nerdexam
CompTIA

CV0-003 · Question #151

An administrator has been promoted to architect when trying to access one of the servers, the architect receives the error: "Authentication failure: Account is not allowed". Which of the following exp

The correct answer is D. Discretionary ACL are enabled. A Discretionary Access Control List (DACL) explicitly defines which accounts are permitted or denied access to a specific resource, and a missing or deny entry for the architect's new account produces the 'Account is not allowed' error.

Security

Question

An administrator has been promoted to architect when trying to access one of the servers, the architect receives the error: "Authentication failure: Account is not allowed". Which of the following explains why access was denied?

Options

  • ARole-based ACL are enabled
  • BMultifactor authentication is partially working
  • CFederated information is not completely populated
  • DDiscretionary ACL are enabled

How the community answered

(62 responses)
  • A
    3% (2)
  • B
    8% (5)
  • C
    16% (10)
  • D
    73% (45)

Why each option

A Discretionary Access Control List (DACL) explicitly defines which accounts are permitted or denied access to a specific resource, and a missing or deny entry for the architect's new account produces the 'Account is not allowed' error.

ARole-based ACL are enabled

Role-based ACLs restrict access by group membership or role, which would typically produce a 'insufficient privileges' or 'access denied' error tied to the role rather than an account-not-allowed message.

BMultifactor authentication is partially working

A partial multifactor authentication failure would produce errors related to a missing or invalid second factor, not a message indicating the account itself is prohibited.

CFederated information is not completely populated

Incomplete federated identity information causes authentication failures across trust boundaries between identity providers, not a local DACL-level account restriction on a specific server.

DDiscretionary ACL are enabledCorrect

A DACL is controlled by the resource owner and contains Access Control Entries (ACEs) that grant or deny specific accounts access. When the architect's account was promoted, the DACL on the target server was not updated to include the new account, so the system evaluated the ACL and returned an explicit denial because no matching allow entry existed.

Concept tested: Discretionary ACL account-level access control

Source: https://learn.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces

Topics

#DACL#access control#role-based access#authentication failure

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice