NET140 TestOut Chapter 8.3 Group Policy
You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice the account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy. What should you do next?
Configure Account lockout duration as 0. Explanation Configuring the Account lockout duration to 0 will require an administrator to unlock all accounts. This setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
After configuring a password policy to require users to create strong passwords, you start to notice sticky notes stuck to monitors throughout the organization. The sticky notes often have strings of characters written on them that appear to be passwords. What can you do to prevent the security risk that this practice presents?
Educate users on how to create and remember strong passwords. Explanation Educate users on how to create and remember strong passwords. Enforcing strict password restrictions might actually weaken network security if you do not educate users about proper procedures to take to protect logon credentials. If users do not understand the restrictions that have been implemented, they might try to circumvent these restrictions by writing down passwords. Take the following measures to educate users: Tell users that they should not write down passwords or share logon credentials with other users. Teach users how to construct and remember complex passwords. For example, for the password bw2Fs3d, users might create the following sentence: bob went 2 the "capital" Florist shop 3 times daily. Educate users about social engineering tactics. Instruct them not to respond to requests for passwords from administrators or other seemingly trusted personnel. Implement policies that prevent administrators from asking for sensitive information. If you require users to change their passwords more often, reduce the limit on the number of failed login attempts, or increase the minimum length for passwords, you are likely to push more users to write their passwords down so they don't forget them.
You are the network administrator of a small network consisting of three Windows servers and 150 Windows workstations. Your network has a password policy in place with the following settings: Enforce password history: 10 passwords remembered Maximum password age: 30 days Minimum password age: 0 days Minimum password length: 8 characters Password must meet complexity requirements: Disabled Store password using reversible encryption: Disabled One day, while sitting in the cafeteria, you overhear a group of co-workers talk about how restrictive the password policy is and how they have found ways to beat it. When required to change the password, they simply change the password 10 times at the same sitting. Then they go back to the previous password. Your company has started a new security crackdown, and passwords are at the top of the list. You thought you had the network locked down, but now you see that you need to put an end to this practice. Users need to have passwords that are a combination of letters and numbers and do not contain a complete dictionary word. Users should not be able to reuse a password immediately. What should you do? (Choose two. Each answer is part of the solution.)
Enable the Password must meet complexity requirements setting. Enable the Minimum password age setting. Explanation Enable the Minimum password age setting. This will force the user to use the new password for whatever length of time you determine before changing it again. Also, enable the Password must meet complexity requirements setting. By enabling this setting, the user passwords cannot contain the user name, the user's real name, the company name, or a complete dictionary word. The password must also contain multiple types of characters, such as upper and lowercase letters, numbers, and symbols.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. How can you make the change with the least amount of effort? (Select two.)
Implement a granular password policy for each user in the Directors OU. Create a group for the members of the Directors OU and then apply a granular password policy to the group. Explanation Use granular password policies to force different password policy requirements for different users or groups. Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Creating a new domain for the directors would require an unnecessary amount of effort. You cannot use the Active Directory Users and Computers tool to configure granular passwords; you must use the Active Directory Administrative Center for this task.
You are the network administrator for your network. Your network consists of a single Active Directory domain. Your company recently mandated the following user account criteria: User accounts must be deactivated after three unsuccessful logon attempts. User account passwords must be at least 12 characters long. User accounts must be manually reset by an administrator once they are locked out. You must make the changes to affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Choose three. Each correct choice represents part of the solution.)
Set Account lockout threshold to 3. Set Account lockout duration to 0. Set Minimum password length to 12. Explanation To meet the company's requirements: Set Minimum password length to 12. Set Account lockout threshold to 3. Set Account lockout duration to 0. Minimum password length configures how many characters a valid password must have. Account lockout threshold configures how many incorrect passwords can be entered before being locked out. Account lockout duration identifies how long an account will stay locked out once it has been locked. A value of 0 indicates that an administrator must manually unlock the account. Any other number indicates the number of minutes before the account will be automatically unlocked. The requirements do not provide enough information to configure maximum password age, reset account lockout counter after, or password must meet complexity requirements.
You are the administrator for a domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). You want to configure password and account lockout policies that Active Directory domain controllers will enforce. You have created a Group Policy object with the settings you want to apply. Most of the domain controllers are located in the Domain Controllers OU, although you have moved some domain controllers to a sub-OU called Secure Domain Controllers. Where should you link the Group Policy object that you created?
The internal.widgets.com domain. Explanation Domain controllers ignore account policy settings in GPOs that are not linked to the domain. To change a domain's account policy settings, use a GPO linked to the domain, such as the Default Domain Policy GPO.
