Chapter 5

Configuring a File Server

IN THIS CHAPTER

Looking at file server settings

Sharing folders

Setting permissions

In this chapter, you discover how to set up and manage file and print servers for Windows Server 2016. Because the features for file and print servers are essentially the same for previous versions of Windows Server, the techniques presented in this chapter should work for older versions as well.

Understanding Permissions

Before I get into the details of setting up a file server, you need to have a solid understanding of the concept of permissions. Permissions allow users to access shared resources on a network. Simply sharing a resource such as a disk folder or a printer doesn’t guarantee that a given user is able to access that resource. Windows makes this decision based on the permissions that have been assigned to various groups for the resource and group memberships of the user. If the user belongs to a group that has been granted permission to access the resource, the access is allowed. If not, access is denied.

In theory, permissions sound pretty simple. In practice, however, they can get pretty complicated. The following paragraphs explain some of the nuances of how access control and permissions work:

• Every object — that is, every file and folder — on an NTFS volume has a set of permissions called the Access Control List (ACL) associated with it.
• The ACL identifies the users and groups who can access the object and specifies what level of access each user or group has. A folder’s ACL may specify that one group of users can read files in the folder, whereas another group can read and write files in the folder, and a third group is denied access to the folder.

• Container objects — files and volumes — allow their ACLs to be inherited by the objects that they contain. As a result, if you specify permissions for a folder, those permissions extend to the files and child folders that appear within it.

  Table 5-1 describes the six permissions that can be applied to files and folders on an NTFS volume.

• Actually, the six file and folder permissions comprise various combinations of special permissions that grant more detailed access to files or folders. Table 5-2 lists the special permissions that apply to each of the six file and folder permissions.

• It’s best to assign permissions to groups rather than to individual users. Then if a particular user needs access to a particular resource, add that user to a group that has permission to use the resource.

TABLE 5-1 File and Folder Permissions

Permission	Description
Full Control	The user has unrestricted access to the file or folder.
Modify	The user can change the file or folder’s contents, delete the file or folder, read the file or folder, or change the attributes of the file or folder. For a folder, this permission allows you to create new files or subfolders within the folder.
Read & Execute	For a file, this permission grants the right to read or execute the file. For a folder, this permission grants the right to list the contents of the folder or to read or execute any of the files in the folder.
List Folder Contents	This permission applies only to folders; it grants the right to list the contents of the folder.
Read	This permission grants the right to read the contents of a file or folder.
Write	This permission grants the right to change the contents of a file or its attributes. For a folder, this permission grants the right to create new files and subfolders within the folder.

TABLE 5-2 Special Permissions

Special Permission	Full Control	Modify	Read & Execute	List Folder Contents	Read	Write
Traverse Folder/Execute File	*	*	*	*
List Folder/Read Data	*	*	*	*	*
Read Extended Attributes	*	*	*	*	*
Create Files/Write Data	*	*				*
Create Folders/Append Data	*	*				*
Write Attributes	*	*				*
Write Extended Attributes	*	*				*
Delete Subfolders and Files	*
Delete	*	*
Read Permissions	*	*	*	*	*	*
Change Permissions	*
Take Ownership	*
Synchronize	*	*	*	*	*	*

Understanding Shares

A share is simply a folder that is made available to other users via the network. Each share has the following elements:

• Share name: The name by which the share is known over the network. To make the share name compatible with older computers, you should stick to eight-character share names whenever possible.
• Path: The path to the folder on the local computer that’s being shared, such as C:\Accounting.
• Description: An optional one-line description of the share.
• Permissions: A list of users or groups who have been granted access to the share.

When you install Windows and configure various server roles, special shared resources are created to support those roles. You shouldn't disturb these special shares unless you know what you’re doing. Table 5-3 describes some of the most common special shares.

TABLE 5-3 Special Shares

Share Name	Description
drive$	The root directory of a drive; for example, C$ is the root share for the C: drive.
ADMIN$	Used for remote administration of a computer. This share points to the operating system folder (usually, C: \Windows).
IPC$	Used by named pipes, a programming feature that lets processes communicate with one another.
NETLOGON	Required for domain controllers to function.
SYSVOL	Another required domain controller share.
PRINT$	Used for remote administration of printers.
FAX$	Used by fax clients.

Notice that some of the special shares end with a dollar sign ($). These shares are hidden shares that aren't visible to users. You can still access them, however, by typing the complete share name (including the dollar sign) when the share is needed. The special share C$, for example, is created to allow you to connect to the root directory of the C: drive from a network client. You wouldn't want your users to see this share, would you? (Shares such as C$ are also protected by privileges, of course, so if an ordinary user finds out that C$ is the root directory of the server's C: drive, he or she still can’t access it.)

Managing Your File Server

To manage shares on a Windows Server 2016 system, open the Server Manager, and select File and Storage Services in the task pane on the left side of the window. Then click Shares to reveal the management console shown in Figure 5-1.

FIGURE 5-1: Managing shares in Windows Server 2016.

The following sections describe some of the most common procedures that you’ll use when managing your file server.

Using the New Share Wizard

To be useful, a file server should offer one or more shares — folders that have been designated as publicly accessible via the network. To create a new share, use the New Share Wizard, as described in the following procedure:

1. In Server Manager, click File and Storage Services, click Shares, and then choose New Share from the Tasks drop-down menu.

   The opening screen of the New Share Wizard appears, as shown in Figure 5-2. Here, the wizard asks you what folder you want to share.

2. Select SMB Share – Quick in the list of profiles and then click Next.

   Next, the New Share Wizard asks for the location of the share, as shown in Figure 5-3.

