Professional Documents
Culture Documents
rint Services
Contents:
Module Overview
Lesson 1:
Lesson 2:
Lesson 3:
Lesson 4:
Lab:
Module Overview
Accessing files and printers on the network is one of the mos
t common activities in the Windows Server environment. R
eliable,secure access to files and folders and print resources
is often the first requirement of a Windows Server 2012based network. Toprovide access to file and print resources o
n your network, you must understand how to configure these
resources within WindowsServer 2012 server, and how to co
nfigure appropriate access to the resources for users in your
environment.
This module discusses how to provide these important file a
nd print resources with Windows Server 2012. It describes h
ow to securefiles and folders, how to protect previous versio
ns of files and folders by using shadow copies, and how to gi
ve workers remoteaccess to corporate files by implementing
the new Work Folders role service. It also describes new net
work printing features that helpmanage the network printing
environment.
Objectives
After completing this module, you will be able to:
Secure shared files and folders.
Lesson Objectives
Standard Permissions
Standard permissions provide the most commonly used per
mission settings for files and folders. You assign standard per
missions inthe Permissions for folder name dialog box.
The following table details the standard permissions options
for NTFS files and folders.
File permissions
Description
Full Control
Modify
Read
Write
(folders only)
Advanced Permissions
Advanced permissions can provide a much greater level of c
ontrol over NTFS files and folders. Advanced permissions are
accessibleby clicking the Advanced button from the Securi
ty tab of a file or folders Properties dialog box.
The following table details the Advanced permissions for NTF
S files and folders.
File per
mission
s
Description
Traverse F
The Traverse Folder permission applies only to folders. This permission grants or
older/Exec
rs, even if the user has no permissions for the traversed folders. The Traverse Fol
ute File
Bypass Traverse Checking user right. By default, the Everyone group is given the
denies access to run program files. If you set the Traverse Folderpermission on a
t folder.
List Folder/
The List Folder permission grants the user permission to view file names and sub
Read Data
ntents of that folderit does not affect whether the folder itself is listed. In additi
line interface. The Read Data permission grants or denies the user permission to
Read Attrib
The Read Attributes permission grants the user permission to view the basic attri
utes
Read Exte
The Read Extended Attributes permission grants the user permission to view the
nded Attrib
utes
Create File
The Create Files permission applies only to folders, and grants the user permissio
s/Write Dat
mission to make changes to the file and overwrite existing content by NTFS. The
a
Create Fol
The Create Folders permission grants the user permission to create folders within
ders /Appe
nd Data permission grants the user permission to make changes to the end of th
File per
mission
s
Description
nd Data
Write Attri
The Write Attributes permission grants the user permission to change the basic a
butes
ed by NTFS. The Write Attributes permission does not imply that you can create o
the attributes of a file or folder. To grant Create or Delete permissions, see the Cr
les, and Delete entries in this table.
Write Exte
The Write Extended Attributes permission grants the user permission to change t
nded Attrib
programs and apps, and can vary by each one. The Write Extended Attributes pe
utes
includes only the permission to make changes to the attributes of a file or folder.
te Folders/Append Data, Delete Subfolders and Files, andDelete entries in this tab
Delete Sub
The Delete Subfolders and Files permission grants the user permission to delete s
folders and
older or file. The Delete Subfolders and Files permission applies only to folders.
Files
Delete
The Delete permission grants the user permission to delete the file or folder. If yo
delete the file or folder if you are granted Delete Subfolders and Files permission
Read Perm
Read Permissions grants the user permission to read permissions about the file o
issions
Change Pe
Change Permissions grants the user permission to change permissions on the file
rmissions
Take Owne
The Take Ownership permission grants the user permission to take ownership of t
rship
Synchroniz
The Synchronize permission assigns different threads to wait on the handle for th
Administrative Shares
If you have shared folders that need to be available from the
network, but should be hidden from users browsing the netw
ork, youcan create administrative
(or hidden) shared folders. You can access an administrative
shared folder by typing in its UNC path, butthe folder will not
be visible if you browse the server by using File Explorer. Ad
ministrative shared folders also typically have a morerestricti
ve set of permissions to reflect the administrative nature of t
he folders contents.
To hide a shared folder, append the dollar symbol
($) to the folders name. For example, a shared folder on LO
N-SVR1 named Salescan be made into a hidden shared folde
r by naming it Sales$. The shared folder is accessible over th
e network by using the UNC path\\LON-SVR1\Sales$.
Note: Shared folder permissions apply only to users who acc
ess the folder over the network. They do not affect users wh
oaccess the folder locally on the computer where the folder i
s stored.
Just like NTFS permissions, you can assign shared folder per
missions to users, groups, or computers. However, unlike NT
FSpermissions, shared folder permissions are not configurabl
e for individual files or folders within the shared folder. Share
d folderpermissions are set once for the shared folder itself,
and apply universally to the entire contents of the shared fol
der for users whoaccess the folder over the network.
Description
Read
Users can view folder and file names, view file data and attributes,
hared folder.
Change
Users can create folders, add files to folders, change data in files, a
orm all tasks permitted by the Read permission.
