Page 2-16
1. | Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:
What are Sam's effective privileges to the file?
2. | Sam is a member of both the IT group and the Administrators group. Sam is attempting to access a file with the following permissions:
What are Sam's effective privileges to the file?
3. | Which of the following is a standard permission for a file or folder?
Answers
1. | a. Sam has Full Control over the file because he is a member of the Administrators group, and nothing has overridden the ACE assigning Full Control privileges to the Administrators group. |
2. | f. Sam will be denied access to the file because Sam is a member of the IT group. The Deny ACE assigned to the IT group overrides all ACEs that grant privileges. |
3. | c. Read & Execute is a standard file and folder permission. The other options are valid special permissions. |
Page 2-35
1. | Which of the following built-in groups is present on a domain controller?
2. | Which of the following special groups could you assign to an ACL to prevent access from unauthenticated users?
3. | Which of the following are not available at the Windows 2000 native domain functional level?
4. | Which of the following group types could be nested within a universal group?
Answers
1. | c. DHCP Users is a domain group. All the other options exist in the local user database of standalone or member servers. |
2. | b. The Anonymous Logon special group contains members who have not been authenticated. |
3. | d. Renaming domain controllers is not an option when using the Windows 2000 native domain functional level. |
4. | c. Global groups can be nested within universal groups. |
The following table provides the answers.
Existing group name | Description | Recommended group name |
---|---|---|
Sales-Main | Sales global group for all sales personnel | GG Sales All |
Sales-Mgr | Sales global group for sales managers | GG Sales Managers |
Sales-Main Office | Sales global group for sales personnel located in the main office | GG Sales Main Office |
Sales-Brn | Sales global group for personnel located in branch offices | GG Sales Branch Offices |
Sales-Prnt Mngr | Domain local group of sales personnel who can manage the printer located in building 25 | DL Sales Bldg25 Print Managers |
Sales-Prnt User | Domain local group of sales personnel who can print to the printer located in building 25 | DL Sales Bldg25 Print Users |
Page 2-45
1. | Which of the following group names was created with an effective group naming strategy?
2. | Is the User/ACL or the Account Group/ACL method more effective in large enterprises?
Answers
1. | b. The naming strategy used to create this group name produced a short but descriptive group name. |
2. | a. The principle of least privilege states that only the minimal rights required by users should be assigned. |
Page 2-54
1. | John is a member of both the IT and Finance groups. When John attempts to edit a file, he is denied access. Which of the following scenarios are potential causes of this problem? (Choose all that apply.)
2. | The Effective Permissions tool can be used to discover which of the following pieces of information? (Choose all that apply.)
Answers
1. | a, c. Both of these scenarios describe situations in which John cannot edit the file, either because one of his group memberships is explicitly denied access or because he has no permissions to the file. |
2. | c, d. The Effective Permissions tool is capable of showing what permissions a user or group has to an object. It cannot, however, enumerate group memberships. |
Page 2-55
1. | Which of the following group names is most fitting to an appropriate naming strategy?
2. | How will you recommend that Fabrikam enforce the group naming conventions? |
3. | Will you recommend the User/ACL, Account Group/ACL, or Account Group/Resource Group authorization method? |
Answers
1. | c. Given Fabrikam's requirements, an appropriate group naming strategy would include the group scope and a concise description of the group. You do not need to include the location of the group in the name. Even though some resources will only be assigned to users in specific locations, the group design does not require that business groups be divided by location. Separate groups can be created for each of the three locations, and employees in each location can be added to those groups. |
2. | Although Windows Server 2003 does not include a way to enforce group naming conventions at the time a group is created, auditing works wonders to enforce standards. Ideally, you would recommend that Fabrikam's security team audit group names on a weekly or monthly basis to ensure conformance with the naming conventions. |
3. | Fabrikam has 600 users, so the User/ACL authorization method would be impossible to manage. The Account Group/Resource Group authorization model is probably the most appropriate choice here, though Account Group/ACL is also a valid choice. |
Page 2-57
1. | What is the best way to quickly determine what access Mary has to the file? |
2. | What permissions does Mary have to the file? |
3. | How can you identify the user membership that is causing Mary to be denied access to the file? |
4. | What access control entry is responsible for Mary's access being denied? |
5. | What should you do before modifying the permissions to grant Mary access? |
Answers
1. | You can use the Effective Permissions tool to determine Mary's user account permissions. You could also look up Mary's group memberships and manually calculate her effective permissions. However, this would be time-consuming. |
2. | Mary has no permission to the file. |
3. | First, view Mary's user account properties to determine the list of groups to which she belongs. Then use the Effective Permissions tool to test the permissions of each group. Using Effective Permissions is more effective than manually reviewing the list of permissions because groups can be nested, and it is not always obvious which groups a user belongs to. |
4. | The Deny Accounting group access control entry is responsible, because Mary is a member of Accounting. |
5. | You should determine why the Accounting group was initially denied access to the file. There is probably a legitimate reason for denying Mary access. If not, you must decide whether the entire Accounting group should have access to the file, or just Mary. If the entire Accounting group should have access to the file, grant the Accounting group access by removing the appropriate Deny permissions for the file. If only Mary should have access, you can add an explicit permission that will override the inherited Deny permission. Additionally, you must determine what level of access the Accounting group or Mary should have to the file. |