Administering Windows 2000 Professional Resources
- MCSE 2.1 File and Folder Access
- MCSE 2.2 Shared Folder Access
- MCSE 2.3 Working with Print Devices
- MCSE 2.4 Working with File Systems
- Summary
Introduction
In this chapter, we examine some of the administration topics covered in the Implementing and Conducting Administration of Resources section of Microsoft's Installing, Configuring, and Administering Microsoft Windows 2000 Professional exam (70-210).
The following material is designed to make you comfortable with establishing file and folder access, as well as sharing files and folders on a local network or the Web. Similarly, you will know how to connect to and share printers. You must also understand how administration differs between file systems.
MCSE 2.1 File and Folder Access
In this section, we look at issues surrounding file and folder access, including moving and copying, naming, compression, permissions, and optimization.
Copying Files vs. Moving Files
Under Windows 2000 Professional, you can either copy or move files. These commands are accessible on any folder menu bar and from the Edit menu bar item, as shown in Figure 2.1.
Figure 2.1 Selecting to move or copy files.
When you use the Copy command to copy files within or between partitions, new files are created that inherit the security characteristics and compression status of the destination parent directory. When you use the Move command to move files between partitions, the same thing occurs. The only difference is that the original files are then deleted. When you use the Move command to move files within a partition, however, the files are not altered, and so they retain their original security and compression characteristics.
Naming Folders and Files
Windows 2000 supports file names that do not adhere to the limitations of the old DOS 8.3 naming convention (i.e., eight characters plus a three-character extension). This so-called long file name support is available under both the NTFS and FAT32 file systems.
Windows 2000 also provides an algorithm to convert long file names to the 8.3 naming convention to accommodate operating systems that do not provide long file name support. The first six characters of the name, minus any spaces, remain the same. The seventh character becomes the tilde character (~). The eighth character becomes a numeric increment to distinguish files that have the same first six characters.
After the first four iterations in a volume, however, Windows 2000 changes its tack and no longer converts with the numeric increment. Instead, it keeps only the first two characters, and then inserts five random characters (see Table 2.1).
Table 2.1 Truncated File Names
Original Long File Names | File Names After the 8.3 Conversion
file tid leans 24.xls | fileti~1.xls
file tid leans 25.xls | fileti~2.xls
file tid leans 26.xls | fileti~3.xls
file tid leans 27.xls | fileti~4.xls
Long File Name After Four Iterations | Truncated File Name After Four Iterations
file tid leans 28.xls | filitts1.xls
file tid leans 29.xls | filitts2.xls
file tid leans 30.xls | filitts3.xls
file tid leans 31.xls | filitts4.xls
You should be aware of this if you plan to share files and folders with computers running other operating systems, such as MS-DOS.
Working with File Compression
Windows 2000 Professional provides file and folder compression on NTFS formatted partitions. Compression is allowed for individual files and folders, as well as whole volumes. Any NTFS formatted disk or folder has the ability to contain both compressed and noncompressed files.
Windows 2000 file compression can provide up to 2:1 compression. Once enabled, compression takes place automatically and is transparent to both applications and users. NTFS can compress all files in the partition, including hidden and system files (except NTLDR and Pagefile.sys).
Besides being automatic, NTFS compression is optimized for performance. When you select a file to compress, NTFS first determines how much disk space will be saved and compares that to the resources it will take to do the compression. If NTFS decides it is not worth the effort, it does not compress the file. In addition, NTFS compression ratios are not as dramatic as those achieved by other utilities, but neither is performance compromised.
Configuring File Compression
To enable this feature, select a file that you wish to compress, then right-click and select the Properties command to open the Properties dialog box, as shown in Figure 2.2.
Figure 2.2 NTFS file Properties dialog box.
Here, select the Advanced button to open the Advanced Attributes dialog box, as shown in Figure 2.3.
Figure 2.3 Enabling file compression.
Next, enable the Compress contents to save disk space checkbox. You may choose to compress entire folders, in which case you are asked if subfolders should be compressed too. You can also compress entire partitions. In truth, however, you are compressing the files within partitions and folders rather than the partitions and folders themselves.
If you enable compression for a folder, then all new files created in that directory are also compressed.
Compression from the Command Line
You can also enable compression from the command prompt using the COMPACT.EXE utility. It reports compression status, ratio, and file size for compressed files in the file list. It can also be used with a number of switches in the format:
COMPACT /<switch> file/folder_name
The possible switches include the following:
/C Compresses files
/U Uncompresses files
/S Compresses all files in a directory (and subdirectories)
/I Continues compression after errors have occurred
/F Forces compression on all files, even if already compressed
/A Compresses hidden and system files
Managing File Compression
The previously mentioned difference between the Copy and Move commands becomes evident when working with compressed files. If you create a file in a compressed directory, it becomes a compressed file. If you use the Copy command to move the file to an uncompressed directory, then the file becomes uncompressed. This is because a new instance of the file has been created that adopts the characteristics of its parent directory.
When the Move command is used, however, a file created in a compressed directory and moved to an uncompressed directory remains compressed. This is because the Move command does not actually move anything; it only directs the source and destination directories to swap pointers, making the file appear to move. Since the file does not change, it does not lose its original characteristics.
There is an exception. When relocating a file to another partition, the Move command is unable to play its little trick with directory pointers and must instead copy the file (deleting it from the source partition thereafter). Consequently, a file that is moved from a compressed directory on one partition to an uncompressed directory on another partition would be uncompressed.
There is a major difference in the way copying files between computers over the network is handled by Windows 2000 Professional vs. Windows NT 4.0. Under Windows NT 4.0, a file would be decompressed on the server computer before being sent over the network. Under Windows 2000 Professional, a file is copied over the network then decompressed on the client machine. This change makes it faster to copy compressed files over the network.
Viewing Compressed Files
You may change the display of your compressed files and folders to an alternate color, making it easier to differentiate between compressed and uncompressed data. To do this, select the Folder Options command from the Tools menu bar item to open the Folder Options dialog box, as seen in Figure 2.4.
Figure 2.4 Changing compressed file display colors.
Under the View tab, enable the Display compressed files and folders with alternate color checkbox.
Troubleshooting File Compression
Note that only NTFS compression is available under Windows 2000 Professional. You cannot use Microsoft's DriveSpace as you can under Windows 9x/Me, for example.
Note also that Windows 2000 Professional supports file encryption, which cannot be used with file compression. You may compress files or encrypt files, but not both.
Working with Permissions
How you control access to your computer's files and folders depends on whether you intend to share them over a network. If you do, share permissions come into play, as described further on. If you do not, you need only be concerned with local security. This restricts access to anyone sitting down at your machine and logging on directly. With local security, you can determine which of your files and folders others may manipulate.
Local security does not exist on FAT-formatted volumes. You have no control over what others do with your data beyond requiring a user name/password log-on. This is scant protection because anyone savvy enough to boot from a system floppy disk could bypass the Windows 2000 Professional log-on and gain direct access to a FAT partition.
Local security under NTFS is quite another matter. First, the only way to access an NTFS partition is through Windows 2000, so the log-on cannot be bypassed. Second, the data that can be viewed after using a given log-on is subject to a wide range of possible permissions controls. In addition, NTFS permissions can be applied to a user who is accessing either a local resource or a shared network resource.
Special NTFS Permissions
The following NTFS special permissions can be applied to any file or folder:
Traverse Folder/Execute File. Users with this permission may browse through various folders to locate other folders and files, as well as launch applications.
List Folder/Read Data. Users with this permission may see folder and subfolder names. They may also view the contents of files.
Create Folders/Append Data. Users with this permission may create folders within a folder, as well as add new data to a file, as long as it does not change existing data.
Create Files/Write Data. Users with this permission may create files within a folder, as well as add new data to a file that may overwrite existing data.
Delete Subfolders and Files. Users with this permission may delete subfolders and files.
Delete. Users with this permission may delete folders and files.
Read Attributes. Users with this permission may view the system-generated attributes associated with a folder or file.
Read Extended Attributes. Users with this permission may view the program-generated extended attributes associated with a folder or file.
Write Attributes. Users with this permission may change the system-generated attributes associated with a folder or file.
Write Extended Attributes. Users with this permission may change the program-generated extended attributes associated with a folder or file.
Read Permissions. Users with this permission may view file and folder permissions.
Change Permissions. Users with this permission may view and modify file and folder permissions.
Take Ownership. Users with this permission may take ownership of files and folders.
Synchronize. Permits threads to synchronize with other threads.
Standard NTFS File Permissions
To apply the standard NTFS file permissions, select a file that you wish to secure, then right-click and select the Properties command to open the Properties dialog box. Next, switch to the Security tab, as shown in Figure 2.5.
Figure 2.5 Setting NTFS file permissions.
NTFS file permissions combine several NTFS special permissions that can be allowed or denied in the following categories:
- Full Control
- Modify
- Read & Execute
- Read
- Write
The special permissions associated with each standard file permission are listed in Table 2.2.
Table 2.2 Standard vs. Special NTFS Permissions
Special Permission | Full Control | Modify | Read & Execute | Read | Write
Traverse Folder/Execute File | Yes | Yes | Yes | No | No
List Folder/Read Data | Yes | Yes | Yes | Yes | No
Read Attributes | Yes | Yes | Yes | Yes | No
Read Extended Attributes | Yes | Yes | Yes | Yes | No
Create Files/Write Data | Yes | Yes | No | No | Yes
Create Folders/Append Data | Yes | Yes | No | No | Yes
Write Attributes | Yes | Yes | No | No | Yes
Write Extended Attributes | Yes | Yes | No | No | Yes
Delete Subfolders and Files | Yes | No | No | No | No
Delete | Yes | Yes | No | No | No
Read Permissions | Yes | Yes | Yes | Yes | No
Change Permissions | Yes | No | No | No | No
Take Ownership | Yes | No | No | No | No
NTFS file permissions can be set individually for each file. If you do, the file permissions override NTFS folder permissions that differ.
Standard NTFS Folder Permissions
To apply standard NTFS folder permissions, select a folder that you wish to secure, then right-click and select the Properties command to open the Properties dialog box.
Next, switch to the Security tab, as shown in Figure 2.6.
Figure 2.6 Setting NTFS folder permissions.
NTFS folder permissions are also combinations of NTFS special permissions, categorized as follows:
- Full Control
- Modify
- Read & Execute
- List Folder Contents
- Read
- Write
The only difference is the addition of the List Folder Contents permission.
The special permissions associated with each standard folder permission are listed in Table 2.3.
Table 2.3 Standard vs. Special NTFS Folder Permissions
Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write
Traverse Folder/Execute File | Yes | Yes | Yes | Yes | No | No
List Folder/Read Data | Yes | Yes | Yes | Yes | Yes | No
Read Attributes | Yes | Yes | Yes | Yes | Yes | No
Read Extended Attributes | Yes | Yes | Yes | Yes | Yes | No
Create Files/Write Data | Yes | Yes | No | No | No | Yes
Create Folders/Append Data | Yes | Yes | No | No | No | Yes
Write Attributes | Yes | Yes | No | No | No | Yes
Write Extended Attributes | Yes | Yes | No | No | No | Yes
Delete Subfolders and Files | Yes | No | No | No | No | No
Delete | Yes | Yes | No | No | No | No
Read Permissions | Yes | Yes | Yes | Yes | Yes | No
Change Permissions | Yes | No | No | No | No | No
Take Ownership | Yes | No | No | No | No | No
By default, the Full Control permission is granted to the Everyone group when a folder is created. If the default has been changed, or for whatever reason your account no longer has the Full Control permission, you must either be given Change Permissions or Take Ownership permissions, which includes the right to Change Permissions, to be able to reassign Full Control to yourself. You must either be the creator of the file or folder in question or have Full Control or Change Permissions granted to alter permissions on NTFS partitions.
Advanced NTFS Permissions
Although these standard permissions should cover most security scenarios that you are likely to encounter, you are not restricted to them. To apply advanced NTFS file and folder permissions individually, select an object that you wish to secure, then right-click and select the Properties command to open the Properties dialog box. Next, switch to the Security tab (see Figure 2.6). In the lower left, click the Advanced button to open the Access Control Settings dialog box, as shown in Figure 2.7.
Figure 2.7 Viewing advanced access control.
Double-click any group account in the Access Control Settings window to view and edit special permissions, as shown in Figure 2.8.
Figure 2.8 Viewing special permissions.
File permissions are applied file by file. Folder permissions, however, can be applied to a folder, a folder plus all of its subfolders, or a folder, its subfolders, and all of the files in that folder and subfolders.
You may select the level of security you prefer from the Apply onto drop-down menu in the Permission Entry dialog box (see Figure 2.8).
Optimizing Access
Unless you explicitly change them, files and folders inherit permissions from their parent objects. For example, if you create a "Downloads" folder at the root level of your computer's hard drive (e.g., C:), then copy the file "MCSE.HTM" into that folder, the file adopts the same permissions as the root. In short, \Downloads inherits its permissions from C:\ and MCSE.HTM in turn inherits its permissions from \Downloads.
You may change this behavior by simply deselecting the Allow inheritable permissions from parent to propagate to this object check box in the Properties dialog box (see Figure 2.6) or Access Control Settings dialog box (see Figure 2.7). This enables the previously described Apply onto drop-down menu.
It also opens the Security dialog box shown in Figure 2.9, in which you may choose to forgo inheritance in favor of your own explicit permissions scheme. Choose with care, for you might make data inaccessible to the system or other users that you should have left alone.
Figure 2.9 Choosing to bypass permissions inheritance.
You can tell that a file or folder is inheriting its permissions if the permissions check boxes are grayed out, or the Remove button is unavailable (see Figure 2.6).
If your account has Full Control over a folder, you have the power to delete subfolders and files within that folder regardless of the permissions assigned to those subfolders and files individually.
Combined Permissions
Users and groups can both be granted NTFS permissions. Sometimes a user is a member of multiple groups that have different access levels to a resource through NTFS permissions. In such a case, that user's combined permissions, including the least restrictive level granted by these associations, is the effective permission level. The exception comes into play if the user or one of the groups of which the user is a member has been assigned the Deny permission. The Deny permission overrules any other combination of permissions that user might have otherwise been granted.
Taking Ownership
You can assign the NTFS permission to take ownership of files or folders through special permissions. By default, the creator of a file or folder is its owner and has Full Control over it. In order for another user to take ownership, that user must be given that right through NTFS permissions. If the owner has removed every user but himself, only an Administrator can take ownership. (An Administrator always has this access.)
You can give a user permission to use a resource, but you cannot give away ownership. When an Administrator makes himself owner of a resource, he remains owner until someone else that he permits takes ownership, or takes back ownership. This way, an unsuspecting user cannot be made to look like he made changes to someone else's files or folders. It will be apparent that the administrator has ownership.
You can give someone the right to take ownership by granting Take Ownership or Change Permissions special permissions, or Full Control standard permission.
Denying Permissions
Choosing to Deny a permission overrides all other permissions for all users and groups except Administrators. For instance, a user that is a member of Group One, which has Full Control, will be able to Change Permissions. However, if the user is also a member of Group Two, which has been denied Change Permissions, the user is restricted.
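The combination rules in Combined Permissions and Denying Permissions can be checked with a short model. The following is an added example, not code from the book or from Windows: it expands the standard file permissions using Table 2.2, unions every Allow entry that matches the user or one of the user's groups, then removes anything a matching Deny entry covers. The principal names in the sample ACL are constructed, and the exception for Administrators mentioned above is not modeled.

```python
"""Model of the NTFS permission rules described on this page (added example)."""

# Special permissions in the row order of Table 2.2.
SPECIAL = (
    "Traverse Folder/Execute File", "List Folder/Read Data",
    "Read Attributes", "Read Extended Attributes",
    "Create Files/Write Data", "Create Folders/Append Data",
    "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete",
    "Read Permissions", "Change Permissions", "Take Ownership",
)

# Columns of Table 2.2 (standard file permissions), one Y/N flag per SPECIAL row.
TABLE_2_2 = {
    "Full Control":   "YYYYYYYYYYYYY",
    "Modify":         "YYYYYYYYNYYNN",
    "Read & Execute": "YYYYNNNNNNYNN",
    "Read":           "NYYYNNNNNNYNN",
    "Write":          "NNNNYYYYNNNNN",
}
STANDARD = {
    name: frozenset(p for p, flag in zip(SPECIAL, flags) if flag == "Y")
    for name, flags in TABLE_2_2.items()
}


def expand(permission):
    """Return the special permissions behind a standard or special name."""
    if permission in STANDARD:
        return STANDARD[permission]
    if permission in SPECIAL:
        return frozenset([permission])
    raise ValueError(f"unknown permission: {permission!r}")


def effective_permissions(user, groups, acl):
    """Union every matching Allow entry, then subtract every matching Deny.

    acl is a list of (principal, "Allow" or "Deny", permission) tuples.
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, permission in acl:
        if principal not in principals:
            continue
        if kind not in ("Allow", "Deny"):
            raise ValueError(f"bad entry type: {kind!r}")
        (allowed if kind == "Allow" else denied).update(expand(permission))
    return allowed - denied


# Constructed ACL mirroring the Group One / Group Two case in the text.
SAMPLE_ACL = [
    ("Group One", "Allow", "Full Control"),
    ("Group Two", "Deny", "Change Permissions"),
    ("Readers", "Allow", "Read"),
    ("Writers", "Allow", "Write"),
]

if __name__ == "__main__":
    for user, groups in [("alice", ["Group One", "Group Two"]),
                         ("bob", ["Readers", "Writers"])]:
        perms = effective_permissions(user, groups, SAMPLE_ACL)
        print(user, sorted(perms))
```

In the sample, the member of both Group One and Group Two loses Change Permissions but still holds Take Ownership, which this chapter says includes the right to change permissions, so a Deny intended to lock down an ACL should cover both.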
Moving or Copying Files
Copying a file from one folder to another applies the permissions of the new host folder to that file. The original file is deleted, and a new one is created in the new folder. Moving a file between folders allows the file to retain its original permissions. The file stays in the same physical location on the disk. In the target folder, a new pointer to the file is created. If a move is made across partitions, however, the file is actually deleted and recreated in the new folder, thus assuming the permissions of the new folder.
Study Break
Assign Special Permissions
Practice what you have learned by assigning special permissions to folders and files.
First, create a folder at the root level of your computer's hard drive (e.g., C:). Next, drag a file into this folder. Open the file's Properties dialog box and switch to the Security tab. Deselect the Allow inheritable permissions from parent to propagate to this object check box to access the grayed-out check boxes. Experiment with assigning various standard and special permissions.