Questions and Answers

1. 

Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:

• Administrators: Grant Full Control

• IT: Grant Modify

What are Sam's effective privileges to the file?

1. Full Control

2. Modify

3. Read & Execute

4. Read

5. Write

6. None

2. 

Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:

• Administrators: Grant Full Control

• IT: Deny Full Control

What are Sam's effective privileges to the file?

1. Full Control

2. Modify

3. Read & Execute

4. Read

5. Write

6. None

3. 

Which of the following is a standard permission for a file or folder?

1. Read Attributes

2. Delete

3. Read & Execute

4. Take Ownership

1. 

a. Sam has Full Control over the file because he is a member of the Administrators group, and nothing has overridden the ACE assigning Full Control privileges to the Administrators group.

2. 

f. Sam will be denied access to the file because Sam is a member of the IT group. The Deny ACE assigned to the IT group overrides all ACEs that grant privileges.

3. 

c. Read & Execute is a standard file and folder permission. The other options are valid special permissions.

1. 

Which of the following built-in groups is present on a domain controller?

1. Administrators

2. Power Users

3. DHCP Users

4. Backup Operators

2. 

Which of the following special groups could you assign to an ACL to prevent access from unauthenticated users?

1. Everyone

2. Anonymous Logon

3. Authenticated Users

4. Interactive

3. 

Which of the following are not available at the Windows 2000 native domain functional level?

1. Universal groups

2. Nesting groups

3. Converting groups

4. Renaming domain controllers

5. SID history

4. 

Which of the following group types could be nested within a universal group?

1. Local group

2. Domain local group

3. Global group

4. Distribution group

1. 

c. DHCP Users is a domain group. All the other options exist in the local user database of standalone or member servers.

2. 

b. The Anonymous Logon special group contains members who have not been authenticated.

3. 

d. Renaming domain controllers is not an option when using the Windows 2000 native domain functional level.

4. 

c. Global groups can be nested within universal groups.

Sales-Main

Sales global group for all sales personnel

GG Sales All

Sales-Mgr

Sales global group for sales managers

GG Sales Managers

Sales-Main Office

Sales global group for sales personnel located in the main office

GG Sales Main Office

Sales-Brn

Sales global group for personnel located in branch offices

GG Sales Branch Offices

Sales-Prnt Mngr

Domain local group of sales personnel who can manage the printer located in building 25

DL Sales Bldg25 Print Managers

Sales-Prnt User

Domain local group of sales personnel who can print to the printer located in building 25

DL Sales Bldg25 Print Users

1. 

Which of the following group names was created with an effective group naming strategy?

1. HR

2. GG BOS HR

3. Cohowinery Global Group Boston Human Resources

4. Resources Human

2. 

Is the User/ACL or the Account Group/ACL method more effective in large enterprises?

1. Account Group/ACL. This method of assigning rights scales more effectively in large enterprises.

2. Which of the following describes the principle of least privilege?

1. Ensure that users have the minimal privileges necessary to do their jobs.

2. Ensure that users have no permissions unless they have authenticated with both a password and a smart card.

3. Create users with administrator privileges and then gradually reduce their privileges to the lowest level possible that allows applications to still function.

4. Unauthenticated users must have the lowest level of privileges on the network.

1. 

b. The naming strategy used to create this group name produced a short but descriptive group name.

2. 

a. The principle of least privilege states that only the minimal rights required by users should be assigned.

1. 

John is a member of both the IT and Finance groups. When John attempts to edit a file, he is denied access. Which of the following scenarios are potential causes of this problem? (Choose all that apply.)

1. The IT group has the Deny Read & Execute file permission assigned, and the Finance Group has the Grant Modify permission assigned.

2. The IT group has the Grant Modify permission assigned, and the Finance group has no permissions assigned.

3. Neither the IT group, the Finance group, nor John's user account have permissions to the object explicitly assigned.

4. The IT group has the Grant Modify permission assigned, and the Finance group has the Deny Change Permission special permissions assigned.

2. 

The Effective Permissions tool can be used to discover which of the following pieces of information? (Choose all that apply.)

1. That the user John is a member of the Interactive special group

2. That the user John is a member of the Finance security group

3. That the Finance security group has been denied access to a folder

4. That the user John will be denied access to a file because access is denied to a group of which John is a member

1. 

a, c. Both of these scenarios describe situations in which John cannot edit the file, either because one of his group memberships is explicitly denied access or because he has no permissions to the file.

2. 

c, d. The Effective Permissions tool is capable of showing what permissions a user or group has to an object. It cannot, however, enumerate group memberships.

1. 

Which of the following group names is most fitting to an appropriate naming strategy?

1. Accounts Payable

2. Boston AP

3. GG Accounts Payable

4. GG Ithaca Accounts Payable

5. GG Ithaca New York Accounts Payable

2. 

How will you recommend that Fabrikam enforce the group naming conventions?

3. 

Will you recommend the User/ACL, Account Group/ACL, or Account Group/ Resource Group authorization method?

1. 

c. Given Fabrikam's requirements, an appropriate group naming strategy would include the group scope and a concise description of the group. You do not need to include the location of the group in the name. Even though some resources will only be assigned to users in specific locations, the group design does not require that business groups be divided by location. Separate groups can be created for each of the three locations, and employees in each location can be added to those groups.

2. 

Although Windows Server 2003 does not include a way to enforce group naming conventions at the time a group is created, auditing works wonders to enforce standards. Ideally, you would recommend that Fabrikam's security team audit group names on a weekly or monthly basis to ensure conformance with the naming conventions.

3. 

Fabrikam has 600 users, so the User/ACL authorization method would be impossible to manage. The Account Group/Resource Group authorization model is probably the most appropriate choice here, though Account Group/ACL is also a valid choice.

1. 

What is the best way to quickly determine what access Mary has to the file?

2. 

What permissions does Mary have to the file?

3. 

How can you identify the user membership that is causing Mary to be denied access to the file?

4. 

What access control entry is responsible for Mary's access being denied?

5. 

What should you do before modifying the permissions to grant Mary access?

1. 

You can use the Effective Permissions tool to determine Mary's user account permissions. You could also look up Mary's group memberships and manually calculate her effective permissions. However, this would be time-consuming.

2. 

Mary has no permission to the file.

3. 

First, view Mary's user account properties to determine the list of groups to which she belongs. Then use the Effective Permissions tool to test the permissions of each group. Using Effective Permissions is more effective than manually reviewing the list of permissions because groups can be nested, and it is not always obvious which groups a user belongs to.

4. 

The Deny Accounting group access control entry is responsible, because Mary is a member of Accounting.

5. 

You should determine why the Accounting group was initially denied access to the file. There is probably a legitimate reason for denying Mary access. If not, you must decide whether the entire Accounting group should have access to the file, or just Mary. If the entire Accounting group should have access to the file, grant the Accounting group access by removing the appropriate Deny permissions for the file. If only Mary should have access, you can add an explicit permission that will override the inherited Deny permission. Additionally, you must determine what level of access the Accounting group or Mary should have to the file.