AD 1


You are the administrator for the westsim.com domain. Within the domain, you have OUs for the accounting, manufacturing, sales, and administration departments. You also have smaller OUs within each department OU, such as the ITAdmins OU in the Administration OU. You need to follow the principle of least privilege as you use the Delegation of Control wizard to complete the following:

- Give one user in each OU the rights necessary to manage user accounts in their OU.
- Give your assistants in the ITAdmins group rights to manage passwords for all users in the domain.

Which of the following approaches can you use as you delegate control? (Select two. Each correct answer is part of the complete solution.)

- Create a PasswordAdmin group in the ITAdmins OU. Make your assistants members of the PasswordAdmin group. In the westsim.com domain, delegate control to the PasswordAdmin group to perform password tasks.
- Create a UserAdmin group in each department OU. Make the user in each OU a member of the UserAdmin group. In each department OU, delegate control to the UserAdmin group to perform user account tasks in that OU.

You have received a call from a user telling you that his password no longer works. As you inquire about the reasons why the password doesn't work, he tells you that yesterday, he received a call from an administrator asking for his user account password, which he promptly supplied. You know that a legitimate administrator would have never made this request. You are concerned that the impersonator might have contacted other users with the same request. To protect your network, you would like to reset all user account passwords and force users to change their passwords at the next login. You want to accomplish this as quickly as possible. What should you do? (Select two. Each choice is a possible complete solution.)

- Create a script that runs Dsmod. Specify the new password and account properties in the script. Run the script.
- Run Ldifde to export user account information. Edit the .ldif file to modify the user account properties and passwords. Run Ldifde to modify the existing user accounts.

You are the domain administrator for a single domain forest. Your company has based its top-level OU structure on the four divisions of your company: manufacturing, operations, marketing, and transportation. Each division has a global security group containing the user accounts for division managers. You want to have a single group that can be used for granting access to resources to all of your organization's managers. What should you do? (Select two. Each selection is a complete solution.)

- Create a universal security group called AllMgrs and make each of the existing Division Manager groups a member.
- Create a global security group called AllMgrs and make each of the existing Division Manager groups a member.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Support departments. User and computer accounts for each department are in their respective OUs. The Support department has a very high turnover. Nearly every week, you need to add new user accounts. All user accounts have the same department and fax number settings. Each user account must also have permission to the Orders shared folder. You want to create a template account to use when creating new accounts in the future. What should you do? (Select three. Each is a required part of the solution.)

- Create a user account with the department and fax number settings.
- Disable the user account.
- Create a group called Support. Make the template account a member of the Support group. Assign permissions for the group to the Orders shared folder.

You are the administrator for a network with two domains, westsim.com and sales.westsim.com. You have a shared folder called Reports on the Sales1 server in the sales.westsim.com domain. The following two users need access to this shared folder:

- Mark in the westsim.com domain
- Mary in the sales.westsim.com domain

You create a global group called Sales in westsim.com. You grant this group the necessary permissions to the Reports shared folder. You add Mark as a member of the group, but you are unable to add Mary as a group member. What should you do? (Select two. Each choice is a possible answer.)

- Delete the existing group. Create a domain local group in sales.westsim.com. Add Mark and Mary as members and assign permissions to the share.
- Convert the group to a universal group.

You are the manager of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. Assistant administrators help you manage Active Directory objects. For each OU, you grant one of your assistants full control over the OU. You come to work one morning to find that while managing some user accounts the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to make sure that your assistants can't delete the OUs they are in charge of. What should you do? (Select two. Each choice is a possible solution.)

- Edit the properties for each OU to prevent accidental deletion.
- Remove full control permissions from each OU. Run the Delegation of Control wizard for each OU, granting permissions to perform the necessary management tasks.

Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and the child OUs Research, HR, Finance, Sales, and Operations. You have created a Group Policy Object (GPO) named DefaultSec, which applies security settings that you want to apply to all users and computers. You have created a second GPO named HiSec, which has more restrictive security settings that you want to apply to the HR and research departments. Both GPOs use custom security templates. You also want to ensure that strong password policies are applied to all client computers. How should you link the GPOs to the OUs? (Select three. Each correct answer is part of the complete solution.)

- Link HiSec to the HR and Research OUs.
- Configure password policies on a GPO linked to the domain.
- Link DefaultSec to the HQ_West OU.

You manage user accounts in the southsim.com domain. Each department is represented by an organizational unit (OU). Computer and user accounts for each department have been moved to their respective OUs. You want to control access to a new color printer named ColorMagic. To do this, you create the following groups:

- A domain local group named ColorMagic-DL
- A global group named Sales-GG

You want all users in the Sales department to have access to the new printer. What should you do? (Select three. Each choice is a required part of the solution.)

- On the Members Of tab for the Sales-GG group, add the ColorMagic-DL group.
- On the ColorMagic printer object, assign permissions to the ColorMagic-DL group.
- On the Members tab for the Sales-GG group, add all sales user accounts.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. Maria Hurd is going on a seven-week sabbatical and will not be into work during that time. Which of the following can you perform to secure her user account to prevent it from being used to access network resources while she is away? (Select two.)

- Set an account expiration time for the last day Maria will be in the office.
- Disable the user account.

You have installed the Microsoft FTP Server service on a Windows Server 2016 host that is a member of the WestSim.com domain. The properties of this service are shown in the exhibit. You want the FTP Server service to log on and run on the system as a virtual service account named FTPSVC. Which should you do? (Select two.)

- Specify a logon account of NT SERVICE\FTPSVC.
- Click the Log On tab in the properties of the Microsoft FTP Service.

You are the administrator of a network with a single Active Directory domain. The domain currently includes 75 user accounts. You have been asked to add 50 additional accounts. Your Human Resources manager has an existing database of employees that can be imported to Active Directory. You would like to use an automated method for data import if possible. What should you do? (Select two. Each choice is a complete solution.)

- Use the Ldifde.exe utility.
- Use the Csvde.exe utility.

You manage a Windows server that functions as your company's domain controller. You want to test a new network application in a lab environment prior to rolling it on to your production network. To make the test as realistic as possible, you want to export all Active Directory objects from your production domain controller and import them to a domain controller in the test environment. Which tools could you use to do this? (Select two. Each option is a complete solution.)

- csvde
- ldifde

You manage a Windows server that functions as your company's domain controller. Your organization was recently acquired by a larger organization, and the company name has changed as a result. You need to modify the Company property of each user account in Active Directory. Which tools could you use to make this change? (Select two. Each option is a complete solution.)

- dsmod
- ldifde

Which of the following do you need in order to install the Group Policy Management Tools? (Select three.)

- An Azure AD DS managed domain
- A server management VM that's joined to the managed domain
- An Azure Active Directory tenant

- Prevents settings in GPOs linked to parent objects from being applied to child objects.
- Causes computer settings to be reapplied after user login.
- Prevents inheritance from being blocked for a specific GPO.
- Causes computer settings to take precedence over user settings.

- Block Inheritance
- Loopback Processing
- Enforced
- Loopback Processing

You've just deployed a new Active Directory domain, as shown in the figure below. You now need to deploy Group Policy objects (GPOs) to apply configuration settings and enforce security policies. Click the container(s) to which a GPO can be applied.

- Corp
- Domain Controllers

When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to?

Domain Controllers OU

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. At 5:30 p.m., you get a call from Mary Hurd, a user in the sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information shown in the image. How can you make sure Mary can log in?

Enable Mary's account.

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom administrative template settings are not shown. What should you do?

Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.

The first step when delegating the right to create and link Group Policy Objects is to run the Delegation of Control Wizard at the domain or OU where the group should be able to link GPOs and then select Manage Group Policy links in the tasks to delegate. Which of the following is the second step?

Grant the user or group the rights to access the GPO container.

Which tool can be used to customize existing GPOs or to create custom GPOs?

Group Policy Management Editor

You have configured a new GPO. You use a scoping method to prevent it from applying to a specific user using a specific computer. Which tool can you use to see if your scoping method is successful?

