How to open access to a folder on the server. Share a network folder


In the vastness of Russia, many firms and small enterprises do not have their own system administrator on an ongoing basis or coming from time to time. The company grows and sooner or later one shared folder on the network, where everyone can do whatever he wants, becomes small. Differentiation of access is required for different users or user groups on the MS Windows platform. Linux users and experienced administrators, please do not read the article.

Most the best way- hire an experienced administrator and think about buying a server. An experienced admin will decide for himself on the spot: whether to raise MS Windows Server with Active Directory or use something from the Linux world.

But this article was written for those who decided to suffer on their own for now, without using modern software solutions... I will try to explain at least how to correctly implement the differentiation of rights.

Before we start, I would like to chew on a couple of points:

  • Any operating system "recognizes" and "distinguishes" real people through their accounts. It should be like this: one person = one account.
  • The article describes a situation when the company does not have its own administrator and has not bought, for example, MS Windows Server. Any ordinary MS Windows simultaneously serves no more than 10 people for WinXP and 20 people for Win7 over the network. This is specifically done by Microsoft in order to client windows you didn't run across Windows servers and you didn't ruin Microsoft's business. Remember the number 10-20, and when your company has more than 10-20 people, you will have to think about buying an MS Windows Server or ask someone to bring you a free Linux Samba server that does not have such restrictions.
  • Since you do not have a competent administrator, then your usual computer with client MS Windows will pretend to be a file server. You will have to duplicate user accounts on it from other computers in order to access the shared files. In other words, if PC1 has an accountant Olya with an olya account, then on this "server" (hereinafter referred to as WinServer), you need to create an olya account with the same password as on PC1.
  • People come and go. Staff turnover is everywhere and if you are that poor person who is not an admin and is assigned (forced) to support the company's IT issues, then here's some advice. Create non-personal accounts. Create for managers - manager1, manager2. For accountants - buh1, buh2. Or something similar. Is the man gone? Another will not be offended if he uses manager1. Agree, this is better than using the olya account for Semyon, since there is no one to redo it, and everything has been working for 100 years.
  • Forget such words as: "make a password for the folder". The days when a password was imposed on resources are long gone. The philosophy of working with various resources has changed. The user now logs into their system with account(identification), confirming himself with his password (authentication) and he is given access to all authorized resources. Once logged in and got access to everything - that's what you need to remember.
  • It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is a member of the Administrators group.

Cooking.

In Explorer, remove the simplified access to the things we need.

  • MS Windows XP. Tools menu - Folder options - View. Uncheck Use Sharing Wizard
  • MS Windows 7. Press Alt. Tools menu - Folder options - View. Uncheck Use simple general access to files.

Create a folder on your WinServer computer that will store your wealth in the form of order files, contracts, and so on. For me, as an example, it will be C: \ dostup \. The folder must be created on a partition with NTFS.

Access over the network.

At this stage, you need share on the network(share - share) a folder for other users to work with on their computers local network.

And the most important thing! Share the folder with full permission for everyone! Yes Yes! You heard right. But what about access control?

We allow everyone to connect to the folder on the local network, BUT we will delimit access by means of security stored in the NTFS file system on which our directory is located.

  • MS Windows XP. On the desired folder (C: \ dostup \), right-click and there Properties. Access tab - Full access.
  • MS Windows 7. On the desired folder (C: \ dostup \), right-click and there Properties. Access tab - Advanced configuration. Check the box Share this folder... We fill in the Note. We press Resolution. The Everyone group must have the right to Full access.

Users and security groups.

You need to create the required user accounts. I remind you that if on your numerous personal computers different user accounts are used, then all of them must be created on your "server" and with the same passwords. This can only be avoided if you have a competent admin and computers in Active Directory. No? Then painstakingly create your accounts.

  • MS Windows XP.
    Local users and groups - Users. Action menu - New user.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Users. Action menu - Create user.

Now it's the turn of the most important thing - the groups! Groups allow you to include user accounts and simplify manipulations with the issuance of rights and access control.

Below will be explained the "overlay" of directories and files, but now the main thing is to understand one thought. The rights to folders or files will be granted to groups, which can be figuratively compared to containers. And the groups will already "transfer" the rights to the accounts included in them. That is, you need to think at the group level, and not at the level of individual accounts.

  • MS Windows XP. Control Panel - Administrative Tools - Computer Management.
  • MS Windows 7. Control Panel - Administrative Tools - Computer Management.
    Local Users and Groups - Groups. Action menu - Create group.

You need to include the required accounts in the required groups. For example, on the Accountants group, right-click and there Add to group or Properties and there is an Add button. In field Enter the names of the objects to select enter the name of the required account and click Check names... If everything is correct, then the account will change to the type SERVER NAME \ account. In the picture above, the buh3 account has been coerced to WINSERVER \ buh3.

So, the required groups have been created and the user accounts are included in the required groups. But before the stage of assigning rights to folders and files using groups, I would like to discuss a couple of points.

Is it worth bothering with a group if it has one account? I think it's worth it! The group gives flexibility and maneuverability. Tomorrow you will need to give one more person B the same rights as a certain person with his account A. You just add account B to the group where there is already A and that's it!

It is much easier when permissions are assigned to groups rather than individuals. You just have to manipulate the groups and include the necessary accounts in them.

Access rights.

