Permissions of deleted groups...

rjbarlow

Hi all,

found this question on the ms press book for 70-270:

Which of the following statements about deleting local groups are correct? (Choose all that apply.)
a. Each group that you create has a unique identifier that cannot be reused. Yes, OK.

b. You can restore access to resources by recreating the group. NO, OK.

c. When you delete a group, you also remove the permissions and rights associated with it. Yes. WHY?

d. Deleting a group deletes the user accounts that are members of the group. NO, OK.

Correct answers are a and c for the book.

Focusing on the 3rd question, I see quietly that even if I delete a Group, permissions are NOT deleted from the ACL of the resource, just instead of the name, it shows a SID, then if I meet, in some way, the old SID with a new Group with the previous memberships, I recreate the same previous condition, I think.

Clearly if I delete a group, its members can't access the resource.
However permissions of a deleted group are definitely NOT deleted with the deletion of that group.

I mistake in something?

cisco_trooper

Don't quote me on this, I'm more of a Cisco character these days, but I think YOU are right. It's been a while but I distinctly remember SIDs showing up in the ACLs whenever I deleted users or groups back in my days of windows administration...

dynamik

I don't think you can simply create a new group and change it's SID to the SID of the old group. There might be a hack or some other utility that could do that, but I haven't come across anything like that in XP's built-in functionality. I think the point that question is trying to make is that you are effectively removing the permissions and rights associated with it, even though the SID remains. Even if you recreate the group exactly as you had done originally, it will not regain what it previously had.

Remember, the exam is going to test you on XP's base functionality, not things that could be theoretically achieved through things such as powertoys and other utilities. What you're saying logically makes sense. However, I'm pretty sure it's not something you can do with XP on its own, but it wouldn't surprise me if there was some way to do that.

cisco_trooper

dynamik wrote:

I don't think you can simply create a new group and change it's SID to the SID of the old group. There might be a hack or some other utility that could do that, but I haven't come across anything like that in XP's built-in functionality. I think the point that question is trying to make is that you are effectively removing the permissions and rights associated with it, even though the SID remains. Even if you recreate the group exactly as you had done originally, it will not regain what it previously had.

Remember, the exam is going to test you on XP's base functionality, not things that could be theoretically achieved through things such as powertoys and other utilities. What you're saying logically makes sense. However, I'm pretty sure it's not something you can do with XP on its own, but it wouldn't surprise me if there was some way to do that.

I agree with this too. You CANNOT simply recreate the group, it will get a new SID. There ARE third-party tools to do this, although it's been so long and I can't name them.

rjbarlow

dynamik wrote:

I don't think you can simply create a new group and change it's SID to the SID of the old group. There might be a hack or some other utility that could do that, but I haven't come across anything like that in XP's built-in functionality. I think the point that question is trying to make is that you are effectively removing the permissions and rights associated with it, even though the SID remains. Even if you recreate the group exactly as you had done originally, it will not regain what it previously had.

Remember, the exam is going to test you on XP's base functionality, not things that could be theoretically achieved through things such as powertoys and other utilities. What you're saying logically makes sense. However, I'm pretty sure it's not something you can do with XP on its own, but it wouldn't surprise me if there was some way to do that.

Of course. no built-in features of Windows XP permit to do that.
But the question was:
c. When you delete a group, you also remove the permissions and rights associated with it?

Since remains the old group SID and the old permissions such as they were, I thought definitely that permissions are not deleted anyway when I delete a Group.
It's a problem maybe on what is a Group in order to answer correctly this question, it's a SID or it's a name or it's a conjunction of a SID and a name?
Because I often read that the SID is the main part of a securitty principal, I was sure to answer that no, permissions are not deleted when I delete a group.
On the other hand, it's just a SID shown, not an existing group.

The key maybe is to answer basing on base functionality of Windows XP as You say and not complicating the life.

Cheers

undomiel

Maybe a better phrasing for it would be:

C. When you delete a group, you also disassociate the permissions and rights previously associated with it.

Since clearly the permissions and rights are no longer used since that SID has been retired and they can not be reassociated, only recreated.

rjbarlow

undomiel wrote:

Maybe a better phrasing for it would be:

C. When you delete a group, you also disassociate the permissions and rights previously associated with it.

Agreee on that, 100%.

ill.fated.guy

c. When you delete a group, you also remove the permissions and rights associated with it?

im just a newbie here and i hope it's just ok to participate. i also got a little confused on that statement. however, as i understand it after reading it a couple of times, it simply means that when you delete a group, the permission and rights associated with it are equally remove even if the SID still exist because its existence is actually useless. and we cannot recycle an old SID in the event we wanted to create the same group again.