I hear about certain file and print "challenges"
over and over again from clients. Visitors of
my Web site echo these annoyances. I want
to address three of the most popular complaints
I hear on this subject: the inability to restrict file
shares, to deploy printers via Group Policy, and
to control quota usage.
Too often, we give in to the temptation of
reaching out to third-party solutions rather
than using freely available, built-in OS tools. In
particular, Windows Server 2003 Release 2 (R2)
and the forthcoming Longhorn Server offer
terrific file and print management solutions.
Can't Restrict File Shares
File services have vastly matured in Windows,
but there are always features that other network OSs have that Windows doesn't (or hasn't
had before now). One such feature is visibility
of folders and files to which users don't have
permissions. In OSs such as Novell NetWare,
users see only the files and folders to which
they have access, whereas in Windows, users
typically see all shared files and folders—even
those to which they're denied access. Perhaps
this default behavior doesn't seem significant,
but users can often glean an idea of file contents from filenames. For example, the file John Savill reasons to fire.doc would make me uncomfortable even though I can't see what's
in the file. And depending on industry type,
this hint of data content might break regulations and compliance requirements.
To solve this problem, Microsoft has
released Windows Server 2003 Access-based
Enumeration, a downloadable add-on for
Windows 2003 Service Pack 1 (SP1) that you
can obtain from Microsoft's Web site. This tool
lets you control—at the server or individual
share level—the ability for users to see only
the files and folders to which they have access.
Downloads are available for both 32-bit and
64-bit versions of the OS; although Windows
2003 SP1 is discussed, Windows 2003 R2 is
also fully supported (since Windows 2003 R2 is
essentially Windows 2003 SP1 with "extras").
The installation procedure prompts you
to enable access-based enumeration for all
folders or to allow folders to be individually
enabled (the default option). After installation,
the properties of a shared folder will have a
new tab—Access-based Enumeration—which
Figure 1 shows. On this tab, you configure folders so that only users who have at least Read
permissions can view them.
A command-line tool called Abecmd is also
provided as part of the download. This tool
gives you command-line control of access-based enumeration.
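The difference access-based enumeration makes to a directory listing, as an added example that is not part of the original article and is not Microsoft's implementation. It is a simplified model in which the first matching ACE decides Read access; the users, groups, ACLs and function names are constructed for illustration, and only the filename from the text above is reused.

```python
# Constructed sample data: group membership and ordered ACEs per file.
GROUPS = {"alice": {"HR"}, "bob": {"Staff"}, "carol": {"Staff", "HR"}}
SHARE = {
    "Holiday schedule.doc": [("allow", "Staff"), ("allow", "HR")],
    "John Savill reasons to fire.doc": [("deny", "carol"), ("allow", "HR")],
    "Payroll 2006.xls": [("allow", "HR")],
}


def can_read(user, acl):
    """Simplified Read check: first ACE naming the user or one of the
    user's groups decides; no matching ACE means no access."""
    trustees = {user} | GROUPS.get(user, set())
    for kind, trustee in acl:
        if trustee in trustees:
            return kind == "allow"
    return False


def enumerate_share(user, abe_enabled):
    """Names returned to `user` when listing the share."""
    if not abe_enabled:
        return sorted(SHARE)  # default behavior: every name, readable or not
    return sorted(name for name, acl in SHARE.items() if can_read(user, acl))


def leaked_names(user):
    """Names the user can see but not open: the exposure that enabling
    access-based enumeration removes."""
    visible = set(enumerate_share(user, abe_enabled=False))
    readable = set(enumerate_share(user, abe_enabled=True))
    return sorted(visible - readable)


if __name__ == "__main__":
    for user in sorted(GROUPS):
        print(user, "sees but cannot open:", leaked_names(user))
```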
Can't Deploy Printers via Group Policy
Longhorn Server will offer full support for
printer deployment and management, but
until we're all enjoying Longhorn Server and
Windows Vista clients, most of us are turning
to third-party alternatives for help in the management of printer deployments. However,
you might not know about an interim solution
that's part of Windows 2003 R2—a feature that
helps fill the gap between what we have today
in terms of printer deployment via Group
Policy (i.e., zero functionality) and Longhorn
(i.e., a useful set of tools). The new Print Management Console aids in the management of
print servers both locally and remotely, and it
lets you push printers via Group Policy.
There is a caveat. Typically, the client reads
and automatically processes Group Policy
settings; obviously, legacy clients won't understand the Windows 2003 R2 print-deployment
capabilities of Group Policy. Therefore, you'll
need to install a client-side piece on those
computers so that they can process the printers
they should connect to. These client pieces
are usually Client Side Extensions (CSEs),
which are part of the OS and executed automatically as required to process Group Policy
settings. For example, there are Folder Redirection, Administrative Template, and Security CSEs—to name a few. Unfortunately, there's
no Printer Connections CSE in Windows XP.
(Vista will have one.) So, in addition to setting
Group Policy options for the actual printers,
you'll need to deploy a command-line utility—Pushprinterconnections.exe—to run at
machine startup or user logon (accomplished
through a startup or logon script).
To install the Print Management Console,
open the Control Panel Add/Remove Programs applet and find the tool in Add/Remove
Windows Components. During installation,
the system creates a folder called PMCSnap
under the Windows folder. The PMCSnap
folder contains the files that the Print Management Console will use, including the new
Microsoft Management Console (MMC) Print
Management snap-in and the client-side Pushprinterconnections.exe image.
A word of caution: The Pushprinterconnections.exe tool automatically matches the processor type of the server on which you enable
it. For example, if I'm running on 64-bit Windows 2003 R2, the Pushprinterconnections.exe
tool installed on the server will be the 64-bit
version, which won't run on most client platforms. Therefore, you'll need to
take Pushprinterconnections.exe
from the 32-bit Windows 2003 R2
CD (the second disc), and you'll
need to manually expand it
by using the Expand command on the \CMPNENTS\R2\PUSHPRINTERCONNECTIONS.EX_ file.
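A pre-deployment check for the processor-type caveat above, as an added example that is not part of the original article: it reads the Machine field of the PE header to confirm that the copy of Pushprinterconnections.exe going into a startup or logon script is the 32-bit build. The function names and script name are hypothetical, and the sample header bytes are constructed.

```python
import struct
import sys

# Machine field values from the PE/COFF file header.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x0200: "ia64"}


def pe_machine(data):
    """Return the CPU architecture recorded in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C) holds the file offset of the PE signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, "unknown(0x%04x)" % machine)


def safe_for_32bit_clients(data):
    """True only for a 32-bit x86 image; anything unparsable is rejected."""
    try:
        return pe_machine(data) == "x86"
    except ValueError:
        return False  # e.g. a file that was never expanded


def sample_header(machine):
    """Constructed minimal header: enough for the parser, not a runnable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    return dos + b"\0" * 0x40 + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_arch.py <expanded .exe>
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            image = fh.read()
        ok = safe_for_32bit_clients(image)
        print("%s: %s" % (path, "OK for 32-bit clients" if ok else "DO NOT deploy"))
```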
What a bunch of greedy #$%@#$% you guys are.
billdunn May 20, 2007