Group Policy Results

Which of the following is true about Group Policy inheritance?

Group Policy settings are applied to all objects below the container where the GPO is linked.

When following best practices for delegating administrative authority, which of the following is the first step in the process?

Identifying administrative roles based on specific administrative function or job

You manage a network with a single Active Directory domain. Organizational Units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. You have hired a temporary worker named John Miller to work in the shipping department during the holidays. John should only be allowed to log on to the Ship01 workstation and no others. What should you do?

In John's user account, add Ship01 to the Log On To list.

You are the domain administrator for north.westsim.com, which is a child domain in westsim.com. You have a high-end color laser printer that is shared on a server in north.westsim.com. Because of the high price per page, you have removed the print permission from the Everyone group. You need to grant the print permissions to marketing users in the north.westsim.com, east.westsim.com, and west.westsim.com domains. What should you do?

In the North domain, create a Domain Local group called CLR-PRT. In all three domains, create a global group named Marketing. Add all three global groups to the North CLR-PRT group and assign the print permission to the group.

Which built-in local user account is a member of the local Administrators group?

Local System

What is the order of precedence for group policy processing?

Local group policy, Site policy, Domain policy, OU policy

Select the container in Active Directory where group-managed service accounts are created by default.

Managed Service Account

What is stored in a GPO container?

Metadata including the GPO version, when it was created, and how often the computer and user settings were modified.

You are the network administrator for your company. There is one main office and seven branch offices. You have been asked to create a script that can be used in the event of a disaster that destroys the entire network. The script must be able to recreate the company's Active Directory users, computers, and groups, as well as sites and subnet objects. Which command should you use in your script?

New-ADObject

You are working in PowerShell on a Windows Server 2016 domain controller. You need to create a group-managed service account that will be used by a new service that you will install later on the server. Which cmdlet should you use to do this?

New-ADServiceAccount

You are working in PowerShell on a Windows Server 2016 domain controller. You need to create a new group-managed service account to be used by a new application that will be installed later on the Windows 7 workstations that are members of the domain. The domain functional level is set to Windows Server 2008. Can you do this?

No. Group managed service accounts cannot be used by Windows operating systems prior to Windows 8.

You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the control panel for users. How can you prevent this Group Policy object from applying to members of the Domain Admins group?

On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group.

What is the key difference between a managed service account and a group-managed service account?

A managed service account can be used on only one computer in a domain.

Which of the following BEST describes ADUC?

A management console used for administering Active Directory objects.

Which of the following BEST describes a service account?

A special user account that an application or service uses to interact with the OS.

You are the administrator of a network with two Active Directory domains. Each domain currently includes 35 global groups and 75 domain local groups. You have been reading the Windows Server help files and have come to the conclusion that universal groups may be the answer to ease administrative management of these groups. You decide to incorporate universal groups. How can you make sure to not include changes to any group that will affect group member's assigned permissions?

Add global groups to universal groups and then add those to domain local groups.

You have created a group policy that prevents users in the accounting department from accessing records in a database that has confidential information. The group policy is configured to disable the search function for all users in the Accounting OU no matter which workstation is being used. After you configure and test the policy, you learn that several people in the Accounting OU have valid reasons for using the search function. These users are part of a security group named Managers. What can you do to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group?

Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.

Which of the following is one of the BEST benefits of a group managed service account over a basic domain user account used for a service?

Passwords are managed and reset automatically.

A white exclamation mark inside a blue circle indicates which of the following about a Group Policy?

Block inheritance

Which of the following best describes deprovisioning?

Removing access rights from a user account when the user leaves the organization.

You are the administrator of a small network. You have approximately 50 users who are served by a single Windows server. You are providing Active Directory, DNS, and DHCP with this server. Your clients all use Windows workstations. Last week, an employee quit. A replacement has been hired and will be starting next Monday. The new user will need to have access to everything the previous user had, including document files held in the Home folder. You need to set up an account for the new user with all the access required. What should you do?

