NET-122 (TestOut Chapter 10)

16. The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: Write Read and execute List folder contents Read In addition, the Everyone principal has been assigned the allow read share permission. The smarsden user is a member of the westsim.com\Users group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder?

Allow read

Explicit Assignment

An explicit assignment exists when an object is added directly to the access control list (ACL) of a folder or file. The ACL entry identifies: The user or group with permission. The specific permissions assigned to the user or group. Whether the permissions are allowed or denied.

1. You are the network administrator for your company. A Windows server named Srv1 has a shared folder called SalesResearch that shares the F:\Sales\Research folder. This folder has three subfolders, Projects, Analysis, and Reports. Permission inheritance is enabled on F:\Sales\Research and all subfolders and files. Only the Administrators group and one designated employee have permission to each subfolder. Permissions are configured as follows: Resource Type of Permission Effective Permissions SalesResearch share Share Everyone: Allow-Full Control F:\Sales\Research NTFS Administrators: Allow-Full Control F:\Sales\Research\Analysis NTFS Anne: Allow-ModifyAdministrators: Allow-Full Control F:\Sales\Research\Projects NTFS Billy: Allow-ModifyAdministrators: Allow-Full Control F:\Sales\Research\Reports NTFS Gavin: Allow-ModifyAdministrators: Allow-Full Control Stan needs to read all of the documents within the SalesResearch share and its subfolders. Stan does not need to make changes to these documents. You need to give Stan appropriate permissions without giving him unnecessary permissions. What should you do?

Assign Stan the allow read NTFS permission to F:\Sales\Research.

1. You need to share a folder that contains data used by your accounting department. You want Phil, the manager of the department, to be able to add and remove files. You want members of the department to be able to connect to the share and see the files it contains, but you do not want them to have the ability to make changes. Everyone else in the company should be blocked from connecting to the share. There is a global group called Accounting that contains all the accounting department users, including Phil. You need to configure permissions on the share. What should you do?

Assign allow change permissions for Phil, allow read for Accounting, and nothing else.

Write

Change folder or file data and attributes.

4. You are the network administrator for your company. You recently replaced the previous network administrator. The sales manager, Jim, calls you and reports that he cannot update a file in the \\ACCTSRV1\Reports share, which the previous network administrator created for him last Wednesday. Jim is a member of the Managers group, which should have full control of all files in the share. You examine the Reports share and the D:\Data\Reports folder on the server. Following is a summary of the current configuration: Folder NTFS Permissions Share Permissions D:\Data\ReportsShared as Reports Administrators (Allow-Full Control)Managers (Allow-Full Control)Everyone (Allow-Read) Everyone (Allow-Read) You need to give Jim the permissions intended for the Managers group and let him update files in the Reports share. What should you do?

Change the Reports share permissions for the Everyone group to allow full control.

5. On a Windows server, you share a folder named Public using the default share name and share permissions. Later you receive a phone call from Sally, a member of the Sales group, claiming that she cannot save a file to the Public shared folder. You examine the NTFS permissions for the folder and see share and NTFS permissions shown in the exhibits. No other permissions are granted or denied. Sally is not a member of any other groups. You want to make sure Sally and other members of the Sales group can open, edit, save, and delete files to the Public shared folder. You want to make as few assignments as possible without affecting permissions for other users. What should you do?

Grant Everyone the change share permission. Grant the Sales group the allow modify NTFS permission.

Inheritance

Inheritance means that permissions granted to a parent container object flow down to child objects within the container. As a general principal, inheritance works with most security assignments types. For example, a user given the Read permission to a folder receives the Read permission to all files and subfolders within the folder through inheritance.

3. You've configured an NFS share on your Windows server to support Linux client systems already joined to your domain. Click the options in the NFS Advanced Sharing window you would use to allow these clients to connect to the share. (Select three.)

Kerberos v5 privacy and authentication [Krb5p] Kerberos v5 integrity and authentication [Krb5i] Kerberos v5 authentication [Krb5]

4. You've configured an NFS share on your Windows Server to support Linux client systems that are not joined to your domain. Click the option in the NFS Advanced Sharing window you would use to allow these clients to use anonymous access when connecting to the share.

No server authentication [Auth_SYS]

Explicit Permissions

Permissions set directly on an object such as a file or folder.

To find a user's effective NTFS permissions, examine the access control list of the target file or folder. Look for:

Permissions the user has for the object, including inherited permissions. Permissions for every group the user belongs to, including inherited permissions. The Allow or Deny settings for each permission. Deny permissions always override Allow permissions. For example, if a user belongs to two groups, and a specific permission is allowed for one group and denied for the other, the permission is denied. Explicit permissions override inherited permissions, even Deny permissions. If an object has an explicit Allow permission entry, inherited Deny permissions do not prevent access to the object. You can use the Effective Permissions tab to view the effective permissions a user has to a folder or a file. The Effective Permissions tab can produce only an approximation of effective permission. Effective permissions to shared folders are the more restrictive of the share or NTFS permissions.

