HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You have users named User1 and User2.
The Network Access Permission for User1 is set to Control access through NPS Network Policy. The Network Access Permission for User2 is set to Allow access.
A policy named Policy1 is shown in the Policy1 exhibit. (Click the Exhibit button.)
A policy named Policy2 is shown in the Policy2 exhibit. (Click the Exhibit button.)
A policy named Policy3 is shown in the Policy3 exhibit. (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. Each correct selection is worth one point.
Why is User2 able to connect on a Friday?
Because it is explicitly set to Allow access, so it will not read any of these policies.
I think I know why now.
“The Network Access Permission for User1 is set to Control access through NPS Network Policy. The Network Access Permission for User2 is set to Allow access.” This is set in the AD user settings; I think it is set to NPS by default. So User2 doesn’t use any of the NPS rules.
http://technet.microsoft.com/en-us/library/cc732724(v=ws.10).aspx
The answer is simple and I will explain:
* NAP says User1: go to NPS
* NAP says User2: Allow access… take care!!! This means that only explicit denies from NPS are to be applied!

Policy   Conditions                    Permission
P1       Mon, Tue, Wed; Domain Users   Allow
P2       Fri                           Deny
P3       Domain Users                  Allow
Does User1 establish a connection on Thu? P1 conditions are not met (day is not Mon, Tue, Wed), P2 conditions are not met (day is not Fri), P3 condition is met (user is in Domain Users), so the action is allow due to P3.
Does User1 establish a connection on Fri? P1 conditions are not met (day is not Mon, Tue, Wed), P2 condition is met (day is Fri), so the action is deny.
Does User2 establish a connection on Fri? P2, the deny policy, is applied and the condition is met (day is Fri), so the action is deny.
Conclusion: the answer should be Yes, No, No.
To whom is Policy2 applied?? There are no groups in the conditions.
Everyone.
Nice explanation Wim.
Yes, No, No
With regard to the last selection, your link states:
If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
Only one policy is applied per connection. User1 checks P1; it doesn’t let him connect on Fri, so he does not connect.
I agree, but if I attend the exam, what should I answer?!
Yes, No, Yes – looks right.
The Network Access Permission for User2 is set to Allow access; it is not configured to go through NPS, thus network policies do not apply even though all users are members of Domain Users. The configuration for users is found in the user account properties in ADUC, Dial-in tab, Network Access Permission: Allow access, Deny access, Control access through NPS Network Policy.
Yes, No, No
https://technet.microsoft.com/en-us/library/dd197420%28v=ws.10%29.aspx
I mean Yes, No, Yes
@Wim:
When grant access is set in ADUC, explicit denies are only in effect when the NPS policy is configured to ignore user account dial-in properties.
https://technet.microsoft.com/en-us/library/cc772123%28v=ws.10%29.aspx
The question does not mention this, so I assume this setting is not configured.
Yes
No
Yes
https://technet.microsoft.com/en-us/library/dd197420%28v=ws.10%29.aspx
“If the Ignore-User-Dialin-Properties attribute is set to False, NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection:
If Deny access is selected, NPS rejects the connection request.
If Allow access is selected, NPS applies the user account properties and network policy constraints:
If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.
If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.”
So it’s Yes, No, No…
Policy2 is an explicit Deny that hits User2 on Friday because the condition matches.
Regardless of the dial-in property setting:
https://technet.microsoft.com/de-de/library/Cc732724%28v=WS.10%29.aspx
“If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.”
yes
no
no
BTW: did any of you “Yes, No, Yes” sayers verify it in a lab?
I did… and I see in the log file that the test user is being denied despite his dial-in properties, as the deny policy is being applied!
When grant access is set in ADUC, explicit denies are only in effect when the NPS policy is configured to ignore user account dial-in properties.
https://technet.microsoft.com/en-us/library/cc772123%28v=ws.10%29.aspx
You’ll need to clarify if this was set up in your “lab”.
So the answer is Yes, No, No.
A policy will only apply if its conditions are met; if not, processing goes to the next policy in processing order until the first one that meets the conditions is applied, and the rest are ignored.
So, User1 on Thursday: Policy1 does not apply on Thursdays, go to the next; Policy2 does not apply on Thursdays, go to the next; Policy3 applies to all Domain Users and grants access.
Next, User1 access on a Friday: Policy1 does not apply on Fridays, go to Policy2, which does apply and denies access.
Last, User2 is set to Allow access in AD Users and Computers, so NPS policies won’t be used and User2 will be granted access.
Answer must be:
yes
No
Yes
I think it’d be:
NO – it only processes the first policy for each user. So, User1 is part of Domain Users, so this is the only policy that will apply to him. He cannot authenticate on Thursday.
NO – same as above.
YES – it’s set to Allow access, so none of these policies matter.
If the value of Network Access Permission is Deny access, the user is always denied access to the network by NPS, regardless of any settings in network policy.
If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.
So: Yes, No, No
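As an added illustration (not code from the thread or from Microsoft), a small model of how NPS resolves the thread's three policies against User1 and User2: first-match evaluation in processing order, and the Ignore-User-Dialin-Properties attribute deciding whether the account's Network Access Permission is consulted at all. The rule that an account set to Allow access overrides a matching Deny policy when that attribute is False follows the cc772123 reading given in the thread and is an assumption here, as is rejecting when no policy matches; the policy definitions are constructed from the thread's description.

```python
from dataclasses import dataclass
from enum import Enum

class Permission(Enum):
    """Network Access Permission values on the account's Dial-in tab."""
    DENY = "Deny access"
    ALLOW = "Allow access"
    NPS = "Control access through NPS Network Policy"

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                      # policy Access Permission: grant or deny
    days: frozenset = frozenset()    # Day and time condition; empty = any day
    groups: frozenset = frozenset()  # Windows Groups condition; empty = everyone

    def matches(self, day, user_groups):
        return (not self.days or day in self.days) and \
               (not self.groups or bool(self.groups & user_groups))

def evaluate(policies, permission, day, user_groups, ignore_dialin=False):
    """Return (accepted, reason). Policies are tried in processing order;
    only the first match is used and the rest are ignored."""
    policy = next((p for p in policies if p.matches(day, user_groups)), None)
    if policy is None:
        return False, "no matching network policy"  # assumed NPS default
    if ignore_dialin or permission is Permission.NPS:
        # Decision based solely on the matching policy's Access Permission
        return policy.grant, f"{policy.name} {'grants' if policy.grant else 'denies'}"
    if permission is Permission.DENY:
        return False, "account Deny access (overrides policy)"
    # Assumed (cc772123 reading in the thread): with Ignore-User-Dialin-Properties
    # False, the account's Allow access overrides the matching policy's permission.
    return True, f"account Allow access overrides {policy.name}"

DOMAIN_USERS = frozenset({"Domain Users"})
POLICIES = (  # constructed from the thread's description, in processing order
    Policy("Policy1", True, frozenset({"Mon", "Tue", "Wed"}), DOMAIN_USERS),
    Policy("Policy2", False, frozenset({"Fri"})),
    Policy("Policy3", True, groups=DOMAIN_USERS),
)

def user1(day, ignore_dialin=False):
    return evaluate(POLICIES, Permission.NPS, day, DOMAIN_USERS, ignore_dialin)

def user2(day, ignore_dialin=False):
    return evaluate(POLICIES, Permission.ALLOW, day, DOMAIN_USERS, ignore_dialin)
```

Running user2("Fri") with and without ignore_dialin=True shows the two outcomes the thread argues over, which is why the exam question's silence on that attribute matters.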