Chapter 1 - 5 Midterm (Windows Admin I)

Single schema; Forestwide administrative accounts (schema admins & enterprise admins); Operations masters; Global catalog; Trusts b/w domains; Replication b/w domains

Characteristics of a Forest

You're having replication problems with your GPOs and suspect that the version numbers have somehow gotten out of sync between the GPT and the GPC. What can you do to verify the version numbers on a GPO?

Check the versionNumber attribute of the GPC and open the GPT.ini file

Active Directory forest

Collection of one or more trees. Can consist of a single tree or several, each with a hierarchy of parent and child domains; each tree has a different naming structure.

dcgpofix.exe: resets both the Default Domain Policy and the Default Domain Controllers Policy
dcgpofix.exe /target:DC: resets the Default Domain Controllers Policy
dcgpofix.exe /target:domain: resets the Default Domain Policy

Command to revert back to original settings from changes made

csvde (uses comma-separated values, CSV, format) - creates objects only
ldifde (uses LDAP directory interchange format, useful w/ LDAP apps) - creates and modifies objects

Commands used to import and export AD data in bulk?

Which of the following are considered security principals? (Choose all that apply.)

Computer accounts; User accounts

Which of the following members can belong to the global group? (Choose all that apply.)

Computer accounts; User accounts

Which of the following is a default folder object created when Active Directory is installed?

Computers

Software Settings: contains the Software Installation extension, which enables admins to install and manage applications remotely by assigning them to install automatically.
Windows Settings: contains the Name Resolution Policy node, Scripts extension, Security Settings node, and Policy-based QoS node. Admins can create scripts that run at computer startup or shutdown.
Administrative Templates: contains the Control Panel, Network, Printers, System, and Windows Components folders. Affects computer settings that apply to all logged-on users.

Configuration Node 3 folders

You want all users to have the company home page and two other Web sites loaded in tabs when they start Internet Explorer, but you want them to be able to change their home pages if they like. What should you do?

Configure an Internet Options preference, and change the defaults in the Common tab

You want to centrally back up the files that users store in the Documents folder in their user profiles, but you don't want users to have to change the way they access their files. What's the best way to go about this?

Configure folder redirection in the User Configuration node of a GPO

You want to set a group policy preference that affects only computers with a CPU speed of at least 4.0 GHz. What's the best way to do this?

Configure item-level targeting

Saved Queries folder

Contains a list of Active Directory queries you can save to repeat Active Directory searches easily.

Global Catalog Server

Contains information about all objects in the forest. Facilitates domain and forestwide searches, speeding up searches for objects across domains in the forest. Facilitates logon across domains, allowing users to sign in to any domain in the forest using a UPN (user principal name, username@domain); without it, users could only sign in to computers on the same domain. Holds universal group membership information and resolves user group membership rights and permissions.

Security Settings node

Contains the lion's share of policies that affect computer security (including account policies, user rights, wireless network policies, registry and file system permissions, and network communication policies).

You have been working with ADMX files to modify existing Administrative Templates and create new templates. You work on different domain controllers, depending on your location. Despite a concerted effort, your ADMX files are getting out of sync. How can you solve this problem?

Create an ADMX store in the SYSVOL share, and copy the ADMX files to the ADMX store

Managed Service Accounts Folder

Created specifically for services to access domain resources; added to the schema in Windows Server 2008 R2. The password is managed by the system, relieving the admin of this task. This folder is initially empty.

Group Policy Results gpresult.exe

Creates a report to show which policy settings apply to a user, computer, or both.

What type of task can be defined to allow you fine-grained control over the management tasks a user can perform in an OU?

Custom

Which of the following is not part of Active Directory's logical structure?

DC

Schema Attributes

Define what type of information is stored in each object, such as first name, last name, and password for a user account object

Default Domain Policy

Defines several account policies, such as password and account lockout settings.

Default Domain Controller Policy

Defines user rights assignment policies but no account policies

GPO scope

Defines which objects a GPO affects

Which of the following is a subfolder in the User Configuration node but not the Computer Configuration node of a GPO?

Desktop

Jane has left the company. Her user account is a member of several groups and has permissions and rights to a number of forestwide resources. Jane's replacement will arrive in a couple of weeks and needs access to the same resources. What's the best course of action?

Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again.

You have configured a group policy preference that creates a VPN connection for all computers in the GPO's scope. One user says the connection was there yesterday, but it's no longer showing in his Network Connections window. You suspect he might have deleted the connection accidentally. What can you do to make sure that the VPN connection is re-created even if a user deletes it?

Disable the Apply once and do not reapply option

user accounts; contacts; other distribution groups; security groups; computers

Distribution & Security group objects members?

Leaf domain

Doesn't contain other objects and usually represents a security account, network resource, or GPO.

Which container has a default GPO linked to it?