3. You share a folder named Public and configure the following permissions. Share Permissions NTFS Permissions Everyone = Full Control Administrators = Full ControlSales = ModifyAssistants = Deny Modify You receive a phone call from Sally, a member of the Sales group and Assistants group, claiming that she cannot save a file to the Public shared folder. You want to make sure that members of the Sales group (who are not members of the Assistants group) can save new files to the Public shared folder and access, update, and delete existing files in the Public share. You want to continue to ensure that members of the Assistants group cannot modify files in the Public shared folder even if they are members of the Sales group. However, you also want to let Sally update files in the Public share. What should you do?

Remove Sally from the Assistants group.

Scenario #3

Reports Share Permissions Administrators = Full Control D:\Reports NTFS Permissions Sales Group = List Contents, Read & Execute, Read, Write Mary's Effective Permissions Mary's effective permissions = None Mary is not a member of the Administrators group, so she does not get access to the share at all. Mary does get local access to files when logged in, but does not have network access.

Scenario #1

Reports Share Permissions Everyone = Change D:\Reports NTFS Permissions Users Group = List Contents, Read & Execute, Read Mary's Effective Permissions Mary's effective permissions = List Contents, Read & Execute, Read Mary gains share access because she is a member of Everyone. The NTFS permissions are more restrictive than the share permissions, so the NTFS permissions are her effective permissions.

Scenario #4

Reports Share Permissions Everyone = Full Control D:\Reports NTFS Permissions Administrators = Full Control Mary's Effective Permissions Mary's effective permissions = None Everyone has access to the share, but there are no NTFS permissions granted for Everyone or any group that Mary belongs to. The NTFS permissions are more restrictive, so they take effect.

Scenario #5

Reports Share Permissions Everyone = Full Control D:\Reports NTFS Permissions Everyone =List Contents, Read & Execute, Read, Deny WriteSales = Write, List Contents, Read & Execute, Read, Write Mary's Effective Permissions Mary's effective permissions = Modify, List contents, Read & Execute, Read NTFS permissions for the combination of Everyone and the Sales group are more restrictive and therefore take effect. The Deny permission overrides any allowed permission from other groups or the share permissions.

Scenario #2

Reports Share Permissions Everyone = Read D:\Reports NTFS Permissions Sales = Modify, List Contents, Read & Execute, Read, Write Mary's Effective Permissions Mary's effective permissions = List Contents, Read & Execute, Read Mary gains share access because she is a member of Everyone. The share permissions are more restrictive than the NTFS permissions, so the share permissions are her effective permissions.

2. Sally is an employee in the sales department. Important documents are stored in the D:\SalesDocs folder on a Windows server. Sally is a member of the Domain Users and Sales groups. The SalesDocs folder has been shared, and the following permissions are currently assigned to the SalesDocs folder: NTFS Permissions Share Permissions Domain Users = Allow-ReadSales = Allow-Modify Domain Users = Allow-ReadSales = Allow-Change Sally needs to read and modify all files in the SalesDocs folder except StyleGuide.doc. Sally should be able to read StyleGuide.doc, but not modify it. What should you do?

Set Sally's NTFS permission for StyleGuide.doc to deny write.

Changes made to a file or folder's ACL might not take effect for currently-logged on users. Users need to log off and back on again to get the updated permissions.

Use these suggestions to help you plan NTFS permissions. Identify the users and their access needs based on the actions they need to be able to perform. Create groups for multiple users with similar needs, and then make users members of groups. Assign each group the permissions appropriate to the group's data access needs. Grant only the permissions that are necessary. Consider inheritance when assigning permissions. Set permissions as high as possible on the parent container and allow each child container to inherit the permissions. Override inheritance on a case by case basis when necessary. Use the Deny permission carefully.

Read

View folder details and attributes. View file attributes; open a file.

Group Membership

You can add groups and users to the access control list (ACL) of a folder or file. All users who are members of the group added to a file or folder's ACL receive the same NTFS permissions that are assigned to the group. When granting NTFS permissions, best practice is to assign permissions to groups. Users should generally receive NTFS permission through group membership instead of permissions assigned directly to users.

5. You have created an NFS share on your file FS1 server in the corpnet.com domain. The path of the shared folder is C:\Shared\NFSShare. You are now testing the configuration by trying to mount it to the /mnt directory on your Linux workstation. Use the drop-down list to fill in the blank in the following to correctly enter the command that will mount this share. _______________ FS1.corpnet.com:/NFSShare /mnt -o nolock

mount -t nfs

Access-Based Enumeration (ABE)

A Windows (SMB protocol) feature which allows the users to view only the files and folders to which they have read access when browsing content on the file server.

Network File System (NFS)

A distributed file system protocol that allows a user on a client computer to access files over a computer network.

Access Control List (ACL)

A list of security protections that applies to an object.

Server Message Block (SMB)

A network file sharing protocol. When implemented in Microsoft Windows, it is known as Microsoft SMB Protocol.

Volume Shadow Copy Service (VSS)

A technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.

Read

Access the share

Change

Access the share; add, change, or delete content

6. You need to use the New Share wizard on a Windows server to create a new share for the C:\Shares\WidgetProject folder. Sales reps for your organization will connect to the share using Windows notebook systems. You want to configure the share so that Windows will hide the file or folder from users that do not have at least read permissions to a file or folder . Which option on the Settings screen should you enable?

Access-based enumeration

1. SRV02 holds a shared folder named Forecast for the Managers group. Maria is a member of the Managers group. You would like to grant the Managers group full control to the folder named Forecast, but limit Maria's access to read only. You have added the Managers group to the access list for the Forecast folder and granted Full Control access. You now need to limit Maria's access to the folder. What should you do? (Choose two. Each choice is a complete solution.)

Add Maria to the NTFS permissions for the folder. Grant read access. Remove Maria's account from the Managers group and grant read access.

7. On your Windows server, you share the D:\Reports folder using a share name Reports. You need to configure permissions on the shared folder as follows: Members of the Accounting group should be able to view files but not be able to modify them. Phil, a member of the Accounting group, needs to be able to open and edit files in the Shared folder. You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible. What should you do?

Add the Accounting group and assign the read permission. Add the Phil user account and assign read/write permission.

Advanced File Sharing

Advanced file sharing gives you more control over sharing than you have using the File Sharing wizard. Advanced file sharing: Allows a custom name for the share. For example, administrators can create hidden shares by adding $ to the share name. Allows multiple share names with different share permissions to be assigned to the same shared folder. Assigning multiple share names to the same shared folder is not recommended. Allows the use of offline files. Use the Caching button to set up offline files.

17. The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following Allow NTFS permissions: Read and execute List folder contents Read The westsim.com\Administrators group has been granted the allow full control NTFS permission. In addition, the Everyone principal has been assigned the following allow share permissions: Full Control Change Read The vhammer user is a member of the westsim.com\Users and the westsim.com\Administrators group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder?

Allow full control

14. The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following Allow NTFS permissions: Read and execute List folder contents Read In addition, the Everyone principal has been assigned the following Allow share permissions: Full Control Change Read The ksanders user is a member of the westsim.com\Users group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder?

Allow read and execute, list folder contents, and read

15. The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: Write Read and execute List folder contents Read In addition, the Everyone principal has been assigned the allow read share permission. The jmarshall user is a member of the westsim.com\Users group. She accesses data in the folder by using Remote Desktop to establish a remote access session on the server. What permissions does this user have to data in the folder?

Allow write, read and execute, list folder contents, and read

Ownership

An NTFS file or folder attribute that denotes the owner, who is usually the person who creates the file or folder.

Access Control Entry (ACE)

An entry in an ACL that contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

11. You need to control access to the D:\Reports folder as follows: Members of the Accounting group should be able to open and view all files, but not modify them. Mary needs to be able to modify existing files in the folder and add new files to the folder, but should not be able to delete or rename files. Mary is a member if the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible. What should you do?

Assign allow read and execute, list folder contents, and read to the Accounting group. Assign allow write to Mary.

12. You need to control access to the D:\Reports folder as follows: Members of the Accounting group should be able to open and view all files, edit them, and add new files. They should not be able to delete or rename files. Mary needs to be able to open and view files, but should not be able to modify the files. Mary is a member if the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible. What should you do?

Assign allow read and execute, list folder contents, read, and write to the Accounting group. For the Mary user account, deny the write permission.

2. You are configuring access for a shared folder on a Windows server. There is a global group called Appusers who need read-only access. However, there is a member of Appusers, jsmith, who should not have any access at all. How can you configure your share so that the members of Appusers have access but jsmith does not while creating the least disruption to your existing administrative structure?

Assign allow read permission to Appusers and assign deny read permissions to jsmith.

8. On your Windows server, you share the D:\Apps folder using the share name Apps. You need to configure permissions to the share as follows: Members of the Appusers group should be able to open and view files in the shared folder. User JohnS should not have any access to files in the shared folder. JohnS is a member of the Appusers group. You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible. What should you do?

