Group Policy
You are a domain administrator for a single-domain network. The domain has several organizational units (OUs) representing each department in the organization. You have delegated complete administration for each OU to appropriate users in each department. You have made these users members of the Group Policy Creator Owners group. You create a Group Policy Object (GPO) named Corporate Desktop that configures the desktop environment for users in the company. You link the GPO to the domain. Later, you discover that some of the settings are not being applied to users in the Development department. How can you make sure that all settings in the Corporate Desktop GPO get applied to all users in the company?
Configure the Enforced option for the Corporate Desktop GPO
You manage a Windows domain in a dynamic network environment that requires frequent changes to your Group Policy settings.
Group Policy Remote Update Firewall Ports
You need to add Spanish language support for your administrative templates to a Windows Server 2012 R2 system.
.adml files
You need to add German language support for your administrative templates to a Windows Server 2012 R2 system.
.admx files
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You would like to define a granular password policy for these users. Which tool should you use?
ADSI Edit
As a part of your organization's security policy, you need to configure the following security settings for all users: • At least 15 unique passwords must be used before an old password can be reused. • Passwords must be changed after 30 days. • Passwords must be in effect for at least 1 day before they can be changed. • Passwords must be at least 10 characters long and contain both upper and lower case characters along with a number or symbol. You have decided to configure and test local security policies to meet these requirements and then import them into the appropriate domain GPOs. Click on the GPO security settings category where these policies are located.
Account Policies
As a part of your organization's security policy, you need to configure the following security settings for all users: • User accounts should be locked after 3 invalid logon attempts. • Locked accounts should stay locked for 15 minutes. • The account lockout counter should be reset after 1 minute. You have decided to configure and test local security policies to meet these requirements and then import them into the appropriate domain GPOs. Click on the GPO security category where these policies are located.
Account Policies
To meet the requirements of your organization's security policy, you have been instructed to implement GPOs that tightly control the software used on each domain user's workstation. The policies in the GPO must: • Allow users to run only the applications you specify. • Be applied to specific users or groups. • Apply to all existing, future, or previous versions of an application. All workstations involved run either Windows 7 or Windows 8. You have decided to configure and test local security policies to meet these requirements and then import them into the appropriate domain GPOs. Click on the GPO security setting category where these policies are located.
Application Control Policies
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use advanced auditing to track who performs these actions. You want to only monitor the necessary events and no others. What should you do? (Select two. Each choice is a required part of the solution.)
Audit successful system security state changes. Create a GPO to configure auditing. Link the GPO to the domain.
You need to add administrative templates for Microsoft Office products to a Window Server 2012 R2 server.
C:\Windows\PolicyDefinitions
You have enabled Group Policy caching in your domain. Using this feature, Group Policy settings are saved locally on each domain-joined host.
C:\Windows\System32\GroupPolicy\datastore
You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Shipping departments. User and computer accounts for each department are in their respective OU. At 5:30 pm, you get a call from Mary Hurd, a user in the Sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information show in in the image. You need to make sure Mary can log in. What should you do? (Select two. Each answer is a possible solution.)
Change the log on hours to extend past 530 pm Unlock Mary's account
You are in charge of managing several servers. Your company requires many custom firewall rules in Windows Firewall with Advanced Security. What should you do? Configure each computer individually. Use Secedit.exe to import a custom security policy. Create a PowerShell script that applies the firewall setting each time a server boots. Apply this script to all applicable servers. Configure firewall settings in Group Policy. Apply the GPO so that it applies to all applicable servers.
Configure firewall settings in Group Policy. Apply the GPO so that it applies to all applicable servers.
You are the network administrator for eastsim.com. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany.
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.
You want to create a central store for the administrative templates on a Windows Server 2012 R2 domain controller.
Copy the local .admx and .adml files to C:\Windows\SYSVOL\domain_name\Policies\PolicyDefinitions
You are the administrator for the widgets.com domain. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs.
Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs.
You are the network administrator for your company. Your company has three standalone servers that run Windows Server 2012 R2. All servers are located in a single location. You have decided to create a single Active Directory domain for your network. Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department.
Create a organizational unit structure where each department has its own OU. Use the delegation of Control wizard to grant each computer support user appropriate permission to their department OUs.
Your company has just decided to upgrade from an older non-directory-based server operating system to Windows Server 2012 R2.
Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.
You are the administrator for the widgets.com domain. Organizational Units have been created for each company department. User and accounts for each department have been moved into their respective departmental OUs. As part of your security plan, you ahve analyzed the use of Internet Explorer in your organization.
Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. there is a main office located in New York and a branch office located in Los Angeles. You have been directed to set up wireless access for clients in the New York office. You create a new Group Policy Object (GPO) that specifies the wireless network settings for the New York office and link it to the New York site. Users from the Los Angeles office complain that when they travel to New York they are unable to connect to the wireless network in New York. Your need to enable the traveling users to connect to the wireless network. What should you do?
Direct the visiting users to first connect to the New York network using a wired connection to receive the wireless network settings.
To speed up the boot process for hosts in your domain, you want to reconfigure Group Policy processing so that computers download the latest version of your policies and store them locally.
Enable Group Policy Caching for Servers
You manage a network with a single domain. Organizational units (OUs) have been created for each department. User and computer accounts for each department have been placed in their corresponding OU. The network has three locations: Portland, Denver, and Phoenix. The Denver location is connected to Portland with a 1 Mbps WAN link. The Phoenix location is connected to Portland with a 256 Kbps WAN link. You want to implement a software installation policy to install an application for all members of the Accounting team. The application should be added to the Add/Remove Programs list, and should be installed only when a user manually adds it. The application should not be installed across the WAN links to the Denver and Phoenix locations. What should you do? (Select two. Each choice is a required part of the solution.) In a GPO linked to the Accounting OU, assign the software to users. Enable the Group Policy slow link detection policy and configure it with a value of 1024. Enable the Group Policy slow link detection policy and configure it with a value of 0. In a GPO linked to the Accounting OU, assign the software to computers. In a GPO linked to the Accounting OU, publish the software to users. Enable the Group Policy slow link detection policy and configure it with a value of 500.
Enable the Group Policy slow link detection policy and configure it with a value of 1024. In a GPO linked to the Accounting OU, publish the software to users.
As a result of a recent security audit, you have made several critical changes to your domain's security configuration in Group Policy.
Group Policy Update...
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
Implement a granular password policy for the users in the Directors OU
You manage the network for the eastsim.com domain. You want to take a backup of GPO and starter GPOs.
In Group Policy Management, back up all GPOs. Back up all starter GPOs separately.
You are the administrator of the westsim.com Active Directory domain. You delegate administration of the Sales OU and Research OU to other administrators. You want to prevent the administrators of those OUs from creating any other Group Policy objects with settings that conflict with those you have configured for the domain. What should you do?
In Group Policy objects linked to the westsim.com domain, set the Enforced option.
You are the administrator for the westsim.com domain. You have created a GPO named AccountingGPO and linked it to the Accounting OU.
In the Group Policy Management console, add the user to the Delegation tab for the GPO.
You are the network Administrator for eastsim.com . The network consists of one Active Directory domain. All the servers run Windows Server 2012 R2. All of the clients still run Windows Vista. The domain functional level of the domain is set to Windows Server 2008.
Install the client-side extensions (CSEs) on all of the client computers.
Your organization's security policy dictates that the security level of the Local Intranet and Trusted Sites zones in Internet Explorer be set to Medium-High on all user workstations. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to make the change.
Internet Settings
As a result of a recent security audit, you have made several critical changes to your domain's security configuration using Group Policy. You need these changes to be applied immediately. Which PowerShell cmdlet should you use to do this form your Windoes Server 2012 R2 domain controller?
Invoke-GPUpdate
Your network consists of a single Active Directory domain. You also want to ensure that all client computers have strong password policies applied, and that an administrator is required to unlock locked user accounts for the Research and Human Resources departments.
Link DefaultSec to the HQ_West OU Configure password policies on a GPO linked to the domain Link HiSec to the HR and Research OUs
You are the server administrator for your network. Recently, the system time on several servers has been modified. You want to find out who has been making the change. You enable the Audit Security State Change audit policy. After several days, you decide to check to see if any events have been logged. You want to view only those events that related to auditing that might indicate someone had changed the system time. What should you do?
Look in the Security log. Filter to look for successful audit events.
