Exam 70-741 topic 1 question 151 discussion

The domain users group isn't listed, so they would not have access unless they were members of one of the groups that are listed. Protected users is the name of a group, not sure how that implies a smart card is in use. I think the answers are: never applies to the user password

this is the rest of the question https://onedrive.live.com/?authkey=%21AE6YK818YburdH8&cid=C5D77F03F4D4DE29&id=C5D77F03F4D4DE29%21882&parId=C5D77F03F4D4DE29%21881&o=OneUp I think the correct answer is (never applies to the user, a virtual smart card)

I think 1st answer is "never applies to the user." Further if a user is a memver of the Protected Users or Domain Admins, the answer is "applies to the user on weekdays between 08:00 and 18:00."

As per the link of Kamikazekiller: https://onedrive.live.com/?authkey=%21AE6YK818YburdH8&cid=C5D77F03F4D4DE29&id=C5D77F03F4D4DE29%21882&parId=C5D77F03F4D4DE29%21881&o=OneUp the answer is logic: -Policy never Apply to the users (because only one condition is met) -Smart Card (2 Methods: smart card or other Certificate )

- Never applies to the user - Virtual smart card

The condition rules are standalone for each line and can contain multiple conditions within that one rule/line i.e. 1 line = 1 rule (which contains one or more conditions) However, the match needs to happen for 1 rule/line only. System checks for match one rule at a time by the processing order from lowest to highest. Given answer is correct.

I think answer is correct. After first condition is checked and met, second condition is not in question anymore. Virtual Smart Card bcos Authentication method is EAP - Microsoft: Smart Card or other certificate

Good answer is : 1- Never applies to the user 2- a virtual smart card (the settings conditions is just missing from this capture. The the one drive link) Here is why : In the MCST boot Exam Ref 70-741, Skill 4.3 : Implement NPS CHAPTER 4 page 213, Configure network Policies * Conditions : Contains the basci properties of a connection. You can define multiple conditions. For the policy to apply, the remote client must match ALL of the conditions specified in the policy. These include : ** Membership of a Win Group ** Day and time restrictions ** IP address of the remote client ** Authentication type ** RADIUS client properties, such as IP address or frendly name It's says samething on page 218 : "You can define multiple conditions, all of which must be matched by connection attempt for the policy to apply[...]

Network policies can be viewed as rules. Each rule has a set of conditions and settings. NPS compares the conditions of the rule to the properties of connection requests. If a match occurs between the rule and the connection request, the settings defined in the rule are applied to the connection. When multiple network policies are configured in NPS, they are an ordered set of rules. NPS checks each connection request against the first rule in the list, then the second, and so on, until a match is found. Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests. https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-overview So the second policy would never even be look at as the first one gives the domain uses access "this is the rest of the question https://onedrive.live.com/?authkey=%21AE6YK818YburdH8&cid=C5D77F03F4D4DE29&id=C5D77F03F4D4DE29%21882&parId=C5D77F03F4D4DE29%21881&o=OneUp" So the answer looks correct to me.

Never applies to user A virtual smart card Authentication method is EAP - Extensible Authentication Protocol Extensible Authentication Protocol being used is: Microsoft: Smart Card or other certificate

After more research on this, i found in the MCSA book that if you have Multiple policies Its important to place these policies in the correct order because once RRAS finds a match it stops processing additional policies. Coming back to the Question: The answers in this question is right.

As network policies are checked in descending order (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-overview), isn't the answer correct as given because it would match the first condition and never reach the second?

never applies to the user

I agree with TMW and ovader, I do not see any mention the 1st group being a part of another group - so policy never applies and from most of my recent class knowledge most are PASSWORD, never heard any mentions of virtual smart cards etc. again not trying to read anything into the question per Microsoft.

If the conditions (all conditions in policy) do not match the connection request, NPS skips this policy and evaluates other policies, if additional policies are configured. So, first answer is POLICY never applies to the user (not condition), second answer is A PASSWORD

It does come from the "Protected Users" group. But I'm still not sure. I only see that NTLM doesn't work with those. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

Where comes the virtual smartcard from?