PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com.
The network contains a file server named Server1 that runs Windows Server 2012 R2.
You create a folder named Folder1.
You share Folder1 as Share1.
The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit button.)

The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)

Members of the IT group report that they cannot modify the files in Folder1.
You need to ensure that the IT group members can modify the files in Folder1.
The solution must use central access policies to control the permissions.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)

A. On the Classification tab of Folder1, set the classification to Information Technology.

B. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.

C. On Share1, assign the Change Share permission to the IT group.

D. On the Security tab of Folder1, remove the permission entry for the IT group.

E. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.

Explanation:
Central access policies for files enable organizations to centrally deploy and manage authorization
policies that include conditional expressions that use user groups, user claims, device claims, and
resource properties. (Claims are assertions about the attributes of the object with which they are
associated). For example, to access high-business-impact (HBI) data, a user must be a full-time
employee, obtain access from a managed device, and log on with a smart card. These policies are
defined and hosted in Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/hh846167.aspx
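
The HBI example from the explanation, as an added sketch that is not part of the original page or of any Microsoft code: a simplified Python model in which share permissions, NTFS permissions and each applicable central access rule can only narrow access. The access levels, group names, claim names and the treatment of smart card logon as a user claim are assumptions made for illustration.

```python
"""Simplified model of an access check that includes a central access policy."""
from dataclasses import dataclass

NONE, READ, MODIFY, FULL = 0, 1, 2, 3  # ordered levels standing in for access masks

@dataclass
class Rule:
    target: dict       # resource properties a file must carry for the rule to apply
    condition: object  # conditional expression over (user claims, device claims)
    grants: int        # level the rule allows when the condition is true

def acl_level(acl, groups):
    """Highest level granted to any of the caller's groups (allow-only ACL)."""
    return max((lvl for grp, lvl in acl.items() if grp in groups), default=NONE)

def effective_access(groups, user, device, share_acl, ntfs_acl, resource, policy):
    """Intersect share and NTFS access, then apply every rule that targets the resource."""
    level = min(acl_level(share_acl, groups), acl_level(ntfs_acl, groups))
    for rule in policy:
        # A rule is evaluated only when the resource matches its target properties.
        if all(resource.get(k) == v for k, v in rule.target.items()):
            ok = rule.condition(user, device)
            level = min(level, rule.grants if ok else NONE)
    return level

# Constructed sample data (hypothetical names and values).
HBI_RULE = Rule(
    target={"Impact": "HBI"},
    condition=lambda u, d: (u.get("EmploymentType") == "FullTime"
                            and u.get("SmartCardLogon") is True
                            and d.get("Managed") is True),
    grants=MODIFY,
)
SHARE_ACL = {"Everyone": FULL}
NTFS_ACL = {"Staff": MODIFY, "Auditors": READ}
FTE = {"EmploymentType": "FullTime", "SmartCardLogon": True}
MANAGED = {"Managed": True}
HBI_FILE = {"Impact": "HBI"}

if __name__ == "__main__":
    staff = {"Everyone", "Staff"}
    for device in (MANAGED, {"Managed": False}):
        print(device, effective_access(staff, FTE, device, SHARE_ACL,
                                       NTFS_ACL, HBI_FILE, [HBI_RULE]))
```
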

8 Comments on “Which two actions should you perform?”

  1. Franc says:

    I think the answer should be

    A: set classification to … on Folder1
    Here we make the Classification available for use

    B: On the Security tab of Folder1, add a conditional expression to the existing permission entry for
    the IT group.
    Here we use the Classification to set the permissions




    0



    0
  2. Franc says:

    New Insight.

    I still will go with A: Set classification to … on Folder1;

    But for the second answer I go with D: On security Tab…..IT Group.

    As DAC does not overwrite NTFS and/or Share perms, the Adatum/IT group still has READ perms.




    3



    0
  3. Dirk says:

    But removing the Read NTFS permission, then would not allow the DAC permissions. From my understanding if they don’t have READ access then they can add an DAC permissions.

    https://www.petri.com/dynamic-access-control-dac-configure-deploy-central-access-policy
    Before users can access files, any existing NTFS permissions must allow that access. If a conditional expression exists, the result of all expressions must be true for a given user or device before access is granted. Conditional expressions are processed after and in addition to NTFS permissions.

    So my answer would be A&B.
    Let the IT users have READ, so that the DAC permissions can apply and give them modify.




    0



    0
  4. Chris says:

    Best Answer is B & C

    I just spent probably an hour or so playing with the settings to confirm how it is actually working, and the supplied answer seems to be wrong.

    This rule is not checking for a condition of matching user Department & Classification Department. It is checking if the user has a specific Department value of “Information Technology” assigned to his user ID. As such folder classification value does not come into play.
    Authenticated Users is not being granted any rights to the share folder via the Central Access Rule regardless of condition. As such Authenticated Users does not come into play.

    The IT group needs to be granted Modify access & a condition needs to be added to it. Answer C states Change access, but it should be Modify access based on the question.




    0



    0
      1. Chris says:

        A & B would work, if B actually means Change the security permission of the IT group to Modify, and add a Conditional Expression of User Department Equals Resource Department.

        I think I take these questions too literally sometimes. Just like when an answer for the CAs states duplicate a template and they actually mean duplicate a template and modify any setting in it on any tab.




        0



        0

Leave a Reply