Chapter 5: Configuring Permissions and File Access – Microsoft Exam MD-100 Windows 10 Certification Guide

Chapter 5: Configuring Permissions and File Access

When users connect to a shared folder over a network, they can access the folders and files that the shared folder contains. Shared folders can contain applications, public data, or a user's personal data. This chapter will discuss the various methods of sharing folders, along with the effect that these methods will have on file and folder permissions when you create shared folders on a New Technology File System (NTFS) formatted partition.

This chapter will also talk about managing and configuring NTFS and sharing permissions on folders and files.

The following topics will be covered in this chapter:

  • Overviewing different types of file systems
  • Configuring and managing file access
  • Understanding shared folder permissions
  • Configuring and managing shared folders

In this chapter, you will learn about the different file systems that you can use in Windows 10. Furthermore, you will learn about the configuration that's available for the NTFS file system and shared folders. You will also learn how to manage file access. This chapter will help you prepare for the MD-100 (Windows 10) exam, which is part of the Microsoft 365 Certified: Modern Desktop Administrator Associate certification.

Technical requirements

In this chapter, you will see various pieces of PowerShell code. The code is available in this book's GitHub repository: https://github.com/PacktPublishing/Microsoft-Exam-MD-100-Windows-10-Certification-Guide/tree/master/Chapter05

In the Understanding permission inheritance section, you will learn about the difference between permission inheritances. The steps that you will follow have also been recorded. You can find these videos here: https://bit.ly/2LsQDqD

Overviewing different types of file systems

Before you can store data on a volume, you must format it. To format a volume, you must select the file system that the volume should use. Windows 10 supports different file systems, including file allocation table (FAT), FAT32, extended file allocation table (exFAT), the NTFS file system, and the Resilient File System (ReFS).

There is also the Compact Disc File System (CDFS) and the Universal Disk Format (UDF), which are used on optical and read-only media. These two file systems are out of the scope of this exam guide.

In this section, you will learn about the differences and benefits of the file systems that Windows 10 supports. Let's learn about all these file systems in detail.

FAT

FAT is the oldest file system that Windows 10 supports. It has a low overhead but many limitations compared to newer file systems. However, enterprises often use it because nearly every operating system supports it. For example, you would use FAT on removable media, such as a USB drive, when you need to transfer data between Windows 10 and a non-Microsoft operating system or on a local hard drive if you have a PC with dual-boot configuration.

Windows 10 supports three versions of FAT, which are FAT, FAT32, and exFAT. The main differences between these three versions are as follows:

  • The size of the largest supported volume
  • The default cluster size
  • The maximum number of files and folders that you can create on the volume

The following table lists the differences between the three FAT versions:

Table 5.1 - Difference between FAT versions

Important Note

A cluster is the smallest unit of disk space that you can allocate to store a file. For example, if a volume cluster is 4 kilobytes (KB) and you store a file that's 100 bytes in size on that volume, it will use one cluster, which is 4 KB. The exFAT file system supports clusters that range from 512 bytes to 32 megabytes (MB).

When you must choose between the FAT or NTFS file system to format a volume, you will have to compare the file systems. You will find that many NTFS features are not available with FAT, such as the following:

  • Security: You cannot configure file permissions and limit user actions on a FAT volume.
  • Auditing: You cannot audit user actions on the FAT file system.
  • Compression: The FAT file system does not support compression and each file uses its full original size, rounded to the closest cluster size.
  • Encryption: Encrypting File System (EFS) is not supported, and you cannot use it on exFAT volumes.
  • Disk quota: The FAT file system does not support quotas. This means that you cannot limit the disk space that users can use on a FAT volume.

After you have formatted a volume, you cannot change the file system or cluster size. You can only perform a backup and reformat the volume. The only exception is that you can convert FAT or FAT32 file system volumes into NTFS file system format.

Now, let's learn about the NTFS system.

NTFS

This type of file system is the default file system in Windows 10. NTFS provides better performance, reliability, and advanced features that are not available in any version of FAT.

The NTFS file system provides the following:

  • Reliability: The NTFS file system uses log file and checkpoint information to restore the consistency of the file system when the computer restarts. In the event of a bad sector error, the NTFS file system dynamically remaps the cluster that contains the bad sector, and it allocates a new cluster for the data. The NTFS file system also marks that cluster as bad and does not use it again.
  • Security: You can set permissions on a file, folder, or the entire NTFS volume, which enables you to control which users, groups, or computers can read, modify, or delete data. You can also enable auditing to log activities on the NTFS volume.
  • Data confidentiality: The NTFS file system supports the EFS in order to protect file content. If you have EFS enabled, you can encrypt files and folders for one user. Only this user can access these encrypted files. Other users can't access these files.
  • Limit storage growth: The NTFS file system supports the use of disk quotas. With this feature, you limit the amount of disk space that is available to a user. When disk quotas are enabled, you can configure whether to allow users to exceed their limits.
  • Additional space: The NTFS file system allows you to create extra disk space by compressing files, folders, or whole drives. You also can extend an NTFS volume by mounting an additional volume to an empty folder.
  • Support for large volumes: You can format a volume up to 256 terabytes (TB) in size by using the NTFS file system with a 64 KB cluster size. The NTFS file system supports larger files and supports a larger number of files per volume compared to any FAT version. The NTFS file system also manages disk space efficiently by using smaller cluster sizes. For example, a 30 GB NTFS volume uses 4 KB clusters. The same volume formatted with FAT32 uses 16 KB clusters. Using smaller clusters reduces space wastage on hard disks.
  • Advanced features: The NTFS file system includes multiple advanced features, such as distributed link tracking, sparse files, and multiple data streams.

In Windows 10, there is a utility called Convert.exe that you can use to convert FAT or FAT32 file systems into the NTFS file system type on data volumes. The benefit of using this utility is that you will not have downtime or data loss.

We will not go too deep into Convert.exe as it is beyond the scope of this book, but the following example uses the convert command to convert the volume on drive F to NTFS, with the /v switch displaying messages during the conversion process:

convert F: /fs:ntfs /v

As mentioned earlier in this chapter, you cannot convert NTFS into FAT. First, you must back up your data, reformat the volume by using the NTFS file system, and then restore the data.

Next, we will look at the ReFS system.

ReFS

Resilient File System (ReFS) was introduced in Windows Server 2012. It is also available in Windows 8.1, Windows Server 2012 R2, and in all newer Microsoft operating systems, including Windows 10. ReFS is built on top of the NTFS file system and is designed to provide the highest level of resiliency, integrity, and scalability, regardless of software or hardware failures.

ReFS includes only some of the NTFS features, such as security and auditing, but does not support others, such as quota, compression, and EFS. ReFS is especially useful for data volumes in multi-terabyte (TB) file servers and for cluster-shared volumes in failover clusters.

The ReFS file system has the following benefits:

  • ReFS is designed to provide the highest level of protection for data from common errors that can cause corruption, such as unexpected loss of power or disk failure.
  • The ReFS system periodically scans volumes. If it detects corruption within volumes, ReFS tries to correct the corruption automatically. If it cannot repair the corruption automatically, ReFS localizes the salvaging process to the corruption area.
  • ReFS supports extremely large volumes, even larger than the NTFS file system, without impacting performance. ReFS volumes can contain petabytes of data with ease.

Windows 10 provides limited support for ReFS. You can use it only with two-way or three-way mirrored storage spaces. You cannot format ReFS for non-mirrored storage spaces, such as simple or parity storage spaces.

In this section, you learned about the three most common file systems for Windows 10. In the next section, we will look at how you can configure and manage file access and NTFS permissions.

Configuring and managing file access

You can control user access to files by configuring file and folder permissions. If file permissions are supported by the file system, such as the NTFS or ReFS file systems, you can configure permissions at the volume (root folder), folder, and file levels. You can also assign permissions explicitly or you can inherit them from the higher levels.

Understanding tools for managing files and folders

You can store data as files on local storage or remote storage. To manage these files, you can use several tools in Windows 10, such as File Explorer, Command Prompt, and PowerShell. Let's learn about each of them in the following sections.

File Explorer

File Explorer is a tool that you typically use to manage files and folders. In the previous editions of Windows, File Explorer was called Windows Explorer. File Explorer provides a simple interface that is familiar to most Windows users. By using File Explorer, you can perform several functions, some of which are as follows:

  • Creating files and folders
  • Accessing files and folders
  • Managing the properties of files and folders
  • Searching for content in files and folders
  • Previewing content of files and folders

If you need to manage file permissions in File Explorer, right-click the object and then select Properties. You can configure permissions on the Security tab of the Properties dialog box.

Now, we'll move on to the Command Prompt tool.

Command Prompt

You can use the Command Prompt to access files and folders. To open the Command Prompt, click on the Start menu icon and start typing cmd.

Some common commands for managing files and folders are as follows:

  • cd: Changes the parent directory
  • md: Creates a directory
  • del: Deletes one or more files
  • move: Moves one or multiple files
  • dir: Displays a list of files and subdirectories in a directory
  • icacls: Displays or modifies permissions by using access control lists (ACLs)

Now, let's learn about the PowerShell tool.

PowerShell

You can use PowerShell to access and manage files and folders. To open PowerShell, click on the Start menu icon and start typing PowerShell. PowerShell provides many cmdlets that you can use to manage files and folders, as follows:

  • Get-ChildItem: This displays a directory's list of files and subdirectories.
  • Set-Location: This changes the parent directory.
  • Get-Alias: This is used to view a list of all aliases.

It also includes many aliases, which are the same as the familiar tools in the Command Prompt, such as dir and cd, and you can use them instead of the PowerShell cmdlets.

To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Windows\regedit.exe file with the output in list format, run the following command:

Get-ACL C:\Windows\regedit.exe | Format-List

To modify a file or folder's ACL, use the Set-ACL cmdlet. You also can use the Get-ACL cmdlet in conjunction with the Set-ACL cmdlet. You can use the Get-ACL cmdlet to provide the input by getting the object that represents the file or folder's ACL, and then using the Set-ACL cmdlet to change the ACL of the target file or folder so that it matches with the values that the Get-ACL cmdlet provides.

For example, to set the ACL on the C:\Temporary folder so that it's the same as the permissions on C:\Windows, including inheritance settings, you would run the following command:

Get-ACL C:\Windows | Set-ACL C:\Temporary

With that, you've learned how to see and change the ACL via PowerShell and Command Prompt. In the next section, you will learn how to set file and folder permissions and what types of permissions there are.

Configuring file and folder permissions

You can only configure file and folder permissions on NTFS and ReFS volumes. Permissions are rules that determine which actions specific users can perform on a file or a folder. A file or folder's owner can grant or deny permissions on it, as can anyone with the Full Control permission, which includes the right to modify permissions for that file or folder.

You assign permissions to files and folders by granting or denying a specific permission level. Typically, you assign them to groups to minimize administrative overhead. If you assign permissions to a group, every group member has the assigned permission. You can also assign permissions to individual users and computers. If you assign permissions to a group and to individual group members, they are cumulative. This means that a user has the permissions that you assign to him or her, in addition to those you assign to the group.

You can configure two types of permissions for files and folders, namely basic and advanced. The difference between these types is as follows:

  • Basic permissions: This type of permission is used the most. You will work with basic permissions often and assign them to groups and users.
  • Advanced permissions: This type of permission provides a finer degree of control. However, advanced permissions are more complex to document and manage than basic permissions.

You can choose which permission you want to allow or to deny on a file or folder. The basic file and folder permissions are as follows:

  • Full Control: This provides complete control of the file or folder and control of permissions.
  • Modify: This allows you to read a file, write changes to it, and modify permissions.
  • Read & execute: This allows you to see folder content, read files, and start programs.
  • Read: This allows you to read a file, but not make any changes to it.
  • Write: This allows you to change folder and file content.
  • Special permissions: This is a custom configuration.

    Important Note

    Groups or users that have the Full Control permission on a folder can delete any files in that folder, regardless of the permissions that protect the file.

You must have the Full Control permission for a folder or file to modify the permissions, except for the file and folder owners. The owner can always modify the permissions and administrators can always take ownership of files and folders to configure permissions.

The next section will be about inheritance of permissions. Permission inheritance is all about permissions that will be applied automatically to files and subfolders in a root folder.

Understanding permission inheritance

Permission inheritance allows the permissions that you set on a folder to be applied automatically to files that users create in that folder and its subfolders. This means that you can set permissions for an entire folder structure at a single point. If you must modify permissions, then you must perform the change at that single point itself.

For example, when you create a folder called Folder1, all subfolders and files created within Folder1 automatically inherit that folder's permissions. Therefore, Folder1 has explicit permissions, while all the subfolders and files within it have inherited permissions.

Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign Group1 Read permissions on a folder and Write permissions on a file in the folder, the members of Group1 can read and write in the file. If inherited and explicit permissions collide with each other, explicit permissions take precedence.

As mentioned earlier, you have two types of permissions. These types are as follows:

  • Explicit permissions: When you set permissions directly on a file or a folder, the permissions are applied explicitly. You can assign permissions to the object directly by modifying the security settings in the object's properties dialog box.
  • Inherited permissions: Files and folders are typically arranged in a nested structure, where a folder contains subfolders and files, and those subfolders contain files and folders. Permission inheritance allows for child objects to inherit the parent object's permissions settings.

This allows you to assign explicit permissions to a parent folder and have inheritance pass those permissions settings down to the parent folder's subfolders and files. By doing this, you can control inheritance behavior. Inherited permissions ease the task of managing permissions, and they ensure the consistency of permissions among all a container's objects.

Now that you know about the inheritance of permissions, you will learn how to configure inheritance for all objects.

Configuring inheritance for all objects

If the Allow or Deny checkboxes that are associated with each of the permissions appear shaded, then this means a file or folder has inherited permissions from one of its parent folders. There are two ways that you can make changes to inherited permissions, as follows:

  • You can make changes to a parent folder that you set permissions for explicitly. The file or folder will inherit these modified permissions.
  • You can choose not to inherit permissions from a parent object. You can then make changes to the permissions or remove a user or group from the permissions list of the file or folder.

All the child objects only inherit permissions that they are capable of inheriting. When you set permissions on a parent object, you can decide whether folders, subfolders, and files can inherit permissions. We can perform the following procedure to assign permissions that child objects can inherit:

  1. Open File Explorer.
  2. Right-click on a file or subfolder.
  3. Click the Properties | Security | Advanced button.
  4. In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists where the permissions are inherited from. The Applies To column lists the folders, subfolders, or files that the permissions have been applied to, as shown in the following screenshot:

    Figure 5.1 - The Advanced Security Settings box

  5. Double-click the user or group that you want to adjust permissions for.
  6. In the Permissions Entry for name dialog box, click the Applies to drop-down list:

    Figure 5.2 - Permission Entry Data window

  7. From the previous step, select one of the following options from the Applies to drop-down list: This folder only, This folder, subfolders and files, This folder and subfolders, This folder and files, Subfolders and files only, Subfolders only, or Files only.
  8. Click OK in the Permission Entry for name dialog box.
  9. After that, click OK in the Advanced Security Settings for name dialog box.
  10. Then, click OK in the Properties dialog box.

    Important Note

    If the Special permissions entry in the Permissions for User or Group box is shaded, this does not imply that this permission is inherited. Rather, this means that a special permission has been selected. If you add permissions for Creator Owner at the folder level, those permissions will apply to the user who created the file in the folder.
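The Get-ACL/Set-ACL round trip from the PowerShell section and the Applies to choices in this procedure can be combined in one script. The following is an added example, not code from the book's repository; the scratch folder C:\Temporary\InheritDemo, the BUILTIN\Users principal, and the function names Get-AppliesTo and Show-FolderAcl are assumptions made for illustration.

```powershell
# Added example, not from the book's repository.
# Assumptions: C:\Temporary\InheritDemo is a scratch folder on an NTFS volume and
# BUILTIN\Users is a placeholder for the group you actually want to grant.
$root  = 'C:\Temporary\InheritDemo'
$child = Join-Path $root 'Sub'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# Translate a folder ACE's flags into the wording of the "Applies to" list.
# (Hypothetical helper; only meaningful for entries read from a folder.)
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = $Rule.InheritanceFlags.HasFlag(
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag(
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Rule.PropagationFlags.HasFlag(
        [System.Security.AccessControl.PropagationFlags]::InheritOnly)

    if (-not $ci -and -not $oi) { return 'This folder only' }
    if ($io) {
        if ($ci -and $oi) { return 'Subfolders and files only' }
        if ($ci)          { return 'Subfolders only' }
        return 'Files only'
    }
    if ($ci -and $oi) { return 'This folder, subfolders and files' }
    if ($ci)          { return 'This folder and subfolders' }
    return 'This folder and files'
}

# List every entry on a folder with its origin (explicit or inherited).
function Show-FolderAcl {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Folder    = $Path
            Identity  = $_.IdentityReference
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Source    = if ($_.IsInherited) { 'Inherited' } else { 'Explicit' }
            AppliesTo = Get-AppliesTo -Rule $_
        }
    }
}

# Read the ACL, add one explicit entry that applies to
# "Subfolders and files only", and write the ACL back.
$acl  = Get-Acl -Path $root
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# The parent lists the new entry as Explicit; the subfolder lists the entries
# it received from its parents as Inherited.
Show-FolderAcl -Path $root  | Format-Table -AutoSize
Show-FolderAcl -Path $child | Format-Table -AutoSize
```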

With that, you've learned how to modify inheritance permissions. We can also prevent inheritance to files and folders. In the next section, you will learn what the consequences of doing this are and how to configure this particular setting.

Preventing inheritance

After you've set permissions on a parent folder, new files and subfolders that users create in the folder inherit these permissions. You can block permission inheritance to restrict access to these files and subfolders. For example, you can assign all Accounting users the Modify permission to the Accounting folder. For the Invoices subfolder, you can block inherited permissions and grant only a few specific users permissions to the folder.

Important Note

When you block permission inheritance, you have the option to convert inherited permissions into explicit permissions, or you can remove all inherited permissions. If you want to restrict a group or user, you can convert inherited permissions into explicit permissions to simplify the configuration.

To prevent a folder or file from inheriting permissions from a parent folder, perform the following procedure:

  1. Open File Explorer.
  2. Right-click a file or subfolder.
  3. Click the Properties | Security | Advanced button.
  4. In the Advanced Security Settings for file or folder dialog box, click Disable inheritance, as shown in the following screenshot:

    Figure 5.3 - Advanced properties tab

  5. Then, in the Block Inheritance dialog box, select one of the following options: Convert inherited permissions into explicit permissions on this object or Remove all inherited permissions from this object.

    The following screenshot shows the previously stated options that will appear in the Block Inheritance dialog box:

    Figure 5.4 - Block Inheritance window

  6. Click OK in the Advanced Security Settings for name dialog box.
  7. Click OK in the Properties dialog box.
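The two choices in the Block Inheritance dialog box map to the two arguments of the .NET SetAccessRuleProtection method. The following is an added example, not code from the book's repository; the scratch folders under C:\Temporary\BlockDemo and the function name Disable-Inheritance are assumptions made for illustration.

```powershell
# Added example, not from the book's repository.
# Assumption: C:\Temporary\BlockDemo is a scratch location on an NTFS volume.
$root      = 'C:\Temporary\BlockDemo'
$converted = Join-Path $root 'Converted'
$removed   = Join-Path $root 'Removed'
New-Item -ItemType Directory -Path $converted, $removed -Force | Out-Null

# Hypothetical helper that disables inheritance on one folder.
function Disable-Inheritance {
    param(
        [string]$Path,
        [bool]$KeepInheritedAsExplicit
    )
    $acl = Get-Acl -Path $Path

    # First argument:  $true blocks inheritance from the parent.
    # Second argument: $true converts inherited entries into explicit ones,
    #                  $false removes all inherited entries.
    $acl.SetAccessRuleProtection($true, $KeepInheritedAsExplicit)

    if (-not $KeepInheritedAsExplicit) {
        # Removing every inherited entry can leave nobody with access, so add
        # an explicit Full Control entry for the current user in the same write.
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl
}

Disable-Inheritance -Path $converted -KeepInheritedAsExplicit $true
Disable-Inheritance -Path $removed   -KeepInheritedAsExplicit $false

# Re-read both ACLs and summarise what each option left behind.
foreach ($path in $converted, $removed) {
    $acl = Get-Acl -Path $path
    [pscustomobject]@{
        Folder              = $path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ExplicitEntries     = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedEntries    = @($acl.Access | Where-Object { $_.IsInherited }).Count
    }
}
```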

In the next section, you will learn about forcing the inheritance of permissions and the effects this has on the permissions of files and folders.

Forcing permission inheritance

The Advanced Security dialog box for folders includes a checkbox named Replace all child object permission entries with inheritable entries from this object. Selecting this checkbox will replace the permissions on all child objects that you can change permissions for, including child objects that had Block inheritance configured. This is useful if you need to change permissions on many subfolders and files, especially if you set the original permissions incorrectly.

You might be overwhelmed with inheritance permissions after reading the previous sections, but there is still one feature to look at: Effective Access, which shows what the inheritance of permissions means for a user or a group. In the next section, you will learn what you can do with this feature.

Understanding the Effective Access feature

The Effective Access feature determines the permissions a user or group has on an object by calculating the permissions that are granted to the user or group. The calculation considers the group membership permissions and any of the permissions that are inherited from the parent object.

The calculation determines all the domain and local groups that the user or group is a member of.

The Effective Access feature only produces a rough calculation of the permissions that a user has. The actual permissions that a user has might be different, because permissions can be granted or denied based on how a user signs in.

To view the Effective Access permissions, follow these steps:

  1. Open File Explorer.
  2. Right-click on a folder.
  3. Click the Properties | Security | Advanced | Effective Access | Select a user button.
  4. Choose a user and click OK.
  5. Then, click View effective access. The Effective Access tab can be seen in the following screenshot:

Figure 5.5 - Effective Access dialog box

In the next section, we will take a look at how file and folder permissions behave when we copy or move the files and folders to a different location (on the same or a different volume).

Learning about copying and moving files

When you copy or move a file or folder, the permissions can change, depending on where you move the file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact this has on permissions.

Effects of copying files and folders

When you copy a file or folder from one folder to another folder, or from one volume to another volume, the permissions for the files or folders might change. Copying a file or folder creates new objects with the same content as the original files or folders, which has the following effects on permissions:

  • When you copy a file or folder within a single volume, the copy of the folder or file will receive the permissions of the destination folder.
  • When you copy a file or folder to a different volume, the copy of the folder or file will receive the permissions of the destination folder.

When you copy a file or folder to a volume that does not support permissions, such as a FAT file system, the copy of the folder or file loses its permissions. This is because the target volume does not support permissions.

Important Note

When you copy a file or folder within a single volume or between volumes, you must have the Read permission for the source folder and the Write permission for the destination folder.

When you are copying or moving files and folders, the copied files and folders will receive the permissions from the folder above (origin folder). But what are the effects of moving files and folders? You will learn about that in the next section.

Effects of moving files and folders

When you move a file or folder, permissions might change, depending on the destination folder's permissions. Moving a file or folder has the following effects on permissions:

  • If you move a file or folder within the same volume, only the pointers are updated, and data is not moved. Permissions that are inherited at the source location no longer apply and the file or folder that you moved inherits the permissions from the new parent folder. If the file or folder has explicitly assigned permissions, it retains those permissions, in addition to the newly inherited permissions.
  • When you move a file or folder to a different volume, the folder or file inherits the destination folder's permissions, but it does not retain the explicitly assigned or inherited permissions from the source location. When you move a folder or file between volumes, Windows 10 copies the folder or file to the new location and deletes the original file from the source location.
  • When you move a file or folder to a volume that does not support permissions, the folder or file loses its permissions because the target volume does not support permissions.

    Important Note

    Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their parent folder. If you move files that only have inherited permissions, they do not retain the inherited permissions during the move.

    Also, when you move a file or folder within a volume or between volumes, you must have both the Write permission for the destination folder and the Modify permission for the source file or folder. You need the Modify permission to move a folder or file because Windows 10 deletes the folder or file from the source folder after it has been moved to the destination folder.

The Copy command is not aware of the security settings on folders or files. However, commands that are more robust have this awareness, some of which are as follows:

  • Xcopy: This has the /o switch so that it can include ownership and ACL settings.
  • Robocopy: This has several switches that cause security information to be copied. They are /Copy:DAT and /Sec. In the /Copy:DAT term, D stands for Data, A stands for Attributes, and T stands for Timestamps. You can add the S flag after T, where S stands for Security, such as NTFS ACLs. /Sec is the equivalent of /Copy:DATS.
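To check which operations keep an explicitly assigned permission, the script below tags a file with a marker entry and then copies or moves it in four ways. It is an added example, not code from the book's repository; the scratch location C:\Temporary\CopyMoveDemo, the use of BUILTIN\Power Users as the marker principal (English group name), and the function name Test-ExplicitMarker are assumptions made for illustration.

```powershell
# Added example, not from the book's repository.
# Assumptions: C:\Temporary\CopyMoveDemo is a scratch location on one NTFS
# volume; BUILTIN\Power Users is only a recognisable marker principal.
$base   = 'C:\Temporary\CopyMoveDemo'
$marker = 'BUILTIN\Power Users'
$dirs   = @{
    Source   = Join-Path $base 'Source'
    CopyItem = Join-Path $base 'CopyItem'
    MoveItem = Join-Path $base 'MoveItem'
    RoboDAT  = Join-Path $base 'RoboDAT'
    RoboSEC  = Join-Path $base 'RoboSEC'
}

# Start from a clean tree so the script can be run repeatedly.
if (Test-Path $base) { Remove-Item -Path $base -Recurse -Force }
New-Item -ItemType Directory -Path @($dirs.Values) -Force | Out-Null

# Create two files and give each an explicit Read entry for the marker.
foreach ($name in 'keep.txt', 'move.txt') {
    $file = Join-Path $dirs.Source $name
    Set-Content -Path $file -Value 'demo'
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $marker, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# The four operations discussed in this section.
Copy-Item -Path (Join-Path $dirs.Source 'keep.txt') -Destination $dirs.CopyItem
robocopy $dirs.Source $dirs.RoboDAT keep.txt /COPY:DAT | Out-Null   # data, attributes, timestamps
robocopy $dirs.Source $dirs.RoboSEC keep.txt /SEC      | Out-Null   # same as /COPY:DATS
Move-Item -Path (Join-Path $dirs.Source 'move.txt') -Destination $dirs.MoveItem

# Hypothetical helper: does the file still carry the explicit marker entry?
function Test-ExplicitMarker {
    param([string]$File)
    [bool]((Get-Acl -Path $File).Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $marker
    })
}

# Report the result for each operation.
$results = @(
    @{ Operation = 'Copy-Item';                File = Join-Path $dirs.CopyItem 'keep.txt' }
    @{ Operation = 'robocopy /COPY:DAT';       File = Join-Path $dirs.RoboDAT  'keep.txt' }
    @{ Operation = 'robocopy /SEC';            File = Join-Path $dirs.RoboSEC  'keep.txt' }
    @{ Operation = 'Move-Item (same volume)';  File = Join-Path $dirs.MoveItem 'move.txt' }
) | ForEach-Object {
    [pscustomobject]@{
        Operation         = $_.Operation
        File              = $_.File
        ExplicitEntryKept = Test-ExplicitMarker -File $_.File
    }
}
$results | Format-Table -AutoSize
```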

In this section, you learned how you can configure and maintain file access in a Windows 10 environment. You can do this via the File Explorer, PowerShell, or Command Prompt. You also learned about how to set permissions and what inheritance permissions are, as well as how you can force or prevent this type of permissions. You also learned what will happen when you move or copy files within the same volume or to another volume.

In the next section, you will learn how to configure and maintain shared folders.

Configuring and managing shared folders

An administrator's daily job is to collaborate with the team. Your team might create documents that only team members can share, or you might work with a remote team member who needs access to your team's files. Because of this type of collaboration and its requirements, you must understand how to manage shared folders in a network environment.

A user can connect to a shared folder over a network and access the folders and files that are in the shared folder. Shared folders can contain applications, public data, or a user's personal data. By providing a central location for shared folders, you enable the following features:

  • Simplification of administrative management
  • Ease in backing up data
  • Consistent location and availability
  • User familiarity

In this section, we will learn about the various methods you can use to share folders, along with the effect this has on file and folder permissions when you create shared folders on an NTFS formatted partition.

When an administrator shares a folder, the administrator makes its content available on the network to multiple users. The administrator can limit who can access the shared folder and what type of shared permissions they have. Additionally, the administrator can limit the number of users who can access the share at the same time and whether an offline copy will be created automatically on their computer.

Shared folders maintain a separate set of permissions from the file system permissions, which means that the administrator can set share permissions, even if the administrator shares a folder on the FAT file system. The same share permissions apply to all shared content. This behavior is different from file system permissions, where the administrator can set permissions for each file individually.

The administrator can use these permissions to provide an extra level of security for files and folders that you make available on your network. The administrator can share the same folder multiple times by using a different share name and other share settings for each creation.

After the administrator shares a folder, all users on the network will see the share name. But only the users with Read permissions can view the content inside that share. Windows 10 restricts folder sharing to members of the Administrators group. If a user is not a member of the Administrators group, then the user must provide administrative credentials in the User Account Control (UAC) dialog box.

File and printer sharing are disabled by default. When you share the first folder on a Windows 10 device, Windows 10 turns on file and printer sharing automatically. This setting remains turned on, even if you remove all shared folders. You can configure it manually in Advanced sharing settings in the Control Panel.

Now, let's take a look at shared folder permissions. As you have seen, besides file and folder permissions, you can also set permissions on shares. Share permissions control whether users or groups can access the shared folder; they need this access before they can access the files in it.

Understanding shared folder permissions

When you share a folder, you must configure the permissions that a user or group will have when they connect to the folder through the share. This is called sharing permissions. The following are three options for sharing permissions:

  • Read: The users can view the content, but they cannot modify or delete it.
  • Change: The users can also modify, delete, and create content, but they cannot modify permissions. This permission also includes the Read permission.
  • Full Control: The users can perform all actions, including modifying the permissions. This permission also includes the Change permission.

Besides the previously stated sharing permissions, you also have the basic sharing permissions. These permissions are simplified and can have one of two options, which are given as follows:

  • Read: The users can open but cannot modify or delete a file.
  • Read/Write: This is the Full Control option. The users can open, modify, or delete a file and modify permissions.

Now that you know about the five different shared folder permissions, in the next section, you will learn how you can view which permissions a shared folder has.

Viewing shared folders

Windows 10 creates several shared folders by default. You can view all shared folders in the Computer Management console by clicking the Shared Folders node. You can also run the following command:

net view \\localhost /all

You can also run the following PowerShell cmdlet:

Get-SmbShare

The following screenshot shows the output after executing the net view \\localhost /all command:

Figure 5.6 - Output of the net view command and Get-SmbShare

In the previous screenshot, you can see the output of both commands. The first output is the command line, while the second output is the PowerShell cmdlet.

Important Note

In older Windows versions, you could recognize shared folders in File Explorer because there was a different icon for folders that were being shared compared to folders that were not being shared. In File Explorer within Windows 10, the same icon is used, regardless of whether a folder is shared or not.

Now you know how to view which permissions a shared folder has. In the next section, we will create a shared folder and look at the tools you can use to create one.

Creating shared folders

Users most commonly connect to a shared folder over the network by using its Universal Naming Convention (UNC) address. The UNC address contains the name of the computer that is hosting the folder and the shared folder name, separated by a backslash (\) and preceded by two backslashes (\\). For example, the UNC name for the Accounting shared folder on the CAT-CL7 computer in the Theorange.cat domain would be \\CAT-CL7.theorange.cat\Accounting. You can share folders in several ways, as follows:

  • Shared Folders snap-in
  • File Explorer
  • Command Prompt
  • PowerShell cmdlets

In the next few sections, you will learn how you can use the previously mentioned ways to share a folder.

Shared Folders snap-in

You can use the Shared Folders snap-in to manage a computer's file shares centrally. You can use this snap-in to create file shares, set permissions, and view and manage open files and the users who can connect to a computer's file shares. Additionally, you can view the properties for the shared folder, which would allow you to perform actions such as specifying file permissions.

Let's create a share and give permissions using the Shared Folders snap-in:

  1. Right-click on Start.
  2. Click Computer Management | Shared Folders | Shares buttons. The following screenshot shows the computer management window:

    Figure 5.7 - Shares overview

  3. Right-click in the middle pane, or right-click on Shares.
  4. Click on New Share….
  5. In the Create a Shared Folder Wizard, click Next:

    Figure 5.8 - The Create a Shared Folder Wizard

  6. Click on Browse…, go to the folder you want to share, and click OK:

    Figure 5.9 - Browse to a folder you want to share

  7. Click on Next, as shown in the following screenshot:

    Figure 5.10 - Folder path window

  8. Type in the share name and description and choose the correct offline settings:

    Figure 5.11 - Providing the share name and description

  9. Click on Next.
  10. Choose the correct permissions for the shared folder or customize the permissions by clicking Customize permissions:

    Figure 5.12 - Shared Folder Permissions window

  11. Click on Finish.
  12. Then, click on the next Finish button:

Figure 5.13 - The Sharing was Successful window

With that, you have successfully created a shared folder by using the Shared Folders snap-in:

Figure 5.14 - The newly created shared folder

Now that we've created a share via the Shared Folders snap-in, we can do the same via File Explorer.

File Explorer

You can use File Explorer to share a folder using the Share with option from the shortcut menu or via the ribbon.

Let's create a shared folder using File Explorer with the Share with option:

  1. Open File Explorer and go to the folder you want to share.
  2. Click on the Share tab in the ribbon.
  3. In the Share with box, choose a user:

    Figure 5.15 - Choosing the user who wants to have access to the share

  4. In the Network access wizard, click on Yes, share the items.
  5. If this is your first time doing this, then the Network discovery and file sharing dialog box will open. Choose the appropriate option for your environment: No, make the network that I am connected to a private network or Yes, turn on network discovery and file sharing for all public networks. The Network discovery and file sharing window is as follows:

    Figure 5.16 - Choosing the appropriate option

  6. The folder will now be set up so that it can be shared with the user.
  7. To check if the folder is being shared, open the Properties dialog box and click on the Sharing tab:

Figure 5.17 - Result of your created folder

With that, you have successfully created a share with File Explorer. Next, we will do this with the command line.

Command line

You can share a folder by using the net share command, as shown here:

net share IT=C:\Data\Department\IT

The previous command shares the C:\Data\Department\IT folder under the share name IT and grants all users Read permissions. You can specify additional parameters when creating a share, some of which are as follows:

  • /Grant:user,permission: This allows you to specify Read, Change, or Full share permissions for the specified user.
  • /Users:number: This allows you to limit the number of users who can connect to the share.
  • /Remark:"text": This allows you to add a comment to the share.
  • /Cache:option: This allows you to specify the caching options for the share.
  • sharename /Delete: This allows you to remove an existing share.

In the following screenshot, you can see an example of how to use the net share command with some optional parameters:

Figure 5.18 - Output of using the net share command with optional parameters

Besides using Command Prompt, you can use PowerShell as well.

PowerShell

PowerShell includes several cmdlets that you can use to manage shares. The following example illustrates the cmdlet for creating a share:

New-SmbShare -Name "Global IT" -Path C:\Data\Department\IT

The following points list additional PowerShell commands that you can use to manage shares:

  • Get-SmbShare: This retrieves a list of the computer's existing shares.
  • Set-SmbShare: This modifies an existing share.
  • Remove-SmbShare: This removes an existing share.
  • Get-SmbShareAccess: This retrieves a share's permissions.
  • Grant-SmbShareAccess: This sets share permissions.

In the following screenshot, you can see an example of the New-SmbShare cmdlet being used with some optional parameters:

Figure 5.19 - Output of the New-SmbShare cmdlet with additional parameters
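As an added example (not from the book or its GitHub repository), the following script creates a share with explicit share permissions, a user limit, and an offline caching mode, then changes one entry and reads the result back. The share name, path, description, and principals are placeholder assumptions; replace them with your own users or groups.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book. Share name, path and principals are
# placeholder assumptions chosen so the script runs on a single computer.
$shareName = 'IT'
$path      = 'C:\Data\Department\IT'
$editor    = "$env:USERDOMAIN\$env:USERNAME"   # stand-in for a department group

# Make sure the folder exists before sharing it.
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path -Force | Out-Null
}

# Create the share only if the name is not already in use on this computer.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    $newShare = @{
        Name                = $shareName
        Path                = $path
        Description         = 'IT department data'
        ReadAccess          = 'BUILTIN\Users'            # Read
        FullAccess          = 'BUILTIN\Administrators'   # Full Control
        ConcurrentUserLimit = 10                         # simultaneous users
        CachingMode         = 'None'                     # no offline copies
    }
    New-SmbShare @newShare | Out-Null
}

# Add a Change entry later on without recreating the share.
Grant-SmbShareAccess -Name $shareName -AccountName $editor -AccessRight Change -Force | Out-Null

# Lower the user limit on the existing share.
Set-SmbShare -Name $shareName -ConcurrentUserLimit 5 -Force

# Read back the share properties and the share permissions now in effect.
Get-SmbShare -Name $shareName |
    Format-List Name, Path, Description, ConcurrentUserLimit, CachingMode
Get-SmbShareAccess -Name $shareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Share permissions set this way work in conjunction with the NTFS permissions on the folder, so review both when you check what a user can do over the network.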

With that, you learned how you can create, modify, or delete shares in different ways. Next, you will learn what you can do with shared folder properties and how you can configure them.

Shared folder properties

You can configure the properties of a shared folder when you create a share or when you modify shared folder properties. The properties that you can configure from a shared folder are as follows:

  • The way your users can view and connect to a share
  • The number of users that can access a share simultaneously
  • Which share permissions will be effective for your users
  • The offline settings for the share data

You can configure these properties in several ways, as follows:

  • Advanced Sharing
  • The net share command
  • The PowerShell cmdlets, namely New-SmbShare and Set-SmbShare

There are many ways to connect to a shared folder: by using File Explorer, the command line, or PowerShell. Let's take a look.

Advanced Sharing

From the Advanced Sharing option, which you can find in the Sharing tab in the Folder properties window, you can configure the following parameters: Share name, Number of simultaneous users, Caching, and Permissions. The following screenshot shows the Advanced Sharing window:

Figure 5.20 - The Advanced Sharing window

From the preceding screenshot, you can see various fields. Let's take a look at them in more detail:

  • Share name: Each share must have a share name, and it must be unique for each Windows 10-based computer. The share name can be any string that does not contain special characters, and it is part of the UNC path.

    You can share the same folder multiple times and with different properties, but each share name must be unique. If the share name ends with a dollar sign ($), then the share is hidden and not visible on the network. However, you can connect to it if you know the share name and have the appropriate permissions.

  • Number of simultaneous users: This limits the number of users that can have an open connection to the share. The connection to the share is open when a user accesses the share for the first time, and it closes automatically after a period of inactivity. The default value in Windows 10 is no more than 20 users. However, you can set this to a lower number.
  • Caching: You can control which of the share's files and programs are available to offline users, or those who do not have network connectivity. You can configure files as follows:

Figure 5.21 - The Offline Settings window

From the previous screenshot, you can see the various options that you can choose from: Only the files and programs that users specify are available offline, No files or programs from the shared folder are available offline, and All files and programs that users open from the shared folder are automatically available offline.

  • Permissions: You can configure shared folder permissions that Windows uses in conjunction with file system permissions when a user tries to use a shared folder to access data over a network. Shared folder permissions can allow Read, Change, or Full control permissions, as shown in the following screenshot:

Figure 5.22 - Share Permissions window for a folder

If you try to use a share name that is already in use on the computer, Windows 10 will provide you with an option to stop sharing an old folder and use the share name to share the current folder. If you rename a folder that is being shared currently, you won't receive a warning. However, the folder will no longer be shared.

Important Note

If you share a folder by using Network File and Folder Sharing, you can share a folder only once, and you cannot configure its properties manually. The share name is set automatically and is the same as the folder name. The share permissions, number of simultaneous users, and caching properties retain the same value.

We'll look at the command-line option next.

Command line

With the following cmd command, you can view the shared folder properties for a share. In this example, the shared folder is named Accounting:

net share Accounting

The output from this command will be as follows:

Figure 5.23 - Output of the net share command

As shown in the previous screenshot, not much information is given about this share: only Share name, Path, Remark, Maximum users, Users, Caching, and Permission. When you use PowerShell, you will see more information about a share.

PowerShell

With the following PowerShell cmdlet, you can view shared folder properties for a share. In this example, the shared folder is named Data:

Get-SmbShare -Name Data | Format-List -Property *

The output of the preceding command can be seen in the following screenshot:

Figure 5.24 - Output window of the Get-SmbShare PowerShell cmdlets
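The same cmdlets can review every share on a computer at once. The following function is an added example, not from the book: it reports each share's user limit, caching mode, and whether a broad group has Change or Full Control. The function name, the list of broad principals, and the report columns are assumptions of this example.

```powershell
# Added example, not from the book. Run in an elevated PowerShell session.
# Principals treated as "broad" here are an assumption; adjust to your policy.
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Get-ShareReview {
    foreach ($share in Get-SmbShare) {
        # One entry per account on the share's permission list.
        $entries = @(Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue)

        # Allow entries that let a broad group modify content or permissions.
        $broadWrite = $entries | Where-Object {
            [string]$_.AccessControlType -eq 'Allow' -and
            [string]$_.AccessRight -in 'Change', 'Full' -and
            $_.AccountName -in $broadPrincipals
        }

        $limit = if ($share.ConcurrentUserLimit -eq 0) {
            'Maximum allowed'   # 0 means no lower limit was configured
        } else {
            $share.ConcurrentUserLimit
        }

        [pscustomobject]@{
            Name       = $share.Name
            Path       = $share.Path
            Hidden     = $share.Name.EndsWith('$')   # name ends with a dollar sign
            BuiltIn    = $share.Special              # share created by Windows
            UserLimit  = $limit
            Caching    = $share.CachingMode
            BroadWrite = ($broadWrite.AccountName -join ', ')
        }
    }
}

Get-ShareReview | Sort-Object Name | Format-Table -AutoSize
```

A non-empty BroadWrite column marks a share where the share permissions do not restrict modification, so the NTFS permissions on the folder are the only control left.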

In this section, you learned how you can configure and maintain shared folders in a Windows 10 environment. There are benefits for an administrator to centrally manage shared folders, such as ease of use for backups and simplified management.

You also learned about the different types of shared folder permissions and how you can view shared folders. Then, you learned how to create a shared folder through the Shared Folders snap-in and how to give permissions to users. You can modify the properties from a shared folder by modifying the caching settings, permissions, number of simultaneous connected users, and, of course, the name of the share.

Summary

In this chapter, we have learned a lot of information about file systems, configuring and managing file access, and shared folders and permissions inheritance.

You learned that Windows 10 has three types of file system: FAT, NTFS, and ReFS. However, using FAT/FAT32 as a file system for Windows 10 is not advisable. NTFS is the default file system for Windows 10 and provides better enhancements, such as reliability, security, and support for larger volumes. With the NTFS file system, you can configure and manage file access on local storage or on remote storage, such as on a Network Attached Storage (NAS) device. You can configure and manage file access with tools such as File Explorer and PowerShell.

You also learned that there are two types of file and folder permissions: basic permissions and advanced permissions.

Then, you learned about permission inheritance. Permission inheritance allows the permissions that you set on a folder to be applied automatically to files that users create in that folder and its subfolders. You learned how you can configure these permissions on folders or files.

With the Effective Access feature, you can see what a user or group can or can't do when this user or group has specific access permissions on a specific file or folder. You also learned what happens to file or folder permissions when you copy or move files and folders within the same volume or to another volume. Besides this, you learned how to configure and manage shared folders on an NTFS file system.

In the next chapter, you will learn about the Windows 10 local policies, how to configure these policies, and how you can implement them.

Questions

  1. Can the FAT file system support a partition size of 1 TB?
  2. Does the ReFS file system support the quota feature?
  3. With the Read and Execute permissions, is it possible to start programs?
  4. When you copy a file within a single volume, will the copy of the file inherit the permissions of the destination folder?
  5. Was File Explorer also in older versions of Windows?
  6. If you were to remove all shared folders, will Windows 10 automatically delete the firewall rules?
  7. Can you use the net use command to set the shared folder properties?

Further reading