By default, Windows 2003 assigns Full Control permissions to the Administrators group and the System group to any NTFS volume, which are also inherited by the folders and files in it. The Users group is assigned Read & Execute, List Folder Contents, and Read permissions. Users or groups who need to write and or modify files and folders will need additional permissions.
The above list describes what the NTFS permissions ‘allow’, but you can also explicitly deny the permissions to users. Denying permissions is usually only done to make an exception. For example, you could allow Modify permission for the Sales group and deny the same permission for certain user account in the Sales group for whom you want to make an exception.
Allow permissions are cumulative, which basically means the least restrictive permission becomes the effective permission. For example, John is a member of the Sales group and the Management group. Sales has been allowed Modify permissions for the folder SalesReports. Management has been allowed Read permissions for the same folder. Since John is a member of both groups, his effective permission in this case is Modify. The following table lists some more examples. Note that the listed permissions in these examples are ‘allowed’.
User Permissions Sales Group Management Group Effective NTFS Permissions
John Full Control Read Modify Full Control
Lisa Read Write Read Write
Bob Write Modify Read & Execute Modify
Alice Read Read Full Control Full Control

Configuring NTFS Permissions
There are several different ways to assign NTFS permissions but the most common way is to use Windows Explorer or My Computer, right-click a file, folder, or volume, click Properties and then the click on the Security tab. Under Group or user names on the Security tab, select or add a group or user. Then at the bottom allow or deny one of the available permissions.

By default, when you add a user or group to the list in the dialog show above, this user or group will have Read & Execute, List Folder Contents, and Read permissions.
File permissions override folder permissions. For example, if user David has been allowed Read permissions for the folder and Modify permission for a file work.doc, his effective permissions for the work.doc file is Modify. The exception to this rule is the permission Full Control on folders. Groups or users that have Full Control for a folder can delete files and subfolders in it regardless of the permissions set on those files and subfolders.
In addition to the permissions listed in the tables above, you can also assign special permissions by clicking the Advanced button on the Security tab to open the Advanced Security Settings dialog with the Permissions tab opened as displayed in the following screenshot. Here you can add, remove, and edit the permissions for users on a more granular level.

Permission Inheritance
Besides explicitly assigned permissions on a file or folder, it may inherit permissions from its parent folder (up to the root folder, which is the volume itself). By default, permissions set on a folder are automatically inherited by all files and subfolders in it. This simplifies administration but is not always desired.
In the image above, you can see the following two options:
Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
When this option is cleared, the file or folder will not inherit permissions from the parent folder.
Replace permission entries on all child objects with entries shown here that apply to child objects.
This option will actually reset the permissions on child objects (files and subfolders) to make sure they inherit the permissions from this folder and those permissions are not overridden by permissions explicitly assigned on child objects.
In some situation you may want to inherit most of the permissions from the parent, but make an exception for one or more users/groups. In that case you should set the opposite permission of the one that is inherited. For example, if James inherits Modify permissions from a parent folder through group permissions, you could deny Modify permissions for James on the child object to prevent inheritance for James only and still allow Modify access to the rest of the group.
Effective Permissions
On the Effective Permissions tab of the Advanced Security Settings for a file or folder you can select a user or group and see the effective permissions. These are the results of the permissions directly assigned to the file or folder and permission inherited from parent folders.
Change ownership of files and folders
When a user creates a file or folder Windows 2003 automatically assigns Full Control permissions to the creator/owner. This allows the user to assign permissions to other users for the files he or she creates. This means that besides the ACL, files and folders need to include information about who owns the file. By default, this is the account who creates the file or folder or the Administrators group. For several different reasons, the ownership of a file or folder may need to change. For example, if a user leaves the company, the ownership of his or her files and folders may need to be transferred to other users.
You can take ownership of a file by replacing the owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permissions Take Ownership to be able to take ownership of a file or folder. Users who has the Restore files and directories privilege can assign ownership to any user or group.

Moving and copying protected files
Moving and copying NTFS protected files is similar to moving and copying compressed file. When you copy a protected file to a folder on the same, or a different volume, it inherits the permissions of the target folder. When you move a protected file to a different NTFS volume, the file inherits the permissions of the target folder. A move between volumes is actually considered a copy; the source file is deleted after it is copied to the target volume.
However, when you move a protected file to a different location on the same volume, the file retains its permission. When data is moved within the same volume, the data is not actually relocated, the pointer to it is merely changed and that is why it retains the ACL. In all cases the target volume needs to be a NTFS volume as well because as mentioned earlier, FAT, FAT32 and other file systems do not support NTFS file and folder permissions.
Shared Folder Access
A shared folder (commonly referred to as a share) is a folder or entire volume that is published on the network and can be remotely accessed by other users. The shared folder can be used as if it were a local folder; to store data, and even to run applications from the share over the network. Members of the built-in group Administrators, Server Operators and Power Users can share folders. If the shared folder is located on an NTFS volume, users need at least the NTFS permission Read for the local folder to be able to access it, regardless of the share permissions assigned to it. Following are some of the common methods for creating shared folders:
1. Using the Shared Folders snap-in, which is included by default in the Computer Management console. In the console tree, click Shares (below ComputerManagement|System Tools|Shared Folders). On the Action menu, click New File Share. You will be prompted to select the folder or drive, enter the share name and description, and set permissions.
2. Use the net share command at the prompt: net share sharename=drive:path
3. In Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Sharing tab. Enable the option Share this folder, enter a name for the share, a description and configure other settings as depicted in the following image.

Users can connect to a share in several ways, for example:
1. Use My Network Places/Windows Explorer a user can browse to the share or use the Add Network Place wizard to create a shortcut.
2. Use a direct UNC path, for example: //FileServer12/ShareX
3. Use My Network Places/Windows Explorer or the net use command to map a drive letter to a share.
By default, Windows 2003 creates the following hidden administrative shares depending on the configuration of the server:
Admin$ This is the system root, usually C:\Windows, Administrators are assigned Full Control share permissions.
C$, D$, E$, etc. Each volume on a hard disk is shared by default and provide easy access of the entire volume to Administrators. Administrators are assigned Full Control share permissions.
IPC$ A system share that allows named pipes connections for communication between applications and other computers.
Print$ This points to the %systemroot%\System32\Spool\Drivers folder, and is created when printers are shared to allow clients to automatically download the printer drivers.
Fax$ A system share used by fax clients.
You can create hidden shared folders yourself by adding a $ sign to the end of the share’s name. Hidden shares do not show up when users browse the network through My Networks Places for example. To access these hidden shares, users need to enter the name including the $ sign. NETLOGON and SYSVOL are two other administrative shares that exist on domain controllers, but they are not hidden.
Shared Folder Permissions
There are three different share permissions that can be assigned to groups and individual user accounts. These permissions apply only when connecting to the share over the network. The share permissions do not apply to users who log on to the local machine. The following share three permissions are available for shared folders:
READ
Allows user to read files and list the contents of folders and volumes. This allows executing applications as well. The default for new shared folders is Read permissions for Everyone.
CHANGE
Allows the same as Read and allows the user to modify, create and delete files and subfolders.
FULL CONTROL
Allows the same as Change, but additionally allows the user to modify permissions.
Whether the permissions actually allow the desired access depends on the NTFS permission of the shared folder and the file subfolders in it. For example, if a user has the share permission Change for a shared folder, that user will not be able to actually change files for which the user has only Read NTFS permissions. We will go over some more examples in the following section “Combining Shared Folders with NTFS Permissions”. However, you can create share folders located on a FAT or FAT32 disk and assign share permissions to provide protected access for users that connect to the shared folder. Remember that share permissions are only used when a user connects to the shared folder from a remote computer. So if a user logs on locally to a computer with a FAT/FAT32 drive, the share permissions are ignored.
To configure share permissions in Windows Explorer/My Computer right-click the folder or drive, and then click Properties and then the Permissions button on the Sharing tab. Under Group or user names: select or add a group or user, and allow or deny one of the permissions listed in the table above.

