TestOut Server 2016 Chapter 8
You are the network administrator for eastsim.com. The network consists of one Active Directory domain. You have been instructed to map a drive to a department share for all users. The company no longer uses login scripts, so you must ensure that the department share is mapped using Group Policy. What should you do?
Configure a Drive Maps policy in a GPO linked to the domain.
You would like to prevent users from running any software with .exe or.com extensions on computers in the domain unless they have been digitally signed. The rule should apply to all known and unknown software. How should you configure this rule in AppLocker?
Configure an executable rule with a publisher condition.
Click on the user right policy that is used to grant a user local access to the desktop of a Windows Server.
Allow log on locally
You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.)
Audit successful system events Create a GPO to configure auditing. Link the GPO to the domain.
You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice the account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy/ What should you do next? Configure Account lockout duration as 1. Configure Reset account lockout counter after as 0. Configure Reset account lockout counter after as 1. Configure Account lockout duration as 0.
Configure Account lockout duration as 0.
You are the network administrator for eastsim.com. The network consists of one Active Directory domain. Several users have received new computers to replace their older systems that were out of warranty. You are preparing to join the new computers to the domain. Your company has several limitations on what users can do with their workstations. For example, users are not allowed to use USB removable media devices or create any kind of executable files. You must make sure each new computer configuration is in compliance with these limitations, but you do not want to go from computer to computer to make the changes. Which of the following can you preform to meet these requirements with the least possible effort?
Configure Group Policy preferences.
You manage several Windows workstations in your domain. You want to configure a GPO that will make them prompt for additional credentials whenever a sensitive action is taken. What should you do?
Configure User Account Control (UAC) settings.
You want to prevent users from running any file with a .bat or .vbs extension unless the file is digitally signed by your organization. How should you configure this rule in AppLocker?
Create a script rule with a publisher condition.
You want to find out who has been running a specific game on the client computers. You do not want to prevent users from running the program, but instead want to log information when the file runs. The application is not digitally signed. How should you configure this rule in AppLocker?
Create an executable rule with a path condition that identifies the file. Set the enforcement mode to audit only.
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do?
Edit the access list for the OU. Identify specific users and events to audit.
After configuring a password policy to require users to create a strong passwords, you start to notice sticky notes stuck to monitors throughout the organization. The sticky notes often have strings of characters written on them that appear to be passwords. What can you do to prevent the security risk that this practice presents? Educate users on how to create and remember strong passwords. Reduce the limit on the number of failed login attempts. Require users to change their passwords more often. Increase the minimum length for passwords.
Educate users on how to create and remember strong passwords.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. How can you make the change with the least amount of effort? (Select two.) Implement a granular password policy for each user in the Directors OU. Create a new domain. Move the contents of the Directors OU to the new domain. Configure the necessary password policy on the domain. In Active Directory Users and Computers, select all user accounts in the Directors OU. Edit the user account properties to require the longer password. Create a GPO linked to the Directors OU. Configure the password policy in the new GPO. Create a group for the members of the Directors OU and then apply a granular password policy to the group.
Implement a granular password policy for each user in the Directors OU. Create a group for the members of the Directors OU and then apply a granular password policy to the group.
You are managing rights on a standalone server. You want to make changes to the settings of the Restore Files and Directories policy. Which of the following is the tool you must use to make changes to this policy?
Local Group Policy Editor
Management is concerned that users are spending time during the day playing games and have asked you to create a restriction that will prevent all standard users and administrators from running the Games app. Click on the option you would use in Group Policy Management Editor to implement this restriction.
Packaged app Rules
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's group membership in a computer's local database. How can you create a policy that meets these requirements? Select Failure for Audit object access. Select Success for Audit object access. Select Failure for Audit system events. Select Success for Audit system events. Select Failure for Audit account management. Select Success for Audit account management.
Select Failure for Audit account management.
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. How can you create a policy that meets these requirements? Select Failure for Audit object access. Select Success for Audit object access. Select Failure for Audit system events. Select Success for Audit system events. Select Failure for Audit account management. Select Success for Audit account management.
Select Failure for Audit object access
You would like to have better control over the applications that run on the computers in your domain, so you have decided to implement AppLocker. You have created default rules and an executable rule that only allows the company's accounting application to run. When you test these rules, you find that you can still run any program on your test client. What should you do? (Select two. Each correct answer is part of the solution.)
Start the Application Identity service on the client. Ensure that the enforcement mode for executable rules is set to Enforce rules.
You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which action will occur?
The Backup Operators group will be made a member of the Desktop Admins group.
