Exam 70-741 topic 1 question 161 discussion

Access based enumeration is set at the namespace level, not the folder level. rules out ans A. your stated goal is to provide both users with access, so denying user1 DFS read permission will not work either. this rules out ans D. User2 already has NTFS full control, therefore Ans. C appears to me to be correct. Access based enumeration is different than "set explicit permissions" If you set explicit permissions, your choice is read, or deny. that is all. In my home lab, if you set explicit permissions to deny, it overrides NTFS permissions. even full control. Explicit permissions are not being used here. When using access based enumeration, you create folders within the DFS folder, and block folder inheritance. That way you can set your own permissions, allowing access based enumeration to work. if the user does not have NTFS permission, they cannot see the folder. if they do, they can see it. I hope this helps. I was baffled when I saw this, but it seems more clear now. The answer is C.

By default the DFS namespace system inherits permission from NTFS Permissions to determine if a user could see a published folder or not. As you can see User1 is lacking of NTFS Read permission, to counter this, grant User1 NTFS Read permission to let User1 to utilize DFS namespace to see Folder1, also the question had mentioned that Access-Based Enumeration is disabled, and this is good for the situation mentioned.

Spun up a test environment for this question alone. I can say without a single doubt in my mind, that B is the corrent answer. Remember to log off and back on when disabling Access Based Enumeration to see the results. With (DFS) ABE on: Only User1 can see the folder With (DFS) ABE off: Both users can see the folder Wouldn't make sense to add NTFS read permissions for User1 as User1 can already see the folder.

Answer on Exam will be C. But, there is a variant where C does not refer to NTFS permissions, in that variant the answer will be A.

On the exam the NTFS permissions for user 1 wasn't an option for me, it was changed to Share permission. I went for disable ABE for the namespace as it was the only one that would have worked.

2 more variants: What should you do? A. Assign User2 the read DFS permission to Folder1. B. Assign User1 the read NTFS permission to Folder1 C. Run the Set-DfsnFolderTarget cmdlet. D. Assign User1 the read Share permission to Folder1 Offered Answer: B Explanation References: https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/enable-access-basedenumeration-on-a What should you do? A. Disable access-based enumeration for Namespace1. B. Run the Set-DfsnFolder cmdlet. C. Run the Set-DfsFolderTarget cmdlet. D. Deny User1 the read DFS permission to Folder1. Offered Answer: A

I have seen the same question but with more option: A. Enable access-based enumeration for Folder1. B. Disable access-based enumeration for Namespace1. C. Assign User1 the read NTFS permission to Folder1. D. Deny User1 the read DFS permission to Folder1. E. Run the Set-DfsnFolder cmdlet. F. Run the Set-DfsnFolderTarget cmdlet. G. Assign User1 the read Share permission to Folder1. The answer offered is B Disable access-based enumeration for Namespace1.

Answer is: C

Answer is: C " Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information " https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/enable-access-based-enumeration-on-a-namespace

with access base enumeration enabled, you have to have Read DFS permissions, only viable answer here is to disable access base enumeration

The question says that: You need to ensure that both User1 and User2 can see Folder1 when they access \\Contoso.com\NameSpace1 I have tested in my home lab. The answer is B. In this scenario, explicit permissions for DFS folder is set. When you use explicit permission on DFS folder then you need to put every user/group in the list to whom you want to see the folder. In this scenario, he put user1 in DFS folder explicit permission list but did not put user2 in the list, which results that user2 cannot see the folder when he opens \\Contoso.com\Namespace1. Now come to user1 access: User1 getting read permission of DFS folder so he can see the DFS folder when he opens \\Contoso.com\Namespace1 but he does not have any NTFS permission of \\Server1\Folder1 (Target of \\Contoso.com\Namespace1\Folder1), it means that he cannot access the \\Server1\Folder1. When he will open \\Contoso.com\Namespace1 he will see folder1, but if he want to access folder1 the access will be denied. Confirmed in my home lab.

The correct answer is B - If you went with c, then browsing to the name space wouldnt allow you to SEE folder 1 as access-based enumeration is enabled on the namespace, and user 2 DFS permissions is set to none. If you disabled access-based enumeration then browsing to the namespace will allow you to SEE folder1, regarding of whether you can access it or not. - DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access

B is correct

Anyone else tested it?!

Answer is B, just testing in my Lab. The main thing to realize here is the difference, how you access the folder. \\Server1\Folder1 is something completely different than \\contoso\namespace1.

Answer is C. By default the DFS namespace system inherits permission from NTFS Permissions to determine if a user could see a published folder or not. https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/using-inherited-permissions-with-access-based-enumeration

C. Assign User1 the read NTFS permission to Folder1.