CNA 234 | Ch.2, Managing OUs


dsget

Command that displays an object's properties onscreen. Output can optionally be redirected to a file.

dsquery

Command that finds and displays objects in Active Directory that meet specified criteria.

dsmod

Command that modifies existing Active Directory objects.

dsmove

Command that moves objects in a domain to another folder or OU; it can also be used to rename an object.

dsrm

Command to remove or delete objects from Active Directory.

djoin.exe

Command used to perform an offline domain join.

False. ldifde is the more powerful command because of this.

True or False? csvde is a more powerful command than ldifde because of its capability to modify Active Directory objects.

Piping

Sending the output of one command as input to another command.

Logon name

What is the only absolutely required field for a valid user?

AGGUDLP

What mnemonic device should be used in multi-domain environments?

AGDLP

What mnemonic device should be used in single-domain environments?

header

A CSV file requires a ________ record, which normally includes at minimum the distinguished name, the SAM account name, the UPN, and the object class attribute.

Active Directory Administrative Center (ADAC)

A GUI tool for managing Active Directory objects and accounts that is built on top of Windows PowerShell.

Active Directory Users and Computers (ADUC)

A GUI tool for managing Active Directory objects and accounts.

ldifde

A command that can import or export Active Directory data in bulk and uses LDAP Directory Interchange Format.

csvde

A command that can import or export Active Directory data in bulk and uses comma-separated values (CSV).

dsadd

A command that's used mainly for adding account objects but can also be used to create OUs and contacts.

security levels

A current trend is designing OUs based on grouping users and resources according to their _________________.

Security Accounts Manager (SAM) database

A database on domain member and workgroup computers that holds the users and groups defined on the local computer.

C. Authenticated Users

A domain user logging on to the domain becomes a member of which special identity group? A. Creator Owner B. System C. Authenticated Users D. Anonymous Logon

Offline domain join

A feature that allows a running computer or offline virtual disk to join a domain without contacting a domain controller.

Universal group membership caching

A feature that stores universal group membership information retrieved from a global catalog server.

blob file

A file with metadata that's used with the djoin.exe command on the computer that's being joined.

System access control list (SACL)

A form of Access Control List used for establishing system-wide security policies for actions such as logging or auditing resource access.

Local group

A group created in the local SAM database on a member server or workstation or a stand-alone computer.

Universal group

A group scope that can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest.

Domain local group

A group scope that's the main security principal recommended for assigning rights and permissions to domain resources.

Global group

A group scope used to group users from the same domain with similar access or rights requirements.

Distribution group

A group type used when you want to group users together, mainly for sending emails to several people at once with an Active Directory-integrated email application.

Special identity groups

A group whose membership is controlled dynamically by Windows and doesn't appear as an object in Active Directory Users and Computers or Active Directory Administrative Center.

Batch file

A text file that's used to enter a command or series of commands normally typed at the command prompt.

User template

A user account that's copied to create users with common attributes.

InetOrgPerson

A user and contact class defined in Active Directory for LDAP compatibility that has three more predefined tasks that can be delegated than normal.

C. Reset the computer account, remove the computer from the domain, and rejoin it to the domain.

A user is having trouble signing in to the domain from a computer that has been out of service for several months, and nobody else can seem to sign in from the computer. What should you try first to solve the problem? A. Reinstall Windows on the workstation and create a new computer account in the domain. B. Rename the computer and create a new computer account with the new name. C. Reset the computer account, remove the computer from the domain, and rejoin it to the domain. D. Disable the computer account, remove the computer from the domain, and rejoin it to the domain.

LostandFound

Advanced feature folder that contains objects created at the same time as their container is deleted.

Program Data

Advanced feature folder that is initially empty but is available to store application-specific objects.

NTDS Quotas

Advanced feature folder that stores NT Directory Services (NTDS) quota information that limits the number of Active Directory objects a user, group, computer, or service can create.

TPM Devices

Advanced feature folder that stores Trusted Platform Module (TPM) information about Windows 8 and later computer accounts.

System

Advanced feature folder used by Windows system services that are integrated with Active Directory.

whoami /groups

All group memberships, including current membership in special identity groups, can be viewed by entering what command prompt command?

Contact

An Active Directory object that usually represents a person for informational purposes only.

security descriptor

An Active Directory object's security settings are composed of three components, collectively referred to as the object's _____________.

A. Domain Admins is the owner of the QandA OU.

An account named SrAdmin created an OU named QandA under the Operations OU. Which of the following is true by default? A. Domain Admins is the owner of the QandA OU. B. SrAdmin is the owner of the QandA OU and all objects created inside it. C. SrAdmin has all standard permissions except Full control for the QandA OU. D. The Everyone group has Read permission to the QandA OU.

Discretionary access control list (DACL)

An internal list attached to an object in Active Directory that specifies which users and groups can access the object and what kinds of operations they can perform.

