Chapter 3

Uploaded by

Adugna Negero
Copyright
© © All Rights Reserved

CHAPTER 3

MANAGING NETWORK ACCESS

3.1. Basic Concepts


Network access defines the access rights a user has to local resources, i.e. the scope of access users can have to those resources. A network administrator can limit a user’s access by applying New Technology File System (NTFS) permissions to files and folders. A powerful feature of networking is the ability to allow or protect access to files and folders.

3.2. Accessing Files and Folders


A network administrator can create shared files and folders on a network so that users with appropriate access rights can access them. To enable users to access files and folders, the network administrator must perform the following tasks:
• Create shared files and folders.
• Assign access rights to the users.

3.3. Partition System and Local Security Policy


• There are two types of file systems used by local partitions:
  o File Allocation Table (FAT), which includes FAT-16 and FAT-32
  o New Technology File System (NTFS)
• FAT partitions don’t support local security options, but NTFS partitions do.
• If the partition is NTFS, the network administrator can specify the access level each user has to the folders and files on the partition. NTFS permissions are the mechanism for controlling access to NTFS folders and files. The network administrator configures the access level by allowing or denying NTFS permissions to users. NTFS permissions are cumulative: they combine what a user is granted through each group membership. If a user is denied a permission through one group and allowed it through another, the denied permission overrides the allowed permission. For example, if user “A” is allowed the “write” permission in the accounting group and denied “write” in the marketing group, the cumulative permissions indicate that user “A” has no “write” permission.

3.3.1. Levels of NTFS Permissions


Windows Server OS offers six levels of NTFS permissions:
• Level 1 – Full Control: this permission allows the following rights:
  o Create folders and execute files/programs in the folders (folder properties, copy and move files).
  o List the content of folders and read data in the folder.
  o Create new files and write data to the file.
  o Delete folders and files.
  o See file or folder attributes (read only, hidden, archive).
  o Set/change permissions for files and folders.
If we check the Full Control permission, all permissions will be checked by default.
If we uncheck any lower-level permission (such as Read, or others), the Full Control allow check box will be automatically unchecked.
• Level 2 – Modify: this permission allows the following rights:
  o Create new folders and write data to the files.
  o Delete folders and files.
  o List the contents of folders and read the data in folders.
  o Execute files (access files) in the folders.
  o See file or folder attributes (read only, hidden, archive).
• If we select the Modify permission, the following will be checked/allowed:
  o Read and execute
  o List folder contents
  o Read
  o Write
• Level 3 – Read and Execute: this permission allows the following rights:
  o Execute files in the folders (copy, move, and renaming…).
  o List the content of a folder and read data in a folder’s files.
  o See file or folder attributes (read only, hidden, archive).
• If we select the Read and Execute permission, the following will be allowed automatically:
  o List folder contents
  o Read permission
• Level 4 – List Folder Contents: this permission allows the following rights:
  o List the content of folders.
  o See file/folder attributes.
• Level 5 – Read: this permission allows the following rights:
  o List the content of a folder.
  o Read the data in a folder’s files.
• Level 6 – Write: this permission allows the following rights:
  o Create a new folder/file.
  o Write data to the file.
  o Overwrite a file (modify a file).
  o Change file/folder attributes.
Applying NTFS permissions
• Right-click the file/folder we want.
• Select Properties.
• In the Properties dialog box, click the Security tab.
• Use the Add button to add a user to whom we want to assign access permissions.
• Use the Remove button to remove a user from the access permissions.
• Finally, click OK.
This dialog box allows us to set NTFS permissions for users/groups:

3.3.2. Understanding User’s Effective Permissions


• A user’s effective permission is the right the user actually has to access a file or folder.
• To determine a user’s effective permissions, combine all permissions that have been allowed to the user through the username or group association and subtract (remove) all permissions that have been denied to the user.
  o Example: Suppose “Sara” was a member of the Accounting and IT groups. She was assigned the following access permissions through these groups.
Sara’s permissions in the Accounting group:

Permission Allowed Deny

Full control

Modify √

Read and execute √

List folder contents √

Read √

Write √

Sara’s permissions in the IT group:

Permission Allowed Deny

Full control

Modify √

Read and execute

List folder contents √

Read √

Write √

Sara’s effective permissions are:

Permissions allowed (pA) – Permissions denied (pD) = Effective permissions (Ep), or

Effective permissions will be all permissions allowed that are not found in permissions denied.

• Therefore, Sara’s effective permissions are:
  o Read and execute
  o List folder contents
  o Read
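
The rule above (pA minus pD) as an added PowerShell example, not part of the original chapter. The function name, the entry format and the Allow/Deny split shown for Sara are assumptions chosen to reproduce the result stated above; permissions are treated as independent check boxes, as in the chapter's tables.

```powershell
function Get-EffectivePermission {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [string[]] $Groups = @(),
        [Parameter(Mandatory)] [object[]] $Entries
    )
    # An entry applies when it names the user or one of the user's groups.
    $principals = @($User) + $Groups
    $applicable = @($Entries | Where-Object { $principals -contains $_.Principal })

    # pA: everything allowed anywhere; pD: everything denied anywhere.
    $allowed = @($applicable | Where-Object { $_.Type -eq 'Allow' } |
                 ForEach-Object { $_.Permissions } | Sort-Object -Unique)
    $denied  = @($applicable | Where-Object { $_.Type -eq 'Deny' } |
                 ForEach-Object { $_.Permissions } | Sort-Object -Unique)

    # For troubleshooting: which principal's Deny removed an allowed permission.
    $overridden = @(foreach ($p in @($allowed | Where-Object { $denied -contains $_ })) {
        $by = $applicable | Where-Object { $_.Type -eq 'Deny' -and $_.Permissions -contains $p }
        '{0} (denied via {1})' -f $p, (($by.Principal | Sort-Object -Unique) -join ', ')
    })

    [pscustomobject]@{
        User       = $User
        Effective  = @($allowed | Where-Object { $denied -notcontains $_ })  # Ep = pA - pD
        Overridden = $overridden
    }
}

# Constructed entries (assumed split of the check marks between Allow and Deny).
$entries = @(
    [pscustomobject]@{ Principal = 'Accounting'; Type = 'Allow'
        Permissions = 'Modify', 'Read and execute', 'List folder contents', 'Read', 'Write' }
    [pscustomobject]@{ Principal = 'IT'; Type = 'Allow'
        Permissions = 'List folder contents', 'Read' }
    [pscustomobject]@{ Principal = 'IT'; Type = 'Deny'
        Permissions = 'Modify', 'Write' }
    # User "A" from section 3.3: write allowed in one group, denied in another.
    [pscustomobject]@{ Principal = 'AcctWriters'; Type = 'Allow'; Permissions = @('Write') }
    [pscustomobject]@{ Principal = 'Marketing';   Type = 'Deny';  Permissions = @('Write') }
)

Get-EffectivePermission -User 'Sara' -Groups 'Accounting', 'IT' -Entries $entries | Format-List
Get-EffectivePermission -User 'A' -Groups 'AcctWriters', 'Marketing' -Entries $entries | Format-List
```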

3.3.3. Permission Inheritance


• Suppose we have subfolders in the main folder to which we apply permissions.
• By default, the parent folder’s permissions are applied to any files and subfolders in the folder.
• These are called inherited permissions.
To configure permission inheritance:
• Right-click the folder we want.
• Click Properties.
• Click the Advanced tab.
• Select the “Allow inheritable permissions from the parent to propagate to this object” check box and click OK.
The following dialog box indicates permission inheritance allowed to the users in the entries box:

We should assign permissions at higher-level folders within the directory structure and use inheritable permissions to propagate permissions to all child objects within the structure.
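
A scripted view of the same inheritance behaviour, as an added example that is not part of the original chapter. The demo folder names under the temp directory and the BUILTIN\Users group are assumptions; run it on an NTFS volume.

```powershell
# Demo folders (assumed names) created under the current user's temp directory.
$parent = Join-Path $env:TEMP 'ntfs-inherit-demo'
$child  = Join-Path $parent 'reports'
New-Item -ItemType Directory -Path $child -Force | Out-Null

# 1. Allow Modify on the parent, flagged to propagate to subfolders and files.
$acl  = Get-Acl -Path $parent
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $parent -AclObject $acl

# Helper: show the entries for the demo group on a path, including whether
# each entry was set on the object itself or inherited from its parent.
function Get-GroupEntry {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}

# 2. The subfolder received the entry from its parent (see the IsInherited column).
Get-GroupEntry -Path $child

# 3. Equivalent of clearing the inheritance check box on the subfolder.
#    First argument: protect this object from inheritance.
#    Second argument: keep the inherited entries as explicit copies.
$childAcl = Get-Acl -Path $child
$childAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $child -AclObject $childAcl

# 4. The same entry is now set directly on the subfolder, and later changes
#    on the parent no longer reach it.
Get-GroupEntry -Path $child
(Get-Acl -Path $child).AreAccessRulesProtected

# Clean up the demo folders.
Remove-Item -Path $parent -Recurse -Force
```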

3.3.4. Determining NTFS Permissions

1. Copy files
2. Move files
When we move or copy NTFS files, the permissions that have been set for those files might be changed:
1. If we move a file from one folder to another folder on the same NTFS volume, the file will retain the original NTFS permissions (NTFS permissions of the source folder).
2. If we move a file from one folder to another folder between different NTFS volumes, the file is treated as a copy and will have the same permissions as the destination folder.
3. If we copy a file from one folder to another folder on the same NTFS volume or on a different volume, the file will have the same permissions as the destination folder.
4. If we copy/move a folder or file to a FAT partition, it will not retain any NTFS permissions.

3.4. Creating Shared Folders


To share a folder, we must be logged on as a member of the Administrators or Server Operators group:
• In the folder properties dialog box, click the Sharing tab.
• Select the “Don’t share this folder” option to unshare the folder.
• Select the “Share this folder” option to share the folder.
The following dialog box indicates how a folder called Sara was shared:

3.4.1. Configuring Share Permissions

• To control users’ access to shared folders, we have to assign share permissions.
• Share permissions are less complex than NTFS permissions, and they can be applied only to folders, whereas NTFS permissions are applied to both folders and files.
To assign share permissions:
• Click the Permissions button in the Sharing tab of the folder properties dialog box.
• We can assign 3 types of share permissions:
  o Full Control share permission, to allow full access to the shared folder.
  o Change share permission, to allow users to change data in a file (to modify).
  o Read share permission, to allow users to view and execute files in the shared folders.

Full control permissions allowed to the user Sara:

• Read is the default share permission on a shared folder for Everyone.
• Shared folders do not use the concept of inheritance as NTFS permissions do.
• If we share a folder, there is no way to block access to lower-level resources in the structure.
Viewing shared folders
• When we select Shares in the Shared Folders utility, we will see all shares that have been configured on the computer.
• A share name that is followed by a dollar sign ($) indicates that the share is hidden from view when users access it through My Network Places.
  o Example: C$ for C:\ and D$ for D:\
• A shared folder looks like the following:
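
Added example, not part of the original chapter: a review of share permissions built on the points above (Read for Everyone by default, no way to block lower-level resources, `$` shares hidden from browsing). The function name, the list of broad groups and the sample records are assumptions; the records are constructed in the shape that `Get-SmbShareAccess` returns.

```powershell
function Find-ShareAccessIssue {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Access)
    begin {
        # Broad principals: a grant to any of these reaches most or all network users.
        $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    }
    process {
        # Only Allow entries for broad principals are reported.
        if ([string]$Access.AccessControlType -ne 'Allow') { return }
        if ($broad -notcontains $Access.AccountName) { return }

        $right = [string]$Access.AccessRight
        $note = if ($right -in 'Full', 'Change') {
            'Broad write access: applies to every subfolder and file under the share'
        } else {
            'Default-style Read for a broad group: confirm it is intended'
        }
        [pscustomobject]@{
            Share   = $Access.Name
            Hidden  = $Access.Name.EndsWith('$')   # hidden from browsing only
            Account = $Access.AccountName
            Right   = $right
            Note    = $note
        }
    }
}

# Constructed sample records (share and account names are made up, except the
# "Sara" share and C$ used as examples in this chapter).
$sample = @(
    [pscustomobject]@{ Name = 'Sara';     AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Reports';  AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Payroll$'; AccountName = 'BUILTIN\Users'
                       AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'C$';       AccountName = 'BUILTIN\Administrators'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
)
$sample | Find-ShareAccessIssue | Format-Table -AutoSize -Wrap

# On a file server, feed it the live share list instead of the sample:
#   Get-SmbShare | Get-SmbShareAccess | Find-ShareAccessIssue
```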

3.5. Managing Network Printing


The process of creating, managing and deleting printers is fairly easy. When we connect a plug and play printer to a Windows Server OS, it is typically recognized through the Found New Hardware wizard. We can also manually configure printers through the Add New Printer wizard, which leads us through the process of installing and configuring our printer.
Each printer has an associated set of print properties, which allows us to exercise full control
over how the printer is set up. For example, we can determine whether the printer is shared,
whether it will use advanced features such as print pooling, and which users and groups can
access the printer.

3.5.1. Setting up Network Printers


The network administrator can create a local printer, which is a print device that is directly
attached to the local computer, or a network printer which is a print device that is attached to
another computer on the network or a print device that has its own network card and attaches
directly to the network similar to the computers.
The computer on which we run the Add Printer wizard and create the printer automatically
becomes the print server for that printer. The print server manages all of the printers that have
been created on the computer.
As the print server, the computer must have enough processing power to support incoming print
jobs and enough disk space to hold all of the print jobs that will be queued. To manually create a
new local or network printer, take the following steps:
• Select Start > Printer and Fax/Devices and Printers.
• Click the Add Printer icon.
• The Add Printer wizard will start.
• Click the Next button to continue.

3.5.2. Managing Network Printer Properties


Once a printer has been set up, printer properties allow us to configure options such as the printer name, whether or not the printer is shared, and printer security issues. To access the printer properties dialog box:
• Open the Printers and Faxes/Devices and Printers folder.
• Right-click the printer we want to manage.
• Choose Properties from the pop-up menu.
The printer properties dialog box has a minimum of six tabs: General, Sharing, Ports, Security, Device Settings, and Advanced.
a) Configuring General Properties:
The General tab of the network printer properties dialog box contains information about the printer: the name of the printer, the location, and the comment about the printer are shown here to reflect our entries when we set up the printer. It also lets us set printing preferences and print test pages to check our printer connectivity.

Setting Printing Preferences


Clicking the Printing Preferences button opens the printing preferences dialog box as shown below. This dialog box allows us to specify the layout of the paper (orientation: portrait/vertical or landscape/horizontal), the number of pages per sheet, and the page order.

b) Configuring Sharing Properties:
The sharing tab of printer properties dialog box allows us to specify whether the printer will be
configured as a local printer or as a shared network printer. If we choose to share the printer, we
also need to specify a share name, which will be seen by the network users.

If we uncheck the “Share this printer” check box, the printer will become a local printer and no one can use it as a shared network printer.
c) Configuring Port Properties:
The ports tab will allow us to configure all of the ports that have been defined for printer use. A
port is defined as the interface that allows the computer to communicate with the print device.

Windows Server OS supports local (physical) ports and logical ports, which can be: parallel ports, serial ports, USB ports, infrared, TCP/IP ports and others.
Local ports are used when the printer attaches directly to the computer. Standard TCP/IP-
physical ports are used when the printer is attached to the network by installing a network card in
the printer.

The advantage of network printers is that they are faster than local printers and can be located
anywhere on the network. When we specify TCP/IP port, we must know the IP address of the
network printer.

Along with deleting and reconfiguring the existing ports, we can also set up printer pooling (i.e.
redirecting print jobs to another printer).

Printer Pooling
Printer pools are used to associate multiple physical print devices with a single logical printer.
We would use a printer pool if we had multiple physical printers in the same location that were
the same type and could use a single print driver.

The advantage of configuring and using a printer pool is that the first available print device will print our job. This is useful in situations where there is a group of devices shared by a group of users, such as a secretarial pool.

To configure a printer pool, click the Enable Printer Pooling check box at the bottom of the
ports tab and then check all of the ports that the print devices in the printer pool will attach to. If
we do not select the enable printer pooling option, we can select only one port per printer.
Redirecting Print Jobs to another Printer
If our print device fails, we can redirect all of the jobs that are scheduled to be printed to that
print device to another print device that has been configured and attached as a printer to another
client computer in the network environment. For this redirection to work, the new print device
must be able to use the same print driver as the old print device.
To redirect print jobs:
• Click the Add Port button in the Ports tab; the following Printer Ports dialog box will be displayed.

• From the available port types, highlight Local Port and choose New Port; the following Port Name dialog box will appear.

• In the port name box, type the name of the computer and printer that we want to redirect the print jobs to, in the following format, and click the OK button to start the print job.
Syntax: \\computername\printer-sharename
Look at the following example:

d) Security Properties – Print Permission:


The network administrator can allow or deny access to a printer using the Security tab of the printer properties dialog box.
The following are the print permissions assigned by Windows Server OS:
• Print: allows a user or group to connect to a printer and send print jobs to the printer.
• Manage printers: allows administrative control of the printer (change printer settings, share or unshare a printer, change print permissions, and manage printer properties).
• Manage documents: allows users to manage documents (pausing, restarting, resuming, and deleting queued documents). Users with this permission cannot manage printer properties.
The following printer properties dialog box shows how the network administrator configures the printer security permissions:

e) Configuring Advanced network print properties:
The advanced tab of the printer properties dialog box allows us to control many characteristics of
the printer. We can configure the following options:
• Printer availability
• Printer priority
• Spooling properties
• Separator page
i. Printer Availability configuration
Printer availability specifies when a printer will service print jobs. Usually, we control
availability when we have multiple printers that use a single print device. By default, the Always
Available radio button in the advanced tab is selected, so that users can use the printer 24 hours a
day. To limit the printer’s availability, select the Available from radio button and specify the
range of time when the printer will be available for print service.

The following printer availability option is configured to make the printer available only from 8:00 AM to 12:00 AM.

ii. Printer Priority configuration


Priority is another option that we might configure if we have multiple printers that use a single
print device. When we set priority, we specify how jobs are directed to the print device. For
example, we might use this option when two or more groups share a printer and we need to
control the priority in which print jobs are serviced by the print device. In the advanced tab of the
printer properties dialog box, we can set the priority value to a number from 1 to 99, with 1 as
the lowest priority and 99 as the highest priority.
Example:
Suppose that a single print device is used by the accounting department. The creators/owners in
the accounting department always want their print jobs to print before the jobs created by the
other users in the accounting department. To configure this arrangement, we could create a
printer called CREATORS/OWNERS on a port LPT1 with a priority of 99. We would then create
a printer on the same port LPT1 called USERS with a priority of 1.

Through the security tab of the printer properties dialog box, we would allow only
creators/owners to use the CREATORS/OWNERS printer and allow the other users to use the
USERS printer.

The following diagram shows how the two logical printers (users and creators/owners) can be
configured to use the same port (LPT1):

The following printer properties dialog box shows how to configure CREATORS/OWNERS to have permission to print their documents using the creators/owners printer, whereas USERS cannot print using this printer:

The following configuration shows how the priority can be set to 99 for the creators/owners printer, giving it the higher priority to print:

iii. Spooling
Spooling means that print jobs are saved to disk in a printer queue before they are sent to the printer. It keeps all of the print jobs from trying to print at the same time and makes printing faster. When we configure spooling options, we specify whether print jobs are spooled or sent directly to the printer. By default, spooling is enabled.
iv. Separator Pages
Separator pages are used at the beginning of each document to be printed to identify the user
who submitted the print job and to separate print jobs/documents. If our printer is not shared, a
separator page is generally a waste of paper. If the printer is shared by many users, the separator
page can be useful for distributing finished print jobs.
To add a separator page, click the Separator Page button in the lower-right corner of the
advanced tab of the printer properties dialog box.
Click the Browse button to locate and select the separator page file that we want to use. Windows Server OS supplies the separator files listed below, which are stored in the \windir\system32 folder. These separator page files are: Pcl.sep, Pscript.sep, Sysprint.sep, and Sysprintj.sep. When we click the Separator Page button for the first time, the system will display the following dialog box and prompt us to choose a separator page file from the Windows folder using the Browse button.

After we choose a separator page file – pcl.sep, the system will display the following separator
page dialog box. Click OK to finish the set up.
