课程: Windows Server 2019: Storage Services
Configure file sharing
- [Instructor] In order for users to gain access to shared data on a file server, we need to create folder shares and set up the proper security to go with them. Our first step in sharing a folder is to right-click on the folder. There's more than one way to set up a share, we're going to demonstrate that in upcoming videos, but this is the simplest way to get a share going on a server. After we right-click on the folder, we set up the sharing permissions. We add either individuals or we add groups to the shared folder. One of the questions is, what happens if a user is also a member of a group and the user has different permissions than the groups to the share? Well, we need to add up all the rights. We can add up read/write access to the security group and the read access to the user, and we add those together to get read/write access. Now, we need to move on to the Security tab. The Security tab is located to the right of the Sharing tab, and we click on Security and add users and security groups, just like we did in the Sharing tab. And once again, we add up all the rights. So, if an individual has different rights than that individual as member of a group who also has rights, then we add up all those rights together to get our total rights for the security. Then, we do something really different. We compare the rights between the Share and the Security tab, and in the beginning, we added up those rights, but now, we take the least permissions between the Share and Security. You could also refer to it as the most restrictive to get the effective rights. So, this can be kind of confusing, so let's take a look at what this means in a demonstration on our Windows server. We're in Windows Explorer on Windows Server 2019, and I've created a folder called Data, which is highlighted at the top. I'm going to right-click on that folder and go to Properties. I can also just right-click on that folder and go to Give Access To, and we see we have Specific People or Remove Access. Let's go ahead and click on Properties, and we'll go to Sharing. In that Give Access To option, it would be the same as Sharing, but this way, we get more options, so let's go and choose both the Share and the Advanced Sharing buttons and see the difference. By clicking the Share This Folder button, we see the share name is Data. I can go into Permissions, and by default, the Everyone group has read access. So, if I give the Everyone group full control, then obviously everyone's going to have full control, but this is not a good security move. So, what I like to do is to go in and replace Everyone with Domain Users. That way, if someone's not on the domain, then they won't have access to these file shares. We'll go ahead and remove that, and we'll give the Domain Users change and read access. Let's go ahead and hit Apply and OK, and we'll click OK again. Now, if we go to the Share button, we see that the administrator has read rights and the Administrators group is the owner. So, we don't see the share permissions that we just added. Let's go ahead and cancel that, and click Close. The reason we don't see that is because the simple sharing option and the Advanced Sharing option are exclusive, you can choose one or the other. Let's go ahead and right-click on, and choose Properties once again, and we're going to click on Security. So, under Security, we see that the Administrators have full control, as well as the server, the Local Server Users group as well. Let's go ahead and click Edit, and we'll click Add. So if, once again, we put in Domain Users and we click Check Names, and this time, we're going to give Domain Users full control, so they've got every different type of right available. So, under the Share permissions, they have read/write, and under the Security permissions, they have full control. So, what does that mean, according to our slide demonstration? Well, if we add up all the permissions on the Share side, in this case, it's just the Domain Users, and we add up all the permissions on the Security side, and in that case it's, again, the Domain Users with full control, then we take the most restrictive, and the most restrictive is change and read, as opposed to full control. So, if we go to our Security tab, we go to Advanced, we can show what's called effective access. So, we select a user, and let's go ahead and put in Domain Users, and we select a device. And we're going to put in Sever2, as that is the name of the server that we're on. Now, we'll choose View Effective Access. I'll scroll down, and look at that. It shows the most restrictive, also known as the least permissions between Sharing and Security. Let's go ahead and make a change by going into the Sharing tab and clicking Advanced Sharing, and clicking Permissions and giving full control on the Share side. Now, the most restrictive is going to be full control because they have full control on both sides. Let's go back to Security, click on Advanced, and we'll click on Effective Access once again and put in the same information. Now, we'll go ahead and click on View Effective Access, and we scroll down and we see that everyone in the Domain Users group has all of the different rights. Let's go ahead and click OK, and OK. Now, we'll do a UNC path back to the server, and it'll show us our Data share. And there it is, there's our Data share, and we see a file that's inside the Data share. If we right-click on that file, go to Properties, and go to Security, it tells us that it inherited the permissions from the parent for the Domain Users group. So, any other files and folders that we put into this Data folder will also inherit the Security permissions from that group. By properly applying shares and security rights, administrators can securely allow access to users on the network.