Introduction to File and Share Permissions in Windows Server 2012

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello again as you know I am Eli the computer guy and this is the next class in the Windows Server 2012 track this is introduction to file and share permissions on Windows Server 2012 so as I talked about before where Active Directory is one of the main components one of the main reasons why enterprises use Microsoft servers the file and share permissions is one of the main pieces of functionality that makes Active Directory so cool and useful basically using file and share permissions you can very easily give access to files folders printers to the to the users that you want to have access to those items and restrict that access from the users you don't want to be able to have access not only that but you can refine what individual users can do to say whether you want them to be able to do things like simply be able to read a document or do you want them to be able to read and write to a document you want them to Veeam to execute you want them to be able to list the files the contents in a folder you can do all of that through using file and share permissions that are part of the Windows Server 2012 suite it is this is kind of like one of those again the cornerstone things you're going to find in enterprise environments so again whether you whether you're you're a Linux fanboy or a Mac fanboy even if you completely and utterly hate Microsoft you eight windows this is something you should know because you are going to run into it in the real world if you can't run into it in the Rif you can't deal with it in the real world well well you're probably not going to be be working unless you work in a very specialized Linux or UNIX environment now with this class again as I've talked about I have a number of Server 2012 books that I use in order to create these classes so that I can do my own research this is one of those classes again that you need to go out and you need to buy a Windows Server 2012 book again I like Windows Server 2012 unleashed by Sams Sams is a very good company whatever you do though go out and buy a book especially once you get into dealing with these permissions because permissions is kind of how do you explain permissions permissions is a bit like out of your bra it's one of those things that once you understand it darn it's easy Wow how could anybody not understand this stuff right but until you you do understand it yeah it can just seemed like the most esoteric stupid thing in the world so make sure you go out and buy a book just so you can read up on the stuff and really understand what's going on because once the light bulb goes off in your head this stuff will seem really really easy until then it's gonna seem a little convoluted this well kind of is a little convoluted really at the end of the day um and also if you're going to be playing with with permissions this is one of those times again you need to have your own computer lab and you need to start playing with this you need to create multiple groups you need to create multiple users multiple computers and actually start playing with this this is one of those again the skill sets that's very tactile this is not like subnetting where you kind of either know it or you don't know it this is one of those things that you've got to play with you've got to fool around with you've got to break you got to fix and then once you do you'll be like yep oh so when we start talking about permissions and shares one of the big important things that we have to remember in the Microsoft world is that there are two different types of permissions there's what are called file permissions and there is what are called NTFS permissions or share permissions and NTFS permissions it's very important to understand the difference between share permissions and NTFS permissions sher because they're two entirely different things share permissions are permissions that come into play when you share resources files folders printers over the network right so if I have a computer here that has a file or folder on it if I create a share permission anybody on the network who tries to connect to that share will have to deal with the share permission on the other hand if I simply sit down at the computer itself interactively so locally interactively start working with that computer the share permission for all intents and purposes doesn't exist I don't deal with it so share permissions are only come into play when people are accessing the resource from another computer device whatever on the network NTFS permissions are always in effect so basically if you try to access the the the file folder resource over the network the the permissions will be in effect and if you sit down locally at the computer the permissions will be in effect so that's the first thing to realize and there are two separate sets of permissions their share permissions and then there are NTFS permissions and there are two separate things that kind of meet and do a whole bunch of messy messy ugly nasty stuff now as I talk about this when I'm talking about permissions again again the big problem with new people in the technology world is they convolute and they mash concepts together and it really makes them confused and so when they when they when they think that one thing means another thing they get confused and then they don't understand what's going on and they get frustrated they give up and they become florist's well one of the big important things to remember with permissions we are currently talking about permissions permissions are how users can deal with resources on computers are on the network files folders printers and such we are not not talking about sick purity so you will hear about group policy objects local security policies security it will be dealt with in a different class and security is about what you can do to devices and computers on the network whether you can access the control panel whether you can access the CD Drive whether you can access registry editor whether you can change the background those are security that's security and that will be dealt with in a different class permissions and security are to really really really really different critters so just keep that in mind so when we're talking about permissions here we're talking about resources files folders printers those types of things and whether you can access them so again when we're talking about permissions we have file and we have NTFS permissions now whenever we are talking about permissions or whenever we are going to be implementing permissions again as I talked about in the class on groups we should be assigning permissions to groups and not to individual users when you are a new computer geek you you think you want to be really cool um and what you want to do at most most new computer geeks is they want to assign permissions and security but it's another class to individual users so you want to say the CEO has access to this file this folder and this printer the secretary has access to this file this folder and has no access to this printer so when you first start thinking about assigning permissions and future security you are thinking about assigning them that those permissions to individual users that is not how