Your network contains an Active Directory domain named contoso.com. The network contains a file
server named Server1 that runs Windows Server 2012 R2. You create a folder named Folder1. You share
Folder1 as Share1.
The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit button.)
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit
button.)
Members of the IT group report that they cannot modify the files in Folder1. You need to ensure that
the IT group members can modify the files in Folder1. The solution must use central access policies to
control the permissions. Which two actions should you perform? (Each correct answer presents part of
the solution. Choose two.)
A.
On the Security tab of Folder1, remove the permission entry for the IT group.
B.
On the Classification tab of Folder1, set the classification to “Information Technology”.
C.
On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.
D.
On Share1, assign the Change Share permission to the IT group.
E.
On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group.
Explanation:
A: On the Security tab of Folder1, remove the permission entry for the IT group. => tested => it failed of
course, users don’t even have read permissions anymore
D: On Share1, assign the Change share permission to the IT group =>Everyone already has the full
control share permission => won’t solve the problem which is about the NTFS Read permission
E: On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group=> how could a condition, added to a read permission, possibly transform a read to a modify
permission? If they had said “modify the permission and add a conditional expression” => ok (even if
that’s stupid, it works) a condition is Applied to the existing permissions to filter existing access to only
matching users or groups so if we Apply a condition to a read permission, the result will only be that less
users (only them matching the conditions) will get those read permissions, which actually don’t solve the
problem neither so only one left:
C: On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group => for
sure it works and it’s actually the only one which works, but what about security? well i first did not
consider this method => “modify” permission for every single authenticated users? But now it looks very
clear:
THE MORE RESTRICTIVE PERMISSION IS ALWAYS THE ONE APPLIED!! So “Modify” for Authenticated
Users group and this will be filtered by the DAC who only allows IT group. and it matches the current
settings that no other user (except admin, creator owner, etc…) can even read the folder. and this link
confirms my theory:
http://autodiscover.wordpress.com/2012/09/12/configuring-dynamic-access-controlsandfileclassificationpart4-winservr-2012-dac-microsoft- mvpbuzz/
Configuring Dynamic Access Controls and File Classification
Note:
In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then
DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC
grants him access.
And if this can help, a little summary of configuring DAC:
