Managing Access to Resources and Managing Printing

[patris1]

کد:

http://www.learnthat.com/Certification/learn/1388/Managing_Access_to_Resources_and_Managing_Printing_MCSE_70_290/

Welcome to our free Microsoft Server 2003 tutorial!

We have designed these tutorials to help you understand how to manage and maintain a Windows Server 2003 environment. These tutorials are designed to give you the fundamental knowledge you need to configure your environment and maintain it.
The skills identified are based on the skills Microsoft requires you to know for MCSE exam 70-290: Managing and Maintaining a Windows Server 2003 Environment. We added a little explanation where we felt necessary and expanded the curriculum a little to help you with some of the more difficult concepts in Active Directory. You should find these tutorials a handy reference as you're working - if you forget something, just refer back to these tutorials and you can see how to perform a task.
This tutorial will teach you how to manage access to resources and use printing in Microsoft Windows Server 2003. Throughout the tutorial, you will see short animated examples. These are signified with a icon. Clicking these links will open a new window which will illustrate the concept by walking you through the steps required to complete that task.
Outline for Part 2
Section 1: Managing Access to Resources
Section 2: Implementing and Managing Printing
Section 3: Managing Access to Objects in Organizational Units





Managing Access to Resources

In this section, you will learn how to:

• Manage access to files and folders
• Create and manage shared folders
• Determine effective permissions on a resource
• Manage access to shared files using offline caching

Introduction to Managing Access

Microsoft Server 2003 has very detailed security rights assignments so you can assign access to specific resources for specific users and groups of users. NTFS, the default Windows Server 2003 file system, allows for security on individual files and folders. FAT32 does not have security functionality built in. Share permissions can be set on either file system, however.
Understanding NTFS Permissions
When you grant a user or group permission to a resource (such as a file, folder, or drive), there are six primary permissions:
Full Control - Full control to the resource. Can set security, modify, delete, or create files. Can change the ownership on the resource.
Modify - Has the ability to create, modify, or delete files.
Read & Execute - Can read and execute files but cannot modify or delete unless allowed.
List Folder Contents - Can view a file listing in a folder.
Read - Can read files and folders, but cannot write.
Write - Can write files and folders but cannot perform any of the other tasks unless permitted.
You will see a seventh permission in most security dialog boxes, Special Permissions. If you want more granular control of permissions, you can allow or deny very specific permissions in the Advanced dialog box.
There are three ways to control permissions: Allow, Deny, or not selected. Allow specifically allows the user or group to access the resource, Deny specifically disallows. Not checked is no response with a default of denied. For example, you could give the entire accounting team access to a shared folder by allowing the group permission to it. If there was one user in the team you didn't want access you could add that user and Deny him access. The entire accounting team would have access except for the one user specifically named.
Since the permissions are separated into these primary categories, you can setup some unique situations. If the payroll department has a folder they want departments to submit timesheets to but they do not want the departments to see the other timesheets, you could set a Write permission on the folder for those groups. The departments can write files but not read them - or delete them. Once submitted, they cannot change the files or folder.
For our users or departments, we typically grant them the Modify permission (and everything below it) to their personal folders or group folders. This allows them to create, edit, read, or delete files and folders, but not change security rights to them. Be aware though that with department or group folders, any user with permissions can delete other user's files.
Managing Access to Files and Folders

You set specific security on files and folders and allows users or groups a variety of permissions. To set permissions on a folder:

1. Right-click on the folder and select Properties.
2. Click on the Security tab.

1. You will see a list of the current users and groups with access to this folder. The folder inherits its security settings from its parent folder. We will discuss permissions inheritance in a few pages.
2. Click Add to add a user or group.
3. Type in the name of the user or group you want to add. If you do not know the name, you can use the search functionality to find the user. Once you have found the user or group, click OK.

1. The group or user is added with the default permissions - Read & Execute, List Folder Contents, and Read. You can change these permissions to reflect the requirements for this folder.

1. In this example, we allowed the group Modify rights. Click OK to save the permissions.

Permission Inheritance
The basic security model of NTFS permissions is one based on inheriting the permissions of the parent. By default, the security of folders and files several layers deep in a file structure is inherited from its parent folders.
For example, in this folder diagram:

All of the folders are inheriting permissions from the parent folders. If you view the security of the Orlando folder and view the security of the IT folder, they match. However, you can change this so certain folders do not inherit permissions from its parent and you can set specific permissions for those folders.
Changing Inheritance on a Folder

1. Right-click the folder you want to change and choose Properties.
2. Click on the Security tab.
3. Click on the Advanced button.

1. Uncheck the Allow inheritable permissions from the parent to propogate to this object and all child objects. Include these entries explicitly defined here.

1. You are now give the option to Copy or Remove the current permissions. By copying the permissions, you have same entries before and can change them. If you remove the permissions, you will start with a blank slate and add users or groups as you wish. In this example, we are going to choose Copy.
2. Click OK.

1. You can now change permissions, or add/remove users and groups.
2. If you want to reset the permissions on files and folders underneath the folder you just changed, click Advanced.
3. Check the Replace permission entries on all child objects with entries shown here that apply to child objects.
4. Click OK.
5. Click Yes to continue.
6. Click OK to close the Properties window.

Managing Access to Shared Folders

Shared Folders access is set on the server on the Sharing tab in Windows Explorer. Individual files cannot be shared, only folders and drives can be. Though you can set permissions in Sharing for certain users, the security is compared with effective NTFS permission and the most restrictive permission is the final effective permission. If you setup a user to access a shared folder in the Sharing tab but then set the user to be denied access in NTFS, the user will not be able to reach the shared folder.
Setting Up a Shared Folder
We setup a file structure to allow users to access a group folder through a share on the server. We setup five department folders:

We are going to setup shares on each folder.

1. Right-click on the folder and select Sharing and Security.

1. Click Share this folder.
2. A default name will populate the Share name field. You can change this if you want.
3. Click Permissions to change permissions on the drive.

1. Add the users or groups you want to have permissions on this share. Click OK.
2. Click OK to create the share.

1. The folder now has a "hand" icon on it signify it is shared.
2. Repeat this process for each folder you want to share.

In the directions above, you setup Share Permissions on each folder, you could repeat the same process and instead setup NTFS Security Permissions on each folder and leave the Share permissions with the defaults. From a security and administration perspective, this is the preferred method to setup security on network folders.
In addition, if you have restrictive NTFS permissions on a folder, setting Share Permissions may not allow users access to the resource.
Determining Effective Permissions

Effective Permissions are the permissions allowed a user after all of the access control methods are taken into account. Effective Permissions is a tab on the Advanced Security Settings tab. To view effective permissions:

1. Right-click the folder or file you want to view Effective Permissions on. Select Sharing and Security.
2. Click on the Security tab.
3. Click on the Advanced button.
4. Click on the Effective Permissions tab.
5. Click the Select button to select a user or group you want to view the effective permissions for.
6. Enter the name or find the name. Click OK.

1. The Effective Permissions for the selected group or user is displayed.

Managing Access to Shared Files Using Offline Caching

Offline caching allows users to save network folders local to their machines and take the files and folders with them. You can control the settings of Offline caching to disallow this if required on certain folders.

1. Right-click on the shared folder you want to change and click Sharing and Security.
2. Click the Offline Settings button.

1. Click the option you want to change:
   Only the files and programs that users specify will be available offline. - The default setting which allows users to control offline caching.
   All files and programs that users open from the share will be automatically available offline. - This option allows any files a user opens will automatically be cached.
   Files or programs from the share will not be available offline. - Prevents users from using offline caching on the folder.

In this section, you learned how to:

• Manage access to files and folders
• Create and manage shared folders
• Determine effective permissions on a resource
• Manage access to shared files using offline caching

Practice Exercises

1. Create a shared folder.
2. Grant permissions to the shared folder for a certain user group.
3. Grant "Modify" NTFS permissions to the folder to a certain group.
4. Create a user folder. Give the user account Modify NTFS Permissions on the folder.









Implementing & Managing Printing

Printing is a very important role for your server. Understanding how printing works, how to setup printers, and how to troubleshoot printing will be extremely important for your career as a systems administrator.
In this section, you will learn:

• Printing in Windows Server 2003
• Setting up a TCP/IP printer
• Managing printing
• Managing access to printers
• Managing printer drivers
• Implementing printer locations
• Changing the location of the print spooler
• Setting printer priorities
• Scheduling printer availability
• Configuring a printing pool

Printing in Windows Server 2003

Windows Server 2003 is a very effective print server. You can setup multiple printers and control access to printers to specific users or specific groups. The print server also allows you to add specific drivers for different versions of the client operating systems. For example, you can have print drivers on the server for Windows NT 4, Windows 2000, and Windows XP clients.
Setting up printers is similar in Windows Server 2003 to any other Windows operating system. You have an Add Printer wizard which will guide you through the setup.
Setting Up a TCP/IP Printer
TCP/IP printing allows your server to print to printers across the network using their IP address. You should set your printer up with a reserved DHCP address or with a static IP address.

1. Click on Start and select Printers and Faxes.
2. Double-click on Add Printer. The Add Printer wizard opens. Click Next.

1. Click Local printer attached to this computer and uncheck Automatically detect and install my Plug and Play Printer. Click Next.

1. Click Create a new port and pull down Type of port: and select Standard TCP/IP Port. Click Next.
2. The Add Standard TCP/IP Printer Port Wizard opens. Click Next.

1. Enter in the IP address of the printer you are printing to. Click Next.
2. Click Next at the Device Type screen. Click Finish to close the wizard.
3. Choose the manufacturer and printer type. Click Next.
4. Name the printer. Click Next.
5. Type in a share name for the printer. We recommend either geographically focused names (4floorwestHP) or department names (MKT02) for the shares. It makes it easier to identify which printer you are referring to. Click Next.
6. Type in the location for the printer and any comments. Click Next.
7. Click Next at the test print screen, then click Finish to complete the wizard.

Watch this short animated clip to see how to add a TCP/IP printer.

Managing Access to Printers

As a server administrator, you can control access to printers for individuals or groups of users. Follow these steps to set security for a printer:

1. Open the Printers and Faxes control panel.
2. Right-click on the printer you want to manage and select Properties.
3. Click on the Security tab.
4. You can manage any of the users or groups listed there, or click Add to add a user or a group.
5. Once you have added a user or a group, you can control what permissions they have. The primary permissions are Print, Manage Printers, and Manage Documents.
6. If you would like to specify only certain users or groups to print to a printer, you should remove Everyone from the security list. This will allow only specified users the right to print.

Managing Printer Drivers

There are two aspects to managing printer drivers on your server. You can change a printer driver or add printer drivers for client operating systems.
Changing a Printer Driver

1. Open the Printers and Faxes Control Panel.
2. Right-click on the printer you want to change and choose Properties.
3. Click on the Advanced tab.

1. Select a driver from the pull down list of click on New Driver.

Adding Drivers for Client Operating Systems
By default, Windows Server 2003 installs the Windows 2000/XP client drivers. With the Additional Drivers functionality, you can add drivers for other client operating systems.

1. Open the Printer and Faxes Control Panel.
2. Right-click on the printer you want to change and choose Properties.
3. Click on the Sharing tab.

1. Click on the Additional Drivers button.

1. Select the additional systems you want to install drivers for. Click OK.

1. It will request the driver disks for each of the operating systems you selected.
2. Once the drivers are installed, the print server can service those operating systems.

Implementing Printer Locations

Enabling printer locations makes it easier for users to find printers near them. With printer locations, you can setup the location of a printer based on the subnet it is on. The location will prepopulate for the printers.
The first step is to map out your locations. A location is a string separated by / characters. For example, your site might be NorthAmerica/Detroit/Marketing or /Florida/ Miami/Floor1. You can create the location structure however you want.
There are some limits to your naming structure. Any single level cannot be more than 32 characters, there is a maximum of 256 levels, and the maximum length of the entire location is 260 characters. You can use any character but the / character.
Sample Location Structure
As you can see from the example, you can have location names in any order you want. In example 1 and 2, the city is at level 2 but in example 3, the city is in level 3. This allows you the flexibility to design your location codes however you wish.
The format of example 3 would be NorthAmerica/Ohio/Columbus/HR/East if you were entering this into a location field.

Top Level
Level 2
Level 3
Level 4
Level 5
NorthAmerica
Chicago
Floor1
NorthAmerica
Detroit
Marketing
NorthAmerica
Ohio
Columbus
HR
East
NorthAmerica
Ohio
Cincinnati
IT
Europe
London
Downing
Accounting
Europe
Paris
IT
Configuring Printer Locations
A broad overview of the process is:

1. Create a list of the printers and their locations. Create a list of the locations you want to enter.
2. Create sites.
3. Configure the printer locations.
4. Enable Group Policy change.

The first step in the process is to setup a site code and location in Active Directory Sites and Services. This allows the printer to be easily found based on a computer's IP address.

1. Open the Active Directory Sites and Services administrative tool.
2. Right-click on Subnets. Click New Subnet.

1. Enter an IP address and a subnet mask. Select the site object you want this subnet associated with.
2. Click OK.

1. Your new subnet is listed.
2. Right-click on the subnet you created and choose Properties.

1. Click on the Location tab.
2. Enter the location of the subnet.
3. Click OK.

The next step in the process is to set group policy to pre-populate the printer search location.

1. Open Active Directory Users and Computers.
2. Right-click on the Organizational Unit you want to apply the Group Policy to. Click on Properties.
3. Click on the Group Policy tab. If you have installed the Group Policy Management snap-in, click Open. If you did not install the snap-in, click New to create a new object. Name the object and click OK. Click on the new object and select Edit.
4. If you did install the Group Policy Management snap-in and you clicked Open, select the new policy and right-click. Choose Edit.

1. The Group Policy Object Editor opens. Browse to Computer Configuration: Administrative Templates: Printers.
2. Double-click on Pre-populate printer search location text. Click on Enabled. Click OK.
3. Close Group Policy Object editor.

The final steps in the process setup the location strings on the printers.

1. Open the Printers and Faxes control panel.
2. Right-click on the printer you want to set a location for. Choose Properties.

1. Click Browse next to the Location field. Select the location for the printer.
2. Click OK.

You can test by trying to add a printer on a machine on the subnet you specified earlier.

1. Double-click on Add Printer.
2. Choose Network Printer and click Next.
3. Click Find a printer in the directory and click Next.

1. The Find Printers dialog box opens. The Location field is autopopulated.

1. Click Find Now to list your printers.

Location search for your printers is very useful for your users. We recommend using a consistent location string to make it easier for users to find printers near their location.






Changing the Location of the Print Spooler

There are many reasons you may need to change the location of the print spooler. The primary reason is you would like it on a different hard drive because of the size of the printed documents.
You could also want to change the location of the print spooler to:

• Improve performance
• Ensure security
• Improve reliability
• Reduce fragmentation on the boot partition

Changing the print spooler is a relatively easy task:

1. Open the Printers and Faxes control panel.
2. Right-click in any blank area and choose Server Properties.
3. Click on the Advanced tab.

1. Change the Spool folder to the location you want print jobs to be spooled in.
2. Click OK.

Watch this short animated clip to see how to change the Print Spooler location.

Setting Printer Priorities

You can also set the priority of certain printers. This allows print jobs from that printer to be printed before other printers on the server. If you have a large number of print jobs flowing through your print server and HR needs priority over any other group, you may set the HR printers to higher priority than other departments. The default priority is 1 (which is the lowest). You can set priorities up to 99.

1. Open the Printers and Faxes Control Panel.
2. Right-click on the printer you want to change and choose Properties.
3. Click on the Advanced tab.

1. Change the Priority field to whatever priority you would like for that printer. The range is 1 to 99 with 99 being the highest priority.
2. Click OK.

Scheduling Printer Availability

In addition, you can also set printers so they are only available for a certain time period during the day. This may be useful for restricted printers (such as HR or color printers). If you do not want people printing after certain hours, this is a handy setting.
You could also use this for security reasons. You can setup two printers on the server for the same physical printer and set one to 24 hours and the other to only business hours. You could then set security so users with limited security rights can only print to it during the day and other users can print any time.

1. Open the Printers and Faxes Control Panel.
2. Right-click on the printer you want to change and choose Properties.
3. Click on the Advanced tab.

1. Click on the Available from radio button and enter the two times you want the printer to be able to be printed to.
2. Click OK.

Configuring a Printing Pool

In a high printing environment, you may have several of the same model of printers. To efficiently allow users to print and get the most use out of your printers, you can use Printer Pooling. Printer Pooling allows your users to print to one printer but have the server automatically distribute to jobs to any number of the same model of printer.
For example, if you had three HP LaserJet 5 printers, you could setup a print pool for the users to print to one printer and have it print out on any of the three printers in the pool.

1. Open the Printers and Faxes Control Panel.
2. Add a new printer using the earlier instructions, or choose an existing printer you want to use as the starting point for the pool.
3. Right-click on the printer and choose Properties.
4. Click on the Ports tab.

1. Click the Enable printer pooling checkbox.
2. Select the ports above you want to add to the printer or use the Add Port wizard to add a new port.
3. Click OK.
   wizard to add a new port.

In this section, you learned:

• Printing in Windows Server 2003
• Setting up a TCP/IP printer
• Managing printing
• Managing access to printers
• Managing printer drivers
• Implementing printer locations
• Changing the location of the print spooler
• Setting printer priorities
• Scheduling printer availability
• Configuring a printing pool

Practice Exercises

1. Create a TCP/IP printer on your network.
2. Control access by specifying a specific group which is allowed to print to the printer.
3. Add printer drivers for older client operating systems.
4. Move the print spooler to a different folder or drive on the server.
5. Change the printer to a high priority.
6. Set the printer so it is only available between 6:00 am and 8:00 pm.

---

موضوعات مشابه:

• Managing Routing And Remote Access in Windows Server 2003
• Managing Exchange Certificates
• Managing Routing And Remote Access in Windows Server 2003

---

[patris1]

Managing Access to Objects in Organizational Units

In this section, you will learn:

• The Organizational Unit structure
• Modifying permission for Active Directory objects
• Delegating control of Organizational Units

As you have learned in previous tutorials, Organizational Units are a fundamental part of Active Directory. Security and managing access to Organizational Units is essential to have a secure and efficient network architecture. This section teaches you how to manage access to objects within Organizational Units.
The Organizational Unit Structure

Active Directory allows administrators great control over the organization of their directory. This organization gives you flexibility with your environment.
Using Organizational Units and Groups in Active Directory can allow you to tailor AD to meet the needs of your business. There are distinct differences between OUs and Groups. You should properly plan out your AD design to ensure you are following best practices and make an efficient and effective environment.
Organizational Units are designed to be an effective structure to use for security purposes. You shouldn't use OUs just to create a model of your existing corporate structure (e.g. Marketing, IT, HR, Accounting, etc.) unless you have specific IT groups that manage those departments. You should instead look at a design based on efficient administration. If you have multiple locations and IT groups in those locations supporting those machines, you should probably design one based on geographical requirements and the local administration of individual OUs.

Groups are a more effective method of creating your organizational structure in. For example, you can create separate marketing, IT, HR, or accounting groups for users to distribute emails to or for secure access to resources.
Users can view group members when creating folders and adding security. Typically, end users do not see members of OUs.
The Computers and Users containers you see in Active Directory Users and Computers are not Organizational Units. They are containers which are distinctly different than OUs. Containers have a different security model. Even if your Active Directory environment is just for a small company, we recommend creating OUs to store your computer accounts and user accounts.

Modifying Permissions for Active Directory Objects

By default, you cannot see the security settings for objects in AD in Active Directory Users and Computers. In order to turn this functionality on:

1. Open Active Directory Users and Computers.
2. Click the View menu.
3. Click Advanced Features.

Whenever you choose Properties on an object, you will see a Security tab on the window.

If you scroll down the list of Group or user names you can view the security permissions for each of the accounts.
Typically, your security is inherited from above. Click on the Advanced button. If the Allow inheritable permissions from the parent to propagate to this object. checkbox is checked, this object is inheriting its permissions from a parent object.

Think of the objects as a tree.

In the diagrammed example, you have a tree of objects in your Active Directory domain. Everything with a solid line inherits (copies) all of the security rights from above. The Users OU has a dotted line, so it does not inherit the security rights but instead has its own settings. In this example, if you make a security change to the domain, every object except for Users will inherit those changes. Since Users has its own security rights, it will not receive a new copy of the updated rights.
Likewise, you cannot change the security on a child object - you must change it on the parent. If you wanted to change a security setting on OU 1, you would need to not allow it to receive settings from its parent and make the change. After the change, any child objects (in the example, the Computers OU) will receive the new changes because it is inheriting its security from its parent, OU 1. However, since Users is not inheriting its rights from OU 1, it will still remain independent keeping its own settings.
This principle also applies to other security permissions on other objects within Windows Server 2003. For example, if you set security rights on folders on a shared drive, you use these same principles when inheriting rights to subfolders.
These principles about the operation of security in Windows Server 2003 are crucial for your success. You must understand how inheriting works and how child objects react if they are or are not inheriting rights.

Exploring Inheriting Permissions
We setup a new Organizational Unit, Miami. Under this OU, we setup this structure:

All of the OUs created are inheriting their permissions from their parent object. For example, the Laptops OU inherits from the Computers OU which inherits from the Miami OU. If we make a change to the Computers OU, Laptops and Desktops will inherit those changes.
Changing Security on an OU

1. Open Active Directory Users and Computes.

1. Click the View menu and select Advanced Features (if it is not already selected).
2. Right-click on the OU you want to manage. In our example, we are going to change the Computers OU's security. Choose Properties.
3. Click on the Security tab.

1. The security rights for this OU are listed. Click Advanced.
2. Uncheck the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these entries explicitly defined here.

1. You have several options presented to you. You can Copy the current security settings, you can Remove the current settings and start with a clean slate, or you can simply Cancel the request. If you are simply adding or changing a single group or two in the security, it makes sense to Copy - you have a template to start with. If you are making a big change, removing the current settings may be easier. In our example, we are going to Copy the current security permissions.
2. Click OK.
3. Click Yes to the popup message.
4. The security settings remained as we copied versus removing them entirely.

1. Remove several of the groups listed from having security rights - for example, Account Operators or Authenticated Users.
2. Click Add to add groups or users.

1. As an example, we added the IT group to have Full Control over the OU.
2. Click OK.

Delegating Control of Organizational Units

If you have a distributed IT organization, you may want to delegate control of local OUs to individuals or teams at the location. This section explains how to use the Delegation of Control wizard and allow groups or individuals to administer certain functions of an OU.

1. Open Active Directory Users and Computers.
2. Right-click on the OU you want to delegate control over. Select Delegate Control.
3. The Delegation of Control Wizard opens. Click Next.
4. Click Add to add a user or group.

1. Enter the name of the user or group you want to delegate control to, click OK.

1. Click Next.

1. Select the common tasks you want this user or group to perform. In the example, we select the common account management tasks. If this were our helpdesk, we would simply select the ones they need, e.g. Read all user information and Reset user passwords.
2. Click Next.
3. Click Finish to close the wizard.

You can repeat this process for other users or groups if you want them to have different security rights.
If you right-click on the OU you just changed and select Properties, then click the Security tab, you can see the group or user you added is now listed in the Access Control List. Click on Advanced to see the advanced permissions they have.


In this section, you learned:

• The Organizational Unit structure
• Modifying permission for Active Directory objects
• Delegating control of Organizational Units

Practice Exercises

1. Create an Organizational Unit.
2. Create a user account. Create a PCSupport group. Change permissions on the user account to allow PCSupport to make changes to the account.
3. Delegate control of the OU to PCSupport.
Congratulations!

You have completed the Managing Access to Resources and Managing Printing sections, Part 2 of the Managing and Maintaining a Windows Server 2003 Environment (exam 70-290) tutorial.
Managing access to files, folder, prints, Organizational Units, and other resources is a crucial part of your job as a systems administrator. Learning the foundation to understanding security in Windows Server 2003 will be essential to your career and to the 70-290 exam objectives.