Add workstations to domain

By default, the Authenticated Users group is granted the ________________ right, which allows a user to join computers to the domain and create up to 10 computer accounts in the domain.

Group scope

Determines the reach of a group's application in a domain or a forest.

Every 30 days

Computer accounts have their passwords changed automatically by Windows OS how often?

C. Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again.

Jane has left the company. Her user account is a member of several groups and has permissions and rights to a number of forest-wide resources. Jane's replacement will arrive in a couple of weeks and needs access to the same resources. What's the best course of action? A. Find all groups Jane is a member of and make a note of them. Delete Jane's user account and create a new account for the new employee. Add the new account to all the groups Jane was a member of. B. Copy Jane's user account and give the copy another name. C. Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again. D. Export Jane's account and then import it when the new employee arrives. Rename the account and assign it a new password.

Object, Security, Attribute Editor

List two of the three new tabs that appear in the Properties dialog boxes of domains, folders, and OUs after Advanced Features has been enabled. (Name two)

Underscore (_)

What should be added to the beginning of a template account's name, to ensure it's easily recognizable as a template?

B. Specify which computers Tom can sign in to in the domain by using the "Log On To" option in his account's properties.

Over the past several months, Tom, who has access to sensitive company information, has signed in to computers in other departments and left them without signing out. You have discussed the matter with him, but the problem continues to occur. You're concerned that someone could access these sensitive resources easily. What's the best way to solve this problem? A. Ensure that all computers Tom is signing in to have screen savers set to lock the computer after 15 minutes of inactivity. B. Specify which computers Tom can sign in to in the domain by using the "Log On To" option in his account's properties. C. Move Tom's account and computer to another domain, thereby making it impossible for him to sign in to computers that are members of different domains. D. Disable local logon for Tom's account on all computers except Tom's.

Remove-Computer

PowerShell command used to remove a computer from a domain.

False. The authentication process is performed later on when the computer communicates with the DC for the first time.

True or False? Using offline domain join nullifies the need to authenticate joining devices to the DC.

csvde, ldifde

The _____ and ______ commands can import or export Active Directory data in bulk; the difference between them is mainly the format of files they use.

redircmp.exe

The default location for computer accounts that are created automatically when they join the domain can be altered by using the __________ command-line prompt.

Well-known groups

What is the alternate name for special identity groups?

Security Group

The main Active Directory object administrators use to manage network resource access and grant rights to users.

Delegation of control

The process by which a user with higher security privileges assigns authority to perform certain tasks to a user with less security privileges.

Group nesting

The process of making one group a member of another group.

Group type

The property that needs to be changed if you want to switch a security group to a distribution group, or vice versa.

Downlevel user logon name

The user logon name field defined in a user account object that's used for backward-compatibility with OSs and applications that don't recognize the UPN format.

True

True or False? Metadata created with the djoin.exe command contains very sensitive information, such as the computer account password and the domain's security ID. Precautions should be taken when transferring this file.

20

What is the maximum number of characters for a user account?

True

True or False? A global group can be made a member of a domain local group in any domain in the forest or trusted domains in other forests.

False. The difference being that they can't be deleted.

True or False? Built-in accounts have the exact same qualities as regular local or domain accounts.

True

True or False? Delegation of control of an OU is not an all-or-nothing proposition. Specific tasks can be assigned to a user to be performed on objects in an OU, or tasks can even be delegated to different users and groups.

True

True or False? Local user accounts are mainly used in a peer-to-peer network where Active Directory isn't running.

domain user accounts

User accounts created in Active Directory are referred to as ___________________.

Full control

Users with this control can perform all actions granted by the other four permissions, plus change permissions and take ownership of the object.

Write

Users with this permission can change an object's attributes.

Create all child objects

Users with this permission can create new child objects in the parent object.

Delete all child objects

Users with this permission can delete child objects in the parent object.

Read

Users with this permission can view objects and their attributes and permissions.

Set-ADAccountPassword TestUser3 -Reset

What PowerShell command would you issue to reset TestUser3's password?

Security and Distribution

What are the two group types?

domain local, global, and universal

What are three group scope options available in a Windows forest?

C. The group remains in the DACL, but the ACE has no effect on members' access to the resource

What happens if a security group that's an ACE in a shared folder is converted to a distribution group? A. A security group can't be converted to a distribution group if it has already been assigned permissions. B. The group is removed from the DACL automatically. C. The group remains in the DACL, but the ACE has no effect on members' access to the resource. D. The group remains in the DACL, and permissions assigned to the group affect access to the resource as though it were still a security group.

The user is created but disabled

What happens if a user is created without a password and the password policy requires a non-blank password?

Enable-ADAccount; Disable-ADAccount

Which command can be used in PowerShell to enable user accounts? Which command disables user accounts?

