Windows Server 2008 Inside Out- P13


Managing File and Folder Permissions

You can think of file and folder permissions as the base-level permissions—the permissions that are applied no matter what. For NTFS volumes, you use file and folder permissions and ownership to further constrain actions within the share as well as share permissions. For FAT volumes, share permissions provide the only access controls. The reason for this is that FAT volumes have no file and folder permission capabilities.

File and folder permissions are much more complex than share permissions, and to really understand how they can be used and applied, you must understand ownership and inheritance as well as the permissions that are available.

Inside Out: Changes to basic file and folder attributes are sometimes necessary

As administrators, we often forget about the basic file and folder attributes that can be assigned. However, basic file and folder attributes can affect access, so let’s look at these attributes first and then at the file and folder permissions you can apply to NTFS volumes. All files and folders have basic attributes regardless of whether you are working with FAT or NTFS. These attributes can be examined in Windows Explorer by right-clicking the file or folder icon and then selecting Properties. Folder and file attributes include Hidden and Read-Only. Hidden determines whether the file is displayed in file listings. You can override this by telling Windows Explorer to display hidden files. On NTFS, the Read-Only attribute for folders is initially shown as unavailable. Here, this means the attribute is in a mixed state regardless of the current state of files in the folder. If you override the mixed state by selecting the Read-Only check box for a folder, all files in the folder will be read-only. If you override the mixed state and clear the Read-Only check box for a folder, all files in the folder will be writable.

File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2008, the file or folder owner isn’t necessarily the file or folder’s creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder.

The way ownership is assigned initially depends on where the file or folder is being created. By default, the user who created the file or folder is listed as the current owner. Ownership can be taken or transferred in several ways. Any administrator can take ownership. Any user or group with the Take Ownership permission can take ownership. Any user who has the right to Restore Files And Directories, such as a member of the Backup Operators group, can take ownership as well. Any current owner can transfer ownership to another user as well.

Taking Ownership of a File or Folder

You can take ownership using a file or folder’s Properties dialog box. Right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking Advanced. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17. In the Change Owner To list box, select the new owner. If you’re taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. Click OK twice when you are finished.

Figure 17-17 Taking ownership is done by using the Owner tab.

Transferring Ownership

If you are an administrator or a current owner of a file or folder, you can transfer ownership to another user by using a file or folder’s Properties dialog box. In Windows Explorer, right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking the Advanced button. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17. Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names.
If multiple names match the value you entered, you’ll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User, Computer, Or Group dialog box. Under Change Owner To on the Owner tab of the Advanced Security Settings dialog box, the user you added is listed and selected. When you click OK, ownership is transferred to this user.

Permission Inheritance for Files and Folders

By default, when you add a folder or file to an existing folder, the folder or file inherits the permissions of the existing folder. For example, if the Domain Users group has access to a folder and you add a file to this folder, members of the Domain Users group will be able to access the file. Inherited permissions are automatically assigned when files and folders are created.

When you assign new permissions to a folder, the permissions propagate down and are inherited by all subfolders and files in the folder and supplement or replace existing permissions. If you add permissions on a folder to allow a new group to access a folder, these permissions are applied to all subfolders and files in the folder, meaning the additional group is granted access. On the other hand, if you were to change the permissions on the folder so that, for instance, only members of the Engineering group could access the folder, these permissions would be applied to all subfolders and files in the folder, meaning only members of the Engineering group would have access to the folder, its subfolders, and its files.

Inheritance is automatic. If you do not want the permissions of subfolders and files within folders to supplement or replace existing permissions, you must override inheritance starting with the top-level folder from which the permissions are inherited.
A top-level folder is referred to as a parent folder. Files and folders below the parent folder are referred to as child files and folders. This is identical to the parent/child structure of objects in Active Directory.

Changing Shaded Permissions and Stopping Inheritance

If a permission you want to change is shaded, the file or folder is inheriting the permission from a parent folder. To change the permission, you must do one of the following:

• Access the parent folder and make the desired changes. These changes will then be inherited by child folders and files.
• Select the opposite permission to override the inherited permission if possible. In most cases, Deny overrides Allow, so if you explicitly deny permission to a user or group for a child folder or file, this permission should be denied to that user or group of users.
• Stop inheriting permissions from the parent folder and then copy or remove existing permissions as appropriate.

To stop inheriting permissions from a parent folder, right-click the file or folder in Windows Explorer and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab, as shown in Figure 17-18.

Figure 17-18 Change inheritance as necessary.

Clear the Include Inheritable Permissions From This Object’s Parent check box. As shown in Figure 17-19, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permissions and apply only the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate.

Figure 17-19 Copy over or remove the inherited permissions.

Resetting and Replacing Permissions

Another way to manage permissions is to reset the permissions of subfolders and files within a folder, replacing their permissions with the current permissions assigned to the folder you are working with. In this way, subfolders and files get all inheritable permissions from the parent folder and all other explicitly defined permissions on the individual subfolders and files are removed.

To reset permissions for subfolders and files of a folder, right-click the file or folder in Windows Explorer, and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab. Select Replace All Existing Inheritable Permissions…, and then click OK. As shown in Figure 17-20, you will see a prompt explaining that this action will remove all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.

Figure 17-20 Confirm that you want to replace the existing permissions on subfolders and files.

Configuring File and Folder Permissions

On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups.

Basic Permissions

In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 17-21. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in this list, the applicable permissions are shown in the Permissions For list.
If permissions are unavailable, it means the permissions are inherited from a parent folder as discussed previously.

Figure 17-21 The Security tab shows the basic permissions assigned to each user or group.

The basic permissions you can assign to folders and files are shown in Table 17-1 and Table 17-2. These permissions are made up of multiple special permissions.

Table 17-1 Basic Folder Permissions

Permission | Description
Full Control | This permission permits reading, writing, changing, and deleting files and subfolders. If a user has Full Control over a folder, she can delete files in the folder regardless of the permission on the files.
Modify | This permission permits reading and writing to files and subfolders; allows deletion of the folder.
List Folder Contents | This permission permits viewing and listing files and subfolders as well as executing files; inherited by folders only.
Read & Execute | This permission permits viewing and listing files and subfolders as well as executing files; inherited by files and folders.
Write | This permission permits adding files and subfolders.
Read | This permission permits viewing and listing files and subfolders.

Table 17-2 Basic File Permissions

Permission | Description
Full Control | This permission permits reading, writing, changing, and deleting the file.
Modify | This permission permits reading and writing of the file; allows deletion of the file.
Read & Execute | This permission permits viewing and accessing the file’s contents as well as executing the file.
Write | This permission permits writing to a file. Giving a user permission to write to a file but not to delete it doesn’t prevent the user from deleting the file’s contents.
Read | This permission permits viewing or accessing the file’s contents. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target.

You can set basic permissions for files and folders by following these steps:

1. In Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box, select the Security tab, shown previously in Figure 17-21.
2. Click Edit to display an editable version of the Security tab. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change and then using the Permissions list box to grant or deny access permissions.
3. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box.
4. The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2008, you can usually access all the domains in the domain tree or forest.
5. Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found as follows:
   • When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
   • When no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or click Locations to select a new location.
   • If multiple matches are found, select the name(s) you want to use, and then click OK.
6. To add additional users or groups, type a semicolon (;), and then repeat this process.
7. When you click OK, the users and groups are added to the Name list for the file or folder. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the check box for the permission in the Allow column. If a user or group should be denied access permissions, select the check box for the permission in the Deny column.
8. When you’re finished, click OK.

Special Permissions

In Windows Explorer you can view special permissions by right-clicking the file or folder you want to work with and selecting Properties on the shortcut menu. In the Properties dialog box, select the Security tab, and then click Advanced to display the Advanced Security Settings dialog box, as shown in Figure 17-22. The special permissions available are as follows:

• Traverse Folder/Execute File: Traverse Folder lets you directly access a folder even if you don’t have explicit access to read the data it contains. Execute File lets you run an executable file.
• List Folder/Read Data: List Folder lets you view file and folder names. Read Data lets you view the contents of a file.
• Read Attributes: Lets you read the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.
• Read Extended Attributes: Lets you view the extended attributes (named data streams) associated with a file. As discussed in Chapter 16, “Managing Windows Server 2008 File Systems,” these include Summary fields, such as Title, Subject, and Author, as well as other types of data.
• Create Files/Write Data: Create Files lets you put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).
• Create Folders/Append Data: Create Folders lets you create subfolders within folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data because this is covered by Write Data).
• Write Attributes: Lets you change the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.
• Write Extended Attributes: Lets you change the extended attributes (named data streams) associated with a file. As discussed in Chapter 16, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.
• Delete Subfolders And Files: Lets you delete the contents of a folder. If you have this permission, you can delete the subfolders and files in a folder even if you don’t specifically have Delete permission on the subfolder or file.
• Delete: Lets you delete a file or folder. If a folder isn’t empty and you don’t have Delete permission for one of its files or subfolders, you won’t be able to delete it. You can do this only if you have the Delete Subfolders And Files permission.
• Read Permissions: Lets you read all basic and special permissions assigned to a file or folder.
• Change Permissions: Lets you change basic and special permissions assigned to a file or folder.
• Take Ownership: Lets you take ownership of a file or folder. By default, administrators can always take ownership of a file or folder and can also grant this permission to others.

Figure 17-22 The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group.

Tables 17-3 and 17-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.

Table 17-3 Special Permissions for Folders

Special Permissions          | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
Traverse Folder/Execute File | X            | X      | X              | X                    |      |
List Folder/Read Data        | X            | X      | X              | X                    | X    |
Read Attributes              | X            | X      | X              | X                    | X    |
Read Extended Attributes     | X            | X      | X              | X                    | X    |
Create Files/Write Data      | X            | X      |                |                      |      | X
Create Folders/Append Data   | X            | X      |                |                      |      | X
Write Attributes             | X            | X      |                |                      |      | X
Write Extended Attributes    | X            | X      |                |                      |      | X
Delete Subfolders And Files  | X            |        |                |                      |      |
Delete                       | X            | X      |                |                      |      |
Read Permissions             | X            | X      | X              | X                    | X    | X
Change Permissions           | X            |        |                |                      |      |
Take Ownership               | X            |        |                |                      |      |

Table 17-4 Special Permissions for Files

Special Permissions          | Full Control | Modify | Read & Execute | Read | Write
Traverse Folder/Execute File | X            | X      | X              |      |
List Folder/Read Data        | X            | X      | X              | X    |
Read Attributes              | X            | X      | X              | X    |
Read Extended Attributes     | X            | X      | X              | X    |
Create Files/Write Data      | X            | X      |                |      | X
Create Folders/Append Data   | X            | X      |                |      | X
Write Attributes             | X            | X      |                |      | X
Write Extended Attributes    | X            | X      |                |      | X
Delete Subfolders And Files  | X            |        |                |      |
Delete                       | X            | X      |                |      |
Read Permissions             | X            | X      | X              | X    | X
Change Permissions           | X            |        |                |      |
Take Ownership               | X            |        |                |      |

You can set special permissions for files and folders in Windows Explorer. Right-click the file or folder you want to work with and then select Properties. In the Properties dialog box, click the Security tab, and then click Advanced. This displays the Advanced Security Settings dialog box with the Permissions tab selected. Click Edit to display an editable version of the Permissions tab. You now have the following options:

• Add: Adds a user or group. Click Add to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you’ll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you. When you click OK, the Permission Entry For dialog box shown in Figure 17-23 is displayed.

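The following Python model is an added example, not code from the book. It builds the basic permissions from the columns of Tables 17-3 and 17-4 and evaluates constructed ACLs in the order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow), so it shows inherited access, an explicit Deny overriding it, an explicit Allow on a child being evaluated before a Deny inherited from its parent, and deletion through Delete Subfolders And Files on the folder. The account names, the Ace class and the helper functions are assumptions made for the example; owner rights, privileges and per-entry inheritance flags are not modelled.

```python
from dataclasses import dataclass

# Access-mask bits behind the special permissions (Windows SDK values).
TRAVERSE_EXECUTE, LIST_READ, READ_ATTR, READ_EA = 0x20, 0x1, 0x80, 0x8
CREATE_WRITE, CREATE_APPEND, WRITE_ATTR, WRITE_EA = 0x2, 0x4, 0x100, 0x10
DELETE_CHILD, DELETE = 0x40, 0x10000  # DELETE_CHILD: Delete Subfolders And Files
READ_PERMS, CHANGE_PERMS, TAKE_OWNERSHIP = 0x20000, 0x40000, 0x80000

# Basic permissions built from the columns of Tables 17-3 and 17-4. Masks
# reported by tools also include SYNCHRONIZE (0x100000), not listed there.
READ = LIST_READ | READ_ATTR | READ_EA | READ_PERMS
READ_EXECUTE = READ | TRAVERSE_EXECUTE
WRITE = CREATE_WRITE | CREATE_APPEND | WRITE_ATTR | WRITE_EA | READ_PERMS
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | DELETE_CHILD | CHANGE_PERMS | TAKE_OWNERSHIP

@dataclass(frozen=True)
class Ace:                      # hypothetical model of one permission entry
    trustee: str                # constructed user or group name
    allow: bool                 # True for an Allow entry, False for Deny
    mask: int
    inherited: bool = False

def inherit(parent_acl):
    """Entries a new child receives from its parent, marked as inherited.
    Simplification: every parent entry is treated as inheritable."""
    return [Ace(a.trustee, a.allow, a.mask, True) for a in parent_acl]

def canonical(acl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def access_check(acl, identities, wanted):
    """Walk the entries in order. A Deny that covers a bit still needed
    refuses the request; Allow entries accumulate until nothing is missing."""
    remaining = wanted
    for ace in canonical(acl):
        if ace.trustee not in identities:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def can_delete(item_acl, folder_acl, identities):
    """Delete on the item itself, or Delete Subfolders And Files on its folder."""
    return (access_check(item_acl, identities, DELETE)
            or access_check(folder_acl, identities, DELETE_CHILD))

def scenarios():
    """Constructed accounts and ACLs covering the cases in the text."""
    alice = {"alice", "Domain Users"}
    bob = {"bob", "Domain Users", "Contractors"}
    shared = [Ace("Domain Users", True, READ_EXECUTE)]
    new_file = inherit(shared)
    denied_file = new_file + [Ace("Contractors", False, READ)]
    locked = [Ace("Contractors", False, WRITE), Ace("Domain Users", True, MODIFY)]
    exception_file = inherit(locked) + [Ace("bob", True, WRITE)]
    read_only_file = [Ace("carol", True, READ)]  # inheritance stopped on this file
    return {
        "inherited allow lets alice read": access_check(new_file, alice, LIST_READ),
        "inherited allow gives no write": access_check(new_file, alice, CREATE_WRITE),
        "explicit deny beats inherited allow": access_check(denied_file, bob, LIST_READ),
        "inherited deny blocks bob": access_check(inherit(locked), bob, CREATE_WRITE),
        "explicit allow beats inherited deny": access_check(exception_file, bob, CREATE_WRITE),
        "full control on folder deletes file": can_delete(
            read_only_file, [Ace("carol", True, FULL_CONTROL)], {"carol"}),
        "modify on folder does not": can_delete(
            read_only_file, [Ace("carol", True, MODIFY)], {"carol"}),
    }

if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{'allowed' if allowed else 'denied':8} {case}")
```
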
[...]

... copies on a server, the server creates and maintains previous versions of all files and folders created on the volumes you’ve specified. It does this by creating snapshots of shared folders at predetermined intervals and storing these images in shadow copy storage in such a way that users and administrators can easily access the data to recover previous versions of files and folders. Windows Server 2008 includes...

TROUBLESHOOTING: Shadow copy relies on the Task Scheduler

The schedule you set for shadow copies is set as a scheduled task on the server. Scheduled tasks are run by the Task Scheduler service and can be viewed in the Scheduled Tasks folder as discussed in Chapter 4, “Managing Windows Server 2008.” The Task Scheduler service must be running and properly configured for shadow copying to work correctly. In addition,...

... volumes on which those shares are located. Those are the volumes for which you will need to configure shadow copying. You might also want to consider changing the way users’ personal data is stored. Windows Server 2008 enables you to centrally manage user data folders through file shares, and then if you configure shadow copies on these file shares, users will have access to previous versions of all their data...

... Configuring Shadow Copies at the Command Line; Using Shadow Copies on Clients

Volume Shadow Copy Service is a feature of Windows Server 2008. It offers two important features:

• Shadow copying of files in shared folders: Allows you to configure volumes so that shadow copies of files in shared folders are created automatically at specific...

... the shadow copies for the volume. This will ensure that error events aren’t written to the system logs when the Scheduled Task service can’t create the snapshot images.

Reverting an Entire Volume

Windows Server 2008 features a shadow copy enhancement that allows you to revert an entire volume to the state it was in when a particular shadow copy was created. This comes with a couple of caveats: The volume...

... audit the root folder of the volume.

Auditing File and Folder Access

You specify files and folders to audit using Windows Explorer. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties. In the Properties dialog box, click the Security tab, and then click Advanced...

... through the Shadow Copy API. The shadow copy driver (Volsnap.sys) and the Volume Shadow Copy Service executable (Vssvc.exe) are key components used by this API. When you enable shadow copies on a server, the server is configured to be a client-accessible shadow copy service provider. The default provider is the Microsoft Software Shadow Copy Provider, and it is responsible for providing the necessary interface...

... writer used by other writers to make Registry System Writer The standard shadow copies writer used by the operating system Windows Management Instrumentation (WMI) Writer Standard WMI writer for shadow copies WINS Jet Writer Shadow copies writer used to make backups of files in use by the Windows Internet Naming Service (WINS)...

To ensure that the VolumeShadowCopy task runs after failover on a clustered file server, the %SystemRoot% should be the same on the cluster to which the service is failed over. If it isn’t in the same location and failover occurs, the VolumeShadowCopy task might not run. For example, if the %SystemRoot% on node 1 is C:\Windows and the %SystemRoot% on node 2 is C:\Winnt, the task might not run when the...

... using the environment variable once the task is set. See Chapter 39, “Preparing and Deploying Server Clusters,” for more information about clustering.

8. Select the volume on which you want to enable shadow copies and click Enable. When prompted, click Yes to confirm the action. Windows will then create a snapshot of the volume.
9. Configure any additional volumes for shadow

Date posted: 07/11/2013, 12:15