You are consulting with the owner of a small network which has a Windows Server 2012 R2 functioning as a workgroup server. There are six client desktop computers, each of which is running Windows 2007. There is no Internet connectivity. The owner of the company has heard of a case where the owner of a network was found legally liable for misuse of the corporate computers, because insufficient care was taken to prevent unauthorized access. The server contains possibly sensitive information and due care needs to be taken to ensure that no unauthorized access occurs. Specifically, the owner of the company wants you to configure auditing so that access to sensitive files can be tracked. You need to check and ensure that the files generate audit results. What should you do?
Make sure the Audit File System policy is configured for success and failure. Make sure the correct users and groups are listed in the File System policy. Make sure the files to be audited are on NTFS partitions.
You are the administrator for the westsim.com domain. In Group Policy, you have created a GPO linked to the domain that sets domain-wide settings. Additional GPOs linked to each OU configure department-specific settings. You want to allow user Julia Chow to create GPOs and manage settings in all GPOs.
Make the user a member of the Group Policy Creator Owners group. In the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects container.
You want to configure your Kerberos policies so that users' ticket-granting ticket (TGT) may be used for a maximum of 9 hours. For a user to continue using a resource after the time expires, the TGT must be renewed or a new one requested. Click the Kerberos Group Policy you would enable
Maximum lifetime for user ticket
To reduce your network's exposure to replay attacks, you want to configure your Kerberos policies so that the time on your domain-joined hosts must be within 3 minutes of the time on the domain controller providing Kerberos authentication. Click the Kerberos Group Policy setting you would use to enable this configuration.
Maximum tolerance for computer clock synchronization
Outside Sales employees in your organization se a VPN connection to access your internal network while traveling to customer sites.
Network Options
You are the Administrator for a network with a single active directory domain named widgets.local . The widgets.local domain has an Organizational Unit object for each major department in the company, including the Information Systems department.
On the Group Policy object's access control list, deny the Apply Group Policy permission for members of the Domain Admins group.
You are the desktop administrator for your company. You manage a group of windows 8 Professional computers used by a part-time sales staff.
Redirect each part-time sales employee's Documents folder to a folder on a network share.
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to the C:\Shares shared folder on a Windows Server 2012 system named FS2. The server is a member of the eastsim.com domain. You configured Basic redirection to redirect all users' local Documents folder to C:\Shares on the server. However, after applying the policy, you find that shared folder on the server remains empty. Click on the setting in the folder redirection policy for Documents that is configured incorrectly.
Root Path: C:\Shares
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8.
Run the dcgpofix /target:dc command on a domain controller.
You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. You want to use an advanced audit policy to accomplish this. What should you do? (Choose two. Both selections are part of the complete solution.)
Select Failure for Audit File System. Enable File system; then configure the security principles and types of access you want to audit.
You are the network administrator for your network. Your network consists of a single Active Directory domain. All servers run Windows Server 2012. Your company recently mandated the following user account criteria: • User accounts must be deactivated after three unsuccessful logon attempts. • User account passwords must be at least 12 characters long. • User accounts must be manually reset by an administrator once they are locked out. You must make the changes to affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Choose three. Each correct choice represents part of the solution.)
Set Account lockout threshold to 3. Set Account lockout duration to 0. Set Minimum password length to 12.
on all workstations to a Windows Server 2012 system named FS3. The server is a member of the eastsim.com domain. You want each user's Documents folder redirected to their home directory. Click on the settings in the folder redirection policy for Documents that you must configure to accomplish this.
Setting drop down Target folder location
Your organization's security policy dictates that the security level for the Local Intranet and Trusted Sites zones in Internet Explorer be set to Medium-High on all user workstations.
The preference can be applied to specific systems based on criteria you specify. This preference is not available in local Group Policy.
The desktop workstations you recently purchased for the employees in your organization's Denver office came with two network boards installed: -A RealTek PCIe Fast Ethernet interface integrated into the motherboard. -A Broadcom NetXtreme 57xx Gigabit Ethernet interface installed in a motherboard slot.
The preference will be applied but not enforced.
