Knowledge Check 8 - Group Policy
Which of the following character types are allowed in a UPN? (Select two.)
# !
Click on the user right policy that is used to grant a user local access to the desktop of a Windows server.
'Allow log on locally' Policy
You've just deployed a new Active Directory domain, as shown in the figure below. You now need to deploy Group Policy objects (GPOs) to apply configuration settings and enforce security policies. Click the container(s) to which a GPO can be applied.
'Corp' container & 'Domain Controllers' container
Which file type applies only to Windows applications that are purchased through the Windows Store? Answer .dll
.appx
Which file types are included in the Script rule type?
.cmd and .bat
You are the IT security administrator for a small corporate network. A group of desktop administrators needs administrative rights to all of the workstations in the domain. The workstations are located in the Workstations OU on CorpDC. In this lab, your task is to: Create a global security group named Desktop Admins in the Admins OU. (Members of the group will be added later.) Configure a restricted group policy in the WorkstationGPO object that adds the domain Desktop Admins group to the local Administrators group on all the workstations.
1. Access the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to access the server. 2. Create a group. a. From Server Manager, select Tools > Active Directory Users and Computers. b. From the left pane, expand CorpNet.local. c. Right-click the Admins and select New > Group. d. In the Group name field, enter Desktop Admins. e. Select OK. f. Close Active Directory Users and Computers. 3. Create a restricted group. a. From Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. d. Right-click WorkstationGPO and select Edit. e. Under Computer Configuration, expand Policies > Windows Settings > Security Settings. f. Right-click Restricted Groups and select Add Group. g. Select Browse. h. In the Enter the object names to select box, enter Desktop Admins and then select OK. i. Select OK to add the group. j. For This group is a member of, select Add. k. Enter Administrators (do not browse) and then select OK. l. Select OK.
You are the IT administrator of a large network. You need to create a starter GPO to use as a template, and then create a new GPO using that starter GPO. This needs to be completed on the CorpDC server. In this lab, your task is to: Enable the Administrative Templates central store by creating a Starter GPOs folder. Create a starter GPO named DNS Settings. Configure the DNS Settings policies:DNS Servers:State: EnableIP addresses: 192.168.0.11 and 192.168.10.11(Use a space to separate the two addresses.)Primary DNS Suffix:State: EnableDNS suffix: CorpNet.localRegister PTR Records:State: EnabledOption: RegisterDynamic Update:State: EnabledTurn off smart multi-home Name Resolution:State: Enabled(Enabling the policy turns off LLMNR.) Create a new GPO named CommonGPO using the new starter GPO you created. Do not link the GPO at this time. Verify that the starter GPO settings were applied to the CommonGPO.
1. Access the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to connect to the virtual server. c. Maximize the window for better viewing. 2. Create a starter GPO folder. a. From Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. Expand Forest: CorpNet.local > Domains > CorpNet.local. d. Select Starter GPOs. e. From the right pane, select Create Starter GPOs Folder. 3. Create a starter GPO. a. From the left pane, right-click Starter GPOs and select New. b. In the Name field, use DNS Settings for the name of the starter GPO and then select OK. 4. Configure the starter GPO policies. a. Right-click DNS Settings and select Edit. b. Under Computer Configuration, expand and select Administrative Templates > Network > DNS Client. c. From the right pane, double-click the policy you want to edit. d. Select Enabled or Disabled for the setting. e. Configure additional parameters as required. f. Select OK. g. Repeat steps 4c-4f for each policy. h. Close the Group Policy Starter GPO Editor. 5. Create a GPO using a starter GPO. a. From the left pane, expand Starter GPOs. b. Right-click DNS Settings and select New GPO From Starter GPO. c. Use the name of CommonGPO for the new GPO and then select OK. 6. Verify the CommonGPO policy settings. a. From the left pane, select Group Policy Objects. b. From the right pane, right-click CommonGPO and select Edit. c. Maximize the window for better viewing. d. Under Computer Configuration, expand Administrative Templates > Network. e. Select DNS Client. f. Verify that the values set in the starter GPO have been applied to the new policy.
