Feb 01

Windows Server 2016 might cost more than you want to pay

I’ve got it up and running in the lab. Now I see this article;

 

A few years ago, Microsoft switched from per-processor to per-core licensing in SQL Server, and it’s about to do the same with Windows Server 2016. You may not be thrilled with the results.

“Microsoft’s auditors likely will have a field day with these new requirements for Windows Server, in the same way that they have used the ever-more-complex licensing rules for SQL Server to increase the company’s audit-based revenue in recent years,” warned Christopher Barnett, an associate attorney with Scott & Scott LLP.

Read the full text here;

http://www.pcworld.com/article/3028525/windows-server-2016-could-cost-you-more-than-you-think.html

Dec 28

HP Envy M6 AE 151 DX case removal opening to access drives, memory

This is simply a quick video showing how to open the case on this HP Envy M6  AE 151 D laptop since there didn’t seem to be anything online. These were a pretty popular Black Friday sales item this year (2015) so there are probably a few people working on replacing the default mechanical 1 Tb drive with a SSD, adding memory, etc.

These came without a optical drive. The battery is NOT removable. But you can upgrade the battery also by opening the case. I’ve had a couple open replacing the drive with a SSD.

 

Dec 04

SCAM ALERT – Microsoft Tech Support – WITH Audio Recording

So I got a call tonight from those scammers that try to get you to let them connect to your computer. I

Microsoft scammers webpage

Microsoft scammers webpage

recorded the call if you want to listen to what it sounds like. I’m not as dumb as I sound on the audio; it was an act to drag it out and build rapport to try to get more information. It’s about 30 minutes. Everything I say on the call is made up; I was trying to stretch it out but finally I had other things to do. When I told him there was someone at the door I actually made me some dinner. This is actually a fairly unsophisticated attack, entirely based on social engineering and not technical. Some tips to avoid this type of attack, based on this call (based on my 20 years in IT, some in Director roles);

1) It was a blocked number on caller ID. This alone is already illegal.
2) Who INITIATED the call?  If THEY initiated the call, you are at risk. If you have a problem with your computer, go fix it, don’t wait for someone legit to call you.
3) I it was pretty obvious it was a crowded, lots of background noise, and not very good English. A real Microsoft support person has a very professional demeanor.
4) Even without being technical, it was/should be a red flag when the Microsoft guy said they could also fix Apple.  One guy said they COULD fix Android, one said they could not.
5) The website they directed me to was a “free” hosted website company. I have already contacted them, and the site is being shut down.
6) Technically; they ask you to open Event Viewer, and look at the Critical Events, and you’re supposed to get panicked, but there are ALWAYS bad looking events in there.
7) Then, they directed me to a website, which had several remote control links on it, I’m sure the next step was to get me to install one of them. The tools listed on that site; Teamviewer, Goto Meeting, etc, are legit tools, just being used for a scam.
8) I started asking about a phone number, for my “friends” to call them. They hung up. Most of their website and phone activity can be faked, but a call back number would be a way to identify them, and they knew it.

From what I’ve read, if it works, they get you to go to a Western Union site and send them money to pay for their “help” fixing your computer.

Here are a couple of searches to see more about the scam;
Microsoft Support scam; https://www.google.com/search?q=microsoft+technicians+are+one+step+ahead+scam&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&gws_rd=ssl

https://www.google.com/search?q=call+from+microsoft+support+scam&oq=call+from+microsoft+support+scam&aqs=chrome..69i57.6294j0j9&sourceid=chrome&es_sm=122&ie=UTF-8

Dec 02

Windows Server 2016 Technical Preview 4 install and first boot

Here are two quick videos showing the install and first boot of Server 2016 Technical Release 4

Server 2016 Technical Review 4

Server 2016 Technical Review 4

 

number1This first video we install and boot to Core. Core is the default of the two options; Core or GUI. So, if you select all the defaults, you will have Core.