professionals do it because that is it that is just a horrible horrible horrible horrible way to do things in environments where you're dealing with a hundred users a ow users 10,000 users are a hundred thousand users if you assign individual permissions to every individual user and a hundred thousand users yeah that's that's that's just that's that's not going to work remember the entire point of using something like Active Directory the entire point of using Microsoft server uh ecosystem is the idea to simplify things so that whenever you have to make an administrative change you can have that thing go out to as many people as possible instead of changing an individual users account I would or permission I would rather be able to make one little 30-second change that would change a thousand accounts all at the same time well how you do that is you put all users into groups and then you assign permissions to those groups so if you have a marketing group you decide what files and folders and files folders and printers that marketing group should be able to access and then you give the marketing group permissions to those files and folders the accounting group decide what resources they need access to and then give them permission to those resources the executive group the c-level group figure out what they need access to and assign permissions based on that so you want to always almost always 99.99999% of the time be assigning permissions to groups not to individual users very important to remember in the real world even if it's a group of one a group of one is a better idea than assigning an individual permissions to a specific user because again that user may be on a certain project right now they're the only person on the project but then three months from now they get five employees if you've assigned individual permission set a user now it's kind of a mess whereas if you put that user into one they hire five employees to get brought into that unit you can now just dump those users into that group and now they have the exact same permissions so now the question becomes well if we were dumping all these users into groups and we're giving permissions to groups what happens when one user is a member of multiple groups so you know you have a you have the book keeper the accounting guide the person that's there and let's say they also have a function in the marketing department so they are a member of the accounting group and the marketing group what happens then the permissions well as you give up permissions you give the permission to use resources to these different groups to allow them the ability to read the ability to write the ability to list contents all of those things the ability basically it's cumulative so if you give the marketing department read the permission to a folder and you give the bookkeeping apartment write permission to a folder and you have a user that is both bookkeeping and marketing it is cumulative and therefore they will get read and write permission to that resource so it's very important to remember that as you put people into multiple groups their their access becomes cumulative for whatever has for whatever permissions you have given to that file folder or resource the only time this is not the case is if you do the deny permission so if you explicitly want to deny a certain group from seeing something if you check off as I will show you in a minute that deny then they will never be able to get that access to the file or for until you change the setting so you want to always put users into groups group permissions are cumulative to the better unless you do deny now the final thing before we start going over to computer is that there is something called the owner of a resource basically the generally the owner of a folder so the owner of a folder can assign permissions to other users so by default whenever you create a folder you are the owner or that whoever created that folder is the owner and so by default they can give access to other people so they can say one person has full control or in one group has full control and one group only has read permission they're the ones that can assign that now if you are an administrator this may become a problem because you go in you need to give somebody else access to a folder but a different user created the folder so they're the ones that are able to give permissions what you can do is you can take ownership of folders called taking ownership so you as the administrator you have the rights to take ownership of folders you can take ownership of the folder and then you can assign other other groups permissions to use the folder and the files and the resources internally so that is what ownership is so these are some of the things that you need to be thinking about so we talked about so we've got NTFS permissions and we've got share permissions now the important thing basically share permissions you don't need to think about share permissions a lot or you shouldn't think about share permissions a lot mainly you want to be dealing with NTFS permissions so whenever you want to be restricting users or giving users access to files folders resources you want to be using NTFS permissions but you've got these share permissions that are sitting there so you're thinking Eli what do we do with these share permissions well the first thing that you do with the share permissions is by assigning the share permissions this is what actually shares the file folder or resource out to the network so if you get a file folder resource NTFS permissions only nobody else from the network will be able to access it because it hasn't been shared the very fact the very the very act of giving share permissions to a full order or resource is what actually shares it on the network so if you only give NTFS permissions then if somebody sits down interactively at the computer then those permissions will be in effect but if somebody is at a different computer on the network that folder or resource will be shared and therefore they won't be of accessive so essentially all you're going to be doing with the share permission is you're you're going to use it to share a file folder or resource over the network and then what I would say to make your life easier is give everyone everyone the group everyone the the permission to read and write to the folder so if you give everyone to read write permission to the folder then you are not going to run into conflicts between share permissions and NTFS permissions because basically if you restrict access using the share permissions that will affect how users are able to access the files and folders and resources so again this gets a little complicated gets a little convoluted it gets a lot of convoluted if you're if you're a little lost make sure you buy the book or maybe if you watch this video a couple times but basically in general you use a share permissions to share out file folder resource then you give everyone the everyone group the ability to read right into that folder or resource that you've shared out then past that you're only going to be using NTFS permissions in order to actually give people access or restrict access to those resources so with that let's go over the computer now so I can start explaining this stuff to you guys gessie your eyes don't glaze