Rename the existing account, changing the name fields to match the new employee.

Prior to installing Active Directory on your network, you set up a test network in your lab. You created several user accounts that correspond to actual network users. Now that your test is done, you'd like to move all user accounts from your test network to a new domain that you've just installed. You decide to use the Ldifde command to import the user accounts into the production domain. You want to set passwords for the new user accounts. How can you perform this task with the least amount of effort?

Run Ldifde to export the user accounts. Run Ldifde to import the user accounts. Edit the .ldif file to specify user account passwords. Run Ldifde to modify the existing accounts.

You are the network administrator. The network consists of a single Active Directory domain. All the servers run Windows Server 2016, and all the clients run Windows 10. Company policy requires all users in the domain to change their passwords every 30 days. An application named App1 uses a service account named App1Svc. Every 30 days, App1 fails. When the App1Svc account password is reset, the application works fine. You need to prevent App1 from failing in the future without compromising corporate security standards. What should you do?

Run the New-ADServiceAccount cmdlet.

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?

Security Options

Which of the following is true about local user accounts?

The local Security Accounts Manager manages the user account information.

The Delegation of Control Wizard allows you to delegate administrative tasks to other administrators or groups. Which of the following IT security principles are you covering by performing this task?

The principle of least privilege

Which of the following is true when working with the Delegation of Control Wizard?

The rights delegated at the OU level will flow to the child OUs.

Which of the following is true when using group managed service accounts?

There are no domain or forest functional level requirements for using group managed service accounts.

Delegating administrative authority means not only sharing administrative tasks with other users, but also which of the following?

Tightly controlling the permissions granted to each administrator.

You are the administrator of a network with a single Active Directory domain. You need to create 75 user accounts in the domain Users container. You have a list of new user accounts that include an IP telephone number. The user accounts are available via an export from your company's HR application in the form of a comma-delimited file. You want to create the new accounts as quickly and easily as possible. What is the easiest way to accomplish this task?

Use Csvde to import user accounts using the .csv file.

You are the security administrator for a large metropolitan school district. You are reviewing security standards with the network administrators for the high school. The school's computer center has workstations for anyone's use. All computers in the computer center are members of the Computer Center Computers global group. All workstations are currently located in the Computers container. The computer center computers have access to the internet so users can perform research. Any user who uses these computers should be able to run Internet Explorer only. Other computers in the high school should not be affected. To address this security concern, you create a Group Policy object (GPO) named Computer Center Security. How can you configure and apply this GPO to enforce the computer center's security?

Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only.

You are the administrator of a multi-domain Active Directory forest. You have a universal group called SalesExecs. This group has successfully been used as an email distribution group. Later, you try to assign the group permissions to a shared folder, but SalesExecs does not appear as a choice. What should you do?

Convert the SalesExecs group from a distribution group to a security group.

You are the administrator for ABC corporation. Your network has a single Active Directory domain called xyz.com. The Sales team has a shared folder on Srv1 that is used to hold sales contact information. You need to control access to this folder so that only members of the sales team can access the folder. You create a group called Sales and add all members of the Sales team as members of the group. However, when you try to assign permissions to the shared folder, the Sales group you created does not show in the list of available objects. You check the properties of the group and find the details shown in the image. What do you need to do to assign permissions to the sales team?

Convert the group to a security group.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. Mary Hurd is a manager in the sales department. Mary is a member of the Managers global group. This group also has members from other organizational units. The Managers group has been given the read share permission to the Reports shared folder. Mary's user account (mhurd) has also been given the change share permission to the Reports shared folder. You need to create several new user accounts that have the same group membership and permission settings as the mhurd user account. How can you complete this configuration with the least amount of effort?

Copy the mhurd user account. Assign the new account the change share permission to the Reports shared folder.

Your organization has been using an in-house custom-developed application. The team that developed that application created a Group Policy template in the form of an ADMX file, which you have used to assign necessary rights to a group of users who use the application. Another group of users now needs to have the same rights. This group belongs to an OU to which one of your assistants has full control management rights to. When your assistant tries to use the Group Policy template to assign rights to this group, she cannot find the template in Active Directory. What must you do to give your assistant access to this Group Policy template?