Group Policies can be used to set the same notification levels at the domain level that can be set for local machines using the User Account Control (UAC) tool. You need to configure the Notify me only when programs try to make changes to my computer notification level using Group Policy. Which of the following Group Policies must be set to complete this configuration?
The Behavior of the elevation prompt for Administrators in Admin Approval Mode policy settings is set to Prompt for consent for non-Windows binaries. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.
You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which actions will occur? (Select two.)
The Desktop Admins group will be made a member of the Backup Operators group. Any other members of the Backup Operators group will be removed.
You are the administrator for a domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). You want to configure password and account lockout policies that Active Directory domain controllers will enforce. You have created a Group Policy object with the settings you want to apply. Most of the domain controllers are located in the Domain Controllers OU, although you have moved some domain controllers to a sub-OU called Secure Domain Controllers. Where should you link the Group Policy object that you created? The Default-First-Site-Name site. The internal.widgets.com domain. The Domain Controllers OU only. The Secure Domain Controllers OU only. Both the Domain Controllers OU and the Secure Domain Controllers OU.
The internal.widgets.com domain.
Recently, some users in your domain have downloaded and installed an open source program that contains malware. After download, the application is installed by running a program with a .msi extension. The file is not digitally signed. You have a copy of this open source program running on your server, and it did not install any malware. The users that got the malware likely obtained the program from a website they did not know was malicious. How can you prevent users from installing this software if it has been tampered with?
Use AppLocker to create a Windows installer rule with file hash condition.
You want to give the TPlask user the right to log on to any of the domain controllers in your domain and gain access to the desktop. This user does not belong to any of the default groups that have the Allow log on locally right by default. Which of the following steps can you take to give the Allow log on locally right to this user? (Select two. Each correct answer is a complete solution.)
Use Group Policy Management Editor to add the TPlask user account to the Allow log on locally policy. Use Active Directory Users and Computers to add the TPlask user account to the Administrators group.
You are the administrator for the wisgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes? Account Policies Restricted Groups User Rights Security Options
User Rights
Select the policy node you would choose to configure who is allowed to manage the auditing and security logs.
User Rights Assignment
You want to use Restricted Groups to manage the membership of local groups on the domain member servers that you manage. You can define a restricted group in one of two ways: * Members of this group * This group is a member of The This group is a member of option is the preferred method for most use cases. Which of the following explains why this is the preferred method?
Using the This group is a member of option does not remove existing members of the group if they are not part of the restricted group.
Your network has a single Active Directory forest with two domains, eastsim.private and HQ.eastsin.private. The organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in both the eastsim.private and HQ.eastsim.private domains. All user and computer accounts for all departments company-wide are in their respective departmental OUs. You are in the process of designing Group Policy for the network. You want to accomplish the following goals: * You want to enforce strong passwords throughout the entire forest for all computers. All computers in both domains should use the same password settings. * The Accounting department has a custom software application that needs to be installed on computers in that department. * Computers in the marketing and sales departments need to use a custom background and prevent access to the Run command. You create the following three GPOs with the appropriate settings: Password Settings, Accounting App, and Desktop Settings. How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes. Part A: eastsim.private HQ.eastsim.private Accounting Marketing Sales Part B: Password Settings (leave blank) (leave blank) Password Settings (leave blank) (leave blank) Accounting App (leave blank) Desktop Settings (leave blank) Desktop Settings (leave blank)
eastsim.private - blank, Password Settings, blank HQ.eastsim.private - Password Settings, blank, blank Accounting - Accouting App, blank Marketing - Desktop Settings, blank Sales - Desktop Settings, blank
You are an administrator over several Windows servers. You also manage a domain in Active Directory. You also manage a domain in Active Directory. Your responsibilities include managing permissions and rights to make sure users can do their jobs while also keeping them from doing things they should not be doing. With Windows Server systems and Active Directory, the concepts of permissions and rights are used to describe specific and different kinds of tasks. Drag the concept on the left to the appropriate task examples on the right. (Each concept can be used more than once.)
Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server - Rights Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server - Permissions Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server - Rights Assign members of the Marketing group read-write access to the files in the Marketing flder on the CorpFiles server - Permissions Allow members of the Admins group to log on locally to the CorpFiles server - Rights Allow members of the Admins group to shut down the CorpFiles server - Rights Allow members of the Marketing group to send print jobs to the Marketing color printer - Permissions
Your network consists of single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and the child OUs Research, HR, Finance, Sales, and Operations. You have created a Group Policy Object (GPO) named DefaultSec, which applies security settings that you want to apply to all users and computers. You have created a second GPO named HiSec, which has more restrictive security settings that you want to apply to the HR and research departments. Both GPOs use custom security templates. You also want to ensure that strong password policies are applied to all client computers. How should you link the GPOs to the OUs? (Select three. Each correct answer is part of the complete solution.) Link HiSec to each child OU. Link DefaultSec to the HQ_West OU. Link DefaultSec to each child OU. Link HiSec to the HR and Research OUs. Configure password policies on a GPO linked to the domain. Link HiSec to the HQ_West OU. Configure password policies on a GPO linked to the HQ_West OU.