over as you think Eli oh my golly what the hell are you talking about ok so here we are we are back at my Windows Server 2012 box so this is the one we've been using for a while it's it's the e TCG dot-com domain so basically it's exactly the same box I've been showing you for a couple classes now and this is sitting on my VirtualBox within my really powerful computer so this is a virtual machine but this this this is the 2012 server so the first thing that we are going to do is we are going to go up to tools and then we are going to go to Active Directory users and computers because we are going to need to play with individual users and we're going to need to play with groups so we might as well create those now so basically for the this little lab I have already created all these things just so you don't have to watch me slog through this stuff but basically I have created a test user account so this guy's username is test user and I created a user to account so these are just two individual users then what I've done is I created a group called employees we double click on this we can see the members of the group are test user and user two so I created those two users creating a group called employees and put them both into it but then to show you how the Danai works I also created a group called bad and if you look in here you will see the member of the group is user two so this may be like if you're looking at a company let's say this is an employee that you're thinking about firing this is somebody who maybe they did something wrong and they're under investigation so they have it they have not been fired yet on the other hand you don't want them to get really mad and go in and just start deleting stuff willy-nilly because they hate you because they're under investigation so they're not fired so you don't delete the account or disable the account they still exist but you want to be able to restrict them from being able to access certain files and folders so I have created the user - now again imagine if you work for a really nasty company what you can do is you can add just a ton of different users up to this ad group so if you had 20 people under investigation you could add 20 people to this group so we've created test user user to employees and bad so those are the users and groups we created and we do that in Active Directory users and computers now what we're going to do is we're going to go to file explorer and we are going to go to computer and then we are going to go to our C Drive now basically whenever you're sharing out folders off of a server such as a file server most of us consider it best practice to share the folder from the root directory now if you created different partitions on the server you may have a file share partition and that's where you would share the folder out from but for me generally I find is just easiest to share from the root just right up here in the C Drive so I have created a folder called share then what I did was I shared this folder out so if I right click I can go down to properties and first what we're looking at what we're looking at here is sharing so what we can see is that I have shared this this particular folder so it says server share so if I click on the share we can see that everyone has read write permission so this has already been shared so I'll do cancel so what you would do is if you would create a folder you would come here you'll click share you would type in everyone you would add it and then you would give them the read/write permission so that is what will actually share this thing out over the network so once we have done that then what we can do is we can go into the folder and we can see that I've created two other two different folders in here now these are protected by NTFS permission so that first one is the share out these are now protected by NTFS permissions so if I right click on private I can go to properties now I'm going to go to purity and what we can see here is that different groups or users have been given access to this particular folder so what I can do is I can go here to edit just so I can show you so system has full control has all access to the files and folders in here that's what we want now what we've done is we've said employees anybody in the employees group has full control of the folder this means they can add folders they can rename folders they can delete files they can do whatever they want on the other hand anybody in the bad group we want to deny all permissions they're bad bad bad bad bad then we have the administrator and then we have the administrators group but the big one that we're dealing so system administrator and administrators you basically just leave the same what we've done is we've come in here and we've said employees anybody in that employees group has full control anybody in the bad group is completely denied so that's the first thing that we do so that's where you actually give the permissions to the groups on whether you want them to be able to access the folder and its contents or not the other thing is we can go to the Advanced tab so this is an important one to go to and here under the Advanced tab is where we have the ownership so I talked about the ownership before so as we can see the owner of this particular folder is the administrators group etcd administrators so if this was owned by a different user and we wanted to take ownership of it as administrators we could click on the change and then we could cave who the owner of this folder is now the ability to take ownership of a file or folder is a security policy so basically administrators are allowed to take ownership of files and folders willy-nilly whereas average users are not so then we can see as we've seen so bad is deny system is allow administrator administrator employees so this is basically like what we were seeing before now the one thing down here that you should take into account you should look at is this inheritance so this will this this little button here will either say enable inheritance or disable inheritance it's very important that you understand what inheritance is so we're talking about inheritance what we're talking about when we're talking about inheritance is that the files or folders within a folder will take on the same permissions of the parent folder so the parent folder you assign whatever you know permissions to the resources the files and folders that are inside of it then the question is is do the kiled resources the child files and folders what permissions are assigned to them by default they inherit all the permissions that you assign to the parent sometime most in time 90% of the time you want the files or folders to inherit the permissions from the parent 10% of the time for whatever reason you don't want them to inherit so but what the inheritance does is it says the files and folders within this folder have the exact same permissions as that parent folder so that's something to keep in mind again play with it if you're sitting there going like Eli oh that's why you play with it that's why you sit here for a day and you futz with permissions and by the end of the day it will seem very easy I know permissions are just one of those horrible evil kiss convoluted nasty things right but anyways so here we go and we're back at the computer