2 Where should you create these user names?
3 The file server in the workgroup contains a folder named Coal Research, to which each of the workers needs access. You would like to minimize the number of times you have to assign permissions to the Research folder. How would you do this?
4 When creating passwords for the users on their workstations, what must you
ensure so that the users can access the file server?
Troubleshooting Lab
1 Martin’s user account was assigned permissions to access a number of resources on the computer and Raymond is not sure exactly what permissions were assigned. He wants to recover the deleted user account. Can he do this? If so, how?
2 If you really mean to delete the user account, what is often a better way to handle
the situation than simply deleting the user account?
3 To prevent a situation like the one that happened with Raymond (in which rights and permissions to resources were assigned directly to Martin’s user account and were thus difficult to reconstruct), what is a better way to assign rights and permissions?
4 Soon after creating a new user account for Martin, Raymond contacts you and tells you that Martin has forgotten his new password. Can you reset his password? How?
5 What should you tell Martin to do so that he can recover his own password should
this happen again?
Chapter Summary
■ Local user accounts allow users to log on at and access resources on only the computer on which you create the local user account. Domain user accounts allow users to log on to the domain and access resources anywhere on the network.
■ Local user account names must be unique on the computer on which you create the account, and domain user accounts must be unique to the directory. Passwords can be up to 128 characters long; a minimum of 8 characters is recommended. Use a mixture of uppercase and lowercase letters, numerals, and valid nonalphanumeric characters in creating passwords.
■ You can administer local user accounts using the following two tools:
❑ The User Accounts tool allows administrators to create a new user account, change an existing account, and change the way a user logs on or logs off.
❑ The Computer Management snap-in allows you to create, modify, and delete user accounts for the local computer on which you are working. If your computer is part of a network, you can use the Computer Management snap-in on a remote computer.
■ After creating a user account, you can modify the properties for the account by using the Properties dialog box for the user account in Computer Management.
■ Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to individual user accounts. Windows XP Professional creates local groups in the local security database, so you can use local groups only on the computer on which you create them.
■ Allow Guest access only in low-security workgroups, and always assign a password to the Guest account. You can rename the Guest account, but you cannot delete it.
Exam Highlights
■ You should understand the guidelines for creating strong passwords. In particular, remember that a password should be a minimum of eight characters and should include a mix of uppercase and lowercase letters, numbers, and symbols.
■ After you delete a user account, there is no way to recover the rights and permissions associated with that user account. A better practice than deleting user accounts is to disable them until you are sure they are no longer needed.
Key Terms
Computer Management A console that provides access to a number of management utilities for administering a computer, including the ability to create, manage, and monitor shared folders.
domain user account An account that allows you to log on to a domain to access network resources.
group A collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually.
local security database A database on a computer running Windows XP Professional that holds local user accounts and groups.
local user account An account that allows you to log on to a specific computer to access resources on that computer.
naming convention An organization’s established standard for identifying users.
password reset disk A floppy disk that contains encrypted password information and allows users to change their password without knowing the old password.
Permissions Permissions control what users can do with a resource such as a folder,
1 Where do local user accounts allow users to log on and gain access to resources?
Only on the computer on which the local user account is created.
2 Where should you create user accounts for computers running Windows XP Professional that are part of a domain?
You should create it on one of the domain controllers. You should not use local user accounts on Windows XP Professional computers that are part of a domain.
3 Which of the following statements about domain user accounts are correct?
(Choose all that apply.)
a Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network, as long as the users have the required access permissions.
b If at least one computer on the network is configured as a domain controller, you should use domain user accounts only.
c The domain controller replicates the new user account information to all other computers in the domain.
d A new domain user account is established in the local security database on the domain controller on which you created the account.
The correct answers are A and B. C is not correct because the domain controller replicates user account information only to other domain controllers in a domain—not to every computer. D is not correct because a domain user account is established in Active Directory, not in the local security database. A local user account is established in the local security database.
4 Which of the following statements about built-in accounts are correct? (Choose all
that apply.)
a You can delete the Guest account.
b You cannot delete the Administrator account.
c You cannot rename the Guest account.
d You can rename the Administrator account.
The correct answers are B and D. A is not correct because you cannot delete the Guest account (or any built-in local user accounts, for that matter). C is not correct because you can rename the Guest account.
Questions and Answers
5 How do you disable the Guest account?
Click Start, click Control Panel, and then click User Accounts. In the User Accounts window, click the Guest icon. In the What Do You Want To Change About The Guest Account window, click Turn Off The Guest Account. The Guest Account is now disabled.
Lesson 2 Review
Page
7-12
1 The maximum number of characters that Windows XP Professional recognizes in
a local user account name is
3 Passwords can be up to characters long with a minimum length of
characters recommended
128, 8
Page
7-22
Lesson 3 Practice: Exercise 2
6 What two new options appear for User1’s account? What option is no longer
1 What type of account is User3? (Get answer.)
The account type for User3 is Limited Account.
15 How does the password appear on the screen? Why?
The password is displayed as large dots as you type. This prevents others from viewing the password as you type it.
1 Which of the following statements about the Windows XP Professional User
Accounts tool are correct? (Choose all that apply.)
a The User Accounts tool allows you to remotely create, modify, and delete user accounts on all computers in the network running Windows XP Professional.
b The User Accounts tool allows you to view and modify all accounts on the computer.
c The tasks you can perform with the User Accounts tool depend on the type of account you use to log on to the local computer.
d The User Accounts tool allows users to delete, create, or remove their individual passwords.
The correct answers are C and D. A is not correct because you cannot use the User Accounts tool to administer a remote computer. B is not correct because the User Accounts tool does not allow you to administer certain built-in accounts.
2 Which of the following tasks can both account types (Computer Administrator and
Limited) perform? (Choose all that apply.)
a Change your picture
b Change your account type
c Create, change, or remove your password
d Change your account name
The correct answers are A and C. B and D are not correct because only computer administrators can change the account type and account name.
3 Which of the following statements about logging on or logging off a computer running Windows XP Professional are true? (Choose all that apply.)
a When you use the Welcome screen to log on the local computer, you can quickly switch to another user account without logging off and closing all programs that you are running.
b The User Accounts tool allows you to disable a local user account to prevent users from using the disabled account to log on.
c When you use the Welcome screen to log on the local computer, you can log on using only one of the accounts displayed on the Welcome screen.
d The User Accounts tool allows you to replace the Welcome screen with a logon prompt that requires users to type their individual user names and passwords.
The correct answers are A and D. B is not correct because the User Accounts tool allows you to disable the Guest account, but not to disable other user accounts. C is not correct because you can press CTRL+ALT+DELETE at the Welcome screen to access the traditional logon dialog box, which allows you to type in a user name.
4 When you use the Computer Management snap-in to create a new user account, which check box do you select to prevent a new employee from using the new account until the employee starts working for the company?
Account Disabled
Lesson 4 Practice: Modifying User Account Properties
Page
7-32
1 What happens? Why?
A User Accounts dialog box appears with the message Windows Cannot Change The Password. This happens because you enabled the User Cannot Change Password option for User1.
Lesson 4 Review
Page
7-33
1 When can you select the Account Is Locked Out check box for a user and why?
Never, because the Account Is Locked Out check box is unavailable when the account is active and is not locked out of the system. The system locks out a user if the user exceeds the limit for the number of failed logon attempts.
2 Which of the following statements about local user account properties are correct?
(Choose all that apply.)
a You can configure all of the default properties associated with each local user account using the User Accounts tool located in Control Panel.
b In Computer Management, the General tab in a user account’s Properties dialog box allows you to disable the account.
c In Computer Management, the General tab in a user account’s Properties dialog box allows you to select the Account Is Locked Out check box to prevent the user from logging on to the computer.
d You can use the Computer Management snap-in to configure all of the default properties associated with each local user account.
The correct answers are B and D. A is not correct because the User Accounts tool only provides a limited subset of the available options for a user account. You must use the Computer Management snap-in to access all options for a user account. C is not correct because you cannot select the Account Is Locked Out check box manually. This check box is selected automatically when an account is locked out.
3 Which of the following statements about user profiles are correct? (Choose all that apply.)
a A user profile is a collection of folders and data that stores the user’s current desktop environment, application settings, and personal data.
b A user profile contains all the network connections that are established when a user logs on to a computer.
4 Which of the following statements about user profiles are correct? (Choose all that apply.)
a Users should store their documents in home directories rather than in their My Documents folders.
b The Profile tab in the account-name Properties dialog box for a user account allows you to create a path for the user profile, logon script, and home folder.
c A user profile contains the My Documents folder, which provides a place for users to store personal files.
d When users change their desktop settings, the changes are reflected in their user profiles.
The correct answers are B, C, and D. A is not correct because the My Documents folder is located within a user’s home directory automatically when a home directory is created. Users do not need to go looking for their home directory.
5 What three tasks must you perform to create a home folder on a network server?
First, create and share a folder in which to store all home folders on a network server. Second, for the shared folder, remove the default Full Control permission from the Everyone group and assign Full Control to the Users group for users that will reside in this shared folder. Third, provide the path to the user’s home folder in the shared home directory folder on the Profile tab of the Properties dialog box for the user account.
Lesson 5 Review
Page
7-44
1 What are groups, and why do you use them?
A group is a collection of user accounts A group simplifies administration by allowing you to assign permissions and rights to a group of users rather than to each individual user account.
2 An administrator or owner of a resource uses to control what
users can do with a resource such as a folder, a file, or a printer
Permissions
3 You use local groups to assign permissions to resources residing
On the computer on which the local group is created
4 Which of the following statements about deleting local groups are correct? (Choose all that apply.)
a Each group that you create has a unique identifier that cannot be reused.
b You can restore access to resources by re-creating the group.
c When you delete a group, you also remove the permissions and rights associated with it.
d Deleting a group deletes the user accounts that are members of the group.
The correct answers are A and C. B is not correct because re-creating a group does not re-create the membership of that group or any of the rights or permissions associated with that group. D is not correct because deleting a group does not delete the user accounts that are members of the group. Deleting a group does remove any rights and permissions that were extended to the members of the group by virtue of their membership.
5 What is the difference between built-in system groups and built-in local groups found on computers running Windows XP Professional? Give at least two examples of each type of group.
Built-in local groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Some examples of built-in local groups are Administrators, Backup Operators, Guests, Power Users, Replicator, and Users. Built-in system groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available for use when you assign rights and permissions to resources. Some examples of built-in system groups are Everyone, Authenticated Users, Creator Owner, Network, Interactive, Anonymous Logon, and Dialup.
Case Scenario Exercise
Page
7-46
1 Your first task is to create a naming convention for these workers. The museum management would like the user names to reflect that these are temporary workers, but not require too complicated a user name for the workers to type. Use the following table to create names for the workers.
Full Name User Account Name
There are a number of ways you could create these user names. One way would be to use the first initial and last name of each person to create the user name and then to prepend each user name with a T to indicate the workers’ temporary status. This could give you the following user names:
2 Where should you create these user names?
You must create a local user name for each user on the user’s workstation. You must also create a local user name for each user on the file server so that you can assign permissions.
3 The file server in the workgroup contains a folder named Coal Research, to which each of the workers needs access. You would like to minimize the number of times you have to assign permissions to the Research folder. How would you do this?
You should create a local group on the file server. You should name the group something simple like Coal Researchers and then add each of the workers’ user names to that group. You can then assign permissions to the group for the Coal Research folder rather than assigning permissions to each user name.
4 When creating passwords for the users on their workstations, what must you ensure so that the users can access the file server?
You must not create blank passwords for the users on their workstations. Although blank passwords would allow the users to log on to their workstations and access local resources, the default security configuration on the file server is to enable the Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only security setting, which would prevent users with blank passwords from being able to access resources on the file server remotely.
Troubleshooting Lab
Page
7-47
1 Martin’s user account was assigned permissions to access a number of resources on the computer and Raymond is not sure exactly what permissions were assigned. He wants to recover the deleted user account. Can he do this? If so, how?
After a user account is deleted, it cannot be recovered. All permissions and rights assigned to the user account are lost.
2 If you really mean to delete the user account, what is often a better way to handle the situation than simply deleting the user account?
It is usually better to disable the account instead of deleting it. When an account is disabled, no user can log on by using it. If the account is needed again, you can re-enable it, and all rights and permissions are retained. When you are sure that you no longer need a disabled account, you can then delete it.
3 To prevent a situation like the one that happened with Raymond (in which rights and permissions to resources were assigned directly to Martin’s user account and were thus difficult to reconstruct), what is a better way to assign rights and permissions?
You should assign rights and permissions to local groups rather than directly to local user accounts. You should then make the user accounts members of the appropriate groups. This way, if a user account is accidentally deleted, you can create a new user account and place it in the appropriate groups again, rather than having to reconstruct rights and permissions on the user account. Using groups also helps to manage rights and permissions better in other situations, such as when a user no longer needs access to particular resources or when a new user joins the company.
4 Soon after creating a new user account for Martin, Raymond contacts you and tells you that Martin has forgotten his new password. Can you reset his password? How?
Yes. You must log on to Martin’s computer and use the Computer Management snap-in (or use the Computer Management snap-in remotely) to reset the password. You should also configure Martin’s user account so that he must change the password the next time he logs on, so that the password is known only to him.
5 What should you tell Martin to do so that he can recover his own password should
this happen again?
You should show Martin how to create a password reset disk.
NTFS Permissions
Exam Objectives in this Chapter:
■ Monitor, manage, and troubleshoot access to files and folders
❑ Control access to files and folders by using permissions
Why This Chapter Matters
This chapter introduces you to NT file system (NTFS) folder and file permissions for Windows XP Professional. You will learn how to assign NTFS folder and file permissions to user accounts and groups, and you will see how moving or copying files and folders affects NTFS file and folder permissions. You will also learn how to troubleshoot common resource access problems.
Lessons in this Chapter:
■ Lesson 1: Introduction to NTFS Permissions
■ Lesson 2: Assigning NTFS Permissions and Special Permissions
■ Lesson 3: Supporting NTFS Permissions
Before You Begin
To complete this chapter, you must have a computer that meets the minimum hardware requirements listed in the preface, “About This Book.” You must also have Microsoft Windows XP Professional installed on the computer.
Lesson 1: Introduction to NTFS Permissions
You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes; they are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network.
The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.
After this lesson, you will be able to
■ Identify the standard NTFS folder permissions
■ Identify the standard NTFS file permissions
■ Describe how Windows XP Professional uses access control lists (ACLs)
■ Explain how effective permissions are calculated when multiple sets of NTFS permissions are in effect
■ Explain how permissions inheritance is controlled
Estimated lesson time: 30 minutes
Standard NTFS Folder Permissions
You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders. Table 8-1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.
Table 8-1 NTFS Folder Permissions
This NTFS Folder
Permission Allows the User To
attributes (such as Read-Only, Hidden, Archive, and System)
attributes, and view folder ownership and permissions
do not have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
permission and the Read & Execute permission
plus perform actions permitted by all other NTFS folder permissions
You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.
Standard NTFS File Permissions
You assign file permissions to control the access that users have to files. Table 8-2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.
How Windows XP Professional Uses Access Control Lists
NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user cannot access the resource.
How Effective Permissions Are Calculated When Multiple Sets of NTFS Permissions Are in Effect
It is possible for multiple sets of NTFS permissions to apply to a user for a particular resource. For example, a user might be a member of two different groups, each of which is assigned different permissions to access a resource. To assign permissions effectively, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.
Table 8-2 NTFS File Permissions
This NTFS File
Permission Allows the User to
permissions
permission
permission and the Read & Execute permission
permitted by all other NTFS file permissions
What Are Effective Permissions?
A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all the groups to which the user belongs. If a user is granted Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.
Exam Tip To manually calculate effective NTFS permissions, first combine all allow permissions from all sources. Next, determine any deny permissions the user has. Deny permissions override allow permissions. The result is the user’s effective permissions for the resource.
How File Permissions Override Folder Permissions
NTFS permissions assigned to files take priority over NTFS permissions assigned to the folder that contains the file. If you have access to a file, you can access the file if you have the Bypass Traverse Checking security permission—even if you do not have access to the folder containing the file. You can access the files for which you have permissions by using the full Universal Naming Convention (UNC) or local path to open the file from its respective application, even if you have no permission to access the folder that contains the file. In other words, if you do not have permission to access the folder containing the file you want to access, you must have the Bypass Traverse Checking security permission and you have to know the full path to the file to access it. Without permission to access the folder, you cannot see the folder, so you cannot browse for the file.
See Also The Bypass Traverse Checking security permission is described further in Lesson 2,
“Assigning NTFS Permissions and Special Permissions.”
How Deny Permissions Override Allow Permissions
In addition to granting a permission, you can also specifically deny a permission (although this is not the recommended method of controlling access to resources). Denying a permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8-1).
In Figure 8-1, User1 has Read permission for FolderA and is a member of Group A and Group B. Group B has Write permission for FolderA. Group A has been denied Write permission for File2.
Figure 8-1 You must be able to calculate effective NTFS permissions.
The user can read and write to File1. The user can also read File2, but cannot write to File2 because she is a member of Group A, which has been denied Write permission for File2.
How NTFS Permissions Inheritance Is Controlled
By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 8-2.
• NTFS permissions are cumulative.
• File permissions override folder permissions.
• Deny overrides other permissions.
By default, whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.
You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, you can change the default inheritance behavior and cause subfolders and files to not inherit permissions that have been assigned to the parent folder containing them.
The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.
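The rules in this lesson (an ACE must exist, allow permissions are cumulative, deny overrides allow, and inheritance can be prevented at a folder) can be worked through in code. The following is an added example, not part of the original text and not Windows code: a simplified Python model that treats each standard permission as a flat name, with the class and function names (ACE, Resource, effective_permissions) and the Private folder and Notes.txt file chosen here for illustration. It reproduces the Figure 8-1 scenario.

```python
"""Simplified model of this lesson's NTFS rules (added example, not Windows code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class ACE:
    """One access control entry: a trustee, a permission, and Allow or Deny."""
    trustee: str          # user account or group name
    permission: str       # flat permission name such as "Read" or "Write"
    allow: bool = True    # False models a Deny entry


@dataclass
class Resource:
    """A file or folder on an NTFS volume together with its ACL."""
    name: str
    parent: Optional["Resource"] = None
    aces: List[ACE] = field(default_factory=list)  # entries assigned on this object
    inherit: bool = True  # False = inheritance from the parent is prevented

    def acl(self) -> List[ACE]:
        """Entries assigned here plus, unless prevented, those of the parents."""
        entries = list(self.aces)
        if self.inherit and self.parent is not None:
            entries.extend(self.parent.acl())
        return entries


def effective_permissions(user: str, groups: Set[str], resource: Resource) -> Set[str]:
    """Apply the Exam Tip: combine all allows, then let denies override them."""
    trustees = {user} | set(groups)
    # Only ACEs for the user account or a group the user belongs to count.
    applicable = [ace for ace in resource.acl() if ace.trustee in trustees]
    allowed = {ace.permission for ace in applicable if ace.allow}
    denied = {ace.permission for ace in applicable if not ace.allow}
    return allowed - denied  # empty set: no matching allow ACE, so no access


def can_access(user: str, groups: Set[str], resource: Resource, permission: str) -> bool:
    return permission in effective_permissions(user, groups, resource)


# Figure 8-1 as described in the text: User1 is a member of Group A and Group B.
USER1_GROUPS = {"Group A", "Group B"}


def build_figure_8_1():
    folder_a = Resource("FolderA", aces=[ACE("User1", "Read"),
                                         ACE("Group B", "Write")])
    file1 = Resource("File1", parent=folder_a)
    file2 = Resource("File2", parent=folder_a,
                     aces=[ACE("Group A", "Write", allow=False)])
    return folder_a, file1, file2


def build_blocked_subfolder(folder_a: Resource):
    """Constructed case: a subfolder that prevents inheritance from FolderA."""
    private = Resource("Private", parent=folder_a, inherit=False,
                       aces=[ACE("Group B", "Read")])
    notes = Resource("Notes.txt", parent=private)  # inherits from Private only
    return private, notes


if __name__ == "__main__":
    folder_a, file1, file2 = build_figure_8_1()
    _, notes = build_blocked_subfolder(folder_a)
    for res in (file1, file2, notes):
        perms = sorted(effective_permissions("User1", USER1_GROUPS, res))
        print(f"User1 on {res.name}: {perms}")
    # A user with no ACE for the account or any group gets nothing.
    print("User2 on File1:", sorted(effective_permissions("User2", set(), file1)))
```

The model leaves out the way real standard permissions are built from special permissions and the Bypass Traverse Checking right; it covers only the combination rules stated in this lesson.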
Lesson Review
Use the following questions to help determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
1 Which of the following statements correctly describe NTFS file and folder permissions? Choose all that apply.
a NTFS security is effective only when a user gains access to the file or folder over the network.
b NTFS security is effective when a user gains access to the file or folder on the local computer.
c NTFS permissions specify which users and groups can gain access to files and folders and what they can do with the contents of the file or folder.
d NTFS permissions can be used on all file systems available with Windows XP Professional.
2 Which of the following NTFS folder permissions allow you to delete the folder?
Choose the correct answer
a Read
b Read & Execute
c Modify
d Administer
3 Which of the NTFS file permissions should you assign to a file if you want to allow
users to delete the file but do not want to allow users to take ownership of a file?
4 What is an access control list (ACL), and what is the difference between an ACL and an access control entry (ACE)?
5 What are a user’s effective permissions for a resource?
6 By default, what inherits the permissions that you assign to the parent folder?
■ It is possible for multiple sets of NTFS permissions to apply to a user for a particular resource. A user’s effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all the groups to which the user belongs.
■ By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance.
Lesson 2: Assigning NTFS Permissions and Special Permissions
You should follow certain guidelines for assigning NTFS permissions. Assign permissions according to group and user needs, which include allowing or preventing permissions to be inherited from parent folders to subfolders and files that are contained in the parent folder.
After this lesson, you will be able to
■ Assign or modify NTFS folder and file permissions to user accounts and groups
■ Grant or deny special permissions
■ Take ownership of files and folders
■ Prevent permissions inheritance
■ Identify guidelines for planning NTFS permissions
Estimated lesson time: 70 minutes
How to Assign or Modify Permissions
Administrators, users with the Full Control permission, and owners of files and folders can assign permissions to user accounts and groups.
To assign or modify NTFS permissions for a file or a folder, in the Security tab of the Properties dialog box for the file or folder, configure the options that are shown in Figure 8-3 and described in Table 8-3.
Table 8-3 Security Tab Options
change permissions or that you want to remove from the list
Permissions For group
or user name
Allows and denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission.
select user accounts and groups to add to the Group Or User Names list (see Figure 8-4)
permissions for the file or folder
so that you can grant or deny special permissions (see Figure 8-5)
Trang 21Figure 8-3 Use the Security tab of the Properties dialog box for a folder to set NTFS permissions.Clicking the Add button on the Security tab of a file or folder’s Properties dialog boxdisplays the Select Users Or Groups dialog box (see Figure 8-4) Use this dialog box toadd users or groups so that you can assign them permissions for accessing a folder orfile The options available in the Select Users Or Groups dialog box are described inTable 8-4
or on the local computer
domain or on the local computer
How to Grant or Deny Special Permissions
Click the Advanced button on the Security tab of a file or folder’s Properties dialog box to display the Advanced Security Settings dialog box (shown in Figure 8-5), which lists the users and groups and the permissions they have on this object. The Permissions Entries box also shows where the permissions were inherited from and where they are applied.
Table 8-4 Select Users Or Groups Dialog Box Options
Enter The Object Names To Select: Allows you to type in a list of built-in users or groups to be added.
search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days
Figure 8-6 Select special permissions by using the Permission Entry For dialog box.
Table 8-5 Special Permissions
Permission Description
Traverse Folder/Execute File: Traverse Folder is applied only to folders and allows a user to move (or denies a user from moving) through folders even when the user has no permissions set on the traversed folder (the folder that the user is moving through). For example, a user might not have permissions set on a folder named Sales, but might have permission to access a subfolder named Brochures that is in the Sales folder. If allowed the Traverse Folder permission, the user could access the Brochures folder. The Traverse Folder permission has no effect on users for whom the Bypass Traverse Checking user right is assigned. Execute File is applied only to files and allows or denies running executable files (application files). Execute File applies only to files.
folder. These attributes are defined by NTFS.
Read Extended Attributes: Read Extended Attributes allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs.
Create Files/
folder. These attributes are defined by NTFS.
Write Extended Attributes: Write Extended Attributes allows or denies the changing of the extended attributes of a file or a folder. These attributes are defined by programs.
Delete Subfolders And Files: Delete Subfolders And Files allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file.
file or folder even without having the Delete permission granted on that file or folder, if the Delete Subfolders And Files permission has been granted to the user on the parent folder
Read Permissions: Read Permissions allows or denies the reading of the permissions assigned to the file or folder.
Change Permissions: Change Permissions allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them the Full Control permission over the file or folder. In this way, the administrator or user cannot delete or write to the file or folder, but can assign permissions to the file or folder.
Take Ownership: Take Ownership allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder.
to synchronize with one another. A multithreaded program performs multiple actions simultaneously by using both processors in a dual-processor computer. This permission is not assigned to users, but instead applies only to multithreaded programs.
Exam Tip When you grant permissions, grant users the minimum permissions that they need to get their job done. This is referred to as the principle of least privilege.
How to Take Ownership of Files and Folders
Every object (file or folder) on an NTFS volume has an owner who controls how permissions are set on the object and to whom permissions are granted. When a user creates an object, that user automatically becomes the object’s owner.
You can transfer ownership of files and folders from one user account or group to another. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder.
The following rules apply for taking ownership of a file or folder:
■ The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or any member of the group to take ownership.
■ An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner, and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.
For example, if an employee leaves the company, an administrator can take ownership of the employee’s files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee’s files.
Note You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.
To take ownership of a file or folder, the user or a group member with Take Ownership permission must explicitly take ownership of the file or folder, as follows:
1 In the Security tab of the Properties dialog box for the file or folder, click Advanced.
2 In the Advanced Security Settings dialog box, in the Owner tab, in the Change Owner To list, select your name.
3 Select the Replace Owner On Subcontainers And Objects check box to take ownership of all subfolders and files that are contained within the folder, and then click OK.
How to Prevent Permissions Inheritance
By default, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Advanced Security Settings dialog box (refer to Figure 8-5) when the Inherit From Parent The Permission Entries That Apply To Child Objects check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the check box. You are then prompted to select one of the options described in Table 8-6.
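The two choices offered when you clear the check box, keeping a copy of the inherited entries on the child or removing them, correspond to the two arguments of the .NET SetAccessRuleProtection method. The PowerShell script below is an added example, not part of the original lesson; it assumes a current Windows system with PowerShell 3.0 or later, works on a scratch folder under %TEMP% (the folder names are made up for the example), and in the remove case grants the current user access in the same update so that access is never lost.

```powershell
# Added example (not from the original lesson). Builds a scratch tree under
# %TEMP% and blocks inheritance on two child folders, once with each option.
$base     = Join-Path $env:TEMP ('inherit-demo-' + [guid]::NewGuid().ToString('N'))
$copyDir  = Join-Path $base 'KeepCopy'     # hypothetical folder names
$cleanDir = Join-Path $base 'RemoveAll'
New-Item -ItemType Directory -Path $copyDir, $cleanDir -Force | Out-Null

function Get-AceSummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Folder             = Split-Path $Path -Leaf
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitEntries    = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedEntries   = @($acl.Access | Where-Object { $_.IsInherited }).Count
    }
}

# Before: both folders carry only entries inherited from their parent.
$before = $copyDir, $cleanDir | ForEach-Object { Get-AceSummary $_ }

# Option 1: block inheritance and keep the inherited entries as explicit ones.
$acl = Get-Acl -LiteralPath $copyDir
$acl.SetAccessRuleProtection($true, $true)     # (isProtected, preserveInheritance)
Set-Acl -LiteralPath $copyDir -AclObject $acl

# Option 2: block inheritance and drop the inherited entries. Add an explicit
# entry for the current user to the same ACL object before writing it back,
# otherwise the folder is left with no permission entries at all.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl  = Get-Acl -LiteralPath $cleanDir
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $cleanDir -AclObject $acl

$after = $copyDir, $cleanDir | ForEach-Object { Get-AceSummary $_ }

'Before:'; $before | Format-Table -AutoSize | Out-String
'After:';  $after  | Format-Table -AutoSize | Out-String

# Clean up the scratch tree.
Remove-Item -LiteralPath $base -Recurse -Force
```

Compare the ExplicitEntries and InheritedEntries columns of the two tables to see what each option leaves on the child folder.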
Table 8-6 Preventing Permissions Inheritance Options
Option Description
child and then deny subsequent permissions inheritance from the parent folder
the child and retain only the permissions that you explicitly assign here. Clicking this button removes all permissions from the file or folder; if you do not grant yourself permissions immediately afterward, you could lose access to the file. To recover access to the file, you would need to take ownership.
Guidelines for Planning NTFS Permissions
If you take the time to plan your NTFS permissions and follow a few guidelines, you will find that permissions are more straightforward to manage than you might imagine. Use the following guidelines when you assign NTFS permissions:
■ To simplify administration, organize files into folders so that you can assign permissions to folders instead of directly to files.
■ Allow users only the level of access that they require. If a user only needs to read a file, assign the Read permission to his or her user account for the file. This reduces the possibility of users accidentally modifying or deleting important documents and application files.
■ Create groups according to the access that the group members require for resources, and then assign the appropriate permissions to the group. Assign permissions to individual user accounts only when necessary.
■ When you assign permissions to application folders, assign the Read & Execute permission to the Users group and the Administrators group. This prevents application files from being accidentally deleted or damaged by users or viruses.
■ When you assign permissions for public data folders, assign the Read & Execute permission and the Write permission to the Users group and the Full Control permission to the CREATOR OWNER. By default, the user who creates a file is also the owner of the file. The owner of a file can grant another user permission to take ownership of the file. This grants users the ability to read and modify documents that other users create (and the ability to read, modify, and delete the files and folders that they create).
■ Do not make denying permissions a part of your permissions plan. Deny permissions only when it is essential to deny specific access to a specific user account or group.
■ Encourage users to assign permissions to the files and folders that they create and teach them how to do so.
Real World Managing Permissions Structures
The availability of so many different permissions often lures administrators into creating permission structures that are much more complicated than necessary. In addition to following the guidelines set out in this chapter (such as applying permissions to folders instead of files, and assigning permissions to groups instead of user accounts), you can make a permissions structure more manageable by doing the following:
■ For most companies, you will want to err on the side of being too secure. Make it a practice to lock everything down with permissions and then grant access only to those that need it. Also, grant only the level of permission that users need. It is often tempting to grant Full Control to users just to avoid complaints from those users about not being able to perform tasks, but avoid that temptation. On smaller networks, you might want to take an opposite approach—one in which you allow access to everything and then secure only those resources that need to be secured.
■ Document your security decisions and encourage users to do so, as well. You should record which folders and files have which permissions, and make notes on why you made the decision. Although it seems an extra burden (and does require more work upfront), this documentation is invaluable when the time comes to change or troubleshoot the permissions structure.
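One way to produce the record of "which folders and files have which permissions" is to export every explicitly assigned (not inherited) entry under a folder and note the cases the guidelines single out: Deny entries, Full Control grants, entries set on individual files, and places where inheritance is blocked. The PowerShell function below is an added example, not part of the original chapter; it assumes a current Windows system with PowerShell 3.0 or later, and the function name and CSV file name are made up for the example.

```powershell
# Added example (not from the original chapter). Lists every permission entry
# that was set explicitly under a folder and annotates the cases the planning
# guidelines mention. Requires PowerShell 3.0 or later.
function Get-ExplicitPermissionReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root
    )
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # The root folder itself plus everything below it.
    $items  = @(Get-Item -LiteralPath $Root -Force)
    $items += @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read permissions on $($item.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Inherited entries are documented once, where they are assigned.
            if ($ace.IsInherited) { continue }

            $notes = @()
            if ($ace.AccessControlType -eq 'Deny') { $notes += 'explicit Deny' }
            if (($ace.FileSystemRights -band $fullControl) -eq $fullControl) { $notes += 'Full Control' }
            if (-not $item.PSIsContainer) { $notes += 'set on a file, not a folder' }
            if ($acl.AreAccessRulesProtected) { $notes += 'inheritance blocked here' }

            [pscustomobject]@{
                Path     = $item.FullName
                Owner    = $acl.Owner
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.FileSystemRights
                Notes    = $notes -join '; '
            }
        }
    }
}

# C:\Public is the folder used in this lesson's practice; the output file name
# is an assumption made for this example.
Get-ExplicitPermissionReport -Root 'C:\Public' |
    Sort-Object Path, Identity |
    Export-Csv -Path '.\public-permissions.csv' -NoTypeInformation
```

The Identity column also shows at a glance which entries name an individual user account rather than a group, which the guidelines recommend only when necessary.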
Practice: Planning and Assigning NTFS Permissions
In this practice, you will plan NTFS permissions for folders and files based on a business scenario. Then you will apply NTFS permissions for folders and files on your computer running Windows XP Professional in a workgroup environment, based on a second scenario. Finally, you will test the NTFS permissions that you set up to make sure that they are working properly.
Complete the following six exercises, and answer any questions that are asked. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
Exercise 1: Preparing for This Practice
To prepare for subsequent exercises, log on with an account that is a member of the Administrators group and create the Limited users listed in the following table.
Create the following folders:
■ C:\Public
■ C:\Public\Library
Exercise 2: Determining the Default NTFS Permissions for a Folder
In this exercise, you determine the default NTFS permissions for the newly created Public folder located on a computer running Windows XP Professional in a workgroup environment.
1 Log on with a user account that is a member of the Administrators group.
2 On the Start menu, right-click My Computer, and then click Explore.
3 Expand Local Disk (C:), right-click the Public folder, and then click Properties.
4 In the Public Properties dialog box, on the Security tab, note the default groups
and users that have permissions for the Public folder
Tip If you do not see a Security tab, there are two things to check: Is your partition formatted as NTFS or FAT? Only NTFS partitions use NTFS permissions, so only NTFS partitions have a Security tab. Are you using Simple File Sharing? Click Cancel to close the Public Properties dialog box. On the Tools menu, click Folder Options. In the Folder Options dialog box, click View. Under Advanced Settings, clear the Use Simple File Sharing (Recommended) check box and click OK. Repeat Steps 3 and 4 and continue with this practice.
5 Click each user and group in the Group Or User Names list, noting the default permissions assigned to each.
6 What are the existing folder permissions?
7 Click OK to close the Public Properties dialog box.
8 Close Windows Explorer and log off.
Exercise 3: Testing the Folder Permissions for the Public Folder
1 Log on as User81, and then start Windows Explorer.
2 Expand the Public folder.
3 In the Public folder, create a text document named USER81 and type in the following text: The first four letters in the alphabet are a, b, c, and d.
Tip With the Public folder selected in the folder tree (the left pane), on the File menu, click New, and then click Text Document to create the text document.
4 Were you successful? Why or why not?
5 Attempt to perform the following tasks for the file that you just created:
❑ Open the file
❑ Modify the file
❑ Delete the file
6 Were you able to complete all of these tasks and why?
7 In the Public folder, re-create the text file named User81.
8 Log off Windows XP Professional.
9 Log on as User82 and attempt to perform the following tasks on the USER81 text document:
❑ Open the file
❑ Modify the file
❑ Delete the file
10 Which tasks were you able to perform and why?
Exercise 4: Assigning NTFS Permissions
In this exercise, you assign NTFS permissions for the Public folder
The permissions that you assign are to be based on the following criteria:
■ All users should be able to read documents and files in the Public folder
■ All users should be able to create documents in the Public folder
■ All users should be able to modify the contents, properties, and permissions of the documents that they create in the Public folder.
■ User82 is responsible for maintaining the Public folder and should be able to modify and delete all files in the Public folder.
1 Based on what you learned in Exercise 1, what changes in permission assignments do you need to make to meet each of these four criteria? Why?
2 You are currently logged on as User82. Can you change the permissions assigned to User82 while logged on as User82? Why or why not?
3 Log on with a user account that is a member of the Administrators group, and then
start Windows Explorer
4 Expand the Public folder.
5 Right-click the Public folder, and then click Properties.
6 In the Properties dialog box for the folder, on the Security tab, click Add.
7 In the Select Users Or Groups dialog box, in the Enter The Object Names To Select text box, type User82, and then click Check Names.
8 Computer_name\User82 should now appear in the Enter The Object Names To Select text box, indicating that Windows XP Professional located User82 on the computer and it is a valid user account. Click OK to close the Select Users Or Groups dialog box.
9 User82 now appears in the Group Or User Name box in the Public Properties dialog box. Click User82 and note the assigned permissions.
10 Which permissions are assigned to User82?
11 Click Advanced.
12 In the Advanced Security Settings For Public dialog box, ensure that User82 is
selected, and then click Edit
13 In the Permission Entry For Public dialog box (with User82 displayed in the Name
text box), in the Allow column, click Full Control
14 Click OK to close the Permission Entry For Public dialog box.
15 Click OK to close the Advanced Security Settings For Public dialog box.
16 Click OK to close the Public Properties dialog box.
17 Close Explorer and log off Windows XP Professional.
Exercise 5: Testing the New NTFS Permissions for the Folder
1 Log on as User82.
2 Start Windows Explorer.
3 Expand Local Disk (C:), and then expand the Public folder.
4 Attempt to perform the following tasks on the USER81 text document:
❑ Modify the file
❑ Delete the file
5 Which tasks were you able to record and why?
6 Close Windows Explorer and then log off Windows XP Professional.
Exercise 6: Testing NTFS Permissions
In this exercise, you create a file in a subfolder and test how NTFS permissions are inherited through a folder hierarchy.
1 Log on as User81, and then start Windows Explorer.
2 In Windows Explorer, expand the Public\Library folder.
3 Create a text document named USER81 in the Library folder.
4 Log off Windows XP Professional.
5 Log on as User82, and then start Windows Explorer.
6 Expand the Public\Library folder.
7 Attempt to perform the following tasks on the USER81 file:
❑ Open the file
❑ Modify the file
❑ Delete the file
8 Which tasks were you able to perform and why?
9 Log off Windows XP Professional.
Lesson Review
Use the following questions to help determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
1 By default, when you format a volume with NTFS, the ______________ permission is assigned to the Everyone group. Fill in the blank.
2 When you assign permissions for public data folders, it is recommended that you assign the ______________ permission and the ______________ permission to the Users group, and the ______________ permission to the CREATOR OWNER user. Fill in the blanks.
3 Which of the following users or groups can assign permissions to user accounts
and groups? Choose all that apply
a Administrators
b Power Users
c Users with the Full Control permission
d Owners of files and folders
4 Which of the following tabs in the Properties dialog box for the file or folder do you use to assign or modify NTFS permissions for a file or a folder? Choose the correct answer.
a Advanced
b Permissions
c Security
d General
5 What is the purpose of the Traverse Folder/Execute File special permission?
6 What is the difference between the Delete permission and Delete Subfolder And
Files permission?
■ By default, subfolders and files inherit permissions that you assign to their parent folder. To stop subfolders and files from inheriting permissions that you assign to their parent folder, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box in the Advanced Security Settings dialog box.
■ Take the time to properly plan NTFS permissions following best-practice guidelines. A well-planned permission structure is easier to administer and causes fewer problems.
Lesson 3: Supporting NTFS Permissions
When you assign or modify NTFS permissions to files and folders, problems might arise. When you copy or move files and folders, the permissions you set on the files or folders might change. Specific rules control how and when permissions change. Understanding these rules helps you solve permissions problems. Troubleshooting these problems is important to keep resources available for the appropriate users and protected from unauthorized users.
After this lesson, you will be able to
■ Describe the effect on NTFS file and folder permissions when files and folders are copied
■ Describe the effect on NTFS file and folder permissions when files and folders are moved
■ Troubleshoot resource access problems
Estimated lesson time: 40 minutes
Effect on NTFS File and Folder Permissions When Files and Folders Are Copied
When you copy files or folders from one folder to another or from one volume to another, permissions change (as shown in Figure 8-7).
[Figure 8-7: when files are copied, permissions = destination folder; on a FAT volume, permissions are lost.]
When you copy a file within a single NTFS volume or between NTFS volumes, note the following:
■ Windows XP Professional treats it as a new file. As a new file, it takes on the permissions of the destination folder.
■ You must have Write permission for the destination folder to copy files and folders.
■ You become the creator and owner.
Security Alert When you copy files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes do not support NTFS permissions.
Effect on NTFS File and Folder Permissions When Files and Folders Are Moved
When you move a file or folder, permissions might or might not change, depending on where you move the file or folder (see Figure 8-8).
Figure 8-8 Move files or folders between folders or volumes.
Facts to Know About Moving Within a Single NTFS Volume
When you move a file or folder within a single NTFS volume, note the following things:
■ The file or folder retains the original permissions.
■ You must have the Write permission for the destination folder to move files and folders into it.
■ You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows 2000 deletes the file or folder from the source folder after it is copied to the destination folder.
■ You become the creator and owner.
Facts to Know About Moving Between NTFS Volumes
When you move a file or folder between NTFS volumes, note the following:
■ The file or folder inherits the permissions of the destination folder
■ You must have the Write permission for the destination folder to move files and folders into it.
■ You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows XP Professional deletes the file or folder from the source folder after it is copied to the destination folder.
■ You become the creator and owner.
Security Alert When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes do not support NTFS permissions.
Exam Tip When you move files or folders within an NTFS volume, permissions that have been directly assigned to the file or folder carry over to the new location In all other cases of moving and copying, existing permissions are lost, and the object will inherit permissions from the new parent When moving to a FAT volume, permissions are lost entirely.
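The copy and move rules for a single NTFS volume can be observed directly by tagging two files with an explicit permission entry, copying one and moving the other, and checking which file still carries the entry. The PowerShell script below is an added example, not part of the original lesson; it assumes a current Windows system with PowerShell 3.0 or later and an NTFS-formatted %TEMP% folder, and the file and folder names are made up for the example.

```powershell
# Added example (not from the original lesson). Source and Destination are both
# created under %TEMP%, so they are on the same volume.
$base = Join-Path $env:TEMP ('copymove-demo-' + [guid]::NewGuid().ToString('N'))
$src  = Join-Path $base 'Source'        # hypothetical folder names
$dst  = Join-Path $base 'Destination'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null

# Marker entry: Allow Read for the built-in Guests group, addressed by its
# well-known SID (S-1-5-32-546) so the script works on any display language.
$guests = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-546'
$marker = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $guests, 'Read', 'Allow'

function Add-MarkerEntry {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($marker)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-PermissionState {
    param([string]$Label, [string]$Path)
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $acl       = Get-Acl -LiteralPath $Path
    $explicit  = $acl.GetAccessRules($true,  $false, $sidType)   # directly assigned
    $inherited = $acl.GetAccessRules($false, $true,  $sidType)   # from the parent
    [pscustomobject]@{
        File             = $Label
        Owner            = $acl.Owner
        MarkerEntryKept  = [bool]($explicit | Where-Object { $_.IdentityReference.Value -eq $guests.Value })
        ExplicitEntries  = $explicit.Count
        InheritedEntries = $inherited.Count
    }
}

# Create two files and give each the explicit marker entry.
$copySource = Join-Path $src 'copied.txt'
$moveSource = Join-Path $src 'moved.txt'
foreach ($file in $copySource, $moveSource) {
    Set-Content -LiteralPath $file -Value 'sample'
    Add-MarkerEntry $file
}

$results  = @()
$results += Get-PermissionState 'copied.txt (source)' $copySource
$results += Get-PermissionState 'moved.txt (source)'  $moveSource

Copy-Item -LiteralPath $copySource -Destination $dst
Move-Item -LiteralPath $moveSource -Destination $dst

$results += Get-PermissionState 'copied.txt (after copy)' (Join-Path $dst 'copied.txt')
$results += Get-PermissionState 'moved.txt (after move)'  (Join-Path $dst 'moved.txt')
$results | Format-Table -AutoSize

# Clean up the scratch tree.
Remove-Item -LiteralPath $base -Recurse -Force
```

The MarkerEntryKept column is the one to compare against the rules above; to observe the between-volumes case, point the Destination folder at a second NTFS volume.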
How to Troubleshoot Common Permissions Problems
Table 8-7 describes some common permissions problems that you might encounter and provides solutions that you can use to try to resolve these problems.
Practice: Managing NTFS Permissions
In this practice, you will observe the effects of taking ownership of a file. Then you will determine the effects of permission and ownership when you copy or move files. Finally, you will determine what happens when a user with Full Control permission to a folder has been denied all access to a file in that folder but attempts to delete the file. Complete the following two exercises, and answer any questions that are asked. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
Important To successfully complete this practice, you must have completed all exercises
in the Lesson 2 practice.
Exercise 1: Taking Ownership of a File
In this exercise, you observe the effects of taking ownership of a file. To do this, you must determine permissions for a file, assign the Take Ownership permission to a user account, and then take ownership as that user.
Table 8-7 Permissions Problems and Troubleshooting Solutions
Problem: You add a user account to a group to give that user access to a file or folder, but the user still cannot gain access.
Solution: For access permissions to be updated to include the new group to which you have added the user account, the user must either log off and then log on again, or close all network connections to the computer on which the file or folder resides, and then make new connections.
Problem: A user with Full Control permission to a folder deletes a file in the folder, although that user does not have permission to delete the file itself. You want to stop the user from being able to delete more files.
Solution: You have to clear the special access permission, the Delete Subfolders And Files check box, for that folder to prevent users with Full Control of the folder from being able to delete files in it.
To determine the permissions for a file
1 Log on with a user account that is a member of the Administrators group, and then
start Windows Explorer
2 In the Public folder, create a text document named OWNER.
3 Right-click OWNER, and then click Properties.
4 In the Owner Properties dialog box, click the Security tab Note the permissions
for the OWNER file
5 Click Advanced.
6 In the Advanced Security Settings For Owner dialog box, on the Owner tab, note
the current owner of the file
7 Who is the current owner of the OWNER file?
To assign permission to a user to take ownership
1 In the Advanced Security Settings For Owner dialog box, on the Permissions tab,
click Add
2 In the Select User Or Group dialog box, in the Enter The Object Names To Select text box, type User81, and then click Check Names.
3 User81 should now appear in the Enter The Object Names To Select text box, indicating that Windows XP Professional located User81 on the computer and it is a valid user account. Click OK.
4 In the Permission Entry For Owner dialog box, notice that all the permission
entries for User81 are blank
5 Under Permissions, select the Allow check box next to Take Ownership, and then
click OK
6 In the Advanced Security Settings For Owner dialog box, click OK to return to the
Owner Properties dialog box
7 Click OK to apply your changes and close the Owner Properties dialog box.
8 Close Windows Explorer, and then log off Windows XP Professional.
To take ownership of a file
1 Log on as User81, and then start Windows Explorer.
2 Select the Public folder.
3 Right-click OWNER, and then click Properties.
4 In the Owner Properties dialog box, on the Security tab, notice the permissions for the OWNER folder. Click Advanced.
5 In the Advanced Security Settings For Owner dialog box, on the Owner tab, in the
Change Owner To list, select User81, and then click Apply
6 Who is now the owner of the OWNER file?
7 Click OK to close the Advanced Security Settings For Owner dialog box.
8 Click OK to close the Owner Properties dialog box.
To test permissions for a file as the owner
1 While you are logged on as User81, assign User81 the Full Control permission for
the OWNER text document and click Apply
2 Click Advanced and clear the Inherit From Parent The Permission Entries That
Apply To Child Objects check box
3 In the Security dialog box, click Remove.
4 Click OK to close the Advanced Security Settings For Owner dialog box.
5 Click OK to close the Owner Properties dialog box.
6 Delete the OWNER text document.
Exercise 2: Copying and Moving Folders
In this exercise, you see the effects of permissions and ownership when you copy and move folders.
To create a folder while logged on as a user
1 While you are logged on as User81, in Windows Explorer, in the root folder of drive C, create a folder named Temp1.
2 What are the permissions that are assigned to the folder?
User or Group Permissions