70-240 in 15 minutes a week: Administration of Resources - Part 1

70-240 in 15 minutes a week: Administration of Resources - Part 1


March 19, 2001

by Dan DiNicolo
http://www.win2000trainer.com

Welcome to the second installment in my '70-240 in 15 minutes a week' series. This week's article covers the second major area of study on our journey through the core exam material: Implementing and Conducting Administration of Resources. Again this ties into the material from the Windows 2000 Professional portion of the exam. This includes a look at topics such as NTFS permissions, file caching, web server management, printing, and more. Because of the size of this topic, I have decided to split it up into two articles, in order to not break our 15-minute rule! Again this week, appearances can be deceiving. Be sure not to overlook the importance of the Professional material on the exam - sometimes it's the little details that bite the hardest. Remember, you're dealing with a quarter of the exam material in Professional alone.

The material that this article will cover includes:

- NTFS Settings (including EFS and Compression)
- User and Group Settings
- File Auditing and Ownership
- File Caching Settings
- Shared Folders

Part 2 of this topic will continue next week with a look at web server settings, printing configuration, Internet printing and more.


NTFS Settings

To begin with, let's revisit an old friend, NTFS. Although NTFS still provides the secure file system you're familiar with from Windows NT 4.0, there are a number of changes in terms of both functionality and configuration. The version of NTFS supplied in Windows 2000 is NTFS 5, as opposed to the NT's version, which was version 4. (Unless you have NT 4.0 SP4 or higher, in which case it also uses NTFS 5). The new version of NTFS in Windows 2000 supports both new and old features including:

- The ability to encrypt files and folders that reside on an NTFS partition using EFS, the Encrypting File System.
- The ability to compress files and folders. 
- The ability to set file and folder security permissions via access control lists.
- The ability of an administrator or user with the appropriate permissions to take ownership of files and folders.
- The ability to audit access to files and folders.

Setting file or folder encryption and compression is easy. Both are implemented as attributes, similar to the System, Read-only, Hidden, and Archive attributes that you are probably already familiar with. Both encryption and compression are set via the Advanced button on General tab of the properties of the file, as shown below.

Note that although it appears as though you could choose both, encryption and compression are mutually exclusive, so you can only choose one of the two. As far as EFS encryption is concerned, only the person who encrypted a file can open it, with one exception. Windows 2000 includes a special role, set via group policy, called a Recovery Agent. A recovery agent can open an EFS encrypted file, which serves as a backup should the user leave the company or similar. By default, the only recovery agent is the Administrator of the domain (on a non-domain computer, it is the local administrator), though it can be changed to another trusted user or users. 

To make things easier, a user should set a folder to use encryption, and then save all security sensitive files to this folder. This will automatically encrypt the files, and avoid the user having to encrypt files individually. To encrypt a number of files at once, consider using the command line tool Cipher.exe, which does bulk encryption using the parameters (including wildcards) that you specify. Other important things you should know about EFS:

- If a user attempts to open (or copy) a file encrypted by another user, they will receive an 'Access Denied' message.
- If the user who encrypts the file moves it to a non-NTFS volume, the file will no longer be encrypted
- EFS is strictly file-system (not transport) encryption. If you encrypt a file on a server and then open it on your workstation, the file moves across the network unencrypted.
- When you move an unencrypted file into an encrypted folder, it does not become encrypted (retains attribute). However, when you copy an unencrypted file into an encrypted folder, it will be encrypted (inherits attribute).

Want to know more about EFS? Click here.
As far as compression is concerned, you still need to know what happens when you copy or move compressed files within and between volumes. The table below outlines what happens to the compression attribute on a file in the different scenarios. Remember, both copying and moving a file to a FAT or FAT32 volume results in all compression settings being lost. Incidentally, you can also use the table below to describe what happens to NTFS permissions when a file is moved or copied to a folder.

   Within Same NTFS Volume  Between NTFS Volumes
 Copy a File  Inherits Compression attribute of target folder  Inherits Compression attribute of target folder
 Move a File  Retains Compression attribute  Inherits Compression attribute of target folder

Next lets explore NTFS permissions. Although many concepts remain similar to those in NT 4.0, some of the implementation details have changed. NTFS permissions are still cumulative in nature. That is, if multiple permissions apply to you, the combination of permissions is your effective permission. If you were given Read access to a folder as a member of Sales, and Modify on the same folder as a member of Managers, your effective permission would be Modify. There is an exception, of course. Any permissions that are explicitly denied always override those explicitly allowed.

