Yournetwork contains an Active Directory domain named adatum.com.
All domain controllers run Windows Server 2008 R2.
The domain contains a file server named Server6 that runs Windows Server 2012 R2.
Server6 contains a folder named Folder1. Folder1 is shared as Share1.
The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)
The domain contains two global groups named Group1 and Group2.
You need to ensure that only users who are members of both Group1 and Group2 are denied access
to Folder1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)
A.
Remove the Deny permission for Group1 from Folder1.
B.
Deny Group2 permission to Folder1.
C.
Install a domain controller that runs Windows Server 2012 R2.
D.
Create a conditional expression.
E.
Deny Group2 permission to Share1.
F.
Deny Group1 permission to Share1.
Explanation:
* Conditional Expressions for Permission Entries Windows Server 2008 R2 and Windows 7 enhanced
Windows security descriptors by introducing a conditional access permission entry. Windows Server
2012 R2 takes advantage of conditional access permission entries by inserting user claims, device
claims, and resource properties, into conditional expressions. Windows Server 2012 R2 security
evaluates these expressions and allows or denies access based on results of the evaluation.
Securing access to resources through claims is known as claims-based access control. Claims-based
access control works with traditional access control to provide an additional layer of authorization
that is flexible to the varying needs of the enterprise environment.
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccesscontrol-en-us.aspx
Why wouldn’t the Deny be removed as well? (A)
2
0
There must be at least one DC running 2012 R2 in the domain. As stated here:
http://windowsitpro.com/windows-8/q-what-are-domain-requirements-use-dynamic-access-control-dac-windows-8
But I agree that deny should be removed
0
0
Nope. Nobody is asking you to allow users who only belongs to group 1 to access the shared folder.
0
1
Answer Above seems correct:
“Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a conditional access permission entry. Windows Server 2012 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties, into conditional expressions. Windows Server 2012 security evaluates these expressions and allows or denies access based on results of the evaluation. Securing access to resources through claims is known as claims-based access control.”
https://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx
Should be: Upgrade the domain functional level to Server 2012(R2)
(C, D)
Install Server 2012 R2
Create a conditional Expression
1
0
This is a really bad question. It asks to ensure that ONLY users that are a member of BOTH group 1 and group 2 be denied. Until the deny permission is removed, every member of group 1 will be denied regardless of if they are in group 2 or not, so to meet the requirement, you must remove the deny to group 1. I am in agreement that C and D also need to be completed, so to meet the requirement, 3 things must be done, A, c, & D.
1
0
Answer: C & D
Not sure why people are referencing the remove deny permission, since it isn’t showing any deny permissions in the image. Perhaps the image was updated at some point?
1
2
Group1 is denied read and execute. Look at the left column where it would have either Deny or Allow. Group1 is set to “Deny”
1
0