|
Home > Archive > 70-218 > October 2002 > QoD - Mon 14 Oct
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| sanjbatra 2002-10-14, 10:47 am |
| ruscorp is the administrator of a large company with offices throughout the US. It has a Windows 2000 network running in mixed mode. The company has confidential information from several other companies that needs to be kept that way. ruscorp created a shared folder named confidential and published it in AD to contain this confidential information. frazang is the manager of the department that manages this information and she has requested that ruscorp disable slinky's access to the share. When ruscorp checks the properties of the share, he notices that a domain local group called Secret and another domain local group called Temporary have permissions to the confidential share. He notices that slinky is the only a member of the Temporary group, so instead of modifying slinky's account directly with a deny to the share, he simply deletes the group. ruscorp immediately gets a call from frazang that she has changed her mind and that slinky needs access to the resources. ruscorp re-creates the Temporary group and adds slinky back into the group. The next day ruscorp gets a call from slinky saying that he cannot access the resources. What is the best way for ruscorp to provide access for slinky to the resource ?
A. Add slinky to the Secret group
B. Grant slinky direct access to the share
C. Grant access to the confidential folder for the Temporary group
D. Add the Temporary group into the Secret group | |
| ruscorp 2002-10-14, 11:05 am |
| Oh god. This is a typically wordy Micro$oft question.
I'm guessing, uhm, "C"?  | |
| frazang 2002-10-14, 11:28 am |
| "C" after a big think on it. I knew not to go with B, but the other 3 answers seemed reasonable. Then I figured it's called the Secret group because they get to see other secret stuff that slinky isn't approved for. So to limit his access to anything but the share in question - "C"...whew!  | |
| CyberDude 2002-10-14, 11:53 am |
| I'll go for C as well.  | |
| Slinky 2002-10-14, 2:35 pm |
| I wanna be in the secret group dammit. Anser is indeed C. | |
|
| Yup, typical wordy MS question.
"C" | |
| sanjbatra 2002-10-14, 3:57 pm |
| The answer was indeed, C
Once you delete a security principal such as a local domain group, it is lost forever, and any new one, even with the same name, needs to have the permissions reapplied to become effective. ruscorp could add slinky to the secret group, but he doesn't know what other resources slinky would get access to by becoming a member of this group. Giving slinky direct access to the share would work, but it is not best practice. One should always use groups to apply resources in order to maintain manageability of the network. Since the network is in mixed mode, you cannot nest groups other than adding a global group into a domain local group.
Source: Sybex Study Guide (chapter 6)
(The names were changed !)
Who is next ? |
|
|
|
|