Windows Networking & File Sharing
Key Takeaways
- Workgroups are decentralized peer-to-peer networks for small offices; domains use Active Directory on a domain controller for centralized accounts, authentication, and Group Policy.
- Only Windows Pro, Pro for Workstations, Enterprise, and Education can join a domain; Home edition cannot, which is a common upgrade trigger.
- Shared folders are reached by UNC path \\computer\share; net use Z: \\server\share maps a drive letter, and a trailing $ creates a hidden share like C$ or ADMIN$.
- Network location profiles control firewall and discovery: Private enables discovery/sharing for trusted networks, Public disables them for untrusted Wi-Fi, and Domain is policy-managed.
- Share permissions and NTFS permissions combine, with the most restrictive of the two winning; effective access never exceeds the stricter set.
Workgroup vs. Domain
The first decision in Windows networking is the management model. A workgroup is a flat, peer-to-peer group where every PC keeps its own local accounts; a domain centralizes everything on an Active Directory domain controller (DC).
| Trait | Workgroup | Domain |
|---|---|---|
| Management | Each PC managed alone | Centralized via Active Directory |
| Accounts | Local, per machine | Domain accounts on the DC |
| Group Policy | Local only | Pushed centrally to all members |
| Scale | Small (under ~10 PCs) | Enterprise, effectively unlimited |
| Authentication | Per machine | DC authenticates all users |
| Edition to join | Any edition | Pro / Enterprise / Education |
| Cost | Free | Requires Windows Server |
Joining a domain
- Confirm the edition is Pro or higher — Home cannot join.
- Ensure network reachability to the DC.
- Point the client's DNS at the DC, since Active Directory locates services through DNS SRV records — a wrong DNS server is the most common join failure.
- Settings > System > About > Domain or workgroup, supply domain credentials, then restart.
File Sharing, UNC Paths & Mapped Drives
A shared resource is addressed by its Universal Naming Convention (UNC) path: \\COMPUTERNAME\ShareName. To share a folder, open its Properties > Sharing > Advanced Sharing, enable sharing, and assign users with Read or Read/Write share permissions.
To reach it, browse to the UNC path in File Explorer, or map it to a letter: net use Z: \\SERVER\Share /persistent:yes keeps the mapping across reboots.
Hidden administrative shares
Windows auto-creates hidden shares whose names end in $ so they do not appear when browsing the network.
| Share | Path | Purpose |
|---|---|---|
| C$ | \pc\C$ | Root of C: (admins) |
| ADMIN$ | \pc\ADMIN$ | The Windows folder |
| IPC$ | \pc\IPC$ | Inter-process communication |
| PRINT$ | \pc\PRINT$ | Shared printer drivers |
Exam tip: The trailing $ only hides a share from browsing; it does not encrypt or protect it. Anyone who knows the full UNC path and has rights can still connect.
Share vs. NTFS Permissions
A frequently missed concept: when a folder is accessed over the network, two permission sets apply — share permissions and NTFS permissions — and the user's effective access is the most restrictive combination of the two. For example, if Share grants Full Control but NTFS grants only Read, the user gets Read. Accessing the same folder locally ignores share permissions and uses NTFS only.
Network Location Profiles
Windows applies a different firewall and discovery posture based on the network's classification.
| Profile | Discovery / Sharing | Use on |
|---|---|---|
| Private | ON | Home or trusted office |
| Public | OFF | Coffee shops, airports, hotels |
| Domain | Managed by Group Policy | A joined domain network |
Security rule: Always classify untrusted Wi-Fi as Public. That disables network discovery and file/printer sharing so other patrons cannot enumerate or reach your machine. (HomeGroup was removed back in Windows 10 version 1803 — use standard sharing or Nearby Sharing instead.)
Printer Sharing
- Shared local printer: Connect the printer via USB to a host PC, open Settings > Bluetooth & devices > Printers & scanners > Printer properties > Sharing, enable sharing, and clients connect to
\\HOST\PrinterShareName. The host must stay powered on to print. - Network (direct-IP) printer: Attach the printer to the LAN by Ethernet or Wi-Fi, give it a static IP or DHCP reservation, and each client adds it by IP. No host PC is required, so it is the more resilient choice for shared offices.
Diagnosing Common Sharing Failures
The networking domain leans heavily on troubleshooting scenarios, and most failures trace back to a handful of causes. If a user cannot see any other computers when browsing the network, the first thing to check is whether the connection is classified Public rather than Private — Public deliberately disables network discovery and file sharing, so reclassifying a trusted office network as Private (or the firewall's File and Printer Sharing rule) restores visibility.
If discovery works but a specific share is unreachable, verify the exact UNC path and that the share actually exists; a hidden $ share never shows up in browsing and must be typed in full.
When a user can open a shared folder but cannot save changes, the cause is almost always the most-restrictive permission rule: share permissions and NTFS permissions are evaluated together, and the stricter set wins. A folder shared as Read/Write but with NTFS set to Read will block saves, and the correct fix is to raise the NTFS Modify permission, not just the share permission. Conversely, if a user has correct NTFS rights locally but is denied over the network, the share permission is the bottleneck.
Accessing the folder while sitting at the host machine bypasses share permissions entirely and uses NTFS only — a fact that often explains "it works for me but not over the network."
Domain-join failures have their own signature. The error "An Active Directory domain controller could not be contacted" is overwhelmingly a DNS problem: the client must use the domain controller as its DNS server so it can resolve the AD SRV records, and pointing the client at a public DNS server like 8.8.8.8 breaks the join. Other blockers are using a Home edition (which simply lacks the option) and a clock skew greater than five minutes, which breaks Kerberos authentication.
Mapped-drive persistence: A drive mapped with
net use Z: \\SRV\Sharevanishes on reboot unless you add /persistent:yes, and a mapping that prompts repeatedly for credentials usually means the user is authenticating with a local account that the server does not recognize — supply domain credentials withnet use ... /user:DOMAIN\name. For printers, a shared local printer that suddenly stops working for everyone is frequently a powered-off or asleep host PC, which is exactly why direct-IP network printers are preferred in shared environments.
Which Windows editions are able to join an Active Directory domain?
A folder's share permission is Full Control, but its NTFS permission for the same user is Read. What effective access does the user have when connecting over the network?
What does a trailing $ on a Windows share name, such as C$, indicate?
A laptop connects to free Wi-Fi at an airport. Which network location profile should Windows apply?