CIS 237 Chapter 1-7

The folders containing Group Policy Templates (GPTs) can be found under what folder on a domain controller?

%systemroot%\SYSVOL\sysvol\domain\Policies

The gpupdate command in conjunction with which option below causes synchronous processing during the next computer restart or user logon?

/sync

By default, how many previous logons are cached locally to a computer?

10

How long does it take for a change made on a domain controller to trigger intrasite replication?

15 seconds, with a 3 second delay between each replication partner

By default, for how long are deleted objects stored within the Active Directory database before they are removed entirely?

180 days

The Knowledge Consistency Checker (KCC) ensures the maximum number of hops between any two domain controllers does not exceed what number?

3

By default, the maximum tolerance for computer clock synchronization is set to what value?

5 minutes

How often are Group Policy Objects updated on domain controllers?

5 minutes

By default, what is the maximum period during which a TGT can be renewed?

7 days

A partition stored on a domain controller in the HQ site isn't being replicated to other sites, but all other partitions on domain controllers in the HQ site are being replicated. The problem partition is stored on multiple domain controllers in HQ. What should you investigate as the source of the problem?

A manually configured bridgehead server

What feature, once activated, can not be disabled without reinstalling all domain controllers within a forest

Active Directory Recycle Bin

What PowerShell cmdlet below will install the Active Directory Domain Services role?

Add-WindowsFeature AD-Domain-Services

What folder under Policies within the Computer Configuration Node of a GPO contains the Control Panel, Network, Printers, System, and Windows Component folders?

Administrative Templates

Which of the following is not one of the five folder objects that are created when Active Directory is installed?

Administrators

Which special identity group specifically includes any user account (except the Guest) logged into a computer or domain with a valid username and password?

Authenticated Users

Which feature was first introduced with Windows Server 2012 R2, and are new Active Directory containers to which authentication policies can be applied to restrict where high-privilege user accounts can be used in the domain?

Authentication Policy silos

What option under the folder redirection settings redirects everyone's folder to the same location?

Basic

How can an administrator test an MSA to ensure that it can access the domain with its current credentials, or can be installed on a member computer?

By using the Test-ADServiceAccount cmdlet

A user's profile is stored in what directory on a local computer by default?

C:\Users\logonname

To find a full list of policies and preferences that can have background processing disabled, where should you look?

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Under the Computer Configuration, which folder contains settings related to the Regional and Language Options, User Accounts, and Personalization options?

Control Panel

Which of the following are common ways to configure DNS for a forest trust? (Choose all that apply.)

Create conditional forwarders Create stub zones

What policy is a GPO linked to the Domain Controllers OU and specifies the default policy settings for all domain controllers?

Default Domain Controllers Policy

Which of the following default policies are designed to provide default security settings for all computers, including domain controllers, in the domain? (Choose all that apply.)

Default Domain Policy Default Domain Controllers Policy

An administrator has discovered that several critical parts of Active Directory have been deleted. What boot mode can be used to perform restoration?

Directory Services Restore Mode (DSRM)

What Active Directory replication method makes use of remote differential compression (RDC)?

Distributed File System Replication (DFSR)

What is the most typically used group type conversion?

Distribution group -> security group

Select the true statement regarding the conversion of group scope:

Domain local groups can be converted to universal, the domain local group must not contain other domain local groups

Select the GPO permission that provides the ability to change existing settings, import settings, and enable or disable a GPO, but is not granted to any user by default.

Edit Settings

How often are computer and user policies applied after a user has logged into a computer?

Every 90 minutes

f a domain consists of DCs that are running versions of Windows Server earlier than Windows Server 2008, what replication method is used?

File Replication Service (FRS)

To increase security of data stored on an RODC, what can be configured to specify domain objects that aren't replicated to RODCs?

Filtered attribute sets

The option to turn off background processing is not available for which type of policy below?

Folder redirection

What defines the objects that a Group Policy Object affects?

GPO scope

What PowerShell cmdlet can be used to show an MSA's properties?