When you set permissions, you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permissions for new shared folders is Read to Everyone. Whether Everyone will actually be able to read depends on the NTFS permissions.
Combining Shared Folders with NTFS Permissions
When you combine NTFS permissions and share permissions the most restrictive effective permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.
Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permissions amd the effective NTFS permission before taking the most restrictive.
So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:

1. Determine the ‘effective’ NTFS permissions
2. Determine the ‘effective’ share permissions
3. Take the most restrictive of these two.
Following is a practice questions that raised discussion in our forums several times:
X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John’s effective permissions when connecting to the shared folder?
a. Read
b. Read & Execute
c. Change
d. Full Control
The correct answer is c. Change, but many people seem to be inclined to choose answer a. Read instead because Read is the most restrictive permission. However, it is the most restrictive effective permissions that counts.
1. Determine the effective NTFS permissions:
As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, this means John has Read NTFS permissions for the folder through the Sales group, and Full Control NTFS permission through his own account, hence his effective NTFS permissions is Full Control.
2. Determine the effective share permissions:
The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.
3. Take the most restrictive of these two:
The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.
Troubleshoot access to files and shared folders
Problems accessing shared folders are often caused by underlying network connectivity problems. Before you scratch yourself a bold spot trying to find an incorrectly configured ACL or Shared Folder, make sure you check basic network connectivity, ping the file server by name, check if the user is properly logged on to the domain, etc.
Probably the most common cause of problems with accessing files and shared folders is an incorrect configuration, so when things are not working as expected you should verify the configuration. A user that is not able to access a file or folder maybe a member of a group who was recently denied certain permissions. Configuration changes of permissions assigned to a parent folder my also cause problems through inheritance.
The Effective Permission tool on the Advanced Security Settings dialog provides an easy method to determine the NTFS permissions, but it does not include share permissions. I n large environments with many users and groups, it can be hard to determine the effective share permissions so it is important to maintain a structured user and group design and folder hierarchy. The following link points to document with Best practices for Shared Folders.
The Shared Folders snap-in, included by default in the System Tools of the Computer Management console, provides an overview of the Shares configured on the local computer, the active Sessions, and the currently Open Files. These can provide valuable information when troubleshooting access to shared folders.

                                   

Implementing and Conducting Administration of Resources

FILE SYSTEMS    

Windows XP support the following file systems:

FAT   

Disks formatted with the FAT file system can be accessed by MS-DOS, all versions of Windows, and OS/2. The maximum supported volume size is 4 GB, the maximum file size is 2 GB.

This file system should only be used on removable media such as floppy disks and hard disks smaller than 512 MB.
FAT32    

The faster file system FAT32, is often used in multi-boot situations with operating systems that do not support NTFS. Disks formatted with the FAT32 file system are supported by

Windows 95 OSR2, Windows 98 and ME, Windows 2000, and Windows XP. Windows NT 4 and earlier cannot access FAT32 volumes. The maximum supported volume size for FAT32 is 2 TB, but

Windows XP can format up to 32 GB only. The maximum file size is 4 GB. The minimum size for a FAT32 volume is 512 MB. You cannot format removable media such as floppy disks with

FAT32.
NTFS    

Disks formatted with NTFS version 5 can only be accessed by Windows NT 4.0 with Service Pack 4 or higher, Windows 2000, and Windows XP. NTFS supports a volume size over 2 TB and

the maximum file size is limited only by the available free space. You cannot format removable media such as floppy disks with NTFS. Besides being able to handle large disks,

NTFS is the preferred file system for Windows 2000 and XP because of the extra features it offers, including:
- File and folder permissions – (discussed below)
- File and folder compression – (discussed below)
- Encrypted File System (EFS) – (see EFS TechNotes)
- Disk Quotas – Allows quotas to be assigned to users for disk space usages per volume. Quotas are only available on NTFS volumes and can be enabled and configured on the Quota

tab on a volume’s Properties sheet.
CDFS   
This is the file system used on compact discs. You cannot format regular disks with this file system.
Converting File Systems 

You can convert FAT file systems to NTFS using the following command: convert c: /fs:ntfs
The convert utility cannot be used to convert from NTFS to another file system. For example if you converted a FAT32 partition to NTFS and you want to revert it back to FAT32,

you will have to create a full backup, reformat the drive with FAT32, and restore the backup.
FILE AND FOLDER COMPRESSION    

NTFS Compression    

NTFS Compression allows compression of individual files and folders, as well as entire NTFS drives. The process of compression and decompression is transparent to the user. For example, when a user opens a document from a NTFS compressed disk, the document is decompressed automatically, when the user saves the document it is compressed again. This

process might decrease your computer’s performance; it’s best to compress static data and only if it really saves space, you don’t want to waste CPU cycles compressing a ZIP

file for example. An NTFS-compressed file cannot be encrypted, and an encrypted file cannot be compressed. If you do enable compression for an encrypted file, the file will lose

it’s encryption attribute before it is compressed.

You can enable compression for a volume when you format it. To enable compression on an existing volume, right-click it and choose Properties from the context menu, on the

General tab enable the option Compress drive to save disk space. To compress a file or folder, right-click it and choose Properties from the context menu, click the Advanced

button and below Compress and Encrypt attributes enable the option Compress contents to save disk space. When you enable compression on a folder or volume, Windows will ask if

you want to enable compression for all the files and subfolders in the folder or volume as well. Besides using Windows Exporer, you can also use the command compact to compress

or decompress a file or folder.

When you copy a compressed file to a folder on the same, or a different volume, it inherits the compression state of the target folder. This works also vice versa; when you copy

an uncompressed file to a folder with compression enabled, the file will inherit the the target’s compression state and thus it will be compressed.

When you move a compressed file to a folder without compression on the same volume, the file retains its compression attribute. When data is moved within the same volume, the data is not actually relocated, just the pointer to it, this is why it retains the compression attribute. When you move a compressed file to a folder without compression on a different NTFS volume, the file inherits the compression state of the target folder. If the target is not compressed, or is a FAT or floppy disk, the file will be uncompressed.

A move between volumes is actually considered a copy; after the source file is copied to the target volume the source file is deleted.

By default, compressed files and folders are displayed in a different color, you can change this by choosing Folder Options in the Tools menu of My Computer/Windows Explorer.

Click on the View tab and enable the option: Show encrypted or compressed NTFS files in color.
Compressed (zipped) Folders   

A new feature introduced in Windows XP is Compressed Folders. These are ZIP files that can be used like regular folders, with some limitations and some advantages. The main limitation is that many programs can’t be run directly from the ZIP file because they might depend on files outside the Compressed Folder. Also you cannot save files to a compressed folder (zip file), you have to use drag and drop or copy and paste. Some advantages of Compressed (zipped) Folders are that they can easily be transported on removable media and the Internet, they can be used on FAT partitions, and they can be protected with a password. Compressed Folders are not available on Windows XP 64-Bit Edition.

The easiest way to create a Compressed Folder is by right-clicking the desktop, point to New, and then select Compressed (zipped) Folder. You can also use the File menu in My Computer. A Compressed Folder is represented by a Folder icon with a zipper.
NTFS FILE PERMISSIONS    

One of the main reasons to use NTFS is the possibility to assign permissions for individual files and folders. Each file and folder on an NTFS volume contains an Access Control List (ACL). This list is filled with entries for groups and individual user accounts and their corresponding permissions. When a user tries to access a resource, Windows XP checks the ACL if the user is listed and what level of permission is assigned.