You work as the IT administrator for a small business and are responsible for the corporate network. You are increasing network security by implementing AppLocker. Your first step is to prevent applications from running on computers that are not located in the Windows directory or the Program Files directory. In addition, there is a custom call center application used by the support team. The call center application runs from C:\CallCenter\CallStart.exe and must be allowed to run. You also want future versions of the call center application to run without having to change any settings. In this lab, your task is to configure AppLocker in the WorkstationGPO on CorpDC as follows: Configure AppLocker to enforce executable rules. For AppLocker, create default executable rules to ensure you maintain access to:All files located in the Program Files folder.All files located in the Windows folder. Create an AppLocker rule using the following file attributes:Allow the Support group to run the call center software.Make sure the application is signed by the software publisher.Use C:\CallCenter\CallStart.exe as the reference file.Allow the rule to be applied to only the publisher of the file.Do not a
1. Access the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to connect to the virtual server. c. Maximize the window for better viewing. 2. Enforce AppLocker rules for executable rules. a. From Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. From the left pane, expand Forest:CorpNet.local > Domains > CorpNet.local > Group Policy Objects. d. Right-click WorkstationGPO and select Edit. e. Maximize the window for better viewing. f. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Application Control Policies. g. Select AppLocker. h. From the right pane, select Configure rule enforcement. i. Under Executable rules, select Configured. j. Make sure Enforce rules appears in the drop-down list. k. Select OK. 3. Create default executable rules. a. From the left pane, expand AppLocker. b. Right-click Executable Rules and select Create Default Rules. c. From the right pane, notice that the three default executable rules that allow the group Everyone access to the Windows and Program Files directories were created. 4. Configure a Publisher rule and allow the Support group to run the call center software. a. From the left pane, right-click Executable Rules and select Create New Rule. b. Select Next. c. Make sure Allow is selected. d. For User or group, click Select. e. Enter Support for the required group and then select OK. f. Select Next. g. Make sure Publisher is selected and then select Next. h. For Reference files, select Browse. i. Browse to and select C:\CallCenter\CallStart.exe. j. Select Open. k. Slide the pointer from File version to Publisher and then select Next. l. Select Next. m. Select Create to accept the default name.Notice that the Publisher rule was created.
You work as the IT administrator for a small business and are responsible for the corporate network. You are working on improving the security of network resources. In this lab, your task is to add the following groups to the associated User Rights Assignment policy, located in the ServerGPO policy object, from the CorpDC server: User Rights Assignment PolicyGroupAllow log on locallyAdministratorsAllow log on through Remote Desktop ServicesAdministratorsManage auditing and security logEvent Log ReadersPerform volume maintenance tasksAdministratorsShut down the systemAdministrators
1. Access the CorpDC virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC to open the virtual server. 2. Access the Group Policy Management Editor for the ServerGPO group policy object. a. From Server Manager, select Tools > Group Policy Management. b. Expand Forest:CorpNet.local > Domains > CorpNet.local > Group Policy Objects. c. Right-click ServerGPO and select Edit. d. Maximize the window for better viewing. 3. Configure the User Rights Assignments. a. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies. b. Select User Rights Assignment. c. Double-click the policy you want to edit. d. Select Define these policy settings. e. Select Add User or Group. f. Enter the name of the group (or use Browse, if desired), and then select OK. g. Select OK. h. Repeat steps 3c-3g to define the remaining policy settings.
You are the IT administrator for a small corporate network. You must configure a password policy for the domain on the CorpDC server. In this lab, your task is to edit the Default Domain Policy and configure the account policy settings as follows: Configure the password polices.New passwords must be different from the previous 10 passwords.Users must change passwords every 90 days.Users cannot change a new password for at least 14 days.Passwords must be at least 10 characters long.Passwords must contain uppercase letter, lowercase letter, number, and symbol characters. Configure the account lockout policies.If 5 incorrect passwords are entered, lock the account.After a failed logon attempt, lock the account for 10 minutes.Keep accounts locked for 60 minutes and then unlock the account automatically.
