NOTE If the share will be used for Hyper-V, you might need to enable constrained delegation for remote management of the Hyper-V host.
9. If you are using the advanced profile, optionally set the folder management properties, and then tap or click Next. These properties specify the purpose of the folder and the type of data stored in it so that data management policies, such as classification rules, can then use these properties.
10. If you are using the advanced profile, optionally apply a quota based on a template to the folder, and then tap or click Next. You can select only quota templates that have already been created. For more information, see “Managing disk quota templates” in Chapter 4.
11. On the Confirm Selections page, review your selections. When you tap or click Create, the wizard creates the share, configures it, and sets permissions. The status should state, “The share was successfully created.” If an error is displayed instead, note the error and take corrective action as appropriate before repeating this procedure to create the share. Tap or click Close.
Changing shared folder settings
When you create a share, you can configure many basic and advanced settings, including those for access-based enumeration, encrypted data access, offline settings for caching, and management properties. In Server Manager, you can modify these settings by following these steps:
1. The Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. Press and hold or right-click the share with which you want to work, and then tap or click Properties.
2. In the Properties dialog box, shown in Figure 3–6, you have several options panels that can be accessed by using controls in the left pane. You can expand the panels one by one or tap or click Show All to expand all the panels at the same time.
FIGURE 3–6 Modify share settings by using the options provided.
3. Use the options provided to modify the settings as necessary, and then tap or click OK. The options available are the same whether you use the basic, advanced, or applications profile to create the shared folder.
TIP If you’re creating a share for general use and general access, you can publish the shared resource in Active Directory. Publishing the resource in Active Directory makes finding the share easier for users; however, this option is not available in Server Manager. To publish a share in Active Directory, press and hold or right-click the share in Computer Management, and then tap or click Properties. On the Publish tab, select the Publish This Share In Active Directory check box, add an optional description and owner information, and then tap or click OK.
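The same settings can be checked from Windows PowerShell with the SmbShare module. The following is an added example, not taken from the book: the function name Test-ShareSetting, the baseline values, and the share name CorpData are assumptions chosen for illustration, and the sample objects are constructed so that the function runs without a file server.

```powershell
# Added example: report shares whose settings differ from a chosen baseline.
# Input objects need the properties Get-SmbShare emits:
# Name, FolderEnumerationMode, EncryptData, CachingMode.
function Test-ShareSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Share,
        # Assumed baseline for illustration; set the values your policy requires.
        [hashtable]$Baseline = @{
            FolderEnumerationMode = 'AccessBased'   # access-based enumeration on
            EncryptData           = 'True'          # encrypted data access on
            CachingMode           = 'None'          # no offline caching
        }
    )
    process {
        foreach ($key in $Baseline.Keys) {
            # Compare as strings so enum and Boolean properties are handled alike.
            $actual = "$($Share.$key)"
            if ($actual -ne $Baseline[$key]) {
                [pscustomobject]@{
                    Share    = $Share.Name
                    Setting  = $key
                    Actual   = $actual
                    Expected = $Baseline[$key]
                }
            }
        }
    }
}

# Constructed sample shares (not from a real server).
$sample = @(
    [pscustomobject]@{ Name='CorpData'; FolderEnumerationMode='Unrestricted'; EncryptData=$false; CachingMode='Manual' }
    [pscustomobject]@{ Name='HRData';   FolderEnumerationMode='AccessBased';  EncryptData=$true;  CachingMode='None' }
)
$sample | Test-ShareSetting | Format-Table -AutoSize

# On a file server, check the live shares (skipping special shares such as C$ and IPC$):
#   Get-SmbShare -Special $false | Test-ShareSetting
# Then bring a reported share in line with the baseline:
#   Set-SmbShare -Name 'CorpData' -FolderEnumerationMode AccessBased -EncryptData $true -CachingMode None -Force
```

Encrypted data access requires clients that support SMB 3.0, so confirm client versions before turning on EncryptData for a share that is already in use.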
Managing share permissions
Share permissions set the maximum allowable actions available within a shared folder. By default, when you create a share, everyone with access to the network has Read access to the share’s contents. This is an important security change: in previous editions of Windows Server, the default permission was Full Control.
With NTFS and ReFS volumes, you can use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share. FAT volumes have no file and folder permissions, so share permissions are the only access control there.
Understanding the various share permissions
From the most restrictive to the least restrictive, the share permissions available are as follows:
■ No Access No permissions are granted for the share.
■ Read Users can do the following:
• View file and subfolder names
• Access the subfolders in the share
• Read file data and attributes
• Run program files
■ Change Users have Read permission and the ability to do the following:
• Create files and subfolders
• Modify files
• Change attributes on files and subfolders
• Delete files and subfolders
■ Full Control Users have Read and Change permissions, in addition to the following capabilities on NTFS volumes:
• Change file and folder permissions
• Take ownership of files and folders
You can assign share permissions to users and groups. You can even assign permissions to implicit groups. For details on implicit groups, see Chapter 9, “Creating user and group accounts,” in Windows Server 2012 R2 Pocket Consultant: Essentials & Configuration.
Viewing and configuring share permissions
You can view and configure share permissions in Computer Management or Server Manager. To view and configure share permissions in Computer Management, follow these steps:
1. In Computer Management, connect to the computer on which the share is created. In the console tree, expand System Tools, expand Shared Folders, and then select Shares.
2. Press and hold or right-click the share with which you want to work, and then tap or click Properties.
3. In the Properties dialog box, tap or click the Share Permissions tab, shown in Figure 3–7. You can now view the users and groups that have access to the share and the type of access they have.
FIGURE 3–7 The Share Permissions tab shows which users and groups have access to the share and what type of access they have.
4. Users or groups that already have access to the share are listed in the Group Or User Names list. You can remove permissions for these users and groups by selecting the user or group you want to remove, and then tapping or clicking Remove. You can change permissions for these users and groups by doing the following:
a. Select the user or group you want to change.
b. Allow or deny access permissions in the Permissions list box.
5. To add permissions for another user or group, tap or click Add. This opens the Select Users, Computers, Service Accounts, Or Groups dialog box, shown in Figure 3–8.
FIGURE 3–8 Add users and groups to the share.
6. Enter the name of a user, computer, or group in the current domain, and then tap or click Check Names. This produces one of the following results:
■ If a single match is found, the dialog box is automatically updated and the entry is underlined.
■ If no matches are found, you either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or tap or click Locations to select a new location.
■ If multiple matches are found, select the name or names you want to use, and then tap or click OK. To assign permissions to other users, computers, or groups, enter a semicolon (;) and then repeat this step.
NOTE The Locations button enables you to access account names in other domains. Tap or click Locations to find a list of the current domains, trusted domains, and other resources you can access. Because of the transitive trusts in Windows Server, you can usually access all the domains in the domain tree or forest.
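Share permissions can also be reviewed and changed from Windows PowerShell with the SmbShare module. The following is an added example, not taken from the book, that flags entries giving broad groups Change or Full Control. The function name Find-BroadShareAccess, the list of principals treated as broad, and the CONTOSO names are assumptions, and the sample entries are constructed.

```powershell
# Added example: flag share ACL entries that allow broad groups more than Read.
# Input objects need the properties Get-SmbShareAccess emits:
# Name, AccountName, AccessControlType (Allow/Deny), AccessRight (Read/Change/Full/Custom).
function Find-BroadShareAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry,
        # Assumption: principals treated as "broad"; adjust the list for your domain.
        [string[]]$BroadPrincipal = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    process {
        # Convert to strings so the cmdlet's enum values and plain text compare alike.
        $isAllow = "$($Entry.AccessControlType)" -eq 'Allow'
        $isWrite = "$($Entry.AccessRight)" -in 'Change', 'Full'
        if ($isAllow -and $isWrite -and $Entry.AccountName -in $BroadPrincipal) {
            [pscustomobject]@{
                Share   = $Entry.Name
                Account = $Entry.AccountName
                Right   = "$($Entry.AccessRight)"
            }
        }
    }
}

# Constructed sample entries (not from a real server) so the function runs anywhere.
$sample = @(
    [pscustomobject]@{ Name='CorpData'; AccountName='Everyone';           AccessControlType='Allow'; AccessRight='Full' }
    [pscustomobject]@{ Name='CorpData'; AccountName='CONTOSO\FileAdmins'; AccessControlType='Allow'; AccessRight='Full' }
    [pscustomobject]@{ Name='Public';   AccountName='Everyone';           AccessControlType='Allow'; AccessRight='Read' }
    [pscustomobject]@{ Name='Drop';     AccountName='Everyone';           AccessControlType='Deny';  AccessRight='Full' }
)
$sample | Find-BroadShareAccess | Format-Table -AutoSize

# On a file server, audit the live shares (skipping special shares such as C$ and IPC$):
#   Get-SmbShare -Special $false | Get-SmbShareAccess | Find-BroadShareAccess
# Then tighten a flagged share. 'CorpData' and 'CONTOSO\CorpDataUsers' are placeholders:
#   Revoke-SmbShareAccess -Name 'CorpData' -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name 'CorpData' -AccountName 'CONTOSO\CorpDataUsers' -AccessRight Change -Force
```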