Code:
http://www.learnthat.com/Certification/learn/1388/Managing_Access_to_Resources_and_Managing_Printing_MCSE_70_290/
Welcome to our free Microsoft Server 2003 tutorial!
We have designed these tutorials to help you understand how to manage and maintain a Windows Server 2003 environment. These tutorials are designed to give you the fundamental knowledge you need to configure your environment and maintain it.
The skills identified are based on the skills Microsoft requires you to know for MCSE exam 70-290: Managing and Maintaining a Windows Server 2003 Environment. We added a little explanation where we felt necessary and expanded the curriculum a little to help you with some of the more difficult concepts in Active Directory. You should find these tutorials a handy reference as you're working - if you forget something, just refer back to these tutorials and you can see how to perform a task.
This tutorial will teach you how to manage access to resources and use printing in Microsoft Windows Server 2003. Throughout the tutorial, you will see short animated examples. These are signified with an icon. Clicking these links will open a new window which will illustrate the concept by walking you through the steps required to complete that task.
Outline for Part 2
Section 1: Managing Access to Resources
Section 2: Implementing and Managing Printing
Section 3: Managing Access to Objects in Organizational Units
Managing Access to Resources
In this section, you will learn how to:
- Manage access to files and folders
- Create and manage shared folders
- Determine effective permissions on a resource
- Manage access to shared files using offline caching
Introduction to Managing Access
Microsoft Server 2003 has very detailed security rights assignments so you can assign access to specific resources for specific users and groups of users. NTFS, the default Windows Server 2003 file system, allows for security on individual files and folders. FAT32 does not have security functionality built in. Share permissions can be set on either file system, however.
Understanding NTFS Permissions
When you grant a user or group permission to a resource (such as a file, folder, or drive), there are six primary permissions:
Full Control - Full control to the resource. Can set security, modify, delete, or create files. Can change the ownership on the resource.
Modify - Has the ability to create, modify, or delete files.
Read & Execute - Can read and execute files but cannot modify or delete unless allowed.
List Folder Contents - Can view a file listing in a folder.
Read - Can read files and folders, but cannot write.
Write - Can write files and folders but cannot perform any of the other tasks unless permitted.
You will see a seventh permission in most security dialog boxes, Special Permissions. If you want more granular control of permissions, you can allow or deny very specific permissions in the Advanced dialog box.
There are three states for each permission: Allow, Deny, or not selected. Allow explicitly grants the user or group access to the resource; Deny explicitly blocks it. A permission that is not selected grants nothing, so access defaults to denied. For example, you could give the entire accounting team access to a shared folder by allowing the group permission to it. If there was one user in the team you didn't want to have access, you could add that user and Deny him access. The entire accounting team would have access except for the one user specifically named.
Since the permissions are separated into these primary categories, you can set up some unique situations. If the payroll department has a folder they want departments to submit timesheets to but they do not want the departments to see the other timesheets, you could set a Write permission on the folder for those groups. The departments can write files but not read them - or delete them. Once submitted, they cannot change the files or folder.
For our users or departments, we typically grant them the Modify permission (and everything below it) to their personal folders or group folders. This allows them to create, edit, read, or delete files and folders, but not change security rights to them. Be aware though that with department or group folders, any user with permissions can delete other users' files.
Managing Access to Files and Folders
You can set specific security on files and folders and allow users or groups a variety of permissions. To set permissions on a folder:
- Right-click on the folder and select Properties.
- Click on the Security tab.
- You will see a list of the current users and groups with access to this folder. The folder inherits its security settings from its parent folder. We will discuss permissions inheritance in a few pages.
- Click Add to add a user or group.
- Type in the name of the user or group you want to add. If you do not know the name, you can use the search functionality to find the user. Once you have found the user or group, click OK.
- The group or user is added with the default permissions - Read & Execute, List Folder Contents, and Read. You can change these permissions to reflect the requirements for this folder.
- In this example, we allowed the group Modify rights. Click OK to save the permissions.
Permission Inheritance
The basic security model of NTFS permissions is one based on inheriting the permissions of the parent. By default, the security of folders and files several layers deep in a file structure is inherited from its parent folders.
For example, in this folder diagram:
All of the folders are inheriting permissions from the parent folders. If you view the security of the Orlando folder and view the security of the IT folder, they match. However, you can change this so certain folders do not inherit permissions from their parent and you can set specific permissions for those folders.
Changing Inheritance on a Folder
- Right-click the folder you want to change and choose Properties.
- Click on the Security tab.
- Click on the Advanced button.
- Uncheck the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these entries explicitly defined here.
- You are now given the option to Copy or Remove the current permissions. By copying the permissions, you keep the same entries as before and can change them. If you remove the permissions, you will start with a blank slate and add users or groups as you wish. In this example, we are going to choose Copy.
- Click OK.
- You can now change permissions, or add/remove users and groups.
- If you want to reset the permissions on files and folders underneath the folder you just changed, click Advanced.
- Check the Replace permission entries on all child objects with entries shown here that apply to child objects.
- Click OK.
- Click Yes to continue.
- Click OK to close the Properties window.
Managing Access to Shared Folders
Shared folder access is set on the server, on the Sharing tab in Windows Explorer. Individual files cannot be shared; only folders and drives can be. Though you can set permissions in Sharing for certain users, they are compared with the effective NTFS permissions, and the most restrictive permission is the final effective permission. If you set up a user to access a shared folder on the Sharing tab but then deny the user access in NTFS, the user will not be able to reach the shared folder.
Setting Up a Shared Folder
We set up a file structure to allow users to access a group folder through a share on the server. We set up five department folders:
We are going to set up shares on each folder.
- Right-click on the folder and select Sharing and Security.
- Click Share this folder.
- A default name will populate the Share name field. You can change this if you want.
- Click Permissions to change permissions on the drive.
- Add the users or groups you want to have permissions on this share. Click OK.
- Click OK to create the share.
- The folder now has a "hand" icon on it to signify it is shared.
- Repeat this process for each folder you want to share.
In the directions above, you set up Share Permissions on each folder. You could repeat the same process and instead set up NTFS Security Permissions on each folder and leave the Share permissions with the defaults. From a security and administration perspective, this is the preferred method to set up security on network folders.
In addition, if you have restrictive NTFS permissions on a folder, setting Share Permissions may not allow users access to the resource.
Determining Effective Permissions
Effective Permissions are the permissions allowed a user after all of the access control methods are taken into account. Effective Permissions is a tab in the Advanced Security Settings dialog box. To view effective permissions:
- Right-click the folder or file you want to view Effective Permissions on. Select Sharing and Security.
- Click on the Security tab.
- Click on the Advanced button.
- Click on the Effective Permissions tab.
- Click the Select button to select a user or group you want to view the effective permissions for.
- Enter the name or find the name. Click OK.
- The Effective Permissions for the selected group or user are displayed.
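The Allow, Deny and not-selected rules and the share-versus-NTFS comparison described in the sections above, as an added Python model (not code from the original tutorial). The right names, users and groups are constructed for illustration, and the explicit-before-inherited evaluation order goes beyond what the tutorial covers.

```python
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Simplified rights for this model (not the real Windows access-mask bits)."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    DELETE = 8
    CHANGE_PERMISSIONS = 16
    TAKE_OWNERSHIP = 32


# The tutorial's permissions expressed as bundles of the simplified rights.
READ = Right.READ
WRITE = Right.WRITE
READ_EXECUTE = Right.READ | Right.EXECUTE
MODIFY = READ_EXECUTE | Right.WRITE | Right.DELETE
FULL_CONTROL = MODIFY | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP
NONE = Right(0)


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name
    allow: bool              # True = Allow entry, False = Deny entry
    rights: Right
    inherited: bool = False  # True if the entry comes from a parent folder


def granted(acl, identities):
    """Rights an ACL gives a user; identities = user name plus group names."""
    # Evaluation order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    ordered = sorted(acl, key=lambda ace: (ace.inherited, ace.allow))
    result = NONE
    for right in Right:
        for ace in ordered:
            if ace.trustee in identities and right in ace.rights:
                if ace.allow:
                    result |= right
                break  # the first matching entry decides this right
        # no matching entry means "not selected": the right stays denied
    return result


def network_access(share_acl, ntfs_acl, identities):
    """Through a share, a user gets only what both the share and NTFS grant."""
    return granted(share_acl, identities) & granted(ntfs_acl, identities)


# Constructed sample data (names are invented for illustration).
ALICE = {"alice", "Accounting", "Everyone"}
BOB = {"bob", "Accounting", "Everyone"}
ACCOUNTING_NTFS = [Ace("Accounting", True, MODIFY), Ace("bob", False, FULL_CONTROL)]
TIMESHEET_DROP = [Ace("Accounting", True, WRITE)]
SHARE_READ = [Ace("Everyone", True, READ_EXECUTE)]
SHARE_FULL = [Ace("Everyone", True, FULL_CONTROL)]
# Beyond the tutorial: an explicit Allow is evaluated before an inherited Deny.
MIXED = [Ace("Accounting", False, FULL_CONTROL, inherited=True),
         Ace("alice", True, READ)]
```

The Effective Permissions tab calculates the NTFS side only; share permissions are not included, so access through a share can be narrower than what the tab shows.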
Managing Access to Shared Files Using Offline Caching
Offline caching allows users to store copies of network folders locally on their machines and take the files and folders with them. You can control the Offline caching settings to disallow this on certain folders if required.
- Right-click on the shared folder you want to change and click Sharing and Security.
- Click the Offline Settings button.
- Click the option you want to change:
Only the files and programs that users specify will be available offline. - The default setting which allows users to control offline caching.
All files and programs that users open from the share will be automatically available offline. - With this option, any file a user opens is automatically cached.
Files or programs from the share will not be available offline. - Prevents users from using offline caching on the folder.
In this section, you learned how to:
- Manage access to files and folders
- Create and manage shared folders
- Determine effective permissions on a resource
- Manage access to shared files using offline caching
Practice Exercises
1. Create a shared folder.
2. Grant permissions to the shared folder for a certain user group.
3. Grant "Modify" NTFS permissions to the folder to a certain group.
4. Create a user folder. Give the user account Modify NTFS Permissions on the folder.
Implementing & Managing Printing
Printing is a very important role for your server. Understanding how printing works, how to set up printers, and how to troubleshoot printing will be extremely important for your career as a systems administrator.
In this section, you will learn:
- Printing in Windows Server 2003
- Setting up a TCP/IP printer
- Managing printing
- Managing access to printers
- Managing printer drivers
- Implementing printer locations
- Changing the location of the print spooler
- Setting printer priorities
- Scheduling printer availability
- Configuring a printing pool
Printing in Windows Server 2003
Windows Server 2003 is a very effective print server. You can set up multiple printers and control access to printers to specific users or specific groups. The print server also allows you to add specific drivers for different versions of the client operating systems. For example, you can have print drivers on the server for Windows NT 4, Windows 2000, and Windows XP clients.
Setting up printers is similar in Windows Server 2003 to any other Windows operating system. You have an Add Printer wizard which will guide you through the setup.
Setting Up a TCP/IP Printer
TCP/IP printing allows your server to print to printers across the network using their IP address. You should set your printer up with a reserved DHCP address or with a static IP address.
- Click on Start and select Printers and Faxes.
- Double-click on Add Printer. The Add Printer wizard opens. Click Next.
- Click Local printer attached to this computer and uncheck Automatically detect and install my Plug and Play Printer. Click Next.
- Click Create a new port and pull down Type of port: and select Standard TCP/IP Port. Click Next.
- The Add Standard TCP/IP Printer Port Wizard opens. Click Next.
- Enter in the IP address of the printer you are printing to. Click Next.
- Click Next at the Device Type screen. Click Finish to close the wizard.
- Choose the manufacturer and printer type. Click Next.
- Name the printer. Click Next.
- Type in a share name for the printer. We recommend either geographically focused names (4floorwestHP) or department names (MKT02) for the shares. It makes it easier to identify which printer you are referring to. Click Next.
- Type in the location for the printer and any comments. Click Next.
- Click Next at the test print screen, then click Finish to complete the wizard.
Managing Access to Printers
As a server administrator, you can control access to printers for individuals or groups of users. Follow these steps to set security for a printer:
- Open the Printers and Faxes control panel.
- Right-click on the printer you want to manage and select Properties.
- Click on the Security tab.
- You can manage any of the users or groups listed there, or click Add to add a user or a group.
- Once you have added a user or a group, you can control what permissions they have. The primary permissions are Print, Manage Printers, and Manage Documents.
- If you would like to specify only certain users or groups to print to a printer, you should remove Everyone from the security list. This will allow only specified users the right to print.
Managing Printer Drivers
There are two aspects to managing printer drivers on your server. You can change a printer driver or add printer drivers for client operating systems.
Changing a Printer Driver
- Open the Printers and Faxes Control Panel.
- Right-click on the printer you want to change and choose Properties.
- Click on the Advanced tab.
- Select a driver from the pull down list or click on New Driver.
Adding Drivers for Client Operating Systems
By default, Windows Server 2003 installs the Windows 2000/XP client drivers. With the Additional Drivers functionality, you can add drivers for other client operating systems.
- Open the Printers and Faxes Control Panel.
- Right-click on the printer you want to change and choose Properties.
- Click on the Sharing tab.
- Click on the Additional Drivers button.
- Select the additional systems you want to install drivers for. Click OK.
- It will request the driver disks for each of the operating systems you selected.
- Once the drivers are installed, the print server can service those operating systems.
Implementing Printer Locations
Enabling printer locations makes it easier for users to find printers near them. With printer locations, you can set up the location of a printer based on the subnet it is on. The location will prepopulate for the printers.
The first step is to map out your locations. A location is a string separated by / characters. For example, your site might be NorthAmerica/Detroit/Marketing or /Florida/Miami/Floor1. You can create the location structure however you want.
There are some limits to your naming structure. Any single level cannot be more than 32 characters, there is a maximum of 256 levels, and the maximum length of the entire location is 260 characters. You can use any character but the / character.
Sample Location Structure
As you can see from the example, you can have location names in any order you want. In example 1 and 2, the city is at level 2 but in example 3, the city is in level 3. This allows you the flexibility to design your location codes however you wish.
The format of example 3 would be NorthAmerica/Ohio/Columbus/HR/East if you were entering this into a location field.
Example  Top Level     Level 2  Level 3     Level 4     Level 5
1        NorthAmerica  Chicago  Floor1
2        NorthAmerica  Detroit  Marketing
3        NorthAmerica  Ohio     Columbus    HR          East
4        NorthAmerica  Ohio     Cincinnati  IT
5        Europe        London   Downing     Accounting
6        Europe        Paris    IT
Configuring Printer Locations
A broad overview of the process is:
- Create a list of the printers and their locations. Create a list of the locations you want to enter.
- Create sites.
- Configure the printer locations.
- Enable Group Policy change.
The first step in the process is to set up a site code and location in Active Directory Sites and Services. This allows the printer to be easily found based on a computer's IP address.
- Open the Active Directory Sites and Services administrative tool.
- Right-click on Subnets. Click New Subnet.
- Enter an IP address and a subnet mask. Select the site object you want this subnet associated with.
- Click OK.
- Your new subnet is listed.
- Right-click on the subnet you created and choose Properties.
- Click on the Location tab.
- Enter the location of the subnet.
- Click OK.
The next step in the process is to set group policy to pre-populate the printer search location.
- Open Active Directory Users and Computers.
- Right-click on the Organizational Unit you want to apply the Group Policy to. Click on Properties.
- Click on the Group Policy tab. If you have installed the Group Policy Management snap-in, click Open. If you did not install the snap-in, click New to create a new object. Name the object and click OK. Click on the new object and select Edit.
- If you did install the Group Policy Management snap-in and you clicked Open, select the new policy and right-click. Choose Edit.
- The Group Policy Object Editor opens. Browse to Computer Configuration: Administrative Templates: Printers.
- Double-click on Pre-populate printer search location text. Click on Enabled. Click OK.
- Close Group Policy Object editor.
The final steps in the process set up the location strings on the printers.
- Open the Printers and Faxes control panel.
- Right-click on the printer you want to set a location for. Choose Properties.
- Click Browse next to the Location field. Select the location for the printer.
- Click OK.
You can test by trying to add a printer on a machine on the subnet you specified earlier.
- Double-click on Add Printer.
- Choose Network Printer and click Next.
- Click Find a printer in the directory and click Next.
- The Find Printers dialog box opens. The Location field is autopopulated.
- Click Find Now to list your printers.
Location search for your printers is very useful for your users. We recommend using a consistent location string to make it easier for users to find printers near their location.
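The location workflow above as an added Python example (not part of the original tutorial): it parses location strings under the stated limits, picks the location of the subnet a client address falls in, and lists the printers at or below that location. The subnet ranges and printer names are constructed, and rejecting empty levels, choosing the most specific subnet and matching level by level are assumptions of this model.

```python
import ipaddress

MAX_LEVEL_CHARS = 32     # limits as stated in the tutorial
MAX_LEVELS = 256
MAX_TOTAL_CHARS = 260


def parse_location(location):
    """Split a location string into levels, enforcing the tutorial's limits."""
    if len(location) > MAX_TOTAL_CHARS:
        raise ValueError("location longer than 260 characters")
    levels = location.strip("/").split("/")
    if len(levels) > MAX_LEVELS:
        raise ValueError("more than 256 levels")
    for level in levels:
        if not level:
            raise ValueError("empty level")  # assumption: not allowed
        if len(level) > MAX_LEVEL_CHARS:
            raise ValueError(f"level {level!r} longer than 32 characters")
    return levels


def location_for_client(subnets, client_ip):
    """Location of the most specific subnet containing the client, or None."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(ipaddress.ip_network(net), loc) for net, loc in subnets.items()
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda match: match[0].prefixlen)[1]


def printers_near(printers, location):
    """Printers whose location equals, or sits below, the given location."""
    want = parse_location(location)
    return sorted(name for name, loc in printers.items()
                  if parse_location(loc)[:len(want)] == want)


# Constructed sample data: subnet ranges and printer names are invented,
# location strings follow the tutorial's sample structure.
SUBNETS = {
    "10.1.0.0/16": "NorthAmerica/Ohio",
    "10.1.20.0/24": "NorthAmerica/Ohio/Columbus/HR",
    "10.9.0.0/16": "Europe/Paris/IT",
}
PRINTERS = {
    "HR-East-01": "NorthAmerica/Ohio/Columbus/HR/East",
    "CIN-IT-01": "NorthAmerica/Ohio/Cincinnati/IT",
    "PAR-IT-01": "Europe/Paris/IT",
}
```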
Changing the Location of the Print Spooler
There are many reasons you may need to change the location of the print spooler. The primary reason is you would like it on a different hard drive because of the size of the printed documents.
You may also want to change the location of the print spooler to:
- Improve performance
- Ensure security
- Improve reliability
- Reduce fragmentation on the boot partition
Changing the print spooler is a relatively easy task:
- Open the Printers and Faxes control panel.
- Right-click in any blank area and choose Server Properties.
- Click on the Advanced tab.
- Change the Spool folder to the location you want print jobs to be spooled in.
- Click OK.
Setting Printer Priorities
You can also set the priority of certain printers. This allows print jobs from that printer to be printed before other printers on the server. If you have a large number of print jobs flowing through your print server and HR needs priority over any other group, you may set the HR printers to higher priority than other departments. The default priority is 1 (which is the lowest). You can set priorities up to 99.
- Open the Printers and Faxes Control Panel.
- Right-click on the printer you want to change and choose Properties.
- Click on the Advanced tab.
- Change the Priority field to whatever priority you would like for that printer. The range is 1 to 99 with 99 being the highest priority.
- Click OK.
Scheduling Printer Availability
In addition, you can also set printers so they are only available for a certain time period during the day. This may be useful for restricted printers (such as HR or color printers). If you do not want people printing after certain hours, this is a handy setting.
You could also use this for security reasons. You can set up two printers on the server for the same physical printer and set one to 24 hours and the other to only business hours. You could then set security so users with limited security rights can only print to it during the day and other users can print any time.
- Open the Printers and Faxes Control Panel.
- Right-click on the printer you want to change and choose Properties.
- Click on the Advanced tab.
- Click on the Available from radio button and enter the two times you want the printer to be able to be printed to.
- Click OK.
Configuring a Printing Pool
In a high printing environment, you may have several of the same model of printers. To efficiently allow users to print and get the most use out of your printers, you can use Printer Pooling. Printer Pooling allows your users to print to one printer but have the server automatically distribute the jobs to any number of the same model of printer.
For example, if you had three HP LaserJet 5 printers, you could set up a print pool for the users to print to one printer and have it print out on any of the three printers in the pool.
- Open the Printers and Faxes Control Panel.
- Add a new printer using the earlier instructions, or choose an existing printer you want to use as the starting point for the pool.
- Right-click on the printer and choose Properties.
- Click on the Ports tab.
- Click the Enable printer pooling checkbox.
- Select the ports above you want to add to the printer or use the Add Port wizard to add a new port.
- Click OK.
In this section, you learned:
- Printing in Windows Server 2003
- Setting up a TCP/IP printer
- Managing printing
- Managing access to printers
- Managing printer drivers
- Implementing printer locations
- Changing the location of the print spooler
- Setting printer priorities
- Scheduling printer availability
- Configuring a printing pool
Practice Exercises
1. Create a TCP/IP printer on your network.
2. Control access by specifying a specific group which is allowed to print to the printer.
3. Add printer drivers for older client operating systems.
4. Move the print spooler to a different folder or drive on the server.
5. Change the printer to a high priority.
6. Set the printer so it is only available between 6:00 am and 8:00 pm.