1. Access the CorpDC virtual server. a. In Hyper-V Manager, select CORPSERVER. b. Under Virtual Machines, double-click CorpDC to connect to the virtual server. 2. Modify the password policies. a. From Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local. d. Right-click Default Domain Policy and select Edit. e. Maximize the window for better viewing. f. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Account Policies. g. Select Password Policy. h. From the right pane, double-click the policy you want to edit. i. Make sure Define this policy setting is selected. j. Edit the value for the policy, and then select OK. k. Repeat steps 2h-2j for each policy. 3. Modify account lockout policies. a. From the left pane, select Account Lockout Policy. b. From the right pane, double-click the policy you want to edit. c. Make sure Define this policy setting is selected. d. Edit the value for the policy and then select OK. e. Repeat steps 3b-4d for additional policies.
You are the IT administrator for a small corporate network. The Support department uses a call center application that runs from the network. They would like to make sure that all support computers have a shortcut to this application on the desktop for all users. In this lab, your task is to create a shortcut for all computers in the SupportGPO using the preference settings as follows: Action: Update Name: CallStart Target Type: File System Object Location: All Users Desktop Target Path: \\CorpFiles\CallCenter\CallStart.exe
1. Access the CorpDC virtual server. a. In Hyper-V Manager, select CORPSERVER. b. Under Virtual Machines, right-click CorpDC and select Connect. 2. Open the SupportGPO in the Group Policy Management Editor. a. In Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. In the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. d. Right-click SupportGPO and select Edit. e. Maximize the window for better viewing. 3. Create a new shortcut policy. a. Under Computer Configuration, expand Preferences > Windows Settings. b. Right-click Shortcuts and select New > Shortcut. c. Enter CallStart in the Name field. d. Using the Location drop-down, select All Users Desktop. e. Enter \\CorpFiles\CallCenter\CallStart.exe in the Target path field. f. Select OK.
You are the IT administrator for a small corporate network. You have noticed that several computer monitors are still on late at night, long after employees have left. You would like to use Group Policy to set consistent power options for computers throughout the company. All workstations are Windows 11 and reside in the Workstations OU. In this lab, your task is to configure the following Power Option policy settings in the WorkstationGPO policy: Set the policy Action to Update. Set the Balanced power plan as the active power plan for all workstations. Set the following advanced settings:SettingOn BatteryPlugged inHard disk: Turn off hard disk after60 Minutes120 MinutesDisplay: Turn off display after30 Minutes60 Minutes
1. Access the CorpDC2 virtual server. a. From Hyper-V Manager, select CORPSERVER. b. Under Virtual Machines, double-click CorpDC2 to access the server. 2. Access the WorkstationGPO Power Option policy. a. From Server Manager, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. From the left pane, expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. d. Right-click WorkstationGPO and select Edit. e. Maximize the window for better viewing. 3. Start a new power plan. a. From the left pane, under Computer Configuration, expand Preferences. b. Expand Control Panel Settings. c. Right-click Power Options and select New > Power Plan (At least Windows 7). 4. Configure your new power plan. a. From the Action drop-down list, make sure Update is selected. b. From the list of power plans, make sure Balanced is selected. c. Select Set as the active power plan. d. Expand Hard disk > Turn off hard disk after. e. Select On battery. f. In the On battery field, enter 60. g. Select Plugged in. h. In the Plugged in field, enter 120. i. Expand Display > Turn off display after. j. Select On battery. k. In the On battery field, enter 30. l. Select Plugged in. m. In the Plugged in field, enter 60. n. Select OK.
You are the IT administrator for a small corporate network. The company has a single Active Directory domain named CorpNet.local. You need to increase the domain's authentication security. You need to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to configure UAC settings in the Default Domain Policy on CorpDC as follows: User Account ControlSettingAdmin Approval mode for the built-in Administrator accountEnabledAllow UIAccess applications to prompt for elevation without using the secure desktopDisabledBehavior of the elevation prompt for administrators in Admin Approval modePrompt for credentialsBehavior of the elevation prompt for standard usersAutomatically deny elevation requestsDetect application installations and prompt for elevationEnabledOnly elevate executables that are signed and validatedDisabledOnly elevate UIAccess applications that are installed in secure locationsEnabledRun all administrators in Admin Approval modeEnabledSwitch to the secure desktop when prompting for elevationEnabledVirtualize file and registry write failures to per-user locationsEnabled
1. On CorpDC, access the CorpNet.local domain for Group Policy Management. a. From Hyper-V Manager, select CORPSERVER. b. Double-click CorpDC. c. From Server Manager, select Tools > Group Policy Management. d. Maximize the window for easy viewing. e. Expand Forest: CorpNet.local > Domains > CorpNet.local. 2. Configure the UAC settings. a. Right-click Default Domain Policy and select Edit. b. Maximize the window for easier viewing. c. Under Computer Configuration, expand and select Policies > Windows Settings > Security Settings > Local Policies > Security Options. d. From the right pane, double-click the policy you want to edit. e. Select Define this policy setting. f. Select Enable or Disable as necessary. g. Edit the value for the policy as needed and then select OK. h. Repeat steps 2d-2g for each policy setting.
You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events. In this lab, your task is to configure the following audit policy settings in WorkstationGPO: Local PoliciesSettingAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsEnabledAudit: Shut down system immediately if unable to log security auditsEnabled Event LogSettingRetention method for security logDefine: Do not overwrite events (clear log manually) Advanced Audit Policy ConfigurationSettingAccount Logon: Audit Credential ValidationSuccess and FailureAccount Management: Audit User Account ManagementSuccess and FailureAccount Management: Audit Security Group ManagementSuccess and FailureAccount Management: Audit Other Account Management EventsSuccess and FailureAccount Management: Audit Computer Account ManagementSuccessDetailed Tracking: Audit Process CreationSuccessLogon/Logoff: Audit LogonSuccess and FailureLogon/Logoff: Audit LogoffSuccessPolicy Change: Audit Authentication Polic
1. Using Group Policy Management, access CorpNet.local's Group Policy Objects > WorkgroupGPO. a. From Server Manager's menu bar, select Tools > Group Policy Management. b. Maximize the window for better viewing. c. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects. 2. Access the WorkstationGPO's Security Settings Local Policies. a. Right-click WorkstationGPO and select Edit. b. Maximize the window for better viewing. c. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies. d. Select Security Options. 3. Modify Local Policies. a. From the right pane, double-click the policy you want to edit. b. Select Define this policy setting. c. Select the policy settings as required. d. Select OK. e. Select Yes to confirm changes as necessary. f. Repeat steps 3a - 3e for the additional policy setting. 4. Modify the Event Log. a. From the left pane, select Event Log. b. From the right pane, double-click the Retention method for security log. c. Select Define this policy setting. d. Select Do not overwrite events. e. Select OK. 5. Modify Advanced Audit Policy Configuration. a. From the left pane, expand Advanced Audit Policy Configuration > Audit Policies. b. Select the audit policy category. c. From the right pane, double-click the policy you want to edit. d. Select Configure the following audit events. e. Select the policy settings as required. f. Select OK. g. Repeat steps 5b-5f for additional policy settings.
You are the IT security administrator for a small corporate network. You are using Group Policy to enforce settings for certain workstations on your network. You have prepared and tested a security template file that contains policies that meet your company's requirements. In this lab, your task is to configure Group Policy on CorpDC as follows: Create a GPO named Workstation Settings. Link the Workstation Settings GPO to the following OUs:The TempMarketing OU (in the Marketing OU)The TempSales OU (in the Sales OU)The Support OU Import security settings from the security template (ws_sec.inf) located in C:\Templates for the Workstation Settings GPO.
1.Access the CorpNet.local domain. a.From Server Manager, select Tools > Group Policy Management. b.Maximize the window for better viewing. c.Expand Forest: CorpNet.local > Domains > CorpNet.local. 2.Create the Workstation Settings GPO and link it to the CorpNet.local domain. a.Right-click the Group Policy Objects OU and select New. b.In the Name field, use Workstation Settings and then select OK. 3.Link OUs to the Workstation Settings GPO. a.Right-click the OU and select Link an Existing GPO. b.Under Group Policy Objects, select Workstation Settings and then select OK. c.Repeat step 3 to link the additional OUs. 4.Import the ws_sec.inf security policy template. a.Expand Group Policy Objects. b.Right-click Workstation Settings and select Edit. c.Under Computer Configuration, expand Policies > Windows Settings. d.Right-click Security Settings and select Import Policy. e.Browse to the C:\Templates. f.Select ws_sec.inf and then click Open.
Group Policies can be used to set the same notification levels at the domain level that can be set for local machines using the User Account Control (UAC) tool. You need to configure the Notify me only when programs try to make changes to my computer notification level using Group Policy. Which of the following Group Policies must be set to complete this configuration?
1.The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. 2.The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.
How many old passwords can Windows remember?
24
How many characters can be entered before the "@" symbol and how many characters can be entered after the "@" symbol in a UPN?
64 before and 48 after the "@" symbol
Which of the following best describes a restricted groups policy?
A client configuration that can be used to control membership for groups that require high security.
Which of the following do you need in order to install the Group Policy Management Tools? (Select three.)
A server management VM that's joined to the managed domain An Azure Active Directory tenant An Azure AD DS managed domain
Permissions give you the ability to do which of the following?
Access a printer
You have created a group policy that prevents users in the accounting department from accessing records in a database that has confidential information. The group policy is configured to disable the search function for all users in the Accounting OU no matter which workstation is being used. After you configure and test the policy, you learn that several people in the Accounting OU have valid reasons for using the search function. These users are part of a security group named Managers. What can you do to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group?
Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.
Which group is assigned to the Allow log on locally right assigned to by default for workstations and member servers?
Administrators
You are an administrator over several Windows servers. You also manage a domain in Active Directory. Your responsibilities include managing permissions and rights to make sure users can do their jobs while also keeping them from doing things they should not be doing. With Windows Server systems and Active Directory, the concepts of permissions and rights are used to describe specific and different kinds of tasks. Drag the concept on the left to the appropriate task examples on the right. (Each concept can be used more than once.)
Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server. correct answer: Rights Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server. correct answer: Permissions Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server. correct answer: Rights Assign members of the Marketing group read-write access to the files in the Marketing folder on the CorpFiles server. correct answer: Permissions Allow members of the Admins group to log on locally to the CorpFiles server. correct answer: Rights Allow members of the Admins group to shut down the CorpFiles server. correct answer: Rights Allow members of the Marketing group to send print jobs to the Marketing color printer. correct answer: Permissions
Which of the following requires rights to perform the action?
Allow members of the IT group to back up the files in the Sales folder on the SalesData server.
Which UAC level is recommended as the most secure configuration option because it will always provide a standard user the option to log in as an administrator?
Always notify.
Which of the following are true regarding the Members group name? (Select two.)
Any user not included in the Members list is removed from the restricted group. The exception is the administrator in the Administrators group. Any user included in the list who is not currently a member of the restricted group becomes a member of the restricted group automatically when the policy is applied.
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
Audit successful system events. Create a GPO to configure auditing. Link the GPO to the domain.
A white exclamation mark inside a blue circle indicates which of the following about a Group Policy?
Block inheritance
You manage several Windows workstations in your domain. You want to configure a GPO that will make them prompt for additional credentials whenever a sensitive action is taken. What should you do?
Configure User Account Control (UAC) settings.
You would like to prevent users from running any software with .exe or .com extensions on computers in the domain unless they have been digitally signed. The rule should apply to all known and unknown software. How should you configure this rule in AppLocker?
Configure an executable rule with a publisher condition.
You are an administrator for a company that uses Windows servers. In addition to Active Directory, you provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients are strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
Configure object access auditing in a GPO and link it to the domain.
You are the security administrator for a large metropolitan school district. You are reviewing security standards with the network administrators for the high school. The school's computer center has workstations for anyone's use. All computers in the computer center are members of the Computer Center Computers global group. All workstations are currently located in the Computers container. The computer center computers have access to the internet so users can perform research. Any user who uses these computers should be able to run Internet Explorer only. Other computers in the high school should not be affected. To address this security concern, you create a Group Policy object (GPO) named Computer Center Security. How can you configure and apply this GPO to enforce the computer center's security?
Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only.
You manage 20 Windows workstations in your domain network. You want to prevent the sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change. What should you do?
Configure the User Account Control: Behavior of the elevation prompt for standard users setting in Group Policy to prompt for credentials.
Your organization has been using an in-house custom-developed application. The team that developed that application created a Group Policy template in the form of an ADMX file, which you have used to assign necessary rights to a group of users who use the application. Another group of users now needs to have the same rights. This group belongs to an OU to which one of your assistants has full control management rights to. When your assistant tries to use the Group Policy template to assign rights to this group, she cannot find the template in Active Directory. What must you do to give your assistant access to this Group Policy template?
Create a central store on the SYSVOL share and copy the ADMX file into it.
You are the administrator for the westsim.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. Computers in the accounting department use a custom application. During installation, the application creates a local group named AcctMagic. This group is used to control access to the program. By default, the account used to install the application is made a member of the group. You install the application on each computer in the accounting department. All accounting users must be able to run the application on any computer in the department. You need to add each user as a member of the AcctMagic group. You create a domain group named Accounting and make each user a member of this group. You then create a GPO named Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do?
Create a restricted group named AcctMagic. Add the Accounting domain group as a member.
You want to find out who has been running a specific game on the client computers in your company. You do not want to prevent users from running the program, but instead want to log information when the file runs. The application is not digitally signed. How should you configure a rule in AppLocker to meet these requirements?
Create an executable rule with a path condition that identifies the file. Set the enforcement mode to Audit only.
Which of the following can be configured using permissions?
Deny access to files
Which identifier enables or disables devices using the Devices Group Policy?
Device class
When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to?
Domain Controllers OU
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
Edit the access list for the OU. Identify specific users and events to audit.
You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer, so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted?
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit the success of the Delete permission.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom administrative template settings are not shown. What should you do?
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.
You have been asked to troubleshoot a Windows workstation that is a member of your domain. The director who uses the machine said he is able to install anything he wants and change system settings on demand. He has asked you to figure out why User Account Control (UAC) is not being activated when he performs a sensitive operation. You verify that the director's user account is a standard user and not a member of the local Administrators group. You want the UAC prompt to show. What should you do?
Enable the Run all administrators in Admin Approval Mode setting in the Group Policy .
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.)
Enable the logging of failed account logon events. Link the GPO to the Domain Controllers OU.
You would like to have better control over the applications that run on the computers in your domain, so you have decided to implement AppLocker. You have created default rules and an executable rule that only allows the company's accounting application to run. When you test these rules, you find that you can still run any program on your test client. What should you do? (Select two. Each correct answer is part of the solution.)
Ensure that the enforcement mode for executable rules is set to Enforce rules. Start the Application Identity service on the client computers.
Which preference would you use to regularly clean up temporary folders?
Files Folders
Click on the tool you can use to configure Restricted Groups to control membership for groups that require high security.
Group Policy Management
Which tool can be used to customize existing GPOs or to create custom GPOs?
Group Policy Management Editor
You have configured a new GPO. You use a scoping method to prevent it from applying to a specific user using a specific computer. Which tool can you use to see if your scoping method is successful?
Group Policy Results
Which of the following is true about Group Policy inheritance?
Group Policy settings are applied to all objects below the container where the GPO is linked.
Which AppLocker rule condition uses the digital fingerprint of an application?
Hash
You want to prevent users in your domain from running a common game on their machines. This application does not have a digital signature. You want to prevent the game from running even if the executable file is moved or renamed. You decide to create an AppLocker rule to protect your computer. Which type of condition should you use when creating this rule?
Hash
Under which security option category would you enable a prompt for users to change their password before it expires?
Interactive logon.
Your organization's security policy dictates that the security level of the Local Intranet and Trusted Sites zones in Internet Explorer be set to medium-high on all user workstations. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to make the change. Click on the Control Panel Setting you would use to implement this configuration.
Internet Settings
You need to configure a Group Policy preference that configures notebook systems in the domain to use the Power Saver power plan when undocked. You have specified the appropriate power plan in the Advanced Settings tab of the Power Options Group Policy preference and have set it as the active power plan. Click on the option you must enable to apply the preference only to undocked notebook systems.
Item-level targeting.
Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and the child OUs Research, HR, Finance, Sales, and Operations. You have created a Group Policy Object (GPO) named DefaultSec, which applies security settings that you want to apply to all users and computers. You have created a second GPO named HiSec, which has more restrictive security settings that you want to apply to the HR and research departments. Both GPOs use custom security templates. You also want to ensure that strong password policies are applied to all client computers. How should you link the GPOs to the OUs? (Select three. Each correct answer is part of the complete solution.)
