Article ID: 254219 - View products that this article applies to.
This article was previously published under Q254219
This article describes how to administer file share security in Microsoft Windows Server 2003 and Microsoft Windows 2000 clustering, and to a limited extent Microsoft Windows NT 4.0 Enterprise Server.
This article assumes basic knowledge of the difference between share level and filesystem level security.
186496You can also search for permissions, security, and share in Windows NT 4.0 Help.
(http://support.microsoft.com/kb/186496/ )Securing a common folder
File Shares By Type
Normal ShareNormal Shares are the most flexible and easily understood in terms of security. The only real difference is that you administer share level security using the cluster user interface instead of Windows Explorer. You administer NTFS level security using Windows Explorer.
For more information about creating cluster file shares, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/224967/ )How to create file shares on a cluster
Share SubdirectoriesSubdirectory shares are available in versions of Windows NT later than Windows NT 4.0 Service Pack 4. Windows NT 4.0 Service Pack 5 or later automatically creates and deletes the shares. This share allows administrators to rapidly create directories to host large numbers of shares. A root share is specified, and all subdirectories one level below the specified root are created as regular shares. These shares inherit the same share level permissions as the root share. Unless this is the desired behavior, share-level permissions should be left to Everyone, and security implemented on the file system level.
For more information about subirectory shares, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/194831/ )SP4 Cluster shares must be reset to recognize added subdirectories
DFS RootDFS root is only available in Windows 2000. You can administer stand-alone DFS roots within a cluster. You can use share level permissions for the root through the cluster administrator user interface and you can administer each link through file share permissions on the appropriate server. However, this method of controlling access can be difficult for DFS trees spanning a large number of servers and links. We recommend you administer DFS trees by leaving file share level permissions open and use NTFS filesystem permissions to restrict access. Note that filesystem security is not possible on links that point to FAT or FAT32 volumes.
For more information about DFS Roots in Cluster Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/220819/ )How to configure DFS root on a Windows 2000 Server cluster
(http://support.microsoft.com/kb/241452/ )How to install Distributed File System (DFS) on Windows 2000
Article ID: 254219 - Last Review: February 28, 2007 - Revision: 3.3