and Advertising users tend to leak information before it should be discussed outside the company. You could create a new share, but the Sales Department users prefer a subfolder of the existing share.
1. Log on to your server as Administrator, if necessary.
2. Open Windows Explorer, and click to open the QData volume and then the Marketing folder. Create a subfolder of the Marketing folder named SalesConf.
3. Open the Properties dialog box of the SalesConf folder, and click the Security tab. Remove the MktgDocs-DL group from the DACL. (Hint: You need to disable inheritance first; be sure to copy existing permissions.)
4. Add the Sales-G group to the DACL, and give the group Read & execute and Write permissions. Click OK until you close the SalesConf folder's Properties dialog box. Note: These steps violate the AGDLP best practice because you didn't use a domain local group to assign permissions. AGDLP is not a hard-and-fast rule, however, but a best practice recommendation. For simplicity's sake, it isn't used in this step.
5. Log on to your Vista computer as advuser1. Open Windows Explorer, and click to open the Marketing share. Try to open the SalesConf folder. You get an "Access is denied" message. Click OK.
6. Log off, and then log on to your Vista computer as salesperson1 using Password02. Open Windows Explorer, and click to open the Marketing share. Verify that you can open the SalesConf folder and create a file named SalesPerson1.
7. Log off your Vista computer.
In this activity, you restricted access to a folder by simply including in the DACL the groups that are allowed access. Although the entire Marketing Department was granted access to the Marketing share, the fact that only the Sales-G group was in the SalesConf DACL effectively blocked all other Marketing Department users from accessing the share's subfolder. Using a Deny permission might have worked, too, but it wasn't necessary in this example. The Deny permission should be used cautiously and only for exceptions. For example, if all members of a group except a few should have access to a resource, those users can be added to a group and the group can be added to the DACL with a Deny permission, as you see in Activity 6-14.
Activity 6-14: Restricting Access with Deny Permissions
Time Required: 15 minutes
Objective: Restrict a single user's access to a folder.
Description: A new employee has just been hired in the Sales Department. Company policy states that all employees must be with the company for a 120-day probationary period before being allowed access to confidential material. This new employee should have access to all nonconfidential material and, therefore, be a member of the global Sales-G group. Your solution is to create a global group called DenySales-G and add new users to this group. You then add this group to the DACL of any confidential folders and assign the Deny Full Control permission. After the user is past the probationary period, you can remove this user account from the DenySales-G group. By using a group instead of the user account to deny access, you don't need to hunt down all the confidential folders and remove the user account from their DACLs.
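The DACL changes from steps 3 and 4 of Activity 6-13 and the Deny Full Control entry for DenySales-G described above, as an added PowerShell example that is not part of the textbook. It assumes the QData volume is mounted as drive Q: and uses CONTOSO as a placeholder for your domain's NetBIOS name; run it on the server as Administrator.

```powershell
# Added example, not from the textbook. Assumptions: the QData volume is drive Q:,
# and CONTOSO stands in for your own domain name.
$folder   = 'Q:\Marketing\SalesConf'
$domain   = 'CONTOSO'
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

# Step 3 hint: disable inheritance but keep a copy of the inherited entries.
# SetAccessRuleProtection(isProtected, preserveInheritance). The copied entries
# become explicit only when the ACL is written, so apply it and read it back
# before trying to remove any of them.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl -Path $folder

# Step 3: remove every entry for MktgDocs-DL, whatever rights it carried
# (RemoveAccessRuleAll matches on identity and Allow/Deny type only).
$mktg = New-Object -TypeName $ruleType -ArgumentList @("$domain\MktgDocs-DL", 'Read', 'Allow')
$acl.RemoveAccessRuleAll($mktg)

# Step 4: Sales-G gets Read & execute plus Write on this folder, its subfolders
# and files, which is what the Security tab applies by default.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$sales = New-Object -TypeName $ruleType -ArgumentList @(
    "$domain\Sales-G", $rights, $inherit, 'None', 'Allow')
$acl.AddAccessRule($sales)

# Activity 6-14: the probationary group is denied Full Control. Deny entries are
# evaluated before Allow entries, so a user who is in both Sales-G and
# DenySales-G is still blocked, which is the behaviour the activity relies on.
$deny = New-Object -TypeName $ruleType -ArgumentList @(
    "$domain\DenySales-G", 'FullControl', $inherit, 'None', 'Deny')
$acl.AddAccessRule($deny)

Set-Acl -Path $folder -AclObject $acl

# Check the result: no MktgDocs-DL entry, Sales-G Allow, DenySales-G Deny,
# and nothing marked as inherited any more.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

To reproduce step 5 without logging on interactively, list the effective entries for advuser1's groups in the output above; the account should match no Allow entry at all, which is why Explorer reports "Access is denied".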
1. Log on to your server as Administrator, if necessary.
2. Open Active Directory Users and Computers. Browse to the Sales OU under the Marketing OU.
3. Create a new global group named DenySales-G. Use the _Sales Template account (created in Chapter 5) to create a user with the full name New Sales1 and logon name newsales1. Assign the password Password01 and click to clear the User must change password at next logon and Account is disabled check boxes.