PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com.
The network contains a file server named Server1 that runs Windows Server 2012 R2.
You create a folder named Folder1.
You share Folder1 as Share1. The NTFS permissions on Folder1 are shown in the Folder1
exhibit. (Click the Exhibit button.)

The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit. (Click the
Exhibit button.)

Members of the IT group report that they cannot modify the files in Folder1.
You need to ensure that the IT group members can modify the files in Folder1.
The solution must use central access policies to control the permissions.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)


A.
On the Classification tab of Folder1, set the classification to Information Technology.

B.
On the Security tab of Folder1, add a conditional expression to the existing permission entry for
the IT group.

C.
On Share1, assign the Change Share permission to the IT group.

D.
On the Security tab of Folder1, remove the permission entry for the IT group.

E.
On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.

Explanation:
Central access policies for files enable organizations to centrally deploy and manage authorization
policies that include conditional expressions that use user groups, user claims, device claims, and
resource properties.
(Claims are assertions about the attributes of the object with which they are associated.)
For example, to access high-business-impact (HBI) data, a user must be a full-time employee,
obtain access from a managed device, and log on with a smart card.
These policies are defined and hosted in Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/hh846167.aspx
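
The following is an added example, not part of the original page or of Microsoft's documentation: a simplified Python model of how share permissions, NTFS permissions and a central access rule combine into effective access. The ACL contents, the rule's target condition and the HR user are assumptions standing in for the exhibits, which are not reproduced on this page.

```python
# Simplified model of the access decision (not the Windows access-check code).
# All ACL contents below are constructed; the page's exhibits are not available.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write", "delete"})
FULL = MODIFY | {"change_permissions"}

def granted(entries, groups):
    """Union of rights from allow entries whose group the user belongs to."""
    rights = set()
    for group, entry_rights in entries:
        if group in groups:
            rights |= entry_rights
    return rights

def effective_access(groups, share, ntfs, rules, resource_props):
    """Intersect share, NTFS and each central access rule that targets the resource."""
    rights = granted(share, groups) & granted(ntfs, groups)
    for rule in rules:
        # A rule applies only if the folder's classification matches its target condition.
        if all(resource_props.get(k) == v for k, v in rule["target"].items()):
            rights &= granted(rule["permissions"], groups)
    return rights

SHARE = [("Everyone", FULL)]
NTFS_AS_IS = [("IT", READ)]                                   # assumed exhibit content
NTFS_WITH_E = NTFS_AS_IS + [("Authenticated Users", MODIFY)]  # option E
RULE = {"target": {"Department": "Information Technology"},   # assumed rule
        "permissions": [("IT", MODIFY)]}
CLASSIFIED = {"Department": "Information Technology"}         # option A
IT_USER = {"Everyone", "Authenticated Users", "IT"}
HR_USER = {"Everyone", "Authenticated Users", "HR"}           # hypothetical non-IT user

def scenarios():
    """Effective rights for each combination discussed on the page."""
    return {
        "as_is_it": effective_access(IT_USER, SHARE, NTFS_AS_IS, [RULE], {}),
        "a_only_it": effective_access(IT_USER, SHARE, NTFS_AS_IS, [RULE], CLASSIFIED),
        "a_and_e_it": effective_access(IT_USER, SHARE, NTFS_WITH_E, [RULE], CLASSIFIED),
        "a_and_e_hr": effective_access(HR_USER, SHARE, NTFS_WITH_E, [RULE], CLASSIFIED),
        # E without A: the rule never applies, so NTFS alone decides.
        "e_only_hr": effective_access(HR_USER, SHARE, NTFS_WITH_E, [RULE], {}),
    }

if __name__ == "__main__":
    for name, rights in scenarios().items():
        print(f"{name:12} {sorted(rights)}")
```

The model covers only the classification and NTFS-grant path; conditional expressions placed directly on an NTFS permission entry are not modelled.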

14 Comments on “Which two actions should you perform?”

    1. John says:

      Question says it wants central access policies to control access, that is why it needs the classification entry, that is what the policy is based off of.

      The Authenticated Users group’s permissions should overwrite the IT group’s entry granting them modify permission, then the central access policy would cut out everyone’s access that aren’t listed in or part of the groups listed in the Current Permissions box… the only caveat is you have to make sure to apply the permission otherwise it’s free rein.




  1. Manuel says:

    I disagree. With A + Central Access Policy, the only thing we don’t need is the Read permission for the IT group, so I think the correct answers are A and D.
    Keisari, take into account that IT members are Authenticated Users, so if you assign Modify permissions to that group, obviously IT members have been assigned with that permission.




  2. MalotJean says:

    Actually, classification is needed, since Central Access Policy rule will only apply to folders with department=”Information Technology”. And we are explicitly asked to configure access through DAC.

    Also, Central Access Policy does not override the NTFS permissions of the file system. It’s in addition to the NTFS permissions that are on the file system.
    When DAC permissions are combined with the NTFS and share permissions, the most
    restrictive permissions always apply to the account requesting access.

    So A is mandatory.
    Next step is to set NTFS permissions straight, so E is also correct.
    No need to remove existing permission entry for the IT group, it will be superseded by Authenticated Users right (E)

    Answer provided (A,E) is correct.




    1. Emil says:

      I am sorry, but this is one of the typical exam questions which in real life make no sense. Why would I go through all this trouble if I grant authenticated users modify? I don’t need any of the other stuff. So my opinion is also A,B. It is controlled by central access policy, and still secured if that policy cannot be applied.




  4. kyo says:

    “The solution must use central access policies to control the permissions.”

    Shouldn’t this be A and D?

    A to classify the folder in order to have the DAC policy apply, and D because the way it is now, permissions are explicitly assigned, not through DAC as required in the above quotation.

    If you remove the IT group from the security tab, the permissions will be replaced by the DAC rule. Also, I don’t see any permissions for the authenticated users on the policy, so why E?




    1. kyo says:

      Tested in my lab as I still couldn’t get this one.
      – created a folder mirroring the same permissions as the one on the exhibit
      – created an IT group
      – created a DAC policy for the IT department
      – configured Kerberos armoring
      – created a user who’s a member of the IT department and the IT group
      – tested modify access as is – nothing changed, we still only have read permissions
      – added the “Department = IT” classification to my shared folder
      – tested modify access – still no luck
      – added a conditional expression to the existing permission entry for the IT group (Resource.Department Equals.Value = IT) => modify access
      – tested modify access, the IT department can now modify the files
      – removed the conditional expression and reconfigured the IT group permissions to Read only
      – created a new conditional expression assigning it to the Authenticated Users group and added the IT policy to the Central Access Policies GPO
      – tested modify access with an IT department member, success again, we can now modify the files

      Conclusion
      1) you don’t have to remove the current permissions for the IT group
      2) both modifying the current permissions of the IT group through a conditional expression and adding modify access to authenticated users who are members of the IT department are valid options

      C is wrong, D is not needed. We are left with ABE

      A is a must
      B works
      E ONLY works if you ALSO add a conditional expression to the Authenticated Users permissions otherwise you’re just granting everyone modify access to the folder.

      Since E does not mention anything about adding a conditional expression – I believe this is also wrong.

      My answer is A and B.




      1. John says:

        You grant everyone modify access to the folder yes, but the Current Permissions section of the Central Access Policy doesn’t mention Authenticated Users so unless they are part of a group in the specified box, they will not be able to use their permissions on the folder once the policy is enacted.
        The question states “The solution must use central access policies to control the permissions.” that would be making it so that the Central Access Policy is the one controlling access, adding the conditional expression would make it so that the conditional expression is responsible for determining access.




  5. Aberdeen Angus says:

    Also labbed it, I agree with MalotJean.

    E. (On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group) is needed because the Central Access Policy applies as an extra filter after the NTFS permissions, it can reduce the permissions but not add to them. Seems a bit dangerous by the way, got to have the NTFS permissions more generous than you want, so if you forget to apply the Central Access Policy…

    A (On the Classification tab of Folder1, set the classification to Information Technology) is needed because everything else looks ok so in this scenario the admin forgot to set the classification.




  6. Emil says:

    I strongly maintain that these answers are flawed and make no sense (most of them). Nobody in real life grants wide access via NTFS, then “restricts” via CAP. You have some permissions via NTFS, usually local groups, then you grant some extra via CAP, based on claim. That is how it works.



