Windows Server Final
You manage the certificate services for the eastsim.com domain. You have a single CA named CA1 installed as a root enterprise CA. You have a Windows Server 2003 server that is a domain member and is configured as a router. You want to obtain a certificate for this server in order to use IPsec. If the test is successful, you will use a similar method to obtain certs for other network devices. For this reason you would like the process to be as simple as possible. What should you do?
Configure a certificate template for autoenrollment. Issue the certificate on CA1. Restart the router to automatically request the certificate
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2008. You want to configure auto enrollment for computer certificates. When you edit the computer cert template, the auto enroll permission does not exist within the certificate template. What should you do?
duplicate the computer certificate
You are the admin of a large company. You have a mix of Windows 2003 and 2008 servers throughout your organization and clients include Windows XP and Windows Vista Business. You work in the engineering research dept. Your company has a standalone root CA installed at your site that is used for e-mail confidentiality and digital signatures. Due to the increasing number of laptop computers being used in the dept a new policy requiring EFS will be issued. You want to make sure that EFS policies are applied evenly throughout the domain. What changes if any will need to be made to your CA architecture?
Add an enterprise root CA to issue EFS certificates
You are the manager for the westsim.com domain. You have previously installed Active Directory Certificate Services on a Windows 2008 server named CA1. CA1 is configured as an enterprise root CA. You install a new CA named CA2 as a subordinate standalone CA to CA1. Following the installation you are unable to start the certificate services service. The error message indicates that you can't establish a trust chain to CA1. What should you do?
Add the certificate from CA1 to the trusted root store on CA2.
You are working as an admin for a single active directory domain running Windows Server 2003 functional level. The network consists of multiple domain controllers and members running Windows Server 2008. On one of the member servers you install an enterprise root CA. One of your tasks is to enroll smartcards for user accounts. To accomplish this task you dedicate a workstation as a smartcard enrollment station. You create a separate group GG-EnrollmentAgent and add your user account as a member of the group. After you duplicate your smart card enrollment agent certificate template you add the cert template to the list of issued cert templates on the CA. You are trying to enroll a smartcard agent cert through your web browser but the cert is not listed. What should you do?
Add the group GG-EnrollmentAgent to the ACL of the certificate template and select Read and Enroll Permission
You are the network admin for eastsim.com. The network consists of a single active directory domain. All servers run Windows Server 2008 R2. All clients run Windows 7. Users in the eastsim.com domain log on to their workstations using smart cards. The network is also running Network Access Protection (NAP) with IPsec enforcement. Frequently the enterprise certification authority (CA) experiences problems due to a shortage of disk space. You need to reduce the amount of disk space required by the CA to avoid outages. What should you do?
Configure the CA for non-persistent certificate crossing.
You manage cert services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2008. You duplicate the IPsec cert template and configure the CA to issue the cert. You would like cert requests for IPsec template to be submitted and approved automatically. How should you complete the configuration of the cert template?
Configure the subject name to be built from Active Directory information. Grant computers the read, enroll and autoenroll permissions.
You manage cert services for the eastsim.com domain. You have a single CA named CA1 installed as the root enterprise CA. You want to enable autoenrollment for computer certs. You duplicate the computer cert template and grant the authenticated computers group the read, enroll and autoenroll permissions. You configure the CA to issue the new cert. As a test you reboot the computer and then check the cert services console to see if the cert has been issued. You don't see a request or issued cert even after waiting several minutes. What should you do?
Configure the default domain policy GPO. In the computer configuration, configure the certificate services client-Auto-enrollment policy
You manage certificate services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows 2008. You duplicate the basic EFS cert template and configure the CA to issue the certificate. You want users to request EFS cert using Web enrollment pages. When a request is submitted you want the cert to be approved automatically. How should you complete the configuration of the cert template?
Configure the template to not require the CA certificate manager approval. Grant users the read, write and enroll permissions.
You are the network admin for eastsim.com. The network consists of one Active Directory domain. All servers run Windows 2008 and all clients run Windows 7. The company has a main office in New York and several international locations including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network admin in Germany plans to use group policy admin templates to manage group policy in their location. You need to install the German version of the group policy admin templates so they will be available when the new domain controller is deployed to Germany. What should you do?