It is advisable to perform the following actions from the built-in Administrator account or from the first account in the system, which by default is a member of the Administrators group.

So we got to the stage where the magic of differentiating access rights for various groups, and through them, for users (more precisely, their accounts), takes place.

So, we have a directory at C: \ dostup \, which we have already made available to all employees over the network. Inside the C: \ dostup \ directory, for the sake of example, we will create the folders Agreements, Orders, MC accounting. Suppose there is a task to do:

  • the Agreement folder must be read-only for Accountants. Read and write for a group of Managers.
  • the UUCHMTs folder should be available for reading and writing for Accountants. The Group of Managers has no access.
  • the Orders folder should be read-only for Accountants and Managers.

On the Treaties folder, right-click and there Properties - the Security tab. We see that some groups and users already have access to it. These rights were inherited from parent dostup \, and that in turn from its parent C:

We will interrupt this inheritance of rights and assign our wishlists.

Click the Advanced button - Permissions tab - button Change permissions.

First, we interrupt the inheritance of rights from the parent. Uncheck the box Add permissions inherited from parent objects. We will be warned that parental permissions will not apply to this object(v this case this is the folder of the Treaty). Choice: Cancel or Remove or Add. Click Add and the rights from the parent will remain as inheritance, but the parent's rights will no longer apply to us. In other words, if in the future the access rights of the parent (the dostup folder) are changed, this will not affect the child folder of the Agreement. Notice in the field Inherited from costs not inherited... That is, the connection parent - child torn apart.

Now carefully remove the extra rights, leaving Full access for Administrators and System. We select in turn all sorts Verified and just Users and delete with the Delete button.

Add button in this window Extra options security intended for experienced admins who can set special, special permissions. The article is aimed at the knowledge of an experienced user.

We tick the box Replace all permissions of child object with permissions inherited from this object and click OK. Go back and OK again to go back to simple mind Properties.

This window will allow you to achieve what you want in a simplified way. The Modify button will display the Group Permissions window.

Click Add. In a new window, write Accountants and click "Check Names" - Ok. By default, "read" access is given in a simplified form. The checkboxes in the Allow column are automatically set to "Read and Execute", "List of folder contents", "Read". We are satisfied with this and click OK.

Now, according to our terms of reference, we need to grant read and write permissions for the Managers group. If we are in the Properties window, then again Change - Add - drive in Managers - Check names. Add in the Allow column the checkboxes Change and Write.

Now you need to check everything!

Follow the thought. We ordered the Contract folder not to inherit rights from its parent dostup. We ordered the child folders and files inside the Agreement folder to inherit the rights from it.

We have imposed the following access rights on the Agreement folder: the Accountants group should only read files and open folders inside, and the Managers group should create, modify files and create folders.

Therefore, if a document file is created inside the Contract directory, it will have permissions from its parent. Users with their own accounts will be able to access such files and directories through their groups.

Go to the folder Agreements and create a test file agreement1.txt

Right-click on it and there Properties - Security tab - Advanced - Effective Permissions tab.

Click Select and write the account of any accountant, for example buh1. We can clearly see that buh1 received rights from his group Accountants, who have read rights to the parent folder of the Agreement, which "extends" its permissions to its child objects.

We try manager2 and see clearly that the manager gets read and write access, since it is a member of the Managers group, which gives such rights to this folder.

In absolutely the same way, by analogy with the Contract folder, access rights are imposed for other folders, following your terms of reference.

Bottom line.

  • Use NTFS partitions.
  • When delimiting access to folders (and files), then manipulate groups.
  • Create accounts for each user. 1 person = 1 account.
  • Include accounts in groups. An account can be a member of different groups at the same time. If the account is in several groups and any group permits something, then this will be allowed for the account.
  • The Deny column (Deny rights) take precedence over Allow. If an account is in several groups and some group prohibits something, and another group permits it, then this will be denied to the account.
  • Remove an account from a group if you want to revoke the access that this group grants.
  • Consider hiring an admin and don’t offend him with money.

Ask questions in the comments and ask, correct.

Video material shows special case, when you just need to deny access to a folder, using the fact that denying rules take precedence over allowing rules.

Attention! All actions take place on the server itself under control operating system Windows Server 2003. Also, everything can be done on the server using the terminal server management service.

All of the following will only work on the NTFS file system. If you still have FAT32 (16), then translate your file system to NTFS. It can be done easily standard means... At the command line, just type convert [drive] / fs: NTFS... For example: convert c: / fs: NTFS.

  • You cannot convert back to FAT.
  • Ori conversions system disk there will be warnings about the loss of descriptors, agree. This does not result in data loss.
  • Reboot.

We open access

To open access to use the folder as a network folder for a user, you need to do the following:

Run Conductor

Right-click on the desired folder, select " Properties»

In the window that appears, move the checkmark to the item " Share this folder».

Give a name to the share. As a rule, the default value is the name of the folder.

We leave by default “ Limit quantity users"To the value" The maximum possible»

After the above actions, click on the button " Permissions»

Adding a user

When you click on the " Add»Select the desired user from the list

After adding, we set the corresponding rights to it Full access, The change, Reading... The rights are set at the discretion of the administrator, that is, you.

To select the desired user, you need to do the following:

After pressing the button " Add"A window will appear where you can select both a group and any user individually

Enter the username manually (if, of course, you remember it by heart), or press the button " Additionally»And using the search to select from the proposed list of users.