Link DefaultSec to the HQ_West OU. Link HiSec to the HR and Research OUs. Configure password policies on a GPO linked to the domain.
You are managing rights on a standalone server. You want to make changes to the settings of the Restore files and directories policy. Which of the following is the tool you must use to make changes to this policy?
Local Group Policy Editor
What is the order of precedence for group policy processing?
Local group policy, Site policy, Domain policy, OU policy
You are consulting with the owner of a small network with a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to ensure that the files generate audit results? (Select three. Each correct answer is part of the required solution.)
Make sure the files to be audited are on NTFS partitions. Make sure the Object Access auditing policy is configured for success and failure. Make sure the correct users and groups are listed in the auditing properties of the files.
Which of the following is a potential use for the restricted group policy?
Manage the membership of local groups on domain member servers and workstations.
What is stored in a GPO container?
Metadata including the GPO version, when it was created, and how often the computer and user settings were modified.
Which setting would you set to 0 to allow all users to reset their password immediately?
Minimum password age
Which of the following is a valid Azure AD password?
My Password
Outside sales employees in your organization use a VPN connection to access your internal network while traveling to customer sites. Currently, each user must manually create and manage the VPN connection settings on their notebook systems and frequently require Help Desk assistance. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to push down the correct VPN configuration settings for your organization's VPN server to the notebook systems. Click on the Control Panel Setting you would use to implement this process.
Network Options
Which of the following UAC levels prompts the user only when a program tries to change the computer or a program not included with Windows attempts to modify Windows settings?
Notify me only when apps try to make changes to my computer (do not dim my desktop)
You suspect that sensitive information has been leaked. Which audit logs could you review to track who opened a file containing the sensitive data?
Object access
You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the control panel for users. How can you prevent this Group Policy object from applying to members of the Domain Admins group?
On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group.
Management is concerned that users are spending work hours playing games and has asked you to create a restriction that will prevent all standard users and administrators from running the Games app. Click on the option you would use in Group Policy Management Editor to implement this restriction.
Packaged app Rules
Which of the following are characteristics of Group Policy settings? (Select two.)
Policies require Group Policy-aware applications. Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries.
Which of the following BEST describes granular password policies?
Policies within a GPO that apply password policies for users and global groups.
You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
Policy change events
Which of the following is true about Group Policy preferences?
Preferences are not enforced.
Scoping allows you to target a given GPO to specific users and/or computers. Drag the scoping method on the left to the appropriate description on the right. (Methods can be used once, more than once, or not at all.)
Prevents settings in GPOs linked to parent objects from being applied to child objects. correct answer: Block Inheritance Causes computer settings to be reapplied after user login. correct answer: Loopback Processing Prevents inheritance from being blocked for a specific GPO. correct answer: Enforced Causes computer settings to take precedence over user settings. correct answer: Loopback Processing
You have a computer running Windows. Prior to installing some software, you turn off User Account Control (UAC), reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions. You want the protection of UAC, but it is not working at all. What should you do?
Reboot the machine.
All your users are in the same city. Which preference would you use to set their time, date, and time zone preferences on their Windows device?
Regional options
Which of the following is the option provided by Azure AD for users that forget their password or get locked out of their account?
SSPR
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?
Security Options
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements?
Select Audit Failure for the enabled audit policy.
Which setting should you disable unless a specific application requires access to the plaintext password?
Store passwords using reversible encryption
You manage a single domain running Windows Server. You have configured a Restricted Group policy as shown in the image. When this policy is applied, which action will occur?
The Backup Operators group will be made a member of the Desktop Admins group.
You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which actions will occur? (Select two.)
The Desktop Admins group will be made a member of the Backup Operators group. Any other members of the Backup Operators group will be removed.
