User:Mjb/Windows 7 folder sharing


NTFS folder sharing for Windows networks

Ordinary file and printer sharing in a Windows workgroup or domain is really just randomly shared folders (and maybe also printers), and it is available in all versions of Windows. In this system, any folder can be designated as "shared" and will thus be potentially visible to everyone on the LAN. However, each person's actual ability to see, list the contents, and read and write files in a shared folder on an NTFS-formatted drive depends on that folder's explicit or inherited permissions, as seen in the Security tab of its Properties window.

The designation of folders as shared is something that happens on the drive, in the folders themselves. So if you attach the drive to a different computer, the folders will be shared on that computer, too!

When the user of another computer in the workgroup attempts to access a folder on your computer, unless they specifically tried to use a different username, they will be using the username that 'whoami' reports on their system. The same username must exist on your system. If the password is different, they'll be prompted for it; otherwise it should just work.

'Guest' is an option for the username, e.g. they could do 'net use Z: \\yourmachine\somefolder /user:Guest' and enter a blank password (Guest always has a blank password), and if you've enabled guest access and Guest (or a Guest-containing group) has explicit read permissions on the folder in question, then they should be able to see what's in the folder. In Win7 you have to enable the Guest account (it's in the policy settings), and enable public folder sharing (it's in the advanced network settings), and add Guest permissions on the folder if it's not one of the standard public folders.

The Windows 7 Homegroup and Libraries model

The somewhat-separate concept of a Homegroup (or HomeGroup; they aren't consistent with capitalization) is like a password-protected workgroup in which members of the group can access some or all of each other's Library folders. This feature was introduced in Windows 7 and is not supported in older versions of Windows.

Basically, the Library folders, or some designated subset thereof, are visible in the Homegroup section of Explorer on all the LAN computers configured with the same Homegroup password. This also results in a bunch of clutter in the ordinary file and printer sharing space: the folders that are in the Library folders are visible to Homegroup users (HomeUsers group) as ordinary shared folders at the root level, and the Library folders themselves are visible at Users\Whoever\AppData\Roaming\Microsoft\Windows\Libraries.

Homegroup password

The Homegroup password can be viewed and set in the Homegroup control panel (just type Homegroup from the Start menu). If you join a new LAN and want to be part of the Homegroup, you must change the password in your Homegroup settings so it matches the one used by the group you want to join.

Symlink handling in Library folders

Some experimentation reveals that symlinks (introduced in Windows Vista) are honored by the Libraries, but only for local browsing in Explorer. Other Homegroup users can see the links but can't follow them. For example, I have a music folder in which some folders are real and some are symlinks (made at the command line with mklink /D), so I can browse the folder kind of like a library. When the folder is added to the library, it works fine; I can follow the links as I browse the library. But if I am connected from elsewhere on the Homegroup and am trying to browse that library, I can't follow the links.

Master control for all folder sharing

In Windows 7, there's an on/off switch for all folder sharing here:

Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings

It's the File and Printer Sharing control, but I believe it also affects Homegroup sharing.

That control panel has separate sections for each type of network (home, work, public, whatever), so make sure it's set the way you want it in each place.

The lock icon

When you create a folder, normally it won't have any explicit permissions on it; it will just inherit permissions from its parent. Thus, if you move the folder elsewhere, it will inherit new permissions depending on where you put it.

If you haven't set any custom permissions on any ancestor folders, then the default permissions that will be inherited from the root, as seen in the folder properties Security tab, will be as follows:

  • SYSTEM - full control
  • Administrators - full control
  • the owner - full control
  • Users - list contents, read & execute, read
  • Authenticated Users - same as Users, plus modify and write

If the folder is explicitly shared with the Homegroup, it will have HomeUsers permissions as well:

  • HomeUsers - for Homegroup (Read) - list contents, read & execute, read.
  • HomeUsers - for Homegroup (Read/Write) - full control.

These Homegroup users won't see the folder in the Homegroup section of Explorer on their machines, though; it will only be in the Network section, with the rest of the normally shared (non-Library) folders.

The lock icon simply means the folder does not have read permissions for Users, Authenticated Users, or HomeUsers. The icon is telling you that the folder is only accessible to certain designated people (like the owner) and Administrators, regardless of its shared or unshared state.

Just because a folder has the lock icon doesn't mean it isn't shared—it could still be included in a Library which is shared with the Homegroup! IIRC, what happens is they can see the folder in their library, and they can even see its contents, but they can't access the content. (I need to verify whether this is true, though).

See below for how to remove the lock icon. As I said, it's a permissions issue, nothing to do with sharing.

What folders are shared?

Homegroup

To see what Library folders are shared with your Homegroup, you can look at your own Homegroup in Explorer, or (better) type Homegroup in the Start Menu to go to the HomeGroup control panel.

Regular folder sharing

Explicitly shared folders

Go to Computer > Manage, and under the System Tools, look at Shared Folders. These are things that are shared and probably are visible to everyone on the local LAN (e.g., the wired or WiFi network in your home, office, or public place).

Ideally, in the management console under Shared Folders, you should only see the default shares: one for each drive's root folder, plus the Remote Admin and Remote IPC shares. Don't worry; although these can't be unshared, they don't show up when other people are looking at your shares, and even if someone attempts to access these folders by name, they won't get in unless you've set special permissions or given them your Windows username & password.

If you see other folders shared here, then it means that they have been explicitly shared, regardless of what permissions are set on the folders themselves.

For example, if you see a share named "foo", and your computer's name is "ROCKSTAR", then it means the UNC path \\ROCKSTAR\foo is accessible to everyone on your LAN, unless it was further configured with special permissions to lock people out. You can test it by browsing the Network; it's linked from the bottom left corner of the folder pane in Explorer on Win7. Try it from different computers.
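The same inventory can be taken from a PowerShell prompt. The following is an added example, not part of the original page: it lists the ordinary (non-administrative) disk shares and, for each shared folder, the NTFS "allow" entries held by the broad groups this page discusses. It assumes an English-language Windows install (group names are localized) and uses only cmdlets present on Windows 7.

```powershell
# Added example: list user-created disk shares and flag broad NTFS grants.

# Win32_Share.Type 0 = ordinary disk share. The default administrative
# shares (drive roots, Remote Admin, Remote IPC) have other type values
# and are skipped here.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 }

# Principals whose read access opens a folder to other people on the LAN.
# Matches both bare names and DOMAIN\name or MACHINE\name forms.
$broad = '(^|\\)(Everyone|Users|Authenticated Users|Guest|Guests|HomeUsers)$'

foreach ($share in $shares) {
    if (-not (Test-Path -Path $share.Path)) {
        Write-Warning ("Share {0} points at missing path {1}" -f $share.Name, $share.Path)
        continue
    }

    # NTFS permissions as shown in the folder's Security tab.
    $acl = Get-Acl -Path $share.Path

    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -match $broad } |
        Select-Object @{n='Share';     e={ "\\$env:COMPUTERNAME\$($share.Name)" }},
                      @{n='Folder';    e={ $share.Path }},
                      @{n='Principal'; e={ $_.IdentityReference.Value }},
                      FileSystemRights,
                      IsInherited
}
```

Rows with IsInherited set to False are explicit entries, which is what "Share with" leaves behind on a folder.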

Public folders

Unless you have turned it off, Public folders are also shared.

These folders are located in %PUBLIC%, which is usually C:\Users\Public. Sharing of these folders can be controlled under Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings, which you can also reach via the "Share with" context menu item. That control panel has separate sections for each type of network (home, work, public, whatever), so make sure it's set the way you want it in each place.

Sharing public folders will actually also result in C:\Users being shared, too. People will therefore be able to see the user folders of whoever has shared folders or libraries. Only whatever's actually shared within them will be visible.

If you share the Public folder via the control panel, then unshare it by some other means, the control panel will still say that the folder is shared. If you do really want to share it again, just set the control panel to not share, save changes, set it back to share, and save changes again.

Sharing and unsharing a folder

In Explorer, if you highlight a single folder, you have the option of choosing "Share with" from a drop-down or context menu. This will change sharing and permissions:

  • Nobody - unshares the folder, and deletes Users, Authenticated Users, and HomeUsers permissions. Does not restore inherited permissions.
  • Homegroup (Read) - shares the folder, converts inherited permissions, and adds HomeUsers permission (read only).
  • Homegroup (Read/Write) - shares the folder, converts inherited permissions, and adds HomeUsers permission (full control).
  • Specific People - shares the folder, converts inherited permissions, and adds appropriate permissions for whoever you choose. If you choose Everyone, it adds permissions for Users and Authenticated Users.

You can also get to the 'Specific People' dialog by pressing the Share button in the Sharing tab of the folder Properties.

Alternatively, from the right-click menu in the Shared Folders management console, there is a Create A Shared Folder Wizard. This prompts you for a folder to share (or you can make a new one), a share name & description, offline settings, and gives you several more options than usual for Share Permissions. (I don't actually understand the difference between Share Permissions and other permissions...)

Permissions

When you share a folder, its inherited permissions are converted to explicit ones. When you unshare the folder, do you want these explicit permissions to remain, or do you want to get the folder back to its pristine state with only inherited permissions? It depends on the situation; I can't tell you one is better than the other.

  • Since I usually want inherited permissions, my preferred way to unshare a folder is to create a new folder as a sibling of the shared folder, move the shared folder's contents over to it (or copy the contents, if moving doesn't get rid of the lock icon), delete the shared folder, and rename the new folder. The new folder will not only be unshared, it will also have the default, inherited permissions like you probably want. This is also a good way to get rid of the lock icon.
  • If you want to temporarily unshare a folder, you can just right-click on it in the management console under Shared Folders, and choose "Stop sharing". This will just stop the sharing; the permissions won't change. So if you want to go back to inherited permissions, you have to go in and delete the explicit permissions in the Security tab. It's not that hard, but not obvious or something you want to mess up.
  • Another way to unshare a folder is to choose to share it with Nobody, or with just the owner. But again, this leaves explicit permissions on the folder, and furthermore will result in a lock icon. To get rid of the lock icon, you could share it with Everybody. But then you'd have to go into the management console under Shared Folders and choose to stop sharing it, which leaves you with explicit permissions set, as mentioned above.

Another way to get rid of the lock icon is to re-add the permissions that were lost:

  • add Users and leave the permissions at their defaults
  • add Authenticated Users and check the Modify permission (which will also enable Write permission)

However, as mentioned, this is not the same as resetting the folder to only use inherited permissions.
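For the case where you do want inherited-only permissions back without recreating the folder, the built-in net share and icacls commands can do it from an elevated PowerShell prompt. This is an added example, not part of the original page; the function name, share name and path are hypothetical.

```powershell
# Added example: stop sharing a folder and return it to inherited-only
# permissions, then verify the result. Run elevated.
function Reset-SharedFolder {
    param(
        [Parameter(Mandatory=$true)][string]$ShareName,   # e.g. 'foo'
        [Parameter(Mandatory=$true)][string]$FolderPath   # e.g. 'D:\foo'
    )

    if (-not (Test-Path -Path $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    # 1. Remove the share. This alone leaves the explicit NTFS
    #    permissions in place, as with "Stop sharing" in the console.
    net share $ShareName /delete
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Share '$ShareName' was not removed (maybe not shared)."
    }

    # 2. Replace the folder's ACL with the default inherited ACL.
    #    Without /T only this folder is reset, not its contents.
    icacls $FolderPath /reset
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed on $FolderPath" }

    # 3. Verify: inheritance is on and no explicit entries remain.
    $acl = Get-Acl -Path $FolderPath
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    New-Object PSObject -Property @{
        Folder             = $FolderPath
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        ExplicitEntries    = $explicit.Count
    }
}

# Usage (hypothetical names):
# Reset-SharedFolder -ShareName 'foo' -FolderPath 'D:\foo'
```

A result with InheritanceEnabled True and ExplicitEntries 0 means the folder is back to taking all of its permissions from its parent.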