After you have registered everything that is required in the folder " Access"Go to daddy" Security"And rejoice" Oh my God "how many rights there are.

Additional rights

We choose the right user and begin to administer justice: This is possible, this is not possible.

When you press the " Additionally»There will be an even more extensive list of rights, what the user can and what not.

Also in the section " Additional»Right, select the desired user:

Uncheck the box " Allow inheritance ...". - If this is not done, then all your actions will be in vain, and all internal folders will inherit rights from more high level... As a rule, from the disk (and there is only reading for everyone).

Check the box " Replace Permissions».

Click " Apply”And the process of distribution of rights for the current user will begin. This process can take several minutes, depending on the number of files. The size of the files does not matter in this case.

I will try to formulate a set of general rules / recommendations / theses for organizing access rights on a file server in a domain environment on Windows servers Server 2012 R2, based on my own experience and observations:

        1. We do not install any roles and services on the file server, except for the file server role. The cleaner the better. We organize data replication to another file server, backing up data to a backup server, monitoring / audit / scripts and that's it ... RDP access should only be for administrators, no need to deploy a terminal server, install client software and let users on the server.
        2. Access to data for users is carried out by sharing the root folder (in my opinion, ideally, only one root folder is “shared”). It makes no sense to publish several folders located on the same disk and at the same hierarchy level, since everything is remarkably “ruled by” access rights on the “Security” tab and the “Access Based Enumeration” (ABE) option - folders to that do not have access will not be displayed. On Windows Server 2012 R2 servers, the ABE option is located here: It makes sense to “share” multiple folders in the following cases:
          1. The folders are on different drives. There are two options: either you have multi-terabyte data arrays and you run into the physical limitations of the size of a RAID array or a logical volume in the OS, or you were too lazy to organize (or you were not given money for this) a RAID array of sufficient volume. A more viable second option, therefore, you should reorganize / modernize the disk subsystem.
          2. It is necessary to give access to a folder deeply "buried" in the hierarchy of directories, while not giving access to neighboring and higher directories. In this case, to configure access rights, you will have to walk along the entire path to the desired folder, giving the minimum rights to each "transit" folder. If you "share" the target folder, it will be easier to issue access rights, and it will be easier for the user to enter it. Alternative ways: grant rights with Powershell scripts (I will publish an article on this in the future) or revise / optimize the folder structure and access rights to them. For more quick access in the "buried" folders, you can use shortcuts or connect network drives.
        3. To provide access to the folder with distributions, with roaming profiles and user desktops, hidden "balls" are made, for example distr $, prof $, dsk $. These shared folders are not displayed in Network Neighborhood and are only accessible by the exact path: \\ srv01 \ prof $ \ and so on.
        4. In the root folder, create folders for departments, exchanges, projects, directions, branches, and so on. The folder structure should be carefully considered at the outset. , pay special attention to the implementation of access to department data to employees of other departments and options for data exchange between departments. You should also consider a number of restrictions for folders: maximum size, allowed file formats, and so on. It is advisable to build a clear hierarchy of folders and corresponding access rights so that users can change the folder structure only from 3-4 nesting levels.
        5. The principle of granting the least rights should be adhered to, expanding them only as necessary ... In the root folder, turn off inheritance with the conversion of inherited rights to explicit ones. We leave full access for this folder, its subfolders and files to administrators and the system, we cut the rights of the creator-owner, delete the rest of the access rights:
        6. You should not remove creator-owner access rights. For example, there is a folder "... \ Human Resources \", to which the user has change rights only for this folder. User creates new folder and "nothing happens to him", or rather a folder is created, but the employee does not have access to it, since inherited rights from the parent folder are applied. If access-based enumeration (ABE) is disabled for a shared folder, then the created folder will be visible, but the employee will not be able to rename it, open or delete it.
        7. System access rights should also not be removed. Many services run with system permissions, such as the Shadow Copy Service (VSS), which can be used by the system Reserve copy for example Acronis. To run scripts on a schedule without being bound to a user account, the system account is also used. Thus, for correct operation, the system must have full rights to all folders and files on the server.
        8. Add the domain administrators group to the local administrators group. Thus administrative rights on the server, including full access to all folders and files on the server, both local administrators and domain administrators will have full access through membership in the local Administrators group. In the domain, it is very convenient to configure it through group policies and applies to all servers and workstations in the domain: Computer Configuration -> Settings -> Control Panel Settings -> Local Users and Groups.
        9. For privileged users (company management, auditors, etc.) create an access group in the domain and give it read rights in the root directory for this folder, its subfolders and files. If necessary, we expand the rights to subdirectories by adding change permission. In the case of a request for full access to all folders, we add the maximum rights to change (in the understanding of users, this is full access, and giving users the ability to administer access rights is fraught with consequences for which the system administrator is responsible). In this case, we issue the rights to change as follows: in the root folder, we assign read rights to this folder, its subfolders and files. In the subdirectories of the root folder, assign change rights only to subdirectories and files. Thus, VIP-users will have the rights to change folders / files, starting from the 3rd level of the hierarchy, which will guarantee the safety of the structure of the subdirectories of the root directory: without the knowledge of the system administrator, new folders will not appear in the root, no one will rename or delete the whole folder department / division.
        10. For other employees create in the domain a general access group and access groups for each department, division, project, direction, branch. For the general access group, we give the rights in the root directory to read only for this folder. For the access groups of the departments, we assign the rights to read in their folders, we assign the rights to change to the heads of departments and their deputies. It is advisable to grant rights in the department folder only for this folder, and in subdirectories - for this folder, its subfolders and files; supervisors and their deputies give the rights to change in subdirectories of the department folder only for subfolders and files. This will save general structure folders inside the department directories, as well as in the future, quickly create a new subfolder inside the department with limited access without disabling the inheritance of access rights.
        11. Rights must be assigned to access groups, not user accounts, at least on upper levels folder hierarchy is a must! First, it is clearer and easier to administer. Secondly, directories that are "deep" in nesting can have a very impressive number of access rights, given the inherited permissions from parent folders. Thirdly, when employees are fired and their accounts are blocked / deleted, the folder access rights remain "slag" in the form of irrelevant (read - useless / unnecessary / unnecessary) permissions for accounts (and when deleting an account - account SIDs ). For 1-2 years, quite a lot of "garbage" accumulates, you can't count it with a scroll.
        12. Don't get carried away with disabling parental inheritance, we should try to use this opportunity as a last resort, the same applies to explicit prohibiting rights. Disabling inheritance breaks the integrity of the top-down enforcement. And God forbid, if the rights to the entire root directory and department folders are issued through access groups and they are already present in folders with disabled inheritance (then it is enough to add a new employee's account to the required group), but if the rights were granted to user accounts ?! And if you need a group of users to give rights to all child folders, including 5-6 with inheritance disabled, but deny access to 3-4 folders with inheritance enabled ?! And if for each of these users there must be different access rights and it will not work to combine into a group ?! To avoid such troubles, you should disable inheritance of rights in exceptional cases and for folders at lower levels (without the structure of child subdirectories).
