A Windows Vista forum. Vista Banter


Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Please help with this NTFS question...



 
 
  #11 (permalink)
October 15th 09, 03:55 PM, posted to microsoft.public.windows.vista.security
FromTheRafters[_3_]
Posts: 294

"Tae Song" wrote in message
...

"LTCstudent" wrote in message
...

Ok... When I checked the forum for responses to my question this
morning before school, I had 2 responses: One saying the answer was
*E* and the other saying the answer was *B*.


What I said was that I thought the "expected answer" was *B*, not that
it was the *right* answer. Often what is taught in schools is not
*right*. My thinking was that the teacher may be stressing a point to be
considered during your current level of understanding. I didn't like any
of the choices given. I thought (and it might be stressed later on) that
creating a group with the desired permissions and placing that *user* in
that group would be best (occam's razor be damned) for manageability.
Then, is the user's need to have full access truly correct - does he or
she *need* "take ownership" or "change permissions" - perhaps "modify"
rights would be sufficient (least privilege). Is it really desired that
some permissions for that subfolder be contingent upon whatever changes
to the parent folder are made in the future? If so, you would want
inheritance to remain intact.

That kind of sucked, but I wasn't worried because I figured I would
just ask one of the teachers at school.


They probably stress "Occam's razor" and have the simplest solution
being the *correct* solution.

Can you foresee the mess created by adding more individual users and
their desired permissions by explicit deny or allow on an object? When
(and if) there comes a time to rescind access, will you be able to keep
track of who has access to what?

Well, I asked Teacher #1 who is really knowledgeable about Server and
permissions (he teaches Server, Exchange, etc at the school) and he
said the answer was *B*. But then I mentioned it to Teacher #2 (who
actually teaches the class where this question arose) and he said the
answer was *E*. I guess 'street smarts' would say just go with the
teacher who is teaching the class and be done with it, but I really
want to understand this stuff.


Teacher two (teaching the class in question) will give you the *correct*
answer for that class, so go with it.

So now I've returned from school and it looks like the consensus on
this forum is that the correct answer is *E* which is fine. BUT
Teacher #1 made a convincing point to me. He stated that the _only_
permission assigned to a folder (c:\accounting\forms) that can override
the inheritance permission is the 'Deny' permission unless you -block
the permission inheritance-.


He is wrong. A specific allow will take precedence over an inherited
deny.

The first check (after any Mandatory Label check) is the first ACE entry
which "should be" the explicit deny, then the explicit allow, then the
inherited deny, then the inherited allow (followed by grandparent
inheritance etcetera as required).

OK, now you're just trying to come up with a scenario where answer B
might work better and misinterpreted what Teacher #1 is saying to fit
your argument.


If teacher #1 really said that specific allow won't take precedence
over inherited deny, I think he is wrong.

If *both* an allow and a deny appear at the same tier, the deny will
take precedence however.

There's three states of access control.

Expressly granted access
If your name is on the guest list you get in.
The host knows you and you've been invited.

No access permission granted
Your name is not on the guest list, you are not getting in.
The host does not know you and you're not invited in.


Please mister bouncer, check your *other* list if no specific deny or
allow is found on *this* list.

(I'm in the "bartender" and "firewatch" groups - so if you want drinks
and fire extinguishers at the ready....)

[...]
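
The evaluation order described in the post above (explicit deny, explicit allow, inherited deny, inherited allow), worked through as a small model. This is an added example, not code from any poster in the thread; the user `jdoe` and group `Accounting` are constructed names, and the model leaves out owner rights, privileges and the Mandatory Label check.

```python
from dataclasses import dataclass

# Standard NTFS file access masks (values from winnt.h).
READ         = 0x120089
MODIFY       = 0x1301BF
FULL_CONTROL = 0x1F01FF
WRITE_DAC    = 0x040000   # "change permissions"
WRITE_OWNER  = 0x080000   # "take ownership"

@dataclass(frozen=True)
class Ace:
    kind: str              # "allow" or "deny"
    trustee: str           # user or group name, standing in for a SID
    mask: int
    inherited: bool = False

def canonical(dacl):
    """Order the tools write: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, desired):
    """Walk ACEs in order; stop at the first deny hit or once every bit is granted."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # bits that no ACE granted are implicitly denied

USER, GROUP = "jdoe", "Accounting"          # constructed names (assumption)
TOKEN = {USER, GROUP}
PARENT_READ = Ace("allow", USER, READ, inherited=True)   # flows down from the parent folder
WRITE_BITS = MODIFY & ~READ

def scenarios():
    """DACLs on the FORMS subfolder for the cases argued in the thread."""
    e = [PARENT_READ, Ace("allow", USER, FULL_CONTROL)]   # answer E, inheritance intact
    m = [PARENT_READ, Ace("allow", GROUP, MODIFY)]        # group + Modify variant
    inh_deny = [Ace("deny", GROUP, WRITE_BITS, inherited=True), Ace("allow", USER, MODIFY)]
    same_tier = [Ace("deny", GROUP, WRITE_BITS), Ace("allow", USER, MODIFY)]
    return {
        "E grants full control": access_check(e, TOKEN, FULL_CONTROL),
        "Modify grants modify": access_check(m, TOKEN, MODIFY),
        "Modify grants change-permissions": access_check(m, TOKEN, WRITE_DAC),
        "Modify grants take-ownership": access_check(m, TOKEN, WRITE_OWNER),
        "explicit allow beats inherited deny": access_check(inh_deny, TOKEN, MODIFY),
        "allow beats deny in same tier": access_check(same_tier, TOKEN, MODIFY),
    }
```
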




  #13 (permalink)
October 16th 09, 05:55 PM, posted to microsoft.public.windows.vista.security
LTCstudent
Posts: 6


Thanks for the feedback and the microscopic details I asked for. I
don't really care which answer was correct, but *B* seemed more thorough
so I was convinced it was correct and was confused as to why someone
would just do *E*.

If it is possible to have a NTFS permission (that is directly assigned)
override the inherited permission... then so be it. It just didn't
"feel" right to me and the book didn't specifically state it. But like I
said... thanks guys for clarifying it.


--
LTCstudent
  #15 (permalink)
October 17th 09, 10:59 PM, posted to microsoft.public.windows.vista.security
Bruce Chambers
Posts: 2,448

LTCstudent wrote:
This is a question from my book that my friend and I are struggling
with.



*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
They require full access to C:\ACCOUNTING\FORMS. This can be
accomplished by:*

*A)* not possible

*B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
assigning the user Full control to C:\ACCOUNTING\FORMS

*C)* assigning the user Full control to C:\ACCOUNTING

*D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
user Full control to C:\ACCOUNTING\FORMS

*E)* assigning the user Full control to C:\ACCOUNTING\FORMS






None of those answers are correct. A knowledgeable administrator will
never give "Full Control" to an ordinary user. At the most, one would
grant users "Modify" permissions.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
  #17 (permalink)
October 18th 09, 02:35 AM, posted to microsoft.public.windows.vista.security
Michael D. Ober
Posts: 51

"Bruce Chambers" wrote in message
...
LTCstudent wrote:
This is a question from my book that my friend and I are struggling
with.



*A user is assigned Read permission to the NTFS folder C:\ACCOUNTING.
They require full access to C:\ACCOUNTING\FORMS. This can be
accomplished by:*

*A)* not possible

*B)* blocking permission inheritance at C:\ACCOUNTING\FORMS and
assigning the user Full control to C:\ACCOUNTING\FORMS

*C)* assigning the user Full control to C:\ACCOUNTING

*D)* blocking permission inheritance at C:\ACCOUNTING and assigning the
user Full control to C:\ACCOUNTING\FORMS

*E)* assigning the user Full control to C:\ACCOUNTING\FORMS






None of those answers are correct. A knowledgeable administrator will
never give "Full Control" to an ordinary user. At the most, one would
grant users "Modify" permissions.


--

Bruce Chambers


The problem with the "Modify" priv is that there are still a lot of programs
that require Full Control, even for non administrative users. Given this
real world restriction, E is the best answer.

Mike Ober.

  #19 (permalink)
October 18th 09, 03:36 AM, posted to microsoft.public.windows.vista.security
Bruce Chambers
Posts: 2,448

Michael D. Ober wrote:


None of those answers are correct. A knowledgeable administrator will
never give "Full Control" to an ordinary user. At the most, one would
grant users "Modify" permissions.


--

Bruce Chambers


The problem with the "Modify" priv is that there are still a lot of
programs that require Full Control, even for non administrative users.



Curious. I've been supporting NTFS-formatted WinNT/Win2K/WinXP work
stations in both workgroup and domain environments for over a decade,
and never come across any application, no matter how poorly written,
that required the user to have full control. Have any specific examples?


--

Bruce Chambers