Assign allow read permissions to Appusers and assign deny read permissions to JohnS.

Best practice for permissions include:

Assign permissions as high up in the folder structure as possible. Assign permissions to groups, not individual users. You can use special identities which is a group created by Windows. Use domain groups to set permissions. Set the Group scope as Domain local Set the Group type as Security

Schedule

By default, the system takes two snapshots (shadow copies) of volume data daily Monday through Friday. You can modify the schedule to customize when and how often snapshots are taken. You can also manually take a snapshot. Base your VSS scheduling on client work patterns. If possible, schedule copies to occur during off hours. Schedule copies to occur more or less frequently depending on how often the data changes. Do not schedule copies to occur more frequently than once per hour.

Storage

By default, up to 10% of the volume will be used for storing shadow copies. The amount of disk space required for each shadow copy is typically less than the size of the current file. This is because Shadow Copy saves only incremental changes that have been made to each file, not the entire file (unless necessary). You can customize disk space usage for past copies by using either a percentage or fixed amount. At least 300 MB of free space must be available. The system can store up to 64 shadow copies. When no more disk space is available, or when the 64 copy limit is reached, the oldest copy is deleted to make room for new copies. When deleted, a shadow copy cannot be retrieved. By default, shadow copies are saved on the same volume. It is best practice to place shadow copies on a different volume. Doing so improves performance and ensures that certain conditions will not affect the ability to save copies. To prevent losing existing copies, configure the copy location when you enable shadow copies. Consider the following when you configure VSS storage: Do not enable VSS on volumes that use mount points or dual-boot computers. The mounted drive is not included when shadow copies occur. volumes on which you plan to enable VSS with allocation unit sizes of 16 KB (kilobytes) or larger. If you plan to use NTFS compression on the source volume, do not use an allocation unit size larger than 4 KB, or you may lose older shadow copies faster than anticipated on very fragmented drives. Before deleting a volume, disable VSS. If the volume is deleted first, VSS continues to run and will generate Event ID: 7001 errors when the shadow copy event fails.

Full Control

Change data in the share and modify share permissions

3. Mr. Yamashita needs to be able to modify the contents of the Promo share, a shared folder on one of your Windows servers. The share has been assigned the following permissions: User/Group Permission Telesales global group Allow read Training global group Deny full control Managers global group Allow change Mr. Yamashita user Allow change Mr. Yamashita is a member of each of these groups. How should you modify the share permissions to allow the necessary access? (Choose three. Each choice is a complete solution.)

Change the Training group's permission to allow Read. Remove the Training group from the share. Remove Mr. Yamashita's user account from the Training group.

4. You are the network administrator for a small manufacturing company. You have ten regional sales people who travel extensively and have been provided Windows laptop computers. The mobile users have complained that, although they can take copies of important files with them into the field, occasionally they have been caught with out of date documents because no one told them the files had been updated. Additionally, some of these files need to be distributed to all the other sales staff. You need to address this problem and easily provide the appropriate access to these shared files. What should you do?

Configure Offline Files for the folder that contains these files.

5. You have a folder on your Windows server that you would like members of your development team to access. You want to restrict network and local access to only specific users. All other users must not be able to view or modify the files in the folder. What should you do? (Select two. Each choice is a required part of the solution.)

Configure both share and NTFS permissions. Place the files on an NTFS partition.

3. You are the server administrator for the Srv12 server. This server is running the File Services role and is used for user home folders. Each user has a folder that they can use for storing personal files. Management wants a solution that meets the following requirements: Allow only the specified user to save files in their home folder. User should not be allowed to view or edit files in other user's home folders. The list of files and folders that users can view should show only the files that they have rights to access. What should you do?

Configure share and NTFS permissions with access-based enumeration.

1. You are the network administrator for Corpnet.com. A small group of software developers in your organization have to use Linux workstations. You are creating a share for these Linux users on your file server, which is named File1. How can you allow clients running Linux-based operating systems to connect to a share on File1?

Create the share using the Network File System (NFS).

18. The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: Read and execute List folder contents Read The westsim.com\Research group has been granted the allow full control NTFS permission. In addition, the Everyone principal has been assigned the allow read share permission. The vhammer user accesses data in the folder through the network share from her Windows workstation. She is a member of the westsim.com\Users and westsim.com\Research groups. The vhammer user has also been assigned the deny read NTFS permission to the folder. What permissions does this user have to data in the folder?