 

 

number2In this second video we install and boot to the GUI install.

 

Oct 29

How to tell if your information was affected by data breach

http://error.000webhost.com/ hacked

Today the news came out that http://error.000webhost.com/ was hacked and 13,000,000 user’s information was released.  This isn’t even the biggest breach. In order of size the Adobe breach was still the largest at 152,000,000. The site is now in “maintenance” mode for all, causing a lot of alarm with the user community.

The background of the issue, and the site’s reluctance to face the issue is outlined in numerous articles

Has my account been compromised or hacked? Look it up here.

Has my account been compromised or hacked? Look it up here.

online so I won’t go over that.

What I do want to show you is a site or two that can tell you IF your data was included in any of the recent hacks. You can find out quickly here; https://haveibeenpwned.com/

 

 

Others include;

https://pwnedlist.com/query

https://breachalarm.com/

Oct 11

Flashcard App sets for 70-410 PowerShell and ITIL

Flashcard Sets for ITIL and PowerShell for 70-410, 411, 412, 417

I have created two flashcard sets at http://www.flashcardmachine.com/, one for ITIL Foundations terms (remember, no acronym memorization is needed for Foundations test).

ITIL – 52 flashcards on the key terms and definitions.

70-410, 411, 412 and 417 PowerShell commands.

You can review these online, or you can download an APP to study them on your phone. The app is

Flashcard Machine ITIL and PowerShell sets

Flashcard Machine flashcards for ITIL and 70-410

called Flashcard Machine, and it’s FREE. To find my two flashcard sets search for these terms on FlashCardMachine.com;

ITIL – ITIL 2011 JL Key Service Management Terms (53 cards)

70-410 PowerShell – 70-410 JL PowerShell Commands (68 cards)

As you can see, I have “JL” in each title so you can make sure you’re getting my sets.

Sep 12

Server 2012 R2 Core, Minimal GUI, GUI

SO, what are all the options with core?  What is “minimal  GUI”?  How do you move from one to the other?

I wanted to post to outline these options as this understanding will probably be included on several questions in the 70-412 or 70-417 tests.

There are THREE options for the interface on Server 2012.

From the most basic, to the most features, they look like this;

  1. Server Core – always installed and enabled; the baseline feature for all Windows Servers. This includes the fundamental capabilities that cannot be removed and are core to the OS.
    1. What you get; ONLY command prompt (Powershell)
  2. Minimal Server Interface; Server Graphical Management Tools & Infrastructure – functionality for Minimal Server Interface;
    1. What you get; Server Manager and command prompt, and MMC
  3. Server Graphical Shell – equivalent to Server with a GUI
    1. What you get; this is the full GUI interface that most Administrators work with

Link to overview and diagram shown below.

Server 2012 GUI Layers

Server 2012 GUI Layers

 

We are going to demonstrate scenarios with VIDEO

  1. Starting with Server Graphical Shell (normal full blown GUI)
    1. We remove the Graphical Shell, which takes us to MINIMAL SERVER INTERFACE.  Then we return to the Server Graphical Shell.
      1. Link to video going from Server Graphical Shell to Minimal Server Interface, and back. Also looking at the tools in Minimal Server Interface, and how you restart your tools if you close them all and are looking at a black, blank desktop in Minimal Server Interface.
      2. https://youtu.be/O1mNgwzUewQ 
    2. We remove Graphical Shell and minimal interface and go directly to CORE, then we return to Graphical Shell
      1. This command gets you from CORE to Minimal Server Interface; Install-WindowsFeature Server-Gui-Mgmt-Infra
      2. Add this command as well, and you go back to full Server Graphical Shell; Install-WindowsFeatureServer-Gui-Shell 
      3. So, to go from Core back to Server Graphical Shell in one step, this is your command; Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell
      4. Link to video going from Server Graphical Shell to Core, and back. Also looking at the tools in Core, and how you restart your tools if you close them all and are looking at a black, blank desktop in Core.
      5. https://youtu.be/sAwOOpuD4mA
Sep 02

Windows Server 2012 R2 (70-412) Identity and Access Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through technet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and2012GregShields cmdlets are in purple. I have a few notes with the “DEMO” each time the training included a DEMO just so you can see how many demos there were which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.

 

  1. Install and Configure AD Certificate Services. Essentially setting up internal certificate trusts to mirror, and and can negate the need for, external certificates like Microsoft, Verisign, etc.
    1. Install an Enterprise Certificate Authority
      1. The “issuing CA” creates the actual cert file. Issuing CA gets trust from Policy CA, who gets it from a Root CA
      2. Root is typically standalone, offline. Policy CA standalone or enterprise, typically online. Issuing CA typically enterprise online.
      3. Issuing CA is the one doing all the day to day work.
      4. Install CA ROLE, and the Online Responder ROLE2012CertificateServicesRoles
        1. optional web enrollment pieces, or can use the console to manage
      5. Post install configuration; configure active directory certificate services, requires member of local admins for some services, and Enterprise Admin for some.
      6. Decide what TYPE of CA you’re installing. 2012CertificateServicesRolePermissions
      7. Choose a NAME for the CA,  usually combination of server name, domain name. Choose validity period (default = 5 years)
      8. Certificate Templates – basic templates are provided, then when you fill them out with specific information it creates the actual certificate. Some are “available for issue” then there are dozens of additional ones that are not available for issue by default.
      9. refresh GP then root cert should be available through AD. certs are automatically trusted by any computer in the domain
      10. from a client, you can “request a new certificate”, and it automatically enrolls
    2. Configure CRL (certificate revocation list) Distribution Points
      1. when you need to manage expiration due to termination, employee leaving, new job responsibilities, etc.
      2. The CRL location shows up in the “details” tab on the actual cert
      3. set up CRL revocation list locations BEFORE passing out certs
      4.  you can’t delete crl revocations. Think about it, that makes sense.  But when the list gets really long there are ways to make the queries faster.
    3. Install and Configure Online Responder
      • Configure the Online Responder (which also needs a cert) OCSP response signing
      • Revocation Configuration for the Online Responder
      • Online responder downloads a copy of the CRL to make responses
      • enter the URL for the Online Responder in cert templates, and again have this set up prior to issuing any certs or you have to redo them all.
    4. Implement Administrative Separation
      1. Principle of Least Privilege
      2. Read this Technet on Role Based Administration
      3. In the security tab of the CA, set up the right permissions
      4. one additional command; PS certutil -setreg ca\RoleSeparationEnabled 1  https://technet.microsoft.com/en-us/library/Cc782357(v=WS.10).aspx
    5. Configure CA Backup and Recovery
      1. right click, all tasks, back up and restore recommend private key and logs (checkboxes)
      2. certutil can also do backups (old way)
      3. now of course PS Backup-CARoleService
  2. Manage Certificates
    1. Enrolling for Certificates
      1. instead of “find cert” start with “request”
      2. From IIS, you can create request and complete request from wizard on the right side of IIS.
      3. Example using a PS code signing certificate
    2. Manage Certificate Templates
      Cert tabs
      Certificate Template Tabs
      1. right click / manage, see “code signing certificate”
      2. copy “duplicate” the template, then modify the new duplicate for  use
      3. publish certificate in AD checkbox
      4. compatibility settings
      5. choose encrypt/signature or both
      6. auto renewal can force a different private key
      7. WHAT this cert is going to be  used for is baked in the cert configuration. For this example signing PS, this would be “code signing”
      8. “subject name” is usually the FQDN of the webserver. In this case, we specify the user name for our PS signing cert.
      9. you can configure manager approvals or signatures prior to approval
      10. security tab; read, enroll, auto-enroll.
    3. Implement and Manage Certificate Deployment, Validation and Revocation
      1. now that the template is created, we talk about deployment, validation and revocation
      2. now you have to right click on Certificate Templates, choose new certificate to issue and find the newly created template to issue.
      3. revoke certificate from a right click on the cert. This is PERMANENT and not reversible. Note there is a “HOLD” that can be a temporary hold.
      4. force a CRL update by “publish CRL”
      5. new crl once a week, new delta crl once a day.
    4. Configure and Manage Key Archival and Recovery
      1. there is no default capability to archive keys
      2. archive when enabled happens in AD
      3. KRA Key recovery agent cert can recover keys
      4. copy and modify certificate template
      5. then you “enroll” for the KRA certificate
      6. two commands to recover
        1. PS certutil -GetKey
        2. certutil -RecoverKey
    5. Manage Certificate Renewal
      1. manual non-GPO renewal
      2. in Certificate console, right click on template, “re-enroll all certificate users”
    6. Manage Certificate Enrollment and Renewal to Computers and Users using Group Policy
      1. to auto populate our PS code signing certificate, assigned to our IT group