        13. When copying a folder to the new directory explicitly set rights are not saved and to the folder inherited rights apply from the new parent folder even with disabled inheritance parental access rights of the copied folder. A when moving a folder to a new directory - explicitly set rights are preserved, including disabled inheritance . With inheritance enabledwith explicit rights, inherited rights are also applied from the new parent folder. Therefore, when “moving” to a new folder structure, you need to copy the data, not move it! Otherwise, "garbage" will appear in the form of irrelevant access rights and not all rights will be applied due to the disabled inheritance of subfolders. And the opposite thesis - to preserve disabled inheritance and the necessary access rights set explicitly, you need to move folders, not copy! Or you will have to reconfigure the access rights. Users should be warned about possible consequences such manipulations: someone may lose access to folders, others may have. It is highly advisable to periodically check the relevance of access rights.
        14. Option "Replace all child object permission entries with inherited from this object" removes all explicitly set permissions of all child objects and enables inheritance of parental permissions for all subdirectories:
          It makes sense to use it when it's already easier to crash everything and set up access rights to the subdirectory structure from scratch. It is especially important when rights were assigned to user accounts, a lot of "slag" has accumulated in the form of SID-identifiers and disabled accounts, inheritance of access rights is disabled for many subdirectories, and in general everything is very sad, but at the same time there is a clear understanding of which user groups what rights are needed access - then this option is very useful.
        15. When disabling inheritance of rights the parent folder should choose to convert inherited permissions to explicit permissions:
          After conversion, remove unnecessary access rights, except for the access rights for administrators, system and creator-owner (see points 6 and 7).
        16. Consider typical access rights (general security permissions) , which can be set by clicking the "Change" button on the "Security" tab: We will also open the specified standard access rights in the section of additional security parameters (in the mode of displaying additional permissions) by clicking the "Advanced" button on the "Security" tab: This will allow you to see the scope of typical access rights and display their additional permissions.
          1. "Full access" includes all subordinate access rights: "Full access" in the mode of displaying additional permissions:
            Scope: "For this folder, its subfolders and files", includes all additional permissions, including changing permissions and ownership.
          2. "The change" also includes all subordinate access rights: "Change" in the mode of displaying additional permissions:
            Scope: "For this folder, its subfolders and files", includes all additional permissions except "Delete subfolders and files", "Change permissions" and "Change owner". The absence of the additional "Delete subfolders and files" permission is due to the fact that these rights already exist in the form of the "Delete" permission with the scope "For this folder, its subfolders and files".
          3. Read and Execute includes the "List of folder contents" and "Read" access rights: Read and Execute in Advanced Permissions Display Mode:
            Scope: "For this folder, its subfolders and files", includes additional permissions "Folder Traverse / Execute Files", "Folder Content / Read Data", "Read Attributes", "Read Additional Attributes", "Read Permissions".
          4. "List of folder contents" :"List of folder contents" in the mode of displaying additional permissions:
            Includes the same additional permissions as Read and Execute, except for a narrower scope: For this folder and its subfolders.
          5. "Reading" :"Reading" in the mode of displaying additional permissions:
            Scope: For this folder, its subfolders and files, includes the same additional permissions as Read and Execute, except for Folder Travers / Execute Files.
          6. "Record" :"Recording" in the mode of displaying additional permissions:
            Scope: "For this folder, its subfolders and files", includes additional permissions "Create files / write data", "Create folders / add data", "Write attributes" and "Write additional attributes".
        17. Typical access rights are convenient due to their simplicity : no need to select a scope, only general permissions are presented, due to which you can view and edit user access rights in one window. As a result, editing generic permissions takes less time than editing additional permissions (even when displaying general permissions). On the other hand, in keeping with the principles of granting least rights and maintaining the integrity of inheritance from the top down, model rights should be applied with caution.
        18. All generic access rights have a wide range of applications , due to which the specified rights are extended to all child subfolders. Thus, they should only be used for those users whose access rights do not need to be restricted in child subdirectories. This mainly concerns the access rights of administrators, systems, privileged employees, department heads and their deputies. In the following paragraphs, we will consider each type of access rights and options for their use.
        19. "Full access" should be assigned only to administrators and the system, it is applied in the root folder and in subdirectories for which inheritance of parental rights is disabled.
        20. "The change" should be assigned to those employees who form the structure and hierarchy of directories in the subdirectories of their department: heads of departments and their deputies. However, this will provide the ability to delete and rename subdirectories in the department folder. For a more stringent policy, it is more expedient to configure change access rights for subdirectories through additional permissions, limiting the scope to "Only for subfolders and files".
        21. Read and Execute should be used in subdirectories with executable files, for example, in a folder with distributions. However, ordinary employees generally only need access to data, so it is best to use the "read" access right.
        22. "List of folder contents" should only be used to browse the folder hierarchy, files will not be visible when access-based enumeration is enabled. I don't even know in what situations it would be useful, I never had to use this access right in practice.
        23. "Reading" is probably the most used access right. It is used for public folders with open data - for all employees, for exchange folders between departments - for employees of other departments, for subfolders of departments - for employees of a department. It is only necessary to take into account the wide scope of application, that is, to issue "read" rights for a directory of folders, in the subdirectories of which you will not have to close access later by disabling the inheritance of access rights.
        24. "Record" should be used to extend read or read / execute access to specific folders. The difference from the “change” access right is the absence of the “Traverse folders / execute files” and “Delete” permissions. By itself, the "write" access right is meaningless, used only in conjunction with the "read" or "read and execute" access rights.
        25. Let's consider access rights in extended mode. The screenshot below shows the possible areas of application of access rights:
        26. "Only for this folder" , in my opinion, is actively used at the upper levels of the folder hierarchy. For example, with this area of ​​application, “read” or “list of folder contents” access is granted in the root folder, in the department folder, and starting from subdirectories, a wider scope is applied and, if necessary, access rights are expanded.
        27. "For this folder, its subfolders and files" - default scope. As a rule, they enter the extended mode of access rights in order to narrow the standard scope.
        28. "For this folder and its subfolders" - access rights apply only to directories. I don’t remember ever using it in practice. Can be used to allow reading of folder attributes only, to explicitly prohibit deleting only folders, or some other specific access rights applied only to folders.
        29. "For this folder and its files" - it is convenient to use for dotted issue or expansion of access rights, the rights are applied only at the current level of the hierarchy.
        30. "For subfolders and files only" used in conjunction with the "This folder only" scope. For example, we grant access to the head of the department and his deputies to "read" in the department folder "Only for this folder" and add access to "change" in the department folder "Only for subfolders and files". Thus, in the department folder, employees will not be able to create folders / files themselves, rename the department folder; they will be able to make all changes starting from the subdirectories of the department folder.
        31. "For subfolders only" - similar to the "For this folder and subfolders" area, but applied one level down the hierarchy.
        32. "Files only" I have not personally used it in practice. It is possible to combine "This folder only" read access rights by adding "Files only" edit permissions. Thus, the user will not be able to create subdirectories and files in the folder, but will be able to edit / delete files existing in the folder.
        33. Access rights in the mode of displaying additional permissions are akin to microsurgery; I don’t remember ever having to issue access rights in such a precise and detailed manner. As a rule, typical access rights and options for their application are quite enough for ordinary organizations.

