Windows 2003 Server

Chapter 5

Managing File Access

Home | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP

Main | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | Chapter 5 | Chapter 6 | Chapter 7

Chapter 8 | Chapter 9 | Chapter 10 | Chapter 11 | Chapter 12 | Chapter 13 | Chapter 14


At the end of this chapter you should be able to:

  • Identify and understand the differences between the various file systems supported in Windows Server 2003

  • Create and manage shared folders

  • Understand and configure the shared folder permissions available in Windows Server 2003

  • Understand and configure the NTFS permissions available in Windows Server 2003

  • Determine the impact of combining shared folder and NTFS permissions

  • Convert partitions and volumes from FAT to NTFS

Windows Server 2003 File Systems

Windows Server 2003 supports three file types, FAT, FAT32, and NTFS.  In a production environment NTFS should be used.



The FAT (File Allocation Table) file system is left over from the DOS days.  It is supported by all versions of Windows.  It used to have a size limit of 2 GB, but with Windows Server 2003 its limit has been moved to 4GB.  This file system was used as the primary file system with DOS, Windows 3.x, 95.



FAT32 was created to address the size limitations of FAT.  It will support partition sizes up to 2 TB (terabytes).  One of FAT and FAT32's bug limitations is the lack of security.  FAT32 was first introduced in Windows 95 OSR2, and is the main file system for Windows 98, 98SE, and ME.



NTFS (New technology File System) is the file system of choice on Windows Server 2003.  It was first introduced in Windows NT and is available with Windows 2000, XP, and 2003.  NTFS supports many things that the FAT file systems do not.  Below is a list of NTFS advantages and facts.

  • Better performance, and handles larger disks better.

  • Required for Active Directory.

  • Permission can be applied from the partition or volume down to the files and folders.

  • Advanced attributes support encryption and compression.  (Not both at once)

  • Disk quotas.

  • The ability to extend disk space with removable media.

  • Journaling - helps you recover data if there are system problems.

Creating and Managing Shared Folders

One of the main reasons we use networks is to share resources.  One of the resources we want to share is data.  Windows Server 2003 allows you to share folders so your clients can access them.  In order to share a folder you have to have the appropriate rights.  Administrators and Server Operators can create shares on Domain Controllers.  Power Users are added to that list on servers not setup as Domain Controllers.  Let's take a look at two ways to setup a shared folder.


Using Windows Explorer

In Windows Explorer you would right click on a folder and choose Sharing and Security.  In the box that comes up click Share this folder and give it a name.  If you wish to hide a share from your users then place a "$" at the end of the name.  Doing this will cause it not to show in Explorer.  (It will be visible using Linux)  There are a number of built in shares with Windows Server 2003, one of them is the C drive.  \\server##\c$


LAB ACTIVITY - Do the lab on page 188. (5 Minutes)


Using Computer Management

Another Method for setting up shares in Windows Server 2003 is using Computer Management.  Using the Shared Folders snap-in you can run a wizard that will step you through the process.


LAB ACTIVITY - Do the lab on page 192. (10 Minutes)


Monitoring Access to Shared Folders

Using the Shared Folder snap-in you can also monitor the shared folders.  There are three sections in the snap-in, they are outlined below.

  • Shares - Display all the shares on your server, from here you can create a new share, stop and existing share, or configure a share.

  • Sessions - This will show you information about who is connected to your server.

  • Open Files - Displays a list of each file open and what user has the file open.

You can also use the snap-in to send a message to all attached users.  This is handy if you need to reboot the server, you can let all your users know.

Managing Shared Folders Permissions

Shared level permissions applied to a folder only affects users coming in from the network.  Each shared folder has a discretionary access control list (DACL) that contains a list of users and groups.  The entries in the DACL are known as access control entries (ACE).  There are three levels of share level permissions that you can set

  • Read - Allows a user to browse files and folders, read data, and execute programs.

  • Change - Same as above plus the ability to change, add, and delete files and folders.

  • Full Control - Same as above with the ability to change permissions.

