Microsoft Press Windows Vista Administrator's Pocket Consultant ebook


by MS


  To better understand inheritance, consider the following examples:

  On drive C, you create a folder named Data and then create a subfolder named CurrentProjects. By default, Data inherits the permissions of the C: folder, and these permissions are in turn inherited by the CurrentProjects folder. Any files you add to the C:, C:\Data, and C:\Data\CurrentProjects folders will have the same permissions—those inherited from the C: folder.

  On drive C, you create a folder named Docs and then create a subfolder named Working. You stop inheritance on the Working folder by removing the inherited permissions of the parent. Any files you add to the C:\Docs\Working folder inherit the permissions of the C:\Docs folder and no other.

  On drive C, you create a folder named Backup and then create a subfolder named Sales. You add permissions to the Sales folder that grant access to members of the Sales group. Any files added to the C:\Backup\Sales folder inherit the permissions of the C: folder and also have additional access permissions for members of the Sales group.

  Real World

  Many new administrators wonder what the advantage of inheritance is and why it is used. Although it occasionally seems inheritance is more trouble than it's worth, inheritance enables you to very efficiently manage permissions. Without inheritance, you'd have to configure permissions on every file and folder you created. If you wanted to change permissions later, you'd have to go through all your files and folders again. With inheritance, all new files and folders automatically inherit a set of permissions. If you need to change permissions, you can make the changes in a top-level or parent folder and the changes can be automatically applied to all subfolders and files in that folder. In this way, a single permission set can be applied to many files and folders without editing the security of individual files and folders.

  Viewing Inherited Permissions

  To view the inherited permissions on a file or a folder, right-click the file or folder in Windows Explorer and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box, shown previously in Figure 10-4. The Permission column lists the current permissions assigned to the resource. If the permission is inherited, the Inherited From column shows the parent folder from which the permission has been inherited. If the permission will be in turn inherited by other resources, the Apply To column shows the types of resources that will inherit the permission.

  Stopping Inheritance

  If you want a file or a folder to stop inheriting permissions from a parent folder, follow these steps:

  1. In Windows Explorer, right-click the file or folder and then select Properties. On the Security tab, click Advanced.

  2. On the Permissions tab, click Edit. This opens the Advanced Security Settings dialog box for editing.

  3. Clear Include Inheritable Permissions From This Object's Parent.

  4. As shown in Figure 10-7, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permissions and apply only the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate. Assign additional permissions as necessary.

  Figure 10-7: Copy or remove the inherited permissions.

  Tip

  If you remove the inherited permissions and there are no other permissions assigned, everyone but the owner of the resource will be denied access. This effectively locks everyone except the owner out of a folder or file. However, administrators still have the right to take ownership of the resource regardless of the permissions. Thus, if an administrator was locked out of a file or a folder and truly needed access, she could take ownership and then have unrestricted access.

  Restoring Inherited Permissions

  Over time, the permissions on files and subfolders can become so dramatically different from those of a parent folder that it is nearly impossible to effectively manage access. To make it easier to manage file and folder access, you might want to take the drastic step of restoring the inherited permissions to all resources contained in a parent folder. In this way, subfolders and files get all inheritable permissions from the parent folder, and all other explicitly defined permissions on the individual subfolders and files are removed.

  To restore the inherited permissions of a parent folder, follow these steps:

  1. In Windows Explorer, right-click the file or folder and then select Properties. On the Security tab, click Advanced.

  2. On the Permissions tab, click Edit. This opens the Advanced Security Settings dialog box for editing.

  3. Select Replace All Existing Inheritable Permissions and click OK.

  4. As shown in Figure 10-8, you will see a prompt explaining that this action will replace all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.

  Figure 10-8: Click Yes to confirm that you want to replace the existing permissions.
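The three inheritance scenarios above, together with the Copy/Remove choice from Stopping Inheritance and the Replace All Existing Inheritable Permissions step from Restoring Inherited Permissions, driven from PowerShell with Get-Acl and Set-Acl. This is an added example, not code from the book; the C:\InheritDemo tree and the Sales group name are assumptions, and the script must run elevated.

```powershell
# Added example (not code from the book): the three inheritance scenarios, then Stop
# Inheritance (Copy / Remove) and Restore Inheritance, driven with Get-Acl / Set-Acl.
# Run elevated. The C:\InheritDemo tree and the "Sales" group name are assumptions.
param([string]$Root = 'C:\InheritDemo', [string]$SalesGroup = 'Sales')

New-Item -ItemType Directory -Force -Path "$Root\Data\CurrentProjects",
    "$Root\Docs\Working", "$Root\Backup\Sales" | Out-Null

# Mirrors the Permission / Inherited From / Apply To columns of Advanced Security Settings.
function Show-Inheritance([string]$Path) {
    $acl = Get-Acl -Path $Path
    Write-Host ("{0}  (inheritance blocked: {1})" -f $Path, $acl.AreAccessRulesProtected)
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType,
        IsInherited, InheritanceFlags -AutoSize | Out-Host
}

# Scenario 1: Data\CurrentProjects keeps the defaults, so every ACE shows IsInherited = True.
Show-Inheritance "$Root\Data\CurrentProjects"

# Scenario 2: Docs\Working stops inheriting. SetAccessRuleProtection(isProtected, preserveInheritance):
#   ($true, $true)  = "Copy" in Figure 10-7: the inherited ACEs become explicit ACEs
#   ($true, $false) = "Remove": the inherited ACEs are dropped (the lockout described in the Tip)
$acl = Get-Acl -Path "$Root\Docs\Working"
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "$Root\Docs\Working" -AclObject $acl
Show-Inheritance "$Root\Docs\Working"        # same ACEs, now IsInherited = False

# Scenario 3: Backup\Sales keeps its inherited ACEs and adds an explicit Modify grant for
# the Sales group that applies to this folder, subfolders and files.
$acl = Get-Acl -Path "$Root\Backup\Sales"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $SalesGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path "$Root\Backup\Sales" -AclObject $acl
Show-Inheritance "$Root\Backup\Sales"

# Restore: the equivalent of "Replace All Existing Inheritable Permissions" on $Root.
# Every descendant gets inheritance re-enabled and its explicit ACEs removed.
Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    $acl.SetAccessRuleProtection($false, $false)
    foreach ($explicit in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($explicit)
    }
    Set-Acl -Path $_.FullName -AclObject $acl
}
Show-Inheritance "$Root\Docs\Working"        # inherited ACEs only, once again
```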

  Determining the Effective Permissions and Troubleshooting

  NTFS permissions are complex and can be difficult to manage. Sometimes a change—even a very minor one—can have unintended consequences. Users might suddenly find they are denied access to files they could previously access, or they might suddenly find they have access to files to which access should never have been granted. In either scenario, something has gone wrong with permissions. You have a problem, and you need to fix it.

  You should start troubleshooting these or other problems with permissions by determining the effective permissions for the files or the folders in question. As the name implies, the effective permissions tell you exactly which permissions are in effect with regard to a particular user or group. The effective permissions are important because they enable you to quickly determine the cumulative set of permissions that apply.

  For a user, the effective permissions are based on all the permissions the user has been granted or denied, no matter whether they were applied explicitly or obtained from groups of which the user is a member. For example, if JimB is a member of the Users, Sales, Marketing, SpecTeam, and Managers groups, the effective permissions on a file or a folder would be the cumulative set of permissions that JimB has been explicitly assigned and those permissions assigned to the Users, Sales, Marketing, SpecTeam, and Managers groups.

  To determine the effective permissions for a user or a group with regard to a file or a folder, complete the following steps:

  1. In Windows Explorer, right-click the file or folder you want to work with and then select Properties. In the Properties dialog box, select the Security tab and then click Advanced to display the Advanced Security Settings dialog box.

  2. To determine effective permissions that are applied to a user or a group, click the Effective Permissions tab, click Select, type the name of the user or group, and then click OK.

  The Effective Permissions for the specified user or group are displayed using the complete set of special permissions. If a user has full control over the selected resource, he or she will have the permissions, as shown in Figure 10-9. Otherwise, you'll see a subset of permissions selected and you'll have to carefully consider whether the user or group has the appropriate permissions. Use Table 10-3 to help you interpret the permissions.

  Figure 10-9: Any checked permissions have been granted to the specified user or group.

  Note

  You must have appropriate permissions to view the effective permissions of any user or group. It is also important to remember that you cannot determine the effective permissions for implicit groups or special identities, such as Authenticated Users or Everyone. Furthermore, the effective permissions do not take into account those permissions granted to a user because he or she is the Creator Owner.

  Sharing Files and Folders Over the Network

  Windows Vista supports two file sharing models: public file sharing and standard file sharing. Although either or both techniques can be used in both workgroups and domains, standard file sharing is preferred because it is more secure than public file sharing. Standard file sharing enables you to use a standard set of permissions to allow or deny initial access to files and folders over the network. Standard file sharing settings are enabled or disabled on a per-computer basis. Click Start and then click Network. On the Explorer toolbar, click Network And Sharing Center. Expand the File Sharing Panel by clicking the related Expand button. To enable file sharing, select Turn On File Sharing. To disable file sharing, select Turn Off File Sharing. Click Apply.

  Controlling Access to Network Shares

  When a user accesses a file or folder over the network and standard file sharing is enabled, two levels of permissions are used, and together they determine the actions a user can perform with regard to a particular shared file or folder. The first level of permissions comprises those set on the share itself. They define the maximum level of access. A user or a group can never have more permissions than those granted by the share. The second level of permissions are those permissions set on the files and folders. These permissions serve to further restrict the permitted actions.

  Three share permissions are available.

  Owner/Co-owner Users allowed this permission have Read and Change permissions, as well as the additional capabilities to change file and folder permissions and take ownership of files and folders. If you have Owner/Co-owner permissions on a shared resource, you have full access to the shared resource.

  Contributor Users allowed this permission have Read permissions and the additional capability to create files and subfolders, modify files, change attributes on files and subfolders, and delete files and subfolders. If you have Contributor permissions on a shared resource, the most you can do is perform read operations and change operations.

  Reader Users with this permission can view file and subfolder names, access the subfolders of the share, read file data and attributes, and run program files. If you have Reader permissions on a shared resource, the most you can do is perform read operations.

  Permissions assigned to groups work like this: If a user is a member of a group that is granted share permissions, the user also has those permissions. If a user is a member of multiple groups, the permissions are cumulative. For example, if one group of which the user is a member has Reader access and another has Contributor access, the user will have Contributor access. If one group of which the user is a member has Reader access and another has Owner/Co-owner access, the user will have Owner/Co-owner access.

  You can override this behavior by specifically denying an access permission. Denying permission takes precedence and overrides permissions that have been granted. If you don't want a user or a group to have a permission, configure the share permissions so the user or the group is denied that permission. For example, if a user is a member of a group that has been granted Owner/Co-owner permissions for a share, but the user should only have Contributor permissions, configure the share to deny Owner/Co-owner permissions to that user.
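A model of the share-permission rules stated in the last three paragraphs (cumulative group permissions, Deny overriding a grant, and the share level acting as a ceiling that NTFS permissions can only lower). This is an added example, not code from the book; the entries are constructed, and the function reasons about this page's three permission levels rather than the access masks Windows evaluates.

```powershell
# Added example (not code from the book): a model of the share-permission rules above.
# Group permissions are cumulative, an explicit Deny overrides a grant, and the share
# level is a ceiling that the NTFS level can only lower. Entries are constructed; the
# function works on this page's three levels, not on Windows' access masks.
$LevelRank = @{ 'Reader' = 1; 'Contributor' = 2; 'Owner/Co-owner' = 3 }
$LevelName = @('No access', 'Reader', 'Contributor', 'Owner/Co-owner')

function Get-EffectiveShareLevel {
    param(
        [string]$User,
        [string[]]$Groups = @(),        # groups the user is a member of
        [hashtable[]]$Entries = @(),    # @{ Identity = ..; Level = ..; Type = 'Allow' | 'Deny' }
        [string]$NtfsLevel = 'Owner/Co-owner'   # highest level the NTFS ACL would permit
    )
    $identities = @($User) + $Groups
    $maxAllowed = 0      # highest level granted to the user or any of the user's groups
    $minDenied  = 99     # lowest level explicitly denied; that level and above are lost
    foreach ($entry in $Entries) {
        if ($identities -notcontains $entry.Identity) { continue }
        $rank = $LevelRank[$entry.Level]
        if ($entry.Type -eq 'Deny') {
            if ($rank -lt $minDenied) { $minDenied = $rank }
        } elseif ($rank -gt $maxAllowed) {
            $maxAllowed = $rank
        }
    }
    # Cumulative grants first, then Deny takes precedence, then the share ceiling meets
    # the NTFS level: the lower of the two is what the user can actually do.
    $effective = [Math]::Min($maxAllowed, $minDenied - 1)
    $effective = [Math]::Min($effective, $LevelRank[$NtfsLevel])
    $index = [Math]::Max($effective, 0)
    return $LevelName[$index]
}

# Constructed entries for the page's example: JimB reaches Owner/Co-owner through the
# Managers group but is explicitly denied Owner/Co-owner, so Contributor is the most that remains.
$entries = @(
    @{ Identity = 'Sales';    Level = 'Reader';         Type = 'Allow' },
    @{ Identity = 'Managers'; Level = 'Owner/Co-owner'; Type = 'Allow' },
    @{ Identity = 'JimB';     Level = 'Owner/Co-owner'; Type = 'Deny'  }
)
Get-EffectiveShareLevel -User 'JimB' -Groups 'Users','Sales','Managers' -Entries $entries
# Same share entries, but the folder's NTFS permissions only allow reading.
Get-EffectiveShareLevel -User 'JimB' -Groups 'Users','Sales','Managers' -Entries $entries -NtfsLevel 'Reader'
```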

  Creating a Shared Resource

  Files and folders can be shared in both workgroups and domains. To share the first resource on a computer, you must be a local administrator. Sharing the first resource opts in the computer for sharing other resources and allows any user to share resources they own or to which they have appropriate access permissions.

  You can create shares using several different tools, including the following:

  Windows Explorer Use Windows Explorer when you want to share files and folders on the computer to which you are logged on.

  Computer Management Use Computer Management when you want to share folders on any computer to which you can connect.

  NET SHARE Use NET SHARE from the command line when you want to use a script to share folders. Type net share /? at the command prompt for the syntax of the command.

  Creating a shared resource is a multipart process. First, you share the file so that it can be accessed, then you set the share permissions. Afterward, you should check and modify as necessary the file-system permissions. This section examines sharing a resource and setting its permissions using Windows Explorer and Computer Management. For details on working with file system permissions, see the "Controlling Access to Files and Folders with NTFS Permissions" section of this chapter.
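The NET SHARE route for the multipart process just described, as a script: share the folder, set the share permissions at the three levels, then review the NTFS permissions underneath. This is an added example, not code from the book; the share name, path and group names are constructed, the script must run elevated, and it assumes NET SHARE's /GRANT switch (Windows Vista and later).

```powershell
# Added example (not code from the book): the NET SHARE route for the multipart process
# above. Shares the folder, sets share permissions at the three levels, then lists the NTFS
# permissions that further restrict access. Run elevated; names and path are constructed,
# and the /GRANT switch of NET SHARE is assumed to be available (Windows Vista and later).
param(
    [string]$Path      = 'C:\Data',
    [string]$ShareName = 'Data',
    [string]$Readers   = 'Users',       # Reader         = READ
    [string]$Editors   = 'Sales',       # Contributor    = CHANGE
    [string]$Owners    = 'Managers'     # Owner/Co-owner = FULL
)
if (-not (Test-Path -Path $Path -PathType Container)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Steps 1 and 2: create the share and set the share permissions (the ceiling on access).
# Each array element is passed to net.exe as a separate argument.
$shareArgs = @(
    "$ShareName=$Path",
    "/GRANT:$Readers,READ",
    "/GRANT:$Editors,CHANGE",
    "/GRANT:$Owners,FULL"
)
$output = & net share $shareArgs 2>&1
if ($LASTEXITCODE -ne 0) { throw "net share failed: $output" }
& net share $ShareName        # confirm the path and the permissions that were set

# Step 3: the file-system permissions still apply underneath the share, so review them and
# tighten with icacls where needed. Nothing above changed the NTFS ACL.
& icacls $Path
```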

  Sharing a Resource and Setting Share Permissions in Windows Explorer

  To share a file or folder and set its permissions using Windows Explorer, follow these steps:

  1. In Windows Explorer, right-click the file or folder you want to share and select Share. This opens the File Sharing dialog box, shown in Figure 10-10.

  Figure 10-10: Use the File Sharing dialog box to configure sharing of the selected file or folder.

  2. Click the selection button (the down arrow) to the right of the text entry field provided and then select Find. This opens the Select Users Or Groups dialog box.

  Tip

  Be sure to check the value of the From This Location field. In workgroups, computers will always only show local accounts and groups. In domains, this field is changeable and set initially to the default (logon) domain of the currently logged on user. If this isn't the location you want to use for selecting user and group accounts to work with, click Locations to see a list of locations you can search, including the current domain, trusted domains, and other resources that you can access.

  3. In the Enter The Object Names To Select field, type the name of a user or a group account previously defined in the selected or default domain. Be sure to reference the user account name rather than a user's full name. When entering multiple names, separate them with semicolons.

  4. Click Check Names. If a single match is found for each of your entries, the dialog box is automatically updated as appropriate and the entry is underlined. Otherwise, you'll see an additional dialog box. When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or click Locations to select a new location. When multiple matches are found, select the name(s) you want to use in the Multiple Names Found dialog box and then click OK.

  5. When you click OK, the users and groups are added to the Name list. You can then configure permissions for each user and group added by clicking an account name to display the Permission Level options and then choosing the appropriate permission level. The options for permission levels are Reader, Contributor, and Co-owner.

  6. Finally, click Share to create the share. After Windows Vista creates the share and makes it available for use, note the share name. This is the name by which the shared resource can be accessed. If you want to e-mail a link to the shared resource to someone, click E-mail These Links. If you want to copy a link to the shared resource to the Windows clipboard, click Copy The Links. Click Done when you are finished.

  Changing or Stopping Sharing

  If you right-click a file or folder that is shared and select Share, you'll see a different view of the File Sharing dialog box. This view enables you to:

  Change sharing permissions Clicking Change Sharing Permissions displays the original view of the File Sharing dialog box. You can grant access to additional users and groups as discussed previously. To remove access for a user or group, click the user or group in the Name list and then select Remove. When you are finished making changes, click Share to reconfigure the sharing options and then click Done.

  Stop Sharing Clicking Stop Sharing removes the share configuration. After Windows Vista removes sharing, click Done to close the File Sharing dialog box.

  Sharing a Folder and Setting Share Permissions in Computer Management

  Using Computer Management, you can share a folder on any computer to which you have administrator access. By connecting remotely to the computer rather than logging on locally, you typically save time because you don't need to access the computer or leave your desk. Follow these steps to use Computer Management to share a folder:

  1. To start Computer Management, click Start, right-click Computer, and choose Manage. By default, Computer Management connects to the local computer, and the root node of the console tree has the Computer Management (Local) label.

  Tip

  If you want to use the Create A Shared Folder Wizard to share a folder on a local computer, start the wizard directly and skip steps 1–4. Simply type shrpubw at an elevated command prompt and then click Next when the wizard starts.

  2. Right-click Computer Management in the console tree and then select Connect To Another Computer. In the Select Computer dialog box, the Another Computer option is selected by default. Type the fully qualified domain name of the computer you want to work with, such as engpc08.microsoft.com, where engpc08 is the computer name and microsoft.com is the domain name. If you don't know the computer name, click Browse to search for the computer with which you want to work.

  3. Expand System Tools and Shared Folders and then select Shares to display the current shared folders on the system you are working with, as shown in Figure 10-11.

  Figure 10-11: All available shared folders on the computer are listed on the Shares node.

  4. To start the Create A Shared Folder Wizard, right-click Shares and then select New Share. Click Next to display the Folder Path page.

  5. In the Folder Path field, type the full path to the folder that you want to share, such as C:\Data. If you don't know the full path, click Browse and then use the Browse For Folder dialog box to find the folder you want to share. The Browse For Folder dialog box will also let you create a new folder that you can then share. Click Next to display the Name, Description, And Settings page.

  6. In the Share Name field, type a name for the share. Share names must be unique for each system. They can be up to 80 characters in length and can contain spaces. If you want to provide support for Windows 98, Windows Me, or Windows NT, you should limit the share name to 12 characters or fewer.
