Setting up shares and drive mappings

Overview:

With the release of Windows 2000, it was no longer necessary for there to be a share name for each set of files that a client needed to access. If all files on a machine are stored under the same folder, only one share is needed to allow drive mappings to any directory under this folder. By taking full advantage of this deep mapping, we may decrease the number of shares we create on our servers, and this will enable IFAS to develop a Distributed File System (DFS) that can include all shares files in IFAS while making all of these files accessible via the web. With Windows Server 2003 SP1, this scheme can be improved further by the use of an additional product called Windows Access-based Enumeration, that will allow users to only see those folders to which that have access. This application is available for download here, and will be installed on all Multi-Purpose and IFAS IT supported file servers.

Our remote IFAS Multi-Purpose Servers:

By way of example, lets examine the details involved in properly configuring a Remote IFAS Multi-Purpose Server (MPS), including its Shares and NTFS permissions. These principles may be extended to the configuration of any departmental file server.

Each IFAS MPS has 2 shares:

• Data

  The DATA share is the main and top level share on the MPS. All shared information is beneath this folder and generally consists of the Public, Unit and Users sub-folders whose use is detailed below.
   
  

• IFAS-MULTI

  This is also a subfolder beneath DATA, but it requires its own separate share because its contents are populated by replication so that its contents are easily maintained to remain identical on each server. This share is used for special security tools that need exceptions in Mcafee. It is also used for the distribution and replication of software that needs to be installed on the IFAS Multi-Purpose servers. A typical departmental file server would not have this directory. This folder is not set for inheritance because OU admins should not have access to place files in this folder.

The DATA share:

The suggested proper share and NTFS permissions are detailed following...
 


• Share permissions on the DATA share:
   
  

  Group	Permissions	Explanation
  _IFAS-USERS_autogs	Read and Modify	The _IFAS-USER_autogs setting will allow all IFAS users to be able to access the shares, but prevent them from being able to modify permissions. If users outside of IFAS must be given access to these files, it may be necessary to add another group to the share permissions. This can be done by e-mailing itnslan@ifas.ufl.edu.
  Administrators	Full Control	This is needed in case the machine for some reason does not authenticate to UFAD.
  IF-ADM-OU	Full Control	This will allow authorized and trained admins to modify NTFS permissions on the server.

 


• NTFS permissions on the DATA directory:

  Note: the folders under the data share should have inheritance turned on, so these permissions will never be lost. These permissions are very important to have on every folder and file on the server.
   
  

  Group	Permissions
  Administrators	Full Control
  System	Full Control
  IF-ADM-OU	Full Control
  _IFAS-Users_autogs	Read and Modify – This Folder Only

The Public sub-folder:

The Public sub-folder is used as a public area where all IFAS employees can share and collaborate on files. To support this, permissions for the IFAS-Users autogroup should be applied as follows...
 

Group	Permissions
_IFAS-USERS_autogs	Modify

The Unit sub-folder:

The Unit sub-folder is used as an area where unit (center) employees can share and collaborate on files. To support this, permissions for the IFAS-OU autogroup should be applied as follows...
 

Group	Permissions
_IFAS-OU_autogs	Modify

The Users sub-folder:

The Users sub-folder should contain folders with names corresponding to the Gatorlink ID of people in your OU. Each of those folders should have Modify permissions applied for the corresponding user...
 

Group	Permissions
Gatorlink user	Modify

The IFAS-MULTI share:

This special share for security tools should be permissioned as follows...
 

Group	Permissions
_IFAS-USERS	Read and Modify
Administrators	Full Control
IF-ADM-OU	Full Control

Drive Mappings:

The above detailed file server configuration allows drives to be mapped easily via a login script. An example login script for a site might look like the following:

_IFAS-OU-Users_autogs.vbs

on error resume next
Set objNetwork = CreateObject("WScript.Network")

objNetwork.MapNetworkDrive "G:", "\\if-srv-xxxxxx\data\unit"
objNetwork.MapNetworkDrive "H:", "\\if-srv-xxxxxx\data\user\" & objNetwork.Username & "$"
objNetwork.MapNetworkDrive "P:", \\if-srv-xxxxxx\data\public

This creates drive mappings for the each network drive.

Variations on this sharing scheme:

Some sites may need additional folders for sharing between specific groups of users. We suggest creating a folder under data labeled Groups and creating the folders under this directory. You can then assign NTFS permissions to the specific folder which is to be shared. It is preferable that all permissions be assigned via UFAD group rather than by Gatorlink ID.

Some sites may also want their users to be able to control access permissions to folders. This can be done by creating a group in UFAD and setting the user to be a manager of the group. You can then create a custom MMC that opens directly to that group for that user.

You can then map these drives using a script named for the group, and using the data share:

IFAS-TestLabGroup.vbs

on error resume next
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "G:", "\\if-srv-xxxxxx\data\group\TestLabGroup"

Questions:

If you have any questions of comments on this documentation, please contact the IT/SA group at itnslan@ifas.ufl.edu.