Below we will describe how to set up different access rights for a specific directory in the multi-user mode. The operating system in my example is. But for other OS Windows family the actions will be similar.

0. Task:

Several are running on the server. Required for the folder " C: \ Share"Configure the rights so that the group" Users"Had read-only rights in this directory, while Administrators and the user" Onyanov"Had both read and write rights.

1. Solution:

We find the necessary folder in the explorer, right-click on it and select “ Properties"(Properties).

In the opened folder properties window, go to the tab " Security"(Security) and click" Change…"(Edit ...). The window “ Group permissions.. " in which we see that security parameters have already been defined for 3 system groups. In particular, for the group “ Administrators»Full access to the folder is set. To add groups and users, press the button " Add…"(Add ...).

In the window for selecting users and groups, click " Additionally"(Advanced ...), and in the selection window the button" Search»(Find Now) to display all groups and all users that exist on the system. Let's select the group we need in the search results " Users"And click" OK»To add it to the list.

In the same way, add to the list the user “ Onyanov"And click" OK»To complete the selection.

Now let's select the permissions for each added position. For the group " Users"Set the rights only for viewing the list, reading and executing files and, accordingly, for the user" Onyanov"Check the flag" Full access» .

(Here you can either allow any actions with the folder for the selected user, or prohibit by setting the corresponding flag. It should be remembered that prohibiting rules are always in higher priority than permissive ones.)

After selecting the necessary parameters, click " Apply"(Apply) to save the settings and clicking" OK»Close all window openings.

That's all. We have set the security settings for the selected directory in accordance with the task at hand.

Did this article help you?

