Shared Permission Question

Hey Guys,
I found this question in Don Poulton's Cert Guide book.
I picked D and it was wrong. Can't really figure out why...
You have created a shared folder named Documents on your Windows Server 2012 R2 computer, which is a member server in your company’s AD DS domain. You have assigned the Engineers global group the Full Control NTFS permission to this share. In addition, you have assigned the Interns group the Read permission to a subfolder of the Documents folder that is named Specifications. You do not want the members of the Interns group to be able to modify this folder. What should you do?
a. Access the Advanced Security Settings dialog box for the Specifications folder and click the Disable inheritance command button. On the Block Inheritance dialog box that appears, select Remove all inherited permissions from this object.
b. Access the Advanced Security Settings dialog box for the Specifications folder and click the Disable inheritance command button. On the Block Inheritance dialog box that appears, select Convert inherited permissions into explicit permissions on this object.
c. Access the Security tab of the Permissions dialog box for the Specifications folder. In this dialog box, select the Interns group and then select the Full Control permission under the Deny column.
d. You do not need to do anything because you have not granted any other permission to the Interns group.
In the book, the correct answer is A. I picked D.
Engineers Global Group have Full control NTFS Permissions to Documents
The Interns Group have Read Permissions to a subfolder of documents, Specifications.
Interns will not be able to modify anything, since all they have are Read Permissions to the Specifications Subfolder.
Why do I have to disable Inheritance? Since Interns don't have rights to the parent folder?
Comments
Block inheritance means that you can be more certain of the permissions which apply to a particular object. There exists a possibility that someone could be a member of both groups.
I think that an explicit deny will override, but I'm rusty on this since I am not touching Windows Server for a couple of months. It's the kind of scenario which I would want to actually test.
There's a little info here.
If a member of Interns is not also a member of Engineers then D is correct.
D was my gut feeling answer.
As frequently happens, the best answer was not on the list.
Like others have said, maybe it is focussing on the possibility that more permissions have been inherited from the folder above.
The problem is that the requirements are a bit odd. You are asked to ensure only that Interns cannot modify the Specifications folder. There is no requirement that members of Engineers can access the folder. There is a possibility that a user could be a member of both, or a member of Interns and some other unspecified group (Domain Administrators?).
In reality, there would be a whole bunch of other things to check as well.
B and C you can dismiss easily. D has in it the implicit assumption that the only permissions that might affect members of Interns are those which you explicitly gave. However, this assumption is false, since permissions can be inherited. This could happen from a user being a member of multiple groups, or could be permissions inherited from Documents (we are not told which permissions it has) or a higher folder.
So A is a better answer, although not entirely satisfactory.
You will probably find a lot of them are on the exam, but the answers in the **** aren't always right. Always make sure you research it and don't just believe the answer that these **** provide.
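Added example, not part of the thread or the book: a simplified Python model of how NTFS evaluates the ACL on Specifications under each answer option, for a user in Interns only and for a user in both groups. The two-bit rights mask, the function names, and the assumption that Documents carries only the Engineers Full Control grant are illustrative assumptions.

```python
from collections import namedtuple

READ, WRITE = 0x1, 0x2          # simplified rights mask (assumption)
FULL = READ | WRITE

Ace = namedtuple("Ace", "kind group mask inherited")

def canonical(aces):
    # NTFS canonical order: explicit deny, explicit allow,
    # inherited deny, inherited allow.
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, groups, desired):
    """Walk ACEs in order; allows accumulate across all of the user's groups."""
    granted = 0
    for ace in canonical(aces):
        if ace.group not in groups:
            continue
        if ace.kind == "deny":
            # A deny only matters for requested bits not already granted.
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return False                 # no matching allow: implicit deny

def specifications_acl(option="D"):
    """ACL on Specifications after applying answer option A, B, C or D."""
    inherited = [Ace("allow", "Engineers", FULL, True)]   # flows down from Documents
    explicit = [Ace("allow", "Interns", READ, False)]     # set on Specifications
    if option == "A":    # disable inheritance, remove inherited permissions
        return explicit
    if option == "B":    # disable inheritance, convert inherited to explicit
        return explicit + [a._replace(inherited=False) for a in inherited]
    if option == "C":    # explicit Deny Full Control for Interns
        return inherited + explicit + [Ace("deny", "Interns", FULL, False)]
    return inherited + explicit                           # D: change nothing

def can_modify(option, groups):
    return access_check(specifications_acl(option), groups, WRITE)

if __name__ == "__main__":
    for opt in "ABCD":
        for groups in ({"Interns"}, {"Interns", "Engineers"}):
            acl = specifications_acl(opt)
            print(opt, sorted(groups),
                  "read:", access_check(acl, groups, READ),
                  "modify:", can_modify(opt, groups))
```

In this model, option D keeps an Interns-only user read-only but lets a user who is also in Engineers modify the folder, while option C blocks modification at the cost of also denying Interns the Read access they were given.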