      2. GPMC, new GPO
      3. user side, public key policies
        1. need certificate enrollment (AD)
        2. auto-enrollment (enable)
        3. auto-renewal   /log expiry events, other options
        4. auto renewal is 80% of cert lifespan, or the expiry of the renewal period
      4.  testing on machine, log in, gp runs, check for PS Signing cert
    7. Configure and Enroll a Hyper-V Replica Certificate
      1. If you choose replication in Hyper-V and select “encrypt”, then it will error as there is no dedicated custom cert
      2. copy and rename a “Computer” template
      3. then make it available for use
      4. now when you go back to Hyper-V Manager it shows up.
  3. Install and Configure AD Rights Management Services
    1. Install a Licensing or Certificate AD RMS Server
      1. RMS servers are referred to as “cluster”, just meaning multiple servers. You can also do a single server cluster. You need to be Enterprise Admin to complete this setup.
      2. If you go to a document on File Server, you go to “protect document” then  “restrict access” to connect to RMS and “get templates”. Will error if you have no RMS set up.
      3. Install Active Directory Rights Management Server ROLE.
      4. Post install configuration is required (yellow alert top right of Server Manager)
      5. RMS is tied to email field in AD properties general/email field. Even if you don’t have email in reality it just pulls from that field.
      6. Store RMS Cluster Key (keep this), password, website.
      7. For location, suggest CName instead of FQDN so you can adapt in the future if the hardware changes.
    2. Manage AD RMS Service Connection Point
    3. Manage RMS Templates
      1. Rights Policy Templates determine what/how you are going to offer to your users.
      2. example; content that Finance group needs to protect
      3. Name policy “Finance Protected Content”, add description.
      4. Tied to the email associated with the finance security group, and you can choose what they can do. Lots of rights / actions, and you can create custom ones as well. view/edit/save/print/save/save as/etc.
      5. you can disallow client side caching; they would have to be online to access the data
      6. define revocation policy; when you revoke the license, you revoke the ability to access that policy, you also provide a url where the policy resides.
    4. Configure Exclusion Policies
      1. you can determine  “Lockbox version exclusion” which is pretty bizarre, read about it on the link.
    5. Backup and Restore AD RMS
      1. what do you have to include in backups?
      2. Configuration DB, directory services DB, logging DB. Either in SQL or the Windows server internal SQL. The internal SQL requires a full server backup. So, from a backup perspective it’s better to use SQL.
      3. server certificate needs to be backed up
      4. cluster key password
      5. export trusted publishing domain
  4. Implement AD Federation Services – focus seems to be on Workplace Join
    1. Configure Workplace Join
      1. understanding Federation
        1. Traditionally, access is controlled by a user ID and login. Or, from AD permissions.
        2. Federation is used when access needs to be provided to users OUTSIDE of your domain. (Partner, merger, acquisition, etc.)
        3. Federation servers handle the federation process between organizations. It’s kind of a bridgehead or gateway for the access request/granting. It does this by generating “claims“.
        4. Relying Party (us) and Claims Provider (them)
        5. This happens from a pair of Trusts from each direction; Claims Provider Trust and Relying Party Trust.
      2. Think also for BYOD situations for non-domain joined devices. Device itself is added to AD.
      3. Typically connect through Web Application Proxy (not on the 412 test)
      4. Settings / network / “workplace” is where you see it.. on your desktop, not the server.
      5. Create a Group Managed Service Account.
      6. Create a certificate for AD FS
        1. domain computers needs to have enroll privileges
        2. Enroll from your AD FS server
        3. This will require entering additional information to enroll the cert; hostname, DNS name, etc.
        4. For non-domain devices, it’s a lot easier if you use a public cert, for access and CRL access which is open to non-domain users on the internet.
    2. Install AD FS
      1. Now create ADFS, create the first server in a federation server farm.
        1. associate to cert
        2. name it, add display name
        3. add service account (use an existing account)
        4. SQL or internal database.
        5. finalize the wizard. now you should be the Relying Party Trust.
    3. Implement Claims based Authentication including Relying Party Trusts
      1. in AD FS console, look under Relying Party Trusts to see the claims options.
    4. Configure Authentication Policies
      1. from PowerShell
        1. Initialize-ADDeviceRegistration
      2. Back in console, enable device authentication in the global policy
      3. This is just using “windows authentication” instead of Forms based, or other options.
    5. Configure Multi Factor Authentication
      1. This is a Authentication Policy in the console
      2. registered/unregistered, intranet/extranet
      3. now test Workplace Join from desktop. You just click “join” and it’s joined. Button changes from “join” to “leave”.

