Question on Permissons and Rights

I am totally stumbled on this practice question:

You administer a Windows Server 2003 file server. You created a folder named Users that contains a folder for each user on the network; each folder is named according to the user's first initial and last name. You want to prevent users from creating folders within Users Folder while still permitting the users to create files and folders within their respective folders. Additionally, you want to deny users the permission to delete either the Users folder or any folders within the Users folder; you also want to prevent users from being able to access each other's folders.

Which of the following actions should take to meet the requirements of the scenario? (Select 3 choices)

a) You should assign Deny - Full Control NTFS permissions to the Everyone group for the Users folder.

b) You should grant the Allow - Read & Execute NFTS permission to the Everyone group for only the Users folder.

c) You should grant Allow - Read & Execute NFTS permissions to the Everyone group for the Users folder.

d) You should grant Allow - Full Control NTFS permissions to each user for his/her respective folder and modify the permission to prevent each user from deleting the folder.

e) You should assign Deny - Read & Execute NTFS permission to the Everyone group for each user's folder.

f) You should assign the Deny - Full Control NTFS permission to the Administrators group for each user's folder.

So far I have chosen b and d but the rest of the choices doesn't make any sense.

You can't deny permission for the Everyone group because it would effect the user as well.

Find more posts tagged with

Comments

georgemc

I'm not 100% sure but I would say A, D and E.

My own warped logic says:

A. this will prevent normal users from creating or deleting folders or files directly under the "USERS" folder.

D. this will allow each individual user to access there own folder. Permissions assigned directly to a user should override those assigned to the "everyone" group.

E. this will prevent individual user's from accessing/deleting/creating files and folder's in user (FLast) folders other than their own.

Can someone please confirm the accuracy or complete wrongness of this logic?

Georgemc

sprkymrk

I agree with the 2 you have chosen (though not the way I would do it, they are the only choices that make sense). I think you should then choose E, in this way you would lock out anyone other than the user who you just assigned explicit FC rights. I think the explicit FC granted to a specific user on a folder trumps an inherited deny to a group. Just a guess...

dynamik

The OP is correct, you cannot use A or E because deny permissions take precedence over allow permissions, so you would effectively deny all users access to the folders.

I would go with B because if you do not allow child objects to inherit permissions, only users who are explicitly granted access will be able to access those objects. This will allow everyone to read the contents of the directory but not create new items. I think C is incorrect because it will allow everyone to access each others folders. I think D is correct because it allows each user to control his or her folder without being able to delete it. By process of elimination, that leaves F, which doesn't really make any sense, but it doesn't really affect the scenario, so maybe that's what they're looking for. It wants to deny other users to others' folders, so maybe you need to explicitly deny the admins, so they don't get a look at sensitive data. Who knows.

As a general rule, it's best to not allow access by simply removing allow permissions instead of using deny permissions. Deny permissions make things extremely messy and should only be used as more of an emergency procedure, such as when you need to deny an individual user of a group that has access to a resource.

I wouldn't get to worked up about this question. It's poorly written and sample questions are prone to all kinds of errors (maybe it meant to ask which two are correct). Does it tell you which answers are correct?

sprkymrk

dynamik wrote:

The OP is correct, you cannot use A or E because deny permissions take precedence over allow permissions, so you would effectively deny all users access to the folders.

This is a generalization that can cause some confusion. The thing to remember is that there is something referred to as the "Canonical Order of ACEs" which states that:

1. All explicit ACEs are placed in a group before any inherited ACEs.
2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the child object's parent come first, then ACEs inherited from the grandparent, and so on up the tree of objects.
4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.

So by selecting "D" you just created an "explicit" allow for the user to his own folder. When you select "E", that comes down as an inherited, or "implicit" deny at the level below \USERS, which is the %username% folder. Since the Canonical Order of ACEs places "explicit" ACEs as higher priority than "implicit", the individual user will still have access to his/her own folder, but no one else will. Now if the DENY to EVERYONE was on the \%username% folders, then no one at all would have access since EXPLICIT DENY would take precedence over the EXPICIT ALLOW.

dynamik wrote:

As a general rule, it's best to not allow access by simply removing allow permissions instead of using deny permissions. Deny permissions make things extremely messy and should only be used as more of an emergency procedure, such as when you need to deny an individual user of a group that has access to a resource.

Very good advice. Agree 100%

dynamik wrote:

I wouldn't get to worked up about this question.

I also agree, but this is also just the kind of question MS likes to throw at you on the exam.