Shared Permission Question
MariusRZR
Member Posts: 92 ■■■□□□□□□□
Hey Guys,
I found this question in Don Poulton's Cert Guide book.
I picked D and it was wrong. Can't really figure out why...
You have created a shared folder named Documents on your Windows
Server 2012 R2 computer, which is a member server in your company’s AD
DS domain. You have assigned the Engineers global group the Full Control
NTFS permission to this share. In addition, you have assigned the Interns
group the Read permission to a subfolder of the Documents folder that is
named Specifications. You do not want the members of the Interns group to
be able to modify this folder. What should you do?
a. Access the Advanced Security Settings dialog box for the Specifications
folder and click the Disable inheritance command button. On the
Block Inheritance dialog box that appears, select Remove all inherited
permissions from this object.
b. Access the Advanced Security Settings dialog box for the Specifications
folder and click the Disable inheritance command button. On the
Block Inheritance dialog box that appears, select Convert inherited
permissions into explicit permissions on this object.
c. Access the Security tab of the Permissions dialog box for the Specifications
folder. In this dialog box, select the Interns group and then select
the Full Control permission under the Deny column.
d. You do not need to do anything because you have not granted any other
permission to the Interns group.
In the book, the correct answer is A. I picked D.
Engineers Global Group have Full control NTFS Permissions to Documents
The Interns Group have Read Permissons to a subfolder of documents, Specifications.
Interns will not be able to modify anything, since all they have are Read Permissions to the Specifications Subfolder.
Why do I have to disable Inheritance? Since Interns don't have rights to the parent folder?
I found this question in Don Poulton's Cert Guide book.
I picked D and it was wrong. Can't really figure out why...
You have created a shared folder named Documents on your Windows
Server 2012 R2 computer, which is a member server in your company’s AD
DS domain. You have assigned the Engineers global group the Full Control
NTFS permission to this share. In addition, you have assigned the Interns
group the Read permission to a subfolder of the Documents folder that is
named Specifications. You do not want the members of the Interns group to
be able to modify this folder. What should you do?
a. Access the Advanced Security Settings dialog box for the Specifications
folder and click the Disable inheritance command button. On the
Block Inheritance dialog box that appears, select Remove all inherited
permissions from this object.
b. Access the Advanced Security Settings dialog box for the Specifications
folder and click the Disable inheritance command button. On the
Block Inheritance dialog box that appears, select Convert inherited
permissions into explicit permissions on this object.
c. Access the Security tab of the Permissions dialog box for the Specifications
folder. In this dialog box, select the Interns group and then select
the Full Control permission under the Deny column.
d. You do not need to do anything because you have not granted any other
permission to the Interns group.
In the book, the correct answer is A. I picked D.
Engineers Global Group have Full control NTFS Permissions to Documents
The Interns Group have Read Permissons to a subfolder of documents, Specifications.
Interns will not be able to modify anything, since all they have are Read Permissions to the Specifications Subfolder.
Why do I have to disable Inheritance? Since Interns don't have rights to the parent folder?
Comments
-
OctalDump Member Posts: 1,722I think they are pointing to you to the possibility that a folder higher in the hierarchy has more permissions.
Block inheritance means that you can be more certain of the permission which apply to a particular object. There exists a possibility that someone could be a member of both groups.
I think that an explicit deny will over ride, but I'm rusty on this since I am not touching Windows Server for a couple of months. It's the kind of scenario which I would want to actually test.
There's a little info here.2017 Goals - Something Cisco, Something Linux, Agile PM -
636-555-3226 Member Posts: 975 ■■■■■□□□□□Bad wording, missing some details. It doesn't mention what kind of access the Interns have to the root folder Documents. If they have read-only already to Documents then that defaults to inheriting down to read-only for Specificiations. Besides, if they already have read-only access to Specifications then you don't need to do anything, assuming they have access to the main Documents folder already. Best answer is D.
-
MariusRZR Member Posts: 92 ■■■□□□□□□□Thank you. I was thinking the same thing. That's why I picked D.
-
BornToBeMild Member Posts: 69 ■■□□□□□□□□It is a poorly worded question. If a member of Interns was also a member of Engineers, then A is technically correct, although not practical as it also denies access to Specifications folder to all Engineers.
If a member of Interns is not also a member of Engineers then D is correct.
D was my gut feeling answer.
As frequently happens, the best answer was not on the list. -
joeswfc Member Posts: 118 ■■■□□□□□□□I would go with A...
Like others have said, maybe it is focussing on the possibility that more permissions have been inherited from the folder above. -
OctalDump Member Posts: 1,722BornToBeMild wrote: »It is a poorly worded question. If a member of Interns was also a member of Engineers, then A is technically correct, although not practical as it also denies access to Specifications folder to all Engineers.
If a member of Interns is not also a member of Engineers then D is correct.
D was my gut feeling answer.
As frequently happens, the best answer was not on the list.
The problem is that the requirements are a bit odd. You are asked to ensure only that Interns cannot modify the Specifications folder. There is no requirement that members of Engineers can access the folder. There is a possibility that a user could be a member of both, or a member of Interns and some other unspecified group (Domain Administrators?).
In reality, there would be a whole bunch of other things to check as well.
B and C you can dismiss easily. D has in it the implicit assumption that the only permissions that might affect members of Interns are those which you explicitly gave. However, this assumption is false, since permissions can be inherited. This could happen from a user being member of multiple groups, or could be permissions inherited from Documents (which we are not told about which permissions it has) or a higher folder.
So A is a better answer, although not entirely satisfactory.2017 Goals - Something Cisco, Something Linux, Agile PM -
BornToBeMild Member Posts: 69 ■■□□□□□□□□You are correct, I freely admit I would probably have been wrong if it was in a test. Lucky for me it wasn't . This is a case where real world experience can play against you - It just feels wrong to pick an answer that would break things in real life.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□The question should have really said the "EngInterns" group or something like that instead of just calling it "Interns" group. No other group in that company has interns! I call BS! Horribly worded question or the sys admin there has a horribly worded group name!
-
MariusRZR Member Posts: 92 ■■■□□□□□□□Hopefully questions like these won't be on the actual exam. I got the feeling some of these tests are doing more harm than good.
-
joeswfc Member Posts: 118 ■■■□□□□□□□Hopefully questions like these won't be on the actual exam. I got the feeling some of these tests are doing more harm than good.
You will probably find a lot of them are on the exam, but the answers in the **** aren't always right. Always make sure you research it and don't just believe the answer that these **** provide. -
BornToBeMild Member Posts: 69 ■■□□□□□□□□To be fair to the OP, this question is in Don Poulton's MCSA 70-410 Cert Guide book. Page 124 in my copy.