CNA 234 / Chapter 2 - Managing OUs and Active Directory Accounts
Active Directory Administrative Center (ADAC)
A GUI tool for managing Active Directory objects and accounts that is built on top of Windows PowerShell.
Active Directory Users and Computers (ADUC)
A GUI tool for managing Active Directory objects and accounts.
Security Accounts Manager (SAM) database
A database on domain member and workgroup computers that holds the users and groups defined on the local computer.
C) Authenticated Users
A domain user logging on to the domain becomes a member of which special identity group? A) Creator Owner B) System C) Authenticated Users D) Anonymous Logon
universal group membership caching
A feature enabled on a domain controller that causes it to keep a local copy of universal group membership after querying a global catalog server.
offline domain join
A feature that allows a running computer or offline virtual disk to join a domain without contacting a domain controller.
local group
A group created in the local SAM database on a member server, workstation, or standalone computer.
universal group
A group scope that can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest. See also group scope.
domain local group
A group scope that's the main security principal recommended for assigning rights and permissions to domain resources.
global group
A group scope used mainly to group users from the same domain who have similar access and rights requirements. A global group's members can be user accounts and other global groups from the same domain. See also group scope.
Security groups
A group type that's the main Active Directory object administrators use to manage network resource access and grant rights to users. See also group type.
distribution group
A group type used when you want to group users together, mainly for sending emails to several people at once with an Active Directory-integrated email application, such as Microsoft Exchange.
Special identity groups
A group whose membership is controlled dynamically by Windows and doesn't appear as an object in Active Directory Users and Computers or Active Directory Administrative Center; can be assigned permissions by adding it to resources' DACLs.
group type
A property of a group that defines it as a security group or a distribution group.
group scope
A property of a group that determines the reach of a group's application in a domain or a forest, for example, which security principals in a forest can be group members and to which forest resources a group can be assigned rights or permissions.
batch file
A text file with the .bat extension that's used to enter a command or series of commands normally typed at the command prompt.
user template
A user account that's copied to create users with common attributes.
C) Reset the computer account, remove the computer from the domain, and rejoin it to the domain.
A user is having trouble signing in to the domain from a computer that has been out of service for several months, and nobody else can seem to sign in from the computer. What should you try first to solve the problem? A) Reinstall Windows on the workstation and create a new computer account in the domain. B) Rename the computer and create a new computer account with the new name. C) Reset the computer account, remove the computer from the domain, and rejoin it to the domain. D) Disable the computer account, remove the computer from the domain, and rejoin it to the domain.
contact
An Active Directory object that usually represents a person for informational purposes only, much like an address book entry.
B) 3
An Active Directory object's security settings are made up of how many different components? Choose the best answer. A) 2 B) 3 C) 4 D) 5 E) None of the above
A) Domain Admins is the owner of the QandA OU.
An account named SrAdmin created an OU named QandA under the Operations OU. Which of the following is true by default? A) Domain Admins is the owner of the QandA OU. B) SrAdmin is the owner of the QandA OU and all objects created inside it. C) SrAdmin has all standard permissions except Full control for the QandA OU. D) The Everyone group has Read permission to the QandA OU.
delegation of control
In the context of Active Directory, the process by which a user with higher security privileges assigns authority to perform certain tasks to a user with lesser security privileges; usually used to give a user administrative permission for an OU.
C) Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again.
Jane has left the company. Her user account is a member of several groups and has permissions and rights to a number of forest-wide resources. Jane's replacement will arrive in a couple of weeks and needs access to the same resources. What's the best course of action? A) Find all groups Jane is a member of and make a note of them. Delete Jane's user account and create a new account for the new employee. Add the new account to all the groups Jane was a member of. B) Copy Jane's user account and give the copy another name. C) Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again. D) Export Jane's account and then import it when the new employee arrives. Rename the account and assign it a new password.
B) Specify which computers Tom can sign in to in the domain by using the "Log On To" option in his account's properties.
Over the past several months, Tom, who has access to sensitive company information, has signed in to computers in other departments and left them without signing out. You have discussed the matter with him, but the problem continues to occur. You're concerned that someone could access these sensitive resources easily. What's the best way to solve this problem? A) Ensure that all computers Tom is signing in to have screen savers set to lock the computer after 15 minutes of inactivity. B) Specify which computers Tom can sign in to in the domain by using the "Log On To" option in his account's properties. C) Move Tom's account and computer to another domain, thereby making it impossible for him to sign in to computers that are members of different domains. D) Disable local logon for Tom's account on all computers except Tom's.
piping
Sending the output of one command as input to another command.
downlevel user logon name
The user logon name field defined in a user account object that's used for backward-compatibility with OSs and applications that don't recognize the UPN format.
Discretionary Access Control List (DACL) Object owner System Access Control List (SACL)
What are the components of that make up an Active Directory object's security settings?
users, groups, and computers
What are the three types of security principals that can be assigned permission to an object?
C) The group remains in the DACL, but the ACE has no effect on members' access to the resource.
What happens if a security group that's an ACE in a shared folder is converted to a distribution group? A) A security group can't be converted to a distribution group if it has already been assigned permissions. B) The group is removed from the DACL automatically. C) The group remains in the DACL, but the ACE has no effect on members' access to the resource. D) The group remains in the DACL, and permissions assigned to the group affect access to the resource as though it were still a security group.
security descriptor
What is the collective term for the components of an Active Directory's security settings?