The following permissions can be assigned for files and folders:

Read  Allows user read files and list the contents of folders, subfolders and volumes, including the attributes, permissions and ownership of the files.
Write Allows the same as Read and additionally allows the user to modify and create files and (sub-)folders as well as changing attributes.
Read and Execute Allows the same as Read and additionally allows users to run applications.
Modify  Same as Read plus Write and and additionally allows executing applications as well.
Full Control Allows everything permitted by the other permissions and and additionally a user with Full Control can change permissions and take ownership of file. 

For folders only, the following additional permission can be assigned:

List Contents  Allows user to read files and list the contents of folders and volumes, user with this permissions can only see the files and folders, not read or change them.

To assign NTFS permissions in Windows Explorer/My Computer, right-click a file, folder, or drive, and click Properties and then the Security tab. If your computer is not a member of a domain, you have to disable the option Use simple file sharing on the View tab of Folder Options before you can see the Security tab.

Under Group or user names: on the Security tab, select or add a group or user, and allow or deny one of the permissions listed in the table above. Denying permissions is usually only done to make an exception, for example, you could allow Modify permission for the Sales group and deny the same permission for certain user account in the Sales group.
 

When you share a folder, you can set a User limit to set a maximum amount of users that can connect to the share simultaneously.

There are three different share permissions that can be assigned to groups and individual user accounts. These permissions apply only when connecting to the share over the network. The share permissions do not apply to users who log on to the local machine. If you want local security use NTFS file and folder permissions.

Share permissions:
Read Allows user to read files and list the contents of folders and volumes. This allows executing applications as well.
Change Allows the same as Read and allows the user to modify and create files and folders.
Full Control
 Allows the same as Change and allows the user to modify Share permissions as well.

When you set permissions you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permissions for new shares is Read to Everyone.

When you combine NTFS permissions and share permissions the most restrictive permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.

To assign share permissions in Windows Explorer/My Computer right-click the folder or drive, and then click Properties and then the Permissions button on the Sharing tab. Under Group or user names: select or add a group or user, and allow or deny one of the permissions listed in the table above.

By default, Windows XP creates several hidden administrative shares:

Share Purpose
Admin$ This is the system root, usually C:\Windows, Administrators are assigned Full Control share permissions.
Print$ This is the %systemroot%\System32\Spool\Drivers folder, this folder is created when printers are shared to allow clients to automatically download the printer drivers. Administrators and Power users are assigned Full Control share permissions, Everyone is assigned Read permission.
C$, D$, E$, etc.
 Each volume on a hard disk is shared. to provide easy access of the entire volume to Administrators. Administrators are assigned Full Control share permissions.

You can also create hidden shares yourself by adding a $ sign to the end of the share’s name.

Users can connect to a share in several ways, for example:
1. Using My Network Places/Windows Explorer you can browse to the share or use the Add Network Place wizard.
2. Using a direct UNC path, for example: //FileServer12/ShareX
3. Using My Network Places/Windows Explorer or the net use command to map a drive letter to a share.

Offline Files     

Offline Folder allows user to cache the contents of a share and make it available offline, so they can access the files and some programs, even when they are not connected to the network. To allow a shared folder to be cached offline, in Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Caching button on the Sharing tab.

If you enable the option Allow caching of files in this shared folder you can choose one of the following three settings:

Manual caching of documents This is the the default setting when you enable caching. Users will be able to manually select the files they want to make available offline.
Automatic caching of documents Each file that is opened from this share will automatically be copied to the Offline Files folder.
Automatic caching of programs and documents
 This setting allows caching of files that are read-only such as program files.
To enable and configure the Offline Files feature on a client computer, from the Tools menu in My Computer choose Folder Options and click the Offline Files tab. Here you can disable/enable Offline Files, configure synchronization at logon and/or logoff, enable encryption for all offline files, and set the maximum amount of disk space used for offline files (default is 10% of drive space). When you click the Advanced button, you can also view and delete the offline files, and configure what action should be taken when the network connection is lost.

Before files are actually cached on your client, you need to select the shares you wish to make available offline. You can do this simply by right-clicking a drive mapping, and choosing Make available offline.

 Printing
Covers Windows XP local and network printing. Creating, configuring, sharing, securing and connecting to printers.

 Desktop Environment
Covers User Profiles, multiple langauges and locations, local settings and Windows Installer packages.

 Storage
Covers storage types, dynamic and basic, spanning, striping, removable media and disk management tasks.

 Backup, Restore, Repair, and Recover
Covers Backup, Restore, System State Data, ASR, System Restore, Safe Mode, Last Know Good, Device Driver Roll Back and more.

 Devices and Drivers
Covers Device Manager, display devices, ACPI, driver signing, multi-processor configuration, and installing various I/O devices.

 Introduction to ADS
Covers Windows 2000 Active Directory basics and terminology.

 Remote Assistance and Remote Dekstop
Covers Remote Assitance and Remote Dekstop, invitations, offers and troubleshooting.

 Internet Connection Sharing (ICS) and Internet Connection Firewall (ICF)
Covers Internet Connection Sharing (ICS) and Internet Connection Firewall (ICF).

 Internet Information Services (IIS)
Covers Internet Internet Information services, home directories, virtual directories, web sharing, permissions and troubleshooting.

 Encrypted Files System (EFS)
Covers Encrypted File System (EFS), Recovery Agents, and CIPHER command.

 Auditing *NEW*
Covers local Audit Policy and Event Viewer’s security log configuration.

 Performance *NEW*
Covers memory, processor, disk, and application performance, Task Manager, System Monitor and Performance Logs and Alerts, Disk Defragmenter, Scheduled Tasks, and Visual Effects.

 Local User and Group Accounts *NEW*
Covers Local Users and Groups, account settings, account policies, and user rights assignment.

 Internet Explorer *NEW*
Covers Internet explorer security settings and access to resources. 

This is from http://www.techexams.net/technotes/xp/administration.shtml

                                   

Several weeks ago，we once talked about the 70-270 preparation guide. From that post, we have known some useful information such as the number of MCSE 70-270 questions, how to choose best practice tests or exam or other exam materials, passing or total scores and so on. Obviously, it is not enough for us to grasp XP technologies such as Install, Configure, and Administer Microsoft Windows XP Professional, and so on. To help us get MCSE/MCSA on server 2003 in high rate, here we will share our 70-270 Xp Exam TechNotes(1) for free.

SYSTEM REQUIREMENTS

Before you install Windows XP Professional you should ensure that your hardware meets the system requirements. These may vary based on your system configuration, click here for more details and the complete system requirements listed at Microsoft.com
  CPU Minimum required: 233 MHz
Recommended: 300 Mhz or higher processor
Supports Dual-processor.
RAM 64 MB minimum supported
128 MB or higher recommended
4 GB maximum supported
Disk space 1.5 gigabytes (GB) of available hard disk space
Other
requirements  – SVGA (800×600 or higher) display adapter and monitor
- CD-ROM or DVD drive
- Keyboard and mouse or compatible pointing device

HCL

You should also ensure that you hardware is listed in the Hardware Compatibility List, You can download the HCL in text file format here. When not all your hardware is on the HCL it does not necessarily mean you cannot use it with Windows XP, check the vendor’s web site if they have a XP driver for their device.

THE INSTALLATION     Back to top

A typical installation of Windows XP Professional from a CD-ROM consists of 4 stages described below:

1. Starting Setup

If your computer is able to boot from CD-ROM, the easiest way to start setup is to boot from the Windows XP Professional installation CD. During this stage, which is also known as the text-based portion of setup, a mini Windows XP is loaded on the target computer and starts the setup program. After accepting the license agreement, setup prompts you to create or choose a partition where Windows XP should be installed. If you choose to create a new partition setup formats the new partition as either FAT32 or NTFS, depending on your choice.