When a new folder is created the default setting is Everyone - Read.  This is different then Windows 2000 Server, which had the default setting of Everyone - Full. 


LAB ACTIVITY - Do the lab on page 199. (15 Minutes)

NTFS Permissions

Share level permissions are only in effect when you access the data remotely.  NTFS permissions are the permissions on the files and folders at a file system level.  The NTFS file system is required to use NTFS permissions.


NTFS Permission Concepts

  • NTFS permissions are configured via the Security tab on the properties page of a file or folder.

  • NTFS permission are cumulative.

  • Deny permissions override all other permissions.

  • NTFS folder permissions are inherited by all child files and folders unless otherwise configured.

  • NTFS can be applied to both files and folder.

  • When a new access control entry is added the default permission is Read, Read and Execute, and on folders List Folder Contents.

NTFS includes it's standard permissions and a set of special permissions.  Below is a list of the standard permissions.

  • Full Control - Users can do anything to the data including changing permissions.

  • Modify - Same as full control without the rights to change permissions and take ownership.  Note: In the book on page 201 there is a mistake in table 5-2.  Cross out "delete subfolders and files".

  • Read & Execute - Allows the user to open folders and run applications.

  • List Folder Contents - Allows the user to see the files and folders in a folder.

  • Read - Allows the user to read data, view attributes, ownership, security, and synchronize.

  • Write - Allows the user to change or overwrite a file, view permissions, viewer ownership and change attributes.

LAB ACTIVITY - Do the lab on page 202. (20 Minutes)


Special NTFS Permissions

Special NTFS permissions are used to provide a more granular level of access.  The special permissions are outlined below:

  • Full Control - Users are allowed to do anything to the data.

  • Traverse Folder/Execute File - Allows the user to pass through folders without reading the data within.  A user would be able to open a file as well.

  • List Folder/Read Data - Users can lists the contents of a folder and read files.

  • Read Attributes - Allows the users to read the standard attributes.

  • Read Extended Attributes - Allows the users to read extended attributes.

  • Create Files / Write Data - Allows users to create files in a folders, and modify or overwrite files.

  • Create Folders / Append Data - Allows users to create folders and append to and not change existing data.

  • Write Attributes - Allows the users to change the standard attributes.

  • Write Extended Attributes - Allows the users to change extended attributes.

  • Delete Subfolders and Files - Allows the users to delete subfolders and files even if the delete permission is not assigned.

  • Delete - Allows users to delete a file or folder.

  • Read Permissions - Allows users to read the permissions set on a file or folder.

  • Change Permissions - Allows users to change the permissions set on a file or folder.

  • Take Ownership - Allows the user to take ownership of a file or folder.

LAB ACTIVITY - Do the lab on page 206. (15 Minutes)

LAB ACTIVITY - Do the lab on page 208. (5 Minutes)


Users home folders have the user's account in the DACL.  If you want to add a group to the DACL of all users home folders using the GUI you have to do it manually to each folder.  If you set the permissions at the top level and chose the replace permission entries on all child objects setting then the user's accounts will be removed from their home folder's DACL.  You can purchase third party software that will allow you to modify home folders this way, or you use a script.

Combining Shared Folder and NTFS Permissions

When combining shared folder and NTFS permissions it is important to know that the most restrictive permission will be in affect.  If the user has Full Control on the NTFS level and read on the share level they will only have share access.  When a user accesses a file locally only NTFS permission apply.


LAB ACTIVITY - Do the lab on page 209. (10 Minutes)

Converting a FAT Partition to NTFS

Windows Server 2003 includes CONVERT.EXE that will allow you to convert from FAT or FAT32 to NTFS.  The command is "convert x: /fs:ntfs" where x = the drive letter you wish to convert.


LAB ACTIVITY - Do the lab on page 211. (15 Minutes)

More Information


Click Here to download the slides for this chapter

(NOTE: You must have PowerPoint or PowerPoint Viewer if you don't have  either Click Here to download PowerPoint Viewer.)

wHome | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP