Chapter 13
Sharing and Securing Network Resources


In this chapter, you learn how to
- Create shared folders on the server
- Use share permissions to control global access to shared folders
- Use NTFS folder permissions and NTFS file permissions
- Use the Add Printer Wizard to share a printer attached directly to
the computer running Windows NT Server 4.0
- Configure a remote network printer server and print queue as a shared
server resource
- Install and configure printer auditing
The fundamental purpose of any network operating system (NOS) is to
give users access to shared network resources such as folders, files, and
printers. Just as important as the capability to share these resources
is the capability to control which users have access to each resource.
Windows NT Server 4.0 provides all the tools you need to share and secure
folders and files. You can control access to folders and files on a very
broad level. For example, folder shares function like a blunt instrument.
They allow you to share a folder on the Windows NT Server computer, but
they allow access control only at the group level, and only then to the
folder and all subfolders as a group. NTFS folder access permissions and
NTFS file access permissions, on the other hand, function more like scalpels.
They allow you to control access very finely, down to the level of deciding
whether one particular user can access one particular file in one particular
subfolder.
Windows NT Server 4.0 also provides all the tools you need to share
and secure network printers. You can share printers that are physically
connected to the computer running Windows NT Server. You can also share
printers that are physically connected to other Microsoft Networking clients
on the network, configuring them to appear as shared resources on the Windows
NT Server computer.
Sharing and Securing Folders and Files
Windows NT Server makes it easy for you to share folders and files.
Behind this ease of use lurks the power needed to control which users can
access which resources. In the following sections, you learn how to share
folders and files and how to control access to them. The extent to which
you can secure your folders and files depends on the file system you decide
to use.

Windows NT 4.0, like Windows 95, has adopted the term folder to
replace directory; thus, this chapter uses the term folder,
which is likely to be adopted by most Windows NT users. (Similarly, this
chapter uses the term subfolder in place of the term subdirectory.)
Some Windows NT dialogs and help screens still use the term directory.
When one of these screen elements is explicitly referred to in the text,
this chapter uses the term directory to correspond to Microsoft
usage and to avoid confusion.

Windows NT Server File Systems
Windows NT Server lets you choose among three supported file systems.
The first two of these file systems are supported largely for historical
and backward-compatibility reasons. The third was designed to provide the
performance, security, and features needed by a modern network operating
system.
The three supported file systems of Windows NT Server 3.x and 4.0 are
as follows:
- The FAT file system is marginally faster than the other file
systems on small servers, but provides none of the data integrity features
available with the HPFS and NTFS file systems. Access control is limited
to share-level security. Don't consider using the FAT file system on a
production server.

- The High Performance File System (HPFS), originally developed
by IBM for its OS/2 operating system, is fast and provides good data integrity
features, but offers only share-level security. However, all features of
HPFS are matched or bettered by NTFS, so there's no reason to use HPFS.
Unlike prior versions of Windows NT, Windows NT 4.0 doesn't support HPFS,
although you can access HPFS files and folders running on networked Windows
NT 3.x servers.
- The NT File System (NTFS) is the native file system designed
by Microsoft for Windows NT Server. It's fast, offers excellent security,
and provides rock-solid data integrity functions.
Although Microsoft offers you a choice of file systems, don't spend
too long thinking about which to pick. Using NTFS provides the best mix
of speed, security, and protection for your data.

See "Handling Files with NTFS" (Ch 3)

Understanding Folder Shares
Until a folder is shared, no user can access it across the network.
Even the system administrator, who has full access to all server folders
and files, can't access a folder across the network until a share has been
created for that folder.
Folder shares provide the first level of security by controlling which
folders on the server are visible to--and therefore accessible by--logged-on
users. As a means of securing access, folder shares have the following
drawbacks:
- Sharing a folder automatically shares all files contained in that folder
and in its subfolders. If you need finer control of which subfolders and
files are accessible to which users, you must use folder access permissions
and file access permissions, which are available only if you're using the
NTFS file system.
- A folder share controls access only for those users who log on to the
server from a remote workstation. Any user with physical access to the
server can log on locally and bypass share-level security.

Sharing works with all three file systems supported by Windows NT Server--FAT,
HPFS (Windows NT Server 3.x only), and NTFS. Shares are the only form of
access control available with the FAT and HPFS file systems. This means
that any user who has physical access to the server can log on locally
and bypass security on FAT and HPFS volumes.

Creating, Modifying, and Removing Folder Shares.
To create a folder share, you must be logged on locally to the computer
running Windows NT Server, and your account must be a member of the Administrators,
Server Operators, or Power Users group. Follow these steps to create a
new folder share:
- Double-click the My Computer icon to display a list of drives available
on your server.
- Double-click one of the available drives to display a list of folders
contained on that drive. If the folder you want to share isn't at the root
level, click the + symbol to the left of the parent folder name to display
a list of subfolders for that folder.
- Right-click a folder to display the context-sensitive menu.
- Click Sharing to display the Sharing page of the property sheet for
that folder (see fig. 13.1).
Figure 13.1. Creating a share with the Sharing page of the Foldername Properties sheet.
- By default, the folder is marked Not Shared. Select the Shared As option
button to activate the remaining controls of the dialog and to let you
enter information for the share.
- Type a descriptive name for the share into the Share Name combo box.
This is the name by which users access the shared folder. Optionally, type
a more complete description of the resource into the Comment text box.
- Specify User Limit information. By default, the new share is set to
Maximum Allowed, which allows any number of users to access the share simultaneously,
up to the limit of the number of users for which the server is licensed.
- Select the Allow option button and select a specific number of allowable
simultaneous users, if you want to limit the number of users who are permitted
to access this share at any one time. Do this if you're concerned about
performance degradation when a large number of users contend for a single
resource.
By default, the new share provides Full Control to the group Everyone.
This means that any user with an account on the server can add, modify,
or delete files contained in this folder. The following section, "Working
with Share Permissions," describes how to restrict access to the new
share.

Although Windows NT Server 4.0 converts long file and folder names to
a form usable by clients running DOS and Windows versions before Windows
95, it doesn't perform a similar conversion for share names. So although
Windows NT Server 4.0 allows you to use share names that exceed the MS-DOS
8.3 naming conventions, doing so makes these shares inaccessible to some
clients.

To remove a folder share, perform the first four steps of the preceding
procedure to display the Sharing page of the Foldername Properties sheet.
Select the Not Shared option button and then click the Apply button.
To modify the share, specify a new Share Name, Comment, or User Limit,
as described in the preceding steps. You also can create an alias for this
shared resource by clicking the New Share button and completing the dialog.
Doing so allows the same shared resource to be accessed by more than one
share name.
Clicking the Permissions button allows you to determine which users
and groups have access to this shared resource, and at what level. The
following section describes how to restrict access in this manner.
Working with Share Permissions.
Share permissions control which users and groups can access a share,
and at what level. You can add, modify, view, or remove the following share
permissions for each folder you have shared on the server:
- No Access (None) permission restricts all access to the shared
folder.
- Read permission allows the user to view file names and subfolder
names within the shared folder. You can change to a subfolder, and you
can open a file in the shared folder or in a subfolder in read-only mode,
but you can't write to that file or delete it. You can execute program
files for which you have only Read permission.
- Change permission grants all the rights provided by Read permission,
and adds the rights to create new files and subfolders, modify the contents
of new or existing files, and delete files and subfolders.
- Full Control (All) permission grants all the rights provided
by Change permission, and adds the rights to create and modify NTFS file
permissions and folder permissions, as well as take ownership of NTFS files
and folders.
You can modify, view, and remove share permissions by using the following
procedure:
- Perform the first four steps in the preceding section to display the
Sharing page of the Foldername Properties sheet.
- Click the Permissions button to display the Access Through Share Permissions
dialog (see fig. 13.2). The Name list displays the users and groups authorized
to access this share. By default, the group Everyone is assigned the Full
Control permission to the share.
Figure 13.2. Setting share permissions in the Access Through Share Permissions dialog.
- To modify the share permission for an existing user or group, highlight
that user or group and select a Type of Access from the drop-down list.
- To remove the share permission for an existing user or group, highlight
that user or group and click the Remove button.
- Click OK to accept the changes and return to the Foldername
Properties sheet.
Adding a share permission requires a few more steps. To add a share
permission, display the Access Through Share Permissions dialog by following
steps 1 and 2 in the preceding list. Then proceed as follows:
- Click the Add button to display the Add Users and Groups dialog (see
fig. 13.3).
Figure 13.3. Granting share permissions to users and groups in the Add Users and Groups dialog.
- Select the domain or computer from which the new users or groups are
to be added by highlighting a choice in the List Names From drop-down list.
Groups that are members of the selected domain or computer are displayed
in the Names list.
- Select one of the displayed groups by clicking its name. (By default,
only the groups are displayed. To display users, click the Show Users button.)

You can add several users and groups to the share in a single step by selecting
multiple users and groups using standard Windows selection conventions.
Hold down the Ctrl key and click to add additional individual users or
groups to the selected list. Hold down the Shift key and click to add a
contiguous range of users or groups to the selected list. As you select
each user or group to be added, its name appears in the Add Names list.

- After you select all users and groups to be added to the share, use
the Type of Access drop-down list to select the access type to be granted
to the selected users and groups.
- Click the Add button and then click OK to add the selected users and
groups to the share. The Access Through Share Permissions dialog appears,
with the new users and groups added to the share and their access type
displayed.

If you're using share permissions to restrict access to a shared folder,
remember to remove the default share permission that grants the group Everyone
the Full Control share permission for that folder. Share permissions are
cumulative, so any user has all share permissions granted to any
group of which he is a member.

- In the Access Through Share Permissions dialog, click OK to return
to the Foldername Properties sheet. Click OK to accept the changes
you've made to the share.

Share permissions specify the maximum level of access available within
the shared folder tree. Any subsequent restrictions you add with NTFS folder
permissions and NTFS file permissions (described in the following section)
can only further restrict access. They can't grant an access level above
that allowed by the share permission.

Administrative Shares.
In addition to the shares that you create, Windows NT Server automatically
creates several shares for administrative purposes. These administrative
shares include at least the following:
- ADMIN$ points to the location of the shared Windows NT Server
folder on the server. For example, if you install Windows NT Server to
the C:\Winnt folder on your server, the ADMIN$ share points to this folder.
- [drive letter]$ points to the root folder of each drive on the
server. For example, if your server has three drives, designated C, D,
and E, these drives are each represented by an administrative share, named
C$, D$, and E$, respectively.
The most common administrative shares are the drive and folder shares.
However, administrative shares can also represent a named pipe for Remote
Procedure Calls, a communication-device queue (only on LAN Manager servers),
or a shared printer.

See "Calling Remote Procedures" (Ch 3)


If you want to create a share that isn't visible to users browsing the
network, make the final character of the share name a $. A share so named
doesn't appear to a user browsing network resources. To access the share,
the user must know the exact share name and must explicitly type it.
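
The following Python script is an added example, not part of the original chapter or any Microsoft tool. It audits a share inventory against points made in this section: the default Everyone Full Control grant, share names beyond 8.3, cumulative share permissions, and $-hidden shares. The inventory, paths, finding codes and the exact reading of "8.3" are assumptions constructed for the illustration.

```python
import re

# Assumption for this check: an "8.3" name is 1-8 characters, optionally
# followed by a dot and 1-3 more characters, with no spaces.
EIGHT_DOT_THREE = re.compile(r"^[^ .]{1,8}(\.[^ .]{1,3})?$")

# Share permission levels from the chapter, ordered from least to most access.
RANK = {"Read": 1, "Change": 2, "Full Control": 3}

# Constructed sample inventory; SHARED is the share name used in the chapter,
# everything else (names, paths, groups) is made up for the example.
SHARES = [
    {"name": "SHARED", "path": r"D:\Shared",
     "acl": {"Everyone": "Full Control"}},
    {"name": "Quarterly Reports", "path": r"D:\Reports\Quarterly",
     "acl": {"Everyone": "Change", "Marketing": "Read"}},
    {"name": "PAYROLL$", "path": r"E:\Payroll",
     "acl": {"Accounting": "Change", "Administrators": "Full Control"}},
    {"name": "TOOLS$", "path": r"E:\Tools",
     "acl": {"Everyone": "Read"}},
]


def audit_share(share):
    """Return a list of finding codes for one share definition."""
    name, acl = share["name"], share["acl"]
    findings = []

    # Share names are not converted for DOS and pre-Windows 95 clients.
    if not EIGHT_DOT_THREE.match(name):
        findings.append("NAME_NOT_8_3")

    # A new share grants Everyone Full Control until someone removes it.
    everyone = acl.get("Everyone")
    if everyone == "Full Control":
        findings.append("EVERYONE_FULL_CONTROL")

    # Share permissions are cumulative: an entry that grants less than
    # Everyone already has restricts nothing. No Access entries rank 0 and
    # are skipped, because they do change the outcome.
    floor = RANK.get(everyone, 0)
    for principal in sorted(acl):
        if principal != "Everyone" and 0 < RANK.get(acl[principal], 0) < floor:
            findings.append("REDUNDANT_ENTRY:" + principal)

    # A trailing $ only hides the share from browsing; anyone who knows the
    # name still gets whatever Everyone is granted.
    if name.endswith("$") and floor > 0:
        findings.append("HIDDEN_BUT_OPEN_TO_EVERYONE")

    return findings


def audit(shares):
    """Map each share name to its list of findings."""
    return {share["name"]: audit_share(share) for share in shares}


if __name__ == "__main__":
    for share_name, findings in audit(SHARES).items():
        print("%-18s %s" % (share_name, ", ".join(findings) or "ok"))
```
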

Displaying All Shares and Disconnecting Shares.
Shared folders are indicated by a distinctive icon in Windows NT Explorer
and the My Computer window. However, sometimes it's useful to see a comprehensive
list of shares displayed in one place. To see a list of all active shares
on your server, proceed as follows:
- From Control Panel, double-click the Server icon to display the Server
dialog (see fig. 13.4).
Figure 13.4. The initial dialog of Control Panel's Server tool.
- Click the Shares button to display the Shared Resources dialog (see
fig. 13.5). For each share, this dialog displays the Sharename, Uses (the
number of current active sessions for the share), and Path associated with
the share name.
- To disconnect one share, highlight the share name and click the Disconnect
button. You can disconnect all shares in one step by clicking the Disconnect
All button.
Figure 13.5. The Shared Resources dialog, displaying share names and number of connected users.
Using the Managing Folder and File Access Wizard

The Managing Folder and File Access Wizard provides a quick and easy
way to create and manage folder shares.

During each major step of the Managing Folder and File Access Wizard,
you can click the Next button to proceed to the next step, click the Back
button to return to the preceding step, or click the Cancel button to abort
the process.
During subsidiary dialogs in the Managing Folder and File Access Wizard
process, you use the standard Windows dialog buttons. Clicking OK accepts
the changes you've made and proceeds to the next step in the process. Clicking
Cancel returns you to the previous dialog without making changes. In the
interest of brevity, the following steps assume that you click the appropriate
button to proceed with each step of the process.

To use the Managing Folder and File Access Wizard, follow these steps:
- From the Start menu, choose Programs, Administrative Tools, and Administrative
Wizards to display the Administrative Wizards menu.
- Click the Managing File and Folder Access icon to display the first
dialog of the Managing Folder and File Access Wizard (see fig. 13.6).
Figure 13.6. The opening dialog of the Managing Folder and File Access Wizard.
- Select On My Computer to create or manage shares on the server, or
select On Another Computer to manage shares on another computer on the
network. In this example, a new share is created on another server. The
Managing Folder and File Access Wizard displays the dialog shown in figure
13.7.
Figure 13.7. Selecting the computer where the share is to be created.
- Select the computer where you want to create or manage the share and
click Next. The Managing Folder and File Access Wizard displays the dialog
shown in figure 13.8. In the example, a new share name is entered into
the To Create a New Folder, Type a New Name text box to create a new share
named SHARED.
Figure 13.8. Selecting an existing folder or creating a new folder.
- Click Next to display the Managing Folder and File Access confirmation
message shown in figure 13.9. Click Yes to create the new folder. The Managing
Folder and File Access Wizard displays the message box shown in figure
13.10 to confirm that the new folder has been created successfully. Click
OK.
Figure 13.9. Confirming the creation of the new folder for the share.
Figure 13.10. Confirming that the new folder has been created.
- Click Next to display the next Managing Folder and File Access Wizard
dialog (see fig. 13.11). This dialog allows you to set permissions for
the folder to determine who has access to it, and at what level. By default,
the original permissions for the share are retained, and these permissions
flow down to affect the files and subfolders contained within this folder.
Figure 13.11. Assigning permissions to the shared folder.
- To change these default permissions, click Change Permissions and choose
one of the three options presented:
- Only I Have Access and Full Control
- I Have Access and Full Control, Everyone Else Can Only Read It
- Everyone Has Access and Full Control
- Mark the Apply These Permissions to All Folders and Files Within This
Folder check box if you want the permissions you set here to apply to all
subfolders and files contained within this folder. Unmark the check box
if you want these permissions to apply only to this folder.
- Click Next to display the Managing Folder and File Access message box
(see fig. 13.12). This message box allows you to specify whether the folder
will be shared with network users. Click Yes to allow network users to
access the folder.
Figure 13.12. Specifying whether you want to share this folder with network users.
- The Managing Folder and File Access Wizard displays the dialog shown
in figure 13.13. You may rename the share, provide a brief description
of the share, and specify which types of network users may access the share.
Make any changes necessary and click Next.
Figure 13.13. Renaming the share, adding a description, and selecting the type of network users who have access to the share.
- The Managing Folder and File Access Wizard displays the summary shown
in figure 13.14. Click Finish to complete creating the share.
Figure 13.14. The summary displays the choices you've made for the new share.
- The message box shown in figure 13.15 lets you exit the Managing Folder
and File Access Wizard or continue managing shares. Click No to exit or
Yes to manage another share.
Figure 13.15. The final message of the Managing Folder and File Access Wizard.
Understanding NTFS Permissions
Share-level access control provides only a limited capability to determine
which users can access which files. The FAT and HPFS file systems offer
only share-level access control. If you need to control access down to
subfolders and individual files, your only choice is to use the NTFS file
system. Doing so is no sacrifice at all, because NTFS offers more features,
better performance (on all but the smallest volumes), and better security
than the other file systems supported by Windows NT Server.
In addition to the file name, file size, and date/time stamp, NTFS stores
extended attributes with each file and folder entry. One of these extended
attributes, named permissions, determines which users and groups
have access to the shared resource. NTFS has the following types of permissions:
- File access permissions store information about which users
and groups are permitted to access a specified file and the level of access
they're allowed. For example, the user Admin and the group Programmers
might have full read/write access to a particular database file; the group
Marketing might have read-only access; and the group Accounting might have
no access at all.
- Folder access permissions store information about which users
and groups are permitted to access a specified folder and the level of
access they're allowed. For example, the user Webmaster and the group Administrators
can have full read/write access to the Web server folder on your server
(which contains your private company intranet), the group Everyone can
have read-only access, and the user Guest can have no access at all.
By default, a user inherits file and folder permissions from the group
of which that user is a member. For example, if a newly created user is
assigned to the group Marketing, that user is automatically granted
all file- and folder-access permissions possessed by the group. If a user
is a member of more than one group, that user has all permissions
owned by any group of which he is a member.
Paying careful attention to how you assign file and folder permissions
to groups allows you to reduce or eliminate the time-consuming and error-prone
process of assigning permissions on a user-by-user basis.

NTFS file and folder permissions can be used only to further restrict
share-level permissions established when the original share was created
or modified. NTFS permissions can't grant something that was taken away
by the share-level permission in effect. For example, if the share-level
permission restricts users to read-only access, setting NTFS file or folder
permissions to a higher level of access does nothing to increase the users'
level of access. Conversely, if the share-level permission allows full
access but an NTFS permission further restricts access to read-only, users
affected by the NTFS permission are limited to read-only access.
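
The rule in this note, combined with the cumulative group permissions described above, is worked through below as an added Python example that is not part of the original chapter. The users, group memberships and ACL entries are constructed sample data; mapping the share levels to the same rights letters as the NTFS file levels is a modeling assumption, and the No Access override follows the description of the No Access folder permission later in this chapter.

```python
# Added example: effective access to a file reached through a share.
# All users, groups and ACL entries below are constructed sample data.

ORDER = "RWXDPO"  # Read, Write, eXecute, Delete, change Permissions, take Ownership
ALL = frozenset(ORDER)
NO_ACCESS = "No Access"

# Standard levels as listed in the chapter. Assumption: the share levels
# Read / Change / Full Control map to the same letters as the NTFS file levels.
LEVELS = {
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": ALL,
}


def rights_of(level):
    """Rights for a standard level name, or a Special Access string such as 'RWX'."""
    if level in LEVELS:
        return LEVELS[level]
    custom = frozenset(level)
    if not custom or not custom <= ALL:
        raise ValueError("unknown permission level: %r" % level)
    return custom


def cumulative(acl, principals):
    """Union of the rights granted to every matching user or group.

    A matching No Access entry removes all access, whatever else is granted.
    """
    matched = [level for name, level in acl.items() if name in principals]
    if NO_ACCESS in matched:
        return frozenset()
    rights = frozenset()
    for level in matched:
        rights |= rights_of(level)
    return rights


def effective(user, groups, share_acl, ntfs_acl):
    """Access over the network: the share permission is a ceiling on NTFS."""
    principals = {user, "Everyone"} | set(groups)
    return cumulative(share_acl, principals) & cumulative(ntfs_acl, principals)


def local_access(user, groups, ntfs_acl):
    """Access when logged on locally: the share is bypassed, only NTFS applies."""
    return cumulative(ntfs_acl, {user, "Everyone"} | set(groups))


def show(rights):
    """Render a rights set in the chapter's letter notation."""
    return "".join(c for c in ORDER if c in rights) or "None"


# Constructed sample: a restricted share, the default share permission, and
# a file ACL modeled on the chapter's database-file example.
SHARE_ACL = {"Everyone": "Read", "Programmers": "Change"}
DEFAULT_SHARE_ACL = {"Everyone": "Full Control"}
FILE_ACL = {"Programmers": "Full Control", "Marketing": "Read",
            "Accounting": NO_ACCESS}
USERS = {
    "alice": ["Marketing"],
    "bob": ["Programmers", "Marketing"],
    "carol": ["Accounting", "Marketing"],
}

if __name__ == "__main__":
    for user, groups in sorted(USERS.items()):
        print("%-6s restricted share: %-6s default share: %-6s local: %s" % (
            user,
            show(effective(user, groups, SHARE_ACL, FILE_ACL)),
            show(effective(user, groups, DEFAULT_SHARE_ACL, FILE_ACL)),
            show(local_access(user, groups, FILE_ACL)),
        ))
```

For bob, NTFS grants Full Control, but the restricted share caps network access at Change; carol's Marketing membership does not help her, because the Accounting No Access entry wins.
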

Working with NTFS File Access Permissions.
NTFS file access permissions control which users and groups can access
a file, and at what level. Remember that NTFS file access permissions can
further restrict the access level granted by share permissions, but they
can't extend access beyond that granted by share access permissions. You
can add, modify, view, or remove the following file access permissions
for each file:
- No Access (None) permission restricts all access to the shared
file.
- Read (RX) permission allows you to view the file name and open
the file in read-only mode, but you can't write to the file or delete it.
Because read (R) permission implies execute (X) permission, if the file
is an executable program file, read permission allows you to execute it.
- Change (RWXD) permission grants all the rights provided by Read
permission, and adds the rights to write (W) and delete (D) the file, create
new files and subfolders, modify the contents of new or existing files,
and delete files and subfolders.
- Full Control (All) permission grants all the rights provided
by Change permission, and adds the rights to change NTFS file access permissions
and folder permissions, and to take ownership of NTFS files and folders.
- Special Access permission allows you to customize the file access
permissions for a particular file. You can specify any combination of read
(R), write (W), execute (X), delete (D), change permissions (P), and take
ownership (O). For example, you can use Special Access file access permissions
to allow a specified user or group to have read, write, and execute permissions
for the file, but not to have delete permission.
Modifying, Viewing, and Removing NTFS File Access Permissions.
You can modify, view, and remove NTFS file access permissions by following
these steps:
- In Windows NT Explorer, highlight the file or files for which permissions
are to be added, modified, viewed, or removed.
- Right-click to display the context-sensitive menu, and choose Properties
to display the Filename Properties sheet.
- Click the Security tab to display the Security page (see fig. 13.16).
Figure 13.16. The Security page of the Filename Properties sheet.
- Click the Permissions button to display the File Permissions dialog
(see fig. 13.17).
Figure 13.17. Granting permissions to groups with the File Permissions dialog.
- Select a type of access from the Type of Access drop-down list. You
can choose one of the standard types of access--No Access, Read, Change,
or Full Control--or you can select Special Access to customize file access
permissions for this file or group of files.
- If you've selected one of the standard types of access, click OK to
apply the selected file access permissions. You then return to the Filename
Properties sheet. Click OK again to accept the changes and exit the
Filename Properties sheet.
- If you select Special Access, the Special Access dialog shown in figure
13.18 appears. Mark the check boxes to select the types of access to be
granted for the selected file(s). The example shows a file for which all
permissions except Take Ownership (O) have been granted. This custom set
of permissions falls between the standard file access types Change (RWXD)
and Full Control (RWXDPO).
Figure 13.18. Setting specific permissions for a group in the Special Access dialog.
- After you select the permissions for the file, click OK to accept these
settings and return to the File Permissions dialog.
- In the File Permissions dialog, click OK to apply the selected file
access permissions and return to the Filename Properties sheet.
Click OK again to accept the changes and exit the Filename Properties
sheet.
Adding NTFS File Access Permissions.
You can add NTFS file access permissions by following these steps:
- Follow steps 1 through 4 from the preceding section to display the
File Permissions dialog.
- Click the Add button to display the Add Users and Groups dialog (see
fig. 13.19).
Figure 13.19. Granting the Power Users group file access in the Add Users and Groups dialog.
- Select the domain or computer from which the users and groups are to
be added from the List Names From drop-down list. Available groups are
displayed in the Names list. You also can display individual users from
within these groups by clicking the Show Users button.
- Select individual users or groups for which you want to add file access
permissions by double-clicking the name in the Names list. Each of these
is displayed in the Add Names list as you select it.
- You can also select multiple users and groups in the Names list by
using standard Windows conventions for making multiple selections. After
you finish making selections, click the Add button to transfer all selected
names to the Add Names list.
- Select the type of access to be granted to the selected users and groups
from the Type of Access drop-down list.

Only the standard types of access--No Access, Read, Change, and Full
Control--are available in the Add Users and Groups dialog. If you need
to assign special file access permissions for the users or groups being
added, simply choose any one of the standard permissions here and modify
your selection in the File Permissions dialog in the following step.

- Click OK to accept your changes and return to the File Permissions
dialog. The newly added users or groups are displayed in the Names list.
If you need to assign special file access permissions to the newly added
users or groups, highlight them now and assign these special file access
permissions using the steps described in the preceding section.
- After you properly assign all permissions, return to the File Permissions
dialog and click OK to return to the Filename Properties sheet.
Click OK to accept the changes and exit the Filename Properties
sheet.
Working with NTFS Folder Access Permissions.
NTFS folder access permissions control which users and groups can access
a folder and its files, and at what level. Remember that NTFS folder access
permissions can further restrict the access level granted by share permissions,
but they can't extend access beyond that granted by share access permissions.
You can add, modify, view, or remove the following folder access permissions
for each folder. Each named permission affects the folder in question and
the files contained within it. The first parenthetical item after each
folder access permission name lists the effect of that permission on the
folder; the second parenthetical item lists the effect of that permission
on files contained within the folder.
- No Access (None) (None) permission restricts all access to the
shared folder. Specifying No Access for a user eliminates that user's access
to the folder, even if the user is a member of a group or groups that have
access to the folder.
- List (RX) (Not Specified) permission allows the user to view
a list of files and subfolders contained within the folder, and to change
to a subfolder, but it doesn't grant permission to access the files.
- Read (RX) (RX) permission grants all the rights provided by
list permission. It allows the user to open a file in read-only mode, but
not to write to the file or delete it. Because read (R) permission implies
execute (X) permission, if the file is an executable program file, read
permission allows you to execute it.
- Add (WX) (Not Specified) permission allows the user to create
new files and new subfolders within the folder, but doesn't grant permission
to access the files, including those newly created.
- Add & Read (RWX) (RX) permission combines the rights granted
by the Read and Add folder permissions described in the preceding items.
- Change (RWXD) (RWXD) permission grants all the rights provided
by the Add & Read permission, and adds the rights to write (W) to and
delete (D) files and to delete (D) subfolders.
- Full Control (All) (All) permission grants all the rights provided
by the Change permission, and adds the rights to change NTFS file access
permissions and folder permissions, as well as take ownership of NTFS files
and folders.
- Special Directory Access permission allows you to customize
folder access permissions. You can specify any combination of read (R),
write (W), execute (X), delete (D), change permissions (P), and take ownership
(O). For example, you can use the Special Directory Access permission
to allow a specified user or group to have list and read permissions for
files within the folder, but not to have the execute permission.
- Special File Access permission allows you to customize file
access permissions. You can specify any combination of read (R), write
(W), execute (X), delete (D), change permissions (P), and take ownership
(O). Special file access permission works in the same way as the special
directory access permission described in the preceding item, but affects
only specified files contained within the folder rather than the folder
itself.

NTFS folder access permissions supersede restrictions placed on files
by NTFS file access permissions. For example, if a user has the Full Control
folder access permission in a folder that contains a file with file access
permissions set to read (R), that user can modify or delete the file.

Modifying, Viewing, and Removing NTFS Folder Access Permissions.
You can modify, view, and remove NTFS folder access permissions by following
these steps:
- In Windows NT Explorer, highlight the folder or folders for which permissions
are to be added, modified, viewed, or removed.
- Right-click to display the context-sensitive menu, and choose Properties
to display the Foldername Properties sheet.
- Click the Security tab to display the Security page (refer to fig.
13.16).
- Click the Permissions button to display the Directory Permissions dialog
(see fig. 13.20).
Figure 13.20. Granting file permissions for two NTFS folders in the Directory
Permissions dialog.
- Select an access type from the Type of Access drop-down list. You can
choose one of the standard types of access--No Access, List, Read, Add,
Add & Read, Change, or Full Control. You also can choose Special Directory
Access to specify a custom set of access rights for the affected folders,
or Special File Access to specify a custom set of access rights for the
files contained within those folders.

The Directory Permissions dialog includes two check boxes--Replace Permissions
on Subdirectories and Replace Permissions on Existing Files--that allow
you to specify which files and folders within the selected folder tree
are affected by the permissions you set. Marking both check boxes causes
the permissions you set to affect the selected folder, the files it contains,
the subfolders of that folder, and the files contained in these subfolders.
Marking only the Replace Permissions on Subdirectories check box causes
the permissions you set to affect only the selected folder and its subfolders,
but not the files contained within them. Marking only the Replace Permissions
on Existing Files check box causes the permissions you set to affect only
the selected folder and the files contained within it, but not the subfolders
or their files. Clearing both check boxes causes the permissions you set
to affect only the selected folder, but not the files contained within
it or the subfolders and their files.

- If you've selected one of the standard access types, click OK to apply
the selected folder access permissions. You then return to the Foldername
Properties sheet. Click OK again to accept the changes and exit the
Foldername Properties sheet.
- If you select Special Directory Access, the Special Directory Access
dialog appears (see fig. 13.21). Mark the check boxes to select the types
of access to be granted for the selected folder or folders. The example
shows access being set for two folders for which all permissions except
Take Ownership (O) have been granted. This custom set of permissions falls
between the standard folder access types Change (RWXD) and Full Control
(RWXDPO).
Figure 13.21. Granting specific permissions for two NTFS folders in the Special
Directory Access dialog.
- After you select the permissions for the folder, click OK to accept
these settings and return to the Directory Permissions dialog.
- In the Directory Permissions dialog, click OK to apply the selected
folder access permissions and return to the Foldername Properties
sheet. Click OK again to accept the changes and exit the Foldername
Properties sheet.
- If you select Special File Access, the Special File Access dialog shown
in figure 13.22 appears. Mark the check boxes to select the types of access
to be granted for files contained within the selected folder or folders.
The example shows access being set for two folders for which all permissions
except Take Ownership (O) have been granted. This custom set of permissions
falls between the standard folder access types Change (RWXD) and Full Control
(RWXDPO).
Figure 13.22. Granting specific file permissions in the Special File Access dialog.

The Special File Access dialog is almost identical to the Special Directory
Access dialog but includes one additional item. Selecting the Access Not
Specified option button in the Special File Access dialog prevents files
in the affected folder or folders from inheriting folder permissions.

- After you select special file access permissions for the affected folder
or folders, click OK to accept these settings and return to the Directory
Permissions dialog.
- In the Directory Permissions dialog, click OK to apply the permissions
and return to the Foldername Properties sheet. Click OK again to
accept the changes and exit the Foldername Properties sheet.
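The four combinations of the Replace Permissions on Subdirectories and Replace Permissions on Existing Files check boxes described in the procedure above, modeled as an added Python example (not code from the original chapter). The sample tree under D:\Projects and the function names are constructed for illustration; the rights strings are the standard folder permissions listed earlier in this section, with None standing for Not Specified.

```python
from pathlib import PureWindowsPath

# Standard folder permissions from the list above: (rights on folders, rights on files).
# None models "Not Specified": the entry grants nothing on files.
STANDARD = {
    "Add": ("WX", None),
    "Add & Read": ("RWX", "RX"),
    "Change": ("RWXD", "RWXD"),
    "Full Control": ("RWXDPO", "RWXDPO"),
}

# Constructed sample tree (hypothetical paths): path -> "dir" or "file".
ROOT = r"D:\Projects"
TREE = {
    r"D:\Projects": "dir",
    r"D:\Projects\plan.doc": "file",
    r"D:\Projects\Budget": "dir",
    r"D:\Projects\Budget\q1.xls": "file",
    r"D:\Projects\Budget\Archive": "dir",
    r"D:\Projects\Budget\Archive\old.xls": "file",
}


def affected(tree, root, replace_subdirs, replace_files):
    """Return the paths whose permissions are replaced for one check box combination."""
    root_path = PureWindowsPath(root)
    hit = []
    for name, kind in tree.items():
        path = PureWindowsPath(name)
        if path == root_path:
            hit.append(name)              # the selected folder is always changed
        elif root_path not in path.parents:
            continue                      # outside the selected folder tree
        elif kind == "dir":
            if replace_subdirs:
                hit.append(name)
        elif replace_files and (path.parent == root_path or replace_subdirs):
            # Files in the selected folder need only the files box;
            # files in subfolders need both boxes.
            hit.append(name)
    return sorted(hit)


def untouched(tree, root, replace_subdirs, replace_files):
    """Return the paths below root that keep their previous permissions."""
    root_path = PureWindowsPath(root)
    changed = set(affected(tree, root, replace_subdirs, replace_files))
    return sorted(n for n in tree
                  if root_path in PureWindowsPath(n).parents and n not in changed)


def apply_permission(acl, tree, root, access, replace_subdirs, replace_files):
    """Return a copy of acl (path -> rights for one user or group) after applying access."""
    dir_rights, file_rights = STANDARD[access]
    new_acl = dict(acl)
    for name in affected(tree, root, replace_subdirs, replace_files):
        new_acl[name] = dir_rights if tree[name] == "dir" else file_rights
    return new_acl


if __name__ == "__main__":
    # Constructed starting point: the group holds Change (RWXD) everywhere.
    before = {name: "RWXD" for name in TREE}
    for subdirs, files in ((True, True), (True, False), (False, True), (False, False)):
        after = apply_permission(before, TREE, ROOT, "Add & Read", subdirs, files)
        print(f"Subdirectories={subdirs} Existing Files={files}")
        for name in sorted(TREE):
            print(f"  {name:40} {after[name]}")
        print("  still carrying the old rights:", untouched(TREE, ROOT, subdirs, files))
```

Listing what `untouched` returns before tightening a folder's permissions shows which subfolders and files would keep the broader rights they had.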
Adding NTFS Folder Access Permissions.
You can add NTFS folder access permissions by following these steps:
- Follow steps 1 through 4 from the preceding section to display the
Directory Permissions dialog.
- Click the Add button to display the Add Users and Groups dialog (see
fig. 13.23).
Figure 13.23. The Add Users and Groups dialog with the Power Users group added.
- Select the domain or computer from which the users and groups are to
be added from the List Names From drop-down list. Available groups are
displayed in the Names list. You can also display individual users from
within these groups by clicking the Show Users button.
- Select individual users or groups for which you want to add file access
permissions by double-clicking the name in the Names list. Each of these
is displayed in the Add Names list as you select it. You can also select
multiple users and groups in the Names list by using standard Windows conventions
for making multiple selections. After you finish making selections, click
the Add button to transfer all selected names to the Add Names list.
- Select the access type to be granted to the selected users and groups
from the Type of Access drop-down list.

Only the standard types of access--No Access, List, Read, Add, Add &
Read, Change, and Full Control--are available in the Add Users and Groups
dialog. If you need to assign special directory access permissions or special
file access permissions for the users or groups being added, simply choose
any one of the standard permissions here and modify your selection in the
Directory Permissions dialog in the following step.

- Click OK to accept your changes and return to the Directory Permissions
dialog. The newly added users or groups are displayed in the Name list.
If you need to assign special directory access permissions or special file
access permissions to the newly added users or groups, highlight them now
and assign these special access permissions using the steps described in
the preceding section.
- After you properly assign all permissions, return to the Directory
Permissions dialog and click OK to return to the Foldername Properties
sheet. Click OK to accept the changes and exit the Foldername Properties
sheet.
Replicating Folders
Windows NT Server 4.0 allows you to replicate, or copy, folders to other
computers or domains to maintain identical copies of folders and files
on more than one computer. The folder from which data is copied is called
the export folder and is located on the export server; the
folder to which data is copied is called the import folder and is
located on the import computer. The export and import folders can
be located on the same computer or on different computers.

A server running the Windows NT Server 4.0 replication service can be
either an export server or an import computer, or both. A client running
Windows NT Workstation 4.0 can participate in folder replication, but only
as an import computer.

Folder replication does more than simply copy data from the export folder
source to the import folder destination. The Windows NT Server replication
service functions much like an FTP mirror program. It monitors the export
folder for changes to existing files and newly created files and subfolders,
and replicates these changes and additions to the import folder. The replication
service also deletes files in the import folder that have been deleted
from the export folder. By doing so, it synchronizes the contents of the
two folders.
Folder replication is most commonly used for the following two purposes:
- Replicating logon scripts from one domain controller to other domain
controllers. This allows users of any domain controller to log on locally,
and reduces server load and network traffic.
- Replicating a database from one server to another. This allows
users who access the database to be distributed among two or more servers
in order to share the workload among multiple servers.
You can also use folder replication to keep a frequently updated backup
copy of a heavily used database file, which would otherwise be difficult
to back up.
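The synchronization behavior described above, as an added Python example that is not the Directory Replicator service's own code: one pass copies new and changed files from the export folder and removes anything in the import folder that no longer exists in the export folder. The folder and file names are constructed, and comparing content by SHA-256 digest is an assumption, because the chapter doesn't say how the service detects changes.

```python
import hashlib
import os
import shutil
import tempfile


def _digest(path):
    """SHA-256 of a file's contents (the assumed change test)."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def replicate_pass(export_dir, import_dir):
    """Run one synchronization pass and return the relative paths acted on."""
    actions = {"copied": [], "deleted": []}

    # Copy new and changed files and create new subfolders.
    for dirpath, _dirs, files in os.walk(export_dir):
        rel = os.path.relpath(dirpath, export_dir)
        target = os.path.normpath(os.path.join(import_dir, rel))
        os.makedirs(target, exist_ok=True)
        for name in files:
            src = os.path.join(dirpath, name)
            dst = os.path.join(target, name)
            if not os.path.isfile(dst) or _digest(src) != _digest(dst):
                shutil.copy2(src, dst)
                actions["copied"].append(os.path.normpath(os.path.join(rel, name)))

    # Delete files and subfolders that are gone from the export folder.
    # Walking bottom-up empties a folder before it is removed.
    for dirpath, _dirs, files in os.walk(import_dir, topdown=False):
        rel = os.path.relpath(dirpath, import_dir)
        source = os.path.normpath(os.path.join(export_dir, rel))
        for name in files:
            if not os.path.isfile(os.path.join(source, name)):
                os.remove(os.path.join(dirpath, name))
                actions["deleted"].append(os.path.normpath(os.path.join(rel, name)))
        if rel != "." and not os.path.isdir(source):
            os.rmdir(dirpath)
            actions["deleted"].append(rel)
    return actions


def demo():
    """Three passes over constructed sample data: initial copy, change, deletion."""
    with tempfile.TemporaryDirectory() as base:
        export_dir = os.path.join(base, "Export", "Scripts")
        import_dir = os.path.join(base, "Import", "Scripts")
        os.makedirs(os.path.join(export_dir, "Dept"))
        os.makedirs(import_dir)
        logon = os.path.join(export_dir, "logon.bat")
        sales = os.path.join(export_dir, "Dept", "sales.bat")
        for path, text in ((logon, "echo v1\n"), (sales, "echo sales\n")):
            with open(path, "w") as handle:
                handle.write(text)
        first = replicate_pass(export_dir, import_dir)

        with open(logon, "w") as handle:      # change an existing file
            handle.write("echo v2\n")
        second = replicate_pass(export_dir, import_dir)

        shutil.rmtree(os.path.join(export_dir, "Dept"))   # delete on the export side
        third = replicate_pass(export_dir, import_dir)
        remaining = sorted(os.listdir(import_dir))
    return first, second, third, remaining


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third", "remaining"), demo()):
        print(label, result)
```

Because a deletion on the export side is applied to the import folder on the next pass, the import folder mirrors the current state of the export folder rather than preserving earlier versions.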
Creating a Replication User
Before you can configure the replication service, you must first create
a special user for that service. Create a new user, as described in Chapter
12, "Managing User and Group Accounts." This new special
user must have the following properties:
- The user must be assigned to the Backup Operators group.
- The Password Never Expires check box must be marked.
- The Logon Hours settings must allow this user access at all times.
You won't be able to name the new user Replicator because a group already
exists with that name. Choose another similar name, such as Replicate.
Starting the Replication Service
After you create the special user, you must then configure and start
the Directory Replicator service before folder replication can occur. To
do so, proceed as follows:
- From Control Panel, double-click the Services tool to display the Services
dialog, shown in figure 13.24 with the Directory Replicator service shown
highlighted. The Status is shown as blank, indicating that the Directory
Replicator service isn't running. Startup is shown as Manual, indicating
that this service won't be started unless you do so manually.
Figure 13.24. Selecting the Directory Replicator service in the Services dialog.
- With the Directory Replicator service highlighted, click the Startup
button to display the Service dialog (see fig. 13.25).
Figure 13.25. Setting the Startup Type and Log On As account in the Service dialog.
- In the Startup Type section, select the Automatic option to indicate
that the Directory Replicator service should start automatically each time
Windows NT Server is started.
- In the Log On As section, select the This Account option, and enter
the domain and user account name that you created in the preceding section.
You can also click the ... button to display a list of available accounts
to choose from.
- Type the password for this account in the Password and Confirm Password
fields.
- Click OK to accept the changes. You're prompted to restart Windows
NT Server.
- After Windows NT Server is restarted, double-click Control Panel's
Services tool to verify that the Directory Replicator service has been
started successfully. You should see a display similar to figure 13.26,
with the Directory Replicator service shown with Status as Started and
Startup as Automatic.
Figure 13.26. Confirming startup of the Directory Replicator in the Services dialog.
Configuring Folder Replication
After you successfully configure the Directory Replicator service, you
must then configure an export server and an import computer.
To configure the export server, you must provide the following pieces
of information:
- The export folder designates the source folder from which files and
subfolders are exported.
- The Export To list designates computers and domains to which files
and subfolders are exported. If you designate a domain here, exported data
is replicated on all computers in that domain that have replication
enabled.
To configure the import computer, you must also provide two pieces of
information, as follows:
- The import folder designates the destination folder in which imported
files and subfolders are stored.
- The Import From list designates computers and domains from which
data to be imported is accepted.
To configure the export server and the import computer, proceed as follows:
- From Control Panel, double-click the Server tool to display the Server
dialog (refer to fig. 13.4).
- Click the Replication button to display the Directory Replication dialog
(see fig. 13.27).
Figure 13.27. Setting replication paths, lists, and script location in the
Directory Replication dialog.
- In the export section, select the Export Directories option to enable
exporting. Then complete the From Path text box to designate which folder
is to be exported. Click the Add button to add domains or computers to
the To List to designate a target or targets to which data are exported.

Windows NT Server 4.0 creates default import and export directories
when you install it. The default import directory is C:\Winnt\System32\Repl\Import.
The default export directory is C:\Winnt\System32\Repl\Export.

- Click the Manage button to display the Manage Exported Directories
dialog (see fig. 13.28). You can use the controls in this dialog to add
and remove exported directories and to add and remove locks on managed
directories.
Figure 13.28. Setting export subdirectory parameters in the Manage Exported
Directories dialog.
- If this server will also be an import computer, select the Import Directories
option in the import section of the Directory Replication dialog to enable
importing. Then complete the To Path text box to designate which folder
is to receive the imported data. Click the Add button to add domains or
computers to the From List to designate computers and domains from which
imported data is to be accepted.
- Click the Manage button in the import section to display the Manage
Imported Directories dialog (see fig. 13.29). You can use the controls
in this dialog to add and remove imported directories and to add and remove
locks on managed directories.
Figure 13.29. Setting import subdirectory parameters in the Manage Imported
Directories dialog.
Sharing and Securing Network Printers
Beyond sharing folders and files, the most common purpose of most networks
is to share printers. One justification for early local area networks was
their capability to share expensive laser printers among many users. In
the past few years, the prices of laser printers have plummeted; it's now
economically feasible for many companies to provide sub-$1,000 personal
laser printers, such as the Hewlett-Packard LaserJet 5L and 5P, to any
client that needs one.
Still, the original justification for sharing expensive printers
on the network holds true. Ten years ago, you might have been sharing a
$3,500 LaserJet that printed eight letter-size pages per minute at 300
dpi. Today, you might instead be sharing a laser printer that prints 20
11-by-17-inch pages per minute at 600 dpi, but that printer still costs
$3,500, and budget realities still demand that it be shared. Just as it
always did, the network allows you to share scarce and expensive resources,
such as high-speed laser printers and color printers.
Windows NT Server makes it easy to share printers on the network. Printers
attached directly to the computer running Windows NT Server can be shared
as a network resource and used by any network client authorized to do so.
Network clients running Windows 3.11 for Workgroups, Windows 95, or Windows
NT Workstation can also function as printer servers, sharing their attached
printers with other network users.

Any Windows Networking server or client can share an attached printer
as a network resource. Windows NT Server also supports sharing of directly
network connected Hewlett-Packard network printers, using the HP JetDirect
network interface. A directly network connected printer is one that
contains its own network adapter card and connects directly to the network
cable, rather than to a network client that provides printer server functions
for that printer. Directly network connected printers are also called DLC
printers, from the Data Link Control protocol that must be installed to
support them.
You can use directly network connected printers in locations that are
too far removed from the network server to be cabled directly to the server,
but where you don't want to put a network client computer. High-speed laser
printers, color printers, and other output devices designed to be used
as shared network resources are often connected directly to the network
in this fashion.

Configuring Locally Attached Server Printers as Shared Resources
After you physically install the printer to be shared and connect it
to the computer running Windows NT Server, you can use the Add Printer
Wizard to configure it and make it available as a shared printer. To do
so, proceed as follows:
- From My Computer, double-click the Printers icon to display available
printers in the Printers window. (If you haven't yet installed any printers,
only the Add Printer icon appears in the Printers window.)
- Double-click the Add Printer icon to invoke the Add Printer Wizard
(see fig. 13.30). You can select the My Computer option to add a printer
to the local computer, or the Network Printer Server option to add a network
printer that's physically connected to a different computer. This section
describes adding a locally connected printer, so select the My Computer
option button and click Next.
Figure 13.30. Specifying the printer location in the first Add Printer Wizard dialog.
- The next dialog, shown in figure 13.31, allows you to specify the port
to which the printer is connected, to add a port, and to modify the properties
for a port. Mark the check box that corresponds to the port to which your
new printer is connected.
Figure 13.31. Selecting the printer port in the second Add Printer Wizard dialog.
- If you need to add a port to the Available Ports list, click the Add
Port button to display a list of available printer ports (see fig. 13.32).
When you add a printer port and accept the change by clicking OK, you return
to the preceding Add Printer Wizard dialog, where the newly added printer
port appears as an available selection.
Figure 13.32. Adding a new printer port in the Printer Ports dialog.
- In the second Add Printer Wizard dialog (refer to fig. 13.31), you
can click the Configure Port button to display and modify port settings.
If the selected port is a parallel port, the Configure LPT Port dialog
appears (see fig. 13.33).
Figure 13.33. Setting the printer timeout in the Configure LPT Port dialog.

The only configuration item available for a parallel port is Transmission
Retry, which should ordinarily be left at the default setting. If the server
to which the printer is connected is very busy, other workstations can
have difficulties in completing a print job to this shared printer. If
so, try increasing the value for Transmission Retry a little at a time
until the problem disappears.

- If the selected port is a serial port (also called a COM port),
the Ports dialog appears (see fig. 13.34). Highlight the COM port to which
the printer is connected and click the Settings button to display the Settings
for COMx dialog (see fig. 13.35). Select the settings for Baud Rate,
Data Bits, Parity, Stop Bits, and Flow Control from the drop-down lists
that correspond to the settings of the printer being installed.
Figure 13.34. Choosing between available COM (serial) ports in the Ports dialog.
Figure 13.35. Selecting standard COM port parameters in the Settings for COMx
dialog.
- Click the Advanced button to display the Advanced Settings for COMx
dialog (see fig. 13.36). In this dialog, you can adjust settings for COM
Port Number, Base I/O Port Address, and Interrupt Request Line (IRQ). The
FIFO Enabled check box, when marked, allows Windows NT to use the buffering
provided by 16550 and higher UARTs to improve Windows printing performance.
If an advanced UART was detected during Windows installation, this check
box is marked by default and should be left marked. If Windows NT didn't
detect an advanced UART on this port during installation, the check box
is disabled (grayed out).
Figure 13.36. Specifying the I/O memory address and interrupt level in the
Advanced Settings for COMx dialog.

The settings for COM Port Number, Base I/O Port Address, and Interrupt
Request Line (IRQ) should almost always be left at their default values.
Alter these settings only if you've changed the standard COM port settings
for your hardware. Otherwise, Windows won't be able to locate the COM port.

- After you finish selecting the printer port, click OK to advance to
the Add Printer Wizard printer selection dialog (see fig. 13.37). Begin
by highlighting the manufacturer of your printer in the Manufacturers list.
When you highlight a manufacturer, the Printers list displays supported
printer models for that manufacturer. Highlight the model of your printer
and click Next.
Figure 13.37. Selecting the printer manufacturer and model in the third Add
Printer Wizard dialog.

If you have an updated printer driver supplied by the printer manufacturer,
click the Have Disk button and follow the prompts to load the updated driver.

- The fourth Add Printer Wizard dialog, shown in figure 13.38, allows
you to specify whether this printer is shared, to provide a share name
for the printer, and to load support for other operating systems that will
be printing to this printer. After you complete this dialog, click Next.
If you've specified that support for operating systems other than Windows
NT 4.0 is to be loaded, you're prompted to insert driver disks for those
operating systems.
Figure 13.38. Assigning a share name and specifying types of client PCs in the
fourth Add Printer Wizard dialog.

Be careful when you choose a share name for the printer. If this printer
will be accessed by clients running MS-DOS or Windows 3.1+, the share name
you select must conform to the MS-DOS 8.3 naming conventions, or the printer
won't be visible to these clients. If all your clients are running Windows
95 or Windows NT 4.0, you can select a share name that conforms to Microsoft's
long file name conventions.

- The next step in the Add Printer Wizard allows you to print a test
page (see fig. 13.39). You should always allow the wizard to print the
test page to verify that your printer has been installed successfully and
is performing as expected. After you print the test page and verify that
it printed correctly, click the Finish button to complete the Add Printer
Wizard.
Figure 13.39. Printing a test page in the fifth Add Printer Wizard dialog.
- The Copying Files -- Files Needed dialog (see fig. 13.40) prompts you
to insert the Windows NT Server CD-ROM so that the necessary files can
be copied from it. Specify the drive and path name for these files, or
click the Browse button to browse for the location. Make sure that the
CD-ROM disk is inserted in the drive, and click OK to proceed with copying
files.
Figure 13.40. Specifying the location of the required printer driver in the
Copying Files -- Files Needed dialog.
- When all needed files are copied from the Windows NT CD-ROM, the Add
Printer Wizard prompts you to insert the distribution media for the other
operating systems you've elected to provide printing support for. Insert
the media and specify the location of these files as described in the preceding
step.
After all needed files are copied, the Add Printer Wizard takes you
directly to the Printer Properties sheet to allow you to configure the
newly installed printer. This process, used both to configure newly installed
printers and to reconfigure printers that are already installed, is described
in the following section.
Configuring Network Printer Servers as Shared Resources
The preceding section described how to configure a printer that's physically
attached to the computer running Windows NT Server as a shared printer.
The Add Printer Wizard also allows you to configure a network printer server
as a shared resource on the server. A network printer server is
a print queue that services a printer that's physically connected to a
different computer on the network.
In this section, you learn how to configure a printer queue serviced
by a Novell NetWare printer server as a Windows NT Server shared resource.
You can use the same procedure to associate a Windows Networking printer
queue with a share name on your Windows NT server, allowing you to present
printers connected to Windows Networking clients as a server shared resource.
To install and configure a network printer server as a shared server
resource, proceed as follows:
- From My Computer, double-click the Printers icon to display available
printers in the Printers window.
- Double-click the Add Printer icon to invoke the Add Printer Wizard
(see fig. 13.41). You can select the My Computer option button to add a
printer to the local computer (as described in the preceding section),
or the Network printer server option button to add a network printer that's
physically connected to a different computer. This section describes adding
a network printer server, so select the Network printer server option and
click the Next button.
Figure 13.41. Specifying a networked printer as a shared resource in the first
dialog of the Add Printer Wizard.
- The Connect to Printer dialog appears, displaying the available networks
and network printer queues that are visible to Windows NT Server.
- Highlight and double-click the printer server name to display the print
queues associated with that printer server (see fig. 13.42). In the example,
a Novell NetWare printer server named Theodore is servicing a print queue
named \\THEODORE\LASER_QUE. If more than one print queue exists on that
server, double-click the print queue you want to select to insert it in
the Printer text box. (If only one print queue exists on the printer server,
it's inserted into the Printer text box automatically when you select the
printer server.) Click OK to select that print queue.
Figure 13.42. Selecting a printer on a NetWare server from the second dialog of
the Connect to Printer dialog.
- If the selected print queue doesn't have a printer driver installed,
you're prompted to install an appropriate printer driver locally on the
Windows NT Server computer (see fig. 13.43). Click OK to install the printer
driver locally.
Figure 13.43. The message box that indicates the local server is missing the
required printer driver.
- The Add Printer Wizard moves next to selecting a printer manufacturer
and model (refer to fig. 13.37). Begin by highlighting the manufacturer
of your printer in the Manufacturers list. When you highlight a manufacturer,
the Printers list displays supported printer models for that manufacturer.
Highlight the model of your printer and click the Next button to proceed
to the next step.
- The Connect to Printer -- Copying Files -- Files Needed dialog prompts
you to insert the Windows NT Server CD-ROM so that the necessary files
can be copied from it. Specify the drive and path name for these files,
or click the Browse button to browse for the location. Make sure that the
CD-ROM disk is inserted in the drive, and click OK to proceed with copying
files.
- When the necessary files are copied, the Printer Properties sheet appears
(see fig. 13.44). The example shows a Hewlett-Packard LaserJet 5P printer.
The exact contents of this dialog vary, depending on the capabilities of
the particular printer you're installing. Configure these settings appropriately,
and then click OK to proceed to the next step.
Figure 13.44. Setting the printer configuration in the Printer Properties sheet.
- The Add Printer Wizard default printer dialog (see fig. 13.45) asks
you whether this printer should be set as the default printer. Select the
appropriate option and click Next.
- The final Add Printer Wizard dialog appears (see fig. 13.46). Click
Finish to complete installation of your network print queue printer and
return to the Printers window.
Figure 13.45. Selecting between default and non-default local printer status in
the fourth Add Printer Wizard dialog.
Figure 13.46. Indication of successful addition of the remote printer in the final
Add Printer Wizard dialog.
Configuring Printer Properties
The following procedure is automatically invoked as the final step in
installing a local printer, described earlier in the section "Configuring
Locally Attached Server Printers as Shared Resources." When used in
this fashion, the Add Printer Wizard places you at step 3 in the following
procedure. This procedure can also be used to reconfigure an existing printer,
beginning with step 1:
- From My Computer, double-click the Printers icon to display available
printers in the Printers window.
- Highlight the printer you want to configure, and right-click to display
the context-sensitive menu. Choose Properties to display the General page
of the Printername Properties sheet (see fig. 13.47).
Figure 13.47. Specifying printer properties in the General page of the Printername
Properties sheet.
- On the General page, supply the following information:
- Comment allows you to enter a short comment that can be viewed
by users of the printer. For example, if the printer is available only
during normal business hours, you might note that in the Comment text box.
- Location allows users to view the physical location of the printer
to make sure that they know where to pick up their print jobs.
- Driver allows you to select from a drop-down list of available
drivers for the printer.
- New Driver allows you to install a new or updated driver for
the printer. To do so, click the New Driver button and follow the prompts.
- Separator Page allows you to specify options for separator pages,
used to keep print jobs separate.
- Print Processor allows you to select different methods of processing
the incoming byte stream. The default WinPrint processor should be used
unless you have specific reasons for changing it.
- Print Test Page allows you to print a test page to verify printer
functioning.
- After you complete the General page, display the Ports page (see fig.
13.48). You can use the Add Port, Delete Port, or Configure Port buttons
to modify the port configuration for your printer, as described in the
preceding section. The Enable Bidirectional Support check box is marked
by default if your printer supports this function. If it doesn't, this
selection is disabled (grayed out) to prevent you from selecting bidirectional
support on a printer that doesn't have that capability.
Figure 13.48. Selecting a parallel port in the Ports page of the Printername
Properties sheet.
- After you finish configuring the port, display the Scheduling page
(see fig. 13.49). The Scheduling page allows you to specify when the printer
is available to users, at what priority print jobs are to be handled, and
the various options to control how spooled documents will be processed.
Figure 13.49. Specifying spooler properties in the Scheduling page of the
Printername Properties sheet.
- The following options are available from the Scheduling page:
- Available defaults to Always, allowing users to access this
printer at any hour. You can select the From option and specify From and
To times if you want to restrict availability of the printer to specified
hours.
- Priority allows you to specify what priority level Windows NT
Server assigns to this printer.
- Spool Print Documents so Program Finishes Printing Faster allows
you to specify that incoming print jobs are written to a temporary file
and processed from that file. If you select this option, you can choose
between Start Printing After Last Page Is Spooled and Start Printing
Immediately. In the first case, Windows NT Server waits until the entire
print job has been written to a temporary spool file before it begins printing
the document. In the latter case, Windows NT Server begins printing as
soon as it has received enough data to complete the first page. The latter
selection is marked by default, because Start Printing Immediately almost
always provides better printing performance. If your network is very heavily
loaded, you may need to specify Start Printing After The Last Page Is Spooled
to prevent pages from different print jobs from being interleaved and to
avoid other printing problems.
- Print Directly to the Printer allows you to specify that incoming
print jobs are sent directly to the printer without first being queued.
Never choose this option for a shared printer on a Windows NT server. Doing
so can cause pages printed directly to the printer to be interleaved with
pages from a print job that are being despooled from the printer queue.
- Hold Mismatched Documents, if marked, retains documents in the
queue that couldn't be printed successfully because of mismatched pages.
- Print Spooled Documents First, if marked, gives preference to
printing documents contained in the spool before printing other documents.
- Keep Documents After They Have Printed, if marked, retains documents
in the print queue even after they print successfully. Windows NT Server
ordinarily removes documents from the print spool after they are printed.
Marking this check box results in all documents being retained in the spool,
which causes a rapid growth in disk space consumed for spooled documents.
Mark this check box only as a part of diagnosing printing problems.
- After you finish setting scheduling options, display the Sharing page
(see fig. 13.50). The upper section of the Sharing page allows you to specify
that the printer be Not Shared or Shared. If it's set as Shared, you can
modify the share name in the Share Name text box.
Fig. 13.50: Specifying a share name and alternate drivers, if required, in
the Sharing page of the Printername Properties sheet.
- The bottom section of the Sharing page allows you to specify alternate
drivers that allow users of other operating systems to use the shared printer.
In the example shown in figure 13.50, the Alternate Drivers list shows
that support is installed only for Windows NT 4.0 running on the x86 processor
family. You can install support for additional operating systems by highlighting
them in this list. Later, when you finally accept changes to all pages
of the Printername Properties sheet by clicking OK, you're prompted
to insert the disks containing the printer drivers needed.
- After you finish setting sharing options, display the Security page
(see fig. 13.51). The Security page has three sections, each of which is
accessed by clicking that section's button. The Permissions section allows
you to specify which groups are permitted to access the printer. The Auditing
section allows you to specify by user and by group which actions are recorded
to an audit log. The Ownership section allows you to specify which user
or group owns the printer.
Fig. 13.51: The Security page of the Printername Properties sheet.
- Click the Permissions button to display the Printer Permissions dialog
(see fig. 13.52). The Name list displays the name of each group that's
now authorized to access the printer on the left, with that group's level
of access specified on the right. You can add a group by clicking the Add
button and responding to the prompts. You can remove a group by clicking
the Remove button.
Fig. 13.52: Setting printer permissions for user groups in the Printer
Permissions dialog.
- You can change the access level associated with a group or groups by
highlighting the group or groups and selecting the type of access to be
allowed from the Type of Access drop-down list. You can assign one of the
following types of access:
- No Access allows the group so assigned no access whatsoever
to the printer.
- Print allows the group so assigned to print documents, but not
to manage the printer or to modify its properties. This is the access level
you should assign to ordinary users of the printer.
- Manage Documents allows the group so assigned to print documents
and to manage the printer. Manage Documents is normally assigned to the
creator/owner of the printer.
- Full Control allows the group so assigned to print documents,
manage the printer, and modify its properties. Full Control should normally
be assigned to the groups Administrators, Print Operators, and Server Operators.
- After you set permissions as necessary, click OK to return to the Security
page of the Printername Properties sheet.
- In the Security page of the Printername Properties sheet, click
the Auditing button to display the Printer Auditing dialog (see fig. 13.53).
By default, no auditing is assigned for the printer. To add auditing for
specified users and groups, click the Add button to display the Add Users
and Groups dialog (see fig. 13.54). You can add users and groups to the
Add Names list by either double-clicking the user or group name, or by
highlighting the name and clicking the Add button. Each user or group name
is added to the Add Names list as you add it.
Fig. 13.53: Audit log options disabled in the Printer Auditing dialog.
Fig. 13.54: Selecting groups for printer auditing in the Add Users and
Groups dialog.
- After you finish adding users and groups, click OK to return to the
Printer Auditing dialog, which shows Domain Users added for auditing in
figure 13.55. The example shows auditing configured to report only Print
Failure for the selected group. After you specify the desired level of
auditing for each selected group, click OK to accept the changes and return
to the Security page of the Printername Properties sheet.
Fig. 13.55: The Printer Auditing dialog with the Domain Users group added
for auditing.

Be careful about assigning auditing for printers. If you assign too
many auditing triggers to too many groups, the audit log file soon grows
out of control. Not only does it occupy disk space that can otherwise be
used for storing user data, but the large number of audit entries makes
it impossible to notice the really important ones. If you decide to use
auditing at all, limit it to logging attempts at unauthorized activities
or problems that occur during normal operations.

- In the Security page of the Printername Properties sheet, click
the Ownership button to display the Owner dialog (see fig. 13.56). You
can take ownership of this printer by clicking the Take Ownership button,
or close the dialog by clicking Close. In either case, you return to the
Security page of the Printername Properties sheet.
Fig. 13.56: Taking ownership of the printer in the Owner dialog.
- In the Printername Properties sheet, display the Device Settings
page. The appearance of this page varies depending on the characteristics
of the printer for which you're setting properties. After you configure
the device settings to your satisfaction, click OK to save the properties
settings for all pages.
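The permission and auditing choices made in the Security page can be checked against the guidance above. The following is an added example, not part of the original chapter: it models how the four types of access combine for a user who belongs to several groups, and flags settings that depart from the chapter's recommendations. The function names, the Temps and Help Desk groups, and the sample settings are constructed; the rule that No Access overrides other grants is standard Windows NT behavior assumed here, not stated in this section.

```python
"""Model of the Printer Permissions and Printer Auditing settings (added example)."""

# Types of access from the Printer Permissions dialog, weakest to strongest.
LEVELS = ["No Access", "Print", "Manage Documents", "Full Control"]

# Groups the chapter says should normally hold Full Control.
FULL_CONTROL_GROUPS = {"Administrators", "Print Operators", "Server Operators"}


def effective_access(acl, user_groups):
    """Combine every ACL entry that applies to a user's groups.

    Assumption (Windows NT rule, not stated in this section): No Access in any
    applicable entry overrides all grants; otherwise the strongest grant wins.
    A user matched by no entry has no access.
    """
    granted = [level for group, level in acl.items() if group in user_groups]
    if not granted or "No Access" in granted:
        return "No Access"
    return max(granted, key=LEVELS.index)


def review(acl, audit):
    """Return findings where the settings depart from the chapter's guidance."""
    findings = []
    for group, level in sorted(acl.items()):
        if level == "Full Control" and group not in FULL_CONTROL_GROUPS:
            findings.append(f"{group}: Full Control outside the recommended groups")
    for group, events in sorted(audit.items()):
        for event, outcome in sorted(events):
            if outcome == "Success":
                findings.append(f"{group}: auditing {event} Success inflates the log")
    return findings


# Constructed sample settings for a hypothetical shared printer.
SAMPLE_ACL = {
    "Administrators": "Full Control",
    "Print Operators": "Full Control",
    "Domain Users": "Print",
    "Temps": "No Access",          # hypothetical group
    "Help Desk": "Full Control",   # hypothetical group, broader than advised
}
SAMPLE_AUDIT = {"Domain Users": {("Print", "Failure"), ("Print", "Success")}}

if __name__ == "__main__":
    print(effective_access(SAMPLE_ACL, {"Domain Users", "Temps"}))
    print(effective_access(SAMPLE_ACL, {"Domain Users", "Print Operators"}))
    for finding in review(SAMPLE_ACL, SAMPLE_AUDIT):
        print(finding)
```

A user in both Domain Users and Temps ends up with No Access, which is why a No Access entry on a broad group needs care before it is applied.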
From Here...
This chapter covered how to share the three primary server resources: folders,
files, and printers. Although Windows NT Server 4.0's new Managing Folder
and File Access Wizard provides a step-by-step approach to sharing files
and folders, most network administrators are likely to use the Windows
NT Explorer's file or folder property sheets to manage server shares.
The chapter also described how to use the Add Printer Wizard to share
a printer connected to an LPT or COM port of the server, as well as how
to create a Windows NT shared resource (print queue) from a printer connected
to a NetWare server. The chapter concluded with a description of how to
change properties of a printer previously set up as a shared Windows NT
resource.
The following chapters provide additional information on topics discussed
in this chapter:
- Chapter 10, "Configuring Windows 95 Clients
for Networking," shows you how to set up PCs running Windows 95 to
take maximum advantage of Windows NT 4.0 networks, including the use of
printers shared by Windows NT servers.
- Chapter 11, "Connecting Other PC Clients
to the Network," provides the details on setting up Windows 3.1+,
Windows for Workgroups 3.1+, Windows NT Workstation 4.0, and Macintosh
clients to communicate with Windows NT 4.0 servers and use printers shared
by Windows NT servers.
- Chapter 12, "Managing User and Group
Accounts," describes how to use Windows NT Server 4.0's User Manager
for Domains, take advantage of the new Add User Accounts and Group Management
wizards, and utilize the built-in user groups of Windows NT.


© 1996, QUE Corporation, an imprint of Macmillan Publishing USA, a Simon and Schuster Company.