 

Sep 01

FREE ebook 70-409

VEEAM is offering a FREE ebook on the Microsoft 70-409 certification; Server Virtualization with Windows Server Hyper-V and System Center. This book is by @orinthomas (http://orinthomas.com/) who is a great IT author and trainer, I’ve used a lot of his material. You could study this book, online resources, and use the Second Shot to pick up this cert. Here is the link to the download page on VEEAM; http://go.veeam.com/microsoft-certification-exam

Jul 30

Windows Server 2012 R2 (70-412) File and Storage Solutions – Study Guide

Prepare yourself for the Microsoft MCSA 70-412 exam. This course explores how to implement an advanced DHCP solution, implement an advanced DNS solution, and deploy and manage IP Address Management.

These notes are my personal notes from the FREE training on Pluralsight. You can get your FREE signup through technet/MSDN or Dreamspark. The title of this course is exactly the title of this post. These notes are from this specific course only. I use these as a refresher Study Guide. POWERSHELL topics and2012GregShieldscmdlets are in purple. I have a few notes with the “DEMO” each time the training included a DEMO just so you can see how many demos there were which were really helpful. Thanks to Greg Shields @ConcentratdGreg, the trainer, contact info at the end.

“Storage” – think more than just file server.

  1. Configure and Optimize Storage
    1. Configure Storage Spaces
      1. local disks
      2. create a Storage Pool
      3. all storage shows up (unused and available) in the PRIMORDIAL POOL
      4. new storage pool wizard
        1. during wizard can allocate “automatic” but can choose “manual” or “hot spare”
        2. leave it as automatic, can set RAID
      5. Then create a disk out of the storage pool. Then can create volumes on those disks as well.
      6. storage tiers checkbox is grayed out as tiering is not set up.
      7. can set simple/mirror/parity (RAID) in this wizard
      8. next button lets you choose thin or fixed provisioning.
      9. after creation, then create a volume on the new disk
      10. can enable data deduplication in next field (have to turn on the ROLE)
        1. general purpose or VDI de-dupe
        2. can choose exclusions, schedule, etc. Throughput optimization.
    2. Configure Tiered Storage
      1. Start with creating a new storage pool. Has the different type disks (SSD and spinning)
        1. (hack to create each with VMware workstation)
          1. Get-PhysicalDisk
          2. Get-PhysicalDisk | ft friendlyname,size,mediatype
          3. can set them in PS to be and appear as SSD or mechanical
          4. Set-PhysicalDisk -mediatype HDD
          5. So essentially you are setting them to have some SSD and some HDD so you can set up tiering.
        2. Now you have a different option in the wizard (Faster tier, Standard tier)
        3. the tiering is handled by the windows subsystem, no mgmt
        4. can set specific files to SSD by PS; Set-FileStorageTier
    3. Implement Thin Provisioning and TRIM
      1. we already talked about creating THIN
      2. tiered is THICK – cannot do THIN tiered
      3. see if THIN provisioning fits your needs
      4. TRIM – file delete notification. reclaim storage space. File Delete Notification is ON by default.
      5. disable file delete notification by registry setting if you want as it does add some overhead.
      6. PS Optimize-Volume
    4. Configure iSCSI Target and Initiator
      1. provides a method for any of the above disks accessible over network
      2. Target = where storage is, Initiator is who needs the storage,
      3. Configure; easier to create the initiator first (the remote network server)
        1. tools/start iSCSI initiator get alert box to start service each time
      4. iSCSI console
