Thursday, February 3, 2011

Windows Admin Basics: Security 101

\\Server1\e$\FolderA (NTFS):
(local) Administrators = Full Control
(local) Users = Read
(domain) SalesManagers = Modify

\\Server1\FolderSales (Shared: "FolderA")
Everyone = Read
(local) Administrators = Change

User "jdoe" is a member of "SalesManagers" AD security group.  He gets an "access denied" message when trying to save a file into the folder "\\Server1\FolderSales".  Which of the following actions can be taken to allow "jdoe" to save the file into this shared location without requiring "jdoe" to log off and log back onto the domain?

1. Add user "jdoe" to the local "Administrators" security group on Server1.

2. Add the "SalesManagers" domain security group to have Change rights to the FolderSales share permissions.

3. Add user "jdoe" to the "Server Admins" domain security group, which is a member of the local "Administrators" group on every server in the domain.

2 comments:

Marc C. said...

Why stop there? Why not add him to the Domain Admins group? LOL.
I pick number 2. Although personally I think Share permissions ought to be Everyone Full Control and then control the actual permissions using NTFS; that way the permissions are in effect no matter how the person accesses the file.

skatterbrainz said...

You are correct. Over the last ten years it seems that one in four MCSE/MCITP folks get that question wrong. It came up yesterday and again the engineer I was talking with insisted all three required a logoff/logon.
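An added example, not part of the original post or its comments: a simplified Python model of how the share and NTFS ACLs from the question combine for access over the network, before and after option 2. The coarse rights mapping, the function names, and jdoe's membership in the local Users group are assumptions made for the illustration; option 2 edits an ACL rather than a group membership, so the groups already in jdoe's token are evaluated against the new entry.

```python
# Simplified model of the share + NTFS access check. Illustration only,
# not a Windows API; the rights mapping below is a coarse assumption.
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_acl"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_acl"},
}

# ACLs as listed in the post.
NTFS_ACL = {"Administrators": "Full Control", "Users": "Read", "SalesManagers": "Modify"}
SHARE_ACL = {"Everyone": "Read", "Administrators": "Change"}

# Groups already in jdoe's logon token (constructed; local Users membership is assumed).
JDOE_TOKEN = {"Everyone", "Users", "SalesManagers"}


def granted(acl, levels, token):
    """Union of rights from every allow entry whose group is in the token."""
    rights = set()
    for group, level in acl.items():
        if group in token:
            rights |= levels[level]
    return rights


def effective(share_acl, ntfs_acl, token):
    """Over the network a right must be granted by both the share ACL and the NTFS ACL."""
    return granted(share_acl, SHARE_LEVELS, token) & granted(ntfs_acl, NTFS_LEVELS, token)


def can_save(share_acl, ntfs_acl, token):
    """Saving a file needs the write right in the effective set."""
    return "write" in effective(share_acl, ntfs_acl, token)


# Option 2: add SalesManagers = Change to the share ACL; the token is untouched.
SHARE_ACL_OPTION2 = dict(SHARE_ACL, SalesManagers="Change")

if __name__ == "__main__":
    print("before:        ", sorted(effective(SHARE_ACL, NTFS_ACL, JDOE_TOKEN)))
    print("after option 2:", sorted(effective(SHARE_ACL_OPTION2, NTFS_ACL, JDOE_TOKEN)))
```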