Your network contains an Active Directory domain named adatum.com. All domain
controllers run Windows Server 2008 R2.
The domain contains a file server named Server6 that runs Windows Server 2012 R2.
Server6 contains a folder named Folder1. Folder1 is shared as Share1. The NTFS
permissions on Folder1 are shown in the exhibit.
The domain contains two global groups named Group1 and Group2.
You need to ensure that only users who are members of both Group1 and Group2 are
denied access to Folder1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Deny Group2 permission to Folder1.
B. Remove the Deny permission for Group1 from Folder1.
C. Deny Group1 permission to Share1.
D. Deny Group2 permission to Share1.
E. Install a domain controller that runs Windows Server 2012 R2.
F. Create a conditional expression.
Explanation:
* Conditional Expressions for Permission Entries
Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by
introducing a conditional access permission entry. Windows Server 2012 takes advantage of
conditional access permission entries by inserting user claims, device claims, and resource
properties, into conditional expressions. Windows Server 2012 security evaluates these
expressions and allows or denies access based on results of the evaluation. Securing
access to resources through claims is known as claims-based access control. Claims-based
access control works with traditional access control to provide an additional layer of
authorization that is flexible to the varying needs of the enterprise environment.
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-accesscontrol-en-us.aspx
I think it is B and F
B & F it is
https://technet.microsoft.com/en-us/library/jj134043.aspx
Conditional expressions are an enhancement to access control management in Windows Server 2012 and Windows 8 that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
I believe the answer is E&F. The domain in question only has 2008 R2 domain controllers. In order to support conditional expressions, which are part of DAC, a Windows 2012 DC is required.
Below is a snippet from a 70-417 upgrade course that I took which would seem to suggest E&F are the correct answers.
Windows Server 2012 is the first operating system that extends the authorization mechanism to support conditional expressions.
I say E and F
A, C and D: No. This will deny all members access to the folder/share.
B: No. There are no deny permissions set in this exhibit.
There is, check the pic!
Of course there is a Deny permission in the exhibit; the very first entry states Type: Deny, Principal: Group1, applies to Folder1 (this folder, subfolders and files). Answer is definitely B and F.
Tricky question, because if we let the B option, members of Group1 will have the access denied as per first row in the image.
That means that members of Group1 will ALWAYS have this access (R&Execute) denied.
We do not need to install a DC running 2012 R2 to be able to use conditional expressions (to use Dynamic Access Control), because it is already effective in 2008 R2, as the Explanation says (link: http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx).
So, we need a conditional expression (because the denied access is based on the condition that a user belongs to both Group1 and Group2).
And we also need to have the explicit deny to Group1 removed.
So, the answer is: B and F
Answer B and F.
This one is really tricky.
I tested it in the lab.
Conditional expressions don't require DAC to be implemented. To be able to use them you just need a 2012 member server in your domain, just like the file server mentioned in the question.
http://windowsitpro.com/security/windows-server-2012-active-directory-security-changes
“Microsoft changed the Advanced Security Settings dialog boxes in Windows 8 and Server 2012 to allow you to configure conditional expressions in the authorization and auditing settings of files and folders. Figure 3 shows this new interface, illustrating the definition of a permission that includes a conditional expression on a folder named SharedData.”
You need at least one 2012 DC to support the CLAIMS for/from DAC. I checked lots of docs on this, but Piurlos' link above confirms it (read the Prerequisites section, copied below):
“Claims-based authorization and auditing requires:
• Windows Server 2012
• At least one Windows Server 2012 domain controller accessible by the Windows client in the user’s domain
• At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust”
So E and F are required.
A & E
A because: If you do not remove the deny permission for Group1 then users who are members of only this group will still be denied access. The question states that ONLY users who are members of BOTH Group1 and Group2 should be denied.
C because: You first need a Server 2012 Domain Controller to be able to use Dynamic Access Control and Conditional Expressions.
Answer is B and F because of the following:
B because only the users that are part of both Group1 and Group2 must be denied access, not all of Group1.
F because you need to create a conditional expression so that only the users that are part of both Group1 and Group2 are denied access.
There is no 2012 R2 DC required, only a 2012 R2 file server, as per this link:
https://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamic-access-control.aspx
Also, check this quote on the same page:
Your environment only requires a Windows Server 2012 KDC when you base authorization decisions on claims that are sourced from Active Directory attributes or certificates. Authorization decisions based on group memberships, including conditional expressions that use the memberOf operator do not require a Windows Server 2012 KDC.
and
Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a conditional access permission entry. Windows Server 2012 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties, into conditional expressions.
So it's clear, it's B and F, not E.
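The B and F configuration the thread describes, scripted on the file server as an added example (not part of the original question or any post). It assumes Folder1 lives at C:\Folder1 on Server6, that ADATUM\Group1 and ADATUM\Group2 resolve, and that the existing Deny entry for Group1 is Read & Execute, matching the exhibit as the posters describe it.

```powershell
# Added example; run elevated on the Windows Server 2012 R2 file server.
# Assumed values: folder path and NetBIOS domain name.
$folder = 'C:\Folder1'
$domain = 'ADATUM'

function Get-GroupSid([string]$name) {
    # Resolve a domain group name to its SID string (conditional ACEs need SIDs, not names).
    (New-Object System.Security.Principal.NTAccount($domain, $name)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$acl = Get-Acl -Path $folder

# Answer B: drop the explicit (non-inherited) Deny ACE for Group1. Left in place it blocks
# every Group1 member, whether or not they are also in Group2, because Deny wins over Allow.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
                   $_.IdentityReference.Value -eq "$domain\Group1" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Answer F: a conditional Deny ACE. SDDL type XD is a callback (conditional) access-denied ACE;
# the principal is Authenticated Users (AU) and the condition narrows it to users who are
# members of BOTH groups. Member_of requires every listed SID; Member_of_any would mean either.
$sid1 = Get-GroupSid 'Group1'
$sid2 = Get-GroupSid 'Group2'
$condAce = "(XD;OICI;FRFX;;;AU;(Member_of {SID($sid1), SID($sid2)}))"   # OICI: folder, subfolders, files

# Deny ACEs must precede Allow ACEs in canonical order, so insert right after the DACL header
# ("D:" plus any flags such as AI or P). Assumes the DACL header appears once in the string.
$sddl = $acl.GetSecurityDescriptorSddlForm('Access')
$sddl = $sddl -replace '(D:[A-Z]*)', ('$1' + $condAce)
$acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
Set-Acl -Path $folder -AclObject $acl

# Check: the only Deny entry left should be the conditional one.
(Get-Acl -Path $folder).GetSecurityDescriptorSddlForm('Access')
```

Because the condition uses only group membership (the memberOf style the quoted page mentions), no claims are involved and the 2008 R2 domain controllers are not consulted for anything new; a user in just one of the two groups is evaluated against the remaining Allow entries as before.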