If the target computer is not able to boot from CD-ROM, or you want more control over the setup process and parameters, you can start setup manually using winnt32.exe or winnt.exe, both described below.

Winnt32.exe

Performs an installation of, or upgrade to Windows XP. You can run winnt32.exe on Windows 9x, ME, NT, 2000, or XP. The following table lists and describes the available command-line parameters for the winnt32.exe command:

Parameter Purpose
/checkupgradeonly Checks your computer for upgrade compatibility with Windows XP. You can save the results in a file, upgrade.txt in the system root by default.
/cmd:command_line  Instructs Setup to carry out a specific command before the final phase of Setup. This would occur after your computer has restarted and after Setup has collected the necessary configuration information, but before Setup is complete.
/cmdcons Adds the Recovery Console to the startup options. This option can only be used when Windows XP is already installed.
/copydir:{i386|I64}\FolderName Creates an additional folder within the folder in which the Windows XP files are installed. For example use /copydir:i386\corpdrivers to have Setup copy that folder to your newly installed computer, making the new folder location systemroot\corpdrivers. Use /copydir multiple times to create additional folders.
/copysource:FolderName  Creates a temporary additional folder within the folder in which the Windows XP files are installed and is deleted after Setup completes. For example use /copysource:corpdrivers to have Setup copy that folder to your newly installed computer, making the temporary folder location systemroot\corpdrivers. Use /copysource multiple times to create additional folders.
/debug[Level]:[FileName]  Creates a debug log at the level specified, for example, /debug4:InstDbg.log. The default log file is C:\systemroot\Winnt32.log, and the default debug level is 2. Level 0 represents severe errors, 1 errors, 2 warnings, 3 information, and 4 detailed information for debugging.
/dudisable Discussed below in "Post-installation Updates"
/duprepare:pathname Discussed below in "Post-installation Updates" 
/dushare:pathname  Discussed below in "Post-installation Updates"
/m:FolderName Instructs Setup to look for installation files in this alternate location first, instead of using the files from the default location.
/makelocalsource Instructs Setup to copy all installation source files to your local hard disk.
/noreboot  Instructs Setup to not restart the computer after the file copy phase of Setup is completed so that you can run another command.
/s:SourcePath  Specifies the source location of the Windows XP files. You can copy files simultaneously from multiple servers, by using the /s:SourcePath option multiple times (up to a maximum of eight) to specify different source servers.
/syspart:DriveLetter Copies Setup startup files to the hard disk and marks the disk as active. This disk can then be installed into another computer. When you start that computer, it automatically starts with the next phase of Setup. You must always use the /tempdrive parameter with the /syspart parameter. You can start Winnt32 with the /syspart option on an x86-based computer running Windows NT 4.0, 2000, or XP.
/tempdrive:DriveLetter  Specifies a drive letter to place temporary files. (note: for a clean installation, Windows XP will also be installed on the specified partition.)
/unattend[num]:[answer_file] Specifies an answer file for unattended installations, discussed in detail below in "unattended installations"
Num is the number of seconds between the time that Setup finishes copying the files and when it restarts your computer. 
/unattend Discussed below in "unattended installation"
/udf:id [,UDB_file] Specifies an UDB file for unattended installations
Discussed below in "unattended installations"

Winnt.exe

Performs an installation of Windows XP. If your hardware is compatible with Windows XP, you can run winnt.exe at a Windows 3.x or MS-DOS command prompt. The following table lists and describes the available command-line parameters for the winnt.exe command:

Parameter Purpose
/s:SourcePath Specifies the source location of the Windows XP files. The location must be a full path of the form x:\[Path] or \\server\share[\Path]. 
/t:TempDrive  Directs Setup to place temporary files on the specified drive and to install Windows XP on that drive. If you do not specify a location, Setup attempts to locate a drive for you. 
/u:answer file  Discussed below in "unattended installation"
/udf:ID [,UDB_file]  Discussed below in "unattended installation"
/r:folder  Specifies an optional folder to be installed. The folder remains after Setup finishes.
/rx:folder  Specifies an optional folder to be copied. The folder is deleted after Setup finishes.
/e:command  Specifies a command to be carried out just before the final phase of Setup.
/a  Enables accessibility options.
/? Displays the parameters listed above.

2. Setup Wizard

When the first stage of the installation completed, the computer reboots and the GUI portion, known as the Setup Wizard, will start. This will prompt you for regional settings to customize keyboard, language, and locale settings. Information such as your name and organization, the Computer name, Administrator password and time and date is also entered during this stage.

3. Installing Network components

The next stage is Installing Network components, which includes detecting the network interface card. You must also choose to join a Domain or Workgroup during this stage. Typically the following components are installed:
- Client for Microsoft Networks
- File and Print Sharing for Microsoft Networks
- Qos Packet Scheduler
- TCP/IP protocol suite.

4. Completing the installation

During this final stage Setup copies the remaining files, configures the computer, saves the settings, removes temporary installation files, and restarts the computer

UNATTANTED INSTALLATIONS

There are several ways to perform an unattended installation of Windows XP. Unattended means Setup will not require any user input during the installation, although in practice this is not always the case. But it allows you to install multiple computers without actually sitting in front of them.

Setup Manager

The Setup Manager (setupmgr.exe) can be used primarily to create or modify answer files. When you start the Setup Manager, a wizard will take you through all the steps involved, similar to going through a regular Setup. Although answer files can be created manually using a simple text editor, the Setup Manager provides a graphical interface allowing you to easily create complex answer files. For example, answer files with additional commands that run other installation and configuration scripts when Setup is finished. Besides creating the default unattend.txt answer files, you can also use the Setup Manager to create answer files for Sysprep and RIS installations. When a regular unattend.txt answer file is created you can also have Setup Manager create a distribution folder with the installation files. Additional files (applications, drivers, etc.) can be installed in the same folder.
The Setupmgr.exe file must be extracted from the DEPLOY.CAB file located in the \Support\Tools folder on the XP installation CD. Before you enter the the information (the answers) you would normally enter during the installation process, you have to select the User Interaction Level. You can choose from 5 different options:

Provide Defaults
During the installation the user will see the answers provided in the answer file as defaults, the user can accept or change them.

Fully Automated
Fully automated installation.

Hide Pages
During the installation the user will see the answers provided in the answer file as defaults. Pages which answers are completely provided by the answer file are hidden, the user cannot accept or change those.

Read Only
During the installation the user will see the answers provided in the answer file as defaults, but cannot change them.

GUI Attended
This automates only the text-based stage of the installation, the user will have to enter the answers starting from the Setup Wizard.

At some point during the wizard, you need to provide the computer name. If you specify multiple names, Setup Manager will also create Uniqueness Database (UDB) files. The computer or user specific values in these .udf files can be used to override the values provided in the answer file.
If you want to perform an unattended installation from the command prompt on Windows 98, ME, NT, 2000, or XP, use Winnt32.exe, otherwise use winnt.exe. For example to perform an unattended installation on a computer named XPclient1, using unattend.txt as the answer file, and overriding some of the answers with XPclient1 specific values in the unnattend.udf file use the following command:
winnt32 /unattend:unattend.txt /udf:XPclient1,unattend.udf
or
winnt /u:unattend.txt /udf:XPclient1,unattend.udf
You can also use the /unattend parameter without specifying an answer file to upgrade Windows 98, ME, NT 4.0, or 2000 in unattended mode and take all user settings from the ‘previous’ installation. If you use the /udf parameter and do not specify an UDB_file, Setup will prompt to insert a disk that contains the $Unique$.udb file.
When you want to perform an unattended installation by booting from a CD-ROM, you need to rename the answer file to winnt.sif (default is unnattend.txt) and copy it to a floppy disk. When Setup starts, it looks for the winnt.sif file on the floppy disk and uses it to provide the answer during the unattended installation.
Using answer files in combination with winnt32, winnt, or the CD rom/winnt.sif combination is used for standardized deployment of Windows XP Professional in situations where the target clients have many different hardware configurations. If the target clients all have the same or very similar hardware and configuration, RIS or disk duplexing is usually faster to deploy Windows XP to a large number of clients.
Here’s a sample part of an answer file:
[Data]
UnattendedInstall=Yes
MSDosInitiated=No
AutoPartition=1
[Unattended]
UnattendMode = FullUnattended
TargetPath = WinXPpro
FileSystem = LeaveAlone
OemPreinstall = No
OemSkipEula = Yes

