By Ed Bott, Carl Siechert, and Craig Stinson
(Adapted from Windows Vista Inside Out © 2007 Microsoft Corporation. To learn more about this book, visit the Microsoft Learning website.)
BY SHARING YOUR COMPUTER'S RESOURCES, such as its files and folders, you let other people who use your computer and other people on your network use these resources. With the Windows Vista operating system, sharing your files and folders with other users—either locally or over the network—is simple and straightforward.
This article shows you how browsing through a network folder is just like browsing through a folder on your hard disk. The information that follows includes: sharing files with public folders, sharing files and folders from any folder, using advanced sharing to create shorter network paths, stopping or changing sharing of a file or folder, setting advanced sharing properties, and how share permissions and NTFS permissions work together.
To share items in your Public folder and its subfolders with other users of your computer, you don’t need to do a thing. By default, all users with an account on your computer can log on and create, view, modify, and delete files in the Public folders. The person who creates a file in a Public folder (or copies an item to a Public folder) is the file’s Owner and has Full Control access. All others who log on locally have Modify access. For more information on access levels, see What are permissions?
Whether you plan to share files and folders with other people who share your computer or with those who connect to your computer over the network (or both), the process for setting up shared resources is the same as long as the Sharing Wizard is enabled. We recommend that you use the Sharing Wizard even if you normally disdain wizards. It’s quick, easy, and almost certain to make all of the correct settings for network shares and NTFS permissions—a sometimes daunting task if undertaken manually. Once you’ve configured shares with the wizard, you can always dive in and make changes manually if you want.
With the Sharing Wizard at the ready, follow these steps to share files or folders:
1. In Windows Explorer, select the folders or files you want to share. (You can select multiple objects.)
2. In the Command bar, click Share. (Alternatively, right-click, and then click Share.)
3. In the file sharing box, enter the name of the user with whom you want to share files or folders, and then click Add. You can type a name in the box or click the arrow to display a list of available names. Repeat for each person you want to add.
The list includes all of the users who have an account on your computer, plus Everyone. If you want to grant access to someone who doesn’t appear in the list, you need to create a user account for that person (for information on how to do this, see Create a user account).
If you select Everyone, and you have password-protected sharing enabled, the user must still have a valid account on your computer. However, if you have turned off password-protected sharing, network users can gain access only if you grant permission to Everyone or to Guest.
4. For each user, select a permission level. Your choices are:
Reader. Users with this permission level can view shared files and run shared programs, but cannot change or delete files. Selecting Reader in the Sharing Wizard is equivalent to setting NTFS permissions to Read & Execute.
Contributor. This permission level, which is available only for shared folders (not shared files), allows the user to view all files, add files, and change or delete files that the user adds. Selecting Contributor sets NTFS permissions to Modify.
Co-owner. Users who are assigned the Co-owner permission have the same privileges that you do as the Owner: They can view, change, add, and delete files in a shared folder. Selecting Co-owner sets NTFS permissions to Full Control for this user.
You might see other permission levels if you return to the Sharing Wizard after you set up sharing. The Custom permission level identifies NTFS permissions other than Read & Execute, Modify, and Full Control. The Mixed permission level appears if you select multiple items, and those items have different sharing settings. Owner, of course, identifies the owner of the item.
5. Click Share. After a few moments, the wizard displays a page similar to the page shown in the following illustration.
6. In the final step of the wizard, you can do any of the following:
Send an e-mail message to the people with whom you’re sharing. The message includes a link to the shared file or folder.
Copy the network path to the Clipboard. This is handy if you want to send a link via instant messenger or another application.
Double-click a share name to open the shared item.
Open a search folder that shows all of the folders or files you’re sharing.
7. When you’re finished with these tasks, click Done.
Creating a share requires privilege elevation. But, after a folder has been shared, the shared folder is available to network users no matter who is logged on to your computer—or even when nobody is logged on.
Confusingly, when you share one of your profile folders (or any other subfolder of %SystemDrive%\Users), Windows Vista creates a network share for the Users folder—not for the folder you shared. This isn’t a security problem; NTFS permissions prevent network users from seeing any folders or files except the ones you explicitly share. But it does lead to some long UNC paths to network shares.
For example, if you share the My Received Files subfolder of Documents (as shown after step 5 in the previous section), the network path is \\CARL-PC\Users\Carl\Documents\My Received Files. If this same folder had been anywhere on your computer outside of the Users folder, no matter how deeply nested, the network path would instead be \\CARL-PC\My Received Files. Other people to whom you’ve granted access wouldn’t need to click through a series of folders to find the files in the intended target folder.
Network users, of course, can map a network drive or save a shortcut to your target folder to avoid this problem. But you can work around it from the sharing side, too: Use advanced sharing to share the folder directly. (Do this after you’ve used the Sharing Wizard to set up permissions.)
Make sure the share name you create doesn’t have spaces. Eliminating spaces makes it easier to type a share path that works as a link.
If you want to stop sharing a particular shared file or folder, select it in Windows Explorer, and then click Share. The Sharing Wizard appears, as shown in the following illustration.
If you click Change sharing permissions, the wizard continues as when you created the share, except that all existing permissions are shown. You can add or remove names and change permissions.
The Stop sharing option removes access control entries that are not inherited. In addition, the network share is removed; the folder will no longer be visible in another user’s Network folder.
If you disable the Sharing Wizard, Windows Vista reverts to a process similar to that employed by earlier versions of Windows (except the aberration in Windows XP called Simple File Sharing—nothing before or after is similar to that). Without the Sharing Wizard, you configure network shares independently of NTFS permissions. (For more information about this distinction, see How share permissions and NTFS permissions work together at the end of this section.)
With the Sharing Wizard disabled, when you select a folder, and then click Share, rather than the wizard appearing, Windows opens the folder’s properties dialog box and displays the Sharing tab, as shown in the next illustration. Even with the Sharing Wizard enabled, you can get to the same place; right-click the folder, and then choose Properties.
The Sharing tab is part of the properties dialog box for a folder, but not for files. Also, when the Sharing Wizard is disabled, the Share button appears on the Command bar only when you select a single folder. Only the Sharing Wizard is capable of making share settings for files and for multiple objects simultaneously.
To create or modify a network share using advanced settings, follow these steps:
On the Sharing tab, click Advanced Sharing.
Select the Share this Folder check box.
Accept or change the proposed share name.
If the folder is already shared, and you want to add another share name (perhaps with different permissions), click Add, and then type the name for the new share. The share name is the name that other users will see in their own Network folders. Windows initially proposes to use the folder’s name as its share name. That’s usually a good choice, but you’re not obligated to accept it. If you already have a shared folder with that name, you’ll need to pick a different name.
Type a description of the folder’s contents in the Comments box. Other users will see this description when they inspect the folder’s properties dialog box in their Network folder (or when they use the Details view).
To limit the number of users who can connect to the shared folder concurrently, specify a number in the Limit the number of simultaneous users to box. Windows Vista permits up to 10 concurrent users. (If you need to share a folder with more than 10 users at once, you must use a server version of Windows.)
When you share a folder, you also make that folder’s subfolders available on the network. If the access permissions you set for the folder aren’t appropriate for any of its subfolders, either reconsider your choice of access permissions or restructure your folders to avoid the problem.
In the Group or user names box, select the name of the user or group you want to manage. The share permissions for the selected user or group appear in the permissions box.
Select Allow, Deny, or neither for each access control entry:
Full Control. Allows users to create, read, write, rename, and delete files in the folder and its subfolders. In addition, users can change permissions and take ownership of files on NTFS volumes.
Change. Allows users to read, write, rename, and delete files in the folder and its subfolders, but not create new files.
Read. Allows users to read files but not write to them or delete them.
If you select neither Allow nor Deny, it is still possible that the user or group can inherit the permission through membership in another group that has the permission. If the user or group doesn’t belong to another such group, the user or group is implicitly denied permission.
To remove a name from the Group or user names box, select the name, and then click Remove. To add a name to the list, click Add. Enter the names of the users and groups you want to add.
Click OK in each dialog box.
The implementation of share permissions and NTFS permissions is confusingly similar, but it’s important to recognize that these are two separate levels of access control. Only connections that successfully pass through both gates are granted access.
Share permissions control network access to a particular resource. Share permissions do not affect users who log on locally. You set share permissions in the Advanced Sharing dialog box, which you access from the Sharing tab of a folder’s properties dialog box.
NTFS permissions apply to folders and files on an NTFS-formatted drive. They provide extremely granular control over an object. For each user to whom you want to grant access, you can specify exactly what they’re allowed to do: run programs, view folder contents, create new files, change existing files, and so on. You set NTFS permissions on the Security tab of the properties dialog box for a folder or file.
It’s important to recognize that the two types of permissions are combined in the most restrictive way. If, for example, a user is granted Read permission on the network share, it doesn’t matter whether or not the account has Full Control NTFS permissions on the same folder; the user gets only Read access when connecting over the network.
In effect, the two sets of permissions act in tandem as gatekeepers that winnow out incoming network connections. An account that attempts to connect over the network is examined first by the share permissions gatekeeper. The account is either bounced out on its caboodle or allowed to enter with certain permissions. It’s then confronted by the NTFS permissions gatekeeper, which might strip away (but not add to) some or all of the permissions granted at the first doorway.
In determining the effective permission for a particular account, you must also consider the effect of group membership. Permissions are cumulative; an account that is a member of one or more groups is granted all of the permissions that are granted explicitly to the account as well as all of the permissions that are granted to each group of which it’s a member. The only exception to this rule is Deny permissions, which take precedence over any conflicting Allow permissions.
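The rules in this section can be worked through as a small model. This is an added example, not taken from the book: the account names, group names, and ACLs are constructed, and the model reduces the real Windows access check (which evaluates access masks entry by entry) to the three rules stated above.

```python
# Added illustration: a simplified model of the rules described above.
# Windows itself evaluates access masks ACE by ACE; names and ACLs are constructed.

# Coarse rights behind each permission level (one vocabulary for share and NTFS).
LEVELS = {
    "Read": {"read"},                                   # share level
    "Change": {"read", "write", "delete"},              # share level
    "Read & Execute": {"read"},                         # NTFS level
    "Modify": {"read", "write", "delete"},              # NTFS level
    "Full Control": {"read", "write", "delete", "change_permissions"},  # both
}

def granted(acl, principals):
    """Rights one gatekeeper grants: cumulative Allows minus every Deny."""
    allow, deny = set(), set()
    for principal, kind, level in acl:
        if principal in principals:
            (allow if kind == "allow" else deny).update(LEVELS[level])
    return allow - deny  # no matching Allow at all means implicit denial

def effective_access(account, groups, share_acl, ntfs_acl, over_network=True):
    """Effective rights for an account plus the groups it belongs to."""
    principals = {account, *groups}
    ntfs = granted(ntfs_acl, principals)
    if not over_network:
        return ntfs  # share permissions do not affect local logons
    return granted(share_acl, principals) & ntfs  # NTFS can strip rights, never add

# Constructed sample ACLs for one shared folder.
SHARE_ACL = [("Everyone", "allow", "Read"), ("Editors", "allow", "Change")]
NTFS_ACL = [
    ("Carl", "allow", "Full Control"),
    ("Editors", "allow", "Modify"),
    ("Contractors", "deny", "Modify"),
]

if __name__ == "__main__":
    cases = [
        ("Carl", ["Everyone"], True),    # Full Control on NTFS, Read on the share
        ("Carl", ["Everyone"], False),   # same account logged on locally
        ("Dana", ["Everyone", "Editors"], True),
        ("Eli", ["Everyone", "Editors", "Contractors"], True),  # Deny wins
    ]
    for account, groups, net in cases:
        rights = effective_access(account, groups, SHARE_ACL, NTFS_ACL, net)
        print(account, "network" if net else "local", sorted(rights) or "no access")
```

When auditing a share, the useful habit this encodes is to check both ACLs for every group an account belongs to, and to look for Deny entries first.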
About the authors
Ed Bott is an award-winning journalist and one of the most recognized voices in the computing world. He’s been writing about Microsoft Windows and Microsoft Office for more than 15 years and is the author of nearly two dozen books.
Carl Siechert specializes in implementing and documenting operating system technologies. He has coauthored several Windows-related books including the popular Microsoft Windows XP Inside Out, Second Edition with Ed Bott and Craig Stinson.
Craig Stinson is a journalist and author. He has written or coauthored more than 20 books including Microsoft Windows XP Inside Out, Deluxe Edition, and Microsoft Office Excel 2007 Inside Out.