Your network has a single Active Directory forest with two domains: eastsim.private and HQ.eastsim.private. You are in the process of designing Group Policy for the network. -You create a GPO called AutoEnroll that automatically enrolls user certificates.
eastsim.private: AutoEnroll GPO HQ.eastsim.prvate: AutoEnroll GPO /./ CustomAPP GPO Accounting: MyDoc Redirect GPO /./ No Override Marketing: (leave blank) Sales: (leave blank)
Your network has a single Active Directory forest with two domains: eastsim.private and HQ.eastsim.private. You are in the process of designing Group Policy for the network. You want to accomplish the following goals: -You want to enforce strong passwords throughout the entire forest for all computers.
eastsim.private: Password Settings HQ.eastsim.private: Password Settings Accounting: Accounting App Marketing: Desktop Settings Sales: Desktop Settings
You are the administrator for a domain named widgets.local. You have created a Group Policy object (GPO) named Deploy Virus Detection, configured it to assign virus detection software to all computers in the domain, and linked the GPO to the widgets.local domain. The virus detection software is installed using a Windows Installer (.msi) file that has all installation data integrated into it. You now want to update the virus detection software on all computers. You do not want this update to be optional. What should you do? (Select two. Each choice is a required part of the solution.) Assign a new software package to computers in the domain. Configure the new software package to upgrade over the existing virus detection software. Copy the updated virus signature file to the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO. Update the Windows Installer (.msi) file in the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO. Publish a new software package to users in the domain. Configure the new software package to upgrade over the existing virus detection software.
Assign a new software package to computers in the domain. Configure the new software package to upgrade over the existing virus detection software. Update the Windows Installer (.msi) file in the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO.
You manage a single domain named widgets.com. Recently, you notice that there have been several unusual changes to objects in the Sales OU. You would like to use advanced auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
Directory Service Changes
You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for each department, with all user accounts being moved into their departmental OUs.
Edit the ACL for the OU and remove the unnecessary permissions.
You are the administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. eastsim.com has one main site. There are two domain controllers named DC1 and DC2, which also provide DNS services to clients. There is a single Active Directory Integrated zone named eastsim.com. After users complain that they are unable to reach an application server in the main site, you determine that the record for the server has been deleted from the zone. You recreate the missing record. You need to ensure that if the record disappears again you can identify the cause of the deletion. Your solution must minimize the impact on servers not hosting the DNS role.
Enable Audit Directory Service Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
You are the network administrator for southsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012. All the clients run Windows 8. The current password policy requires complex passwords of at least 8 characters. These passwords expire every 90 days. southsim.com has obtained a contract with the United States Government. The contract requires that all engineers that work on the project have complex passwords with at least 14 characters that expire every 30 days. Management does not wish to change the password requirements for users who are not working on the new project. You need to ensure that the password requirements for the engineers working on the new project are enforced without affecting other users. What should you do?
Go to System \Password Settings Container in the Active Directory Administrative Center to create a new fine-grained password policy.
You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its Security event log. You want to use an advanced audit policy to accomplish this. What should you do?
Select failure for audit logon
You have decided to redirect the contents of the local Document folder for all domain users on all workstations to a Windows Server 2012 system named FS3.
Settings: Basic - Redirect everyone's folder to the same location
You are the administrator for WestSim Corporation. The network has a single domain, westsim.com. Five domain controllers, all running Windows 2008 server, are located on the network.
Use the delegation of control wizard. Grant each user administrator permission to modify passwords for their department OU.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users: TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or access computers through a network connection. Which GPO category would you edit to make the necessary changes? Account Policies Restricted Groups User Rights Security Options
User Rights
You are the administrator of a network with a single Active Directory domain. Your domain contains three domain controllers and five member servers. Your security policy states that all accounts should be locked out after three unsuccessful logon attempts, and that accounts must be reset only by an administrator. A GPO enforces these settings. You receive a call Monday morning from the Help Desk. There are seven users who are unable to log in to the domain. Upon further investigation, you notice all seven accounts have been locked-out. You need to unlock the user accounts with the least amount of administrative effort while complying with your security policy. What should you do next?
Using Active Directory Users and Computers, select Unlock Account for each account
You are the administrator for WestSim Corporation. The network has a single domain, westsim.com, running at Windows Server 2008 functional level.
Enable loopback processing in the SKUWare GPO
You are deploying two new applications to users in the company as follows: All computers should have Microsoft Word installed. All users in the Accounting department should have Microsoft Access installed. For other users in the company, you want to allow them to install Microsoft Access if desired by using the Add/Remove Programs applet in the Control Panel. Each department has its own organizational unit. How should you deploy these applications? (Select all that apply.) Assign Microsoft Access in a GPO linked to the Accounting OU. Publish Microsoft Access in a GPO linked to the domain. Assign Microsoft Word in a GPO linked to the domain. Assign Microsoft Word in a GPO linked to each department's OU. Assign Microsoft Access in a GPO linked to the domain. Publish Microsoft Word in a GPO linked to the domain.
