Working With Shares

Module 12
2020

COMP10041 Microsoft Server Admin 1


Module Objectives
• Use the secondary logon feature
• Know who can create shares
• Know what share and NTFS permissions do and when each can be
used
• Know what a special share is and know the other names special
shares are known by
• Identify the shares on a computer
• Map a network drive to hidden and unhidden shares
• Obtain network share connection information
• Manually disconnect a user from a share
• Close open files on shared folders
• Create mappings using alternate user accounts without logging out
Activity: Prepare the Environment
1. Boot the computer at your seat – this is your local host
2. Log in
3. Navigate to D:\Courses\COMP-10041\Scripts
4. Run script 1.StartAcmeCore
5. Run script 2.StartWindows10
6. Open VirtualBox
7. Start the AcmeCore2016 virtual server
8. Start the Windows10 Professional virtual workstation
9. Log in to the workstation as Anthony.Green using the password AdminP@ss

• Perform this procedure at the start of every class unless told otherwise
Multiple Accounts for the Network Administrator
• An experienced network administrator knows that it
is important to have two working accounts:

1. Administrative account
− Only used when doing administration tasks
2. Regular user account
− Used except when performing admin tasks
− Reduces the chance of the administrator accidentally
altering network resources and settings for everyone when
a procedure was only intended to impact the
administrator’s personal environment
Secondary Logon Feature
“Run as administrator”
• Typically, network administrators spend a lot of time logged
on with their regular user account
• There are many instances when a quick administrative task
needs to be performed and it’s inconvenient to log off the
regular account and log back on with the administrator
account, perform the task then log back on as a regular user
• There is a secondary logon feature that allows you to execute
a command as a different user than the currently logged on
user without having to log off first
• The “Run as administrator” option is used to access this
secondary logon feature
Activity: Using the Secondary Logon Feature
• Here is a situation when the secondary logon feature would
be handy
– By default only members of the Administrators or the Server
Operators group can create shares on a server
• Log on with the Juned Painter account (password P&ssw0rd). Juned has never
logged in, so you will need to change his password
– Assume you want to add the Juned Painter account to the Server
Operators group
– The Juned Painter account does not have permission to add a user
to this group
– You don’t want to log off and log back in again as an Administrator in
order to add the account to this group
Activity: Using the Secondary Logon Feature
1. Select Start and begin typing Administrative Tools
2. Choose Active Directory Users and Computers
– The current user doesn’t have the Administrative Tools on their menu

3. Open Active Directory Users and Computers, locate any user and
attempt to make a change to their information
– You should not be successful

4. Close the console and from the Start button, once again begin to type
Active Directory Users and Computers
5. Right click on Active Directory Users and Computers and select Run as
administrator
6. Provide the domain administrator’s name and password
(Anthony.Green, AdminP@ss)
Activity: Using the Secondary Logon Feature
6. To verify that you are running this utility as the domain Administrator,
Anthony.Green and not as Juned Painter, start a Task Manager window
− i.e. CTRL, ALT, DELETE and select Task Manager or from the Run menu,
type taskmgr

7. Select the Processes tab


8. Locate the Active Directory Users and Computers entry and right click
on the parent application Microsoft Management Console
9. Select Go To Details
− Notice that this MMC.exe process is running under the User Name
Anthony.Green

10. Close the Task Manager window


Activity: Using the Secondary Logon Feature
11. Return to the Active Directory Users and Computers window
12. Make Juned Painter a member of the built-in Server Operators group
(located in the Builtin container)
13. Apply the changes and close Active Directory Users and Computers
– Now that the Active Directory Users and Computers is closed, you are no
longer working with the Administrator account

• From this point on, any time you must perform a task requiring
administrative privileges that your current account does not have, you
can use the secondary logon feature to accomplish the task
Activity: Using the Secondary Logon Feature
• Although right clicking on an application only gives you the option to
run as Administrator, you can run any application as any user
14. Select the Start button and type the following command exactly:
runas.exe /user:acme\tony.green notepad
15. When prompted, provide the password for Tony Green (P@ssw0rd)
16. Use Task Manager to determine that notepad is running under the name
Tony Green
17. Log off then log on to the acme.com domain as Tony Green (P@ssw0rd)
Shared Folder Access
• In order to make network resources, such as
files and folders, available to remote users
on a network, those resources must be
configured to be shared
• Two sets of permissions control who can
access a share:
− Share permissions
− NTFS permissions
Share Permissions versus NTFS Permissions

• Both Share permissions and NTFS permissions are
used to grant or deny access to Windows
resources
• A key difference is where the user is in relation to
the resource:
– Share permissions control user access to shared
resources accessed over the network
– NTFS permissions control user access to both
resources accessed over the network and resources
accessed locally
File Systems: Share versus NTFS Permissions
• NTFS permissions can only be set on volumes
where the NTFS file system is installed
• Share permissions can be set on volumes using
either the FAT file system or the NTFS file system
• On volumes using NTFS, both share permissions
and NTFS permissions work together in
controlling access to network resources
• We will work with NTFS and share permission
settings in more detail in future labs
Activity: Controlling NTFS Permissions Locally
1. Open File Explorer
2. Navigate to This PC \ C:\ Windows\
3. Right click the Windows folder on C:\
4. Select Properties
5. Select the Security tab
– This is where local NTFS permissions are controlled (not the focus of this lab)
– The Security tab would not be available if the computer was using the FAT file system
instead of NTFS

5. Close all open windows


Activity: Viewing Share Information
• The Computer Management console is used to:
– Manage disks and data storage devices
– Manage shares and sessions

1. Open Computer Management, right click on Computer Management and connect
to acmeserver
2. Expand System Tools / Shared Folders and select Shares to see the existing shares
on the server
• Juned is a member of the Server Operators group
• A Server Operator cannot create Shares.
3. Try to create a new share called Corporate
   1. Right click on Shares and choose New Share
   2. You will get this error message
   3. Close Computer Management.
Activity: Viewing Share Information
1. Open Computer Management using the
Run As administrator feature
(Anthony.Green, AdminP@ss)
2. Connect to acmeserver
3. Expand System Tools / Shared Folders and select
Shares to see the existing shares on the server
3. Create a new share called Corporate
1. Right Click on Shares and choose New Share
2. Type in C:\Corporate
3. Answer Yes
4. Customize permissions – Custom
5. Everyone – Full Control
Share Information
• If you maximize this window, you will see a list
of the current shares on the server as well as
the following information about these shares:
– Shared Folder name
– Folder path to the share
– Type of share
• Which type of clients can access the share; Windows,
Mac, UNIX, … etc.
– Number of current connections to the share
– Optional comment field to describe the share
Default Domain Controller Shares
• The Corporate share has been created
specifically for this course and is not a default
Windows share
• All other shares you see are default shares
created by the Windows Server operating
system
• Default shares are referred to by several names:
– Special shares
– Administrative shares
– Hidden shares (although some are not hidden)
Special Share Characteristics
• Special shares have these characteristics:
– System generated
– May be hidden
– Do not allow their access permission settings to be
changed; not even by an Administrator
• Permissions are assigned by the Windows OS
– Are designed to make system administration easier
– System configuration determines which special shares
are created
• Not every system has exactly the same set of shares
Special Shares List
• What is the Folder Path and Comment for the
following default domain controller shares on
acmeserver.acme.com?

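Share         Folder Path               Comment (Description)

ADMIN$        ____________________      ____________________

C$            ____________________      ____________________

IPC$          ____________________      ____________________

NETLOGON      ____________________      ____________________

SYSVOL        ____________________      ____________________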
Purpose of Specific Special Shares
• What is the purpose for these special shares?
– Research the purpose for these special shares.

ADMIN$
____________________________________________________________
____________________________________________________________

IPC$
____________________________________________________________
____________________________________________________________

NETLOGON
____________________________________________________________
____________________________________________________________

SYSVOL
____________________________________________________________
____________________________________________________________

DriveLetter$
____________________________________________________________
____________________________________________________________
Hidden Shares
• By using a $ (dollar sign) as the last character
in the share name, the share will be hidden
• A hidden share cannot be seen when
browsing network resources with tools such
as Windows Explorer and Net View
• A share can be hidden but not necessarily be
a special share
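
The share list that Computer Management shows can also be produced from PowerShell. The following is an added example, not part of the original course material: it lists every share on the server, marks special and hidden ($) shares, and prints the share permissions next to the NTFS permissions of each ordinary shared folder. It assumes the SmbShare module (Windows 8 / Server 2012 and later), an account allowed to query the server, and the lab server name acmeserver; the EveryoneFull column is an illustrative name.

```powershell
# Added example (not from the course material).
# Assumptions: SmbShare module available, caller may query the server,
# and the server name is the lab's 'acmeserver'.
param([string]$Server = 'acmeserver')

$cim = New-CimSession -ComputerName $Server

$report = foreach ($share in Get-SmbShare -CimSession $cim) {

    # Share permissions: checked only when the folder is reached over the network.
    $shareAces = @(Get-SmbShareAccess -CimSession $cim -Name $share.Name `
                       -ErrorAction SilentlyContinue)

    # NTFS permissions: checked for local and network access alike.
    # Read them through the UNC path, and only for ordinary folder shares
    # (IPC$ has no folder behind it; special shares are managed by the OS).
    $ntfsAces = @()
    if (-not $share.Special -and $share.Path) {
        $acl = Get-Acl -Path "\\$Server\$($share.Name)" -ErrorAction SilentlyContinue
        if ($acl) { $ntfsAces = @($acl.Access) }
    }

    [pscustomobject]@{
        Name         = $share.Name
        Path         = $share.Path
        Description  = $share.Description
        Special      = $share.Special               # system-generated share
        Hidden       = $share.Name.EndsWith('$')    # trailing $ hides it from browsing
        Connections  = $share.CurrentUsers
        ShareAccess  = ($shareAces | ForEach-Object {
                            "$($_.AccountName):$($_.AccessControlType)/$($_.AccessRight)"
                        }) -join '; '
        NtfsAccess   = ($ntfsAces | ForEach-Object {
                            "$($_.IdentityReference):$($_.AccessControlType)/$($_.FileSystemRights)"
                        }) -join '; '
        # True when the share ACL allows Everyone Full Control, as set for
        # Corporate in this lab; the NTFS permissions then decide what a
        # network user can actually do.
        EveryoneFull = [bool]($shareAces | Where-Object {
                            $_.AccountName -eq 'Everyone' -and
                            $_.AccessControlType -eq 'Allow' -and
                            $_.AccessRight -eq 'Full' })
    }
}

$report | Sort-Object Special, Name | Format-List
Remove-CimSession $cim
```

Hidden shares appear in this output because the query asks the server directly instead of browsing the network.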
Activity: Mapping a Drive to a Hidden Share
• In the following procedures you will attempt to map a network drive to a hidden
share

1. Close all open windows


2. Open File Explorer
3. Right click on This PC
4. Select Map network drive
5. Leave the default drive letter (Z:)
6. Type \\acmeserver\ and click the Browse button
7. Expand the acmeserver folder and attempt to browse to the Admin$ share on
the domain controller
− You should find that the Admin$ share is not listed
Activity: Mapping a Drive to a Hidden Share
• You should see shares such as netlogon,
sysvol, etc. You should also see the
Corporate Share that we just created
• You will NOT see some of the shares you saw
earlier such as IPC$, C$, Admin$
• Why?
Activity: Mapping a Drive to a Hidden Share
• Shares are typically hidden for security reasons
• In order to connect to a hidden share, one must first know that the share
exists and also know the share’s exact share name
6. Cancel the Browse For Folder window
7. In the Folder: field, enter \\acmeserver\admin$ which is the path to
the Admin$ share
8. Do NOT click Finish yet
– Because Juned is a member of the Server Operators group, you will have permission
to connect to this share
Activity: Mapping a Drive to a Hidden Share
• Notice the option box Reconnect at sign-in
• The default setting is to reconnect this network share to this drive letter
every time you log on
• In other words, from this point on, whenever you log on from this
computer, the Admin$ share will be mapped to Z: making it accessible
through This PC without having to recreate this mapping
• If you did not want this share to be mapped every time you log on, you
would remove the check for “Reconnect at sign-in”

9. Leave Reconnect at Sign-in checked and click Finish


Activity: Mapping a Drive to a Hidden Share
• In a few seconds, a new window opens and displays the contents of the
Admin$ share
• The Admin$ share is linked to the setting for the %SystemRoot% environment
variable which, in this case, points to the server’s directory C:\Windows

10. You have just successfully mapped the local drive letter Z: to a network
share; now close the window
11. Open This PC
12. Double click the entry admin$ (\\acmeserver) (Z:)
− This is the reason for “mapping a drive” – to provide quick access to network
resources

13. Close all open windows


Activity: Mapping an Unhidden Share
to a Network Drive
• In this activity, you are to map M: to the Corporate share
• Since Corporate is not a hidden share, you will be able to browse to it

1. Click the Start button and right click on This PC


2. Click Map network drive and map M: to the Corporate share on
acmeserver
\\acmeserver\Corporate
3. Close all open windows after you have mapped the drive
Activity: Determining the Number of
Connections to Shared Folders
1. Open File Explorer, right click on each of the M: and Z: drive icons and choose
Open in new window for both

• Now that you have connected to these shares, the # Client Connections to these
shares should have been updated in Computer Management

2. Open Computer Management (Run As administrator)


3. Connect to the server acmeserver
4. Select the Shares container under System Tools / Shared Folders

• Note the entry under # Client Connections for both the Corporate share and the
Admin$ share
Activity: Determining the Number of
Connections to Shared Folders
• There should be 1 connection for the Corporate share
• This information is not dynamically updated and will need to be
refreshed in order to display the most recent information

5. Refresh the data by either clicking the Refresh option under Action or
pressing F5
Activity: Determining Who is
Currently Connected to Shared Folders

1. Continue to work with the acmeserver computer from Computer Management


2. Select the Sessions container and expand the Computer Management window

• This lists information about accounts currently connected to shares on this
computer
• The Sessions container tells you:
– Name of user or computer connected to the share
– Computer being used for this share connection
– Type of network connection being used
– Number of files user has open at this time
– How long the connection has been open
– How long since the user last used the connection
– Whether the user is logged on with a guest account
Activity: Disconnecting Users from a Shared
Folder
• The Computer Management console can be used to disconnect users
from shared resources
1. In order to disconnect the Juned Painter session, right click on Juned’s
user name in the Sessions list
2. Select Close Session and read the warning.
3. Try closing Anthony.Green’s session
• You will probably get a message stating “You are not allowed to close a
session that is being used to administer the remote machine”
• You are currently using the IPC$ share as Anthony.Green to remotely
access acmeserver through Computer Management so the system is
preventing you from ending this session since this would remove your
ability to perform remote administration tasks
Why Disconnect A Session?
• So what good is disconnecting the user from the shares?
– Assume an employee was working on a shared document but
leaves for the day without logging off and also inadvertently
leaves the shared document open on his/her desktop
– If that user has locked the workstation and you do not know the
password, you cannot simply walk up to the computer and close
the document
– Assume another person needs to make changes to the open file
but cannot open the file for writing because it is already in use

• Solution: Disconnect the session and the file will become
unlocked for the next user
Disconnection Considerations
• You can also close a connection to a specific
file
– You don’t have to disconnect all share
connections
• NOTE: Data may be lost if the file was not
saved prior to disconnecting
– E.g. User updated the file in RAM but did not
save the changes to the network file before you
disconnected the user
Activity: Closing Open Shared Folder Files
1. Using Microsoft WordPad, create a document
2. Enter text into the file and try saving the file with the name Junk in your
Corporate share (M:)
3. Keep the WordPad file open as you open the Computer Management
console and connect to acmeserver
4. Select the Open Files container under Shared Folders
5. You should see your file listed
− Because the file is open in Write+Read mode, any other user that attempts to
open the file will receive an error message stating the file can only be opened
in Read Only mode

6. Right click on the entry associated with the file and select Close Open File
− This file is now available for use by another user and will not have to be
opened in Read Only mode

7. Close all open windows
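
The Sessions and Open Files steps above can be scripted as well. This added example, which is not part of the original course material, lists the sessions on the server and closes one open file instead of the whole session. The account name ACME\Juned.Painter and the path pattern for the Junk file are assumptions based on this lab.

```powershell
# Added example (not from the course material).
# Assumptions: SmbShare module, administrative rights on the server,
# the account name format ACME\Juned.Painter, and a file named Junk*
# under the Corporate folder as created in the activity above.
param(
    [string]$Server   = 'acmeserver',
    [string]$User     = 'ACME\Juned.Painter',
    [string]$PathLike = '*\Corporate\Junk*'
)

$cim = New-CimSession -ComputerName $Server

# Sessions container: who is connected, from where, and how active.
Get-SmbSession -CimSession $cim |
    Select-Object SessionId, ClientUserName, ClientComputerName,
                  NumOpens, SecondsExists, SecondsIdle |
    Format-Table -AutoSize

# Open Files container, narrowed to one user's handle(s) on one file.
$targets = @(Get-SmbOpenFile -CimSession $cim | Where-Object {
    $_.ClientUserName -eq $User -and $_.Path -like $PathLike
})

if ($targets.Count -eq 0) {
    Write-Warning "No open file matching $PathLike for $User on $Server."
}
else {
    $targets | Select-Object FileId, SessionId, ClientUserName, Path |
        Format-Table -AutoSize

    foreach ($file in $targets) {
        # Closing the file releases its lock but discards edits the user
        # has not saved, so ask for confirmation on every handle.
        Close-SmbOpenFile -CimSession $cim -FileId $file.FileId -Confirm
    }
}

# Only when every connection of the user must go (all shares at once):
# Close-SmbSession -CimSession $cim -ClientUserName $User -Confirm

Remove-CimSession $cim
```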


Activity: What Happens When You Map Without
Appropriate Permissions
1. Run Active Directory Users and Computers as the Administrator
(Anthony.Green, AdminP@ss)
2. Remove Juned Painter from the Server Operators group
3. Sign out and then sign in again as Juned.Painter
– The server might remember Juned’s credentials
4. Try to map a network drive to the \\Acmeserver\C$ share
– You should get a message asking for elevated rights:
Enter Network Credentials
– The Juned Painter account has not been given permission to map to this drive
Mapping With Multiple Accounts
• When administering a network, you may need to access a
resource on a network share with an account that has
administrator privileges
• At the time, you may be using your regular user account
and don’t want to log off that account just to access a
share available only to your administrative account
• Just as with the secondary logon option, you can map a
network share using the credentials (i.e. user name and
password) of another account thus avoiding having to log
off and log back on as administrator briefly then log off
and log back on as a regular user
Conflicting Credentials
• Because we have mapped a drive to the
acmeserver with the Juned Painter account, in
order to be successful in mapping a drive to the
same server with a different set of credentials,
we must disconnect our current connections
Activity: Mapping Using an Alternate User
Account
1. As Juned Painter, open File Explorer
2. Click the Map Network Drive button
3. Accept the default Drive: letter
4. Enter \\acmeserver\c$ in the Folder box which will create a mapping to
the root of the C: drive on the server
5. Select the Connect using different credentials option since Juned
doesn’t have permission to access C:\ on the acmeserver computer
6. Click Finish and enter the domain administrator account credentials
(Anthony.Green, AdminP@ss)
Activity: Mapping Using an Alternate User
Account
7. You will not be able to map the drive, but will instead have the security
box pop up for you to enter credentials again
• Why could you not complete this task?
___________________________________________________________
___________________________________________________________
___________________________________________________________
• What must you do before completing this mapping task?
___________________________________________________________
___________________________________________________________
___________________________________________________________
Activity: Mapping Using an Alternate User
Account
8. Close the Map Network Drive window
9. Right click all currently mapped drives and select Disconnect
10. Attempt to map to \\acmeserver\c$ using the Administrator
credentials once again

• You should now see the files and folders that are located on the root of
the C drive on the acmeserver
Activity: Mapping Using an Alternate User
Account
• The Juned Painter account has not been given the permissions it needs to have
full access to the Corporate folder
• However, now that you are mapped to C:\ on the acmeserver with the
Administrator account, you will now be able to open the Corporate folder

11. Now try opening the Corporate folder


− You should be successful

• Since you’ve mapped to the acmeserver with the Administrator credentials, you
can now map to other shares on the acmeserver without providing those
credentials again

12. Try mapping a drive to the Corporate share once again


− You should be successful
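
The disconnect-then-remap sequence above, as an added PowerShell example that is not part of the original course material. It shows which account each existing connection to the server uses, removes the current mappings, and maps the share with other credentials without reconnecting it at sign-in. The server, share and drive letter defaults are assumptions taken from this lab.

```powershell
# Added example (not from the course material).
# Assumptions: SmbShare module on the workstation; server, share and
# drive letter are the lab's values and can be overridden.
param(
    [string]$Server = 'acmeserver',
    [string]$Share  = 'c$',
    [string]$Drive  = 'Z:'
)

# Windows allows one set of credentials per server per logon session.
# Show which account the existing connections to the server are using.
Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, UserName, Credential |
    Format-Table -AutoSize

# Equivalent of right-clicking each mapped drive and choosing Disconnect.
$old = @(Get-SmbMapping | Where-Object { $_.RemotePath -like "\\$Server\*" })
foreach ($m in $old) {
    if ($m.LocalPath) {
        Remove-SmbMapping -LocalPath $m.LocalPath -UpdateProfile -Force
    }
    else {
        Remove-SmbMapping -RemotePath $m.RemotePath -Force
    }
}

# Prompt for the administrative account instead of storing a password.
$cred = Get-Credential -Message "Account with access to \\$Server\$Share"

# -Persistent $false: the mapping is not restored at the next sign-in,
# so the elevated connection ends with this logon session.
New-SmbMapping -LocalPath $Drive -RemotePath "\\$Server\$Share" `
    -UserName $cred.UserName `
    -Password $cred.GetNetworkCredential().Password `
    -Persistent $false

Get-SmbMapping | Format-Table LocalPath, RemotePath, Status -AutoSize
```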
End
Remember to bring the Supplemental Content documents
for this module and the next module to the next class