
7. Tap or click OK. The users and groups are added to the Group Or User Names list for the share.

8. Configure access permissions for each user, computer, and group by selecting an account name and then allowing or denying access permissions. Keep in mind that you’re setting the maximum allowable permissions for a particular account.

9. Tap or click OK. To assign additional security permissions for NTFS, see “File and folder permissions” in Chapter 4.

IMPORTANT Keep in mind that you can select the opposite permission to override an inherited permission. Note also that Deny typically overrides Allow, so if you explicitly deny a permission to a user or group for a child folder or file, that permission should be denied to that user or group.

To view and configure share permissions in Server Manager, follow these steps:

1. The Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management.

2. Press and hold or right-click the share with which you want to work, and then tap or click Properties.

3. In the Properties dialog box, tap or click Permissions in the left pane. You can now view the users and groups that have access to the share and the type of access they have.

4. To change share permissions, folder permissions, or both, tap or click Customize Permissions. Next, select the Share tab in the Advanced Security Settings dialog box, as shown in Figure 3–9.

FIGURE 3–9 The Share tab shows which users and groups have access to the share and what type of access they have.

5. Users or groups that already have access to the share are listed in the Permission Entries list. You can remove permissions for these users and groups by selecting the user or group you want to remove, and then tapping or clicking Remove. You can change permissions for these users and groups by doing the following:

a. Select the user or group you want to change, and then select Edit.

b. Allow or deny access permissions in the Permission Entries list, and then tap or click OK.

6. To add permissions for another user or group, tap or click Add. This opens the Permission Entry dialog box, shown in Figure 3–10.

FIGURE 3–10 Add permission entries for a particular user or group.

7. Tap or click Select A Principal to display the Select User, Computer, Service Account Or Group dialog box. Enter the name of a user or a group account. Be sure to reference the user account name rather than the user’s full name. Only one name can be entered at a time.

8. Tap or click Check Names. If a single match is found for each entry, the dialog box is automatically updated, and the entry is underlined. Otherwise, you’ll get an additional dialog box. If no matches are found, you either entered the name incorrectly or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or tap or click Locations to select a new location. When multiple matches are found, in the Multiple Names Found dialog box, select the name you want to use, and then tap or click OK.

9. Tap or click OK. The user or group is added as the Principal, and the Permission Entry dialog box is updated to show this.

10. Use the Type list to specify whether you are configuring allowed or denied permissions, and then select the permissions you want to allow or deny.

11. Tap or click OK to return to the Advanced Security Settings dialog box. To assign additional security permissions for NTFS, see “File and folder permissions” in Chapter 4.
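The same review and change can be scripted with the SmbShare cmdlets on the file server. The following is an added example, not taken from the book: it lists every share permission entry, flags Allow entries that give a broad principal anything other than Read, and previews replacing them with Read. The list of principals treated as broad and the function names are assumptions made for illustration.

```powershell
# Added example (not from the book): audit share ACLs, then tighten them.
# Assumption: these three principals are the ones treated as "broad".
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Get-BroadShareAccess {
    # Allow entries that give a broad principal anything other than Read on a
    # non-special share (permissions on special shares are set by Windows).
    Get-SmbShare -Special $false |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -ne 'Read' -and
            $BroadPrincipals -contains $_.AccountName
        }
}

function Limit-BroadShareAccess {
    # Replaces each finding with a Read entry for the same principal.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($ace in @(Get-BroadShareAccess)) {
        $target = '{0} on \\{1}\{2}' -f $ace.AccountName, $env:COMPUTERNAME, $ace.Name
        if ($PSCmdlet.ShouldProcess($target, "Replace $($ace.AccessRight) with Read")) {
            # Revoke removes the account's Allow entries; Grant adds the new one.
            Revoke-SmbShareAccess -Name $ace.Name -AccountName $ace.AccountName -Force | Out-Null
            Grant-SmbShareAccess -Name $ace.Name -AccountName $ace.AccountName `
                -AccessRight Read -Force | Out-Null
        }
    }
}

# Report every entry, Deny entries first because Deny overrides Allow.
Get-SmbShare -Special $false |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Sort-Object Name, @{ Expression = { $_.AccessControlType -ne 'Deny' } } |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

Get-BroadShareAccess | Format-Table Name, AccountName, AccessRight -AutoSize
Limit-BroadShareAccess -WhatIf   # preview only; drop -WhatIf to apply
```

Share permissions remain the maximum allowable access, so NTFS permissions on the folder still need their own review.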

Managing existing shares

As an administrator, you often have to manage shared folders. This section covers the common administrative tasks of managing shares.

Understanding special shares

When you install Windows Server, the operating system creates special shares automatically. These shares are known as administrative shares and hidden shares, and they are designed to help make system administration easier. You can’t set access permissions on automatically created special shares; Windows Server assigns access permissions. You can create your own hidden shares by adding the $ symbol as the last character of the share name.

You can delete special shares temporarily if you’re certain the shares aren’t needed; however, the shares are re-created automatically the next time the operating system starts. To permanently disable the administrative shares, change the following registry values to 0 (zero):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks
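To check these two values before changing them, the following added example (not from the book) reports their current state, lists the special shares the server currently publishes, and previews setting both values to 0. The function names are assumptions made for illustration, and the values are written as DWORDs.

```powershell
# Added example (not from the book): audit, and optionally set, the two values above.
$ParamKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$ValueNames = 'AutoShareServer', 'AutoShareWks'

function Get-AutoShareState {
    # A value that is absent leaves the default in place: shares are created.
    $props = Get-ItemProperty -Path $ParamKey
    foreach ($name in $ValueNames) {
        $present = $props.PSObject.Properties.Name -contains $name
        $data    = if ($present) { $props.$name } else { $null }
        [pscustomobject]@{
            Value      = $name
            Present    = $present
            Data       = $data
            AutoCreate = (-not $present) -or ($data -ne 0)
        }
    }
}

function Disable-AutoShare {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($name in $ValueNames) {
        if ($PSCmdlet.ShouldProcess("$ParamKey\$name", 'Set DWORD to 0')) {
            # -Force creates the value if missing, or overwrites it if present.
            New-ItemProperty -Path $ParamKey -Name $name -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-AutoShareState | Format-Table -AutoSize
# Special shares currently published on this server (compare with Table 3–2).
Get-SmbShare -Special $true | Select-Object Name, Path, Description
# Preview the change without writing to the registry:
Disable-AutoShare -WhatIf
```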

Which special shares are available depends on your system configuration. Table 3–2 lists special shares you might find and how they’re used.

TABLE 3–2 Special shares used by Windows Server 2012 R2

| SHARE NAME | DESCRIPTION | USAGE |
| --- | --- | --- |
| ADMIN$ | A share used during remote administration of a system. It provides access to the operating system %SystemRoot%. | On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. |
| FAX$ | Supports network faxes. | Used by fax clients when sending faxes. |
| IPC$ | Supports named pipes during remote interprocess communications (IPC) access. | Used by programs when performing remote administration and when viewing shared resources. |
| NETLOGON | Supports the Net Logon service. | Used by the Net Logon service when processing domain logon requests. Everyone has Read access. |
| PRINT$ | Supports shared printer resources by providing access to printer drivers. | Used by shared printers. Everyone has Read access. Administrators, server operators, and printer operators have Full Control. |
| SYSVOL | Supports Active Directory. | Used to store data and objects for Active Directory. |
| Driveletter$ | A share that allows administrators to connect to a drive’s root folder. These shares are shown as C$, D$, E$, and so on. | On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. |