Deny read

6. The D:\ drive in your Windows server is formatted with NTFS. The Sales group on your computer has been given allow modify permissions to the D:\Sales folder. The Mary user account is a member of the Sales group. You want to accomplish the following: Mary should not be allowed access to the D:\Sales\2013sales.doc file. Mary should be able to read, write, and create new files in the D:\Sales folder. Your solution should not affect the abilities of other Sales group members to access files in the D:\Sales folder. What should you do?

Edit the properties for the file; assign Mary the deny full control permission.

2. You are the manager for Windows servers at your company. You have configured Windows Server Backup to take regular backups once per day and save those backups to an external disk. You find that users working on a new project are constantly overwriting files and asking you to restore older versions of files that exist on backups from as far back as a week ago. You would like to implement a solution that allows users to restore files without an administrator's help. What should you do?

Enable VSS on the volume that holds user data.

4. You are the server administrator for the westsim.com domain. You have a server named FS12 that holds a shared folder named Reports. Within this folder, subfolders have been created for each company department. All company employees have read access to the shared folder. The board of directors uses a subfolder in the shared folder named BoardReports for their reports. They would like this subfolder to only be visible to members of the board of directors and specific people that they authorize to see the folder and its contents. What should you do?

Enable access-based enumeration on the shared folder. Configure NTFS permissions on the BoardReports folder to control access.

7. Which of the following is a task that you are not able to perform with the Volume Shadow Copy service (VSS)?

Enable shadow copies on specific folders or files.

Network File System (NFS)

For many years, the Network File System (NFS) protocol was the most commonly used file sharing protocol for UNIX systems. It's still supported by modern Linux distributions. To support Linux and UNIX client systems in a heterogeneous environment, Windows Server includes support for NFS shares. Modern Linux distributions support the SMB protocol using the Samba daemon, which allows a Linux system to mount SMB Windows shares on a Windows server and even join an Active Directory domain. The NFS protocol allows users to mount the file systems of a remote computer and access the contents of that file system as if they were stored locally. Like SMB sharing, NFS uses a client-server model: On the NFS server, you define a folder to export. An export is similar to a folder shared with the SMB protocol. NFS clients mount the export to access the files in the shared directory. To create an NFS export on a Windows server, perform the following: 1. Install the Server for NFS role on the server. 2. Access the properties of the directory you want to share on the server and create the export on the NFS Sharing tab. 3. Configure NFS export options, such as share permissions and authentication options. 4. Mount the export on the Linux client system using the mount command. The syntax is: mount -t nfs server_FQDN:/export_name local_directory. This command mounts the remote shared directory on the Windows server in the specified local folder. When the user accesses the local folder, they are switched to the exported directory on the server and can access its contents.

Change Permissions

Full Control X Modify Read &Execute List FolderContents Read Write

Take Ownership

Full Control X Modify Read &Execute List FolderContents Read Write

Create Folders/Append Data

Full Control X Modify X Read &Execute List FolderContents Read Write X

Write Attributes

Full Control X Modify X Read &Execute List FolderContents Read Write X

Delete

Full Control X Modify X Read &Execute List FolderContents Read Write

Read Extended Attributes

Full Control X Modify X Read &Execute X List Folder Contents X Read X Write

Traverse Folder/Execute file

Full Control X Modify X Read &Execute X List FolderContents X Read Write

List Folder/Read Data

Full Control X Modify X Read &Execute X List FolderContents X Read X Write

Read Attributes

Full Control X Modify X Read &Execute X List FolderContents X Read X Write

Read Permissions

Full Control X Modify X Read &Execute X List FolderContents X Read X Write X

Write Extended Attributes

Full Control X Modify X Read &Execute List FolderContents Read Write X

Create Files/Write Data

Full Control X Modify X Read &Execute List FolderContents Read Write X

Delete Subfolders and Files

Full Control X Modify Read &Execute List FolderContents Read Write

10. You are the owner of the D:\Reports folder. Judith needs to be able to see the files and subfolders in the D:\Reports folder. Dalton needs to be able to do these same things and also delete folders. You need to assign the necessary NTFS permissions to the D:\Reports folder. What should you do?

Grant read and execute to Judith and modify to Dalton.

1. You are a technical consultant for many businesses in your community. One of your clients, a small law firm, has a single Active Directory domain and two Windows servers. Both servers are configured as domain controllers while also serving as file and printer servers. This client is calling you on a regular basis because users are deleting or damaging their files. You must visit the client's site and restore the files from backup. Your client has asked you to create an alternate solution. What should you do?

Implement shadow copies on the relevant data.

Modify

Includes all Read & Execute and Write actions and adds the ability to add or delete files.

Read & Execute

Includes all Read actions and adds the ability to run programs.

List Folder Contents

Includes all Read actions and adds the ability to view a folder's contents.