C. dsquery and dsmod

Which commands can you use together to change attributes of several users at once? A. dsget and dsadd B. dsget and dsmod C. dsquery and dsmod D. dsquery and dsget

A. Domain local to universal provided no domain local group is already a member

Which direct group scope conversion is allowed? A. Domain local to universal provided no domain local group is already a member B. Global to domain local without restriction C. Domain local to global provided no domain local group is already a member D. Universal to global without restriction

A. User must change password at next logon. C. Password never expires.

Which of the following account options can't be set together? (Choose all that apply.) A. User must change password at next logon. B. Store password using reversible encryption. C. Password never expires. D. Account is disabled.

A. Administrator D. Guest

Which of the following are built-in user accounts? (Choose all that apply.) A. Administrator B. Operator C. Anonymous D. Guest

B. Computer accounts C. User accounts

Which of the following are considered security principals? (Choose all that apply.) A. Contacts B. Computer accounts C. User accounts D. Distribution groups

B. OUs can be nested. C. A group policy can be linked to an OU. D. Only members of Domain Administrators can work with OUs.

Which of the following are true about organizational units? (Choose all that apply.) A. OUs can be added to an object's DACL. B. OUs can be nested. C. A group policy can be linked to an OU. D. Only members of Domain Administrators can work with OUs.

A. The name can be from 1 to 20 characters. C. The name can't be duplicated in the domain.

Which of the following are true about user accounts in a Windows Server 2016 domain? (Choose all that apply.) A. The name can be from 1 to 20 characters. B. The name is case sensitive. C. The name can't be duplicated in the domain. D. Using default settings, PASSWORD123 is a valid password.

A. Local C. Domain

Which of the following are user account categories? (Choose all that apply.) A. Local B. Global C. Domain D. Universal

B. Global groups from any domain in the forest C. Other universal groups

Which of the following can be a member of a universal group? (Choose all that apply.) A. User accounts from the local domain only B. Global groups from any domain in the forest C. Other universal groups D. Domain local groups from the local domain only

A. DACL B. Object owner C. SACL

Which of the following components are collectively grouped together and referred to as the object's security descriptor? (Choose all that apply.) A. DACL B. Object owner C. SACL D. OUs

D. Search-ADAccount -AccountDisabled > disabled.txt

Which of the following creates a file named disabled.txt containing a list of disabled Active Directory accounts? A. net accounts /show disabled B. ldifde -accounts -property=enabled -value=false C. Query-Account -Disable=True | disabled.txt D. Search-ADAccount -AccountDisabled > disabled.txt

A. Global B. Domain local

Which of the following is a valid group scope? (Choose all that apply.) A. Global B. Domain local C. Forest D. Domain global

B. Sam*Snead35

Which of the following is not a valid Windows Server 2016 user account name? A. Sam$Snead1 B. Sam*Snead35 C. SamSnead!24 D. Sam23Snead

C. Domain Users is a member.

Which of the following is true about the Users domain local group? A. It's in the Users folder. B. It can be converted to a global group. C. Domain Users is a member. D. Its members can log on locally to a domain controller.

A. Computer accounts C. User accounts

Which of the following members can belong to the global group? (Choose all that apply.) A. Computer accounts B. Global groups from any domain C. User accounts D. Universal groups

B. Domain local

You have decided to follow Microsoft's best practices to create a group scope that will allow you to aggregate users with similar rights requirements. Which group scope should you initially create? A. Global B. Domain local C. Local D. Universal

B. In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control.

You have hired a new junior administrator and created an account for her with the logon name JrAdmin. You want her to be able to reset user accounts and modify group memberships for users in the Operations department whose accounts are in the Operations OU. You want to do this with the least effort and without giving JrAdmin broader capabilities. What should you do? A. In the Active Directory Administrative Center, right-click the Operations OU, click Properties, and click Managed By. B. In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control. C. Open the Operations Security tab and add JrAdmin to the DACL. D. Add JrAdmin to the Password Managers domain local group.

C. Set the Logon Hours options for their user accounts.

You have noticed the inappropriate use of computers for gaming and Internet downloads by some employees who come in after hours and on weekends. These employees don't have valid work assignments during these times. You have been asked to devise a solution for these employees that doesn't affect other employees or these employees' computers during working hours. What's the best solution? A. Install personal firewall software on their computers in an attempt to block the gaming and Internet traffic. B. Request that the Maintenance Department change the locks on their office doors so that they can enter only during prescribed hours. C. Set the Logon Hours options for their user accounts. D. Before you leave each evening and before the weekend, disable these employees' accounts and re-enable them the next working day.

D. In Active Directory Users and Computers, click View, Advanced Features

You want to see the permissions set on an OU, so you open Active Directory Users and Computers, right-click the OU, and click Properties. After clicking all the available tabs, you can't seem to find where permissions are set in the Properties dialog box. What should you do? A. Log on as a member of Enterprise Admins and try again. B. In the Properties dialog box, click the Advanced button. C. Right-click the OU and click Security. D. In Active Directory Users and Computers, click View, Advanced Features.

Custom

_______ tasks allow fine-grained control over the management tasks a user can perform in an OU.