3. Select the server you want the share to reside on.

   For this example, I chose the server named win1601.

4. Select the location of the share by choosing one of these two options:

   • Select by Volume: This option selects the volume on which the shared folder will reside while letting the New Share Wizard create a folder for you. If you select this option, the wizard will create the shared folder on the designated volume. Use this option if the folder doesn't yet exist and you don’t mind Windows placing it in the default location, which is inside a folder called Shares on the volume you specify.
   • Type a Custom Path: Use this option if the folder exists or if you want to create one in a location other than the Shares folder.

   For this example, I chose the Select by Volume example to allow the wizard to create the share in the Shares folder on the C: drive.

5. Click Next.

   The dialog box shown in Figure 5-4 appears.

6. Type the name that you want to use for the share in the Share Name box.

   The default name is the name of the folder being shared. If the folder name is long, you can use a more succinct name here.

   For this example, I entered the share name Data.

7. Enter a description for the share.

   For this example, I left the description blank.

8. Click Next.

   The dialog box shown in Figure 5-5 appears.

9. Select the share settings you’d like to use:
   • Enable Access-Based Enumeration: Hides files that the user does not have permission to access
   • Allow Caching of Share: Makes the files available to offline users
   • Encrypt Data Access: Encrypts files accessed via the share

10. Click Next.

    The wizard displays the default permissions that will be used for the new share, as shown in Figure 5-6.

11. If you want to customize the permissions, click Customize Permissions.

    This button summons the Advanced Security Settings for Data dialog box, which lets you customize both the NTFS and the share permissions.

12. Click Next.

    The confirmation page appears, as shown in Figure 5-7.

13. Verify that all the settings are correct and then click Create.

    The share is created, and a results dialog box is displayed, as shown in Figure 5-8.

FIGURE 5-2: The New Share Wizard comes to life.

FIGURE 5-3: The wizard asks where you’d like to locate the share.

FIGURE 5-4: The wizard asks for the share name and description.

FIGURE 5-5: Specifying the share settings.

FIGURE 5-6: Setting the share permissions.

FIGURE 5-7: Confirming your share settings.

FIGURE 5-8: You’re done!

Sharing a folder without the wizard

If you think wizards should be confined to Harry Potter movies, you can set up a share without bothering with the wizard. Just follow these steps:

1. Press the Windows key, click Computer, and navigate to the folder that you want to share.

2. Right-click the folder, and choose Properties from the contextual menu.

   This action brings up the Properties dialog box for the folder.

3. Click the Sharing tab.

   The Sharing tab comes to the front, as shown in Figure 5-9.

4. Click the Advanced Sharing button.

   The dialog box shown in Figure 5-10 appears.

5. Select the Share This Folder check box to designate the folder as shared.

   The rest of the controls in this dialog box will be unavailable until you select this check box.

6. Type the name that you want to use for the share in the Share Name box, and type a description of the share in the Comments box.

   The default name is the name of the folder being shared. If the folder name is long, you can use a more succinct name here.

   The description is strictly optional but sometimes helps users determine the intended contents of the folder.

7. If you want to specify permissions now, click Permissions.

   This button brings up a dialog box that lets you create permissions for the share. For more information, see the next section, “Granting permissions.”

8. Click OK.

   The folder is now shared.

FIGURE 5-9: Manually sharing a folder.

FIGURE 5-10: Setting the share name.

Granting permissions

When you first create a file share, all users are granted read-only access to the share. If you want to allow users to modify files in the share or allow them to create new files, you need to add permissions. Here’s how to do this via Windows Explorer:

1. Open Windows Explorer by pressing the Windows key and clicking Computer; then browse to the folder whose permissions you want to manage.

2. Right-click the folder you want to manage, and choose Properties from the contextual menu.

   The Properties dialog box for the folder appears.

3. Click the Sharing tab; then click Advanced Sharing.

   The Advanced Sharing dialog box appears.

4. Click Permissions.

   The dialog box shown in Figure 5-11 appears. This dialog box lists all the users and groups to whom you’ve granted permission for the folder. When you select a user or group from the list, the check boxes at the bottom of the list change to indicate which specific permissions you’ve assigned to each user or group.

5. Click Add.

   The dialog box shown in Figure 5-12 appears.

6. Type the name of the user or group to whom you want to grant permission and then click OK.

   If you’re not sure of the name, click Advanced. This action brings up a dialog box that lets you search for existing users. You can click the Find Now button to display a list of all users and groups in the domain. Alternatively, you can enter the first part of the name that you’re looking for before you click Find Now to search more specifically.

   When you click OK, you return to the Share Permissions tab, with the new user or group added.

7. Select the appropriate Allow and Deny check boxes to specify which permissions to allow for the user or group.
8. Repeat Steps 5 through 7 for any other permissions that you want to add.
9. When you’re done, click OK.

FIGURE 5-11: Setting the share permissions.

FIGURE 5-12: The Select Users, Computers, Service Accounts, or Groups dialog box.

Here are a few other thoughts to ponder concerning adding permissions:

• If you want to grant full access to everyone for this folder, don’t bother adding another permission. Instead, select the Everyone group and then select the Allow check box for each permission type.

• You can remove a permission by selecting the permission and then clicking Remove.

• The permissions assigned in this procedure apply only to the share itself. The underlying folder can also have permissions assigned to it. If that’s the case, whichever of the restrictions is most restrictive always applies. If the share permissions grant a user Full Control permission but the folder permission grants the user only Read permission, for example, the user has only Read permission for the folder.