Problem: Unable to access the network resource. The network folder is displayed ...

but when trying to log in, the system displays a message:

Windows cannot access \\ computer \ network_resource. Permission to access \\ computer \ network_resource absent. Contact your network administrator for access.

In the Windows XP operating system, a similar message sounds like this:

No access to \\ computer \ network_resource... You may not have permission to use this network resource. Contact the administrator of this server for the appropriate access rights. Access denied


Why is there no access to the network resource?

This may be due to the following factors:

  • the user does not have permission to access the share.
    These rights are configured on the tab Access and are only relevant for configuring network access.
  • the user does not have NTFS permission to access the folder
    Configurable on a tab Security... This setting controls access rights for both network and local access.
  • the user has neither network permissions nor NTFS rights.

How to open access to a network folder for all users

The settings must be made on the computer where the network resource is located.

We go to Computer Management:

Opening the section Shared folders... Select the subsection Shared resources and find out the local path to the folder that is open to the network.
In our example, we see that the network resource temp matches local path C: \ temp :


Find the local folder, right-click on it and call Properties:


1 The first thing to check is network access permissions... Open the tab Access and press the button Advanced customization:

Push the button Permissions:

We check for whom network access is open, and also check the rights.
In order to enter the network resource, all users could enter the list Share permissions you need to add a group Everything.
In our case, full access is open for the group Everything... So, everything is in order with the network access permissions:

2 The second thing to check is NTFS rights... Go to the tab Security and check the global permissions for the folder.
In our example, we see that only users and administrators of the local computer have access to this folder. This means that if we try to log into a network share as a user who does not have an account on the local computer, we will be denied access.

In order to allow access to the folder to all users, even those who do not have an account on local computer, you must add the same group to the list Everything... To do this, press the button Change:

We press Add:

Add a group Everything and press OK.

Attention! It is NOT necessary to search for a group in the list of groups and users. You can simply spell out the word "Everything" with your hands - always with a capital letter.


Now we indicate what operations are allowed for the Everyone group. To access and download files over the network, it is enough to allow:

  • Reading;
  • Reading and Execution;
  • List of folder contents.

After setting the permissions, click OK to save your permission settings:

Again OK:

Checking. The folder can be accessed both from a computer running Windows 7 and from a computer running Windows XP:



If you come across a "security settings application error" while configuring access, read how to fix it.

Wired or Wi-Fi and found that computers "do not see" each other. And these computers are controlled by Windows 7, while computers with an old but beloved XP perfectly detect each other on the network and see folders open for public access.

In windows 7, networking and sharing has been radically redesigned. There were "network locations" (home, work, public network and domain network) and this was done, of course, for our good, but it turned out, as they say, as always.

By default, the seven defines all new networks as public, and very strict security rules are set for them: network discovery is disabled (the computer is blind and not visible to other machines), disabled to files and printers (other computers cannot see shared folders, folders, printers), access to the computer from the network is password protected.

Ever since the dark days of Windows Vista, many will remember this network location selection screen, which appears whenever a computer connects to a new network.

So, how to open access to files over the network in windows 7 ( share files)?
You can select Home Network each time you select a network location. Or you can configure your computer once for convenient use when connecting to any network with the inhabitants of which you want to share files. If you are concerned about the safety of your confidential data, just do not provide access to them and try not to open full access to files and folders (for writing and reading).

If you are afraid that third parties will have access to your files when, for example, you are at the airport and connected to a Wi - FI network, install the program

Kill watcher

and close access to your computer from the outside with two mouse clicks. Kill watcher stops the server service, and your files become unavailable over the network, even for reading.

Preparing to share

Click on the network icon in tray and follow the link in Network and Sharing Center.


In the window that appears, set the values ​​of the switches as shown in screenshot:

Note. I do not recommend opening access so that network users can read and write files in shared folders. These folders are located on the "C" drive, and by removing write access to them, you open the way for Trojans and viruses to your machine. Do this only if you are familiar with all computers on the network and have anti-virus software installed on them.

Share a file or folder
Right-click on a folder or file and go to Properties.


Go to the tab Access and click on the button Advanced customization


Check the box next to Share this folder and click on the button Permissions

Click on Add


In the window that appears, click the button Additionally


Click the button Search in the middle right (1) - a list of services and users will appear in the bottom field of the window (2). Scroll down to the bottom and find Network... Highlight Network(3) left click and click OK(4). Then one more time OK.


In the field highlighted in yellow, you can set the rights for users who will connect to you over the network.

The differences between full access, modify, and read are shown in this table (material from Windows Help).

In short, the only difference between full access and change is that with full access, you can delete files.
When you have configured the desired user rights, click OK twice and go to the window properties folders per tab Security... Next, you need to perform actions similar to those that we performed when setting permissions.

Click the button Change.


In the window that appears, click Add.

Click the button Additionally in the next window.


Next press Search and find at the bottom of the list Network... Highlight Network left click and click OK... Confirm your selection twice by pressing OK.


In this window, as before in the access parameters, set the desired security parameters. If you leave the list unchanged, the folder will be set to read options by default. Confirm your choice by pressing twice OK.

That's basically it. You can start transferring files over the network.

If, despite all the above measures, the computer is still inaccessible to others, try disabling windows firewall or the one built into your Anti-Virus.

This is especially true for users of Eset Smart Security, who by default loves to block everything network connections... KIS, too, sometimes sins with this.

If the computer could not be shared in this case, try rebooting and accessing it by typing its address in the explorer's address bar (in any window). The address must be preceded by two backslashes (\\).

In the Windows operating system, you can connect a shared access to a folder on your local home network to exchange data between computers using shared folders. This is a very convenient and fast way to transfer files according to the computer-to-computer scheme, without using external media (flash drives, external hard drives, memory cards, etc.).

In this article I will talk about creating a local network using the example of the Windows 10 operating system. Creating and configuring a local network in Windows 8 and in Windows 7 is similar, this instruction is universal.

The article discusses the following option for using shared folders on a local network: several computers are connected to the router, connected via cable and a wireless Wi-Fi network, united into a home network. A shared folder is created on each computer, and all computers in this local network have access to shared folders.

Computers connected to a home local network can have operating systems Windows 10, Windows 8, Windows 7 (different OS, or the same operating system), connected to the router via Wi-Fi or cable.

Creation and configuration of a local network takes place in four stages:

  • first step - name verification working group and network card settings
  • second stage - creating and configuring local network parameters
  • the third stage - connecting the shared access to the folder on the local network
  • the fourth stage is the exchange of data over the local network

First you need to check the workgroup parameters and settings network card, and then create a local Windows network.

Checking the settings of the network card and workgroup

On the Desktop, right-click on the "This Computer" icon ("My Computer", "Computer"), in the context menu, select the "Properties" item. In the "System" window, click on the "Advanced system settings" item.

In the "System Properties" window that opens, open the "Computer Name" tab. Here you will see the name of the workgroup. By default, in Windows 10, the workgroup is named "WORKGROUP".

On all computers connected to this local network, the workgroup name must be the same. If the workgroup names are different on the computers you connect to the network, change the names to the same name for the workgroup.

To do this, click on the "Change ..." button, in the "Change computer name or domain" window, give a different name for the workgroup (write the new name in capital letters, preferably in English).

Now check your network card settings. To do this, in the notification area, right-click on the network icon (Internet access). Click on "Network and Sharing Center". In the "Network and Sharing Center" window, click the "Change adapter settings" link.

In the "Network Connections" window, select a network card, Ethernet or Wi-Fi, depending on how your computer is connected to the Internet. Next, right-click on the network card, in the context menu, click on "Properties".

In the properties window of the network card, in the "Network" tab, select the "IP version 4 (TCP / IPv4)" component, and then click on the "Properties" button.

In the opened Internet Protocol properties window, in the "General" tab, check the parameters of the IP address and DNS service. In most cases, these parameters are assigned automatically. If these parameters are inserted manually, check the corresponding addresses with your Internet provider (the IP address on the computers connected to the network must be different).

After completing the verification of the parameters, you can go directly to creating a local network in Windows.

Creation of a local network

The first step is to configure your local network settings in Windows. Enter the "Network and Sharing Center", click on the item "Change advanced sharing settings."

The Advanced Sharing Settings window configures how to change the sharing settings for different network profiles. The Windows operating system creates a separate network profile with its own special parameters.

There are three network profiles available:

  • Private
  • Guest or public
  • All networks

In the private network profile, under Network Discovery, select Enable Network Discovery.

In the "File and Printer Sharing" option, activate the "Enable File and Printer Sharing" option.

In the "Homegroup Connection" option, select "Let Windows Manage Connections home group(recommended) ".


Then open the network profile "All networks". In the Sharing Public Folders option, select Enable Sharing so that network users can read and write files in shared folders.

For File Sharing Connection, select Use 128-bit encryption to secure shared connections (Recommended).

In the option "Share with password protection»Activate the item" Disable password protected sharing ".


After completing the settings, click on the "Save Changes" button.

Repeat all these steps on all computers that you plan to connect to your home local network:

  • check the workgroup name (the name must be the same)
  • check network card settings
  • in the sharing options, enable network discovery, enable file and printer sharing, disable password protected sharing

How to enable folder sharing

In this case, I created a folder named "Public". Right-click on this folder, in the folder properties window open the "Access" tab.

Then click on the "Advanced setup" button.

In the "Advanced Sharing Settings" window, activate the "Share this folder" item, and then click on the "Permissions" button.

Select permissions to use shared folder data from another computer. There are three options to choose from:

  • Full access
  • The change
  • Reading

To save the settings, click on the "OK" button.

Re-enter the folder properties, open the "Security" tab, and then click on the "Change ..." button.

In the window that opens, enter the name "All" (without quotes) in the "Enter the names of the selected objects" field, and then click the "OK" button.


In the folder properties window, in the Security tab, configure the permissions that you previously selected for the shared folder.

To change the permission for the "Everyone" group, click the "Advanced" button. In the Advanced Security Settings for Shared Folder window, select the Everyone group, and then click the Change button to change the permissions.

Configuring the local network in Windows is completed. In some cases, you may need to restart your computer for all changes to take effect.

Logging into your local home network

Open Explorer, in the "Network" section you will see all available computers connected to the local home network. To log into another computer, click on the computer name, and then click on the shared folder name in order to access files and folders located in the shared folder.

The local network in Windows 10 has been created and configured.

Troubleshooting some network problems

Sometimes, after setting up the network, there are problems with accessing folders on the local network. One of the possible problems may be the incorrectly selected network profile. I ran into this myself on my computer. After reinstalling the system, I created and configured a local network, but my computer did not see two laptops connected to this network. From a laptop it was possible to access the shared folder of my computer without any problems, but the computer did not see them at all.

