CV0-003 · Question #151
An administrator has been promoted to architect when trying to access one of the servers, the architect receives the error: "Authentication failure: Account is not allowed". Which of the following exp
The correct answer is D. Discretionary ACL are enabled. A Discretionary Access Control List (DACL) explicitly defines which accounts are permitted or denied access to a specific resource, and a missing or deny entry for the architect's new account produces the 'Account is not allowed' error.
Question
An administrator has been promoted to architect when trying to access one of the servers, the architect receives the error: "Authentication failure: Account is not allowed". Which of the following explains why access was denied?
Options
- ARole-based ACL are enabled
- BMultifactor authentication is partially working
- CFederated information is not completely populated
- DDiscretionary ACL are enabled
How the community answered
(62 responses)- A3% (2)
- B8% (5)
- C16% (10)
- D73% (45)
Why each option
A Discretionary Access Control List (DACL) explicitly defines which accounts are permitted or denied access to a specific resource, and a missing or deny entry for the architect's new account produces the 'Account is not allowed' error.
Role-based ACLs restrict access by group membership or role, which would typically produce a 'insufficient privileges' or 'access denied' error tied to the role rather than an account-not-allowed message.
A partial multifactor authentication failure would produce errors related to a missing or invalid second factor, not a message indicating the account itself is prohibited.
Incomplete federated identity information causes authentication failures across trust boundaries between identity providers, not a local DACL-level account restriction on a specific server.
A DACL is controlled by the resource owner and contains Access Control Entries (ACEs) that grant or deny specific accounts access. When the architect's account was promoted, the DACL on the target server was not updated to include the new account, so the system evaluated the ACL and returned an explicit denial because no matching allow entry existed.
Concept tested: Discretionary ACL account-level access control
Source: https://learn.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces
Topics
Community Discussion
No community discussion yet for this question.