicly shared resources on that server are listed. Right-click the share for which you want to access previous file versions, choose Properties, and then click the Previous Versions tab.

  3. After you access the Previous Versions tab, select the folder version that you want to work with. Each folder has a date and time stamp. Then click the button corresponding to the action you want to perform:

    1. Click View to open the shadow copy in Windows Explorer.

    2. Click Copy to display the Copy Items dialog box, which lets you copy the snapshot image of the folder to the location you specify.

    3. Click Restore to roll back the shared folder to its state as of the snapshot image you selected.

Reverting An Entire Volume to a Previous Shadow Copy

Windows Server 2003 R2 features a shadow copy enhancement that allows you to revert an entire volume to the state it was in when a particular shadow copy was created. As volumes containing operating system files can’t be reverted, the volume you want to revert must not be a system volume.

To revert an entire volume to a previous state, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.

  3. In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list.

  4. Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time. Select the shadow copy with the date and timestamp to which you want to revert and then click Revert. To confirm this action, select the Check Here If You Want To Revert This Volume check box and then click Revert Now. Click OK to close the Shadow Copies dialog box.

Deleting Shadow Copies

Each point-in-time backup is maintained separately. You can delete individual shadow copies of a volume as necessary. This recovers the disk space used by the shadow copies.

To delete a shadow copy, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.

  3. In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list.

  4. Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time. Select the shadow copy you want to delete and then click Delete Now.

Disabling Shadow Copies

If you no longer want to maintain shadow copies of a volume, you can disable the Shadow Copy feature. Disabling this feature turns off the scheduling of automated point-in-time backups and removes any existing shadow copies.

To disable shadow copies of a volume, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage. Right-click Disk Management, point to All Tasks, and then select Configure Shadow Copies.

  3. In the Shadow Copies tab, select the volume you want to work with in the Select A Volume list and then click Disable.

  4. When prompted, confirm the action by clicking Yes. Click OK to close the Shadow Copies dialog box.

Connecting to Network Drives

Users can connect to a network drive and to shared resources available on the network. This connection is shown as a network drive that users can access like any other drive on their systems.

Note

When users connect to network drives, they’re subject not only to the permissions set for the shared resources, but also to Windows Server 2003 file and folder permissions. Differences in these permission sets are usually the reason users might not be able to access a particular file or subfolder within the network drive.

Mapping a Network Drive

In Windows Server 2003, you connect to a network drive by mapping to it using NET USE and the following syntax:

net use Device \\ComputerName\ShareName

where Device specifies the drive letter or * to use the next available drive letter and \\ComputerName\ShareName is the UNC path to the share, such as:

net use g: \\ROMEO\DOCS

or

net use * \\ROMEO\DOCS

Note

To ensure the mapped drive is available each time the user logs in, make the mapping persistent by adding the /Persistent:Yes option.

Another way to map network drives is to follow these steps:

  1. While the user is logged on, start Windows Explorer on the user’s computer.

  2. From the Tools menu, select Map Network Drive. This opens the Map Network Drive page.

  3. Using the Drive drop-down list, you can now create a network drive for a shared resource. Select a free drive letter to create a network drive that can be accessed in Windows Explorer and My Computer. Select (None) to create a network drive without assigning a drive letter. This drive is opened in its own Windows Explorer window and can’t be accessed from My Computer.

  4. In the Folder text box, type the UNC path to the desired share. For example, to access a share called DOCS on a server called ROMEO, you’d use the path \\ROMEO\DOCS. If you don’t know the share location, click Browse to search for available shares. After selecting the appropriate share, click OK to close the Browse For Folder dialog box.

  5. If you want the network drive to be automatically connected in subsequent sessions, select the Reconnect At Logon check box. Otherwise, clear this check box to later establish a connection whenever you double-click the network drive.

  6. To connect using a different user name from the logon name, click Different User Name, and then type a user name and password for the connection. Click OK to close the Connect As dialog box.

  7. Click Finish to map the network drive.

Disconnecting a Network Drive

To disconnect a network drive, follow these steps:

  1. While the user is logged on, start Windows Explorer on the user’s computer.

  2. From the Tools menu, select Disconnect Network Drive. This opens the Disconnect Network Drive dialog box.

  3. Select the drive you want to disconnect, and then click OK.

Object Management, Ownership, and Inheritance

Windows Server 2003 takes an object-based approach to describing resources and managing permissions. Objects that describe resources are defined on NTFS volumes and in Active Directory. With NTFS volumes, you can set permissions for files and folders. With Active Directory, you can set permissions for other types of objects, such as users, computers, and groups. You can use these permissions to control access with precision.

Objects and Object Managers

Whether defined on an NTFS volume or in Active Directory, each type of object has an object manager and primary management tools. The object manager controls object settings and permissions. The primary management tools are the tools of choice for working with the object. Objects, their managers, and management tools are summarized in Table 14-2.

Table 14-2. Windows Server 2003 Objects

  Object Type        Object Manager       Management Tool
  -----------------  -------------------  -------------------------------------
  Files and folders  NTFS                 Windows Explorer
  Shares             Server service       Windows Explorer; Computer Management
  Registry keys      Windows registry     Registry Editor
  Services           Service controllers  Security Configuration Tool Set
  Printers           Print spooler        Printers in Control Panel

Object Ownership and Transfer

It’s important to understand the concept of object ownership. In Windows Server 2003, the object owner isn’t necessarily the object’s creator. Instead, the object owner is the person who has direct control over the object. Object owners can grant access permissions and give other users permission to take ownership of the object.

As an administrator, you can take ownership of objects on the network. This ensures that authorized administrators can’t be locked out of files, folders, printers, and other resources. After you take ownership of files, however, you can’t return ownership to the original owner (in most cases). This prevents administrators from accessing files and then trying to hide the fact.

The way ownership is assigned initially depends on the location of the resource being created. In most cases, however, the Administrators group is listed as the current owner and the object’s actual creator is listed as a person who can take ownership.

Ownership can be transferred in several ways:

  • If Administrators is initially assigned as the owner, the creator of the object can take ownership, provided he or she does this before someone else takes ownership.

  • The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership of the object.

  • An administrator can take ownership of an object, provided the object is under his or her administrative control.

To take ownership of an object, follow these steps:

  1. Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.

  2. Right-click the object of which you want to take ownership.

  3. From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.

  4. Display the Access Security Settings dialog box by clicking Advanced. Then click the Owner tab, shown in Figure 14-9.

    Figure 14-9. Use the Owner tab to change ownership of a file.

  5. Select the new owner in the Change Owner To list box, and then click OK.

Tip

If you’re taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Sub-containers And Objects check box. This option also works with objects that contain other objects. Here, you’d take ownership of all child objects.

Object Inheritance

Objects are defined using a parent-child structure. A parent object is a top-level object. A child object is an object defined below a parent object in the hierarchy. For example, the folder C:\ is the parent of the folders C:\data and C:\backups. Any subfolders created in C:\data or C:\backups are children of these folders and grandchildren of C:\.

Child objects can inherit permissions from parent objects. In fact, all Windows Server 2003 objects are created with inheritance enabled by default. This means that child objects automatically inherit the permissions of the parent. Because of this, the parent object permissions control access to the child object. If you want to change permissions on a child object, you must do one of the following:

  1. Edit the permissions of the parent object.

  2. Stop inheriting permissions from the parent object, and then assign permissions to the child object.

  3. Select the opposite permission to override the inherited permission. For example, if the parent allows the permission, you’d deny it on the child object.

To start or stop inheriting permissions from a parent object, follow these steps:

  1. Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.

  2. Right-click the object with which you want to work.

  3. From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.

  4. Display the Advanced Security Settings dialog box by clicking Advanced.

  5. In the Permissions tab, select or clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box as appropriate. Click OK.

File and Folder Permissions

On NTFS volumes, you can set security permissions on files and folders. These permissions grant or deny access to the files and folders. You can view security permissions for files and folders by completing the following steps:

  1. In Windows Explorer, right-click the file or folder with which you want to work.

  2. From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab.

  3. In the Name list box, select the user, computer, or group whose permissions you want to view. If the permissions are dimmed, it means the permissions are inherited from a parent object.

Understanding File and Folder Permissions

The basic permissions you can assign to files and folders are summarized in Table 14-3. File permissions include Full Control, Modify, Read & Execute, Read, and Write. Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write.

Table 14-3. File and Folder Permissions Used by Windows Server 2003

  Permission            Meaning for Folders                                 Meaning for Files
  --------------------  --------------------------------------------------  --------------------------------------------------
  Read                  Permits viewing and listing files and subfolders    Permits viewing or accessing the file’s contents
  Write                 Permits adding files and subfolders                 Permits writing to a file
  Read & Execute        Permits viewing and listing files and subfolders    Permits viewing and accessing the file’s contents
                        as well as executing files; inherited by files      as well as executing the file
                        and folders
  List Folder Contents  Permits viewing and listing files and subfolders    N/A
                        as well as executing files; inherited by folders
                        only
  Modify                Permits reading and writing of files and            Permits reading and writing of the file; allows
                        subfolders; allows deletion of the folder           deletion of the file
  Full Control          Permits reading, writing, changing, and deleting    Permits reading, writing, changing, and deleting
                        files and subfolders                                the file

Anytime you work with file and folder permissions, you should keep the following in mind:

  1. Read is the only permission needed to run scripts. Execute permission doesn’t matter.

  2. Read access is required to access a shortcut and its target.

  3. Giving a user permission to write to a file but not to delete it doesn’t prevent the user from deleting the file’s contents. A user can still delete the contents.

  4. If a user has full control over a folder, the user can delete files in the folder regardless of the permission on the files.

The basic permissions are created by combining special permissions in logical groups. Table 14-4 shows special permissions used to create the basic permissions for files. Using advanced permission settings, you can assign these special permissions individually, if necessary. As you study the special permissions, keep the following in mind:

  1. By default, if no access is specifically granted or denied, the user is denied access.

  2. Actions that users can perform are based on the sum of all the permissions assigned to the user and to all the groups of which the user is a member. For example, if the user GeorgeJ has Read access and is a member of the group Techies that has Change access, GeorgeJ will have Change access. If Techies is in turn a member of Administrators, which has Full Control, GeorgeJ will have complete control over the file.

Table 14-4. Special Permissions for Files

  Special Permissions            Full Control  Modify  Read & Execute  Read  Write
  -----------------------------  ------------  ------  --------------  ----  -----
  Traverse Folder/Execute File   Yes           Yes     Yes
  List Folder/Read Data          Yes           Yes     Yes             Yes
  Read Attributes                Yes           Yes     Yes             Yes
  Read Extended Attributes       Yes           Yes     Yes             Yes
  Create Files/Write Data        Yes           Yes                           Yes
  Create Folders/Append Data     Yes           Yes                           Yes
  Write Attributes               Yes           Yes                           Yes
  Write Extended Attributes      Yes           Yes                           Yes
  Delete Subfolders and Files    Yes
  Delete                         Yes           Yes
  Read Permissions               Yes           Yes     Yes             Yes   Yes
  Change Permissions             Yes
  Take Ownership                 Yes

Table 14-5 shows special permissions used to create the basic permissions for folders. As you study the special permissions, keep the following in mind:

  • When you set permissions for parent folders, you can force all files and subfolders within the folder to inherit the permissions. You do this by selecting Reset Permissions On All Child Objects And Enable Propagation Of Inheritable Permissions.

  • When you create files in folders, these files inherit certain permission settings. These permission settings are shown as the default file permissions.

Table 14-5. Special Permissions for Folders

  Special Permissions            Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
  -----------------------------  ------------  ------  --------------  --------------------  ----  -----
  Traverse Folder/Execute File   Yes           Yes     Yes             Yes
  List Folder/Read Data          Yes           Yes     Yes             Yes                   Yes
  Read Attributes                Yes           Yes     Yes             Yes                   Yes
  Read Extended Attributes       Yes           Yes     Yes             Yes                   Yes
  Create Files/Write Data        Yes           Yes                                                 Yes
  Create Folders/Append Data     Yes           Yes                                                 Yes
  Write Attributes               Yes           Yes                                                 Yes
  Write Extended Attributes      Yes           Yes                                                 Yes
  Delete Subfolders And Files    Yes
  Delete                         Yes           Yes
  Read Permissions               Yes           Yes     Yes             Yes                   Yes   Yes
  Change Permissions             Yes
  Take Ownership                 Yes

Setting File and Folder Permissions

To set permissions for files and folders, follow these steps:

  1. In Windows Explorer, right-click the file or folder with which you want to work.

  2. From the shortcut menu, select Properties, and then, in the Properties dialog box, click the Security tab, shown in Figure 14-10.

    Figure 14-10. Use the Security tab to configure basic permissions for the file or folder.

  3. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following:

    1. Select the user or group you want to change.

    2. Use the Permissions list box to grant or deny access permissions.

    Tip

    Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission.

  4. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 14-11.

    Figure 14-11. Use the Select Users, Computers, Or Groups dialog box to select users, computers, and groups that should be granted or denied access.

  5. Type the name of a user, computer, or group in the current domain and then click Check Names.

    1. If a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

    2. If no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

    3. If multiple matches are found, select the name(s) you want to use and then click OK. To add more users, computers, or groups, type a semicolon (;) and then repeat this step.

    Note

    The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.

  6. In the Name list box, select the user, computer, or group you want to configure, and then use the check boxes in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups. Click OK when you’re finished.
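The rules that precede Table 14-4 (no matching entry means no access; a user's rights are the sum of the entries for the user and for every group the user belongs to, nested groups included) and the basic-to-special mapping in Tables 14-4 and 14-5 can be checked with a small model. The following Python is an added example, not code from the chapter or from Windows: it encodes the two tables, expands nested group membership, sums the Allow entries that apply, and lets a Deny entry remove rights, which is how the "select the opposite permission" technique from the inheritance section overrides an inherited Allow. The GeorgeJ, Techies and Administrators names come from the chapter's own example; the ACLs, the group nesting and the child-object Deny are constructed. Denies always win in this model, which matches the canonical ACE ordering for entries at the same level; ACE order and explicit-versus-inherited precedence are not modelled.

```python
"""Effective-access model for NTFS basic and special permissions.

Added example, not code from the chapter or from Windows. It encodes the
basic-to-special permission mapping of Tables 14-4 and 14-5, expands
nested group membership, sums the Allow entries that apply to a user and
to every group the user belongs to, and lets a Deny entry remove rights.
Denies always win here, which matches the canonical ACE ordering for
entries at the same level; ACE order and explicit-versus-inherited
precedence are not modelled.
"""

from dataclasses import dataclass

# All thirteen special permissions, in the order the tables list them.
SPECIAL = (
    "Traverse Folder/Execute File", "List Folder/Read Data",
    "Read Attributes", "Read Extended Attributes",
    "Create Files/Write Data", "Create Folders/Append Data",
    "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete", "Read Permissions",
    "Change Permissions", "Take Ownership",
)

# Basic permission -> the special permissions it is built from (Table 14-4;
# Table 14-5 is the same apart from the folder-only List Folder Contents).
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes",
                   "Read Permissions"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
BASIC = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ_EXECUTE,
    "List Folder Contents": READ_EXECUTE,   # folders only
    "Modify": READ_EXECUTE | WRITE | {"Delete"},
    "Full Control": frozenset(SPECIAL),
}


@dataclass(frozen=True)
class Ace:
    principal: str         # user or group the entry applies to
    access: str            # "allow" or "deny"
    rights: frozenset      # special permissions named by the entry


def ace(principal, access, basic):
    """Build an ACE from a basic permission name, as the Security tab does."""
    return Ace(principal, access, BASIC[basic])


# Constructed group membership: group -> direct members (users or groups).
# Techies contains GeorgeJ, and Techies is itself a member of Administrators,
# which is the nesting in the chapter's example.
GROUPS = {
    "Techies": {"GeorgeJ"},
    "Administrators": {"Techies"},
}


def principals_for(user, groups=GROUPS):
    """The user plus every group that contains it, directly or through nesting."""
    found = {user}
    while True:
        new = {g for g, members in groups.items()
               if g not in found and members & found}
        if not new:
            return found
        found |= new


def effective_access(user, acl, groups=GROUPS):
    """Special permissions the user actually holds on one object.

    With no matching entry at all the result is empty: access is denied by
    default. Allows from the user and all of its groups are summed, and any
    matching Deny removes what it names.
    """
    who = principals_for(user, groups)
    allowed, denied = set(), set()
    for entry in acl:
        if entry.principal in who:
            (allowed if entry.access == "allow" else denied).update(entry.rights)
    return allowed - denied


def has_basic(user, acl, basic, groups=GROUPS):
    """True if the user holds every special permission behind the basic one."""
    return BASIC[basic] <= effective_access(user, acl, groups)


# The chapter's example: GeorgeJ has Read, Techies has Modify ("Change"),
# and Administrators has Full Control. Constructed ACL.
PARENT_ACL = [
    ace("GeorgeJ", "allow", "Read"),
    ace("Techies", "allow", "Modify"),
    ace("Administrators", "allow", "Full Control"),
]

# A child object that inherits the parent's entries and adds an explicit
# Deny on the delete rights: the "select the opposite permission" technique.
CHILD_ACL = PARENT_ACL + [
    Ace("GeorgeJ", "deny", frozenset({"Delete", "Delete Subfolders and Files"})),
]

if __name__ == "__main__":
    print("GeorgeJ on parent, Full Control:", has_basic("GeorgeJ", PARENT_ACL, "Full Control"))
    print("GeorgeJ on child, Modify:", has_basic("GeorgeJ", CHILD_ACL, "Modify"))
    print("GeorgeJ on child, Read & Execute:", has_basic("GeorgeJ", CHILD_ACL, "Read & Execute"))
    print("Guest on parent:", sorted(effective_access("Guest", PARENT_ACL)))
```

Running the block prints that GeorgeJ has Full Control on the parent (through Techies and then Administrators), keeps Read & Execute on the child, but loses Modify there because the Deny strips the Delete right that Modify requires; Guest, with no matching entry, gets nothing.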

Auditing System Resources

Auditing is the best way to track what’s happening on your Windows Server 2003 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Any time an action occurs that you’ve configured for auditing, the action is written to the system’s security log, where it’s stored for your review. The security log is accessible from Event Viewer.

Note

For most auditing changes, you’ll need to be logged on using an account that’s a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.

Setting Auditing Policies

Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies for individual machines with local Group Policy and for all machines in domains with Active Directory Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.

After you access the Group Policy container with which you want to work, you can set auditing policies by completing the following steps:

  1. As shown in Figure 14-12, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

    Figure 14-12. Set auditing policies using the Audit Policy node in Group Policy.

  2. The auditing options are as follows:

    • Audit Account Logon Events. Tracks events related to user logon and logoff.

    • Audit Account Management. Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

    • Audit Directory Service Access. Tracks access to Active Directory. Events are generated any time users or computers access the directory.

    • Audit Logon Events. Tracks events related to user logon, logoff, and remote connections to network systems.

    • Audit Object Access. Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.

    • Audit Policy Change. Tracks changes to user rights, auditing, and trust relationships.

    • Audit Privilege Use. Tracks the use of user rights and privileges, such as the right to back up files and directories.

      Note

      The Audit Privilege Use policy doesn’t track system access–related events, such as the use of the right to log on interactively or the right to access the computer from the network. You track these events with Logon and Logoff auditing.

    • Audit Process Tracking. Tracks system processes and the resources they use.

    • Audit System Events. Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

  3. To configure an auditing policy, double-click its entry or right-click and select Properties. This opens a properties dialog box for the policy.

  4. Select the Define These Policy Settings check box, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

  5. Click OK when you’re finished.

When auditing is enabled, the Security Event log will reflect the following:

  1. Event IDs 560 and 562, detailing User audits

  2. Event IDs 592 and 593, detailing Process audits

Auditing Files and Folders

If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is available only on NTFS volumes.

You can configure file and folder auditing by completing the following steps:

  1. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties.

  2. Click the Security tab and then click Advanced.

  3. In the Access Control Settings dialog box, click the Auditing tab, shown in Figure 14-13.

    Figure 14-13. After you audit object access, you can use the Auditing tab to set auditing policies on individual files and folders.

  4. If you want to inherit auditing settings from a parent object, ensure that the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box is selected.

  5. If you want child objects of the current object to inherit the settings, select the Replace Auditing Entries On All Child Objects With Entries Shown Here That Apply To Child Objects check box.

  6. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.

  7. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, you’ll see the Auditing Entry For ... dialog box, shown in Figure 14-14.

    Figure 14-14. Use the Auditing Entry For... dialog box to set auditing entries for a user, computer, or group.

    Tip

    If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.

  8. As necessary, use the Apply Onto drop-down list to specify where objects are audited.

  9. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 14-5, except that you can’t audit synchronizing of offline files and folders. For essential files and folders, you’ll typically want to track:

    1. Write Attributes – Successful

    2. Write Extended Attributes – Successful

    3. Delete Subfolders and Files – Successful

    4. Delete – Successful

    5. Change Permissions – Successful

  10. Clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.

  11. Click OK when you’re finished. Repeat this process to audit other users, groups, or computers.
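The event IDs listed after the auditing policy steps (560 and 562 for object access, 592 and 593 for process tracking) and the auditing entries recommended for essential folders only pay off if someone reads the security log. The following Python is an added example, not code from the chapter: it filters a handful of constructed log records by those event IDs, flags 560 records on a watched folder that request the accesses the chapter recommends auditing, and pairs each 592 with its matching 593. The records use a simplified tab-separated layout (date, time, event ID, type, user, object or process, accesses), not the real Event Viewer export format; the access-name strings (DELETE, WRITE_DAC, WriteAttributes, WriteEA) and the D:\Shares\Finance path are assumptions.

```python
"""Security-log triage for the audit events the chapter names.

Added example, not code from the chapter. The records below are
constructed and use a simplified tab-separated layout (date, time, event
ID, type, user, object or process, comma-separated accesses); this is
not the real Event Viewer export format, and the access-name strings are
assumed.
"""

import csv
from collections import Counter
from io import StringIO

OBJECT_ACCESS = {560, 562}      # handle opened / handle closed
PROCESS_TRACKING = {592, 593}   # process created / process exited

# Accesses taken to correspond to the entries the chapter says to audit on
# essential folders: Delete, Change Permissions, Write Attributes, Write
# Extended Attributes (assumed names).
WATCHED_ACCESSES = {"DELETE", "WRITE_DAC", "WriteAttributes", "WriteEA"}
# Constructed path of an essential share.
ESSENTIAL_PREFIXES = ("D:\\Shares\\Finance\\",)

# Constructed sample records.
SAMPLE_LOG = """\
2006-03-01\t09:12:01\t560\tSuccess Audit\tCORP\\GeorgeJ\tD:\\Shares\\Finance\\budget.xls\tReadData (or ListDirectory),ReadAttributes
2006-03-01\t09:12:05\t562\tSuccess Audit\tCORP\\GeorgeJ\tD:\\Shares\\Finance\\budget.xls\t
2006-03-01\t09:15:40\t560\tSuccess Audit\tCORP\\GeorgeJ\tD:\\Shares\\Finance\\budget.xls\tDELETE
2006-03-01\t09:16:02\t560\tFailure Audit\tCORP\\Temp01\tD:\\Shares\\Finance\\payroll.xls\tWRITE_DAC
2006-03-01\t09:18:30\t560\tSuccess Audit\tCORP\\Temp01\tD:\\Public\\notes.txt\tDELETE
2006-03-01\t09:20:11\t592\tSuccess Audit\tCORP\\GeorgeJ\tC:\\WINDOWS\\system32\\cmd.exe\t
2006-03-01\t09:21:30\t593\tSuccess Audit\tCORP\\GeorgeJ\tC:\\WINDOWS\\system32\\cmd.exe\t
2006-03-01\t09:25:00\t528\tSuccess Audit\tCORP\\GeorgeJ\t-\t
"""


def parse_log(text):
    """Parse the simplified records into dicts; malformed lines are skipped."""
    rows = []
    for rec in csv.reader(StringIO(text), delimiter="\t"):
        if len(rec) != 7:
            continue
        date, time, event_id, kind, user, obj, accesses = rec
        rows.append({
            "date": date,
            "time": time,
            "event_id": int(event_id),
            "success": kind.startswith("Success"),
            "user": user,
            "object": obj,
            "accesses": {a.strip() for a in accesses.split(",") if a.strip()},
        })
    return rows


def summarize(rows):
    """Count records by the categories the chapter's list uses."""
    counts = Counter()
    for r in rows:
        if r["event_id"] in OBJECT_ACCESS:
            counts["object access (560/562)"] += 1
        elif r["event_id"] in PROCESS_TRACKING:
            counts["process tracking (592/593)"] += 1
        else:
            counts["other"] += 1
    return counts


def sensitive_object_events(rows):
    """560 records on an essential folder that request a watched access.

    Both successes and failures are returned: a failed WRITE_DAC on a payroll
    file is worth a look even though nothing changed.
    """
    hits = []
    for r in rows:
        if r["event_id"] != 560 or not r["object"].startswith(ESSENTIAL_PREFIXES):
            continue
        matched = r["accesses"] & WATCHED_ACCESSES
        if matched:
            hits.append((r["time"], r["user"], r["object"], tuple(sorted(matched)), r["success"]))
    return hits


def process_lifetimes(rows):
    """Pair each 592 (created) with the next 593 (exited) for the same user and image."""
    open_procs, lifetimes = {}, []
    for r in rows:
        key = (r["user"], r["object"])
        if r["event_id"] == 592:
            open_procs[key] = r["time"]
        elif r["event_id"] == 593 and key in open_procs:
            lifetimes.append((r["user"], r["object"], open_procs.pop(key), r["time"]))
    return lifetimes


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(summarize(records))
    for hit in sensitive_object_events(records):
        print("watched access:", hit)
    print(process_lifetimes(records))
```

On the sample, the successful DELETE on budget.xls and the failed WRITE_DAC on payroll.xls are flagged; the DELETE under D:\Public is not, because only the essential share is watched.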

Auditing the Registry

If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for keys within the Registry. This allows you to track when key values are set, when subkeys are created, and when keys are deleted.

You can configure Registry auditing by completing the following steps:

  1. At a command prompt, type regedit.

  2. Browse to a key you want to audit. On the Edit menu, select Permissions.

  3. Click Advanced. In the Advanced Security Settings For ... dialog box, select the Auditing tab.

  4. Click Add. In the Select User, Computer, Or Group dialog box, type Everyone, click Check Names, and then click OK.

  5. In the Auditing Entries For ... dialog box, choose the actions you want to audit. Typically, you’ll want to track:

    1. Set Value – Successful and Failed

    2. Create Subkey – Successful and Failed

    3. Delete – Successful and Failed

  6. Click OK.

  7. Clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.

  8. Click OK twice to close all open dialog boxes and apply the auditing settings.

Auditing Active Directory Objects

If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.

To configure object auditing, follow these steps:

  1. In Active Directory Users And Computers, access the container for the object.

  2. Right-click the object to be audited, and then, from the shortcut menu, select Properties.

  3. Click the Security tab, and then click Advanced.

  4. In the Access Security Settings dialog box, click the Auditing tab. To inherit auditing settings from a parent object, make sure that the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects check box is selected.

  5. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box and then click Remove.

  6. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.

  7. Use the Apply Onto drop-down list to specify where objects are audited.

  8. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as a successful attempt to modify an object’s permissions. Failed logs failed events, such as a failure to modify an object’s owner.

  9. Click OK when you’re finished. Repeat this process to audit other users, groups, or computers.

Using, Configuring, and Managing NTFS Disk Quotas

Windows Server 2003 supports two different types of disk quotas:

  • NTFS Disk Quotas. NTFS disk quotas are supported with all versions of Windows Server 2003 and allow you to manage disk space usage by users. You configure quotas on a per volume basis. Although users who exceed limits will see warnings, administrator notification is primarily through the event logs.

  • Storage Resource Manager Disk Quotas. Storage Resource Manager disk quotas are supported in Windows Server 2003 R2 and allow you to manage disk space usage by folder and by volume. Users who are approaching or have exceeded a limit can be automatically notified by e-mail. The notification system also allows for notifying administrators by e-mail, triggering incident reporting, running commands, and logging related events.

The sections that follow discuss NTFS disk quotas.

Note

Regardless of the quota system being used, you can configure quotas only for NTFS volumes. You can’t create quotas for FAT or FAT32 volumes.

Understanding NTFS Disk Quotas and How NTFS Quotas Are Used

Administrators use NTFS disk quotas to manage disk space usage for critical volumes, such as those that provide corporate data shares or user data shares. When you enable NTFS disk quotas, you can configure two values:

  • Disk quota limit. Sets the upper boundary for space usage. You can use it to prevent users from writing additional information to a volume, to log events when a user exceeds the limit, or both.

  • Disk quota warning. Warns users and logs warning events when users are getting close to their disk quota limit.

Tip

You can set disk quotas but not enforce them, but you might be wondering why you’d do this. Sometimes you want to track disk space usage on a per-user basis and know when they’ve exceeded some predefined limit, but instead of denying them additional disk space, you log an event in the application log to track the overage. You can then send out warning messages or figure out other ways to reduce the space usage.

NTFS disk quotas apply only to end users. NTFS disk quotas don’t apply to administrators. Administrators can’t be denied disk space even if they exceed enforced disk quota limits.

In a typical environment, you’ll restrict disk space usage in MB or GB. For example, on a corporate data share that’s used by multiple users in a department, you might want to limit disk space usage to 20 to 100 GB. For a user data share, you might want to set the level much lower, such as 5 to 20 GB, which would restrict the user from creating large amounts of personal data. Often you’ll set the disk quota warning as a percentage of the disk quota limit. For example, you might set the warning to 90 to 95 percent of the disk quota limit.

Because NTFS disk quotas are tracked on a per-volume, per-user basis, disk space used by one user doesn’t affect the disk quotas for other users. Thus, if one user exceeds his or her limit, any restrictions applied to this user don’t apply to other users. For example, if a user exceeds a 1 GB disk quota limit and the volume is configured to prevent writing over the limit, the user can no longer write data to the volume. Users can, however, remove files and folders from the volume to free up disk space. They could also move files and folders to a compressed area on the volume, which might free up space, or they could elect to compress the files themselves. Moving files to a different location on the volume doesn’t affect the quota restriction. The amount of file space will be the same unless the user is moving uncompressed files and folders to a folder with compression. In any case, the restriction on a single user doesn’t affect other users’ ability to write to the volume (as long as there’s free space on the volume).

You can enable NTFS disk quotas on the following:

  • Local volumes. To manage disk quotas on local volumes, you work with the local disk itself. When you enable disk quotas on a local volume, the Windows systems files are included in the volume usage for the user who installed those files. Sometimes this might cause the user to go over the disk quota limit. To prevent this, you might want to set a higher limit on a local workstation volume.

  • Remote volumes. To manage disk quotas on remote volumes, you must share the root directory for the volume and then set the disk quota on the volume. Remember, quotas are set on a per volume basis, so if a remote file server has separate volumes for different types of data—that is, a corporate data volume and a user data volume—these volumes have different quotas.

Only members of the domain Administrators group or the local system Administrators group can configure disk quotas. The first step in using quotas is to enable quotas in Group Policy. You can do this at two levels:

  • Local. Through local group policy, you can enable disk quotas for an individual computer.

  • Enterprise. Through site, domain, and organizational unit policy you can enable disk quotas for groups of users and computers.

Having to keep track of disk quotas does cause some overhead on computers. This overhead is a function of the number of disk quotas being enforced, the total size of volumes and their data, and the number of users to which the disk quotas apply.

Although on the surface disk quotas are tracked per user, behind the scenes Windows Server 2003 manages disk quotas according to security identifiers (SIDs). Because SIDs track disk quotas, you can safely modify user names without affecting the disk quota configuration. Tracking by SIDs does cause some additional overhead when viewing disk quota statistics for users. That’s because Windows Server 2003 must correlate SIDs to user account names so that the account names can be displayed in dialog boxes. This means contacting the local user manager and the Active Directory domain controller as necessary.

After Windows Server 2003 looks up names, it caches them to a local file so that they can be available immediately the next time they’re needed. The query cache is infrequently updated, and if you notice a discrepancy between what’s displayed and what’s configured, you’ll need to refresh the information. Usually, this means selecting Refresh or pressing F5 in the current window.
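The accounting rules just described are easier to see in a small model than in prose. The following Python is an added illustration written for this chapter, not Windows code: entries are keyed by SID so a rename changes nothing, the volume default is copied into an entry only when a SID first writes (later changes to the default affect new users only), a volume with Deny Disk Space To Users Exceeding Quota Limit refuses writes over the limit while a tracking-only volume merely logs, and deletes always succeed so an over-limit user can recover. The SIDs, names and sizes are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

MB = 1024 * 1024


@dataclass
class QuotaEntry:
    name: str
    limit: Optional[int]   # bytes; None means no limit (how administrators are treated by default)
    warning: int           # bytes
    used: int = 0


@dataclass
class QuotaVolume:
    """One NTFS volume with quota management enabled (constructed model)."""
    default_limit: int
    default_warning: int
    enforce: bool = True                            # Deny Disk Space To Users Exceeding Quota Limit
    entries: dict = field(default_factory=dict)     # SID -> QuotaEntry
    events: list = field(default_factory=list)      # stands in for the Application log

    def entry_for(self, sid, name):
        # The volume default is copied into an entry the first time a SID
        # writes; changing the default later leaves existing entries alone.
        if sid not in self.entries:
            self.entries[sid] = QuotaEntry(name, self.default_limit, self.default_warning)
        return self.entries[sid]

    def set_entry(self, sid, name, limit, warning):
        # Explicit per-user entry, e.g. to limit an individual administrator
        # (limit=None removes the restriction, like Do Not Limit Disk Usage).
        entry = self.entry_for(sid, name)
        entry.limit, entry.warning = limit, warning

    def rename(self, sid, new_name):
        # Quotas follow the SID, so renaming changes only the display name.
        self.entries[sid].name = new_name

    def write(self, sid, name, size):
        """Charge `size` bytes to the SID; return True if the write is allowed."""
        entry = self.entry_for(sid, name)
        new_used = entry.used + size
        if entry.limit is not None and new_used > entry.limit:
            self.events.append(("limit", entry.name))
            if self.enforce:
                return False                      # hard limit: write refused
        elif entry.limit is not None and entry.used <= entry.warning < new_used:
            self.events.append(("warning", entry.name))
        entry.used = new_used
        return True

    def delete(self, sid, size):
        # Deleting is always allowed, so a user over the limit can free space.
        entry = self.entries[sid]
        entry.used = max(0, entry.used - size)


def demo():
    vol = QuotaVolume(default_limit=500 * MB, default_warning=450 * MB, enforce=True)
    alice = "S-1-5-21-1-1-1-1001"                  # constructed SIDs
    bob = "S-1-5-21-1-1-1-1002"
    vol.write(alice, "alice", 460 * MB)            # crosses the 450 MB warning
    vol.default_limit = 1000 * MB                  # raise the default: new users only
    vol.write(bob, "bob", 600 * MB)                # bob's entry is created at 1000 MB
    denied = not vol.write(alice, "alice", 100 * MB)   # alice still has 500 MB
    vol.rename(alice, "a.smith")                   # entry and usage unchanged
    vol.delete(alice, 100 * MB)                    # freeing space always works
    return vol, denied


if __name__ == "__main__":
    volume, was_denied = demo()
    print("write denied:", was_denied)
    for event in volume.events:
        print(*event)
```

The `events` list is the stand-in for the Application log entries that the Log Event policies produce; in a real deployment those entries, not the dialog box, are what a monitoring system should watch.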

Setting NTFS Disk Quota Policies

The best way to configure NTFS disk quotas is through Group Policy. When you configure disk quotas through local policy or through unit, domain, and site policy, you define general policies that are set automatically when you enable quota management on individual volumes. Thus, rather than having to configure each volume separately, you can use the same set of rules and apply them to each volume you want to manage in turn.

Policies that control NTFS disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. Table 14-6 summarizes the available policies.

Table 14-6. Policies for Setting NTFS Disk Quotas

  • Enable Disk Quotas. Turns disk quotas on or off for all NTFS volumes of the computer and prevents users from changing the setting.

  • Enforce Disk Quota Limit. Specifies whether quota limits are enforced. If quotas are enforced, users will be denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.

  • Default Quota Limit And Warning Level. Sets a default quota limit and warning level for all users. This setting overrides other settings and affects only new users.

  • Log Event When Quota Limit Exceeded. Determines whether an event is logged when users reach their limit and prevents users from changing their logging options.

  • Log Event When Quota Warning Level Exceeded. Determines whether an event is logged when users reach the warning level.

  • Apply Policy To Removable Media. Determines whether quota policies apply to NTFS volumes on removable media. If you don’t enable this policy, quota limits apply only to fixed media drives.

Whenever you work with quota limits, you’ll want to use a standard set of policies on all systems. Typically, you won’t want to enable all the policies. Instead, you’ll selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:

  1. Access Group Policy for the system with which you want to work, such as a file server. Then, access the Disk Quotas node by expanding Computer Configuration\Administrative Templates\System and then selecting Disk Quotas.

  2. Double-click Enable Disk Quotas, and then, in the Setting tab, choose Enabled. Click Next Setting. This displays the Enforce Disk Quota Limit policy.

  3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, click Enabled. Otherwise, click Disabled and then set specific limits on a per-volume basis.

  4. Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box. Select Enabled.

  5. Under Default Quota Limit, set a default limit that’s applied to users when they first write to the quota-enabled volume. The limit doesn’t apply to current users or affect current limits in place. On a corporate share, such as a share used by all members of a team, a good limit is between 500 and 1000 MB. Of course, this depends on the size of the data files that the users routinely work with. Graphic designers and data engineers might need much more disk space.

  6. If you scroll down in the subwindow provided in the Setting tab, you’ll be able to set a warning limit as well. A good warning limit is about 90 percent of the default quota limit, which means that if you set the default quota limit to 1000 MB, you’d set the warning limit to 900 MB.

  7. Click Next Setting. This displays the Log Event When Quota Limit Exceeded policy. Select Enabled so that limit events are recorded in the Application log.

  8. Click Next Setting. This displays the Log Event When Quota Warning Level Exceeded policy. Select Enabled so that warning events are recorded in the Application log.

  9. Click Next Setting. This displays the Apply Policy To Removable Media policy. Select Disabled so that the quota limits apply only to fixed media volumes on the computer. Click OK.

Tip

To ensure that the policies are enforced immediately, access the Computer Configuration\Administrative Templates\System\Group Policy node and then double-click Disk Quota Policy Processing. Next, select Enabled and then select the Process Even If The Group Policy Objects Have Not Changed check box. Click OK.

Enabling NTFS Disk Quotas on NTFS Volumes

You can set NTFS disk quotas on a per-volume basis. Only NTFS volumes can have disk quotas. After you’ve configured the appropriate group policies, you can set disk quotas for local and remote volumes using Computer Management.

Note

If quotas are enforced using the Enforce Disk Quota Limit policy setting, users will be denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.

To enable NTFS disk quotas on an NTFS volume, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.

  3. Using the Volume List or Graphical View, right-click the volume you want to work with and then select Properties.

  4. Click the Quota tab and then select the Enable Quota Management check box, as shown in Figure 14-15. If you’ve already set quota management values through Group Policy, the options are dimmed and you can’t change them. You must modify options through Group Policy instead.


    Figure 14-15. After you enable quota management, you can configure a quota limit and quota warning for all users. If you’ve already set these values through Group Policy, the options are dimmed and you can’t change them.

    Best Practices

    Whenever you work with the Quota tab, pay particular attention to the Status text and the associated traffic light icon. Both change based on the state of quota management. If quotas aren’t configured, the traffic light icon shows a red light and the status shows as inactive or not configured. If the operating system is working or updating the quotas, the traffic light icon shows a yellow light and the status shows the activity being performed. If quotas are configured, the traffic light icon shows a green light and the status text states that the quota system is active.

  5. To set a default disk quota limit for all users, select Limit Disk Space To and then use the text boxes provided to set a limit in KB, MB, GB, TB, PB, or EB. Afterward, use the Set Warning Level To text boxes to set the default warning limit. Again, you’ll usually want the disk quota warning limit to be 90–95 percent of the disk quota limit.

    Tip

    Although the default quota limit and warning applies to all users, you can configure different levels for individual users. You do this through the Quota Entries dialog box. If you create many unique quota entries and don’t want to recreate them on a volume with similar characteristics and usage, you can export the quota entries and import them on a different volume.

  6. To enforce the disk quota limit and prevent users from going over the limit, select the Deny Disk Space To Users Exceeding Quota Limit check box. Keep in mind that this creates an actual physical limitation for users (but not administrators).

  7. To configure logging when users exceed a warning limit or the quota limit, select the Log Event check boxes. Click OK to save your changes.

  8. If the quota system isn’t currently enabled, you’ll see a prompt asking you to enable the quota system. Click OK to allow Windows Server 2003 to rescan the volume and update disk usage statistics. Actions might be taken against users who exceed the current limit or warning levels. These actions can include preventing additional writing to the volume, notifying them the next time they access the volume, and logging applicable events in the Application log.

Viewing Disk Quota Entries

Disk space usage is tracked on a per-user basis. When disk quotas are enabled, each user storing data on a volume has an entry in the disk quota file. This entry is updated periodically to show the current disk space used, the applicable quota limit, the applicable warning level, and the percentage of allowable space being used. As an administrator, you can modify disk quota entries to set different limits and warning levels for particular users. You can also create disk quota entries for users who haven’t yet saved data on a volume. The key reason for creating entries is to ensure that when a user does make use of a volume, the user has an appropriate limit and warning level.

To view the current disk quota entries for a volume, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. In the console tree, expand Storage and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane.

  3. Using the Volume List or Graphical View, right-click the volume with which you want to work and then select Properties.

  4. In the Quota tab, click Quota Entries. This displays the Quota Entries dialog box. Each quota entry is listed according to a status. The status is meant to quickly depict whether a user has gone over a limit. A status of OK means the user is working within the quota boundaries. Any other status usually means the user has reached the warning level or the quota limit.

Creating Disk Quota Entries

You can create disk quota entries for users who haven’t yet saved data on a volume. This allows you to set custom limits and warning levels for a particular user. You’ll usually use this feature when a user frequently stores more information than other users and you want to allow the user to go over the normal limit or when you want to set a specific limit for administrators. As you might recall, administrators aren’t subject to disk quota limits, so if you want to enforce limits for individual administrators, you must create disk quota entries for each administrator you want to limit.

Real World

You shouldn’t create individual disk quota entries haphazardly. You need to track individual entries carefully. Ideally, you’ll keep a log that details any individual entries so that other administrators understand the policies in place and how those policies are applied. When you modify the base rules for quotas on a volume, you should reexamine individual entries to see if they’re still applicable or need to be updated as well. I’ve found that certain types of users are exceptions more often than not and that it’s sometimes better to put different classes of users on different volumes and then apply disk quotas to each volume. In this way, each class or category of user has a quota limit that’s appropriate for its members’ typical usage and you have fewer (perhaps no) exceptions. For example, you might use separate volumes for executives, managers, and users, or you might have separate volumes for management, graphic designers, engineers, and all other users.

To create a quota entry on a volume, follow these steps:

  1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.

  2. If the user doesn’t have an existing entry on the volume, you can create it by selecting New Quota Entry from the Quota menu. This opens the Select Users dialog box.

  3. In the Select Users dialog box, type the name of a user you want to use in the Name text box and then click Check Names. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary and then click OK when you’re finished.

  4. After you’ve selected a user, the Add New Quota Entry dialog box is displayed as shown in Figure 14-16. You have several options. You can remove all quota restrictions for this user by selecting Do Not Limit Disk Usage. Or you can set a specific limit and warning level by selecting Limit Disk Space To and then entering the appropriate values in the fields provided. Click OK.


Figure 14-16. Use the Add New Quota Entry dialog box to customize the user’s quota limit and warning level or remove quota restrictions altogether.
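The same per-user entry can be created without the dialog box by using the fsutil quota command that ships with Windows Server 2003, which is convenient when you script entries for many servers. The helper below is an added example, not from the book: it does the unit arithmetic (the chapter's 90 percent warning rule, sizes converted to bytes) and returns the command lines to run. The fsutil syntax used here, `fsutil quota modify <volume> <threshold> <limit> <user>` with threshold and limit in bytes, is from the tool's documentation; the volume letter, account name and sizes are constructed, and the commands are only executed when the script runs on Windows.

```python
import subprocess
import sys

MB = 1024 * 1024


def quota_bytes(limit_mb, warning_pct=90):
    """Return (warning_bytes, limit_bytes) for a limit given in MB.

    The chapter recommends a warning level of about 90 percent of the limit.
    """
    limit = limit_mb * MB
    return limit * warning_pct // 100, limit


def fsutil_quota_entry(volume, account, limit_mb, warning_pct=90):
    """argv for `fsutil quota modify <volume> <threshold> <limit> <user>`.

    fsutil takes the warning threshold first, then the limit, both in bytes.
    Naming an administrator account here limits that administrator, who is
    otherwise exempt from the volume default.
    """
    warning, limit = quota_bytes(limit_mb, warning_pct)
    return ["fsutil", "quota", "modify", volume, str(warning), str(limit), account]


def fsutil_check_commands(volume):
    """Commands to verify the entry and list users who crossed a threshold.

    `fsutil quota violations` reads the system and application logs, so the
    Log Event policies must be enabled for it to report anything.
    """
    return [["fsutil", "quota", "query", volume],
            ["fsutil", "quota", "violations"]]


def apply(commands):
    """Run the commands on Windows; return None elsewhere (fsutil is Windows-only)."""
    if sys.platform != "win32":
        return None
    return [subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
            for cmd in commands]


if __name__ == "__main__":
    # Constructed values: volume C:, account CORP\jsmith, 1000 MB limit, 900 MB warning.
    entry = fsutil_quota_entry("C:", r"CORP\jsmith", 1000)
    for cmd in [entry] + fsutil_check_commands("C:"):
        print(" ".join(cmd))
    apply([entry] + fsutil_check_commands("C:"))
```

Run with `fsutil quota track C:` or `fsutil quota enforce C:` first if quota management is not yet enabled on the volume; `modify` only adds or changes the entry for the named account.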

Deleting Disk Quota Entries

When you’ve created disk quota entries on a volume and a user no longer needs to use the volume, you can delete the associated disk quota entry. When you delete a disk quota entry, all files owned by the user are collected and displayed in a dialog box so that you can permanently delete the files, take ownership of the files, or move the files to a folder on a different volume.

To delete a disk quota entry for a user and manage the user’s remaining files on the volume, follow these steps:

  1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.

  2. Select the disk quota entry that you want to delete and then press the Delete key or select Delete Quota Entry from the Quota menu. You can select multiple entries using the Shift and Ctrl keys.

  3. When prompted to confirm the action, click Yes. This displays the Disk Quota dialog box with a list of current files owned by the selected user or users.

  4. Use the List Files Owned By selection list to display files for a user whose quota entry you’re deleting. You must now specify how the files for the user are to be handled. You can handle each file separately by selecting individual files and then choosing an appropriate option. You can select multiple files using the Shift and Ctrl keys. The options available are as follows:

    • Permanently Delete Files. Select the files to delete and then press Delete. When prompted to confirm the action, click Yes.

    • Take Ownership Of Files. Select the files of which you want to take ownership and then click Take Ownership.

    • Move Files To. Select the files that you want to move and then enter the path to a folder on a different volume in the field provided. If you don’t know the path that you want to use, click Browse to display the Browse For Folder dialog box, which you can use to find the folder. Once you find the folder, click Move.

  5. Click Close when you’re finished managing the files. If you’ve appropriately handled all user files, the disk quota entries will be deleted.

Exporting and Importing NTFS Disk Quota Settings

Rather than recreating custom disk quota entries on individual volumes, you can export the settings from a source volume and then import the settings on another volume. You must format both volumes using NTFS. The steps you follow to export and then import disk quota entries are the following:

  1. Access the Quota Entries dialog box as discussed in the section of this chapter entitled "Viewing Disk Quota Entries." Current quota entries for all users are listed. To refresh the listing, press F5 or select Refresh from the View menu.

  2. Select Export from the Quota menu. This displays the Export Quota Settings dialog box. Use the Save In drop-down list to choose the save location for the file containing the quota settings and then set a name for the file using the File Name text box. Afterward, click Save.

    Note

    If you save the settings file to a mapped drive on the target volume, you’ll have an easier time importing the settings. Quota files are usually fairly small, so you won’t need to worry about disk space usage.

  3. On the Quota menu, select Close to exit the Quota Entries dialog box.

  4. Right-click Computer Management in the console tree. On the shortcut menu, select Connect To Another Computer. In the Select Computer dialog box, choose the computer containing the target volume. The target volume is the one on which you want to use the exported settings.

  5. As explained previously, access the Properties dialog box for the target volume. Then click Quota Entries in the Quota tab. This displays the Quota Entries dialog box for the target volume.

  6. Select Import on the Quota menu. Then, in the Import Quota Settings dialog box, select the quota settings file that you saved previously. Click Open.

  7. If the volume had previous quota entries, you’ll have the opportunity to replace existing entries or keep existing entries. When prompted about a conflict, click Yes to replace an existing entry or click No to keep the existing entry. You can apply the option to replace or keep existing entries to all entries on the volume by selecting the Do This For All Quota Entries check box prior to clicking Yes or No.

Disabling NTFS Disk Quotas

You can disable quotas for individual users or all users on a volume. When you disable quotas for a particular user, the user is no longer subject to the quota restrictions but disk quotas are still tracked for other users. When you disable quotas on a volume, quota tracking and management are completely removed. To disable quotas for a particular user, follow the technique outlined in the section of this chapter entitled "Creating Disk Quota Entries." To disable quota tracking and management on a volume, follow these steps:

  1. Start Computer Management. If necessary, connect to a remote computer.

  2. Display the Properties dialog box for the volume on which you want to disable NTFS quotas.

  3. In the Quota tab, clear the Enable Quota Management check box. Click OK. When prompted to confirm, click OK again.

Using, Configuring, and Managing Storage Resource Manager Disk Quotas

Windows Server 2003 R2 supports an enhanced quota management system called Storage Resource Manager Disk Quotas. Using Storage Resource Manager Disk Quotas, you can manage disk space usage by folder and by volume.

Tip

Because you manage Storage Resource Manager disk quotas separately from NTFS disk quotas, you can in fact configure a single volume to use both quota systems. However, it’s recommended that you use one quota system or the other rather than both. Alternately, if you’ve already configured NTFS disk quotas, you might want to continue using NTFS disk quotas on a per-volume basis and supplement this quota management with Storage Resource Manager disk quotas for important folders.

Understanding Storage Resource Manager Disk Quotas

When you’re working with Windows Server 2003 R2, Storage Resource Manager disk quotas are another tool you can use to manage disk usage. You can configure Storage Resource Manager disk quotas on a per-volume basis and on a per-folder basis. You can set disk quotas with a specific limit as a hard limit, meaning a limit can’t be exceeded, or a soft limit, meaning a limit can be exceeded.

Generally, you’ll use hard limits when you want to prevent users from exceeding a specific disk usage limitation. You’ll use soft limits when you want to monitor usage and simply warn users who exceed or are about to exceed usage guidelines. All quotas have a quota path, which designates the base file path on the volume or folder to which the quota is applied. The quota applies to the designated volume or folder and all subfolders of the designated volume or folder. The particulars of how quotas work and how users are limited or warned are derived from a source template that defines the quota properties.

Windows Server 2003 R2 includes the quota templates listed in Table 14-7. Using the File Server Resource Manager, you can easily define additional templates that would then be available whenever you define quotas or you can set single-use custom quota properties when defining a quota.

Table 14-7. Disk Quota Templates

  • 100 MB Limit (limit: 100 MB; quota type: hard). Sends warnings to users as the limit is approached and exceeded.

  • 200 MB Limit Reports to User (limit: 200 MB; quota type: hard). Sends storage reports to the users who exceed the threshold.

  • 200 MB Limit With 50 MB Extension (limit: 200 MB; quota type: hard). Uses the DIRQUOTA command to grant an automatic one-time 50 MB extension to users who exceed the quota limit.

  • 250 MB Extended Limit (limit: 250 MB; quota type: hard). Meant to be used by those whose limit has been extended from 200 MB to 250 MB.

  • Monitor 200 GB Volume Usage (limit: 200 GB; quota type: soft). Monitors volume usage and warns when the limit is approached and exceeded.

  • Monitor 500 MB Share (limit: 500 MB; quota type: soft). Monitors share usage and warns when the limit is approached and exceeded.

Quota templates or custom properties define the following:

  • Limit. The disk space usage limit

  • Quota type. Hard or soft

  • Notification thresholds. The types of notification that occur when usage reaches a specific percentage of the limit

Although each quota has a specific limit and type, you can define multiple notification thresholds as either a warning threshold or a limit threshold. Warning thresholds are considered to be any percentage of the limit that is less than 100 percent. Limit thresholds occur when the limit reached is 100 percent. For example, you could define warning thresholds that were triggered at 85 percent and 95 percent of the limit and a limit threshold that is triggered when 100 percent of the limit is reached.

Users who are approaching or have exceeded a limit can be automatically notified by e-mail. The notification system also allows for notifying administrators by e-mail, triggering incident reporting, running commands, and logging related events.
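To make the threshold behaviour concrete, here is a constructed model of a Storage Resource Manager quota, added for this chapter and not FSRM code. A quota has a byte limit, a hard or soft type, and percentage thresholds (85, 95 and 100 in this example); thresholds below 100 are warning thresholds and 100 is the limit threshold. A hard quota refuses the write that would cross 100 percent, a soft quota stores it and only notifies, and each threshold fires once when usage first reaches it. The one-time extension mirrors the 200 MB With 50 MB Extension template in Table 14-7. The paths and sizes are constructed, and the model ignores FSRM's notification interval.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class FsrmQuota:
    """One Storage Resource Manager quota on a volume or folder (constructed model)."""
    path: str
    limit: int                          # bytes
    hard: bool                          # hard quota denies, soft quota only notifies
    thresholds: tuple = (85, 95, 100)   # percent of limit; 100 is the limit threshold
    used: int = 0
    extension_granted: bool = False
    notifications: list = field(default_factory=list)

    def _reached(self, used):
        # Thresholds whose percentage of the limit `used` has reached.
        return {t for t in self.thresholds if used * 100 >= self.limit * t}

    def _notify(self, pct, used, denied):
        # Stands in for the e-mail, event log and incident report actions.
        self.notifications.append({
            "path": self.path,
            "threshold": pct,
            "kind": "limit" if pct == 100 else "warning",
            "used_mb": used // MB,
            "denied": denied,
        })

    def save(self, nbytes):
        """Try to store nbytes under the quota path; return True if stored."""
        before = self._reached(self.used)
        new_used = self.used + nbytes
        if self.hard and new_used > self.limit:
            # A hard quota refuses the write; the limit threshold fires on the
            # refused attempt, which is where a template can hook a command
            # such as the 50 MB extension in Table 14-7.
            self._notify(100, new_used, denied=True)
            return False
        self.used = new_used
        for pct in sorted(self._reached(new_used) - before):
            self._notify(pct, new_used, denied=False)   # each threshold fires once
        return True

    def extend_once(self, extra):
        """Grant a one-time extension, as the 200 MB + 50 MB template does."""
        if self.extension_granted:
            return False
        self.limit += extra
        self.extension_granted = True
        return True


def demo():
    team = FsrmQuota(r"D:\Shares\Team", 200 * MB, hard=True)   # constructed path
    team.save(170 * MB)                     # 85 percent: warning threshold
    team.save(25 * MB)                      # 97.5 percent: 95 percent warning threshold
    refused = not team.save(10 * MB)        # would be 205 MB: refused, limit threshold
    team.extend_once(50 * MB)               # limit is now 250 MB
    retried = team.save(10 * MB)            # 205 MB is 82 percent of 250 MB: stored
    monitor = FsrmQuota(r"D:\Shares\Monitor", 100 * MB, hard=False)
    monitor.save(120 * MB)                  # soft: stored, all three thresholds fire
    return team, monitor, refused, retried


if __name__ == "__main__":
    for quota in demo()[:2]:
        for note in quota.notifications:
            print(note)
```

Note that after an extension the percentages are recomputed against the new limit, so the 85 and 95 percent warnings can fire a second time as usage grows toward 250 MB; that is the behaviour you want, since the extended limit is what the user is now being warned about.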

Managing Disk Quota Templates

You use disk quota templates to define quota properties, including the limit, quota type, and notification thresholds. In File Server Management, you can view the currently defined disk quota templates by expanding the File Server Resource Manager and Quota Management nodes and then selecting Quota Templates. Table 14-7 provided a summary of the default disk quota templates.

You can modify existing disk quota templates by completing the following steps:

  1. In File Server Management, expand the File Server Resource Manager and Quota Management nodes and then select Quota Templates.

  2. Currently defined disk quota templates are listed by name, limit, and quota type.

  3. To modify disk quota template properties, double-click the disk quota template name. This displays a related properties dialog box, as shown in Figure 14-17.


    Figure 14-17. Use disk quota properties to configure the limit, quota type, and notification thresholds.

  4. In the Settings tab, you can set the template name, limit, and quota type. Current notification thresholds are listed. To modify an existing threshold, select it and then click Edit. To define a new threshold, click Add.

  5. When you’re finished modifying the quota template, click OK to save the changes.

You can create a new disk quota template by completing the following steps:

  1. In File Server Management, expand the File Server Resource Manager and Disk Management nodes and then select Quota Templates.

  2. On the Action menu or in the Actions pane, select Create Quota Template. This displays the Create Quota Template dialog box.

  3. In the Settings tab, set the template name, limit, and quota type.

  4. A limit threshold is already created. You should edit this threshold first and then create additional warning thresholds as necessary. Select Limit and then click Edit to define the limit threshold.

  5. Click Add to add warning thresholds. In the Add Threshold dialog box, enter a percentage value under Generate Notifications When Usage Reaches (%). Warning thresholds are considered to be any percentage of the limit that is less than 100 percent. Limit thresholds occur when the limit reached is 100 percent.

  6. In the E-mail Message tab, you can configure notification as follows:

    1. To notify an administrator when the disk quota is triggered, select the Send E-Mail To The Following Administrators check box and then type the e-mail address or addresses to use. Be sure to separate multiple e-mail addresses with a semicolon. Use the value [Admin Email] to specify the default administrator as configured previously under the global options.

    2. To notify users, select the Send E-Mail To The User Who Attempted To Save An Unauthorized File check box.

    3. To specify the contents of the notification message, use the Subject and Message Body text boxes. Table 13-6, in Chapter 13, lists available variables and their meaning.

  7. In the Event Log tab, you can configure event logging. Select the Send Warning To Event Log check box to enable logging and then use the Log Entry text box to specify the text of the log entry. Table 13-6 in Chapter 13 lists available variables and their meaning.

  8. In the Report tab, select the Generate Reports check box to enable incident reporting and then select the types of reports to generate. Incident reports are stored under %SystemDrive%\StorageReports\Incident by default, and they can also be sent to designated administrators. Use the value [Admin Email] to specify the default administrator as configured previously under the global options.

  9. Repeat Steps 5–8 to define additional notification thresholds. Click OK when you’re finished creating the template.

Creating Disk Quotas

You use disk quotas to designate file paths that have specific usage limits. In File Server Management, you can view current disk quotas by expanding the File Server Resource Manager and Quota Management nodes and then selecting Quotas. Before you define disk quotas, you should specify screening file groups and disk quota templates that you will use, as discussed in Chapter 13 under "Managing the File Groups to Which Screens Are Applied" and in this chapter under "Managing Disk Quota Templates," respectively.

After you’ve defined the necessary file groups and disk quota templates, you can create a disk quota by completing the following steps:

  1. In File Server Management, expand the File Server Resource Manager and Quota Management nodes and then select Quotas.

  2. Select Create Quota on the Action menu or in the Actions pane.

  3. In the Create Quota dialog box, set the local computer path for the quota by clicking Browse and then using the Browse For Folder dialog box to select the desired path, such as C:\Data. Click OK.

  4. Use the Derive Properties From This Quota Template drop-down list to choose the disk quota template that defines the quota properties you want to use. Click Create.
