Re: Incorrect answer in MS Press MCSA/MCSE Exam 70-215

From: Colin Nash [MVP] (cnash-REMOVETHIS-_at_mvps.org)
Date: 04/01/04 

Date: Wed, 31 Mar 2004 19:38:45 -0500

I read through it and I agree with you :)

"Leonard Hopkins" <anonymous@discussions.microsoft.com> wrote in message
news:15f0b01c416c6$6448ba00$a301280a@phx.gbl...
> I have been working on my MCSE on my own and am having
> problems understanding an answer to a sample question from
> MS Press MCSA/MCSE Exam 70-215 for Windows 2000 Server. I
> disagree with their conclusion for Answer C and I give my
> reasons for doing so. I could be wrong and if I am I trust
> someone will correct my thinking. However, if I am
> correct, I am concerned that their are errors like this in
> tests that I have to take. Has anyone ever come across a
> situation where the you got a questin wrong but knew you
> were right? Anyhow here is the issue from a sample test
> question on page 962 goes as follows.
>
> 70-215.02.03.003
> You are the administrator of a Windows 2000 Server
> computer that is configured with a 10-GB FAT32 partition
> on its only hard disk. The partition includes the
> AccountingDept folder, which contains documents specific
> to the accounting department. You create two user groups:
> the Accounting group and the AccountAdmin group. The
> Accounting group includes all members of the Accounting
> department.
>
> The AccountAdmin group includes about 10 members of the
> Accounting department who manage accounting-related
> documents.
> You want to accomplish the following goals:
> . Only the Accounting group should have read-only access
> to content in the
> AccountingDept folder.
>
> . Only the AccountAdmin group should have full control
> over content in the
> AccountingDept folder.
>
> . Only the Accounting group and the AccountAdmin group
> should have full
> control over specified files in the AccountingDept folder.
>
> You convert the FAT32 partition to an NTFS partition and
> share the AccountingDept folder. You implement share-level
> security for the AccountingDept folder by granting Read
> permission to the Accounting group and by granting Full
> Control permission to the AccountAdmin group. You
> implement NTFS permissions on the specified files within
> the AccountingDept folder, granting full control to
> members of the Accounting group and the AccountAdmin group
> and removing the Everyone group.
>
>
> Which result or results does your installation achieve?
>
> A. Only the Accounting group will have read-only access to
> content in the AccountingDept folder.
>
> B. Only the AccountAdmin group will have full control over
> content in the AccountingDept folder.
>
> C. Only the Accounting group and the AccountAdmin group
> will have full control over specified files in the
> AccountingDept folder.
>
> D. The proposed solution does not meet any of the required
> results.
>
> MCSE Training Kit-Microsoft Windows 2000 Server
> 70-215.02.03.003
> Correct Answers: D
>
> A. Incorrect: A shared folder is used to provide network
> users with access to file resources. When a folder is
> shared, users can connect to the folder over the network
> and gain access to the files that it contains. However,
> although the Accounting group has been granted Read
> permission to the shared folder, all other network users
> will have full control over the content because the
> Everyone group was not removed from the share permissions.
> By default, the Everyone group is granted Full Control
> permission to a shared folder. If you grant Read
> permission to the members of the Accounting group, these
> users will be granted read-only access to all content
> within the shared folder, including subfolders and all
> files. Read permission allows users to display folder
> names, filenames, file data, and file attributes; run
> program files; and change folders within the shared
> folders', However, Full Control permission allows users to
> change file permissions, take ownership of files, create
> folders, add files to folders, change data in files,
> append data to files, change file attributes, delete
> folders and files, and perform all actions permitted by
> the Read permission. Users who are members of the
> Accounting group are also, by default, members of the
> Everyone group. When multiple permissions are granted to a
> resource, the most restrictive permissions apply.
>
>
> B. Incorrect: Although the AccountAdmin group has been
> granted Full Control permission to the shared folder, all
> other network users will have full control over the
> content because the Everyone group was not removed from
> the share permissions. By default, the Everyone group is
> granted Full Control permission to a shared folder. As a
> result, you must remove the Everyone group if you want to
> restrict access to the share; otherwise, all users on the
> network will have full control over all content in the
> shared folder except those users who are specifically
> allowed or denied specific permissions
>
> C. Incorrect: Although the AccountAdmin group will have
> full control over the specified files, the Accounting
> group will not because the Accounting group was granted
> read-only access at the share level. If share rights are
> configured for a shared folder and NTFS permissions are
> configured for folders or files within that shared folder,
> the most restrictive rights become the user's effective
> rights. (They are forgetting that the Everyone group still
> has full access at the share level. Both the Accounting
> group and AcccountingAdmin group are also members of the
> Everyone group. In the context of share permissions a
> user's effective permission is a combination of the
> permissions assigned by each group membership. The
> Accounting group may only have Read access as the share
> level but they also have Full access due to their
> membership in the Everyone group. Hence their accumulative
> permission is READ and FULL. See page 195 of the book
> where it spells this out clearly).
>
> So even though the Accounting group has been granted full
> control over the files, it still has read-only access to
> those files. (This is not true. The Everyone group still
> has Full control at the share level. The Everyone group
> was removed from the NTFS permissions but not at the Share
> level as pointed out in Answer B above.)
>
> Another problem is that the Everyone group has full
> control over the entire folder, (Guess this was forgotten
> on the previous reason) so the AccountAdmin and Accounting
> groups are not the only ones who will have full control
> over the specified files. (This is wrong as well since the
> files are setup with Full access for both groups. No other
> permissions are set for the files and folders in the
> share. If NTFS is employed and no permissions are assigned
> to the files then no one can access the files regardless
> of what the share permission is set at.
>
> In general, you should use either share permissions or
> NTFS permissions, but not both. Using both significantly
> increases the complexity of resolving access permissions
> for network resources. NTFS permissions are preferred
> because they can be set on both files and folders. (These
> answers seem to jump in and out of context of share and
> NTFS permissions. It seems as if someone else may have
> written the answer and someone else wrote the question.)
>
>
> D. Correct: The proposed solution fails to meet any of the
> requirements because the Everyone group was not removed
> from the share permission, which granted all network users
> full control over all content in the shared folder, In
> addition, the solution fails because Read permission was
> granted to the Accounting group at a share level, but Full
> Control permission was granted to the group for individual
> files, and the share-level Read permission overrides the
> NTFS-Level Full Control permission for those files.
>

Relevant Pages
Loading