2- Managing File Security

20 Aug

quotas. You can also configure quotas using the DirQuota command-line tool. Additionally,
you can configure disk quotas by using Group Policy settings or by using Windows Explorer.
The sections that follow describe each of these techniques.
Lesson 2: Sharing Folders 527
Configuring Disk Quotas Using the Quota Management Console
After installing the File Server Resource Manager role service, you can manage disk quotas
using the Quota Management console. In Server Manager, you can access the snap-in at
Roles\File Services\Share And Storage Management\File Server Resource Manager\Quota
Management. The Quota Management console provides more flexible control over quotas and
makes it easier to notify users or administrators that a user has exceeded a quota threshold or
to run an executable file that automatically clears up disk space.
Creating Quota Templates The Quota Management snap-in supports the use of quota templates.
You can use a quota template to apply a set of quotas and response behavior to volumes.
Windows Server 2008 includes the following standard templates:
■ 100 MB Limit Defines a hard quota (a quota that prevents the user from creating more
files) of 100 MB per user, with e-mail warnings sent to the user at 85 percent and 95
percent. At 100 percent of the quota, this template sends an e-mail to the user and to
■ 200 MB Limit Reports To User Defines a hard quota of 200 MB per user, with e-mail
warnings sent to the user at 85 percent and 95 percent. At 100 percent of the quota, this
template sends an e-mail to the user and to administrators and sends a report to the user.
■ 200 MB Limit With 50 MB Extension Defines a 200 MB quota. When the 200 MB quota
is reached, the computer sends an e-mail to the user and administrators and then applies
the 250 MB Extended Limit quota to grant the user additional capacity.
■ 250 MB Extended Limit Primarily used with the previous quota template to provide the
user an additional 50 MB of capacity. This template prevents the user from exceeding
250 MB.
■ Monitor 200 GB Volume Usage Provides e-mail notifications when utilization reaches
70 percent, 80 percent, 90 percent, and 100 percent of the 200 GB soft quota.
■ Monitor 500 MB Share Provides e-mail notifications when utilization reaches 80 percent,
100 percent, and 120 percent of the 500 MB soft quota.
These standard templates are provided as examples. To create your own quota templates,
right-click Quota Templates in the Quota Management console, and then choose Create
Quota Template. In the Create Quota Template dialog box, select a standard template you
want to base your new template on, and then click Copy. Figure 11-6 demonstrates copying a
quota template.
528 Chapter 11 Managing Files
Figure 11-6 Creating a quota template
Thresholds define what happens when a user reaches a quota (or a percentage of a quota). To
add a threshold, edit a quota template or a quota, and then click Add. The Add Threshold dialog
box has four tabs:
■ E-mail Message Sends an e-mail notification to administrators or to the user. You can
define the [Admin Email] variable and other e-mail settings by right-clicking File Server
Resource Manager and then choosing Configure Options.
■ Event Log Logs an event to the event log, which is useful if you have management tools
that process events.
■ Command Runs a command or a script when a threshold is reached. You can use this
to run a script that automatically compresses files, removes temporary files, or allocates
more disk space for the user.
■ Report Generates a report that you can e-mail to administrators or the user. You can
choose from a number of reports.
Use thresholds to notify users or administrators that a user has consumed a specific amount
of disk space.
Creating Quotas To apply quotas consistently, you should always create a quota template
first and then create a quota based on that template. To create a quota, follow these steps:
1. Select and right-click the Quotas node in Server Manager, and then choose Create Quota.
The Create Quota dialog box appears, as shown in Figure 11-7.
Figure 11-7 Creating a quota
2. Click the Browse button to select a folder to apply the quota to, and then click OK.
3. Optionally, select Auto Apply Template And Create Quotas On Existing And New Subfolders.
Selecting this option applies a template to any new folders created within the
parent folder you select.
4. Select the Derive Properties From This Quota Template option, and then select the
quota template from the drop-down list. Otherwise, you can select the Define Custom
Quota Properties option and then click the Custom Properties button to define a quota
not based on an existing template.
5. Click Create.
The Quotas snap-in shows the newly created quota, which is immediately in effect.
Configuring Disk Quotas at a Command Prompt or Script
You can use the DirQuota command to configure disk quotas at the command prompt or from
a script. For example, the following command applies the standard 200 MB Limit Reports To
User template to the C:\Shared folder:
dirquota quota add /Path:C:\Shared /SourceTemplate:"200 MB Limit Reports To User"
To create a hard limit of 100 MB, run the following command:
dirquota quota add /Path:C:\Shared /Limit:100MB /Type:Hard
Although you can create multiple thresholds and notifications using the DirQuota command,
it is typically easier to create templates and use DirQuota to apply the templates. For complete
usage information, type the command DirQuota /?.
Configuring Disk Quotas Using Windows Explorer
Although you should always use the Quota Management console to configure quotas in Windows
Server 2008, the operating system continues to support quota management using Windows
Explorer, using the same interface as earlier versions of Windows. To configure disk
quotas on a local computer using Windows Explorer, follow these steps:
1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
2. Right-click the disk you want to configure quotas for, and then choose Properties. You
cannot configure quotas for individual folders.
The disk properties dialog box appears.
3. In the Quota tab, select the Enable Quota Management check box, as shown in Figure
Figure 11-8 Enabling quota management
4. Select the Limit Disk Space To option. Specify the limit and warning levels. Windows
does not notify users if they exceed either threshold. In fact, if you choose not to enforce
quota limits, the only difference between the two thresholds is the event ID that is added
to the System event log.
5. To add an event for the warning or limit levels, select the Log Event When A User
Exceeds Their Quota Limit check box or the Log Event When A User Exceeds Their
Warning Level check box. Events are added to the System event log with a source of
NTFS. Event ID 36 indicates that a user reached the warning level, and event ID 37
indicates a user reached the quota limit. Use event triggers to send an e-mail or run a
program when these events are added so that systems administrators can address the
problem. For more information about event triggers, read Chapter 10, “Monitoring
6. Optionally, select the Deny Disk Space To Users Exceeding Quota Limit check box. If
you select this check box, users will be unable to save or update files when they exceed
their quota limit. For this reason, you should typically not select this option—the potential
harm to user productivity is rarely worth it. Instead, create an event trigger that notifies
IT when a user exceeds the quota limit so that IT can follow up with the user.
7. Click Quota Entries to view the current disk usage, as shown in Figure 11-9. In the Quota
Entries window, double-click a user to configure a user-specific quota that differs from
the default settings for the disk.
Figure 11-9 Viewing quota entries
8. Click OK to close the Quota Settings For user name dialog box, close the Quota Entries
For drive letter window, and then click OK again to close the Local Disk Properties dialog
box. If prompted, click OK to enable system quotas.
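Steps 5 and 6 recommend logging quota events and following up with the user instead of denying disk space. The PowerShell script below is an added example, not part of the original text: it summarizes event IDs 36 and 37 from the System log per computer. The function names, the `Ntfs` provider-name match (taken from the event source named in step 5) and the sample records are assumptions made for illustration.

```powershell
# Added example, not from the original text. Sample records are constructed.

# Meaning of the two NTFS quota event IDs named in step 5.
$QuotaEventMeaning = @{ 36 = 'Warning level reached'; 37 = 'Quota limit reached' }

function Get-QuotaEvent {
    # Reads quota events from the System log of one computer.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'System'
        Id        = 36, 37
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    # Other sources can reuse these IDs, so keep only the NTFS source
    # (assumption: the provider name string is 'Ntfs').
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'Ntfs' }
}

function Measure-QuotaEvent {
    # Groups events per computer and event ID.
    # Each input record needs Id, MachineName and TimeCreated properties.
    param([object[]]$Record)
    if (-not $Record) { return }
    $Record | Group-Object MachineName, Id | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        $first  = $sorted[0]
        $last   = $sorted[$sorted.Count - 1]
        New-Object PSObject -Property @{
            Computer  = $first.MachineName
            EventId   = $first.Id
            Meaning   = $QuotaEventMeaning[[int]$first.Id]
            Count     = $_.Count
            FirstSeen = $first.TimeCreated
            LastSeen  = $last.TimeCreated
            # Event ID 37 means a user reached the limit, so IT should follow up.
            FollowUp  = ($first.Id -eq 37)
        }
    } | Select-Object Computer, EventId, Meaning, Count, FirstSeen, LastSeen, FollowUp
}

# Constructed sample records (hypothetical servers FS1 and FS2).
$now = Get-Date
$sample = @(
    (New-Object PSObject -Property @{ Id = 36; MachineName = 'FS1'; TimeCreated = $now.AddHours(-30) }),
    (New-Object PSObject -Property @{ Id = 36; MachineName = 'FS1'; TimeCreated = $now.AddHours(-6) }),
    (New-Object PSObject -Property @{ Id = 37; MachineName = 'FS1'; TimeCreated = $now.AddHours(-2) }),
    (New-Object PSObject -Property @{ Id = 36; MachineName = 'FS2'; TimeCreated = $now.AddHours(-1) })
)
Measure-QuotaEvent -Record $sample | Format-Table -AutoSize

# On a server with quota event logging enabled, summarize the real log instead:
# Measure-QuotaEvent -Record (Get-QuotaEvent -Days 7) | Format-Table -AutoSize
```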
Configuring Disk Quotas Using Group Policy
You can also configure simple disk quotas using Group Policy settings. In the Group Policy
Management Editor, select the Computer Configuration\Policies\Administrative Templates\
System\Disk Quotas node to define these policy settings:
■ Enable Disk Quotas You must enable this policy to use disk quotas.
■ Enforce Disk Quota Limit Equivalent to selecting the Deny Disk Space To Users Exceeding
Quota Limit check box when configuring local disk quotas.
■ Default Quota Limit And Warning Level Defines the quota limit and warning levels,
exactly as you can when configuring disk quotas using Windows Explorer.
■ Log Event When Quota Limit Exceeded Equivalent to selecting the Log Event When A
User Exceeds Their Quota Limit check box in Windows Explorer.
■ Log Event When Quota Warning Level Exceeded Equivalent to selecting the Log Event
When A User Exceeds Their Warning Level check box in Windows Explorer.
■ Apply Policy To Removable Media Defines whether quotas are applied to removable
media. Typically, this policy should be disabled.
Sharing Folders
You can share folders across the network to allow other computers to access them, as if the
computers were connected to a local disk.
Sharing Folders from Windows Explorer
The simplest way to share a folder is to right-click the folder in Windows Explorer and then
choose Share. As shown in Figure 11-10, the File Sharing dialog box appears and allows you to
select the users who will have access to the folder. Click Share to create the shared folder, and
then click Done.
Figure 11-10 Using the File Sharing dialog box to share a folder
Using this interface you can select four permission levels:
■ Reader Provides read-only access. This is equivalent to the Read share permission.
■ Contributor Provides read and write access. This is equivalent to the Change share permission.
■ Co-owner Enables the user to change file permissions, as well as granting full read and
write access. This is equivalent to the Full Control share permission.
■ Owner Assigned to the user who creates the share and allows changing file permissions
and read and write files. This is equivalent to the Full Control share permission.
Sharing Folders Using the Provision A Shared Folder Wizard
Using the Provision A Shared Folder Wizard, you can share folders, configure quotas, and
specify security by following these steps:
1. In Server Manager, right-click Roles\File Services\Share And Storage Management, and
then choose Provision Share.
The Provision A Shared Folder Wizard appears.
2. On the Shared Folder Location page, click the Browse button to select the folder to share.
Click OK. Click Next.
3. On the NTFS Permissions page, select Yes, Change NTFS Permissions and then, if necessary,
click Edit Permissions. Configure the NTFS permissions as necessary, and then
click OK. Click Next.
4. On the Share Protocols page you can choose whether to share the folder using Windows
protocol (indicated as SMB, which stands for Server Message Block) or using a UNIX
protocol (indicated as NFS, or Network File System). Typically, SMB will suffice, even for
UNIX clients. NFS is available only if the Services For Network File System role service
is installed. Click Next.
5. On the SMB Settings page, click Advanced if you want to change the default settings for
the number of simultaneous users permitted or Offline Files. Click Next.
6. On the SMB Permissions page, as shown in Figure 11-11, select the permissions you
want to assign. To define custom permissions, select Users And Groups Have Custom
Share Permissions, and then click the Permissions button. Click Next.
Figure 11-11 The SMB Permissions page
7. On the Quota Policy page, select the Apply Quota check box if you want to define a
quota. Then, select a quota template. Click Next.
8. On the File Screen Policy page, select the Apply File Screen check box if you want to
allow only specific types of files in the folder. Then, select the file screen you want to use.
Click Next.
NOTE Configuring file screening
You can configure file screening using the Roles\File Services\Share And Storage Management\
File Server Resource Manager\File Screening Management node of Server Manager.
You can use the FileScrn.exe command-line tool in scripts or when running Windows Server
2008 Server Core.
9. On the DFS Namespace Publishing page, select the Publish The SMB Share To A DFS
Namespace check box if desired. Then, provide the DFS namespace information. Click
10. On the Review Settings And Create Share page, click Create.
11. Click Close.
Sharing Folders from a Command Prompt or Script
You can share folders from a script or a command prompt (for example, when running Server
Core) using the net share command.
To view existing shares, type the following command:
net share
To create a share, use the following syntax:
net share ShareName=Path [/GRANT:user,[READ|CHANGE|FULL]]
For example, to share the C:\Shared folder using the share name Files, type the following
net share Files=C:\Shared
To share the same folder with read access for everyone but disallow Offline Files, type the following
net share Files=C:\Shared /GRANT:Everyone,Read /CACHE:None
To remove a share, specify the share name and the /DELETE parameter. The following example
would remove the share named Files:
net share Files /DELETE
For complete usage information, type the following command:
net share /?
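Shares created with /GRANT or through the File Sharing dialog box end up with Read, Change, or Full Control share permissions. The PowerShell script below is an added example, not part of the original text: it reads share-level permissions through WMI and marks entries where a broad group such as Everyone holds more than Read. It assumes Windows PowerShell (Get-WmiObject) in an elevated session; the function names and the sample entries, including the HR-Staff group and its SID, are constructed for illustration.

```powershell
# Added example, not from the original text. Sample ACEs are constructed.

# Well-known SIDs for groups that cover (nearly) every account.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function ConvertTo-ShareRight {
    # Maps a share ACE access mask to the share permission names used above.
    param([uint32]$AccessMask)
    switch ($AccessMask) {
        2032127 { 'Full Control' }   # 0x1F01FF
        1245631 { 'Change' }         # 0x1301BF
        1179817 { 'Read' }           # 0x1200A9
        default { 'Custom (0x{0:X})' -f $AccessMask }
    }
}

function Get-ShareAce {
    # Reads share-level ACEs through WMI; one output object per ACE.
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $ComputerName |
        ForEach-Object {
            $share  = $_.Name
            $result = $_.GetSecurityDescriptor()
            if ($result.ReturnValue -ne 0) { return }   # skip shares that cannot be read
            foreach ($ace in $result.Descriptor.DACL) {
                New-Object PSObject -Property @{
                    Share      = $share
                    Trustee    = $ace.Trustee.Name
                    Sid        = $ace.Trustee.SIDString
                    AceType    = $ace.AceType           # 0 = allow, 1 = deny
                    AccessMask = $ace.AccessMask
                }
            }
        }
}

function Test-ShareAce {
    # Marks allow ACEs that give a broad group more than Read.
    param([object[]]$Ace)
    foreach ($a in $Ace) {
        $right = ConvertTo-ShareRight $a.AccessMask
        $broad = $BroadSids.ContainsKey([string]$a.Sid)
        New-Object PSObject -Property @{
            Share   = $a.Share
            Trustee = $a.Trustee
            Right   = $right
            Review  = (($a.AceType -eq 0) -and $broad -and ($right -ne 'Read'))
        } | Select-Object Share, Trustee, Right, Review
    }
}

# Constructed sample ACEs: only the Scratch entry should be marked for review.
$sample = @(
    (New-Object PSObject -Property @{ Share = 'Files'; Trustee = 'Everyone'; Sid = 'S-1-1-0'
                                      AceType = 0; AccessMask = 1179817 }),
    (New-Object PSObject -Property @{ Share = 'Scratch'; Trustee = 'Everyone'; Sid = 'S-1-1-0'
                                      AceType = 0; AccessMask = 2032127 }),
    (New-Object PSObject -Property @{ Share = 'HR'; Trustee = 'HR-Staff'   # constructed SID
                                      Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
                                      AceType = 0; AccessMask = 1245631 })
)
Test-ShareAce -Ace $sample | Format-Table -AutoSize

# On a file server, audit the live shares instead:
# Test-ShareAce -Ace (Get-ShareAce) | Where-Object { $_.Review } | Format-Table -AutoSize
```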
Connecting to Shared Folders
Client computers connect to shared folders across the network by using the Universal Naming
Convention (UNC) format: \\<server_name>\<share_name>. For example, if you share
the folder MyDocs from the server MyServer, you would connect to it by typing \\MyServer
You can use UNC format just as you would specify any folder name. For example, you could
open a file in Notepad by providing the path \\MyServer\MyDocs\MyFile.txt. At a command
prompt, you could view the contents of the shared folder by running the following command:
dir \\MyServer\MyDocs
Most users prefer to access shared folders using a network drive. Network drives map a drive
letter to a shared folder. For example, although the C drive is typically a local hard disk, you
could assign the Z drive to a shared folder. Client computers can connect to shared folders
from Windows Explorer by clicking the Map Network Drive button or by clicking the Tools
menu and then choosing Map Network Drive. Alternatively, you can map a network drive
using the Net command at a command prompt with the following syntax:
net use <drive_letter>: \\<server_name>\<share_name>
For example, the following command would map the Z drive to the \\MyServer\MyDocs
shared folder:
net use Z: \\MyServer\MyDocs
DFS Overview
Large organizations often have dozens, or even hundreds, of file servers. This can make it very
difficult for users to remember which file server specific files are stored on.
DFS provides a single namespace that allows users to connect to any shared folder in your
organization. With DFS, all shared folders can be accessible using a single network drive letter
in Windows Explorer. For example, if your Active Directory domain is contoso.com, you
could create the DFS namespace \\contoso.com\dfs. Then, you could create the folder
\\contoso.com\dfs\marketing and map it to shared folders (known as targets) at both
\\server1\marketing and \\server2\marketing.
Besides providing a single namespace to make it easier for users to find files, DFS can provide
redundancy for shared files using replication. Replication also allows you to host a shared
folder on multiple servers and have client computers automatically connect to the closest
available server.
Installing DFS
You can install DFS when adding the File Services server role using the Add Roles Wizard, or
you can add the role service later using Server Manager by right-clicking Roles\File Services
and then choosing Add Role Services. Whichever method you use, follow these steps to complete
the wizard pages:
1. On the DFS Namespaces page, choose whether to create a namespace. Click Next.
2. If the Namespace Type page appears, choose whether to use a domain-based namespace
(for Active Directory environments) or a stand-alone namespace (for workgroup environments).
If all DFS servers for the namespace are running Windows Server 2008,
enable Windows Server 2008 mode. Click Next.
3. If the Namespace Configuration page appears, you can click the Add button to add folders.
You can also do this later using the DFS Management snap-in. Click Next.
If you don’t create a DFS namespace or add folders, you can add them later using the DFS
Management console in Server Manager.
Creating a DFS Namespace
The DFS namespace forms the root of shared folders in your organization. Although you might
need only a single DFS namespace, you can create multiple DFS namespaces. To create a DFS
namespace, follow these steps:
1. In Server Manager, right-click Roles\File Services\DFS Management\Namespaces, and
then choose New Namespace.
The New Namespace Wizard appears.
2. On the Namespace Server page, type the name of the server that will host the
namespace. You can add servers later to host the namespace for redundancy. Users do
not reference the server name when accessing the DFS namespace. Click Next.
3. On the Namespace Name And Settings page, type a name. This name acts as the share
name when users access the DFS namespace—for example, \\domain_name\namespace_name.
Click the Edit Settings button to configure the permissions for the
namespace. Click Next.
4. On the Namespace Type page, choose whether to create a domain-based namespace or
a stand-alone namespace. Domain-based namespaces use the Active Directory domain
name as their root, and stand-alone namespaces use the server as their root. Click Next.
5. On the Review Settings And Create Namespace page, click Create.
6. On the Confirmation page, click Close.
After creating a namespace, you can adjust settings by right-clicking it and then choosing Properties.
The Properties dialog box for the namespace has three tabs:
■ General Allows you to type a description for the namespace.
■ Referrals When a client accesses the root of a namespace or a folder with targets, the client
receives a referral from the domain controller. Clients always attempt to access the
first target computer in the referral list and, if the first target computer does not respond,
access computers farther down the list. This tab gives you control over how multiple targets
in a referral list are ordered. Select Random Order from the Ordering Method drop-down
list to distribute referrals evenly among all targets (with targets in the same site
listed first). Select Lowest Cost to direct clients to the closest target computer first using
site link costs (which you can define using the Active Directory Sites And Services console).
If you would rather have clients fail instead of accessing a target in a different
Active Directory site, select Exclude Targets Outside Of The Client’s Site. Folders inherit
the ordering method from the namespace root by default, but you can also edit the properties
of individual folders. The Cache Duration setting defines how long clients wait
before requesting a new referral.
Exam Tip Know the different referral order types for the exam!
■ Advanced Choose from two polling configurations: Optimize For Consistency or Optimize
For Scalability. Optimize For Consistency configures namespace servers to query
the primary domain controller (PDC) each time the namespace changes, which reduces
the time it takes for changes to the namespace to be visible to users. Optimize For Scalability
reduces the number of queries (thus improving performance and reducing utilization
of your PDC) by querying the closest domain controller at regular intervals.
Adding Folders to a DFS Namespace
Before your namespace is useful, you must add folders to it. Folders can be organizational,
which means they exist only within the DFS namespace, or they can be associated with a
shared folder on a server. When users connect to a DFS namespace, these folders appear
exactly like folders in a traditional file system.
To add folders to a DFS namespace, follow these steps:
1. In Server Manager, select Roles\File Services\DFS Management\Namespaces.
2. In the details pane, right-click the namespace, and then choose New Folder.
The New Folder dialog box appears.
3. Type the name for the folder. If the folder is to be used only for organizational purposes
(for example, it will contain only other folders), you can click OK. If you want the folder
to contain files, click the Add button to associate it with a shared folder. If you add multiple
folder targets, you can configure automatic replication between the folders.
4. Click OK.
Configuring DFS from a Command Prompt or Script
You can use the DFSUtil tool to configure DFS from a command prompt or script. For example,
to view the DFS roots in a domain, run the following command:
dfsutil domain <domain_name>
To view the roots on a specific server, run the following command:
dfsutil server <server_name>
To view the targets in a namespace, run the following command:
dfsutil target \\<domain_name>\<namespace_root>
To view the targets for a folder, run the following command:
dfsutil link \\<domain_name>\<namespace_root>\<folder>
To view which Active Directory site a client participates in, run the following command:
dfsutil client siteinfo <client_name>
For complete usage information, type dfsutil /? at a command prompt. To troubleshoot DFS,
use the DFSDiag command-line tool. For more information, type dfsdiag /? at a command
Offline Files
Mobile users might need access to shared folders even when they’re disconnected from your
internal network. Offline Files makes this possible by allowing client computers to automatically
cache a copy of files on shared folders and by providing transparent access to the files
when the user is disconnected from the network. The next time the user connects to the network,
Offline Files synchronizes any updates and prompts the user to manually resolve any
Server administrators can configure Offline Files at the shared folder, and users of client computers
can configure Offline Files when connected to a shared folder. To configure Offline
Files caching behavior for a shared folder, follow these steps:
1. In Server Manager, select Roles\File Services\Share And Storage Management.
2. In the details pane, right-click the share you want to configure, and then choose Properties.
3. In the Sharing tab, click Advanced.
4. In the Advanced dialog box, click the Caching tab, as shown in Figure 11-12. Select one
of the following three options, and then click OK twice:
❑ Only The Files And Programs That Users Specify Are Available Offline Users must
manually select the files they want to access while offline. This option works well
when users understand how to use Offline Files.
❑ All Files And Programs That Users Open From The Share Are Automatically Available
Offline Files that users access while connected to the network are automatically
cached for a limited amount of time. This option works well when users do not
understand how to use Offline Files.
❑ No Files Or Programs From The Share Are Available Offline Prevents users from
accessing Offline Files. This option is the best choice for confidential documents
that should not be stored on mobile computers.
Figure 11-12 Configuring Offline Files behavior for a shared folder
You can also access the same settings from Windows Explorer by clicking Advanced
Sharing in the Sharing tab of the shared folder’s properties dialog box and then clicking
the Caching button.
If you choose Only The Files And Programs That Users Specify Are Available Offline, users
must configure mapped drives for use with Offline Files. In Windows Vista, configure a
mapped drive for Offline Files by following these steps:
1. In Windows Explorer, right-click the network folder or file, and then choose Properties.
2. On the Offline Files tab, select the Always Available Offline check box. Then, click OK.
NOTE Using Offline Files in Windows Vista
In Windows Vista, you can right-click a network file or folder and then select Always Available
Windows immediately synchronize the file or folder. Users can return to the Offline
Files tab later and click Synch Now to copy the latest version of the file.
PRACTICE Working with Shared Folders
In this practice, you create a redundant DFS namespace.
 Exercise 1 Add the Distributed File System Role Service
In this exercise, you must add the File Services server role and Distributed File System role service
on both Dcsrv1 and Boston. Then, you will create a DFS namespace that is hosted on both
computers and create shared folders that will be part of that namespace. The shared folders
will automatically replicate files between each other, providing redundancy for clients who
need to access the files.
To complete this exercise, Dcsrv1 should be configured as a domain controller and Boston
should be configured as a domain member.
1. On Dcsrv1, in Server Manager, right-click Roles, and then choose Add Roles.
The Add Roles Wizard appears.
2. On the Before You Begin page, click Next.
3. On the Server Roles page, select the File Services check box. Click Next.
4. On the File Services page, click Next.
5. On the Select Role Services page, select the role services File Server, Distributed File System,
and File Server Resource Manager check boxes. Click Next.
6. On the Create A DFS Namespace page, type the namespace name Public. Click Next.
7. On the Namespace Type page, leave the default settings selected. Click Next.
8. On the Namespace Configuration page, click Next.