Configure password policies on a GPO linked to the domain. Link DefaultSec to the HQ_West OU. Link HiSec to the HR and Research OUs.
You manage 20 Windows workstations in your domain. You want to prevent the sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change. What should you do?
Configure the User Account Control: Behavior of the elevation prompt for standard users settings in Group Policy to prompt for credentials.
You've just deployed a new Active Directory domain, as shown in the figure below. You now need to deploy Group Policy objects (GPOs) to apply configuration settings and enforce security policies. Click the container(s) to which a GPO can be applied. Builtin Computers Corp Domain Controllers Foreign Security Principal Managed Service Accounts Users
Corp Domain Controllers
You are the network administrator for eastsim.com. The network consists of a Single Active Directory domain. The company has a main office in New York and several international locations, including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network administrators in Germany plan to use Group Policy administrative templates to manage Group Policy in their location. You need to install the German version of the Group Policy administrative templates so they will be available when the new domain controller is deployed to Germany. What should you do? Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller. Copy the NTDS.dit file to the appropriate directory in the SYSVOL on a local domain controller. Copy the German .ADMX files to the appropriate directory in the SYSVOL on a local domain controller. Copy the German .ADM files to the appropriate directory in the SYSVOL on a local domain controller.
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.
You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable?
Directory Service Changes
When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to? Domain Controllers OU Builtin container Computers container Users container
Domain Controllers OU
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server consol. However, when you open the GPO, the custom administrative template settings are not shown. What should you do? Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location. Install PowerShell on the server. On the Administrative Template node, right-click the node and choose Add/Remove Templates.... Browse and select the .admx file to add. Right-click the Security Settings node and select Import Policy....
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.
You are the network administrator of a small network consisting of three Windows servers and 150 Windows workstations. Your network has a password policy in place with the following settings: * Enforce password history: 10 passwords remembered * Maximum password age: 30 days * Minimum password age: 0 days * Minimum password length: 8 characters * Password must meet complexity requirements: Disabled * Store password using reversible encryption: Disabled One day, while sitting in the cafeteria, you overhear a group of co-workers talk about how restrictive the password policy is and how they found ways to beat it. When required to change the password, they simply change the password 10 times at the same sittings. Then they go back to the previous password. Your company has started a new security crackdown, and passwords are at the top of the list. You thought you had the network locked down, but now you see that you need to put an end to this practice. Users need to have passwords that are combination of letters and numbers and do not contain a complete dictionary word. Users should not be able to reuse a password immediately. What should you do? (Choose two. Each answer is part of the solution.) Enable the Store password using reversible encryption setting. Schedule a meeting with each co-worker's supervisor to explain that the co-worker is violating the corporate security policies. Schedule a meeting with the co-worker to explain the password policy in more detail and explain why it is in place. Enable the Minimum password age setting. Enable the Password must meet complexity requirements setting.
Enable the Minimum password age setting. Enable the Password must meet complexity requirements settings.
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server domain controllers and Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. What should you do to be able to check each server's log for the events? (Choose two. Each choice is required part of the solution.) Link the GPO to the Member Servers OU. Enable the logging of system events. Enable the logging of object access events. Link the GPO to the Domain Controllers OU. Enable the logging of account logon events. Enable the logging of logon events.
Enable the logging of logon events. Link the GPO to the Member Servers OU.
Click on the tool you can use to configure Restricted Groups to control membership for groups that require high security.
Group Policy Management
You have configured a new GPO. You use a scoping method to prevent it from applying to a specific user using a specific computer. Which tool can you use to see if your scoping method is successful? Group Policy Results Group Policy Modeling Security Group Filtering Group Policy Management
Group Policy Results
You are the network administrator of the westsim.com domain. You have several users in the Sales OU who use Windows laptop machines because they travel frequently. These laptops are all in the Computers OU along with the desktop computers used by other users in the Sales OU. The Computers OU is a child of the Sales OU. There is a service preference that need to be applied to the laptops that does not need to be applied to desktop computers. You configure a Group Policy preference for this service that you want to apply to just the laptops. You link this Group Policy to the Computers OU. Click on the Group Policy preferences Common option setting you would use to configure the preference to apply only to the laptop computers in the Computers OU.
