Lesson 2: Troubleshooting Group Membership


When resources are protected by both share and NTFS permissions, calculating effective permissions can be a little tricky. When a user cannot access a particular resource, you have to take into account the share permissions that are applied and the NTFS permissions that are applied, and then take the more restrictive of the cumulative permissions for both. When a user is a member of more than one group, or if group membership has been recently changed, the problem of calculating effective permissions is exacerbated.

After this lesson, you will be able to

  • Explain what happens when users are members of more than one group.

  • Troubleshoot problems related to group membership.

Estimated lesson time: 10 minutes

When Users Are Members of More than One Group

When users are members of multiple groups, they will have multiple permissions on the files and folders that they have access to. When calculating effective permissions for a specific folder, do the following:

  1. List the folder’s assigned share permissions for each group the user is a member of, and calculate the effective share permissions. List the most lenient permission.

  2. List the folder’s assigned NTFS permissions for each group the user is a member of, and calculate the effective NTFS permissions. List the most lenient permission.

  3. Compare the most lenient permissions in step 1 and step 2. Choose the more restrictive permission. This is the effective permission.

    Exam Tip

    Although you will not see too many questions about combining permissions on the exam, you may see a few, so it is worth knowing how it works. First figure out the NTFS permissions that a user has by combining the permissions of all the groups in which the user is a member and taking the least restrictive combination. Remember, though, that if any group is denied permission to the object, the user is denied permission. Next figure out the share permissions on the object in the same way—by combining the share permissions of the groups in which the user is a member and taking the least restrictive combination. (Again, a Deny permission for any group yields a Deny permission for the user.) Finally, combine the NTFS and share permissions and take the most restrictive combination of those two.

Changes in Group Membership

Other problems occur when a user’s group membership changes. This is especially true if a user was a member of the Power Users group and has been downgraded to the Users group or if a worker has been demoted and given more restrictive permissions to resources. When troubleshooting resource access, be sure you note any changes to the user’s group status.

Practice: Add a User to the Backup Operators Group

In this practice, you will create a local user and then add that user to the Backup Operators local group.

  1. Log on to Windows XP using an account with administrator privileges.

  2. From the Start menu, right-click My Computer, and select Manage.

  3. In the Computer Management console, in the console tree, expand System Tools, and then expand Local Users And Groups.

  4. Right-click the Users folder, and select New User.

  5. In the New User dialog box, type the following information:

    • User Name: ksanchez

    • Full Name: Ken Sanchez

    • Password and Confirm Password: lion54dunk!

  6. In the New User dialog box, clear the User Must Change Password At Next Logon check box, and then click Create. Click Close.

  7. In the right-hand pane of the Computer Management console, right-click ksanchez and select Properties.

  8. In the ksanchez Properties dialog box, on the Member Of tab, click Add.

  9. In the Select Groups dialog box, click Advanced.

  10. In the second Select Groups dialog box, click Find Now.

  11. In the search pane, select Backup Operators and click OK.

  12. In the Select Groups dialog box, click OK.

  13. In the ksanchez Properties dialog box, click OK.

  14. Close the Computer Management console.

Lesson Review

The following question is intended to reinforce key information presented in this lesson. If you are unable to answer the question, review the lesson materials and try the question again. You can find answers to the question in the “Questions and Answers” section at the end of this chapter.

  1. A user named John is a member of several groups in a domain: the Research Group, the Marketing Group, and the Support Group. Each group he belongs to has access to a different set of folders and data. However, one folder named Help And Support is shared so that all users in the company can access it, although some users have more access than others. John’s group membership and the permissions assigned to the Help And Support folder for each group are listed here. What is John’s effective permission for the folder?

    Group

    Share Permissions

    NTFS Permissions

    Research

    Read and Change

    Read, Write, List Folder Contents, Read And Execute

    Marketing

    Read

    Read, Read And Execute

    Support

    Full Control

    Modify, Read And Execute, List Folder Contents, Read, Write

    1. Read

    2. Write

    3. Modify

    4. Full Control

Lesson Summary

  • A user’s group membership determines the level of access to the computer and its files and folders.

  • When a user is a member of multiple groups, the permissions for all groups are combined and the least restrictive permission is applied.

  • Changes in group membership affect users’ access to resources. Take membership into account when troubleshooting access.




McDst Self-Paced Training Kit (Exam 70-272(c) Supporting Users and Troubleshooting Desktop Applications on a[... ]ystem)
McDst Self-Paced Training Kit (Exam 70-272(c) Supporting Users and Troubleshooting Desktop Applications on a[... ]ystem)
ISBN: N/A
EAN: N/A
Year: 2006
Pages: 237

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net