You have an Active Directory Rights Management Services (AD RMS) cluster.
You need to prevent users from encrypting new content. The solution must ensure that the
users can continue to decrypt content that was encrypted already.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From the Active Directory Rights Management Services console, enable decommissioning.
B. From the Active Directory Rights Management Services console, create a user exclusion policy.
C. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\licensing.
D. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
E. From the Active Directory Rights Management Services console, modify the rights policy templates.
The answer should be A & D
Decommission AD RMS
http://technet.microsoft.com/en-us/library/cc754967.aspx
Decommission AD RMS Root Cluster
http://technet.microsoft.com/en-us/library/cc771071(v=ws.10).aspx
Eric is right!! The answer should be A & D.
If you were to create a user exclusion policy, then that would “exclude” them from being able to access certain entities. Therefore, not being able to access decrypted content to begin with.
I checked everywhere, and the answers are B & E.
Mahmoud Zakaria,
Don’t rely on dumps from anywhere; all dumps take answers from each other, even if the answer is wrong.
Do the research yourself; this is for your benefit.
sad but true
@Mahmoud Zakaria, did you find any different documentation?
No, I didn’t. Other sites put the answer without explanation.
Please tell the correct answer???
Hassan,
Try to contribute to the discussion, not just ask for correct answers
I agree, see him commenting with that on a lot of questions. Dick
I checked this out and found the original answer is the correct answer.
dont b/s plz.
As the premium file version 30.0
the right answer is:
A. From the Active Directory Rights Management Services console, enable decommissioning.
D. Modify the NTFS permissions of %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
Hi Liron, can you email me this premium version 30.0 file. [email protected]
it can be a great help
When you decommission AD RMS, the behavior of the AD RMS cluster is changed such that it can now provide a key that decrypts the rights-protected content that it had previously published. This key allows the content to be saved without AD RMS protection.
To decommission AD RMS:
1. Log on to the server on which you want to decommission AD RMS.
2. Modify the access control list (ACL) on the decommissioning.asmx file by granting the Everyone group Read & Execute permissions. The default location for this file is %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
So A and D.
Answer is A and D.
Will go for B,E.
The question asks to prevent users from encrypting new files; that doesn’t mean decommissioning AD RMS. Once it has been decommissioned you can’t configure RMS anymore, and this can’t be restored. If later on the organization wants to re-enable users to encrypt new files, you will be in big trouble.
The question does not specify that the situation needs to be reversible, so decommissioning is exactly what is asked here:
“Before you remove the Active Directory Rights Management Services (AD RMS) role from a server, you should first decommission AD RMS. When you decommission AD RMS, the behavior of the AD RMS cluster is changed such that it can now provide a key that decrypts the rights-protected content that it had previously published. This key allows the content to be saved without AD RMS protection. This can be useful if you have decided to stop using AD RMS protection in your organization, or still need the information.”
https://technet.microsoft.com/en-us/library/cc754967.aspx
Configuring exclusion policies (From the guide, page 340)
You use exclusion policies to block specific entities (such as applications, users, and lockbox versions) from interacting with AD RMS. You can configure the following types of exclusion:
■ User Exclusion: Allows you to block a user based on email address or the public key assigned to the user’s Rights Account Certificate
■ Lockbox Exclusion: Allows you to block specific versions of the AD RMS client
■ Application Exclusion: Allows you to block specific applications based on
The question doesn’t mention blocking the users () but preventing them from encrypting new content. I vote for A and D.
https://technet.microsoft.com/en-us/library/cc771071(v=ws.10).aspx
Seems to be A and D… Decommissioning the server will stop more data from being encrypted but will also mean that existing data is decrypted correctly. To decommission you have to enable decommissioning and then give read/write rights to the decommission file (I believe
It’s A & D.
Following the same faulty logic… In order to prevent the users from logging into the domain… let’s just decommission the domain, or un-install the Active Directory Services from it.
Nothing in the question calls for decommissioning. How about just to power the RMS Cluster off, or stop/disable the RMS service/Cluster?
The book on page 340 says you can just exclude the users, block/prevent them from interacting with AD RMS. Then why decommission the RMS server? Wait until your boss finds out. You needed to prevent a few user accounts from encrypting new content. But instead you took a liberty and decommissioned the server. Great!
I am using my brain, and going with what I read in the book, and what makes sense to me: Answer B alone is enough to prevent the users from communicating with RMS. I am going to answer: B,E on the exam.
Agreed with Peter.
Prevent does not mean you have to destroy the cluster..
What if the question stated you need to prevent newly created users from logging in to the adatum.com domain – what do you do in this case? Decommission the DCs?
That’s stupid AF if you ask me.
Based on the following below, I’m inclined to answer A and D.
http://blogs.technet.com/b/rms/archive/2012/04/29/decommissioning-ad-rms.aspx
If you plan to remove Active Directory Rights Management Services from your organization, you should first decommission the AD RMS cluster. This allows your AD RMS users to remove AD RMS protection from existing content. If you uninstall AD RMS without first decommissioning it, your protected content will no longer be accessible. Also, this process cannot be reversed. If you decommission a server, it cannot be restored to its previous AD RMS configuration.
B and E is the answer.
B – https://technet.microsoft.com/en-us/library/cc771228.aspx
E – https://technet.microsoft.com/de-de/library/dd996658%28v=ws.10%29.aspx
2 facts:
1. Prevent users from encrypting new content
2. Able to Decrypt already encrypted content.
By enabling decommissioning you cover No. 1 and No. 2, as no user is able to encrypt anymore and the key will be supplied to decrypt upon decommissioning.
A & D
To decommission AD RMS:
1. Log on to the server on which you want to decommission AD RMS.
2. Modify the access control list (ACL) on the decommissioning.asmx file by granting the Everyone group Read & Execute permissions. The default location for this file is %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
3. Open the Active Directory Rights Management Services console and add the AD RMS cluster.
4. Expand the AD RMS cluster, expand Security Policies, and then select Decommissioning.
5. Select the Enable Decommissioning option in the Actions pane.
6. Click Decommission.
7. When prompted, click Yes to confirm that you want to permanently decommission the AD RMS installation.
8. Repeat steps 1–7 for all AD RMS servers in the cluster.
A&D
The answer is B & E:
Check out: http://www.free-online-training-courses.com/configuring-ad-rms/
Preparing Exclusion Policies
When you decide the scope of your rights-protection policy implementation, you can configure exclusion policies or policies that will exclude users and computers from participating in your AD RMS implementation.
You can create exclusion policies for four entities: users, applications, lockboxes, and Windows operating systems.
When you do so, the list of the specified exclusion members is included in the use license for the content. You can remove an excluded entity from an exclusion list, but remember that if you remove the entity from the list, it will no longer be added to the use licenses. Existing content, however, will already contain it because use licenses are issued only once, by default……..
Also view: https://technet.microsoft.com/en-us/library/dd996658(v=ws.10).aspx
I get why the policy template is part of it, but why is exclusion needed if I want to apply the policy to all users? The exclusion part seems redundant.
A & D
The key here is the part of the question that states “The solution must ensure that the users can CONTINUE TO DECRYPT content that was encrypted already” … that is achieved by decommissioning the AD RMS.
Shut the fuck up, Joe.