Item-level targeting.
You are consulting with the owner of a small network that has a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no Internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to make sure that the files generate audit results? (Choose three. Each correct answer is part of the required solution.) Make sure the correct users and groups are listed in the auditing properties of the files. Make sure the files to be audited are on NTFS partitions. Make sure the Object Access auditing policy is configured for success and failure. Make sure the properties on the Security log allow writes by all users. Make sure the account you logged into has permission to read the security log.
Make sure the Object Access auditing policy is configured for success or failure. Make sure the correct users and groups are listed in the auditing properties of the files. Make sure the files to be audited are on NTFS partitions.
You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. When they are on the road, they need to use a VPN connection to access network resources in the domain. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops with the correct VPN connection settings.
Network Options
You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable?
Policy change events.
Scoping allows you to target to given GPO to specific users and/or computers. Drag the scoping method on the left to the appropriate description on the right. (Methods can be used once, more than once, or not at all.) Part A: Prevents settings in GPOs linked to parent objects from being applied to child objects Causes computer settings to take precedence over user settings Causes computer settings to be reapplied after user login Prevents inheritance from being blocked for a specific GPO Part B: Block Inheritance Loopback Processing Enforced
Prevents settings in GPOs linked to parent objects from being applied to child objects - Block Inheritance Causes computer settings to be reapplied after user login - Loopback Processing Prevents inheritance from being blocked for a specific GPO - Enforced Causes computer settings to take precedence over user settings - Loopback Processing
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes? Restricted Groups Account Policies Security Options User Rights
Security Options
You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. These users have very sensitive information on their laptops, so you have been asked to take additional security measures with these machines. You install smart card readers on each laptop so that no one can access a lost or stolen laptop unless they also have the smart card. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops so the Smart Card Reader services starts when the laptop is powered on.
Services
You are the network administrator for our network. Your network consists of a single Active Directory domain. Your company recently mandated the following user account criteria: * User accounts must be deactivated after three unsuccessful logon attempts * User accounts passwords must be at least 12 characters long * User accounts must be manually reset by an administrator once they are locked out. You must make the changes to affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Choose three. Each correct choice represents part of the solution.) Enable Password must meet complexity requirements. Set Account lockout threshold to 3. Set Account lockout threshold to 0. Set Account lockout duration to 0. Set Minimum password length to 12. Set Maximum password age to 3. Set Reset account lockout counter after to 0. Set Account lockout duration to 999.
Set Account lockout threshold to 3 Set Minimum password length to 12 Set Accounts lockout duration 0
You have created a group policy that prevents users in the accounting department from accessing records in a database that has confidential information. The group policy is configured to disable the search function for all users in the Accounting OU no matter which workstation is being used. After you configure and test the policy, you learn that several people in the Accounting OU have valid reasons for using the search function. These users are part of a security group named Managers. What can you do to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group? Move members of the Managers group to their own OU beneath the Accounting OU. Enable Block Policy inheritance for the new OU. Make sure that the Managers group is not on the GPO's discretionary access control list (DACL). Add the Managers group to the Accounting OU's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group. Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.
Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.
You are an administrator for a company that uses Windows servers. In addition to Active Directory, you also provide file and print services, DHCP, DNS and email services. There is a single domain and a single site. There are two member servers, one that handles files and print services only, and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients is strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files?
Configure object access auditing in a GPO and link it to the domain.
You are the security administrator for a large metroplitan school district. You are reviewing security standards with the network administrators for the high school. The school's computer center has workstations for anyone's use. All computers in the computer center are members of the Computer Center Computers global group. All workstations are currently located in the Computers container. The computer center computers have access to the Internet so users can perfrom research. Any user who uses these computers should be able to run Internet Explorer only. Other computers in the high school should not be affected. To address this security concern, you create a Group Policy object (GPO) named Computer Center Security. How can you configure and apply this GPO to enforce the computer center's security? Configure the User Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only. Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only. Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the Computers container and allow access to the Computer Center Computers group only. Configure the User Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the Computers container and allow access to the Computer Center Computers group only.
Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings. What should you do? (Select two. Each choice is a possible solution.) Create starter GPOs. When creating new GPOs, select the appropriate starter GPO. Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, restore one of the backed up GPOs. Create custom .admx files with the necessary settings. Copy these files to the central store. After creating the GPO, import the settings from the .admx files.
Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs.
