Your network contains an Active Directory domain named contoso.com.
The network contains a file server named Server1 that runs Windows Server 2012 R2.
You create a folder named Folder1.
You share Folder1 as Share1. The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the
Exhibit button.)
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)
Members of the IT group report that they cannot modify the files in Folder1.
You need to ensure that the IT group members can modify the files in Folder1.
The solution must use central access policies to control the permissions.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. On the Classification tab of Folder1, set the classification to Information Technology.
B. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.
C. On Share1, assign the Change Share permission to the IT group.
D. On the Security tab of Folder1, remove the permission entry for the IT group.
E. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.
Explanation:
Central access policies for files enable organizations to centrally deploy and manage authorization policies that
include conditional expressions that use user groups, user claims, device claims, and resource properties.
(Claims are assertions about the attributes of the object with which they are associated.)
For example, to access high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed device, and log on with a smart card.
These policies are defined and hosted in Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/hh846167.aspx
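
The evaluation described in the explanation above, as an added example (not part of the original page and not Windows code): a simplified Python model in which a central access rule applies only when its target resource condition matches the resource, and can only narrow what the share and NTFS permissions already grant. The claim, property and group names are constructed for the example, and deny ACEs are left out.

```python
# Added illustration: a simplified model of CAP evaluation, not Windows code.
# Attribute and group names below are constructed for the example.
from dataclasses import dataclass
from typing import Callable

READ, MODIFY = "read", "modify"

@dataclass
class Request:
    user: dict      # user claims plus group memberships
    device: dict    # device claims
    resource: dict  # resource properties (the file's classification)

@dataclass
class CentralAccessRule:
    name: str
    applies_to: Callable[[dict], bool]   # target resource condition
    permits: Callable[[Request], set]    # rights its conditional expressions grant

def hbi_permits(req: Request) -> set:
    """The explanation's HBI example: full-time employee + managed device + smart card."""
    ok = (req.user.get("employment_type") == "FTE"
          and req.device.get("managed") is True
          and req.user.get("smartcard_logon") is True)
    return {READ, MODIFY} if ok else set()

HBI_RULE = CentralAccessRule(
    "HBI data", lambda res: res.get("impact") == "HBI", hbi_permits)

def acl_rights(acl: dict, groups: set) -> set:
    """Union of the allow entries for every group the user belongs to."""
    rights = set()
    for group, granted in acl.items():
        if group in groups:
            rights |= granted
    return rights

def effective_rights(req, share_acl, ntfs_acl, policy) -> set:
    """Share, NTFS and every applicable central access rule must all allow."""
    groups = req.user["groups"]
    rights = acl_rights(share_acl, groups) & acl_rights(ntfs_acl, groups)
    for rule in policy:
        if rule.applies_to(req.resource):   # skipped when the resource does not match
            rights &= rule.permits(req)
    return rights

# Constructed sample data.
SHARE = {"Everyone": {READ, MODIFY}}
NTFS = {"Staff": {READ, MODIFY}}
ALICE = {"groups": {"Everyone", "Staff"}, "employment_type": "FTE", "smartcard_logon": True}
```
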
The provided answer is wrong. Correct answer is D and E.
There is no need to modify the classification tab in the file properties because the Information Technology classification is already applied via the central access policy. Evidence of this is the “Resource Properties” icon near the top right corner of the advanced security permissions. If the classification was not applied, that little dropdown would not be there.
That leaves us with modifying the security permissions. Members of the IT group report that they cannot modify the files in Folder1; they can only read them. This gives us evidence that the most restrictive of the permissions are being applied. You could just modify the permissions of the IT group to modify, but then permissions would be applied through NTFS, not the CAP. In this case, our IT group should get the desired permissions through the Central Access Policy that is shown. This is being held back by the Read only permission on the NTFS side for the IT group. IN THIS CASE, we must remove the IT group from the security tab in order to remove this restriction (Answer D).
The only other possible answer is giving Authenticated Users the modify permission. This way, all authenticated users would be able to modify the folder, but are restricted by the CAP (answer E).
0
6
AE are correct:
A) to match the Central Access Rule with the shared folder
E) To configure DAC, you normally want to select Authenticated Users as the principal (after Exam Ref book).
1
0
Given answer is correct. Question states that solution must use central access policies, so A and E.
3
0