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller
You are the admin for the widgets.com domain. Organizational Units (OU) have been created for each company department. User and computer accounts for each dept have been moved to their respective departmental OU's. As part of your security plan you've analyzed the use of Internet Explorer in your organization. You have defined three different groups of users. Each group has different needs for using Internet Explorer. For example, one group needs ActiveX controls enabled while you want to disable it for the other two groups. You would like to create three templates that contain the necessary settings for each group. When you create a GPO you'd apply the settings in the corresponding template rather than manually set the corresponding Admin Template settings for Internet Explorer. What should you do?
Create 3 starter GPO's with the necessary settings. When creating the GPO's select the starter GPO with the desired setting
You are the admin for the widgets.com domain. Organizational Units have been created for each company dept. User and computer accts for each dept have been moved into their respective departmental OUs. As you manage group policy objects (GPO) you find that you often make similar user rights, security options and admin template settings in different GPO's. Rather than make these same settings each time you would like to create some templates that contain your most common settings. What should you do?
Create GPO's with common settings. Take a backup of each GPO. After creating new GPO's, import the settings from one of the backed up GPO's. Create GPO's with the common settings. When creating the new GPO's, copy one of the existing GPO's.
You are the admin for the widgets.com domain. Organizational Units have been created for each company dept. User and computer accts for each dept have been moved into their respective departmental OUs. Users in the accounting dept use a custom app that requires a specific registry setting. You need to configure all 50 computers in the accounting dept with this setting. Once set, users should not be able to modify the setting. What should you do?
Create a GPO linked to the Accounting OU. In the policies section of the GPO, configure a registry policy with the necessary value. Configure permissions to allow read for the value.
You are the admin for the westsim.com domain. Organizational Units have been created for each company dept. User and computer accts for each dept have been moved into their respective departmental OUs. Computers in the accounting dept use a custom app. During installation the app creates a local group named AcctMagic. This group is used to control access to the program. By default the account used to install the app is made a member of the group. You install the app on each computer in the accounting dept. All accounting users must be able to run the app on any computer in the dept. You need to add each user as a member of the AcctMagic group. You create a domain group named accounting and make each user a member of this group. You then create a GPO named Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do?
Create a restricted group named AcctMagic. Add the accounting domain group as a member
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2008. You would like to configure issuance requirements for the basic EFS template. When you edit the template properties you cannot find the settings you need. In addition, most of the template options are disabled and cannot be changed. What should you do?
Duplicate the template as a Windows 2003 or 2008 template
You are the admin of a single domain active directory forest. Your domain controllers are running Windows 2008 and your clients are running a mix of Windows XP Professional and Windows Vista Business. You want to deploy a standalone root CA on Windows 2008 Server. You want all 200 users in the sales OU to be issued the basic EFS cert with the minimum amount of effort. What should you do?
Email the users with instructions on how to use the web enrollment page to request the certificate
You are the admin for the widgets.com domain. Organizational Units (OU) have been created for each company department. User and computer accounts for each dept have been moved to their respective departmental OU's. From your workstation you create a GPO that configures settings from a custom .admx file. You link the GPO to the sales OU. You need to make some modifications to the GPO settings. Instead of using your desktop system you decide to use a laptop that runs Windows Vista Business. When you open the GPO the custom Admin Template settings are not shown. What should you do?
Enable the admin templates central store in Active Directory. Copy the .admx file to the central store location. Copy the .admx file to the %systemroot%\policyPreferences folder on the laptop
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2008. You duplicate the basic EFS certificate template and configure the CA to issue the certificate. You want to allow one of your assistants to manage certificates used for EFS. Your assistant needs to be able to edit the cert template and modify all the settings except for modifying permissions. You want to grant sufficient permissions to allow her to do this without granting too many permissions. What should you do?
Grant Read and Write Permissions to the certificate template
You are a domain admin for a child domain in a multi-domain Active Directory forest. Your company does not presently have a certification authority (CA) hierarchy implemented. You want to install the CA that will issue certificates for smart card authentication to users in your domain. What should you do?
Have a member of the Enterprise Admins Group install an enterprise root CA in your child domain and configure it to issue smart card certificates.
You are the admin for the westsim.private network which has a single domain. The forest and domains are at Windows 2003 Functional Level. You want to implement certificates for secure email for members of the research group. You install an enterprise certification authority (CA) and configure automatic enrollment for the certificate. You test the cert as a member of the Research group but find that the cert isn't issued. You try the action again from another user account with the same results. What should you do?
