You will be required to manage the resources of your company's computer systems. This includes creating and deleting users and groups. You should know how to set permissions on resources and how to ensure a proper security model is in place.
Creating user accounts and groups is accomplished through the User Manager for Domains. There are several built-in accounts you should be familiar with. There are two types of groups: local and global. Local groups are only pertinent on the local domain, while global groups can span multiple domains. A user can belong to multiple groups at the same time.
Built-in Groups on Domain Controllers
Passwords - You can specify that a user's password follow certain rules, including how old it can be, a minimum length, and uniqueness (so a user can't just use the same password over and over). You can also set an account lockout after a user enters the incorrect password a certain number of times. This helps keep out attackers who attempt to get into your system using brute force methods.
Auditing - Auditing is enabled through User Manager for Domains. You can then view the audited events in the Event Viewer. The default for all accounts is Do Not Audit. The events you can audit are included below:
You may want to implement a domain-wide user policy. You do this by creating the profile and then placing it in the WinNT\System32\Repl\Export\Scripts\default user directory on the PDC.
You can also create roaming profiles by specifying the location of the profile on a Domain Controller and configuring the user account (through User Manager for Domains) to access it when the user logs on.
To create a mandatory profile, create the profile and assign it to the user just as you would a roaming profile, then change the name from NTuser.dat to NTuser.man.
Policies are applied to users in a predetermined manner and you should be familiar with it for the exam. The order is Individual User Policy => Group Policy => Default User Policy.
Permissions - Permissions are cumulative, but when a resource is accessed locally the least restrictive permission takes precedence, and when it is accessed remotely the most restrictive takes precedence. No Access is the only exception.
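The resolution rules above, worked through as an added example (not part of the original notes). It assumes a simplified model in which permissions are four ordered levels, and the user, group names and ACLs are constructed sample data.

```python
# Added illustration: simplified model of NT 4.0 permission resolution.
# Assumption: permissions are four ordered levels; real NTFS ACLs hold
# individual rights (R, W, X, D, P, O) rather than a single level.
LEVELS = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}
NAMES = {value: name for name, value in LEVELS.items()}


def cumulative(acl, principals):
    """Combine every ACL entry that names the user or one of its groups.

    The highest grant wins (permissions are cumulative), except that a
    single No Access entry overrides all other grants. If no entry
    matches, nothing was granted and the result is also no access.
    """
    granted = [LEVELS[acl[p]] for p in principals if p in acl]
    if not granted or LEVELS["No Access"] in granted:
        return LEVELS["No Access"]
    return max(granted)


def effective_access(principals, ntfs_acl, share_acl=None, remote=False):
    """Return the permission level a user ends up with on a resource.

    Local access is governed by the NTFS ACL alone. Remote access goes
    through a share, so the more restrictive of the share result and
    the NTFS result applies.
    """
    ntfs = cumulative(ntfs_acl, principals)
    if not remote:
        return NAMES[ntfs]
    if share_acl is None:  # not shared, so not reachable over the network
        return NAMES[LEVELS["No Access"]]
    return NAMES[min(cumulative(share_acl, principals), ntfs)]


# Constructed sample data: a user and the groups it belongs to.
jsmith = {"jsmith", "Sales", "Everyone"}
ntfs_acl = {"Sales": "Change", "Everyone": "Read"}
share_acl = {"Everyone": "Read"}

if __name__ == "__main__":
    print("local :", effective_access(jsmith, ntfs_acl))
    print("remote:", effective_access(jsmith, ntfs_acl, share_acl, remote=True))
    # Adding the user to a group that holds No Access removes all access.
    temp_user = jsmith | {"Temps"}
    denied_acl = dict(ntfs_acl, Temps="No Access")
    print("denied:", effective_access(temp_user, denied_acl))
```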
Levels of share security
Moving and Copying in partitions
I had a lot of trouble understanding the difference between moving across a partition and copying.
If you move within a partition, you just update the pointers to the file, so the file will retain its original permissions.
If you copy within a partition then you create a new file so the file inherits the permissions of the target folder.
Moving to another partition creates a new file, so the file inherits the permissions from the target folder.