HOTSPOT
Your network contains an Active Directory named contoso.com.
You have users named User1 and User2.
The Network Access Permission for User1 is set to Control access through NPS Network Policy. The
Network Access Permission for User2 is set to Allow access.
A policy named Policy1 is shown in the Policy1 exhibit. (Click the Exhibit button.)
A policy named Policy2 is shown in the Policy2 exhibit. (Click the Exhibit button.)
A policy named Policy3 is shown in the Policy3 exhibit. (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. Each
correct selection is worth one point.
Seems like this should be
Yes : Easy, Policy 1 and 2 don’t have any restrictions for Thursdays
No : This is an explicit deny for Friday
No : This is an explicit deny for Friday
This is correct – policy 1 allows people to connect Mon, Tue, Wed
– policy 2 blocks people on Friday
– policy 3 grants access to domain users
User 1 = allowed to connect Mon, Tue, Wed, Thurs since no block policies are set for Thurs
User 2 is not affected by NPS… so he can connect all the time, NPS policies don't apply to him,
yes
no
yes
Yes, No, Yes. User2 is always allowed access. User1 is restricted by policy
@perkyjerky is correct. Correct answer is yes, no, no.
Source: https://technet.microsoft.com/en-us/library/cc732724(v=ws.10).aspx
“Authorization is performed when NPS checks the dial-in properties of user accounts in Active Directory and when NPS evaluates the connection request against the network policies configured in the NPS console.
In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account properties, the Network Access Permission setting is used by NPS to make authorization decisions, as follows:
• If the value of Network Access Permission is Deny access, the user is always denied access to the network by NPS, regardless of any settings in network policy.
• If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
• If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.”
I think answer is right.
“The user account setting Network Access Permission , which is configured on the dial-in properties of user accounts, overrides the network policy access permission setting. ”
https://msdn.microsoft.com/en-us/library/cc772123.aspx
I agree. The given answers are correct.
When access is managed by NPS, those users are bound to the policy/policies in NPS. When being managed by the user's Dial-in access, in this case to allow for User2, then it doesn't matter what the NPS policy says. AD overrides NPS.
In the exam I found this question but with a SMALL change:
“The Network Access Permission for User2 is set to DENY access.”
In that case the answer is Yes, No, Yes?
Thanks
I think the answer would then be Yes, No, No as the Deny access in the user settings will always override anything set in the network policy
I received the slightly different question that Nelson shared during my exam also. The answer would be Y,N,N as User 2 would never be allowed to connect.
User 2 is granted rights and not bound by the policies
Manca is correct. Yes, No, No
https://technet.microsoft.com/en-us/library/cc732724(v=ws.10).aspx
I’m a little confused.
In the exhibit you can see that policy 2 is disabled. So there is no active restriction policy for Friday.
If you look at the status next to each of the policies, they all show enabled. It has a red x on it because it’s a deny access policy.
New 70-411 Exam Questions Updated Recently (6/May/2016):
NEW QUESTION 435
You have a server named Server1 that is a member of a domain named contoso.com. You view the properties of a service on Server1 as shown in the graphic.
Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
Answer: [shown in an image that is not reproduced here]
Explanation:
Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:
– No password management is required.
– The ability to access the network with a computer identity in a domain environment.
Virtual accounts require very little management. They cannot be created or deleted, nor do they require any password management. You must be a member of the Administrators group on the local computer to perform the following procedures. To configure a service to use a virtual account:
– Click Start, point to Administrative Tools, and then click Services.
– In the details pane, right-click the service that you want to configure, and then click Properties.
– Click the Log On tab, click This account, and then type NT SERVICE\ServiceName. When you are finished, click OK.
– Restart the service for the change to take effect.
READ MORE — technet.microsoft.com/en-us/library/dd548356%20(v=WS.10).aspx
NEW QUESTION 436
You have a Windows Server Update Services (WSUS) server named Server1. Server1 synchronizes from Microsoft Update. You plan to deploy a new WSUS server named Server2. Server2 will synchronize updates from Server1. Server2 will be separated from Server1 by a firewall. You need to identify which port must be open on the firewall so that Server2 can synchronize the updates. Which port should you identify?
A. 8530
B. 3389
C. 443
D. 80
Answer: A
Explanation:
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
– On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
– On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
READ MORE — technet.microsoft.com/en-us/library/hh852346.aspx
NEW QUESTION 437
A technician installs a new server that runs Windows Server 2012 R2. During the installation of Windows Server Update Services (WSUS) on the new server, the technician reports that on the Choose Languages page of the Windows Server Update Services Configuration Wizard, the only available language is English. The technician needs to download updates in French and English. What should you tell the network technician to do to ensure that the required updates are available?
A. Complete the Windows Server Update Services Configuration Wizard, and then modify the update language on the server.
B. Uninstall all instances of the Windows Internal Database.
C. Change the update languages on the upstream server.
D. Change the System Locale of the server to French.
Answer: C
Explanation:
Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
You will not be notified of needed updates in the unsynchronized languages.
The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.
Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers of all the downstream servers.
You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
To choose update languages for a downstream server:
If the upstream server has been configured to download update files in a subset of languages:
In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.
READ MORE — technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx
NEW QUESTION 438
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply settings to Group1 only. What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gpedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: C
NEW QUESTION 439
……
NEW QUESTION 440
Your network contains one Active Directory forest named contoso.com. You create a starter Group Policy object (GPO) named Starter_GPO1. From the Delegation tab of Starter_GPO1, you add a group named GPO_Admins and you assign the Edit settings permissions to the group. You create a new GPO named GPO1 from Starter_GPO1. You need to identify which action can be performed by the members of the GPO_Admins group. What should you identify?
A. Modify the Delegation settings of Starter_GPO1.
B. Modify the Group Policy Preferences in Starter_GPO1.
C. Link a WMI filter to GPO1.
D. Modify the Administrative Templates in GPO1.
Answer: A
Explanation:
Permission rights applied to starter GPO objects are relative to the starter GPO objects only; they are not inherited from actual GPOs created from starter GPOs.
B is wrong because Starter GPOs do not have preferences, only Administrative Template policy settings.
READ MORE — technet.microsoft.com/en-us/library/cc753200.aspx
NEW QUESTION 441
……
After a lot of reading…
Answer is
YES
NO
NO
Why? Taken from https://technet.microsoft.com/en-us/library/cc772123(v=ws.10).aspx
The user account setting Network Access Permission, which is configured on the dial-in properties of user accounts, overrides the network policy access permission setting. When network access permission on a user account is set to the Control access through NPS Network Policy option, the network policy access permission setting determines whether the user is granted or denied access.
When Network Policy Server (NPS) evaluates connection requests against configured network policies, it performs the following actions:
If the conditions of the first policy are not matched, NPS evaluates the next policy, and continues this process until either a match is found or all policies have been evaluated for a match.
If the conditions and constraints of a policy are matched, NPS either grants or denies access, depending on the value of the Access permission setting in the policy.
If the conditions of a policy match but the constraints in the policy do not match, NPS rejects the connection request.
If the conditions of all policies do not match, NPS rejects the connection request.
Exactly, so the answer would be:
Yes
No
Yes
If you go to the user in AD and click on the Dial-In tab, it has Network Access permissions. If it is set to control through NPS, then it would abide by the Network Policies, but since user2 has Network Access Permission set to Allow Access, they completely ignore all network policies and are allowed to connect to the VPN anytime they want without any conditions or constraints set.
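The rules quoted from TechNet above (account setting first, then the first policy whose conditions match, with a constraint mismatch or no match ending in a reject), written out as a small Python model. This is an added example, not Microsoft's code or part of the original comments; the policy names, groups and request fields are constructed for illustration, and the handling of Allow access follows the cc772123 wording that the account setting overrides the policy's access permission.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]


@dataclass
class NetworkPolicy:
    name: str
    conditions: Callable[[Request], bool]   # must match for the policy to be selected
    constraints: Callable[[Request], bool]  # checked only after the conditions match
    grant: bool                             # the policy's Access permission setting


def authorize(dial_in: str, request: Request,
              policies: List[NetworkPolicy]) -> Tuple[bool, str]:
    """dial_in is the account's Network Access Permission:
    'deny', 'allow' or 'policy' (Control access through NPS Network Policy)."""
    if dial_in == "deny":
        return False, "user account: Deny access"
    for policy in policies:                      # evaluated in processing order
        if not policy.conditions(request):
            continue                             # try the next policy
        if not policy.constraints(request):
            return False, f"{policy.name}: constraints not met"
        if dial_in == "allow":
            # Assumption taken from the quoted text: the account setting
            # overrides the matched policy's Access permission.
            return True, f"{policy.name}: matched, user account: Allow access"
        verdict = "granted" if policy.grant else "denied"
        return policy.grant, f"{policy.name}: access {verdict}"
    return False, "no policy matched"


# Constructed policies (hypothetical names, not the exhibits from the question).
POLICIES = [
    NetworkPolicy("Block-Contractors",
                  lambda r: r["group"] == "Contractors",
                  lambda r: True, grant=False),
    NetworkPolicy("Staff-VPN",
                  lambda r: r["group"] == "Staff",
                  lambda r: r["auth"] == "MS-CHAPv2", grant=True),
]

if __name__ == "__main__":
    staff = {"group": "Staff", "auth": "MS-CHAPv2"}
    weak = {"group": "Staff", "auth": "PAP"}
    contractor = {"group": "Contractors", "auth": "MS-CHAPv2"}
    for dial_in, req in [("policy", staff), ("policy", contractor),
                         ("allow", contractor), ("allow", weak), ("deny", staff)]:
        print(dial_in, req["group"], req["auth"], authorize(dial_in, req, POLICIES))
```

In this model an account set to Allow access is still rejected when the matched policy's constraints fail or when no policy's conditions match, because those rejections happen before the access permission is consulted.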