[GuiUnattended]
TimeZone = "YourTimeZone"
OemSkipWelcome = 1
OemSkipRegional = 1

[UserData]
ComputerName = *
ProductKey = "Your product key"
[SetupMgr]
ComputerName0=XPclient1
ComputerName1=XPclient2
[Display]
BitsPerPel = 16
XResolution = 800
YResolution = 600
VRefresh = 60

[Components]
iis_common = On
iis_inetmgr = Off
iis_www = Off
iis_ftp = Off
iis_doc = Off
Fp_extensions = On
Indexsrv_system = On
Accessopt = On
Calc = On
Charmap = On
Chat = Off
Clipbook = On
Deskpaper = On
Dialer = On

[TapiLocation]
CountryCode = "1"
Dialing = Pulse
AreaCode = "Your telephone area code"
LongDistanceAccess = 9

[Networking]
InstallDefaultComponents=Yes

[Identification]
JoinDomain = TEcorp.net
DomainAdmin = Administrator
DomainAdminPassword = XEkdf7834H

[URL]
Home_Page = http://www.techexams.net
Search_Page = http://www.google.com
Quick_Link_1 = http://www.techexams.net

[Proxy]
HTTP_Proxy_Server = proxysrv12:80
Use_Same_Proxy = 1
[GuiRunOnce]
Command0=c:\task1.bat

Here’s an example of a simple .udf file, which can be used in combination with the answer file above:
;SetupMgrTag
[UniqueIds]
    1=UserData
    2=UserData
[1:UserData]
    ComputerName=xpclient1
[2:UserData]
    ComputerName=xpclient2

System Preparation Tool

The System Preparation Tool (sysprep.exe) is used to assist in performing a large deployment of Windows XP on clients with identical hardware configurations. This process is fairly simple:
First Windows XP Professional is installed and completely configured on a master disk. Next, an image of the client is created using sysprep.exe (remember that only a single partition can be imaged). This image can be duplicated to other disks using third-party disk duplication software. A duplicate of the master disk is placed in a target machine, and when this computer boots a mini-setup will be performed and a new SID is generated. You can use the Setup Manager Wizard to create a mini-answer file named sysprep.inf. This file must be placed in the Sysprep folder on the root where Windows is installed or saved to a floppy disk, and inserted at the beginning of Mini-Setup. (Click here for more information about using Sysprep with sysprep.inf.)
The Sysprep.exe file must be extracted from the DEPLOY.CAB file located in the \Support\Tools folder on the XP installation CD and supports the following parameters:

Parameter
Purpose

pnp
force Plug and Play enumeration on next restart

quiet
run in Silent mode, with no dialog boxes

nosidgen
do not regenerate security ID on restart (this is useful for creating a backup image of a client)

reboot
automatically restart when the Sysprep.exe tool is finished

mini
Configures Windows XP Professional to use Mini-Setup instead of Windows Welcome. This option has no effect on Windows XP Home Edition, where the first-run experience is always Windows Welcome. This switch also forces SysPrep to recognize the Sysprep.inf file.

Remote Installation Services (RIS)

One of the best additions to Windows introduced in Windows 2000 is RIS. This service allows you to push automate remote installations of Windows 2000 Professional and Windows XP Professional clients.
First Windows XP Professional is installed and configured on a client, including software applications and other settings. Next, an image of the client is created using riprep.exe ( only a single partition can be imaged). The riprep.exe command offers the same parameters as the sysprep.exe tool described earlier. The image is stored on the RIS server. When a target client’s boot order is set to "boot from network" (in the BIOS) it receives basic IP addressing info and a mini-Setup (Client Installation Wizard) starts. Again the answers to this mini-setup can be provided by a special answer file created with Setup Manager. (Click here for more information about using answer files and RIS).
Instead of creating a new preconfigured RIS image, you can also use the default CD-ROM based image. There must be at least one Windows XP CD-ROM based image to allow target clients to request additional installation files if needed.
There are a couple of things you need in a network to be able to install RIS and perform remote installations.
Network in which clients are installed needs:
- a DHCP server
- Active Directory
- a DNS server
Target clients:
Besides enough available disk space for Windows XP and temporary installation files the target clients must have a Network Interface Card equipped with PXE Boot Rom version .99c or greater. If Pre-boot Execution Environment (PXE) is not supported use rbfg.exe (located in the \remoteinstall\admin\i386 folder on the Windows 2000 RIS server) to create a remote boot floppy.
Users:
The user used to perform RIS installations needs the right Create Computer Objects in Active Directory.
Click here for more detailed information in the chapter RIS in the Windows XP Resource Kit.
UPGRADING TO WINDOWS XP
Windows 98, ME, NT 4 Workstation, 2000 Professional can be directly upgraded to Windows XP Professional. If you want to upgrade from Windows 95 you need to upgrade to Windows 98 first, and if you want to upgrade from Windows NT 3.x you need to upgrade to Windows NT 4 first.
Run winnt32.exe with the /checkupgrade only parameter to check if the target machine meets the minimum system requirements. You can save the results in a file, upgrade.txt in the system root by default.
There are several ways to address problems with applications that do not run properly after the upgrade:
- Reinstall the applications after the upgrade.
- Use migration dynamic-link libraries (DLLs)
- Run the application in Compatibility Mode by right-clicking the application, selecting Properties, and then clicking the Compatibility tab.

MIGRATING USER ENVIRONMENTS

Files and Settings Transfer Wizard
This tool allows users who with a new computer to migrate their own files and settings by using a direct cable connection or the network and without the support of an admin. When you run the wizard you’ll have to choose the transportation method, which can be removable media, a direct serial cable connection or the network. Then you can customize which settings and files are included in the migration. This includes display settings, Internet Explorer and Outlook setting, and regional settings.
User State Management Tool (USMT)
The User State Management Tool (USMT) provides the same functionality as the wizard, but on a large scale, targeted at migrating multiple users. USMT gives administrators command line precision in customizing specific settings such as unique modifications to the registry. The User State Migration Tool consists of two executable files, ScanState.exe, LoadState.exe, and four migration rule information files Migapp.inf, Migsys.inf, Miguser.inf, and Sysfiles.inf. These files are located on the Windows XP CD in the \valueadd\msft\usmt\ folder.
A user can run Scanstate.exe on a Windows 95, 98, NT Workstation 4.0, or 2000 Professional computer and it will collect the data and settings based on the information in the migration rule .inf files mentioned above. A local admin can then run Loadstate.exe on the target Windows XP Professional computer to migrate the data and the settings.

POST-INSTALLATION UPDATES   

If you are performing an upgrade to Windows XP Professional on a computer with Internet connectivity, you can have setup uses Dynamic Update to check online for newer versions of the installation files. Instead of using the Internet for each installation, you can also place the updated files on a share in the network.

There are three related parameters for the winnt32.exe command:

/dudisable
Prevents Dynamic Update from running and will disable Dynamic Update even if you use an answer file and specify Dynamic Update options in that file. Setup will only use the original Setup files.

/duprepare:pathname
Prepares an installation share so that it can be used with Dynamic Update files that you downloaded from the Windows Update Web site. This share can then be used for installing Windows XP for multiple clients.

/dushare:pathname
Specifies a share on which you previously downloaded Dynamic Update files (updated files for use with Setup) from the Windows Update Web site, and on which you previously ran /duprepare:pathname. When used on a client, it specifies that the client installation will make use of the updated files on the share specified in pathname.

SERVICE PACKS    

Once in a while Microsoft releases a Service Pack; a combination of all previous updates and hot-fixes and some new ones. A service pack can be installed by using the command:
update.exe

To uninstall a service pack, change to the %systemroot%\$NtservicepackUninstall$\spuninst folder and type: spuninst.exe -u

ACTIVATING WINDOWS XP    

Windows XP introduces a new method to prevent piracy: if you don’t activate your copy of Windows online within 30 days you don’t you won’t be able to use it any longer. An Installation ID is created based on a hardware ID (based on several hardware components) and a Product ID (based on the Product Key) and is send to Microsoft. Replacing several hardware devices might require re-activation. MS does not know the actual hardware configuration, the information is encrypted using a on-way hash, which means it can’t be decrypted.
To activate Windows from the command-prompt type: C:\WINDOWS\system32\oobe>msoobe /a

To activate Windows XP unattended installations, add the following information to the Unattend.txt or Winnt.sif answer file:
In the [Unattended] section: AutoActivate = Yes
In the [UserData] section: ProductID = yourProductID

Windows Product Activation uses ports 80 – HTTP and 443 – HTTPS.

TROUBLESHOOTING INSTALLATIONS    

Installations of Windows XP Professional can fail partly or completely for many different reasons. Some common causes and possible solutions are listed in the following table:

Media errors Check/clean the CD-ROM drive and the installation CD.
Dependency service fails to start This is almost always network related.
SCSI disk not detected Install the drivers by pressing F6 during the text mode portion of setup.

Windows Setup creates several log files during the installation listed in the following table:

SETUPACT.LOG Keeps a record of all actions performed during setup.
SETUPERR.LOG Keeps a record of errors that occurred during setup and their severity. The information in this file will be displayed at the end of setup if any errors occurred.
%windir%\COMSETUP.LOG COM+ components
%windir%\SETUPAPI.LOG Keeps a record of each processed line from an .inf file and related errors. 
%windir%\debug\NETSETUP.LOG Logs the process of joining a domain or workgroup.

This is from http://www.techexams.net/technotes/xp/installing.shtml

                                   

Several weeks ago,We shared 70-290 free resource :Managing Groups.Today ,we continue to introduce the main topic of MCSE 70-290  which  Covers configuring, troubleshooting, and combining shared folders and NTFS permissions, effective permissions, ownership, and permission inheritance.hope them useful for Server 2003 candidates .

By default, Windows 2003 assigns Full Control permissions to the Administrators group and the System group to any NTFS volume, which are also inherited by the folders and files in it. The Users group is assigned Read & Execute, List Folder Contents, and Read permissions. Users or groups who need to write and or modify files and folders will need additional permissions.

The above list describes what the NTFS permissions ‘allow’, but you can also explicitly deny the permissions to users. Denying permissions is usually only done to make an exception. For example, you could allow Modify permission for the Sales group and deny the same permission for certain user account in the Sales group for whom you want to make an exception.

Allow permissions are cumulative, which basically means the least restrictive permission becomes the effective permission. For example, John is a member of the Sales group and the Management group. Sales has been allowed Modify permissions for the folder SalesReports. Management has been allowed Read permissions for the same folder. Since John is a member of both groups, his effective permission in this case is Modify. The following table lists some more examples. Note that the listed permissions in these examples are ‘allowed’.

Configuring NTFS Permissions
There are several different ways to assign NTFS permissions but the most common way is to use Windows Explorer or My Computer, right-click a file, folder, or volume, click Properties and then the click on the Security tab. Under Group or user names on the Security tab, select or add a group or user. Then at the bottom allow or deny one of the available permissions.

By default, when you add a user or group to the list in the dialog show above, this user or group will have Read & Execute, List Folder Contents, and Read permissions.

File permissions override folder permissions. For example, if user David has been allowed Read permissions for the folder and Modify permission for a file work.doc, his effective permissions for the work.doc file is Modify. The exception to this rule is the permission Full Control on folders. Groups or users that have Full Control for a folder can delete files and subfolders in it regardless of the permissions set on those files and subfolders.

In addition to the permissions listed in the tables above, you can also assign special permissions by clicking the Advanced button on the Security tab to open the Advanced Security Settings dialog with the Permissions tab opened as displayed in the following screenshot. Here you can add, remove, and edit the permissions for users on a more granular level.

Permission Inheritance
Besides explicitly assigned permissions on a file or folder, it may inherit permissions from its parent folder (up to the root folder, which is the volume itself). By default, permissions set on a folder are automatically inherited by all files and subfolders in it. This simplifies administration but is not always desired.

In the image above, you can see the following two options:

Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
When this option is cleared, the file or folder will not inherit permissions from the parent folder.

Replace permission entries on all child objects with entries shown here that apply to child objects.
This option will actually reset the permissions on child objects (files and subfolders) to make sure they inherit the permissions from this folder and those permissions are not overridden by permissions explicitly assigned on child objects.

In some situation you may want to inherit most of the permissions from the parent, but make an exception for one or more users/groups. In that case you should set the opposite permission of the one that is inherited. For example, if James inherits Modify permissions from a parent folder through group permissions, you could deny Modify permissions for James on the child object to prevent inheritance for James only and still allow Modify access to the rest of the group.

Effective Permissions
On the Effective Permissions tab of the Advanced Security Settings for a file or folder you can select a user or group and see the effective permissions. These are the results of the permissions directly assigned to the file or folder and permission inherited from parent folders.

Change ownership of files and folders
When a user creates a file or folder Windows 2003 automatically assigns Full Control permissions to the creator/owner. This allows the user to assign permissions to other users for the files he or she creates. This means that besides the ACL, files and folders need to include information about who owns the file. By default, this is the account who creates the file or folder or the Administrators group. For several different reasons, the ownership of a file or folder may need to change. For example, if a user leaves the company, the ownership of his or her files and folders may need to be transferred to other users.

You can take ownership of a file by replacing the owner with your own account or with one of the groups you are a member of. You must have Full Control or the special permissions Take Ownership to be able to take ownership of a file or folder. Users who has the Restore files and directories privilege can assign ownership to any user or group.

Moving and copying protected files
Moving and copying NTFS protected files is similar to moving and copying compressed file. When you copy a protected file to a folder on the same, or a different volume, it inherits the permissions of the target folder. When you move a protected file to a different NTFS volume, the file inherits the permissions of the target folder. A move between volumes is actually considered a copy; the source file is deleted after it is copied to the target volume.

However, when you move a protected file to a different location on the same volume, the file retains its permission. When data is moved within the same volume, the data is not actually relocated, the pointer to it is merely changed and that is why it retains the ACL. In all cases the target volume needs to be a NTFS volume as well because as mentioned earlier, FAT, FAT32 and other file systems do not support NTFS file and folder permissions.

Shared Folder Access
A shared folder (commonly referred to as a share) is a folder or entire volume that is published on the network and can be remotely accessed by other users. The shared folder can be used as if it were a local folder; to store data, and even to run applications from the share over the network. Members of the built-in group Administrators, Server Operators and Power Users can share folders. If the shared folder is located on an NTFS volume, users need at least the NTFS permission Read for the local folder to be able to access it, regardless of the share permissions assigned to it. Following are some of the common methods for creating shared folders:

1. Using the Shared Folders snap-in, which is included by default in the Computer Management console. In the console tree, click Shares (below ComputerManagement|System Tools|Shared Folders). On the Action menu, click New File Share. You will be prompted to select the folder or drive, enter the share name and description, and set permissions.