Domain

Which of the following is the core logical structure container in Active Directory?

Domain

An account named SrAdmin created an OU named QandA under the Operations OU. Which of the following is true by default?

Domain Admins is the owner of the QandA OU

Group Policy Template (GPT) and Group Policy Container (GPC). They have the same traits: naming structure and folder structure.

Domain GPOs consist of what two separate parts?

You have a forest named PLAB.com and two domains, PLABA and PLABB. You want to add the users from both the domains to a group that should be restricted within the PLABA domain. Which type of group scope should you set for this group?

Domain Local

You have decided to follow Microsoft's best practices to create a group scope that will allow you to aggregate users with similar rights requirements. Which group scope should you initially create?

Domain Local

Which is responsible for management of adding, removing, and renaming domains in a forest?

Domain Naming master

Which of the following is true about the Users domain local group?

Domain Users is a member.

Which of the following is a directory partition? (Choose all that apply.)

Domain directory partition; Schema directory partition; Configuration partition

Which direct group scope conversion is allowed?

Domain local to universal provided no domain local group is already a member

To which of the following can a GPO be linked? (Choose all that apply.)

Domains; Sites

Other DCs present

During the installation of the 1st DNS server on your domain, what would allow you to create DNS delegations?
Options: First DC; No other DCs; Other DCs present; None of these

Create GPOs Link GPOs Perform Group Policy Modeling analyses Read Group Policy Modeling analyses Read Group Policy Results data Read Read (from Security Filtering) Edit settings, delete, modify security Edit Settings

Eight permissions that can be applied to GPOs and container objects they are linked to through delegations

Active Directory's hierarchical database

Enables administrators to organize users and network resources to reflect the organization of the environment in which it's used.

The dcpromo.exe command is the preferred method for installing Active Directory on Server Core.

False

The recommended minimum number of Active Directory domain controllers in a domain environment is three

False

The second DC is always configured as a GC server

False

Which of the following is a feature of Active Directory? (Choose all that apply.)

Fine-grained access controls; Can be distributed among many servers

Builtin; Computers; Foreign Security Principals; Managed Service Accounts; Users
You can delegate admin control on all folders but the Builtin folder. All objects in a folder are subject to group policies defined at the domain level. You can move objects from their default folders (ex: Builtin) to OUs that you create.

Five folders created when Active Directory is installed? You cannot create new folder objects or apply group policies to folder objects.

Read; Write; Create all child objects; Delete all child objects; Full control

Five standard permissions are available for most objects:

synchronous processing

Forces group policy processing to finish before other system tasks can be performed.

DNS server *
Global catalog server *
Forestwide administrative accounts ^
Operations masters ^
* can be installed on other DCs for fault tolerance
^ must reside on a DC in the forest root domain

Functions of forest root domain

Security filtering: uses GPO permissions
WMI filtering (Windows Management Instrumentation): uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results.

GPO filtering methods include:

Local policies; Site-linked GPOs; Domain-linked GPOs; OU-linked GPOs

GPOs are applied in what order?

Domain level

GPOs at this level should contain settings that apply to all objects in the domain. Account policies and a few critical security policies should be set at this level.

Site GPO (Group Policy Objects)

GPOs linked to a site object affect all users and computers physically located at the site. Can be used to set up different policies for mobile users.

Creating & Linking

GPOs are created in the Group Policy management console & can be linked to one or more AD containers.

True

GPOs set at the domain level should contain settings that you want to apply to all objects in the domain.

File Replication Service (FRS): used when running in a mixed environment of differing Windows Server operating systems
Distributed File System Replication (DFSR): used when all DCs are running Windows Server 2008 (more efficient and reliable)

GPT's located in the SYSVOL share, are replicated by (one) of the following methods?

Active Directory Users and Computers (ADUC)

GUI tool for managing AD objects and accounts?

Which of the following is a valid group scope? (Choose all that apply.)

Global; Domain Local

Which of the following is associated with installing the first domain controller in a forest?

Global Catalog

All domains in the same forest have which of the following in common? (Choose all that apply.)

Global Catalog; Schema

Which Windows servers are the only domain controllers that hold universal group membership information?

Global catalog

Which of the following can be a member of a universal group? (Choose all that apply.)

Global groups from any domain in the forest; Other universal groups

Name of the GPO; File path to the GPT; Version; Status

Group Policy Container (GPC) contains which of the following attributes?

Summary: information about which GPOs affect the specified computer and user
Details: displays information about the computer and group policy components
Policy Events: displays all events in Event Viewer that are generated by group policies

Group Policy Result report tabs?

GPOs; Replication; Creating and Linking; Scope and inheritance

Group policy architecture and functions:

foreground processing

Group policy processing that occurs when the system boots or a user logs on

What does the group nesting depend on?

