PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named adatum.com. All domain controllers run
Windows Server 2008 R2.
The domain contains a file server named Server6 that runs Windows Server 2012 R2. Server6
contains a folder named Folder1. Folder1 is shared as Share1. The NTFS permissions on Folder1 are
shown in the exhibit. (Click the Exhibit button.)

The domain contains two global groups named Group1 and Group2.
You need to ensure that only users who are members of both Group1 and Group2 are denied access
to Folder1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)

A.
Remove the Deny permission for Group1 from Folder1.

B.
Deny Group2 permission to Folder1.

C.
Install a domain controller that runs Windows Server 2012 R2.

D.
Create a conditional expression.

E.
Deny Group2 permission to Share1.

F.
Deny Group1 permission to Share1.

Explanation:
* Conditional Expressions for Permission Entries
Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a
conditional access permission entry. Windows Server 2012 R2 takes advantage of conditional access
permission entries by inserting user claims, device claims, and resource properties, into conditional
expressions. Windows Server 2012 R2 security evaluates these expressions and allows or denies
access based on results of the evaluation. Securing access to resources through claims is known as
claims-based access control. Claims-based access control works with traditional access control to
provide an additional layer of authorization that is flexible to the varying needs of the enterprise
environment.
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducingdynamicaccesscontrol-en-us.aspx
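
How an unconditional Deny entry for Group1 and a conditional Deny entry interact, shown as an added example (not part of the original page or of Windows itself): a simplified Python model of DACL evaluation for a single requested right. The exhibit is not reproduced on the page, so the `Everyone` allow entry, the sample users and the placeholder SIDs in the SDDL comment are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

Token = FrozenSet[str]  # group names stand in for the SIDs in an access token

@dataclass(frozen=True)
class Ace:
    kind: str                                            # "deny" or "allow"
    trustee: str                                         # group the ACE names
    condition: Optional[Callable[[Token], bool]] = None  # conditional expression

def member_of(*groups: str) -> Callable[[Token], bool]:
    """Model of Member_of: true only when the token holds every listed group."""
    required = frozenset(groups)
    return lambda token: required <= token

def has_access(dacl: List[Ace], token: Token) -> bool:
    """For one requested right, the first applicable ACE decides; no match denies."""
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.condition is not None and not ace.condition(token):
            continue  # a conditional ACE whose expression is false is skipped
        return ace.kind == "allow"
    return False

# Assumption: a single "allow Everyone" entry stands in for whatever
# grants access in the exhibit, which the page does not reproduce.
ALLOW = Ace("allow", "Everyone")
# SDDL shape of the conditional deny, with placeholder SIDs:
#   (XD;;FA;;;WD;(Member_of {SID(<Group1-SID>), SID(<Group2-SID>)}))
DENY_IF_BOTH = Ace("deny", "Everyone", member_of("Group1", "Group2"))

DACLS = {
    "as shown (deny Group1)": [Ace("deny", "Group1"), ALLOW],
    "D without A": [Ace("deny", "Group1"), DENY_IF_BOTH, ALLOW],
    "A and D": [DENY_IF_BOTH, ALLOW],
}
USERS = {  # constructed sample users
    "group1_only": frozenset({"Everyone", "Group1"}),
    "group2_only": frozenset({"Everyone", "Group2"}),
    "both": frozenset({"Everyone", "Group1", "Group2"}),
    "neither": frozenset({"Everyone"}),
}

def denied_users(dacl: List[Ace]) -> List[str]:
    return sorted(name for name, tok in USERS.items() if not has_access(dacl, tok))

if __name__ == "__main__":
    for label, dacl in DACLS.items():
        print(f"{label:24} denies {denied_users(dacl)}")
```

As long as the unconditional Deny for Group1 stays in the list, users who are in Group1 only remain locked out, whatever conditional entry is added next to it.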

12 Comments on “Which two actions should you perform?”

  1. lukeguyballer says:

    ah it is set to deny so really you’d need all three… stupid question.
    Prerequisites
    Claims-based authorization and auditing requires:

    • Windows Server 2012

    • At least one Windows Server 2012 domain controller accessible by the Windows client in the user’s domain

    • At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust

    • Windows 8 client (required when using device claims)
    http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx




  2. Matt says:

    Actually, A and D are correct. You do not need a 2012 R2 domain controller for group-based central access control. You simply need the schema to be updated to 2012. You can update 2008 to 2012 schema without having any 2012 DCs. So you can have an environment that supports group-based conditional access with a 2012 R2 file server and 2008 R2 DCs as long as the DCs have been updated to the 2012 schema. If you want to use user claims, you need a 2012 DC.

    “To use Dynamic Access Control with security groups you need the following in your environment:

    A Windows Server 2012 File Server

    A domain with a Windows Server 2012 schema (so that you can define central access policies)”

    https://technet.microsoft.com/en-us/library/hh831366.aspx




    1. Dick Shaftley says:

      …but D implies DAC, and you need 2012 functional level to use DAC, even with a 2012 R2 file server. Raising a domain functional level without having an associated DC of that (or higher) level is not a standard practice for production use and is not supported by Microsoft.




  3. Ex says:

    DAC uses enhanced security descriptors introduced in Windows Server 2008 R2 and Windows 7 to allow conditional expressions in user and device claims and
    resource properties. This allows a file resource, for example, to be limited to members of the sales department who reside in Canada.

    See https://redmondmag.com/articles/2013/08/01/implement-the-new-windows-server-2012-dac.aspx.

    So in order to use conditional expressions, 2008R2 is enough, you don't need to install DC that runs W2012 R2.

    You need to ensure that only users who are members of both Group1 and Group2 are denied access
    to Folder1. User must be member of both groups, so condition is IF user is member of Group1 AND Group2,
    so you need to Remove the Deny permission for Group1 from Folder1, because Users who are members of only Group1 should
    have access to Folder1.

    Correct answers are : A,D.




  4. Khozi says:

    Ex is right. You can use DAC in a domain with only 2008 servers, but a schema update is required. The file server needs to be 2012/R2.
    So the correct answer, as provided above, is A and D.




  5. Luca says:

    Hello folks,

    Should be C and D.

    https://technet.microsoft.com/en-us/library/dn408191(v=ws.11).aspx

    “Applies To: Windows Server 2012 R2, Windows Server 2012”; “Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.”




  6. potpal says:

    C and D

    http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx

    Prerequisites

    Claims-based authorization and auditing requires:

    • Windows Server 2012

    • At least one Windows Server 2012 domain controller accessible by the Windows client in the user’s domain

    • At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust
    • Windows 8 client (required when using device claims)




  7. kyo says:

    I disagree with C and D.

    I would pick C and D ONLY if Group1 did not appear on the permissions tab at all. Since Group1 has explicit deny permissions, if you go for C and D it will not work. A is a must.

    As Ex explained above, you don’t need a 2012 DC to perform this action, therefore A and D is the correct answer in this case.

    Again, if Group1 did not appear at all on the permissions tab, I would’ve gone for C and D, since having a 2012 schema and running only 2008R2 servers is not really a good practice.