Assign Microsoft Access in a GPO linked to the Accounting OU. Publish Microsoft Access in a GPO linked to the domain. Assign Microsoft Word in a GPO linked to the domain.
You administer a network with two Windows Server 2012 R2 servers and 70 Windows 7 computers. The network has a single domain, with OUs for each department. User and computer objects have been moved to their corresponding departmental OU. You create a Group Policy object (GPO) that deploys service packs. You want the service pack to be installed automatically to all client computers when the computer reboots. You edit a Group Policy object associated with the Marketing OU and assign the software package to all users. As a test, you reboot a computer. You find that the service pack has not been installed. What should you do? Assign the software package to all computers. Run the secedit /refreshpolicy user_policy command at the workstation. Publish the software package to all computers. Run the secedit /refreshpolicy machine_policy command at the workstation.
Assign the software package to all computers
You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice the Account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy. What should you do next?
Configure the Account lockout duration to 0
You are the administrator of a single-domain network. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want to install this application to all computers in the Sales OU. You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and link the GPO to the Sales OU. Although the shortcut appears in the Start menu for Sales users, the application is not installed until users click the shortcut. You want the GPO to install the application completely. What should you do? Add users in the Sales OU to the Deploy Software GPO's access control list, and grant them Read and Apply Group Policy permissions. Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO. Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located. Configure the Deploy Software GPO to publish rather than assign the ContactTrack software. Link the GPO to the domain rather than to the Sales OU.
Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.
You are the network administrator for a network with a single Active Directory domain. The domain's functional level is Windows Server 2003. Users are divided into OUs named Sales, Accounting, and Management. You are using Group Policy software distribution for all corporate applications. A sales application is deployed as user assigned in a GPO named Sales Applications that is linked to the Sales OU. Mary Hurd has been transferred to the Sales department to the Accounting department. You move the corresponding user account from the Sales Cu to the Accounting OU. After logging on to a new computer in the Accounting department, Mary reports that the sales application is still being applied. You do not want the sales application to be applied to the user. What should you do? Remove the sales application software package from the Sales Applications GPO and select the Immediately uninstall the software from users and computers option. Enable the Block Policy inheritance option for the Accounting OU. Reconfigure the sales application software package in the Sales Applications GPO to be published rather than assigned. Configure the Uninstall this application when it falls out of the scope of management option for the sales application software package.
Configure the Uninstall this application when it falls out of the scope of management option for the sales application software package.
You are the network administrator for the westsim.com domain. All client computers are running Windows 8 and all servers are running Windows Server 2008 R2 or Windows Server 2012 R2. Organizational Units (OUs) have been created for each department, and user and computer accounts have been moved into the department OUs. You have recently configured a Windows Server Update Services (WSUS) infrastructure on the network. All client computers are configured to download updates from your internal WSUS server. You have just received notification that the accounting software has a new update. The update is critical and must be deployed as quickly as possible to all computers in the accounting department. What should you do? On the WSUS server, approve the update. Use client-side targeting to apply the update to the accounting computers. Create a GPO linked to the Accounting OU. Publish the .msi file included with the update to computers. Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers. Create a GPO linked to the domain. Create a custom script that runs the update file. Use WMI filtering to apply the GPO to the accounting computers.
Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8. The computer objects for all of the file servers in the company have been placed into an organizational unit named FileServers. Human Resources has received a complaint that a user has been accessing secured material on the company's file servers. They have requested a list of all files accessed by this user on any file server in the company during the next two weeks. You must provide this information using the least amount of administrative effort.
Create a new group policy object and link it to the FileServers organizational unit. Enable Global Object Access Auditing for the File System and specify the user's account in the Auditing tab.
You are the network administrator for westsim.com. The network consists of one Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You need to identify attempts by users to log on after their accounts have been locked out. Yoursolution should identify attempts made on any client computer in the domain. You must use the least amount of administrative effort. What should you do?
Create a new group policy object. In the Advanced Audit Policy Configuration, enable Audit Account Lockout.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs.
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.