Grant the allow read, enroll and autoenroll permissions to the certificate to the research group
You are the admin for a large corporation. Your dept uses a single domain within the company's multi-tree forest. Your dept uses the entire building and is the only domain on the local subnet. You have a T3 connection to corporate headquarters. There is a global catalog server on site. Because your dept handles extremely sensitive info a decision has been made to require the use of smart cards within the domain. Your job is to modify the existing Windows Infrastructure to require the use of smart cards for logon. You will need to provide certificate services for smart card logons as well as for EFS but you will not need certificates for any other purposes. What kind of cert authority should you use?
Implement an enterprise root CA
You are the network admin for sales.westsim.com. The network consists of two active directory domains named sales.westsim.com and westsim.com. All the servers run Windows Server 2008 and the clients run Windows 7. An admin in westsim.com has backed up a group policy object (GPO) named Windows 7 Security settings and delivered the backup to you on a removable hard drive. The backup is located in the E:\Backups directory. You need to deploy the Windows 7 Security Settings GPO in the sales.westsim.com domain using the backup copy on the removable disk. Which cmdlet should you run?
Import-GPO
You manage Group Policy for the westsim.com forest. The forest has 2 domains: westsim.com and us.westsim.com. In the westsim.com domain you create a GPO named UserSettings. You test this GPO and decide that you want to use it in the us.westsim.com domain as well. You need to copy the GPO to the us.westsim.com domain. You also want to copy the discretionary access control list (DACL) from the source GPO to the target GPO. What should you do?
In the group policy management console, copy the UserSettings GPO from westsim.com to us.westsim.com
You are the admin for a small network with a single active directory domain. The info produced by your company is very valuable and could devastate your company's business if leaked to competitors. You want to tighten network security by requiring all network users and computers to use digital certificates. You decide to create a certification authority (CA) hierarchy that will issue certificates only for your organization. To provide maximum security for the company's new CA you choose to host the CA on a computer that is not connected to the corporate domain. What should you do to set up the new CA?
Install a standalone root CA
You are the admin for your active directory domain. Your company uses Exchange 2003 and Outlook 2003. Your security policy requires that all executives have the ability to encrypt and sign email. The user and computer accounts for your executives are in the executives OU. All of the client computers are running Windows XP Professional. Your goal is to make the deployment of certificates as easy as possible by using autoenrollment.
Install an enterprise root certificate server on a domain controller. Configure a GPO with autoenrollment settings and link it to the Executives OU. Duplicate the Exchange user template, configure your CA to issue the new template and assign the appropriate permissions.
You are the network admin for eastsim.com. The network consists of one Active Directory domain. All the servers run Windows Server 2008 R2 and all the clients run Windows Vista. The domain functional level is set to Windows Server 2008. You have been instructed to use Active Directory group policy preferences to map a dept drive for each user. You create a new group policy object and link it to the domain. Then you configure the appropriate group policy settings. However, when you log on as a test user you discover that the dept drive has not been mapped. You run a resultant set of policy (RSoP) and determine that the appropriate group policy has been applied. You must ensure that the dept drives are mapped using group policy. What should you do?
Install the client-side extensions (CSEs) on all the client computers
You are the network admin for eastsim.com. The network consists of one Active Directory domain. All the servers run Windows Server 2008 R2 and all the clients run Windows XP. The domain functional level is set to Windows Server 2003. The previous network admin created a custom group policy (ADMX) template that delivers several registry settings required by an in-house application. Some of the settings have been changed and you need to edit the ADMX template. What should you do?
Install the group policy management console utility on your workstation. Upgrade your workstation to Windows Vista.
You manage a network with a single domain named eastsim.com. You have a single server running Windows 2008 Enterprise Edition. The server is not a member of the domain. You want to use this server to issue certificates using the auto enrollment feature. What should you do first to configure the CA?
Join the computer to the domain.
You are the network admin for westsim.com. The network consists of a single active directory domain. All the servers run Windows Server 2008 and all clients run Windows 7. There is one main office and ten branch offices. There is one Windows Server Update Services (WSUS) server located in the main office. You have created a new starter GPO named WSUS settings that points clients to the WSUS server. You need to create a new group policy object named Branch Client Settings for one of the branch offices located at the site branch named Branch Office 1. The new GPO should be based on the WSUS settings starter GPO. What should you run?
New-GPO -Name "Branch Client Settings" -StarterGPOName "WSUS Settings"
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2008. You want to allow users of the research dept to request certificates for EFS. You duplicate the basic EFS using the web enrollment pages. The EFS certificate template you created does not appear in the list of certs that can be requested. What should you do?
