Re: MCSA/MCSE Self-training book from MS PRESS for exam 70-215 incorrect on file permission questions?
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/25/04
- In reply to: Leonard Hopkins: "Re: MCSA/MCSE Self-training book from MS PRESS for exam 70-215 incorrect on file permission questions?"
Date: Wed, 24 Mar 2004 16:12:57 -0800
>Why have an "EVERYONE" group? Why have User's groups, domain users,
>authenticated users? etc.
That was either sarcasm or not. In case of the "not" . . .
Different groups have different scopes. A local user isn't the same as a
domain user. I'm not sure, but I believe that an authenticated user may be
from a different domain. The Everyone group includes anonymous logons in
addition to everybody else that Authenticated Users has (except on XP,
Server 2003, or later).
In case it was sarcasm . . .
The etc. group is there to cover anything that we might have missed in the
scope of the Everyone group. ;-)
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Leonard Hopkins" <leonard.hopkins@lphopkins.com> wrote in message
news:Ba98c.71241$SR1.132113@attbi_s04...
> Thanks so much for writing. The "EVERYONE" special group is an enigma to me.
> I can't find much on what it is, its purpose, etc. Why have an "EVERYONE"
> group? Why have User's groups, domain users, authenticated users? etc.
>
> The "EVERYONE" special group is what confused me here. I failed to realize
> that the other groups are members of it, (doooh! as Homer Simpson would
> say). Guess I need to study a little harder. Your response has helped.
> Thanks again.
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:Obms7PVEEHA.2768@tk2msftngp13.phx.gbl...
> > NTFS permissions don't always trump share perms. A user's permissions on
> > one of them are going to be the greatest allowed by group membership minus
> > anything denied. The sum of the permissions granted going through both file
> > and share will be only the ones granted by both.
> >
> > Aren't members of both groups also members of Everyone?
> >
> > Result:
> > - Accounting group has full control via NTFS and full control via the share
> > ('cause they're part of Everyone).
> > - AccountAdmin group has same.
> >
> > That said, I can't say that I entirely like the wording of the test
> > question. I had to read it a couple of times before I could tell what "only
> > ..." and "specified files" was supposed to mean for certain.
> > --
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Leonard Hopkins" <leonard.hopkins@lphopkins.com> wrote in message
> > news:Sy08c.76470$_w.1033915@attbi_s53...
> > > I have been working on my MCSE on my own and flaws like this don't make it
> > > any easier. I could be wrong and hope that I am but a sample test question
> > > on page 962 goes as follows.
> > >
> > > 70-215.02.03.003
> > >
> > >
> > >
> > > You are the administrator of a Windows 2000 Server computer that is
> > > configured with a 10-GB FAT32 partition on its only hard disk. The partition
> > > includes the AccountingDept folder, which contains documents specific to the
> > > accounting department. You create two user groups: the Accounting group and
> > > the AccountAdmin group. The Accounting group includes all members of the
> > > Accounting department.
> > >
> > > The AccountAdmin group includes about 10 members of the Accounting
> > > department who manage accounting-related documents.
> > >
> > > You want to accomplish the following goals:
> > >
> > > - Only the Accounting group should have read-only access to content in the
> > > AccountingDept folder.
> > >
> > > - Only the AccountAdmin group should have full control over content in the
> > > AccountingDept folder.
> > >
> > > - Only the Accounting group and the AccountAdmin group should have full
> > > control over specified files in the AccountingDept folder.
> > >
> > > You convert the FAT32 partition to an NTFS partition and share the
> > > AccountingDept folder. You implement share-level security for the
> > > AccountingDept folder by granting Read permission to the Accounting group
> > > and by granting Full Control permission to the AccountAdmin group. You
> > > implement NTFS permissions on the specified files within the AccountingDept
> > > folder, granting full control to members of the Accounting group and the
> > > AccountAdmin group and removing the Everyone group.
> > >
> > >
> > >
> > > Which result or results does your installation achieve?
> > >
> > >
> > >
> > >
> > >
> > > A. Only the Accounting group will have read-only access to content in the
> > > AccountingDept folder.
> > >
> > > B. Only the AccountAdmin group will have full control over content in the
> > > AccountingDept folder.
> > >
> > > C. Only the Accounting group and the AccountAdmin group will have full
> > > control over specified files in the AccountingDept folder.
> > >
> > > D. The proposed solution does not meet any of the required results.
> > >
> > >
> > >
> > >
> > >
> > > The book answer states the only correct answer is D. How can this be? I
> > > don't care what folder you share, as long as you have NTFS permissions on
> > > the folder and its contents, this trumps any shared permission. I have
> > > demonstrated this exactly in my lab. Domain admins can't gain access to a
> > > shared folder as described in the preceding scenario after I set the folder
> > > and file permissions to full control by the Accounting and AccountAdmin's
> > > groups. It doesn't matter that the "EVERYONE" group has full control on
> > > share permissions, only the groups with the appropriate NTFS permission have
> > > authority. If not, then the whole NTFS security concept is a fantasy. I
> > > would like this addressed by someone from Microsoft. If I am wrong, please
> > > show me where. If I am correct, then I would like to know how flawed
> > > questions make it into training books and possibly even tests.
> > >
> > >
> > >
> > > MCSE Training Kit-Microsoft Windows 2000 Server
> > >
> > >
> > >
> > > 70-215.02.03.003
> > >
> > >
> > >
> > > ~ Correct Answers: D
> > >
> > >
> > >
> > > A. Incorrect: A shared folder is used to provide network users with access
> > > to file resources. When a folder is shared, users can connect to the folder
> > > over the network and gain access to the files that it contains. However,
> > > although the Accounting group has been granted Read permission to the shared
> > > folder, all other network users will have full control over the content
> > > because the Everyone group was not removed from the share permissions. By
> > > default, the Everyone group is granted Full Control permission to a shared
> > > folder. If you grant Read permission to the members of the Accounting group,
> > > these users will be granted read-only access to all content within the
> > > shared folder, including subfolders and all files. Read permission allows
> > > users to display folder names, filenames, file data, and file attributes;
> > > run program files; and change folders within the shared folders. However,
> > > Full Control permission allows users to change file permissions, take
> > > ownership of files, create folders, add files to folders, change data in
> > > files, append data to files, change file attributes, delete folders and
> > > files, and perform all actions permitted by the Read permission. Users who
> > > are members of the Accounting group are also, by default, members of the
> > > Everyone group. When multiple permissions are granted to a resource, the
> > > most restrictive permissions apply.
> > >
> > >
> > >
> > >
> > >
> > > B. Incorrect: Although the AccountAdmin group has been granted Full Control
> > > permission to the shared folder, all other network users will have full
> > > control over the content because the Everyone group was not removed from the
> > > share permissions. By default, the Everyone group is granted Full Control
> > > permission to a shared folder. As a result, you must remove the Everyone
> > > group if you want to restrict access to the share; otherwise, all users on
> > > the network will have full control over all content in the shared folder
> > > except those users who are specifically allowed or denied specific
> > > permissions.
> > >
> > >
> > >
> > > C. Incorrect: Although the AccountAdmin group will have full control over
> > > the specified files, the Accounting group will not because the Accounting
> > > group was granted read-only access at the share level. If share rights are
> > > configured for a shared folder and NTFS permissions are configured for
> > > folders or files within that shared folder, the most restrictive rights
> > > become the user's effective rights. So even though the Accounting group has
> > > been granted full control over the files, it still has read-only access to
> > > those files. Another problem is that the Everyone group has full control
> > > over the entire folder, so the AccountAdmin and Accounting groups are not
> > > the only ones who will have full control over the specified files. In
> > > general, you should use either share permissions or NTFS permissions, but
> > > not both. Using both significantly increases the complexity of resolving
> > > access permissions for network resources. NTFS permissions are preferred
> > > because they can be set on both files and folders.
> > >
> > >
> > >
> > > D. Correct: The proposed solution fails to meet any of the requirements
> > > because the Everyone group was not removed from the share permission, which
> > > granted all network users full control over all content in the shared
> > > folder. In addition, the solution fails because Read permission was granted
> > > to the Accounting group at a share level, but Full Control permission was
> > > granted to the group for individual files, and the share-level Read
> > > permission overrides the NTFS-Level Full Control permission for those files.
> > >
> > >
> > >
> > >
> >
> >
>
>
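
The rule described in this thread (each ACL gives a user the union of their groups' allowances minus anything denied, and access through a share is limited to what both the share and NTFS grant), worked through for the exam scenario as an added example that is not part of the original posts. It is a simplified model in Python: the right names, the sample users and the variant share with Everyone removed are constructed for illustration, and real Windows ACL evaluation has more detail than this.

```python
# Added illustration: a simplified model of the rule stated in the thread.
# Group names come from the exam question; the sample users are constructed.
READ = frozenset({"read"})
FULL_CONTROL = frozenset(
    {"read", "write", "delete", "change_permissions", "take_ownership"})

def granted(acl, groups):
    """Rights one ACL gives a user: union of matching allows minus matching denies."""
    allow, deny = set(), set()
    for group, kind, rights in acl:
        if group in groups:
            (allow if kind == "allow" else deny).update(rights)
    return frozenset(allow - deny)

def effective(share_acl, ntfs_acl, groups):
    """Access through the share: only the rights granted by both ACLs."""
    return granted(share_acl, groups) & granted(ntfs_acl, groups)

# Share ACL as configured in the question: Everyone keeps its default Full Control.
SHARE_AS_CONFIGURED = [
    ("Everyone", "allow", FULL_CONTROL),
    ("Accounting", "allow", READ),
    ("AccountAdmin", "allow", FULL_CONTROL),
]
# Same share with the Everyone entry removed (hypothetical variant).
SHARE_WITHOUT_EVERYONE = [e for e in SHARE_AS_CONFIGURED if e[0] != "Everyone"]
# NTFS ACL on the specified files: Everyone removed, both groups Full Control.
NTFS_SPECIFIED_FILES = [
    ("Accounting", "allow", FULL_CONTROL),
    ("AccountAdmin", "allow", FULL_CONTROL),
]

USERS = {  # constructed sample users and their group memberships
    "accounting_clerk": {"Everyone", "Accounting"},
    "account_admin": {"Everyone", "Accounting", "AccountAdmin"},
    "outsider": {"Everyone"},
}

def report(share_acl):
    """Map each sample user to their effective rights on the specified files."""
    return {u: effective(share_acl, NTFS_SPECIFIED_FILES, g)
            for u, g in USERS.items()}

if __name__ == "__main__":
    for label, acl in (("as configured", SHARE_AS_CONFIGURED),
                       ("Everyone removed", SHARE_WITHOUT_EVERYONE)):
        for user, rights in report(acl).items():
            print(f"{label:17} {user:17} {sorted(rights) or 'no access'}")
```

With the share as configured, the Accounting member ends up with full control of the specified files through the Everyone share entry, while a user who is only in Everyone is stopped by NTFS; with Everyone removed from the share, the same Accounting member drops to read-only.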