Your organization has been using an in-house custom-developed application. The team that developed that application created a Group Policy template in the form of an ADMX file, which you have used to assign necessary rights to a group of users who use the application. Another group of users now needs to have the same rights. This group belongs to an OU that one of your assistants has full control management rights to. When your assistant tries to use the Group Policy template to assign rights to this group, she cannot find the template in Active Directory. What must you do to give your assistant access to the Group Policy template? Create a GPO that gives your assistant access rights to the central store. Make your assistant a member of the Domain Admins group. Use security group filtering to allow your assistant to access the central store. Create a central store on the SYSVOL share and copy the ADMX file into it.
Create a central store on the SYSVOL share and copy the ADMX file into it.
You are the administrator for the westsim.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. Computers in the accounting department uses a custom application. During installation, the application creates a local group named AcctMagic. This group is used to control access to the program. By default, the account used to install the application is made a member of the group. You install the application on each computer in the accounting department. All accounting users must be able to run the application on any computer in the department. You need to add each user as a member of the AcctMagic group. You create a domain group named Accounting and make each user a member of this group. You then create a GPO named Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do?
Create a restricted group named AcctMagic. Add the Accounting domain group as a member.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As part of your security plan, you have analyzed the use of Internet Explorer in your organization. You have defined three different groups of users. Each group has different needs for using Internet Explorer. For example, one group needs ActiveX controls enabled, and you want to disable ActiveX for the other two groups. You would like to create three templates that contain the necessary settings for each group. When you create a GPO, you want to apply the settings in the corresponding template rather than manually set the corresponding Administrative Template settings for Internet Explorer. What should you do? Identify three GPOs with the necessary settings. Take a backup of these GPOs. After creating a new GPO, right-click the GPO and choose Restore from Backup.... Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings. Create three custom .admx files. Copy these files to the central store location. When creating the GPOs, select the necessary .admx file. Create three custom .admx files. Copy these files to the local workstation that you use to manage GPOs. Use the Add/Remove Templates... feature to add the necessary template when creating the GPO.
Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings.
You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted? Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit failure of the Delete permission. Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission. Configure the local security policy to audit failed system events. Configure the local security policy to audit failed object access events. Configure the local security policy to audit successful system events. Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Modify permission.
Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for Everyone group. Configure the entry to audit success of the Delete permission.
You have been asked to troubleshoot a Windows workstation that is a member of your domain. The director who uses the machine said he is able to install anything he wants and change system settings on demand. He has asked you to figure out why User Account Control (UAC) is not being activated when he performs a sensitive operation. You verify that the director's user account is a standard user and not a member of the local Administrator group. you want the UAC prompt to show. What should you do?
Enable the Run all administrators in Admin Approval Mode setting in the Group Policy.
You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.) Link the GPO to the Domain Controllers OU. Enable the logging of successful logon events. Enable the logging of successful account logon events. Enable the logging of failed account logon events. Link the GPO to the Member Servers and Workstations OU. Enable the logging of failed logon events.
Enable the logging of failed account logon events. Link the GPO to the Domain Controllers OU.
You want to prevent users in your domain from runninf a common game on their machines. This application does not have a digital signature. You want to prevent the game from running even if the executable file is moved or renamed. You decide to create an AppLocker rule to protect your computer. Which type of condition should you use in creating this rule?
Hash
You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements? Select Failure for Audit account logon events. Select Success for Audit account logon events. Select Failure for Audit logon events. Select Success for Audit logon events. Select Failure for Audit system events. Select Success for Audit system events.
Select Failure for Audit account logon events.
You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the information systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the control panel for users. How can you prevent this Group Policy object from applying to members of the Domain Admins group? On the Group Policy object's access control list, deny the read permission for members of the Domain Admins group. Link the Group Policy object to each organizational unit rather than to the domain. On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group. Configure the Information Systems OU to block policy inheritance. Link the Group Policy object to each organizational unit (except the Information Systems OU) rather than to the domain.
On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group.
You have a computer running Windows. Prior to installing some software, you turn off User Account Control (UAC), reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions. You want the protection of UAC, but it is not working at all. What should you do?
Reboot the machine.
User Account Control (UAC) is a tool that generates an alert when a task or operation needs administrative privileges. You use the UAC settings in Control Panel to configure the sensitivity of UAC. Drag the UAC notification level on the left to the appropriate description of what it does on the right.
The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is not displayed - Notify me only when apps try to make changes to my comuter (do not dim the desktop) A UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt - Always notify The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is displayed for 150 seconds - Notify me only when apps try to make changes to my computer If logged on as a standard user, all actions requiring elevation are automatically denied - Never notify