ICC Home  /  Members  /  Meetings  /  Peer Support  /  Documentation  /  Projects

Setting up shares and drive mappings


Return to IT/SA Services Documentation: File and Print Services
 

Overview:

top

With the release of Windows 2000, it was no longer necessary for there to be a share name for each set of files that a client needed to access. If all files on a machine are stored under the same folder, only one share is needed to allow drive mappings to any directory under this folder. By taking full advantage of this deep mapping, we may decrease the number of shares we create on our servers, and this will enable IFAS to develop a Distributed File System (DFS) that can include all shares files in IFAS while making all of these files accessible via the web. With Windows Server 2003 SP1, this scheme can be improved further by the use of an additional product called Windows Access-based Enumeration, that will allow users to only see those folders to which that have access. This application is available for download here, and will be installed on all Multi-Purpose and IFAS IT supported file servers.


Our remote IFAS Multi-Purpose Servers:

top

By way of example, lets examine the details involved in properly configuring a Remote IFAS Multi-Purpose Server (MPS), including its Shares and NTFS permissions. These principles may be extended to the configuration of any departmental file server.

Each IFAS MPS has 2 shares:

  • Data

    The DATA share is the main and top level share on the MPS. All shared information is beneath this folder and generally consists of the Public, Unit and Users sub-folders whose use is detailed below.
     

  • IFAS-MULTI

    This is also a subfolder beneath DATA, but it requires its own separate share because its contents are populated by replication so that its contents are easily maintained to remain identical on each server. This share is used for special security tools that need exceptions in Mcafee. It is also used for the distribution and replication of software that needs to be installed on the IFAS Multi-Purpose servers. A typical departmental file server would not have this directory. This folder is not set for inheritance because OU admins should not have access to place files in this folder.


The DATA share:

top

    The suggested proper share and NTFS permissions are detailed following...
     

  • Share permissions on the DATA share:
     
    Group Permissions Explanation
    _IFAS-USERS_autogs Read and Modify The _IFAS-USER_autogs setting will allow all IFAS users to be able to access the shares, but prevent them from being able to modify permissions. If users outside of IFAS must be given access to these files, it may be necessary to add another group to the share permissions. This can be done by e-mailing itnslan@ifas.ufl.edu.
    Administrators Full Control This is needed in case the machine for some reason does not authenticate to UFAD.
    IF-ADM-OU Full Control This will allow authorized and trained admins to modify NTFS permissions on the server.
  •  

  • NTFS permissions on the DATA directory:

    Note: the folders under the data share should have inheritance turned on, so these permissions will never be lost. These permissions are very important to have on every folder and file on the server.
     
    Group Permissions
    Administrators Full Control
    System Full Control
    IF-ADM-OU Full Control
    _IFAS-Users_autogs Read and Modify This Folder Only


The Public sub-folder:

top

The Public sub-folder is used as a public area where all IFAS employees can share and collaborate on files. To support this, permissions for the IFAS-Users autogroup should be applied as follows...
 
Group Permissions
_IFAS-USERS_autogs Modify


The Unit sub-folder:

top

The Unit sub-folder is used as an area where unit (center) employees can share and collaborate on files. To support this, permissions for the IFAS-OU autogroup should be applied as follows...
 
Group Permissions
_IFAS-OU_autogs Modify


The Users sub-folder:

top

The Users sub-folder should contain folders with names corresponding to the Gatorlink ID of people in your OU. Each of those folders should have Modify permissions applied for the corresponding user...
 
Group Permissions
Gatorlink user Modify


The IFAS-MULTI share:

top

This special share for security tools should be permissioned as follows...
 
Group Permissions
_IFAS-USERS Read and Modify
Administrators Full Control
IF-ADM-OU Full Control


Drive Mappings:

top

The above detailed file server configuration allows drives to be mapped easily via a login script. An example login script for a site might look like the following:

_IFAS-OU-Users_autogs.vbs

on error resume next
Set objNetwork = CreateObject("WScript.Network")

objNetwork.MapNetworkDrive "G:", "\\if-srv-xxxxxx\data\unit"
objNetwork.MapNetworkDrive "H:", "\\if-srv-xxxxxx\data\user\" & objNetwork.Username & "$"
objNetwork.MapNetworkDrive "P:", \\if-srv-xxxxxx\data\public

This creates drive mappings for the each network drive.


Variations on this sharing scheme:

top

Some sites may need additional folders for sharing between specific groups of users. We suggest creating a folder under data labeled Groups and creating the folders under this directory. You can then assign NTFS permissions to the specific folder which is to be shared. It is preferable that all permissions be assigned via UFAD group rather than by Gatorlink ID.

Some sites may also want their users to be able to control access permissions to folders. This can be done by creating a group in UFAD and setting the user to be a manager of the group. You can then create a custom MMC that opens directly to that group for that user.

You can then map these drives using a script named for the group, and using the data share:

IFAS-TestLabGroup.vbs

on error resume next
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "G:", "\\if-srv-xxxxxx\data\group\TestLabGroup"

Questions:

top

If you have any questions of comments on this documentation, please contact the IT/SA group at itnslan@ifas.ufl.edu.


last edited 24 April 2006 by Steve Lasley