C) dsquery and dsmod
Which commands can you use together to change attributes of several users at once? A) dsget and dsadd B) dsget and dsmod C) dsquery and dsmod D) dsquery and dsget
A) Domain local to universal provided no domain local group is already a member
Which direct group scope conversion is allowed? A) Domain local to universal provided no domain local group is already a member B) Global to domain local without restriction C) Domain local to global provided no domain local group is already a member D) Universal to global without restriction
A) User must change password at next logon. C) Password never expires.
Which of the following account options can't be set together? (Choose all that apply.) A) User must change password at next logon. B) Store password using reversible encryption. C) Password never expires. D) Account is disabled.
A) Administrator D) Guest
Which of the following are built-in user accounts? (Choose all that apply.) A) Administrator B) Operator C) Anonymous D) Guest
B) Computer accounts C) User accounts
Which of the following are considered security principals? (Choose all that apply.) A) Contacts B) Computer accounts C) User accounts D) Distribution groups
B) OUs can be nested. C) A group policy can be linked to an OU.
Which of the following are true about organizational units? (Choose all that apply.) A) OUs can be added to an object's DACL. B) OUs can be nested. C) A group policy can be linked to an OU. D) Only members of Domain Administrators can work with OUs.
A) The name can be from 1 to 20 characters. C) The name can't be duplicated in the domain.
Which of the following are true about user accounts in a Windows Server 2016 domain? (Choose all that apply.) A) The name can be from 1 to 20 characters. B) The name is case sensitive. C) The name can't be duplicated in the domain. D) Using default settings, PASSWORD123 is a valid password.
A) Local C) Domain
Which of the following are user account categories? (Choose all that apply.) A) Local B) Global C) Domain D) Universal
B) Global groups from any domain in the forest C) Other universal groups
Which of the following can be a member of a universal group? (Choose all that apply.) A) User accounts from the local domain only B) Global groups from any domain in the forest C) Other universal groups D) Domain local groups from the local domain only
A) DACL B) Object owner C) SACL
Which of the following components are collectively grouped together and referred to as the object's security descriptor? (Choose all that apply.) A) DACL B) Object owner C) SACL D) OUs
D) Search-ADAccount -AccountDisabled > disabled.txt
Which of the following creates a file named disabled.txt containing a list of disabled Active Directory accounts? A) net accounts /show disabled B) ldifde -accounts -property=enabled -value=false C) Query-Account -Disable=True | disabled.txt D) Search-ADAccount -AccountDisabled > disabled.txt
A) Global B) Domain local
Which of the following is a valid group scope? (Choose all that apply.) A) Global B) Domain local C) Forest D) Domain global
B) Sam*Snead35
Which of the following is not a valid Windows Server 2016 user account name? A) Sam$Snead1 B) Sam*Snead35 C) SamSnead!24 D) Sam23Snead
C) Domain Users is a member.
Which of the following is true about the Users domain local group? A) It's in the Users folder. B) It can be converted to a global group. C) Domain Users is a member. D) Its members can log on locally to a domain controller.
A) Computer accounts C) User accounts
Which of the following members can belong to the global group? (Choose all that apply.) A) Computer accounts B) Global groups from any domain C) User accounts D) Universal groups
B) Domain local
You have decided to follow Microsoft's best practices to create a group scope that will allow you to aggregate users with similar rights requirements. Which group scope should you initially create? A) Global B) Domain local C) Local D) Universal
B) In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control.
You have hired a new junior administrator and created an account for her with the logon name JrAdmin. You want her to be able to reset user accounts and modify group memberships for users in the Operations department whose accounts are in the Operations OU. You want to do this with the least effort and without giving JrAdmin broader capabilities. What should you do? A) In the Active Directory Administrative Center, right-click the Operations OU, click Properties, and click Managed By. B) In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control. C) Open the Operations Security tab and add JrAdmin to the DACL. D) Add JrAdmin to the Password Managers domain local group.
C) Set the Logon Hours options for their user accounts.
You have noticed the inappropriate use of computers for gaming and Internet downloads by some employees who come in after hours and on weekends. These employees don't have valid work assignments during these times. You have been asked to devise a solution for these employees that doesn't affect other employees or these employees' computers during working hours. What's the best solution? A) Install personal firewall software on their computers in an attempt to block the gaming and Internet traffic. B) Request that the Maintenance Department change the locks on their office doors so that they can enter only during prescribed hours. C) Set the Logon Hours options for their user accounts. D) Before you leave each evening and before the weekend, disable these employees' accounts and re-enable them the next working day.
D) In Active Directory Users and Computers, click View, Advanced Features.
You want to see the permissions set on an OU, so you open Active Directory Users and Computers, right-click the OU, and click Properties. After clicking all the available tabs, you can't seem to find where permissions are set in the Properties dialog box. What should you do? A) Log on as a member of Enterprise Admins and try again. B) In the Properties dialog box, click the Advanced button. C) Right-click the OU and click Security. D) In Active Directory Users and Computers, click View, Advanced Features.