On the CA, issue the certificate template
You are the network admin for eastsim.com. The network consists of a single active directory domain. All servers run Windows Server 2008 R2 and all clients run Windows 7. eastsim.com has one main office. There is an enterprise certification authority (CA) located in the main office that handles all cert requests for the domain. The company also maintains an Internet Information Services (IIS) server that is a member of the domain. The IIS server is located in a perimeter network. eastsim.com has a high volume of independent contractors that need to connect to the company network using a VPN connection to an ISA 2006 Server running L2TP/IPsec. The contractors are traveling trainers who must be able to obtain machine certs to be used for this purpose. Most of the computers do not belong to the active directory domain and the contractors do not often visit the corporate office. Some contractors are retained for projects without ever visiting the eastsim.com site. You must configure the enterprise CA to grant machine certs to the contractors. What should you do?
On the IIS server install the certificate enrollment web service
You manage Group Policy for westsim.com. You have set up a lab with a separate forest named westsim.test. In the lab domain you create a GPO named UserSettings. You test this GPO in the lab and then decide that you want to use it in your production domain. What should you do?
Take a backup of the UserSettings GPO. In westsim.com create a new GPO. Import the settings from the backup. Establish a trust relationship between westsim.com and westsim.test. In the group policy management console drag the usersettings GPO from westsim.test to westsim.com
You are the admin for the widgets.com domain. Organizational Units (OU) have been created for each company department. User and computer accounts for each dept have been moved to their respective departmental OU's. Your workstation runs Windows Vista Business. You add a custom .admx file to the %systemroot%\policyDefinitions folder on your workstation. You then use Group Policy Object Editor to create a new GPO that uses settings in the .admx file. You need to make some modifications to the GPO settings. Instead of using your desktop system you decide to use a laptop that runs Windows XP Professional with the latest service packs. What will you need to do to enable the laptop to edit the GPO with custom Admin Template files?
Upgrade the laptop to Windows Vista
You are the admin of an Active Directory domain. Your domain is in Windows Server 2003 functional level. You have 200 client computers running Windows XP and all your servers are Windows 2003 Enterprise Edition. All of your client computer accounts are in Workstations OU. Your company runs an antivirus app that modifies a registry key each time it runs. You discover that the app fails if the logged on user is not a member of the Admin or Power Users groups because it cannot modify the necessary registry value. What should you do?
Use group policy to assign users the necessary permission to the registry key file
You are the network consultant for westsim.com. The network consists of a single active directory domain. All the servers run Windows Server 2008 R2. All the clients run Windows 7. westsim.com has one enterprise root certification authority (CA). A server named Web2 running Windows Internet Information Server (IIS) has been configured with the web enrollment service. You create a new version 3 cert for smart card enrollment and publish the template on the CA. However, users complain that when they attempt to enroll the cert it is not available on the list of templates. You must enable users to enroll smart card certs using the web enrollment service on Web2. What should you do?
convert the certificate to a version 2 template
You are employed as a network admin for northsim.com, which provides out-sourced technical support for other companies. northsim.com has a single active directory domain named northsim.com. All the servers run Windows 2008 R2 and all clients run Windows 7. northsim.com implemented Active Directory Certificate Services (AD CS) and has an enterprise root certification authority (CA) and several issuing CAs. You have been assigned to work on a project for widgets.com. The company has a single active directory domain named widgets.com. All the servers run Windows 2008 R2. widgets.com requires that all employees log on using a smartcard. They do not wish to implement their own Public Key Infrastructure (PKI). They have requested that the smart card certificates be issued by the northsim.com certificate authorities. You must enable users from widgets.com to obtain certificates from the northsim.com certificate authorities. What should you do first?
create a two-way forest trust between widgets.com and northsim.com
You manage cert services for the eastsim.com domain. You have a single CA named CA1 installed as a root enterprise CA. You configure the CA to issue certs for user authentication. On the CA you add the web enrollment pages feature. You want to use web pages to request a user cert. Which URL should you use?
http://ca1/certsrv
You are the admin for the widgets.com domain. Organizational Units have been created for each company dept. User and computer accts for each dept have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?
security options
You are the admin for the widgets.com domain. Organizational Units have been created for each company dept. User and computer accts for each dept have been moved into their respective departmental OUs. You have two OU's that contain temporary users: Tempsales and TempMarketing. For all users within these OU's you want to restrict what users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes?
user rights