What should you install on Server2?

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2. Server1 has a
share named Share1.
When users without permission to Share1 attempt to access the share, they receive the
Access Denied message as shown in the exhibit. (Click the Exhibit button.)

You deploy a new file server named Server2 that runs Windows Server 2012 R2.
You need to configure Server2 to display the same custom Access Denied message as
Server1.
What should you install on Server2?

A.
The Remote Assistance feature

B.
The Storage Services server role

C.
The File Server Resource Manager role service

D.
The Enhanced Storage feature

Explanation:
Access-Denied Assistance is a new role service of the File Server role in Windows Server 2012.

We need to install the prerequisites for Access-Denied Assistance.
Because Access-Denied Assistance relies upon e-mail notifications, we also need to
configure each relevant file server with a Simple Mail Transfer Protocol (SMTP) server
address. Let’s do that quickly with Windows PowerShell:
Set-FSRMSetting -SMTPServer mailserver.nuggetlab.com -AdminEmailAddress [email protected] -FromEmailAddress [email protected]
You can enable Access-Denied Assistance either on a per-server basis or centrally via
Group Policy. To my mind, the latter approach is infinitely preferable from an administration
standpoint.
Create a new GPO and make sure to target the GPO at your file servers’ Active Directory
computer accounts as well as those of your AD client computers. In the Group Policy Object
Editor, we are looking for the following path to configure Access-Denied Assistance:
\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance

The Customize message for Access Denied errors policy, shown in the screenshot below,
enables us to create the actual message box shown to users when they access a shared file
to which their user account has no access.

What’s cool about this policy is that we can “personalize” the e-mail notifications to give us
administrators (and, optionally, file owners) the details they need to resolve the permissions
issue quickly and easily.
For instance, we can insert pre-defined macros to swap in the full path to the target file, the
administrator e-mail address, and so forth. See this example:
Whoops! It looks like you’re having trouble accessing [Original File Path]. Please click
Request Assistance to send [Admin Email] a help request e-mail message. Thanks!
You should find that your users prefer these human-readable, informative error messages to
the cryptic, non-descript error dialogs they are accustomed to dealing with.
The Enable access-denied assistance on client for all file types policy should be enabled to
force client computers to participate in Access-Denied Assistance. Again, you must make
sure to target your GPO scope accordingly to “hit” your domain workstations as well as your
Windows Server 2012 file servers.

Testing the configuration

This should come as no surprise to you, but Access-Denied Assistance works only with
Windows Server 2012 and Windows 8 computers. More specifically, you must enable the
Desktop Experience feature on your servers to see Access-Denied Assistance messages on
server computers.
When a Windows 8 client computer attempts to open a file to which the user has no access,
the custom Access-Denied Assistance message should appear:

If the user clicks Request Assistance in the Network Access dialog box, they see a
secondary message:

At the end of this process, the administrator(s) will receive an e-mail message that contains
the key information they need in order to resolve the access problem:
- The user’s Active Directory identity
- The full path to the problematic file
- A user-generated explanation of the problem
So that’s it, friends! Access-Denied Assistance presents Windows systems administrators
with an easy-to-manage method for more efficiently resolving user access problems on
shared file system resources. Of course, the key caveat is that your file servers must run
Windows Server 2012 and your client devices must run Windows 8, but other than that, this
is a great technology that should save admins extra work and end-users extra headaches.
http://4sysops.com/archives/access-denied-assistance-in-windows-server-2012/
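
For the per-server route described in the explanation, the following added example (not part of the original question or the quoted article) installs the File Server Resource Manager role service on Server2 and copies Server1's Access-Denied Assistance message to it. It assumes Server1's message is set in its local FSRM settings rather than delivered by Group Policy, that PowerShell remoting works to both servers, and that the session runs with administrative rights; the variable names are illustrative.

```powershell
# Added example. Server1/Server2 come from the question; all other names are assumed.
$source = 'Server1'
$target = 'Server2'

# 1. Install the FSRM role service (answer C) and its management tools on the new server.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools -ComputerName $target

$src = New-CimSession -ComputerName $source
$dst = New-CimSession -ComputerName $target
try {
    # 2. Copy the SMTP settings that assistance requests depend on.
    $mail = Get-FsrmSetting -CimSession $src
    if ([string]::IsNullOrWhiteSpace($mail.SmtpServer)) {
        Write-Warning "$source has no SMTP server configured; assistance e-mails will not be sent."
    } else {
        Set-FsrmSetting -CimSession $dst -SmtpServer $mail.SmtpServer `
            -AdminEmailAddress $mail.AdminEmailAddress `
            -FromEmailAddress $mail.FromEmailAddress
    }

    # 3. Read the Access Denied remediation settings from the source server.
    $adr = Get-FsrmAdrSetting -CimSession $src -Event AccessDenied
    if (-not $adr.Enabled) {
        Write-Warning "Access-Denied Assistance is not enabled locally on $source; it may be set by Group Policy instead."
    }

    # 4. Apply the same message and request options on the target server.
    $params = @{
        CimSession     = $dst
        Event          = 'AccessDenied'
        Enabled        = $adr.Enabled
        DisplayMessage = $adr.DisplayMessage
        AllowRequests  = $adr.AllowRequests
        MailToOwner    = $adr.MailToOwner
        MailCCAdmin    = $adr.MailCCAdmin
    }
    if ($adr.EmailMessage) { $params.EmailMessage = $adr.EmailMessage }
    Set-FsrmAdrSetting @params

    # 5. Verify that the target now shows the same message text.
    $check = Get-FsrmAdrSetting -CimSession $dst -Event AccessDenied
    if ($check.DisplayMessage -ne $adr.DisplayMessage) {
        throw "Access Denied message on $target does not match $source."
    }
    "Access-Denied Assistance on $target now matches $source."
}
finally {
    Remove-CimSession -CimSession $src, $dst
}
```

If the warning in step 3 fires, check the Access-Denied Assistance policies in the GPO that applies to Server1 and make sure Server2's computer account is in that GPO's scope.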



John

C. The File Server Resource Manager role service