        1. quick connect option might not be the best for enterprise use
      5. you have to click the ADVANCED button to choose adapter and initiator IP (critical when using a separate storage network)
      6. at this point, we haven’t create the storage target on the fileserver yet
      7. new iSCSI virtual disk wizard
        1. create new iSCSI disk name, size, dynamically expanding, etc.
        2. next screen asks for target name, and the previously created one shows up. (which is why we created it first)
        3. can enable CHAP authentication
        4. “CONNECT”, then go to ADVANCED to verify IP, network, etc. If you don’t specify the right network, you could end up sending storage traffic over your production network.
        5. the remote server shows the disk just like it was a local disk, needing brought online, format, etc.
        6. PS commands for iSCSI
          1. Connect-IscsiTarget
          2. Disconnect-IscsiTarget
    5. Configure iSNS (Internet iStorage Name Service Server)
      1. used to simplify management of complex and large iSCSI setups (who is that?)
      2. registers initiators
      3. to register targets, you need PS command Set-WmiInstance -namespace root\wmi -Class WT_iSNSServer -Arguments @{ServerName=”actual server name”}
      4. after that, initiators and targets both show in iSNS console
    6. Manage Server Free Space using Features on Demand.2012SpecifyAlternateSourcePath
      1. basically allows you to remove unused roles to save space.
      2. this gives you the Specify Alternate Source Path window (screenshot)
      3. this is a good article to show where it searches.
      4. you can create a “feature file store” and put it on the network. it’s the SXS folder.
  2. Configure Advanced File Services
    1. Configure a NFS file datastore
      1. NFS more interested in computers not users
      2. “Server for NFS” ROLE (under file server)
      3. New NFS Sharing tab on share properties
      4. incoming client settings, permissions (which machines)
      5. by DEFAULT all machines have read access, and root access is disallowed.
      6. PS NfsShare, Get-NfsShare, etc.
    2. Configure file access auditing
      1. 50 new sub-categories, but same way to set up as previously
      2. Group Policy or local security policy
      3. 9 different original policies. Audit Object Access. Typically this is how we used to turn this on
      4. “Advanced Audit Policy Configuration”
      5. SACL; auditing view on file/folder properties, now you can also add CONDITIONS.
    3. Configure BranchCache
      1. transparent; cache documents in remote locations. I.E., branch offices. Bandwidth was historical a reason. Used to need Enterprise Windows versions, limiting it’s use. Now any version of Windows 8 works. Turn it on and don’t think about. File server, web server, or BITS data.
      2. First access of document initiates the copy to the branch.
      3. Distributed Mode (stores on desktop machine) or server based Hosted Mode.
      4. file is split into chucks that are hashed then only changed chunks are updated.
      5. One piece only does files, different piece does Web and BITS. These are in different places in FEATURES
      6. Turn it on via GPO, choose hash type, configure client side “turn on branch cache”, set hosted cache server name, set cache expiration, etc.
      7. You can pre-populate bia PS Publish-BCFileContent, Export-BCCachePackage
  3. Implement Dynamic Access Control (DAC) DAC is supposedly heavily represented on 70-412 and 70-417 tests. Here is a great example and scenario about how to use DAC in a real-world situation, from the Microsoft Storage Team; http://mints4.rssing.com/chan-3739609/all_p2.html
    1. Addresses file permissions getting lost/changed during file moves. New security requirements also drive this advancement in security.