You are the network administrator of a small network consisting of three Windwos Server 2012 R2 computers, 50 Windows 7 professional workstations, and 100 Windows 8 workstations. Your network has a password policy in place with the following settings:
Enable the Minimum password age setting Enable the password must meet complexity requirements.
You manage Group Policy for the westsim.com. You have set up a lab with a separate forest named westsim.test.
Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from the backup.
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2012 R2 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. You want to be able to check each server's log for the events. What should you do? (Choose two. Each choice is a required part of the solution.)
Link the GPO to the Member Servers OU. Enable the logging of Logon events
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to the C:\Shares shared folder on a Windows Server 2012 system named FS1.
Move the contents of Documents to the new location. Redirect the folder back to the local userprofile location when policy is removed.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?
Security Options
You are the network administrator for your company. Your company uses Windows 8 as its desktop operating system. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's security group membership in a computer's local database. You want to create a policy that meets these requirements. What should you do?
Select Failure for Security Group Management.
Susan is the administrator for a Windows 2012 domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). She wants to configure password and account lockout policies that Active Directory domain controllers will enforce. She has created a Group Policy object with the settings she wants to apply. Most of the domain controllers are located in the Domain Controllers OU, although she has moved some domain controllers to a sub OU called Secure Domain Controllers. Where should Susan link the Group Policy object that she has created?
The internal.widgets.com domain
As a part of your organization's security policy, you have been instructed to lock down all workstations by restricting remote access via Remote Desktop Services to specific users and groups. You have decided to configure and test local security policies to meet this requirement and then import them into the appropriate domain GPOs. Click on the GPO security setting category where the required policies are located.
User Rights Assignment
You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for each department. You want to give the TWhite user account the ability to link and unlink GPOs on the Sales OU. You want to assign the least amount of permissions as possible. What should you do?
Run the Delegation of Control wizard
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer. He would like his account to have even more strict password policies than is required for other members of the Directors OU. What should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
Create a granular password policy. Apply the policy to all users in the Directors OU
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
Create a granular password policy. Create a global security group. Apply the policy to the group. Add all users in the Directors OU to the group.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8. The manager of the Sales business unit informs you that critical files have been inappropriately modified. You need to determine who has modified the files and what permissions have allowed them to do so. What should you do?
Create a new group policy object and link it to the organizational unit that contains the computer account of the file server. Enable the Audit File System and Audit Handle Manipulation policies in the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify the Everyone group.
Your company has just purchased 120 licenses for a new application that will be used by all users. It is up to you to test and deploy the application as simply as possible. You decide to use a Group Policy object (GPO) to roll out the new application using the Windows Installer functionality. You create a software distribution point named Apps on the Serverl server and grant Read and Execute permissions to all users who will install the software. You then create a Group Policy object and edit the software installation properties under the User Configuration node. You configure the following properties: Default package location: C:\apps When adding new packages to user settings: Display the Deploy Software dialog box Installation user interface options: Maximum Uninstall the applications when they fall out of the scope of management: Enabled You create a software distribution package based on the above settings that assigns the appropriate Windows Installer package. However, when you test the package, Windows Installer doesn't execute and install the software. You need to find out why and make the appropriate changes. What should you do? Grant the Full Control permission to all users who will use the software distribution point. Change the Installation user interface options setting to Basic. Disable the Uninstall the applications when they fall out of the scope of management option. Change the Default package location setting to \\Server1\Apps\. Delete and recreate the software distribution package.
Change the Default package location setting to \\Server1\Apps\. Delete and recreate the software distribution package.
You are the administrator of a single-domain network. All servers in the domain run Windows Server 2008 R2 or Windows Server 2012 R2. All client computers run Windows 8. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want all Sales users to have a shortcut to the ContactTrack application in their Start menu. The first time they click the shortcut, you want the ContactTrack application to be installed. You create a GPO named Deploy Software, configure it to publish the ContactTrack application to users, and link the GPO to the Sales OU. You soon discover that the shortcut does not appear in any user's Start menu. What should you do? Configure the Deploy Software GPO to assign rather than publish the ContactTrack software. Link the GPO to the domain rather than to the Sales OU. Add users in the Sales OU to the Deploy Software GPO's access control list, and grant them Read and Apply Group Policy permissions. Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located. Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.