The desktop workstations you recently purchased for the employees in your organization's Denver office came with two network boards installed: A RealTek PCIe Fast Ethernet interface integrated into the motherboard. A Broadcom NetXtreme 57xx Gigabit Ethernet interface installed in a motherboard slot. You used the gigabit controller to connect these systems to the network. Because the integrated interface is not used, you set up a Devices Group Policy preference that disables the RealTek adapter. However, because this affects only the employees in the Denver office, you set up an item-level target that specifies that the preference only be applied to hosts in the Denver site in Active Directory. Which of the following is true concerning this Group Policy preference when it is applied?
The preference will be applied, but not enforced
User Account Control (UAC) is a tool that generates an alert when a task or operation needs administrative privileges. You use the UAC settings in Control Panel to configure the sensitivity of UAC. Drag the UAC notification level on the left to the appropriate description of what it does on the right.
The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is not displayed. correct answer: Notify me only when apps try to make changes to my computer (do not dim the desktop) A UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt. correct answer: Always notify The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is displayed for 150 seconds. correct answer: Notify me only when apps try to make changes to my computer If logged on as a standard user, all actions requiring privilege elevation are automatically denied. correct answer: Never notify
Which of the following is a password restriction that applies to Azure AD?
There is a global banned password list.
Match the group name on the left with the correct descriptions on the right.
This policy does not remove the restricted group from other groups. correct answer: Members of Any user included in the list who is not currently a member of the restricted group becomes a member of the restricted group automatically when the policy is applied. correct answer: Members Any user not included in the Members list is removed from the restricted group. The exception is the administrator in the Administrators group. correct answer: Members You can use this option to define membership in a local group by adding a restricted group. correct answer: Members of The restricted group to be added to the local group must be a group defined in Active Directory. correct answer: Members of
There are two restricted group properties that an administrator can define - members and members of. Which of the following is true about the members of property?
This policy ensures that the restricted group is a member of the defined groups but does not remove the restricted group from other groups.
Your organization's security policy dictates that the security level for the Local Intranet and Trusted Sites zones in Internet Explorer be set to medium-high on all user workstations. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to make the change. Which of the following is true concerning this Group Policy preference? (Select two.)
This preference is not available in Local Group Policy. The preference can be applied to specific systems based on the criteria you specify.
Recently, some users in your domain have downloaded and installed an open source program that contains malware. After download, the application is installed by running a program with an .msi extension. The file is not digitally signed. You have a copy of this open-source program running on your server, and it did not install any malware. The users that got the malware likely obtained the program from a website they did not know was malicious. How can you prevent users from installing this software if it has been tampered with?
Use AppLocker to create a Windows installer rule with a file hash condition.
You want to give the TPlask user the right to log on to any of the domain controllers in your domain and gain access to the desktop. This user does not belong to any of the default groups that have the Allow log on locally right by default. Which of the following steps can you take to give the Allow log on locally right to this user? (Select two. Each correct answer is a complete solution.)
Use Group Policy Management Editor to add the TPlask user account to the Allow log on locally policy. Use Active Directory Users and Computers to add the TPlask user account to the Administrators group.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes?
User Rights
Select the policy node you would choose to configure who is allowed to manage the auditing and security logs.
User Rights Assignment
If a standard user tries to perform an administrative task, they will be prompted to enter administrative credentials. Which security option is responsible for this prompting?
User account control
Which of the following are Azure AD default password policies? (Select three.)
Users cannot use the last password again when changing or resetting their password. The maximum password age (password expiration policy) is 90 days. Users are notified of expiration 14 days before the password expires.
You want to use Restricted Groups to manage the membership of local groups on the domain member servers that you manage. You can define a restricted group in one of two ways: Members of this group This group is a member of The This group is a member of option is the preferred method for most use cases. Which of the following explains why this is the preferred method?
Using the This group is a member of option does not remove existing members of the group if they are not part of the restricted group.
Privilege use tracks which of the following? (Select two.)
When a user exercises a user right When an administrator takes ownership of an object
Which service provides filtering based on hardware and software characteristics such as CPU, memory, disk space, registry data, or application data?
Windows Management Interface (WMI) filtering
Which command should you enter at the command line to directly access the local Group Policy snap-in?
gpedit
You want to prevent users from running any file with a .bat or .vbs extension unless the file is digitally signed by your organization. How should you configure this rule in AppLocker?
reate a script rule with a publisher condition.
