Leonard Hopkins
I have been working on my MCSE on my own and flaws like this don't make it
any easier. I could be wrong and hope that I am but a sample test question
on page 962 goes as follows.
70-215.02.03.003
You are the administrator of a Windows 2000 Server computer that is
configured with a 10-GB FAT32 partition on its only hard disk. The partition
includes the AccountingDept folder, which contains documents specific to the
accounting department. You create two user groups: the Accounting group and
the AccountAdmin group. The Accounting group includes all members of the
Accounting department.
The AccountAdmin group includes about 10 members of the Accounting
department who manage accounting-related documents.
You want to accomplish the following goals:
- Only the Accounting group should have read-only access to content in the
AccountingDept folder.
- Only the AccountAdmin group should have full control over content in the
AccountingDept folder.
- Only the Accounting group and the AccountAdmin group should have full
control over specified files in the AccountingDept folder.
You convert the FAT32 partition to an NTFS partition and share the
AccountingDept folder. You implement share-level security for the
AccountingDept folder by granting Read permission to the Accounting group
and by granting Full Control permission to the AccountAdmin group. You
implement NTFS permissions on the specified files within the AccountingDept
folder, granting full control to members of the Accounting group and the
AccountAdmin group and removing the Everyone group.
Which result or results does your installation achieve?
A. Only the Accounting group will have read-only access to content in the
AccountingDept folder.
B. Only the AccountAdmin group will have full control over content in the
AccountingDept folder.
C. Only the Accounting group and the AccountAdmin group will have full
control over specified files in the AccountingDept folder.
D. The proposed solution does not meet any of the required results.
The book answer states the only correct answer is D. How can this be? I
don't care what folder you share, as long as you have NTFS permissions on
the folder and its contents, this trumps any shared permission. I have
demonstrated this exactly in my lab. Domain admins can't gain access to a
shared folder as described in the preceding scenario after I set the folder
and file permissions to full control by the Accounting and AccountAdmin
groups. It doesn't matter that the "EVERYONE" group has full control on
share permissions, only the groups with the appropriate NTFS permission have
authority. If not, then the whole NTFS security concept is a fantasy. I
would like this addressed by someone from Microsoft. If I am wrong, please
show me where. If I am correct, then I would like to know how flawed
questions make it into training books and possibly even tests.
MCSE Training Kit-Microsoft Windows 2000 Server
70-215.02.03.003
Correct Answers: D
A. Incorrect: A shared folder is used to provide network users with access
to file resources. When a folder is shared, users can connect to the folder
over the network and gain access to the files that it contains. However,
although the Accounting group has been granted Read permission to the shared
folder, all other network users will have full control over the content
because the Everyone group was not removed from the share permissions. By
default, the Everyone group is granted Full Control permission to a shared
folder. If you grant Read permission to the members of the Accounting group,
these users will be granted read-only access to all content within the
shared folder, including subfolders and all files. Read permission allows
users to display folder names, filenames, file data, and file attributes;
run program files; and change folders within the shared folders. However,
Full Control permission allows users to change file permissions, take
ownership of files, create folders, add files to folders, change data in
files, append data to files, change file attributes, delete folders and
files, and perform all actions permitted by the Read permission. Users who
are members of the Accounting group are also, by default, members of the
Everyone group. When multiple permissions are granted to a resource, the
most restrictive permissions apply.
B. Incorrect: Although the AccountAdmin group has been granted Full Control
permission to the shared folder, all other network users will have full
control over the content because the Everyone group was not removed from the
share permissions. By default, the Everyone group is granted Full Control
permission to a shared folder. As a result, you must remove the Everyone
group if you want to restrict access to the share; otherwise, all users on
the network will have full control over all content in the shared folder
except those users who are specifically allowed or denied specific
permissions.
C. Incorrect: Although the AccountAdmin group will have full control over
the specified files, the Accounting group will not because the Accounting
group was granted read-only access at the share level. If share rights are
configured for a shared folder and NTFS permissions are configured for
folders or files within that shared folder, the most restrictive rights
become the user's effective rights. So even though the Accounting group has
been granted full control over the files, it still has read-only access to
those files. Another problem is that the Everyone group has full control
over the entire folder, so the AccountAdmin and Accounting groups are not
the only ones who will have full control over the specified files. In
general, you should use either share permissions or NTFS permissions, but
not both. Using both significantly increases the complexity of resolving
access permissions for network resources. NTFS permissions are preferred
because they can be set on both files and folders.
D. Correct: The proposed solution fails to meet any of the requirements
because the Everyone group was not removed from the share permission, which
granted all network users full control over all content in the shared
folder. In addition, the solution fails because Read permission was granted
to the Accounting group at a share level, but Full Control permission was
granted to the group for individual files, and the share-level Read
permission overrides the NTFS-level Full Control permission for those files.
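
An added example, not part of the original post or the training kit: a simplified Python model of how Windows resolves access to a file reached through a share. Within each ACL, allow entries accumulate across the user's groups, and the effective right is the more restrictive of the share result and the NTFS result. Assumptions: permissions are reduced to four ordered levels, Deny entries are left out, and the three user names are constructed.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2
    FULL = 3


def layer_access(groups, acl):
    """Highest level that any of the user's groups is allowed in one ACL."""
    return max((lvl for grp, lvl in acl.items() if grp in groups),
               default=Access.NONE)


def effective_access(groups, share_acl, ntfs_acl):
    """Network access must pass both layers, so the lower result wins."""
    return min(layer_access(groups, share_acl), layer_access(groups, ntfs_acl))


# Share ACL as configured in the question: Everyone keeps its default entry.
SHARE_AS_CONFIGURED = {"Everyone": Access.FULL,
                       "Accounting": Access.READ,
                       "AccountAdmin": Access.FULL}
# Same share with the Everyone entry removed.
SHARE_EVERYONE_REMOVED = {"Accounting": Access.READ,
                          "AccountAdmin": Access.FULL}
# NTFS ACL on the specified files: Everyone removed, both groups Full Control.
NTFS_SPECIFIED_FILES = {"Accounting": Access.FULL,
                        "AccountAdmin": Access.FULL}

# Constructed sample users and their group memberships.
USERS = {"clerk": {"Everyone", "Accounting"},
         "doc_manager": {"Everyone", "Accounting", "AccountAdmin"},
         "outsider": {"Everyone"}}


def report(share_acl, ntfs_acl):
    """Effective access per sample user for one share/NTFS ACL pair."""
    return {name: effective_access(groups, share_acl, ntfs_acl).name
            for name, groups in USERS.items()}


if __name__ == "__main__":
    for label, share in (("as configured", SHARE_AS_CONFIGURED),
                         ("Everyone removed", SHARE_EVERYONE_REMOVED)):
        print(label, report(share, NTFS_SPECIFIED_FILES))
```

Auditing a real share means reading both ACLs for the path, since neither one alone gives the effective right.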