Configure the Deploy Software GPO to assign rather than publish the ContractTrack software
You are the administrator of a single-domain network. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want this application to be available in the Add/ Remove Programs applet of all computers in the Sales OU. You do not want a shortcut to the program to appear on users' Start menu. You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and link the GPO to the Sales OU. However, after doing so, the shortcut appears in the Start menu for all Sales users. What should you do to prevent the shortcut from appearing? Configure the Deploy Software GPO to publish rather than assign the ContactTrack software. Deny all sales users the Write permission to the Start Menu folder. Add users in the Sales OU to the Deploy Software GPO's access control list, and grant them Read and Apply Group Policy permissions. Link the GPO to the domain rather than to the Sales DU. Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located. Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.
Configure the Deploy Software GPO to publish rather than assign the ContactTrack software.
You are responsible for all application installations on your network. You are also responsible for applying all service packs, hot fixes, and application upgrades. Presently, you need to upgrade an application that has been deployed using a GPO and the Windows Installer process. Before the installation of the upgrade, you must uninstall the previous version of the application. What should you do? Manually uninstall the previous version, then use the GPO to perform the upgrade. Use the GPO to remove the previous version, then manually install the upgrade. Manually uninstall the previous version, then manually install the upgrade. Configure the GPO to remove the software when it falls outside of the scope of management. Delete the current GPO and create a new one that installs the updated version. Configure the GPO to uninstall the previous version before it installs the new upgrade.
Configure the GPO to uninstall the previous version before it installs the new upgrade
You are the network administrator of a very large network. There are approximately 50 servers in the organization that all require the latest Microsoft service pack. You have acquired an MSI package that installs the latest service pack. All servers are located in an Active Directory OU called Servers. How should you deploy the service pack to all of the servers using the least administrative effort? (Select two. Each choice is a required part of the solution.) Create a Group Policy Object and link it to the Servers OU. Assign the MSI package using Computer Configuration. Configure a startup script for the installation. Assign it using Computer Configuration. Configure a startup script for the installation. Assign it using User Configuration. Create a Group Policy Object and link it at the Domain level. Assign the MSI package using User Configuration.
Create a Group Policy Object and link it to the Servers OU. Assign the MSI package using Computer Configuration.
Your company has just purchased 120 licenses for an application that will be used by all company users. You must test and deploy the application as simply as possible. You decide to use a Group Policy object (GPO) to deploy the new application using the Windows Installer functionality. You create a software distribution point named Apps on the Server1. You then create a Group Policy object and edit the software installation properties under the User Configuration node. You configure the following properties: Default package location: \\Server1\Apps\ When adding new packages to user settings: Display the Deploy Software dialog box Installation user interface options: Maximum Uninstall the applications when they fall out of the scope of management: Enabled You create a software distribution package based on the above settings that assigns the appropriate Windows Installer package. However, when you test the package, Windows Installer never executes and installs the package. You need to find out why and make the appropriate changes. What should you do? Change the Installation user interface options setting to Basic. Change the Default package location setting to C:\Server1\Apps\. Then delete and recreate the software distribution package. Disable the Uninstall the applications when they fall out of the scope of management option. Grant the Read and Execute permission to all users who will use the software distribution point.
Grant the Read and Execute permission to all users who will use the software distribution point.
You manage a network with a single domain. Organizational units (OUs) have been created for each department. User and computer accounts for each department have been placed in their corresponding OU. The network has three locations: Portland, Denver, and Phoenix. The Denver location is connected to Portland with a 1 Mbps WAN link. The Phoenix location is connected to Portland with a 256 Kbps WAN link. You want to implement a software installation policy to install an application on all computers in the Sales department. The application should be installed automatically, and should be on the computer regardless of which user is logged on. The application should be installed, even across slow WAN links. User profiles should not be applied across slow links. What should you do? (Select two. Each choice is a required part of the solution.) In a GPO linked to the Sales OU, publish the software to users. Enable the Group Policy slow link detection policy and configure it with a value of 1024. In a GPO linked to the Sales OU, assign the software to computers. Enable the Group Policy slow link detection policy and configure it with a value of 0. Enable the Software Installation policy processing policy and select Allow processing across a slow network connection. In a GPO linked to the Sales OU, assign the software to users.
In a GPO linked to the Sales OU, assign the software to computers. Enable the Software Installation policy processing policy and select Allow processing across a slow network connection.