The table below outlines the standard permissions that exist in an Access Control List (ACL) for files and folders in Windows 2000. Note that all Standard Permissions are comprised of more granular Advanced Permissions which can be viewed by clicking the Advanced button on the Security tab of a the file or folder's properties. 

 Standard File Permissions  Standard Folder Permissions
 Full Control  Full Control
 Modify  Modify
 Read and Execute  Read and Execute
 Read  List Folder Contents
 Write  Read
   Write

There are a couple of important notes that you should remember about NTFS permissions:

- By default, NTFS drives on Windows 2000 are set to allow Everyone the Full Control permission at the drive root. Some folders, such as the %systemroot% directory, have more restrictive permissions applied.
- By default, permissions in Windows 2000 are inherited. You can tell permissions have been inherited when the permission boxes are grayed out. This means permissions have been set at a higher level.
- If you wish to change permissions that have been inherited, you have to first clear the 'Allow inheritable permissions from parent to propagate to this object' check box. Doing so will ask you whether you wish to remove all existing permissions, or copy the existing permission (the latter takes inherited permission and simply applies them directly to the file or folder).
- When you add a new user or group to a file, they are given the 'Read' and 'Read and Execute' permissions by default (same for a folder, but includes 'List Folder Contents' as well).
- You can set file and folder permissions from the command line, using the Calcs.exe tool.
- File permissions always override folder permissions.
User and group Settings

In Windows 2000 Professional, users and groups are created using the Computer Management tool's Users and Groups extension. By default, W2K Pro still only includes two user accounts by default, Administrator and Guest. Similar to NT 4, the Guest account is disabled by default. Both accounts can be renamed, though neither can be deleted. A number of built-in groups also exist by default, some of which allow you to control membership (local groups), and some of which control membership automatically (system groups). The table below outlines the built-in groups you will find, but of course you can still create your own local groups.

 Built-in Local Groups  Built-in System Groups
 Administrators  Anonymous Logon
 Backup Operators  Authenticated Users
 Guests   Creator Owner
 Power Users  Dialup
 Replicator  Everyone
 Users  Interactive
   Network

File Auditing and Ownership

File and folder auditing and the concept of file ownership still also exist when (and only when) we use the NTFS file system. This is important to consider, especially because you may have trouble finding where things get set up in Windows 2000. To begin, ownership and auditing settings are found behind the Advanced button on the security tab of the properties of a file or folder on an NTFS volume. 

Audit settings for a particular file or folder are controlled from the Auditing tab of that resource. This only controls what elements of this resource you wish to audit, similar to NT 4. Auditing, however, is not enabled by default of a Windows 2000 Professional system, so if you wish to audit files and folders, you must first create an Audit Policy. In W2K Pro, this is now done via the Local Security Settings console (which can also be accessed from within the Group Policy tool). Audit Policy settings are shown in the screenshot below. 

The concept of ownership remains very similar to that of Windows NT 4. It is now controlled from the Owner tab of the advanced security settings of a file or folder. Simply, the person who creates a file is the owner, and can always change permissions on that file. However, anyone with Full Control or the advanced permission Take Ownership can take ownership of a file or folder. The exception to this rule is a person with administrator-level privileges, who can always take ownership, even if they have no NTFS permissions to a file or folder. Ownership can still only be taken and not given.File Access Settings

Offline Files is a new feature in Windows 2000 that allows client machines to cache files and then work with those files offline. Although conceptually similar to My Briefcase, Offline Files goes a step beyond by handling synchronization (via Synchronization Manager) and version checking automatically. Before looking at how a user interacts with Offline Files, it is important to understand how they are configured. Since these files must first be accessible over the network, the folder in which the files exist must be shared. You also enable caching properties via the Caching button on the Shared folder tab. For a folder shared off Windows 2000, three settings are available:

- Manual Caching for Documents: This is the default setting, and documents will only be cached if the client explicitly chooses to make the folder or files within it available offline.
- Automatic Caching for Documents: This option will automatically cache any files opened from the shared folder onto the client machine. By default, up to 10% of the drive can be used for these 'temporarily' cached documents, though this setting can be changed. Note that files follow a 'longest unused, first out' rule as the cache fills.
- Automatic Caching for Programs: This option client-side caches applications that have been configured to run over the network, making them available offline.

If you wish to disable caching of a folder, simply clear the 'Allow caching of files in this shared folder' checkbox shown below.

If a folder has been set for Automatic Caching for documents, the files opened will be automatically cached as opened without user interaction, and can be accessed using the original path (for example a mapped drive letter or UNC path) even while offline. If the user wishes to make a folder available offline, they can accomplish this by browsing to the folder, and then right-clicking on the appropriate file or folder and choosing 'Make Available Offline'. The user opens these files either by browsing to the original path (as mentioned before) or via a shortcut folder called Offline Files that can be placed on the desktop (via the Offline files Wizard, which will run the first time a user chooses to make a file or folder available offline). Note that the files are actually cached into a special folder under %systemroot% called CSC. If you can't find the folder, that's because it's marked both System and Hidden, and you must choose to show protected operating system files as well as hidden files. You will not be able to open files directly from CSC, and should not make any changes in this folder.

Some important last words on Offline Files:

- Files shared from any SMB-based OS can be made available offline (including Win95 and NT 4, for example).
- You can control when synchronization happens. Options include at logon/logoff, when the computer is idle, at scheduled times, or when initiated manually.
- The synchronization process will check to see whether the online version of a file that you edited while offline has changed since the last synchronization (for example, if someone edited a file after you made it available offline). If a conflict exists, you would be prompted as to whether your version, the network version, or both versions (with one renamed) should be kept. If no conflict exists because the online version hasn't changed, it will simply be overwritten by your newer version. 
- Offline files is enabled by default on Windows 2000 Professional. The client settings for offline files (such as whether they can be used) are controlled via Tools - Folder Options - Offline Files from Explorer, as shown below.

Shared Folders

I'm not going to bore you with a great deal of information about shared folders, because most of it remains the same as in NT 4.0. However, the important stuff you need to know:

- Hidden administrative shares still exist, such as C$, D$, Admin$, and so forth. Only someone with administrator-level privileges can use these.
- Share permissions have changed. They now follow the same Allow / Deny format as NTFS permissions, and are limited to Full Control, Change, and Read. The effect of these is cumulative, so if you were given Read and Change, your effective share permission would be Change. A denied permission always overrides one that has been allowed.
- In the same manner as NT 4, when both shared folder and NTFS permissions are used, your effective permission becomes the more restrictive of the two.

Connecting to a shared folder can still be done in all the familiar ways, including mapping a drive, connecting to a UNC path, or browsing the network. A couple of quick notes here:

- It is not called Network Neighborhood anymore - now My Network Places. Most of the changes here are cosmetic, but you can also use the tool to browse Active Directory.
- One new option is the Add Network Place wizard. This wizard will allow you to create a shortcut within My Network Places to things like Web Folders, FTP sites and internal servers, while providing for things like a saved username for external resources. 

Well, that does it for Part 1 of Implementing and Conducting Administration of Resources. As mentioned earlier, next week I'll continue with the remainder of this large topic. I would like to thank everyone who has contacted me with comments about the series. I'm glad that you have found it useful so far, and hope you'll continue to stick with it. As a side note, I've been contacted by many people asking how hard the 70-240 exam really is. All I can say is that if you know your stuff, you more than likely WILL pass. Most of the fear surrounding the exam is based in the fact that you only get one shot, not on the actual difficulty of the exam. Yes, you do need to know a good deal about many topics, but if you're prepared, you shouldn't find things all that difficult. I've also been asked to provide a Printer-friendly version of these articles, which I think is a great idea for those studying for 70-240 while commuting (thanks Cliff!). The printer friendly version can be found by clicking the button at the bottom of this page. As always, please contact me with any feedback or ideas you might have - I look forward to your input. Also, be sure to check out my website for practice exams and a couple of new free hardcopy books I've added. Good luck with your studies until we meet again next week!

Dan
http://www.win2000trainer.com