Re: MCSA/MCSE Self-training book from MS PRESS for exam 70-215 incorrect on file permission questions?

From: Leonard Hopkins (leonard.hopkins_at_lphopkins.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 05:39:45 GMT

Thanks so much for writing. The "EVERYONE" special group is an enigma to me.
I can't find much on what it is, its purpose, etc. Why have an "EVERYONE"
group? Why have Users groups, domain users, authenticated users, etc.?

The "EVERYONE" special group is what confused me here. I failed to realize
that the other groups are members of it, (doooh! as Homer Simpson would
say). Guess I need to study a little harder. Your response has helped.
Thanks again.

"Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
news:Obms7PVEEHA.2768@tk2msftngp13.phx.gbl...
> NTFS permissions don't always trump share perms. A user's permissions on
> one of them are going to be the greatest allowed by group membership minus
> anything denied. The sum of the permissions granted going through both file
> and share will be only the ones granted by both.
>
> Aren't members of both groups also members of Everyone?
>
> Result:
> - Accounting group has full control via NTFS and full control via the share
> ('cause they're part of Everyone).
> - AccountAdmin group has same.
>
> That said, I can't say that I entirely like the wording of the test
> question. I had to read it a couple of times before I could tell what "only
> ..." and "specified files" was supposed to mean for certain.
> --
> Drew Cooper [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Leonard Hopkins" <leonard.hopkins@lphopkins.com> wrote in message
> news:Sy08c.76470$_w.1033915@attbi_s53...
> > I have been working on my MCSE on my own and flaws like this don't make it
> > any easier. I could be wrong and hope that I am but a sample test question
> > on page 962 goes as follows.
> >
> > 70-215.02.03.003
> >
> > You are the administrator of a Windows 2000 Server computer that is
> > configured with a 10-GB FAT32 partition on its only hard disk. The partition
> > includes the AccountingDept folder, which contains documents specific to the
> > accounting department. You create two user groups: the Accounting group and
> > the AccountAdmin group. The Accounting group includes all members of the
> > Accounting department.
> >
> > The AccountAdmin group includes about 10 members of the Accounting
> > department who manage accounting-related documents.
> >
> > You want to accomplish the following goals:
> >
> > - Only the Accounting group should have read-only access to content in the
> > AccountingDept folder.
> >
> > - Only the AccountAdmin group should have full control over content in the
> > AccountingDept folder.
> >
> > - Only the Accounting group and the AccountAdmin group should have full
> > control over specified files in the AccountingDept folder.
> >
> > You convert the FAT32 partition to an NTFS partition and share the
> > AccountingDept folder. You implement share-level security for the
> > AccountingDept folder by granting Read permission to the Accounting group
> > and by granting Full Control permission to the AccountAdmin group. You
> > implement NTFS permissions on the specified files within the AccountingDept
> > folder, granting full control to members of the Accounting group and the
> > AccountAdmin group and removing the Everyone group.
> >
> > Which result or results does your installation achieve?
> >
> > A. Only the Accounting group will have read-only access to content in the
> > AccountingDept folder.
> >
> > B. Only the AccountAdmin group will have full control over content in the
> > AccountingDept folder.
> >
> > C. Only the Accounting group and the AccountAdmin group will have full
> > control over specified files in the AccountingDept folder.
> >
> > D. The proposed solution does not meet any of the required results.
> >
> > The book answer states the only correct answer is D. How can this be? I
> > don't care what folder you share, as long as you have NTFS permissions on
> > the folder and its contents, this trumps any shared permission. I have
> > demonstrated this exactly in my lab. Domain admins can't gain access to a
> > shared folder as described in the preceding scenario after I set the folder
> > and file permissions to full control by the Accounting and AccountAdmin
> > groups. It doesn't matter that the "EVERYONE" group has full control on
> > share permissions, only the groups with the appropriate NTFS permission have
> > authority. If not, then the whole NTFS security concept is a fantasy. I
> > would like this addressed by someone from Microsoft. If I am wrong, please
> > show me where. If I am correct, then I would like to know how flawed
> > questions make it into training books and possibly even tests.
> >
> > MCSE Training Kit-Microsoft Windows 2000 Server
> >
> > 70-215.02.03.003
> >
> > Correct Answers: D
> >
> > A. Incorrect: A shared folder is used to provide network users with access
> > to file resources. When a folder is shared, users can connect to the folder
> > over the network and gain access to the files that it contains. However,
> > although the Accounting group has been granted Read permission to the shared
> > folder, all other network users will have full control over the content
> > because the Everyone group was not removed from the share permissions. By
> > default, the Everyone group is granted Full Control permission to a shared
> > folder. If you grant Read permission to the members of the Accounting group,
> > these users will be granted read-only access to all content within the
> > shared folder, including subfolders and all files. Read permission allows
> > users to display folder names, filenames, file data, and file attributes;
> > run program files; and change folders within the shared folders. However,
> > Full Control permission allows users to change file permissions, take
> > ownership of files, create folders, add files to folders, change data in
> > files, append data to files, change file attributes, delete folders and
> > files, and perform all actions permitted by the Read permission. Users who
> > are members of the Accounting group are also, by default, members of the
> > Everyone group. When multiple permissions are granted to a resource, the
> > most restrictive permissions apply.
> >
> > B. Incorrect: Although the AccountAdmin group has been granted Full Control
> > permission to the shared folder, all other network users will have full
> > control over the content because the Everyone group was not removed from the
> > share permissions. By default, the Everyone group is granted Full Control
> > permission to a shared folder. As a result, you must remove the Everyone
> > group if you want to restrict access to the share; otherwise, all users on
> > the network will have full control over all content in the shared folder
> > except those users who are specifically allowed or denied specific
> > permissions.
> >
> > C. Incorrect: Although the AccountAdmin group will have full control over
> > the specified files, the Accounting group will not because the Accounting
> > group was granted read-only access at the share level. If share rights are
> > configured for a shared folder and NTFS permissions are configured for
> > folders or files within that shared folder, the most restrictive rights
> > become the user's effective rights. So even though the Accounting group has
> > been granted full control over the files, it still has read-only access to
> > those files. Another problem is that the Everyone group has full control
> > over the entire folder, so the AccountAdmin and Accounting groups are not
> > the only ones who will have full control over the specified files. In
> > general, you should use either share permissions or NTFS permissions, but
> > not both. Using both significantly increases the complexity of resolving
> > access permissions for network resources. NTFS permissions are preferred
> > because they can be set on both files and folders.
> >
> > D. Correct: The proposed solution fails to meet any of the requirements
> > because the Everyone group was not removed from the share permission, which
> > granted all network users full control over all content in the shared
> > folder. In addition, the solution fails because Read permission was granted
> > to the Accounting group at a share level, but Full Control permission was
> > granted to the group for individual files, and the share-level Read
> > permission overrides the NTFS-level Full Control permission for those files.
>
>
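
The rule Drew Cooper describes (within the share or NTFS layer, the union of group grants minus denies; across the two layers, only what both grant), applied to the exam scenario's specified files. This is an added example, not part of the original thread or the training kit. It assumes a simplified model in which access levels are cumulative bitmasks and every user belongs to Everyone; the sample users and the "Domain Users" group are constructed.

```python
# Added illustration: simplified model of Windows share + NTFS evaluation.
# Access levels are cumulative bitmasks (an assumption of this model).
READ, CHANGE, FULL = 0b001, 0b011, 0b111

def layer_access(acl, groups):
    """One layer (share OR NTFS): union of allows for the user's groups,
    minus anything denied. Every user is treated as a member of Everyone."""
    groups = set(groups) | {"Everyone"}
    allow = deny = 0
    for group, kind, mask in acl:
        if group in groups:
            if kind == "allow":
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny

def effective(share_acl, ntfs_acl, groups):
    """Over the network: only what BOTH layers grant."""
    return layer_access(share_acl, groups) & layer_access(ntfs_acl, groups)

# Share ACL from the exam question: Everyone was never removed.
SHARE_AS_CONFIGURED = [
    ("Everyone", "allow", FULL),
    ("Accounting", "allow", READ),
    ("AccountAdmin", "allow", FULL),
]
# Constructed variant: the same share with the Everyone entry removed.
SHARE_EVERYONE_REMOVED = SHARE_AS_CONFIGURED[1:]
# NTFS ACL on the "specified files": Everyone removed, both groups Full Control.
NTFS_SPECIFIED_FILES = [
    ("Accounting", "allow", FULL),
    ("AccountAdmin", "allow", FULL),
]

def report(share_acl):
    users = {  # constructed sample users
        "accounting clerk": {"Accounting"},
        "account admin": {"Accounting", "AccountAdmin"},
        "other domain user": {"Domain Users"},
    }
    return {u: effective(share_acl, NTFS_SPECIFIED_FILES, g) for u, g in users.items()}

if __name__ == "__main__":
    names = {0: "No access", READ: "Read", CHANGE: "Change", FULL: "Full Control"}
    for label, acl in [("as configured", SHARE_AS_CONFIGURED),
                       ("Everyone removed from share", SHARE_EVERYONE_REMOVED)]:
        for user, mask in report(acl).items():
            print(f"{label:30} {user:18} {names.get(mask, bin(mask))}")
```

With Everyone left on the share, both groups reach the specified files with Full Control and any other user is stopped by the NTFS ACL; once Everyone is removed from the share, the share-level Read caps the Accounting-only user at Read.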