so I cancel out of here and then cancel out of here so then what I've done is I've created the public folder if I look at the properties of the public folder I go to security and we see the permissions here so we've got system you've got employees we've got administrator and administrators now as we can see here so we have the group more employees and they have full control access of this folder so they are able to get into this folder and do whatever it is they want you will notice that the bad group is not even mentioned here it's it's I haven't put anything here because I want the bad group to still be able to get access and have full control of whatever is in this public folder since it's theoretically supposed to be public so all we do is we hit okay and that is the setup on this server so that people are they are the users can access the files and folders so what we're going to do is we're going to minimize here and then we're going to go up and we are going to go into my Windows 8 computer so we can see here that we are at this Windows 8 computer so Windows 8 Professional computer is part of the domain and I'm logged in as the test user so this is a test user who is an employee and is a good employee he has not been put into the bad persons section right so if I go to desktop then I go up here to the corner and I go to search basically we are going to use this little search bar just the way we used to use run so I'm going to use UN see here universal naming convention so backslash backslash and then server so the name of my server is server so you in order to access the shared files on the server you do backslash backslash whatever the name of the server is and the share if you know it for now I'm just going to do server and hit enter from here we see the files or the folders that are shared on the server so net logon we're not going to worry about sysvol we're not going to worry about what we care about is this share folder so we double click on this and now we can see private and public if I go into private you can see I created folders so I can create a folder I can rename a folder I can do whatever I want here so this is the private folder and I can do what I want I can go back to the share again I can go into public I can create folders I can delete folders so as I talked about I have full control of whatever is in these particular folders because I am that test user that is in the group employees that has been given full control so what I'll do now is to show you what it's like when it's restricted I will sign out sign in as another user so I'll sign in as user two now when I sign in so now I'm user two again I'll go to the desktop so you get this little search thing I'll go to server I'll go to share and now you can see that only the public folder is even shown so I can go into the public folder and again I have full access to do whatever I want but the private folder isn't even shown because I don't have permission to do anything to that private folder so that's the basic concept behind these uhm this how this permission works so that's that's what there is to the share permissions and the NTFS permissions so the share permissions are what allow you to actually share the files and folders over the network generally you just give everyone the readwrite permission then the NTFS permissions are what you can go down you can drill down and say do I want to get somebody the ability to read to write to execute to list to do all that kind of stuff now the important thing that I haven't set up till now that I have to say I have to scream at the top of my lungs I think I've said this before in other classes but but God remind you here is that whenever you make any modifications to either permissions or security in the future many times those changes do not come into effect until the user has logged off and logged back in so when they log in they will be given the access control key that will actually give them the new permission so again one of the big problems with newbies is they go and they make all these modifications for permissions they forget to log the user off and log them back in and then it doesn't seem like any of its working so they're like ah and so they just sit there for like five hours doing all kinds of weird stuff trying to make permissions work when in fact all that needed to happen was for the user to log off and log back in so whenever you make any modifications to permissions or to security always make sure the user logs off and logs back in so that is what there is to share permissions and NTFS permissions this is the introduction to this this you know permissions class because of course in Windows 2012 they couldn't leave well enough alone and they have made a few additional improvements to functionality so there are some things I will show you in a different class that are on like older versions of Windows Server things that you can do to improve security and whatnot but this is the basic idea for the share and NTFS permissions again if you don't if you're confused I'm telling you permissions are one of those things it is the cornerstone it's one of the bedrocks to enterprise Microsoft environments so so go out spend the 40 bucks 50 bucks on the book so you can read it to make sure what's going on because make sure if you're confused one go out and read about it and then to just play with it for a day if you spend five hours just hammering out permissions and playing around and trying to figure this stuff out it'll seem easy and you'll be like wow how did I never how did I not understand that before but again if all you're trying to do is listen to me and watch this it may be a little confusing so it's you really need the hands-on and you really need to be able to read about this to get to get your head around it so so so so that's it again don't confuse permissions with security permissions and security are two different things and within permissions there's the share permission and then there are the NTFS permissions again two different things that do kind of come together every once in a while and make a little bit of a mess I would argue with the share permissions simply share the folder out share it so that everyone group can have the readwrite permission to the folder and then from there use NTFS permissions for the underlying files and folders for for the really refined security remember that owners of the folder are able to allow to change permissions for other users to be able to access that resource and remember the inheritance so inheritance 90% of the time is going to be a very good thing so the files and folders will inherit the same permissions as the parent folder has 10% of the time this is absolutely not what you want to have happen and so you have to make sure to disable inheritance and then go from there again play play with play with it but once you play with it it'll be very easy so as you know I am Eli the computer guy this was introduction to file and share permissions on Windows Server 2012 as always I enjoy teaching this class and I look forward to see you the next one

Info

Channel: Eli the Computer Guy

Views: 461,713

Rating: 4.9249721 out of 5

Keywords: Eli, the, Computer, Guy

Id: fJHFmt6F0Rc

Channel Id: undefined

Length: 35min 10sec (2110 seconds)

Published: Tue Apr 16 2013