Group scope of the groups being nested

domain local; global; universal; local (applies only to groups created in the SAM - Security Account Manager - database of a member computer or stand-alone computer)

Group scope options:

Active Directory tree

Grouping of domains that share a common naming structure. Consists of a parent domain and possibly one or more child domains.

If you enable WinRM using a GPO, which protocol does it use?

HTTP

LostAndFound; Program Data; System; NTDS Quotas; TPM (Trusted Platform Module) Devices

Hidden system folders displayed by enabling the Advanced Features option from the View menu are:

Builtin folder

Houses default groups created by Windows and is mainly used to assign permissions to users who have administrative responsibilities in the domain.

object

How all information in the active directory database is organized.

When installing an additional DC in an existing domain, which of the following is an option for reducing replication traffic?

IFM

HTTP. It listens for requests on the HTTP transport over the default HTTP port.

If you enable WinRM using a GPO, which protocol does it use?
Options: HTTP; SSH; RDP1; HTTPS

Why should there be more than one domain controller in a domain? [Choose all that apply.]

Improved performance; Redundancy; Enhance recoverability

You want to see the permissions set on an OU, so you open Active Directory Users and Computers, right-click the OU, and click Properties. After clicking all the available tabs, you can't seem to find where permissions are set in the Properties dialog box. What should you do?

In Active Directory Users and Computers, click View, Advanced Features

You have hired a new junior administrator and created an account for her with the logon name JrAdmin. You want her to be able to reset user accounts and modify group memberships for users in the Operations department whose accounts are in the Operations OU. You want to do this with the least effort and without giving JrAdmin broader capabilities. What should you do?

In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control.

Protected Users

In Active Directory the administrator account is NOT a member of which of the following domains?
Options: Enterprise Admins; Schema Admins; Domain Admins; Protected Users; All of these

service ticket

In Kerberos security, a permanent ticket good for the duration of a logon session (or for another period of time specified by the server administrator in the account policies) that enables the computer to access network resources (beginning with the Logon service). A digital message used by Kerberos that is requested by an account when it wants to access a network resource, such as a shared folder.

Where is a GPT stored?

In a folder named the same as the GUID of the GPO in the SYSVOL share

Windows Server 2008 R2

In order to use the Active Directory Recycle Bin, all DCs in the forest must be running at least what Windows Server operating system?

You need to find a policy related to an application that was installed several years ago. You know that the policy is persistent when the computer that it's applied to falls out of scope, but you can't remember its name. You remember a word or two that might be in the policy name or comments. What can you do to find this policy quickly?

In the Group Policy Management Editor, configure a filter; set Managed to No, and enable Keyword Filters.

You have created a custom administrative template. You want this template to be available to all DCs so that policies can be configured with it from any DC. Where should you save it?

In the central store

Computer Configuration node, in the Software Installation extension, to assign to computers. Create a shared folder on a server that gives the computer Read & Execute permission.

In what node are software packages only assigned to target computers configure startup/shutdown scripts

first DC in a domain

In which condition is a RODC not an option?
Options: Creating IFM data; First DC in a domain; Creating a GC server; Multiple DCs

Configure the service to log on as NT Service\LocSvc.

In your Windows Server 2016 domain, you have a member server also running Windows Server 2016. You want to install the LocSvc service, which will be accessing only local resources. You need to configure authentication for this service but don't want to use one of the built-in service accounts and want to do this with the least administrative effort. What should you do?
Options:
Create an MSA with PowerShell, and configure the service to log on as the MSA.
Configure the service to log on as NT Service\LocSvc.
Create a local user on the server, and configure the service to log on as that user.
Create a domain user, and in the Delegation tab, select LocSvc.

Network account object

Includes servers, domain controllers, file shares, printers, and so forth.

Security account object

Includes users, groups, and computers

attribute value

Information stored in each attribute (Mary)

Active Directory

Is a directory service based on standards for defining, storing, and accessing directory service objects.

Domain

Is Active Directory's core structural unit. Contains OUs and folder container objects, as well as leaf objects (users, groups, etc.), and represents administrative, security, and policy boundaries. Each has a default GPO linked to it that can affect all objects in the domain. In ADUC, it is represented by three tower computers.

Computers Folder

Is the default location for computer accounts created when a new computer or server becomes a domain member.

Active Directory replication

Is the transfer of information among all domain controllers to make sure they have consistent and up to date information

What is the output of the following command? Enter-PSSession -ComputerName PLABDM01

It will open a remote PowerShell session on PLABDM01.

Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again.

