Incorrect answer in MS Press MCSA/MCSE Exam 70-215

From: Leonard Hopkins (anonymous_at_discussions.microsoft.com)
Date: 03/31/04


Date: Tue, 30 Mar 2004 18:18:01 -0800

I have been working on my MCSE on my own and am having
problems understanding an answer to a sample question from
MS Press MCSA/MCSE Exam 70-215 for Windows 2000 Server. I
disagree with their conclusion for Answer C and I give my
reasons for doing so. I could be wrong and if I am I trust
someone will correct my thinking. However, if I am
correct, I am concerned that there are errors like this in
tests that I have to take. Has anyone ever come across a
situation where you got a question wrong but knew you
were right? Anyhow, here is the issue. A sample test
question on page 962 goes as follows.

70-215.02.03.003
You are the administrator of a Windows 2000 Server
computer that is configured with a 10-GB FAT32 partition
on its only hard disk. The partition includes the
AccountingDept folder, which contains documents specific
to the accounting department. You create two user groups:
the Accounting group and the AccountAdmin group. The
Accounting group includes all members of the Accounting
department.

The AccountAdmin group includes about 10 members of the
Accounting department who manage accounting-related
documents.
You want to accomplish the following goals:
. Only the Accounting group should have read-only access
to content in the
AccountingDept folder.

. Only the AccountAdmin group should have full control
over content in the
AccountingDept folder.

. Only the Accounting group and the AccountAdmin group
should have full
control over specified files in the AccountingDept folder.

You convert the FAT32 partition to an NTFS partition and
share the AccountingDept folder. You implement share-level
security for the AccountingDept folder by granting Read
permission to the Accounting group and by granting Full
Control permission to the AccountAdmin group. You
implement NTFS permissions on the specified files within
the AccountingDept folder, granting full control to
members of the Accounting group and the AccountAdmin group
and removing the Everyone group.

Which result or results does your installation achieve?

A. Only the Accounting group will have read-only access to
content in the AccountingDept folder.

B. Only the AccountAdmin group will have full control over
content in the AccountingDept folder.

C. Only the Accounting group and the AccountAdmin group
will have full control over specified files in the
AccountingDept folder.

D. The proposed solution does not meet any of the required
results.

MCSE Training Kit-Microsoft Windows 2000 Server
70-215.02.03.003
Correct Answers: D

A. Incorrect: A shared folder is used to provide network
users with access to file resources. When a folder is
shared, users can connect to the folder over the network
and gain access to the files that it contains. However,
although the Accounting group has been granted Read
permission to the shared folder, all other network users
will have full control over the content because the
Everyone group was not removed from the share permissions.
By default, the Everyone group is granted Full Control
permission to a shared folder. If you grant Read
permission to the members of the Accounting group, these
users will be granted read-only access to all content
within the shared folder, including subfolders and all
files. Read permission allows users to display folder
names, filenames, file data, and file attributes; run
program files; and change folders within the shared
folders. However, Full Control permission allows users to
change file permissions, take ownership of files, create
folders, add files to folders, change data in files,
append data to files, change file attributes, delete
folders and files, and perform all actions permitted by
the Read permission. Users who are members of the
Accounting group are also, by default, members of the
Everyone group. When multiple permissions are granted to a
resource, the most restrictive permissions apply.

B. Incorrect: Although the AccountAdmin group has been
granted Full Control permission to the shared folder, all
other network users will have full control over the
content because the Everyone group was not removed from
the share permissions. By default, the Everyone group is
granted Full Control permission to a shared folder. As a
result, you must remove the Everyone group if you want to
restrict access to the share; otherwise, all users on the
network will have full control over all content in the
shared folder except those users who are specifically
allowed or denied specific permissions.

C. Incorrect: Although the AccountAdmin group will have
full control over the specified files, the Accounting
group will not because the Accounting group was granted
read-only access at the share level. If share rights are
configured for a shared folder and NTFS permissions are
configured for folders or files within that shared folder,
the most restrictive rights become the user's effective
rights. (They are forgetting that the Everyone group still
has full access at the share level. Both the Accounting
group and AccountAdmin group are also members of the
Everyone group. In the context of share permissions a
user's effective permission is a combination of the
permissions assigned by each group membership. The
Accounting group may only have Read access at the share
level but they also have Full access due to their
membership in the Everyone group. Hence their accumulative
permission is READ and FULL. See page 195 of the book
where it spells this out clearly).

So even though the Accounting group has been granted full
control over the files, it still has read-only access to
those files. (This is not true. The Everyone group still
has Full control at the share level. The Everyone group
was removed from the NTFS permissions but not at the Share
level as pointed out in Answer B above.)

Another problem is that the Everyone group has full
control over the entire folder, (Guess this was forgotten
on the previous reason) so the AccountAdmin and Accounting
groups are not the only ones who will have full control
over the specified files. (This is wrong as well since the
files are set up with Full access for both groups. No other
permissions are set for the files and folders in the
share. If NTFS is employed and no permissions are assigned
to the files then no one can access the files regardless
of what the share permission is set at.)

In general, you should use either share permissions or
NTFS permissions, but not both. Using both significantly
increases the complexity of resolving access permissions
for network resources. NTFS permissions are preferred
because they can be set on both files and folders. (These
answers seem to jump in and out of context of share and
NTFS permissions. It seems as if someone else may have
written the answer and someone else wrote the question.)

D. Correct: The proposed solution fails to meet any of the
requirements because the Everyone group was not removed
from the share permission, which granted all network users
full control over all content in the shared folder. In
addition, the solution fails because Read permission was
granted to the Accounting group at a share level, but Full
Control permission was granted to the group for individual
files, and the share-level Read permission overrides the
NTFS-Level Full Control permission for those files.
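
The two rules this thread turns on (Allow permissions from every group a user belongs to combine, and for network access the more restrictive of the share total and the NTFS total applies) can be checked against the scenario with a small model. This is an added example, not part of the original post or the book; the three-level permission scale, the sample user names and the second share ACL with Everyone removed are assumptions made for illustration, Deny entries are not modeled, and only the NTFS ACL on the specified files is considered.

```python
# Added illustration: simplified model of share + NTFS permission resolution.
# Assumption: permissions are reduced to three ordered levels; real ACLs are
# bitmasks and also support Deny entries, which are not modeled here.
NONE, READ, FULL = 0, 1, 2
NAMES = {NONE: "None", READ: "Read", FULL: "Full Control"}


def cumulative(acl, groups):
    """Allow entries from all of a user's groups combine; the highest wins."""
    return max((lvl for grp, lvl in acl.items() if grp in groups), default=NONE)


def effective(share_acl, ntfs_acl, groups):
    """Network access gets the more restrictive of the share and NTFS totals."""
    return min(cumulative(share_acl, groups), cumulative(ntfs_acl, groups))


# Share ACL as configured in the question: Everyone keeps its default grant.
SHARE_AS_CONFIGURED = {"Everyone": FULL, "Accounting": READ, "AccountAdmin": FULL}
# Hypothetical variant for comparison: Everyone removed from the share.
SHARE_EVERYONE_REMOVED = {"Accounting": READ, "AccountAdmin": FULL}
# NTFS ACL on the specified files: both groups Full Control, Everyone removed.
NTFS_SPECIFIED_FILES = {"Accounting": FULL, "AccountAdmin": FULL}

# Constructed sample users. AccountAdmin members are also Accounting members,
# and every account is implicitly a member of Everyone.
USERS = {
    "accounting_member": {"Everyone", "Accounting"},
    "accountadmin_member": {"Everyone", "Accounting", "AccountAdmin"},
    "other_user": {"Everyone"},
}


def report(share_acl, ntfs_acl):
    """Effective access to the specified files for each sample user."""
    return {user: NAMES[effective(share_acl, ntfs_acl, groups)]
            for user, groups in USERS.items()}


if __name__ == "__main__":
    for label, share in (("Everyone left on share", SHARE_AS_CONFIGURED),
                         ("Everyone removed from share", SHARE_EVERYONE_REMOVED)):
        print(label)
        for user, access in report(share, NTFS_SPECIFIED_FILES).items():
            print(f"  {user:20} {access}")
```

Under this model the Accounting member is limited to Read on the specified files only when Everyone has been removed from the share; a user who is only in Everyone gets nothing on those files in either case, because the NTFS ACL has no entry for them.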


