70-296 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for a W2K MCSE Online Class

Demo Question 10.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory forest that contains several domains each of which further contain child domains. The functional level of the forest is set at Windows Server 2003. A file server named EliteCertify -SR05 hosts a shared folder that is being used by certain users and groups in the domain. Part of you job description includes the management of access to resources on the EliteCertify.com network. You are currently busy reviewing access permissions for this shared folder on EliteCertify -SR05. However, you discover that one entry in the list of security principals is displayed as a Security ID (SID. instead of a user name or even group name that it is supposed to represent. The following exhibit illustrates the access permissions: Exhibit: What could be the cause of this type of display output? (Each correct answer presents a complete solution. Choose three.)

A. The deletion of an incoming trust with an external domain.
B. The deletion of an outgoing trust with an external domain.
C. A disabled user account.
D. A deleted user account.
E. A renamed user account.
F. The absence of domain controllers for the trusting domain due to a network failure.
G. The absence of domain controllers for the trusted domain due to a network failure.


Display Answer

Answer: B, D, G

Explanation: The direction of a trust is from a trusting domain toward a trusted domain, thus a trusting domain has an outgoing trust with a trusted domain. Any user accounts, global and universal groups in the trusted domain are visible and can be assigned permissions for resources in the trusting domain. But if an outgoing trust becomes unavailable due to network failure for instance, then the security principals from the trusted domain that are specified in Access Control Lists (ACLs) are represented by their SIDs and not the common names. SIDs also appears in the ACL whenever a valid user account with the proper permissions for the resource has been deleted. Incorrect answers: A. A trust, per definition, is named from the trusting domain to the trusted domain rendering this option invalid, since it should rather read trusted domain. C. A disabled user account's representation in the ACL does not change. E. A renamed user account's representation is automatically changed to the new user name. F. As per the definition, a trust is named from the trusting domain to the trusted domain, thus this is incorrect to talk about the trusting domain. Instead the option should read the trusted domain.