Full Control

Includes all other actions and adds the ability to take ownership of and change permissions on the folder.

4. You have a folder on your Windows server that you would like to share with members of your development team. Users should be able to view and edit any file in the shared folder. You share the folder and give everyone full control permission to the shared folder. Users connect to the shared folder and report that they can open the files, but they cannot modify any of the files. What should you do?

Modify the NTFS permissions on the folder.

9. You manage a Windows server. For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the Allow Modify NTFS permissions. You need to move the file from the existing folder to the D:\Confidential folder. You want to keep the existing NTFS permissions on the file. You want to accomplish this with the least amount of effort possible. What should you do?

Move the file to the new folder.

Special permissions allow granular (i.e. very specific) configuration beyond the six standard NTFS permissions. The following table illustrates how the special permissions correlate with the standard NTFS permissions:

NTFS Permission Special Permission

NTFS Permissions

NTFS permissions on previous versions depend on the action taken: Restoring a file retains the file's permissions. Copying a file to a different location sets the file permissions to the default permissions of the new location.

Permissions are assigned to resources, not users or groups. The two types of permissions are:

NTFS permissions, which control access to folders and files stored on an NTFS partition. Each file and folder has an access control list (ACL). The ACL identifies the users or groups and their level of access to the folder or file. NTFS file permissions are available only on NTFS volumes or partitions. NTFS permissions are in effect when files are accessed through the network or locally. The two types of NTFS permissions are: Standard permissions Special permissions

Ownership

Ownership affects access and assigning permissions as follows: Every object, including files and folders, has an owner. The owner is typically the user who created the file. The owner has full control over the file and can assign permissions to the file. Administrators have the Take Ownership right to all objects. Administrators can assign ownership of a file or folder even if they do not have permissions to access the file. You can reassign ownership of a file or folder to give a user all permissions. You might reassign ownership when someone leaves your organization. If you cannot access a file because of insufficient permissions, take ownership of the file and modify the permissions.

Explicit vs. Inherited Permissions

Permissions are also called Access Control Entries (ACE). An ACE can either allow or deny access, and can be configured explicitly or inherited. Explicit permissions are set on the object; inherited permissions are set on the parent object and apply to the contents of the folder. By default, when new files or folders are created, they inherit the permissions of their parent folder. You can block inheritance by deselecting Allow inheritance in the NTFS permissions window. When blocking inheritance, a recommended practice is to copy the inherited permissions, so you will have a record of the inheritable permissions. If you need to reset the inherited permissions for a file or folder, select the parent folder and then select the Replace the permissions of all existing child objects option under the Advanced options of the Security tab. Removing inheritance is an advanced NTFS permission option. The allow permission grants the user, group, or computer the specified permission to the object. The deny permission restricts access to the object. The deny permission overrides the allow permission, unless the deny permission is inherited and the allow permission is explicit. Explicit permissions take precedence over inherited permissions, even inherited deny permissions. Use the deny permission only when you want to override specific permissions that are already assigned. Permissions are cumulative. Users gain the sum of all permissions granted to the user account and any groups. You can check the effective permissions for a file or folder on the Effective Access tab. The permissions shown in the Effective Permissions tab are approximate permissions, and can vary depending on how a user logs in or how they access the resource.

Inherited Permissions

Permissions set on the parent folder that are applied to the files an folders contained by the parent folder.

Share Permissions

Permissions that control access to a shared folder

NTFS Permissions

Permissions that control access to folders and files stored in an NTFS partition.

NTFS quotas limit the amount of space that a user can use on an NTFS volume. Be aware of the following regarding quotas:

Quotas are tracked based on file ownership. A quota amount applies to all users in the group. Quota entries can be used to specify a different limit for a designated user. If you use a soft quota, the administrator is notified when a user meets the quota limit. If you use a hard quota, a user is not allowed to use more disk space. You can set a warning limit that notifies the user when a specified percentage of their quota limit is reached. File Server Resource Manager provides an administrator more flexibility by allowing quotas on a folder basis.

13. You need to control access to the D:\Reports folder as follows: Members of the Accounting group should be able to open and view all files, edit them, add new files, and rename and delete files. Mary needs to be able to open and view files, but should not be able to modify the files, rename files, or delete them. Mary is a member if the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible. What should you do?

Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. Assign Allow allow read and execute, list folder contents, and read to Mary.

7. You have a Windows server that is maintained by multiple administrators. Sally wants to access a file in the Reports folder. A group named Sales has been granted the full control permission to the Reports folder and all subfolders and files. You add Sally as a member of the Sales group, but she still cannot access the file that she needs. You want to let Sally access the Reports folder. What should you do?