Create a central store on the SYSVOL share and copy the ADMX file into it.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for all company departments. Computer and user accounts have been moved into their corresponding department OUs. The CEO has requested the ability to send emails to managers and team leaders. He'd like to send a single email and have it automatically forwarded to all users in the list. Because the email list might change frequently, you do not want the email list to be used for assigning permissions. What should you do?

Create a distribution global group. For each user on the email list, make their user account a member of the group.

You are the domain administrator for a single domain forest. You have 10 file servers that are member servers running Windows Server. Your company has designed a top-level OU structure based on the 15 divisions for your company. Each division has a global security group containing the user accounts for division managers. You have folders on your file servers that all division managers should have permission to access. For some resources, all division managers will need full control. For others, they will only need read or change permissions. You need a group strategy that will facilitate the assignment of permissions but minimize administrative effort. What should you do?

Create a global group called AllMgrs. Make each of the existing division managers groups a member.

You are the administrator for a network with two domains, westsim.com and branch.westsim.com. User accounts for the Sales team are in both domains. You have a shared folder called Reports on the Sales1 server in the westsim.com domain. You also have a shared folder called Contacts on the Sales6 server in the branch.westsim.com domain. All Sales users need access to both shared folders. What do you need to do to implement a group strategy to provide access to the necessary resources?

Create a global group in each domain. Add users within each domain to the group. Create a universal group in westsim.com. Add the global groups from each domain to the universal group. Add the universal group to domain local groups in each domain. Assign permissions to the domain local groups.

You are the administrator for the westsim.com domain, which has five domain controllers running Windows Server. All user and computer accounts have been placed in the department OUs. Main offices are located in Orlando, with additional offices in Boston, New York, and Chicago. There are three departments within the company: sales, marketing, and accounting. Employees from each department are at each location. You want to appoint an employee in each department to help with changing passwords for users within their department. They should not be able to perform any other tasks. What should you do?

Use the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for their department OU.

A user account name combined with DNS domain name is which of the following name types?

User Principal Name

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes?

User Rights

You are the administrator of a network with a single Active Directory domain. Your domain contains three domain controllers and five member servers. Your security policy states that all accounts should be locked out after three unsuccessful login attempts and that accounts must be reset only by an administrator. A GPO enforces these settings. On Monday morning, you receive a call from the help desk. There are seven users who are unable to log in to the domain. Upon further investigation, you notice all seven accounts have been locked out. You need to unlock the user accounts with the least amount of administrative effort while complying with your security policy. What should you do next?

Using Active Directory Users and Computers, select Unlock Account for each account.

Which service provides filtering based on hardware and software characteristics such as CPU, memory, disk space, registry data, or application data?

Windows Management Interface (WMI) filtering

You are the administrator of a network with a single Active Directory domain. You would like to create a script the Help Desk support staff can use to create domain user accounts. The Help Desk staff will input various user account values, and these values will be used in the script. Which of the following commands should your script include?

dsadd

You are the administrator of a network with a single Active Directory domain. The domain includes a user account named Bob Smith. The network security group has asked you to provide a list of all the domain groups to which Bob Smith is a member. You would prefer to use a command line utility so that the output can be saved and printed. Which command should you use?

dsget

You are the network administrator for your company. Your company has three standalone servers that run Windows Server. All servers are located in a single location. You have decided to create a single Active Directory domain for your network. Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, your goal is to allow these users to maintain their responsibilities while not giving them more permissions than they need. Which of the following design plans will best meet your goals?

Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OUs.

You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree. Your company is organized with four primary departments: accounting, manufacturing, sales, and administration. Each area is autonomous and reports directly to the CEO. The managers in each department want to make sure that some management control of their users and resources remains in the department. Which of the following design plans will best meet these requirements?

Create an organizational unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.

Which command should you enter at the command line to directly access the local Group Policy snap-in?

gpedit