      1. needs to have characteristics set in AD
      2. Also settings on file servers.
      3. Scenario; you can filter all documents for SSN, and then disallow anyone from viewing such document unless the user is in certain group, site, etc.
      4. Can filter and scan files as they are updated (SSN added to file that did not previously have one)
      5. Think big IF THEN statement; IF this user is in FINANCE group, AND user is in DENVER, then allow read/write/etc.
      6. DAC scans documents regularly to keep up with changes.
    2. Configure User and Device Claim Types
      1. Install File Server Resource Manager ROLE (screenshot)2012FileServerResourceManager
      2. CLASSIFICATION tab in properties on your file server now.
      3. Active Directory Administrative Center (different from ADUC) has DAC
        1. Trying to get steps in order here;
        2. create claim types in ADAC for USERS
        3. Resource properties for files set up in ADAC / DAC console. Some examples built in are; Personal Use, Project, Intellectual Property, Immutable (?), Department, Compliancy, Personally Identifiable Information, etc. Then there are different values; NOT PII, Public, Low, Moderate, High, and you can create/edit values. These are set up then used later in AD to apply to files and folders
        4. Resource property lists ( add resource property to global) This is just a container of resource properties. Grouping these makes it more manageable to attach to documents. To use this, use PS Update-FSRMClassificationproperyDefinition, which enables the property list. Now it shows up on folder/share/file “Properties” as a new TAB. Users aren’t going to use this manually very much so you have to use server options; screen templates, file screens, classification management. This is the first step to determine what type of content you’re looking for in files / folders. You can scope to specific types of files; user files/ backup files, application files, etc. Scope this down to only the ones interested in, or you can get into resource issues. After picking scope, then choose the TYPE of classifier; for this a “content classifier” which looks at file content. Then you set the content classifier to “high, low, etc.” to apply that to hits that it finds. then you build the classification parameters which are detailed search expressions. you can look up the patterns on the internet or wherever like this one for SSNs.  Now schedule to determine when and how often it searches. Check-box ” enable fixed schedule” then choose the times/dates/recurrence. You CAN force it to “run now” to see if it works. It allows logging and post scan reports. When if finds a HIT, then it actually will show as an updated “properties” tab on the file. You also can configure email request assistance and notification for remediation.
        5. Create new central access rule. This is in ADAC / DAC to set up how you want to apply the settings above to control access based on the detail above. Generally apply to “authenticated users” , they get access when certain defined conditions exist; user is in Kansas City, and belongs to HR, etc.
        6. Create central access policy is how the rule above gets applied to file servers. Then use Group Policy to deploy. New GPO for DAC policy. This would apply to File Servers. Then go back to properties on the share/folder and there is a “Central Policy” tab that you have to choose the policy.
        7. I guarantee this is a test question that MS uses. Keep in mind test questions are random so it might not be on EVERY test, but it’s on one I took.
    3. Implement Policy Changes and Staging
    4. Create and Configure Resource Properties and Lists
    5. Configure File Classification
    6. Perform Access Denied Remediation
    7. Create and Configure Central Access Rules and Policies