Remove Sally from any other groups that have been explicitly denied access to the Reports folder.

9. On your Windows server, you share the D:\Promo folder using the share name Promo. The share has been assigned the following permissions: User/Group Permission Telesales group Allow read Training group Deny full control Managers group Allow change Mary user Allow change The Mary user account is a member of the Training group. NTFS permissions allow all access. Mary needs to be able to edit documents in the shared folder but cannot. You need to modify the share permissions to allow her the necessary access. What should you do? (Choose two. Each choice is a possible solution.)

Remove the Mary user account from the Training group. Change the Training group permission to allow read.

6. You have decided to create a shared folder that will contain sensitive information about planned changes in the personnel structure. Most users will be denied access to the share, which is named REORG. You have successfully created the share and set appropriate permissions. However, management feels the effect of having this share on the server, which denies access to most users, is damaging morale. You need to keep the information available to the users who currently access it. What can you do to avoid having the REORG share listed when users view shares on the network?

Remove the REORG share. Share the folder again as REORG$ with the same permissions as before.

2. You are the network administrator for Corpnet.com. A small group of software developers in your organization have to use Linux workstations. You are creating a share for these Linux users on your file server, which is named File1. Which feature must be installed on the Windows server to accomplish this?

Server for NFS

Share permissions work with NTFS permissions to control access. When you manage share access, be aware of the following:

Share permissions are in effect only when files or folders are accessed through the network share. If files are accessed locally, then share permissions will not be used to control access. NTFS permissions can restrict access to files and folders for both local and network users. Both share and NTFS permissions must be configured for a user to access the share. If a user is allowed share access, but no NTFS permissions are set for the user or a group he belongs to, no access is allowed. Share permissions are cumulative: The most permissive permission will apply. Deny overrides Allow permissions. Effective permissions to shared folders are the more restrictive of either share or NTFS permissions. A user's effective permissions cannot be greater than the share permissions assigned to the user or a group he belongs to. For this reason, a common strategy for assigning permissions is to apply the following: Assign Full Control share permissions to Everyone. Even though Everyone has share permissions, only the users or groups with NTFS permissions will have access. Use NTFS permissions to control access. Whenever possible, assign permissions to groups rather than users. Add only necessary groups and assign only necessary permissions. Do not create nested shares.

5. SRV03 is a Windows server that holds the SalesDept folder. This folder contains documents specific to the sales department. You create two user groups: The Sales group includes all members of the sales department. The SalesAdmin group includes about ten members of the sales department who manage sales-related documents. You want the Sales group to have read only access to the content in the SalesDept folder. Members of the SalesAdmin group should have all permissions to the folder. No other users should have access. All access will be through the network. You want to assign as few permissions as possible. What should you do?

Share the SalesDept folder. Grant read permissions to the Sales group and full control permissions to the SalesAdmin group. Remove the Everyone group.

10. Your Windows server has a folder named D:\SalesDept. The D: drive is formatted with FAT32. You need to allow network access to the folder as follows: Members of the Sales group should have read-only access to the content in the folder. Members of the SalesAdmin group should be able to open, edit, and add new files to the folder. No other users should have access. Members of the SalesAdmin group are also members of the Sales group. What can you do to configure the needed access while assigning as few permissions as possible?

Share the SalesDept folder. Grant the read permission to the Sales group and the change permission to the SalesAdmin group. Remove Everyone from the access control list.

Share permissions, which are assigned to a shared folder. Key facts about share permissions include the following:

Shared folder permissions are in effect only when the resource is accessed from the network. For example, denying access using Shared folder permissions will have no effect on the user's ability to access files when the user logs on locally. In this case, only the NTFS permissions will control access. When both share and NTFS permissions apply: You determine the effective permissions of each type using the most permissive permission. You then compare the effective permissions of both NTFS and share permission. The more restrictive of the two sets of permissions takes effect.

Simple File Sharing

Simple file sharing uses the name of the folder as the share name: Folder names should be short. Folder names should contain no spaces. When the Simple File Sharing wizard completes, it provides the universal naming convention (UNC) name for the share. The UNC syntax is \\<server_name>\<share_name>.

2. Sally, a member of the sales department, is borrowing a laptop computer from her supervisor to do some work from home in the evenings. Sally contacts you and indicates that she cannot access the C:\Reports folder on the laptop. This folder contains documents that she needs to edit. You log on to the laptop as a domain administrator to check the folder's access control list. You are denied access to view the permissions. You contact Sally's supervisor to verify that Sally should receive access to the folder. Sally's supervisor indicates that Sally should be able to read, change, and delete documents in the folder, but that only the supervisor should be able to configure permissions. You need to grant Sally appropriate permissions to the C:\Reports folder. What should you do? (Choose two. Each correct choice is part of the solution.)

Take ownership of the C:\Reports folder. Grant Sally the allow modify permission to the C:\Reports folder.

3. An employee has quit under difficult circumstances. Unfortunately, the user had several files that are needed, and before the employee left, they assigned deny full control permission to domain users to all the files and folders. All users, including you, are now blocked from accessing these important files. You need to make these files available as quickly as possible. What should you do?

Take ownership of the files and change the permissions.

VSSAdmin

Use VSSAdmin to manage the Volume Shadow Copy service from the command line. Be aware of the following options: list shadows lists existing volume shadow copies. list writers lists subscribed volume shadow copy writers. revert shadow reverts a volume to a shadow copy. query reverts queries the status of in-progress revert operations.

Be aware of the following special permission details:

Use special permissions to determine the level of permissions propagation, such as applying to all files and folders and subfolders, or to only the files in the folder. Special permissions offer finer control over the actions that can be performed on the file or the folder. To edit these permissions, click the Advanced button on the Security tab in the file or folder properties. Permissions are cumulative. If you are a member of two groups, both with different NTFS or special permissions, you will have the combined permissions of both groups (known as effective permissions).

5. You are the network administrator for westsim.com. The network consists of a single domain. The company has a file server named FS1 that hosts a share named SalesData for the sales department. You need to configure the SalesData share so that users will be allowed to view only the files and folders to which they have rights. What should you do?

Use the Shares panel in Server Manager to enable Access-based Enumeration (ABE) on the SalesData share.

Using icacls

Use the icacls command to manage standard NTFS permissions from a command prompt. Be aware of the following switches: /grant grants the specified user access rights. /deny explicitly denies the specified user access rights. /save saves and enables the ability to restore the user access rights. /restore restores user access rights.

8. Your Windows Server has two volumes, C: and D:. For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the allow modify NTFS permission. You need to move the file from the existing folder to the C:\Reports2 folder. You want to keep the existing NTFS permissions on the file. You want to accomplish this with the least amount of effort possible. What should you do?

Use the robocopycommand to copy the file to the C:\Reports2 folder.

Recovery

You can recover a file, folder, or volume. When you use VSS, keep the following in mind: Restoring files overwrites existing files. Restoring folders restores deleted files and overwrites existing files but does not delete any new files that have been added since the shadow copy was made. Restoring large directories has a negative impact on performance. If possible, restore individual files instead of directories. You cannot revert a volume that contains system files. When recovering a file, folder, or volume: Open a volume, folder, or file to view the contents of the previous version. The previous version is opened in read-only mode, so you cannot make changes. To make changes to a previous version, save a copy to a new location or with a new name, and then make the changes.

Copying or Moving Files

You must have the following permissions to copy or move a file: To copy a file or folder, you must have Read permissions to the source file and Write permission to the destination location. To move a file or folder, you must have Read and Modify permission to the source file, and Write permission to the destination location. Copying or moving files or folders that have NTFS permissions assigned can affect the permissions on the file or folder. If you copy or move a file to a non-NTFS partition, all permissions are removed. If you copy or move a file to a different NTFS partition, the file will inherit the permissions assigned to the parent partition and folders. When a file has explicit NTFS permissions assigned to that file: If you copy or move the file to a different NTFS partition, the explicit permissions will be removed. If you move the file to a different folder on the same NTFS partition, the explicit permissions will be kept. If you copy the file to a different folder on the same NTFS partition, the explicit permissions will be removed. In all cases, the file will also inherit permissions from its new partition and folder. Use the robocopy and xcopy command line utilities to copy files while maintaining the NTFS permissions (even when copying between partitions).

Volume Shadow Copy Service (VSS)

is a feature that automatically makes copies of user files at regular intervals. Enabling VSS allows you to: Recover deleted files or folders. Recover a previous version of a modified file. Compare a file with a previous version of that file. Keep in mind the following concerning VSS: Shadow copies are enabled on a volume, not specific folders or files. Always perform regular file server backups. Shadow copy does not replace regular backups. Use the Shadow Copies tab to enable VSS and configure storage locations and schedules. Use the Previous Versions tab of a volume, folder, or file to view and manage previous versions.

Access-based Enumeration (ABE)

restricts users from seeing files and folders they don't have access to. ABE eliminates confusion caused when users connect to a file server and encounter a large number of files and folders that they cannot access. ABE applies to domain-joined computers; it is not active when you view files and folders in the local file system. To enable ABE: 1. Open File and Storage Services in Server Manager. 2. Open the Share folder and select the folder. 3. Mark the Enable access-based enumeration option in Properties > Settings.