2. Use the net share command at the prompt: net share sharename=drive:path

3. In Windows Explorer/My Computer right-click the folder or drive, click Properties and then the Sharing tab. Enable the option Share this folder, enter a name for the share, a description and configure other settings as depicted in the following image.

Users can connect to a share in several ways, for example:

1. Use My Network Places/Windows Explorer a user can browse to the share or use the Add Network Place wizard to create a shortcut.
2. Use a direct UNC path, for example: //FileServer12/ShareX
3. Use My Network Places/Windows Explorer or the net use command to map a drive letter to a share.

By default, Windows 2003 creates the following hidden administrative shares depending on the configuration of the server:

Admin$
This is the system root, usually C:\Windows, Administrators are assigned Full Control share permissions.
C$, D$, E$, etc.
Each volume on a hard disk is shared by default and provide easy access of the entire volume to Administrators. Administrators are assigned Full Control share permissions.
IPC$
A system share that allows named pipes connections for communication between applications and other computers.
Print$
This points to the %systemroot%\System32\Spool\Drivers folder, and is created when printers are shared to allow clients to automatically download the printer drivers.
Fax$
A system share used by fax clients.

You can create hidden shared folders yourself by adding a $ sign to the end of the share’s name. Hidden shares do not show up when users browse the network through My Networks Places for example. To access these hidden shares, users need to enter the name including the $ sign. NETLOGON and SYSVOL are two other administrative shares that exist on domain controllers, but they are not hidden.

Shared Folder Permissions
There are three different share permissions that can be assigned to groups and individual user accounts. These permissions apply only when connecting to the share over the network. The share permissions do not apply to users who log on to the local machine. The following share three permissions are available for shared folders:

READ
Allows user to read files and list the contents of folders and volumes. This allows executing applications as well. The default for new shared folders is Read permissions for Everyone.

CHANGE
Allows the same as Read and allows the user to modify, create and delete files and subfolders.

FULL CONTROL
Allows the same as Change, but additionally allows the user to modify permissions.

Whether the permissions actually allow the desired access depends on the NTFS permission of the shared folder and the file subfolders in it. For example, if a user has the share permission Change for a shared folder, that user will not be able to actually change files for which the user has only Read NTFS permissions. We will go over some more examples in the following section “Combining Shared Folders with NTFS Permissions”. However, you can create share folders located on a FAT or FAT32 disk and assign share permissions to provide protected access for users that connect to the shared folder. Remember that share permissions are only used when a user connects to the shared folder from a remote computer. So if a user logs on locally to a computer with a FAT/FAT32 drive, the share permissions are ignored.

To configure share permissions in Windows Explorer/My Computer right-click the folder or drive, and then click Properties and then the Permissions button on the Sharing tab. Under Group or user names: select or add a group or user, and allow or deny one of the permissions listed in the table above .

When you set permissions, you can either Allow or Deny them to a user or group. Typically you would allow a group share permissions and deny the same permissions to certain members of that group. The default permissions for new shared folders is Read to Everyone. Whether Everyone will actually be able to read depends on the NTFS permissions.

Combining Shared Folders with NTFS Permissions
When you combine NTFS permissions and share permissions the most restrictive effective permission counts. For example, if you create a folder with files and assign them Full Control NTFS permissions to Everyone and share the same folder and assign the share permission Read to Everyone, users connecting through the network will have Read permissions.

Probably the most common mistake made when combining share permissions and NTFS permissions is to add them all to a single pile and then take the most restrictive. Instead, you need to determine the effective share permissions amd the effective NTFS permission before taking the most restrictive.

So to determine what the permissions are for a user connecting through a shared folder to a local folder protected with NTFS permissions you need to do the following:

1. Determine the ‘effective’ NTFS permissions
2. Determine the ‘effective’ share permissions
3. Take the most restrictive of these two.

Following is a practice questions that raised discussion in our forums several times:

X. You share a folder on your computer and you assigned the share permission Change to Everyone. John, a user from the Sales department, has been granted Full Control NTFS permission to the folder. John is also a member of the Sales group, which has been assigned Read NTFS permissions. What are John’s effective permissions when connecting to the shared folder?

a. Read
b. Read & Execute
c. Change
d. Full Control

The correct answer is c. Change, but many people seem to be inclined to choose answer a. Read instead because Read is the most restrictive permission. However, it is the most restrictive effective permissions that counts.

1. Determine the effective NTFS permissions:
As mentioned earlier in the NTFS permissions section, NTFS permissions are cumulative. This means the least restrictive applies when considering only NTFS permissions. In this case, this means John has Read NTFS permissions for the folder through the Sales group, and Full Control NTFS permission through his own account, hence his effective NTFS permissions is Full Control.

2. Determine the effective share permissions:
The question only mentions that the share permissions are Change to Everyone, so no other share permissions have been explicitly assigned for the Sales group or John and hence the effective share permission is Change.

3. Take the most restrictive of these two:
The most restrictive of the previous two effective permissions is Change. Although John has Full Control NTFS permission for the folder, he is accessing the folder through a shared folder for which he only has Change permissions.

Troubleshoot access to files and shared folders
Problems accessing shared folders are often caused by underlying network connectivity problems. Before you scratch yourself a bold spot trying to find an incorrectly configured ACL or Shared Folder, make sure you check basic network connectivity, ping the file server by name, check if the user is properly logged on to the domain, etc.

Probably the most common cause of problems with accessing files and shared folders is an incorrect configuration, so when things are not working as expected you should verify the configuration. A user that is not able to access a file or folder maybe a member of a group who was recently denied certain permissions. Configuration changes of permissions assigned to a parent folder my also cause problems through inheritance.

The Effective Permission tool on the Advanced Security Settings dialog provides an easy method to determine the NTFS permissions, but it does not include share permissions. I n large environments with many users and groups, it can be hard to determine the effective share permissions so it is important to maintain a structured user and group design and folder hierarchy. The following link points to document with Best practices for Shared Folders.

The Shared Folders snap-in, included by default in the System Tools of the Computer Management console, provides an overview of the Shares configured on the local computer, the active Sessions, and the currently Open Files. These can provide valuable information when troubleshooting access to shared folders.

This is copied from http://www.techexams.net/technotes/70290/permissions.shtml

                                   

GROUPS
The main purpose of a group is to simplify administration by allowing permissions to be assigned to a collection of users instead of individual users. A group can contain user accounts, computer accounts, or contacts, as its members. In addition to the previous, a group can also contain other groups, which is referred to as group nesting. Which items a group can contain and what they can be used for, depends on the group type, the group scope and the domain functional level.

Group Types
Windows 2003 Active Directory supports the following two group types:
• Security Groups – Used for assigning permissions for directory objects and resources such as shared folders and printers. Security groups are also used for assigning rights to users, for example by using Group Policies.
• Distribution Groups – Used for creating e-mail distribution lists (ie. for MS Exchange server). It allows a user to send e-mail to all the members by using a single address.
You can change the group type from security to distribution, or vice versa, if the domain functional level is set to Windows 2000 native or Windows 2003. Group types cannot be changed if the domain is running in Windows 2000 mixed mode.

Group Scopes
A group scope defines from which domain from which members can be added and in which domain, tree, of forest, rights and permissions can be assigned to a group. When you create a new group, it will be a security group with global scope by default. You can modify the group scope if the domain functional level is set to Windows 2000 native or Windows Server 2003. Changing a group scope in Windows 2000 mixed mode domains is not possible.

Windows 2003 Active Directory supports the following three group scopes:
• Domain Local – Used for assigning permissions within the local domain only. A domain local group can contain user accounts and global and universal groups with from any domain, and other domain local groups from the same domain. A domain local group can be changed to a universal group only if it does not have other domain local groups as its members.
• Global – Used for assigning permissions throughout the entire forest. A global group can only contain user accounts and global groups from the same domain the global group is in. If the domain is running in Windows 2000 Mixed mode, you can add only user accounts to a global group. A global group can be changed to a universal group if it is not a member of another global group.
• Universal – Used for assigning permissions throughout the entire forest. A universal group can contain user accounts, computer accounts, and global and universal groups from any domain in the forest. Security type universal groups can be created only when the domain functional level is set to Windows 2000 native or Windows Server 2003. Opposite to domain local and global groups, universal groups are replicated to every global catalog in the entire forest. A universal group can be changed to a domain local group at any time. A universal group can be changed to a global group only if it does not have other universal groups as its members.
The preferred method to use these group scopes is explained in the following example:
When you assign permissions to all the users in the Sales department, for a shared resource, i.e. Printer1, you should create a domain local group for the sales department, i.e. SalesPrinters, and assign it permissions for Printer1. Then you should group the users into a global group, i.e. Sales, and add the global group to the domain local group. A universal group is particularly useful when the group needs to contain members from multiple domains. Universal groups should be members of domain local groups, and have global groups as their members.
Local vs. Active Directory Groups
The group types and scopes outlined above are pertinent to Windows 2003 servers that are members or domain controllers in an Active Directory domain. They are stored in the Active Directory on domain controllers. However, groups also exist on a local machine level, even if ADS is not in use. You can create local groups on the local computer using the Local Users and Group MMC snap-in and the can be used for assigning permissions on that computer only.
Default Groups
Windows 2003 creates default groups in the Builtin container and the Users container. The following lists show the groups created in a Windows 2003 domain by default (this may vary per configuration and on the installed Windows components). The first list shows the groups in the Builtin container. These groups are all domain local groups and cannot be moved to another container or OU.
• Account Operators – Members of this group can administer domain user and group accounts, log on locally, and can shutdown domain controllers. Account Operators cannot modify the Administrators or Domain Admins groups and accounts.
• Administrators – Members of this group have full access to the domain or computer. By default, this group contains the Domain Admins and Enterprise Admins groups and the Administrator user account.
• Backup Operators – Members of this group can back up or restore files without being limited by file permissions. Back up Operators can also log on locally and shutdown domain systems.
• Guests – Members of this group have the same permissions and right as the Users group by default, The Guest user account is disabled by default. This Guests group contains the Domain Guests group as a member.
• Incoming Forest Trust Builders -Members of this group can create incoming, one-way trust relationships to this forest. This group appears only in the root domain of the forest.
• Network Configuration Operators – Members of this group can change the TCP/IP settings on domain controllers in the domain.
• Performance Monitor Users – Members of this group can monitor performance counters on domain controllers in the domain.
• Performance Log Users – Members of this group can manage performance counters, logs and alerts on domain controllers in the domain.
• Pre-Windows 2000 Compatible Access – Members of this group have read access to all users and groups in the domain. This group provides backward compatibility for computers running Windows version pre-Windows 2000, such as Windows NT 4. The Everyone group is a member of this group by default.
• Print Operators – Members of this group have the appropriate rights to administer printers connected to domain controllers and shared printer objects in the Active Directory. Print Operators can also log on locally and shutdown domain systems.
• Remote Desktop Users – Members in this group are granted the right to logon remotely using a terminal session.
• Replicator – A system group account used for file replication in a domain. This group has no members and you should not add them either.
• Server Operators – Members of this group can administer shared resources on domain servers, start and stop certain services, and format hard disks. Additionally, members of this group have the same rights Backup Operators have.
• Users – Members of this group have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes.
The following default groups reside in the Users container in the Active Directory. The Users container contains domain local, global, and universal scope default groups. These groups can be moved to another OU if desired.
• Cert Publishers – Members of this group can publish digital certificates for users and computers.
• DnsAdmins – Members of this group have permissions to administer DNS.
• DnsUpdateProxy – Members of this group can act as a DNS proxy for clients. A DHCP server that handles dynamic updates for DCHP clients should be a member of this group.
• Domain Admins – Members of this group have full control of the domain. This group is a member of the Administrators group on all domain members including domain controller. The Administrator user account is a member of this group by default.
• Domain Computers – This group contains all the computer accounts of the client and servers joined to the domain.
• Domain Controllers – This group contains all domain controllers in the domain.
• Domain Guests – This group contains all domain guests.
• Domain Users – This group contains all domain users. When you create a new user account in the domain, it will automatically become a member of the Domain Users group.
• Enterprise Admins – Members of this group have full control of all domains in the forest. This group is a member of the Administrators group on all domain controllers in the forest. The Administrator user account is a member of this group by default.
• Group Policy Creator Owners – Members of this group can modify Group Policy settings in the domain. The Administrator user account is a member of this group by default.
• IIS_WPG – A system group account used by Internet Information Services (IIS) 6.0.
• RAS and IAS Servers – Servers in this group have access to the remote access properties of users. This group is used for IAS servers that perform authentication for a collection of RRAS servers.
• Schema Admins – Members of this group can modify the Active Directory schema. The Administrator user account is a member of this group by default.
The following special identities can also be considered groups as they allow you to assign permissions to a dynamic group of users:
• Everyone – Includes everyone with a user account.
• Anonymous Logon – Includes everyone without a user account.
• Network – Includes users that are currently logged on to a computer over the network. This is the opposite of the Interactive group.
• Interactive – Includes users that are currently logged on to the local computer. This is the opposite of the Network group.
Managing Groups
Groups are created by using the Active Directory Users and Computers MMC snap-in. To create a new group, right-click the domain or OU in which you want to create the user, select New, and then click Group. The New Object – Group dialog, displayed below, will open. You will need to provide a name and you can choose the group scope and group type.

When you open the properties sheet of an existing group, you can associate a description and an e-mail address with the group and change the scope and type on the General tab. The Members tab of the group’s properties allows you to add members to this group, and the Member Of tab allows you to join this group to other groups. On the Managed By tab, you can specify a person that is responsible for this group, and specify whether this person should be able to add and remove members to and from this group.

You can move a group to another container, from the Users container to a departmental OU for example, by right-clicking the group and selecting Move from the context menu. With the exception of universal groups, groups can be moved within a domain only. When you move a universal group from one domain to another, you will have to reassign permissions and rights as they will be lost in the process. The member settings of the universal group will be retained.
Find domain groups in which a user is a member
On a large Active Directory with many group it can be hard to keep track of which groups a user belongs to. The Member Of tab of a user’s properties, displays a list of groups the user is a member of. It does not show groups that reside in trusted domains but the user is a member of. For a more complete list of groups a user belongs too, you can use the Dsget.exe command line utility. The syntax for displaying group membership is:
dsget user UserDN -memberof -expand

The UserDN parameter is the user’s distinguished name, for example:
dsget user “CN=Johan Hiemstra,CN=users,dc=testdomain,dc=techexams,dc=corp” -memberof -expand

Without the -expand option, only the groups the user is joined to directly are displayed. With this option, each group is expanded to determine membership through nested groups. For example, when a user is a member of the Domain Users default group, it is also a member of the Users built-in group, because the Domain Users group is a member of the Users group.
Click here for more information about the dsget command.

Automated Group Management
Instead of creating and modifying groups manually, you can also automate group management using command-line utilities. Csvde.exe is one of the tools that can be used to perform batch changes to the Active Directory. It can be used to import and export data from and to a file in comma separated value (CSV) format. Ldifde.exe is a more advanced tool that allows you to create, modify, and delete active directory objects. You can use Ldifde to extend the schema, and export and import Active Directory user and group data to or from other directories.

This is from http://www.techexams.net/technotes/70290/man_groups.shtml