Your network contains an Active Directory domain named contoso.com.
The network contains a file server named Server1 that runs Windows Server 2012.
You create a folder named Folder1. You share Folder1 as Share1.
The NTFS permissions on Folder1 are shown in the Folder1 exhibit.
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit.
Members of the IT group report that they cannot modify the files in Folder1.
You need to ensure that the IT group members can modify the files in Folder1.
The solution must use central access policies to control the permissions.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On the Security tab of Folder1, remove the permission entry for the IT group.
B. On the Classification tab of Folder1, set the classification to “Information Technology”
C. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.
D. On Share1, assign the Change Share permission to the IT group.
E. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.
Explanation:
NB: added the missing exhibits by searching for a piece of the question on Google => I did get an answer (a PDF
file with a few questions and exhibits, but how to be sure they’re ok…)
initial answer :
On the Classification tab of Folder1, set the classification to Information Technology. => true
On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.
=> false
it took me a whole day and a whole night to find that, but now I’m sure of the answer.
Let me explain my point of view
You first set the Folder1 classification to “Information Technology” so it meets the target resource
requirement and the Central Access Policy can be applied to it, no problem about that.
But my problem is about the second answer, to me none of them is good :
A : On the Security tab of Folder1, remove the permission entry for the IT group. => tested => it failed of
course, users don’t even have read permissions anymore
D : On Share1, assign the Change share permission to the IT group => Everyone already has the full control
share permission => won’t solve the problem which is about the NTFS Read permission
E : On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group => how could a condition, added to a read permission, possibly transform a read to a modify
permission??
if they had said “modify the permission and add a conditional expression” => ok (even if that’s stupid, it works)
a condition is applied to the existing permissions to filter existing access to only matching users or groups
so if we apply a condition to a read permission, the result will only be that fewer users (only those matching the
conditions) will get those read permissions, which actually doesn’t solve the problem either
so only one left :
C : On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group => for sure
it works and it’s actually the only one which works, but what about security?
well I first did not consider this method => “modify” permission for every single authenticated user??
But now it looks very clear :
THE MORE RESTRICTIVE PERMISSION IS ALWAYS THE ONE APPLIED!!
So “Modify” for the Authenticated Users group, and this will be filtered by the DAC, which only allows the IT
group.
and it matches the current settings that no other user (except admin, creator owner, etc…) can even
read the folder.
======================
and this link confirms my theory :
http://autodiscover.wordpress.com/2012/09/12/configuring-dynamic-access-controls-and-file-classification-part4-winservr-2012-dac-microsoft-mvpbuzz/
Configuring Dynamic Access Controls and File Classification
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full
control permissions and then DAC will overwrite it, if the user doesn’t have NTFS
permissions he will be denied access even if DAC grants him access.
====================
Tested in my lab and this is correct, IT group members can modify the files in Folder1 when B & C are done
nicely done
I know that we’re in Exam World here and not real life, but can anybody explain to me why you wouldn’t really just go into the NTFS permissions for the shared folder and give the IT group Modify? The proposed solution seems time-consuming and likely to cause confusion for other administrators.
No one would do this in the real world.
AB for sure just check my answer on http://www.aiotestking.com/microsoft/which-two-actions-should-you-perform-807/
Hm looks like the answers have been rearranged on this one. BE here
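
The reasoning in the explanation above (effective access is the intersection of the share, NTFS and central access policy permissions, and the policy rule only applies once the folder's classification matches its target), modelled as an added example that is not part of the original page. The Read entry for the IT group and the policy rule (Modify for IT on resources classified "Information Technology") are assumptions inferred from the explanation, because the exhibits are not reproduced here.

```python
# Simplified model of Windows effective access with a central access policy (CAP).
# ACL contents marked "assumed" stand in for the page's missing exhibits.
READ = frozenset({"read"})
MODIFY = READ | {"write", "delete"}
FULL = MODIFY | {"change_permissions"}


def granted(acl, groups):
    """Union of rights from allow entries whose group the user belongs to."""
    rights = set()
    for group, entry_rights in acl:
        if group in groups:
            rights |= entry_rights
    return rights


def effective_access(groups, share_acl, ntfs_acl, classification, cap_rule):
    """Share, NTFS and (when the resource is targeted) CAP rights are intersected."""
    rights = granted(share_acl, groups) & granted(ntfs_acl, groups)
    if classification == cap_rule["target"]:  # rule only applies to matching resources
        rights &= granted(cap_rule["acl"], groups)
    return rights


SHARE = [("Everyone", FULL)]                        # stated in the question
NTFS_ORIGINAL = [("IT", READ)]                      # assumed from the explanation
NTFS_OPTION_C = NTFS_ORIGINAL + [("Authenticated Users", MODIFY)]
CAP_RULE = {"target": "Information Technology",     # assumed exhibit content
            "acl": [("IT", MODIFY)]}

IT_USER = {"Everyone", "Authenticated Users", "IT"}
OTHER_USER = {"Everyone", "Authenticated Users"}


def scenario(ntfs_acl, classification):
    """Return (IT member rights, non-IT user rights) for one configuration."""
    return tuple(effective_access(u, SHARE, ntfs_acl, classification, CAP_RULE)
                 for u in (IT_USER, OTHER_USER))


if __name__ == "__main__":
    cases = {"as configured": (NTFS_ORIGINAL, None),
             "B only": (NTFS_ORIGINAL, "Information Technology"),
             "C only": (NTFS_OPTION_C, None),
             "B and C": (NTFS_OPTION_C, "Information Technology")}
    for name, (ntfs, label) in cases.items():
        it, other = scenario(ntfs, label)
        print(f"{name:14} IT={sorted(it)} other={sorted(other)}")
```

In this model, option C without B leaves every authenticated user with Modify, which is why the classification in B has to be in place for the policy to narrow access back to the IT group.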