290: Q for server based profiles

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by Korbin, Sep 25, 2010.

  1. Korbin

    Korbin New Member

    Hi, I am training for the 290 exam with some pools of questions. Some answers that are stated to be true are quite confusing. I hope you don't mind my asking, because I don't just want to learn the answers. I want to understand them.

    Here is one question:
    Single AD, Servers are 2003 R2, Clients XP
    User1 frequently logs on to several different computers.
    You need to ensure that the documents and shortcuts User1 stores on his desktop are available on the desktop of each computer he uses.

    Which two actions should you perform?

    Number one is clear:
    From AD modify the properties of the User1 account.

    But then:
    a) On a file server, create a folder named Profiles and assign the change share permission to Everyone group.
    or
    b) On a file server, create a folder named Profiles and assign the Full Control share permission to the Everyone group

    B) is stated to be true, but I would say A), because the Change share permission is a sufficient right, isn't it?

    The only reason for Full Control is the ability to change permissions in his profile. Is this usually wanted?
     
  2. Sparky

    Sparky Zettabyte Poster Moderator

    The profile will have NTFS permissions though. Remember NTFS permissions override share permissions.

    As a test, if you try creating the profile and log onto the server as domain admin, you will get an “access denied” error message if you try to access the profile.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. Korbin

    Korbin New Member

    That's not exactly correct. It's not that the NTFS permissions override the share permissions. They override each other to the more restrictive one.

    I know what you mean. But that "mysteria" only exists when you create a profile with %username%.

    However, I don't see the solution for the problem in the question. Change permissions are sufficient for a user profile. Also, nothing is said about NTFS permissions. It's all about share permissions. Of course, I can give Full access from the share permission and restrict it through the NTFS permissions. But if no user needs to modify permissions, why should I give it in the share? It is always said not to give more permissions than needed.
     
  4. Sparky

    Sparky Zettabyte Poster Moderator

    I did make a mistake there. Basically, if you give read-only permissions for the share and full control for NTFS, then users will only have read-only access to the contents of the shared folder.

    In many cases (not always) the share will have the Everyone group with all permissions selected, and then the folders within it are controlled by NTFS permissions.
     
    Last edited: Sep 25, 2010
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  5. dalsoth

    dalsoth Kilobyte Poster

    MS like you to always select full control on shares and then nail the security down at the NTFS folder security level. If you tried to secure everything at the share level, then it would not stop someone logging on to the server directly and bypassing the share security completely.

    If I see any question in an MS exam giving a choice of setting a share to change or full, I would go for the full.
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  6. Theprof

    Theprof Petabyte Poster

    I too, as best practice, sometimes give Everyone full control on the share permissions and then restrict the access on the NTFS permissions. It makes it easier when troubleshooting permissions.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
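
The approach described in the last replies (open share permissions, restrictions applied on NTFS) only protects data if the NTFS ACL really is the restrictive one. The following is an added example, not code from any poster in this thread: a PowerShell audit that finds shares granting Change or Full to a broad group and reports whether NTFS also lets that group write. It assumes Windows Server 2012 or later (the SmbShare module) and English built-in group names.

```powershell
# Added example (not from the thread). Requires the SmbShare module,
# i.e. Windows Server 2012 or later; group names below assume an English OS.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# Access bits treated as "can write files": WriteData plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) values that
# Get-Acl can return unmapped. AppendData (create subfolder) alone is not
# flagged, because users need it on a profile root to create their own folder.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]$fsr::WriteData -bor 0x40000000 -bor 0x10000000

foreach ($share in Get-SmbShare -Special $false) {
    # Skip shares with no backing folder (for example printer shares)
    if (-not $share.Path) { continue }

    # Share-level ACL: is Change or Full granted to a broad group?
    $openShare = Get-SmbShareAccess -Name $share.Name | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.AccessRight)" -in 'Full', 'Change' -and
        $_.AccountName -in $broad
    }
    if (-not $openShare) { continue }

    # NTFS ACL on the shared folder: does the same kind of group get write access?
    $ntfsWrite = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        $_.IdentityReference.Value -in $broad -and
        ([int]$_.FileSystemRights -band $writeBits) -ne 0
    }

    [pscustomobject]@{
        Share      = $share.Name
        Path       = $share.Path
        ShareGrant = ($openShare | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsWrite  = ($ntfsWrite | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        Verdict    = if ($ntfsWrite) { 'REVIEW: NTFS also grants write to a broad group' }
                     else { 'OK: NTFS is the restricting layer' }
    }
}
```

Only the ACL on the share root is inspected; subfolders with inheritance disabled need their own check.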