I checked all the settings of the local network several times, and only then I noticed that a public network is working on my computer, and not a private (home) network, as on laptops. How can this problem be solved?

Enter the "Network and Sharing Center", click on "Troubleshoot". Select the "Shared Folders" section, run diagnostics and troubleshooting. At the very end, the application will offer to configure the network as private. Apply this fix and then restart your computer. After performing this operation, my computer got access to shared folders on laptops in the local network.

Often, problems arise from the network. Windows 10 has the option to reset network settings to their default settings. Enter "Settings", "Network and Internet", under "Change network settings" click on "Reset network" to apply the default network settings.

Other problems may arise, look for their solution on the Internet.

Conclusion

In Windows, you can create a local private (home) network between computers, to organize data exchange using shared folders, to access the printer. Computers on the same network may have different or identical operating systems (Windows 10, Windows 8, Windows 7).

It is a generally accepted norm and you will not surprise anyone with their presence. Due to the availability of Internet connection, various online services are becoming more and more popular. Some of the most popular are network folders and remote resources organized both on your home network and provided by your Internet service provider. Most often, everything works as expected, but from time to time there may be errors that prevent full-fledged work, which the average user does not know how to solve. One of the most popular errors is the "No access to a network folder" error. Some of them can be identified by a numeric or alphanumeric code, such as 1231 or 0x800704cf. Various factors can cause these problems. In this article, we invite you to figure out all the reasons, as well as suggest ways to solve them.

No access to network folder

Let's say you have multiple computers between which you want to configure home network so that you don't constantly copy the files you need. In this case, you need to create a folder on one of the computers, make it public, so that it can be accessed from any other device with Internet access. It could even be a smartphone or tablet.

One of the most common errors when working with remote folders is that there is no access to a network folder, and error code 0x800704cf can be displayed. You see a public network folder in Explorer, but when you try to open it, you get the message "No access to the resource." The exact text of the message may differ depending on the version of the operating system. What are the possible causes of this problem? There may be several of them:

  • An individual user was not granted access rights to a folder located on the network.
  • The user does not have permission to access the network resource at the operating system security level.
  • The user does not have any permissions whatsoever to access the resource.


Every problem can be solved. Let's take a closer look.

Configuring access to a network folder for each user

All settings must be performed on the computer or resource where the contents of the folder are stored. To configure user access to a folder, you must:

  1. Go to computer management (depending on the version of the operating system, right-click on the My Computer icon on the Windows desktop or on the Start button, then select Management or Computer Management) and select Shared folders - Shared resources.
  2. Find a folder in the list of resources that you cannot access, and see its location on your hard drive.
  3. Open File Explorer and find desired folder(Windows 10 users can perform further actions without going to File Explorer by simply right-clicking directly on the Computer Management utility menu).
  4. Right-click on it, select Properties - Access - Advanced settings - Permissions (or Properties - Permissions for a share).
  5. You will see at least two items - Administrators and Everyone. Move the cursor arrow over the All item and make sure that there are checkmarks in front of all items in the Allow column (full access, change, read). If there is a check mark in the Disable column opposite some item, you should remove it from here and put it in the Allow column.
  6. Confirm the changes by clicking Apply - OK, and then try again to use the network resource.


Right-click on "Computer" and select "Manage" in the context menu

Configuring access to a resource at the system security level

Sometimes it happens that at the security level of the operating system, access of third-party users to a network resource is prohibited. To fix the problem:

  1. In the Properties menu, open the Security tab and click on the Modify button, and then Add.
  2. In the "Enter the object names to select" line, capitalize All and click OK.
  3. After you are transferred back to the list of groups and users, hover over the newly created Everyone group and check the actions that you want to allow. By default, the marked items are sufficient to read data from a remote network resource.
  4. Click Apply - OK - OK and try to access the network folder again.

Error 1231 occurs when trying to connect to the Internet

Error 1231 occurs when a Windows computer cannot access resources located on a remote server. Most often it occurs when the Internet provider provides access to the international network using VPN technology. It can also occur when trying to access a local resource from a network access provider. If access was and suddenly disappeared, this problem may occur for one of the following reasons:

  • problems from the provider;
  • interruption of communication between the subscriber and the server;
  • breakdown of the computer network card;
  • failure of network card drivers;
  • the security system of the operating system is blocking the VPN connection;
  • incorrectly established or disconnected local network connection;
  • actions of virus programs.

First of all, you should check if the error 1231 occurs due to the fault of the Internet provider. To do this, you need to start the command line (Win + R - cmd, or right-click on the Start button - Command line) and enter the following command:

net view \\ domain: domain name,

where domain name means the address of the server that the provider has provided you to connect to the World Wide Web. If you receive "System error 53. Network path not found", then the problem is on the part of the service provider. In this case, you should contact technical support.

If such an error does not knock out, you will have to look for the cause in your computer or laptop on Windows. What can be done to fix error 1231?

Conclusion

We hope that we helped you with solving the problem of accessing network resources with codes 1231 and 0x800704cf. We are confident that if you follow our instructions exactly, you will be able to solve everything on your own. In the comments, please indicate whether you managed to figure out the issue without the help of specialists.

SIMILAR ARTICLES