HOTSPOT
Your network contains an Active Directory named contoso.com.
You have users named User1 and User2.
The Network Access Permission for User1 is set to Control access through NPS Network Policy. The Network
Access Permission for User2 is set to Allow access.
A policy named Policy1 is shown in the Policy1 exhibit.
A policy named Policy2 is shown in the Policy2 exhibit.
A policy named Policy3 is shown in the Policy3 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. Each correct
selection is worth one point.
Explanation:
I disagree with the suggested answer.
User 1 Thursday = Yes: Policy 1 and 2 do not apply on a Thursday. Policy 3 does and it allows access.
User 1 Friday = No: Policy 2 applies on a Friday and denies access.
User 2 Friday = No: Policy 2 applies on a Friday and denies access.
I notice that the User Group condition Contoso\Domain Users doesn’t exist in Policy 2 but if no User Group condition exists does that mean it applies to all users?
The suggested answer is correct as for User 2, the user is configured not to use NPS policies, but instead be always allowed access.
If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
According to network policies processing order:
http://i61.tinypic.com/j9ov3l.jpg
Original answer seems correct.
Hey guys, I had this test on my exam today. I passed with a 9xx/1000.
This question was on my test and I can tell you 100% that the question here is written wrong.
THE QUESTION FOR USER 2 IS AS FOLLOWS:
The Network Access Permission for User1 is set to Control access through NPS Network Policy. The
Network Access Permission for User2 is set to >>>>>DENY<<<<< access.
"User2 can access VPN on MONDAY?"
The answer is NO.
The Questions for User1 remained the same.
ANSWER IS:
YES
NO
NO
I got perfect in the NPS portion of the exam.
The answer is right. As it says in the question User2 isn’t using a policy and is set to allow access. Only User1 is bound by the policies given.
That’s wrong, a Deny Policy will be applied as soon as processing order and conditions match:
https://technet.microsoft.com/de-de/library/Cc732724%28v=WS.10%29.aspx
“If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.”
It’s not possible to override a Deny Policy if the condition(s) match(es).
Looks like you’re right. That’s some bullshit right there…
Ignore user account dial-in properties
You CAN configure NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the Ignore user account dial-in properties check box on the Overview tab of network policy. NORMALLY when NPS performs authorization of a connection request, it checks the dial-in properties of the user account…
NPS server will NOT Deny Access for User2.
The deny policy wins… Yes, No, No. The policy is set for everyone.
The question on the exam is different. The last option is:
User2 will be able to establish a VPN connection on Monday
The first and second options on the exam are the same
User 2 will NOT be able to connect:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.
https://technet.microsoft.com/en-us/library/cc738142(v=ws.10).aspx
Testtaker, your article is from January 21, 2005. So, I either from the beginning have shared your point.
I did some tests in my testing lab on 2012 R2 platforms. The conclusion is that it does not matter what you have in your policies: if you have Allow access on the Dial-In tab of the user account, then access will be granted. The user account parameter wins.
There is a scenario when the user account parameter is not taken into account. It is when the check box next to “Ignore user account dial-in properties” is checked on the Overview tab of the policy. Then it would be shown in the above exhibit, but it is not.
Concluding: original answer is correct.
According to this you’re wrong:
https://technet.microsoft.com/en-us/library/dd197420%28v=ws.10%29.aspx
“If the Ignore-User-Dialin-Properties attribute is set to False, NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection:
If Deny access is selected, NPS rejects the connection request.
If Allow access is selected, NPS applies the user account properties and network policy constraints:
If the connection request does not match the settings of the user account properties and network policy constraints, NPS rejects the connection request.
If the connection request matches the settings of the user account properties and network policy constraints, NPS accepts the connection request.”
So it’s, yes, no, no…
The red cross on the Policy2 means that the policy hasn’t been applied. So, we should focus on Policy 1 and 3. And the correct answer will be Yes, Yes, Yes. Am I right?
The answer is wrong. Deny Access always wins. That’s all. Full stop.
This is a very difficult topic.
The policy will only apply if the conditions are met; if not, it will go to the next in processing order until the first one that meets the conditions is applied and the rest are ignored.
So User 1 on Thursday = Policy1 does not apply on Thursdays, go to next; Policy2 does not apply on Thursdays, go to next; Policy 3 applies to all domain users and grants access.
Next, User1 access on a Friday. Policy1 does not apply on Fridays, go to Policy2, which does apply and denies access.
Last, User2 is set to allow access in AD Users and Computers; NPS policies won’t be used and User2 will be granted access.
Answer must be:
Yes
No
Yes
This is correct.
Ditto. This is correct.
https://technet.microsoft.com/en-us/library/cc732724(v=ws.10).aspx
If the Ignore-User-Dialin-Properties attribute is set to False (default), NPS checks the Network Access Permission setting in user account dial-in properties for the user attempting the connection:
If Allow access is selected, NPS applies the user account properties and network policy constraints.
So according to Microsoft:
Yes
No
No
Ignore dial-in properties is set to false by default:
https://technet.microsoft.com/en-us/library/cc732252(v=ws.10).aspx
No, it is not correct.
Explicit deny policies in NPS override NAP Allow policies.
So User2 will not be able to VPN on Friday.
Why can User 1 establish a connection on Thursday if Policy 1 says Grant access if the following conditions are met: (Monday, Tuesday and Wednesday)… Does the policy implicitly let User1 establish a connection on Thursday? Because I know that when you deny access on selected days of the week the status is “deny always”; in this case it shows “Monday, Tuesday, Wednesday 00:00:24:00” (allow)… So, can someone explain this to me please? I’m very confused.
This drove me crazy because even Microsoft docs seem to contradict each other. So I spent a couple of hours testing it in my lab. What I found is this:
AD user account Dial In properties set to allow and NPS policy set to deny, but **not** to ignore user account dial in properties — the account gets access granted
AD account Dial In properties set to Control access through network policy server and NPS policy set to deny, but **not** to ignore user account dial in properties — the account gets access denied
AD account Dial In properties set to allow and NPS policy set to deny, **and** to ignore user account dial in properties — the account gets access denied
So the answer should be:
Yes User1 is allowed because Thursday is allowed by policy 3
No User1 is denied because Friday is explicitly denied by policy 2
Yes User2 is set to allow, which again, through my testing overrides NPS policy when NPS is **not** set to ignore user account dial in properties.
Yes no Yes.
This answer is correct!
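The disagreement in this thread comes down to one branch of the authorization logic, which the following added example (not part of any post above, and not Microsoft's code) makes explicit. The policy set is an assumption reconstructed from the comments, since the exhibits are not on the page; `allow_overrides_deny=True` follows the lab observations reported above, `False` follows the reading of the quoted documentation.

```python
from dataclasses import dataclass

ALLOW, DENY, VIA_POLICY = "allow", "deny", "policy"   # user dial-in setting
ALL_DAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"})

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                  # True = grant access, False = deny access
    days: frozenset              # days on which the policy conditions match
    ignore_dialin: bool = False  # "Ignore user account dial-in properties"

# Assumed from the thread (exhibits missing): Policy1 grants Mon-Wed,
# Policy2 denies on Friday for everyone, Policy3 grants on any day.
POLICIES = [
    Policy("Policy1", True, frozenset({"Mon", "Tue", "Wed"})),
    Policy("Policy2", False, frozenset({"Fri"})),
    Policy("Policy3", True, ALL_DAYS),
]

def authorize(dialin, day, policies=POLICIES, allow_overrides_deny=True):
    """Return (granted, reason) for one connection request."""
    # Policies are evaluated in processing order; the first match is used.
    match = next((p for p in policies if day in p.days), None)
    if match is None:
        return False, "no matching policy"
    if not match.ignore_dialin:
        if dialin == DENY:
            return False, "user dial-in: deny"
        # The disputed branch: does Allow on the account beat a deny policy?
        if dialin == ALLOW and allow_overrides_deny:
            return True, "user dial-in: allow"
    return match.grant, match.name

def exam_answers(allow_overrides_deny):
    """User1 Thursday, User1 Friday, User2 Friday, as asked in the question."""
    cases = [(VIA_POLICY, "Thu"), (VIA_POLICY, "Fri"), (ALLOW, "Fri")]
    return [authorize(d, day, allow_overrides_deny=allow_overrides_deny)[0]
            for d, day in cases]

if __name__ == "__main__":
    print("lab reading:", exam_answers(True))
    print("doc reading:", exam_answers(False))
```

Only the third statement changes between the two readings; the User1 results depend on processing order alone.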