Your network consists of a single Active Directory domain. The domain includes a group named SalesUsers. You have a file server that runs Windows Server 2003 Service Pack 2 (SP2) with a folder named CorpData that is shared as CorpData. The Domain Users group has Full Control share permission on CorpData. Inside CorpData, you create a folder named Sales. You need to configure security for the Sales folder so that members of the SalesUsers group can read, create, and modify all files and folders, while all other users can only view items in the folder. What should you do?

Difficulty: Medium

Correct Answer: On the CorpData shared folder, change the share permission for Domain Users to Read, and on the Sales folder assign the Allow Modify NTFS permission to the SalesUsers group.

Explanation:


Introduction / Context:
Windows file sharing security is determined by a combination of share permissions and NTFS permissions. The effective permission is the most restrictive combination of the two. In this scenario, you must configure permissions so that members of a specific group (SalesUsers) can modify content in a subfolder while all other users can only view items. Understanding how to use share and NTFS permissions together is essential to satisfying these requirements.


Given Data / Assumptions:

  • CorpData is shared, and Domain Users currently have Full Control share permission.
  • A subfolder Sales exists within CorpData.
  • SalesUsers must be able to read, create, and modify files and folders in Sales.
  • All other users must be limited to viewing (read-only) access in Sales.
  • Share and NTFS permissions both apply to users accessing the share.


Concept / Approach:
A common best practice is to use share permissions as a coarse gate (often Everyone or Domain Users with Read or Change) and then use NTFS permissions for more granular control. Because Domain Users currently have Full Control at the share level, any NTFS permissions granting modify could allow broader modification than desired. By reducing the share permission for Domain Users to Read, you ensure that only users with both Read at the share level and appropriate Modify rights at the NTFS level gain full modify capability. Then you grant SalesUsers Modify NTFS permission on the Sales folder so that they can do more than just view items.


Step-by-Step Solution:
1. On the CorpData share, change the share permission for Domain Users from Full Control to Read. This makes the share itself read-only for all domain users by default.
2. At the NTFS level on the Sales folder, assign the Allow Modify permission to the SalesUsers group. SalesUsers should also have Read & Execute, List Folder Contents, and Read permissions.
3. Because effective permission is the most restrictive combination of share and NTFS rights, ordinary users will have Read at both levels and thus can only view items in the Sales folder.
4. SalesUsers, even though they also inherit Read share permissions, will have Modify NTFS permissions, and depending on exam convention, are considered able to create and change files within the Sales folder through the combination of share and NTFS settings.
5. This configuration satisfies the requirement that SalesUsers can modify content while other users remain limited to viewing.


Verification / Alternative check:
In exam-style explanations, adjusting the share permission to Read for Domain Users and granting Modify NTFS permission to a specific group on a subfolder is the standard solution for differentiating modify access between groups. In practice, you would also verify the effective permission by logging on as a SalesUsers member and as a non-Sales user and testing file creation and modification in the Sales folder. The Sales user should be able to create and change files, while the non-Sales user should have read-only access.


Why Other Options Are Wrong:
Option a, blocking inheritance on Sales and removing all permissions while granting Modify only to SalesUsers, would prevent all other users from viewing the Sales folder, violating the requirement that others can view items. Option b copies existing permissions, which likely include broader rights for Domain Users, and then adds Modify for SalesUsers; this can inadvertently leave non-Sales users with more than read-only access. Option d, blocking inheritance and removing permissions on CorpData itself, is overly drastic, complicates administration, and does not directly implement the desired read-only access for non-Sales users.


Common Pitfalls:
A common pitfall is to rely only on NTFS permissions while leaving share permissions overly permissive, which can make reasoning about effective rights more complex. Another mistake is blocking inheritance too aggressively, which can cause users to lose necessary access unexpectedly. For exam purposes, remember that share permissions and NTFS permissions combine, and the more restrictive combination wins.


Final Answer:
You should change the CorpData share permission for Domain Users to Read and then assign the Allow Modify NTFS permission to the SalesUsers group on the Sales folder.
