based on the permissions assigned to various groups, and on the group mem- berships of the user. If the user belongs to a group that has been granted per- mission to access the resource, the access will be allowed. If not, access will be denied. In theory, this sounds pretty simple. In practice, however, it can get pretty complicated. The following paragraphs explain some of the nuances of how access control and permissions work: ⻬ Every object — that is, every file and folder — on an NTFS volume has a set of permissions called the Access Control List, or ACL, associated with it. ⻬ The ACL identifies the users and groups who can access the object and specify what level of access that the user or group has. For example, a folder’s ACL may specify that one group of users can read files in the folder, while another group can read and write files in the folder, and a third group is denied access to the folder altogether. ⻬ Container objects — files and volumes — allow their ACLs to be inher- ited by the objects that they contain. As a result, if you specify permis- sions for a folder, those permissions extend to the files and child folders that appear within it. ⻬ The permissions that can be applied to files and folders include such things as listing directory contents, reading files, modifying files, and executing programs. ⻬ It’s best to assign permissions to groups rather than to individual users. Then, if a particular user needs access to a particular resource, add that user to a group that has permission to use the resource. Understanding shares A share is simply a folder made available multiple users via the network. Each share has the following elements: ⻬ Share name: The name by which the share is known over the network. To be compatible with older computers, you should stick to eight-character share names whenever possible. ⻬ Path: The path to the folder on the local computer that’s being shared, such as C:\Accounting. ⻬ Description: A one-line description of the share. ⻬ Permissions: A list of users or groups who have been granted access to the share. 264 Part IV: Network Operating Systems Configuring the file-server role If you haven’t already configured Windows Server 2003 to function as a file server, you can do so by following these steps: