PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

You have an Active Directory Rights Management Services (AD RMS) cluster.
You need to prevent users from encrypting new content. The solution must ensure that the users
can continue to decrypt content that was encrypted already.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)


A.
From the Active Directory Rights Management Services console, enable decommissioning.

B.
From the Active Directory Rights Management Services console, create a user exclusion policy.

C.
Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing.

D.
Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission.

E.
From the Active Directory Rights Management Services console, modify the rights policy
templates.

Explanation:
* Decommissioning refers to the entire process of removing the AD RMS cluster and its associated
databases from an organization. This process allows you to save rights-protected files as ordinary
files before you remove AD RMS from your infrastructure so that you do not lose access to these
files.
Decommissioning an AD RMS cluster is achieved by doing the following:
/ Enable the decommissioning service. (A)
/ Modify permissions on the decommissioning pipeline.
/ Configure the AD RMS-enabled application to use the decommissioning pipeline.
* To modify the permissions on the decommissioning pipeline
1. Log on to ADRMS-SRV as cpandl\administrator.
2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and then
press ENTER.
3. Right-click the decommission folder, and then click Properties.
4. Click the Security tab, click Edit, and then click Add. (D)
Etc. Step 1: Decommission AD RMS Root Cluster
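
The permission change in step 4 is easier to verify if the folder ACLs are recorded before and after it. The following read-only PowerShell audit is an added example, not part of the original page or of Microsoft's procedure. It lists the NTFS access rules on the `licensing` and `decommission` folders named above and warns when a broad group holds an Allow entry on the decommissioning pipeline. Treating Everyone, Authenticated Users, BUILTIN\Users and Domain Users as "broad" is this example's assumption.

```powershell
# Added example: read-only audit of the AD RMS pipeline folder ACLs.
# Run in an elevated PowerShell session on the AD RMS server.
$root      = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs'
$pipelines = 'licensing', 'decommission'

# Well-known SIDs treated as "broad" principals (assumption of this example).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PipelineAcl {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    $acl     = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so the check does not depend on localized names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        try   { $name = $rule.IdentityReference.Translate($ntType).Value }
        catch { $name = $sid }   # orphaned SID: keep the raw value
        [pscustomobject]@{
            Folder    = Split-Path -Path $Path -Leaf
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
            # Domain Users is the domain SID followed by RID 513.
            Broad     = $broadSids.ContainsKey($sid) -or $sid -match '^S-1-5-21-[\d-]+-513$'
        }
    }
}

$report = foreach ($p in $pipelines) {
    $path = Join-Path $root $p
    if (Test-Path -LiteralPath $path -PathType Container) { Get-PipelineAcl -Path $path }
    else { Write-Warning "Folder not found: $path" }
}

$report | Sort-Object Folder, Identity | Format-Table -AutoSize

# Flag broad Allow entries on the decommissioning pipeline for review.
$report |
    Where-Object { $_.Folder -eq 'decommission' -and $_.Broad -and $_.Type -eq 'Allow' } |
    ForEach-Object { Write-Warning "Broad access on decommission: $($_.Identity) ($($_.Rights))" }
```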

11 Comments on “Which two actions should you perform?”

    1. kyo says:

      No. It’s not correct. Your article describes the steps of decommissioning an AD RMS cluster.

      Why do you have to decommission the whole cluster just to prevent some lousy users from encrypting new content? Correct answer is BE.

      Think about it this way – you need to prevent new users from accessing adatum.com domain. What do you do? Decommission all DCs? NO – you can simply create the accounts as disabled.

      I don’t understand this faulty logic according to which if you need to prevent something from happening you simply uninstall the feature/decommission a server or hell – burn it to the ground – that should prevent stuff! Wtf.




      1. den says:

        I think there were just some nerd dudes missing the point to teach from scratch when sharing their web links…

        After consuming this:
        https://technet.microsoft.com/en-us/library/jj590750(v=ws.11).aspx
        I think I got it: encryption is the baseline for ADRMS to work, because protected documents are ALWAYS encrypted when using ADRMS.
        So, disabling the encryption and reverting encryption of documents is like equivalent to decommissioning ADRMS completely. You just cannot have a fully operating ADRMS infrastructure without encryption.

        In addition, take a look at these screenshots; this is what you get and what to consider in short when decommissioning:
        http://www.msxfaq.de/signcrypt/rms07.gif
        http://www.msxfaq.de/signcrypt/rms08.gif




  1. fark70-412 says:

    It’s B and E. If you decommission the RMS cluster then any user can access any content with changes made to IIS virtual directories.

    The question states “The solution must ensure that the users can continue to decrypt content that was encrypted already.” which is already possible, but the question requires users not to be able to encrypt, so B, an exclusion policy, can be used to prevent users from encrypting new content.

    I’m going to do a lab and see where E comes in also, but basically the other answers are to do with decommissioning, which would defeat the purpose of RMS protection for users with a EUL to be able to decrypt.




  2. pikapoka says:

    A hard one, but from what I managed to learn while looking for pro/cons for either B&E or A&D, I’m voting for B&E.
    There is one simple explanation:

    Decommissioning refers to the entire process of removing the AD RMS cluster and its associated databases from an organization. This process allows you to save rights-protected files as ordinary files before you remove AD RMS from your infrastructure so that you do not lose access to these files.

    If we do that, that means that all files including the encrypted ones will become “normal” files.
    We are NOT ASKED to change the files!
    We are asked to ALLOW users to decrypt file content that is still encrypted while at the same time they are NOT allowed to create a new encrypted file.




  3. User says:

    The question is related to decommissioning AD RMS. If you decommission AD RMS, users will not be able to encrypt any content but will still be able to decrypt contents that were encrypted previously.
    To decommission AD RMS two things should be done:
    1- Modify the file “decommissioning.asmx” which is located in %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
    2- Enable “Decommissioning” in AD RMS console under “Security policies”.

    https://technet.microsoft.com/en-us/library/cc754967(v=ws.11).aspx