Get-ADServiceAccount

What Active Directory directory partition holds the DNS database?

Global catalog partition

What specific tool allows you to create GPOs, view a GPO's settings, link and unlink GPOs with containers, and manage the inheritance settings of GPOs?

Group Policy Management console

What tool can be used to determine what policy settings would apply to a computer or user account if it were moved to a different container?

Group Policy Modeling

Settings in the Computer Configuration node of Administrative Templates will impact which registry key below?

HKEY_LOCAL_MACHINE

Settings under the User Configuration node affect what Registry key?

HKEY_LOCAL_USER

Select the command that is used to import settings from a backed-up GPO to an existing GPO.

Import-GPO

Select the operations master role responsible for ensuring that changes made to object names in one domain are updated in references to the object in other domains.

Infrastructure master

Which FSMO role is responsible for ensuring that changes made to object names within one domain are updated in references to those objects in other domains?

Infrastructure master

What command can be used to cause a group policy refresh remotely on Windows Vista and later clients?

Invoke-GPUpdate

What specific authentication protocol used in a Windows domain environment to authenticate logons and grant accounts access to domain resources?

Kerberos

Select the GPO state where the GPO is in the Group Policy Objects folder but hasn't been linked to any container objects.

Link status: unlinked

Select below the option that is not one of the three built-in service accounts.

Local Operator

What mode of the Resultant Set of Policy (RSoP) snap-in produces a database of policy results that you browse in a similar manner to using the Group Policy Management Editor?

Logging

What is a downlevel user logon name used for?

Logging into older Windows OSs or using older Windows applications

What setting specifies how long a service ticket can be used before a new ticket must be requested to access the resource for which the ticket was granted?

Maximum lifetime for service ticket

Which of the following are requirements to raise the forest functional level to Windows Server 2016? (Choose all that apply.)

Member of Enterprise Admins group The Schema FSMO role must be available

What is the primary container object for organizing and managing resources in a domain?

OUs

By default, replication between DCs when no changes have occurred is scheduled to happen how often?

Once per hour

Which of the following is associated with an Active Directory tree? (Choose all that apply.)

One or more domains A common naming structure Parent and child domains

Which statement is true regarding the global catalog?

Only one global catalog exists per forest

An administrator has received a call indicating that some users are having difficulty logging on after a password change. Which FSMO role should be investigated?

PDC emulator

The RID master FSMO role is ideally placed on the same server as what other role?

PDC emulator

Select the operations master role that is responsible for providing backward compatibility with Windows NT servers configured as Windows NT backup domain controllers or member servers.

PDC emulator master

Select below the policy permission that grants a user or group the ability to use the GPO Modeling Wizard on a target container.

Perform Group Policy Modeling analyses

Within the Security Configuration and Analysis snap-in, what does an exclamation point in a white circle indicate?

Policy doesn't exist on the computer

Which tab in the Group Policy Results window shows all events in Event Viewer that are generated by group policies, and can be used to view the relevant information on a remote computer?

Policy events

What permission is given to the Enterprise Domain Controllers universal group on all GPOs by default, and grants permission to view settings and back up a GPO?

Read

If a central store for policy definition files has been created, where should the PolicyDefinitions folder reside?

SYSVOL folder

Select the specific Windows folder that is a shared folder containing file-based information that is replicated to other domain controllers.

SYSVOL folder

What Active Directory partition contains the information needed to define objects and object attributes for all domains in the forest?

Schema directory partitio

An administrator has attempted to change the forest functional level, but the attempt failed due to the failure of an FSMO role. Which FSMO role should be investigated?

Schema master

Which of the following choices is one of the two forest-wide FSMO roles?

Schema master

What features should you configure if you want to limit access to resources by users in a trusted forest, regardless of permission settings on these resources?

Selective authentication

Which of the following choices is not one of the three user account types defined in Windows Server 2016?

Service user account

Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs?

Set-GPPermission

In the User Configuration node, where are policies that determine whether a user can publish DFS root folders in Active Directory?

Shared Folders

Your network is configured in a hub-and-spoke topology. You want to control the flow of replication traffic between sites, specifically reducing the traffic across network links between hub sites to reach satellite sites. What should you configure?

Site link bridges

If the slow link detection policy is set at 0, what does this indicate?

Slow link detection is disabled

Before you configure a forest trust, what should you configure to ensure you can contact the forest root of both forests from both forests?

Stub zones

Which of the following statements is true regarding the built-in Guest account?

The Guest account should be renamed if it will be used

Using default settings, if a computer's clock differs more than 5 minutes than a Kerberos message's timestamp, what happens?

The Kerberos message is considered invalid

Which statement is true regarding the use of the Logon Hours option under a user's account?

The Logon Hours can't be used to disconnect a user that is already logged in

After a template account has been created, what can be done to ensure that the template account does not pose a security risk?

The account should be disabled

Which of the following scenarios is not ideal for the deployment of a single domain structure?

The domain structure must be able to utilize different name identities

What does the /target option do when used with the gpupdate command?

The option can specify whether computer or user policy settings should be updated

If using virtual accounts to access the network, how are permissions added to a network resource to allow the virtual account access?

The resource must have proper permissions set for ComputerName$, where ComputerName is the name of the computer attempting to access the resource.

Under what circumstances would a multi-domain structure not be an ideal choice?

The structure should facilitate easier access to resources

After running the Security Configuration and Analysis snap-in with a template, what does a check mark in a green circle mean?

The template policy and current computer policy are the same

Approximately 42 days after a service was configured to use a normal user account, the service has stopped working and refuses to run. An administrator has verified that the account still exists on the domain. Assuming default domain policy settings, what could be the issue?

The user account password expired

How is a computer's designated site determined, such that the computer is given a domain controller to request services from within the same site?

Through subnets added to the site

During garbage collection, what setting controls how long deleted objects remain within the database before such objects are completely removed?

Tombstone lifetime

How can the output of a command be redirected to a file instead of being displayed on the computer's screen

Type the > character followed by the file name

When creating a new user, the "User cannot change password" option can't be used in conjunction with what other option?

User must change password at next logon

In order to use the Active Directory Recycle Bin, all DCs in the forest must be running at least what Windows Server operating system?

Windows Server 2008 R2

For automatic SPN support, what must the domain functional level be?

Windows Server 2008 R2 or higher

Which of the following is true about the domain functional level?

You can have different functional levels within the forest

How can an administrator remove all audit policy subcategories so that auditing is controlled only by Group Policy?

auditpol /clear

What tool within Windows Server 2016 must be used in order to change the default auditing settings?

auditpol.exe

What option limits the delegation to specific services running on specific computers?

constrained delegation

What command below can be used to reset the default GPOs to their original settings?

dcgpofix

Which of the following is the primary identifying and administrative unit in Active Directory?

domain

What Windows servers are the only domain controllers that hold universal group membership information?

global catalog

In order to force a computer to immediately download and apply all group policies, what command should be run?

gpupdate /force

What type of Active Directory replication takes place between domain controllers in the same site?

intrasite

In what order are group policy settings applied?

local, site, domain, OU

What Active Directory object enables an administrator to configure password settings for users or groups that are different from those defined in a GPO linked to the domain?

password settings object

What type of application is made available via Group Policy for a user to install by using Programs and Features in Control Panel?

published

The default location for computer accounts that are created automatically after joining the domain can be changed using which command?

redircmp.exe

Which command line utility below can be used to change an SPN?

setspn

Which of the following defines Active Directory objects and their attributes and can be changed by an administrator or an application to best suit the organization's needs?

single schema

Select the term that is a record of the time a message is sent and is used in Kerberos to determine a message's validity and prevent replay attacks.

timestamp

In Active Directory, what defines how security principals from one domain can access network resources in another domain?

trust relationship

Which option below is not one of the three main methods for cleaning up metadata?

wbsadmin.exe