Full Control
Users can change file permissions, take ownership of files, and per
Permissions Inheritance
Assigned Perm
orsNone set
Permission Conflicts
Sometimes, explicitly set permissions on a file or folder confl
ict with permissions inherited from a parent folder. In these c
ases, theexplicitly assigned permissions always override the
inherited permissions. In the given example, if Adam Carter
was denied Writeaccess to the parent Marketing folder, but t
hen explicitly granted Write access to the New York folder, th
e granted Write accesspermissions take precedence over the
inherited deny Write access permission.
Blocking Inheritance
Effective Permissions
folder, making iteasier for users to find the files that they ne
ed. Windows Server 2012 allows access-based enumeration
of folders that a servershares over the network.
Offline Settings
With Windows Server 2012, you view the Offline Settings dial
og box for a shared folder by clicking the Caching button in t
heAdvanced Sharing dialog box. The following options are av
ailable within the Offline Settings dialog box:
Only the files and programs that users specify are available offline. This is
ou use this option, no files or programs are available offline by default, and
s when they are not connected to the network. Alternatively, you can choo
mputers that are accessing the files to cache files downloaded from the fo
nfigure BranchCache on the Windows Server 2012 server to select this opt
No files or programs from the shared folder are available offline. This optio
d programs on the shared folder.
All files and programs that users open from the shared folder are automati
folder or drive and opens a file or program in it, that file or program is mad
ams that are made automatically available offline remain in the offline file
the cache is full or the user deletes the files. Files and programs that are n
Optimized for performance. If you select this option, executable files (.exe,
.dll) that are run from the shared folder by a clientcomputer are cached on
t computer runs the executable files, it willaccess its local cache instead o
Note: The Offline Files feature must be enabled on the client computer for
the Optimized For Performance option does not have any effect on client c
g systems, because these operating systems perform the program-level ca
3.
1.
2.
3.
Lesson Objectives
After completing this lesson, you will be able to:
Describe shadow copies.
Describe considerations for scheduling shadow copies.
Identify methods for restoring data from shadow copies.
Restore data from a shadow copy.
Shadow copies are suitable for recovering data files, but not
for more complex data
(such as databases), that need to be logicallyconsistent befo
re a backup is performed. A database that is restored from p
revious versions is likely to be corrupt and requiredatabase r
epairs.
1.
2.
3.
4.
In File Explorer, right-click Local Disk (C:), and then click Configure S
In the Shadow Copies dialog box, click Create Now.
When the shadow copy is complete, click OK.
Lesson Objectives
After completing the lesson, you will be able to:
Describe the Work Folders role service.
Discuss the benefits and limitations of Work Folders.
Describe Work Folders components.
Configure Work Folders.
Work Folders is a new role service of the File and Storage Ser
vices role and is only available in Windows Server 2012 R2.
WorkFolders allows users to synchronize corporate data to al
l of their devices. When a user creates or modifies a file in a
Work Foldersfolder on any device or PC, it is automatically re
plicated (using Secure Sockets Layer
(SSL) connections on port 443) to a folderknown as the sync
share on the corporate file server. The changes in the sync s
Conflict Resolution
If a file is edited and saved on different devices at the same
time, both copies will be uploaded to the server. One of the fi
le nameswill have the name of the device it was saved on ap
pended to it. For example, a user opens, edits, and saves a fi
le named Doc1 onhis office PC; he then edits the offline versi
on on his tablet. When the tablet version synchronizes, the fi
le will be saved as Doc1 nameof tablet. There will now be tw
o versions of the file in the sync share.
For organizations that want to maintain data storage onpremise and already have established practices around data
managementand storage, Work Folders provides a solution t
hat users will find familiar. Cloud-based technologies such as
SkyDrive Pro are goodsolutions for organizations that use S
harePoint and need the collaboration features of Office 365.
Benefits
Limitations
Software Requirements
Server Components
Client Components
Manual Deployment
Opt-in Deployment
Work Folders settings can be delivered via Group Policy, Micr
osoft System Center 2012 Configuration Manager or by Wind
owsIntune. After the settings are delivered, the user can th
en decide if they want to use Work Folders on that device.
Mandatory Deployment
Server Configuration
Add-WindowsFeature FS-SyncShareService
2Use the New Sync Share Wizard or Windows PowerShell to create a sync s
. oThe name of the server that will host the sync share.
oThe path to the sync share. This is a path to a local folder or an existing s
ing shared folder then the work folders can also be accessed by the UNC
oThe folder naming format. This is in the form of an email address or a use
ch as home folders. You can also specify that only a subfolder of the sync
oThe name of the sync share. This is the friendly name the sync share is k
oThe names of the users or groups that will have access to the sync share
disabled and the user is granted exclusive access to the folder, but you c
oYou can specify whether to encrypt the work folders and whether to autom
Windows PowerShell cmdlets New-SyncShare and Set-SyncShare are u
mple creates a sync share named SalesShare at the local path of C:\Sales
t resolution method to keep the latest file saved.
Client Configuration
Manual Configuration
This requires the user to launch the Work Folders item in Con
trol Panel and enter their corporate email address. This addr
ess is usedto build the URL
(by default HTTPS://FQDN) of the file server, which will conne
ct the user to Work Folders. If the URL cannot bediscovered
by using the users email address, the URL can be input man
ually.
Description
Force automati
manually specifying the local folder in which files are stored. Work Folders us
Setting
Description
sers
ders.
Specify Work F
This user configuration setting specifies the Work Folders server as well as w
olders settings
mputers. When enabled, users receive settings for the Work Folders URL and
ork folders are stored. The default location is %userprofile%\Work Folders.
In Server Manager, in File and Storage Services use the New Sync Share
eters:
o Server Name: LON-SVR1
o Select by file share: Data
o Structure for user folders: User alias
o Sync share name: WorkFolders
o Grant synchronize access to groups: Domain Users
o Device policies: Automatically lock screen, and require a passwo
4.
5.
6.
Open the Work Folders folder and create a new text document.
Lesson Objectives
After completing the lesson, you will be able to:
1.
2.
3.
4.
1.
2.
3
Click the Printers node, right-click the desired printer, and then click En
.
To configure Branch Office Direct Printing using Windows Pow
erShell, type the following cmdlet at a Windows PowerShell p
rompt:
Set-Printer -name "<Printer Name Here>" -ComputerName
<Print Server Name Here> -RenderingMode BranchOffice
Objectives
Lab Setup
Virtual machines
20410C-LON-CL1
20410C-LON-DC1
20410C-LON-SVR1
User name
Adatum\Administra
Password
Pa$$w0rd
For this lab, you will use the available virtual machine enviro
nment. Before beginning the lab, you must complete the foll
owing steps:
1. On the host computer, click Start, point to Administrative Tools, and
2. In Hyper-V Manager, click 20410C-LON-DC1 and in the Actions pane
3.
4.
5.
6.
Scenario
Your manager has asked you to create a new shared folder f
or use by all departments. There will be a single file share wi
th separatefolders for each department. To ensure that users
only see files to which they have access, you need to enable
access-basedenumeration on the share.
There have been problems in other branch offices with confli
cts when offline files are used for shared data structures. To
avoidconflicts, you need to disable Offline Files for this share
.
The main tasks for this exercise are as follows:
1. Create the folder structure for the new share.
2. Configure NTFS permissions on the folder structure.
3. Create the shared folder.
4. Test access to the shared folder.
5. Enable access-based enumeration.
6. Test access to the share.
7. Disable Offline Files for the share.
Task 1: Create the folder structure for the new share
On LON-SVR1, open File Explorer and create the following folders:
o E:\Data
o E:\Data\Development
o E:\Data\Marketing
o E:\Data\Research
o E:\Data\Sales
Permissions
E:\Data
No change
E:\Data\Development
Modify: Adatum\De
E:\Data\Marketing
Modify: Adatum\Ma
E:\Data\Research
Modify: Adatum\Res
E:\Data\Sales
Modify: Adatum\Sal
2.
Scenario
You must now enable and configure Work Folders to support
the requirements of your users. Domain users have their ow
n Windows8.1 and Windows RT 8.1 tablet devices and want a
ccess to their work data from anywhere. When they return to
work, they want tobe able to synchronize these data files. Yo
u will use Group Policy to force the Work Folders settings to u
sers and test the settings.
The main tasks for this exercise are as follows:
1. Install the Work Folders role service.
2. Create a Sync Share on the File Server.
3. Automate settings for users via Group Policy.
4. Test synchronization.
Task 1: Install the Work Folders role service
On LON-SVR1, use Windows PowerShell to run the following command to
Add-WindowsFeature FS-SyncShareService
Note that the name of the feature is case-sensitive.
Task 2: Create a Sync Share on the File Server
1. On LON-SVR1, use Windows PowerShell to run the following command
New-SyncShare Corp path C:\CorpData User Adatum\Domain
2. Open Server Manager and view the Work Folders to ensure the sync sh
Task 3: Automate settings for users via Group Policy
1.
2.
On LON-DC1, create a GPO named Work Folders and link it to the Ada
Edit the Work Folders GPO as follows:
o Navigate to User Configuration\Policies\Administrative Templ
o Enable the Specify Work Folders settings policy and specify the Wo
o Select Force automatic setup to force automatic setup.
3. Close all open windows.
Task 4: Test synchronization
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$
2. Use File Explorer to navigate to C:\Labfiles\Mod10 and double-click W
This adds a registry entry to allow unsecured connections to the work f
3. Sign out of LON-CL1.
4. Sign in to LON-CL1 as Adatum\Administrator.
5. In File Explorer, open Work Folders and create a new text document na
6. Switch to LON-SVR1 and use File Explorer to open C:\CorpData\Admin
Ensure the new text file you created exists.
Results: After completing this exercise, you will have install
ed the Work Folders role service, created a sync share, and c
reated aGroup Policy Object to deliver the settings to the use
rs automatically. You will have also tested the settings.
Tools
Tool
Use
Where
Under A
aredfolder.
or share
Comman
line tool
nts.
le
2.
The Too