Jane has left the company. Her user account is a member of several groups and has permissions and rights to a number of forestwide resources. Jane's replacement will arrive in a couple of weeks and needs access to the same resources. What's the best course of action?
Options:
Find all groups Jane is a member of and make a note of them. Delete Jane's user account and create a new account for the new employee. Add the new account to all the groups Jane was a member of.
Disable Jane's account. When the new employee arrives, rename Jane's account, assign it a new password, and enable it again.
Copy Jane's user account and give the copy another name.
Export Jane's account and then import it when the new employee arrives. Rename the account and assign it a new password.

Enforce user logon restrictions; Maximum lifetime for service ticket; Maximum lifetime for user ticket renewal; Maximum tolerance for computer clock synchronization

Kerberos Policy Settings?

Key Distribution Center (KDC); Ticket-granting Tickets (TGT); Service Tickets; Timestamp

Kerberos components:

The protocol for accessing Active Directory objects and services is based on which of the following standards?

LDAP

Which of the following tools allows you to modify the Active Directory Schema?

LDIFDE

Which of the following tools is likely to provide output in the following manner:
dn: OU=APAC,DC=PRACTICELABS,DC=COM
dn: OU=IT,OU=APAC,DC=PRACTICELABS,DC=COM
dn: CN=GlobalIT,OU=IT,OU=APAC,DC=PRACTICELABS,DC=COM

LDIFDE

Which of the following are user account categories? (Choose all that apply.)

Local; Domain

On your Windows 10 system, if you execute the command gpedit.msc in the Run dialog box, which of the following snap-ins will open?

Local Group Policy Editor

Local user accounts; domain user accounts and computer accounts from any domain in the forest; domain local groups from the same domain; global and universal groups from any domain in the forest

Local group can have what 4 account type members?

Which type of account is not found in Active Directory?

Local user account

In what order are group policy settings applied?

Local, Site, Domain, OU

system-managed password; automatic SPN support; tied to a specific computer; can be assigned rights and permissions; can't be used for interactive logon; can't be locked out; used on only a single server

MSA (Managed Service Account) has the following attributes:

Set-ADServiceAccount; Get-ADServiceAccount; Remove-ADServiceAccount; Reset-ADServiceAccount; Uninstall-ADServiceAccount; Test-ADServiceAccount

MSA related PowerShell cmdlets

Assigned Application

Made available as an icon in the Start screen the next time a user affected by the policy signs in to a computer in the domain.

Published Application

Made available via Group Policy for a user to install by using Programs and Features in Control Panel.

Allow separate administration and to define policy boundaries.

Main reason for using multiple domains

service principal name (SPN)

Name by which a client uniquely identifies an instance of a service. A type of authentication in which identities of both the client and server are verified.

The Computer Configuration settings are disabled. The computer accounts have Deny Read permission.

No computers in an OU seem to be getting computer policies from the GPO linked to the OU, but users in the OU are getting user policies from this GPO. Which of the following are possible reasons that computer policies in the GPO aren't affecting the computers? (Choose all that apply.)
Options:
The GPO link is disabled.
The Computer Configuration settings are disabled.
The computer accounts have Deny Read permission.
The OU has the Block Inheritance option set.

Which of the following are true about organizational units? (Choose all that apply.)

OUs can be nested. A group policy can be linked to an OU.

Replay Attack

Occurs when the attacker captures a portion of a communication between two parties and retransmits it at a later time.

Local Group Policy Editor

On your Windows 10 system, if you execute the command gpedit.msc in the Run dialog box, which of the following snap-ins will open?
Options: Group Policy Management Console; Group Policy Editor; Local Group Policy Editor; Local Security Policy Editor

Universal Group

Only group that can contain accounts from other domains

Which statement is true regarding the global catalog?

Only one global catalog exists per forest

Schema Admins

Only users that can make changes to the schema.

You have installed an application that can be configured with Group Policy. The application came with a custom ADM file that must be replicated to all DCs. What should you do first?

Open the file with ADMX Migrator

Four Organizing components of Active Directory:

Organizational units; Domains; Trees; Forests

Specify which computers Tom can sign in to in the domain by using the Log On To option in his account's properties.

Over the past several months, Tom, who has access to sensitive company information, has signed in to computers in other departments and left them without signing out. You have discussed the matter with him, but the problem continues to occur. You're concerned that someone could access these sensitive resources easily. What's the best way to solve this problem?
Options:
Move Tom's account and computer to another domain, thereby making it impossible for him to sign in to computers that are members of different domains.
Disable local logon for Tom's account on all computers except Tom's.
Specify which computers Tom can sign in to in the domain by using the Log On To option in his account's properties.
Ensure that all computers Tom is signing in to have screen savers set to lock the computer after 15 minutes of inactivity.

Background Processing

Periodic group policy processing that occurs after a computer is running or a user is logged on.

Active Directory Structure

Physical Structure; Logical Structure

Invoke-GPUpdate

PowerShell cmdlet that automates the updating of GPOs applied to remotely located computers.

Move-ADObject

PowerShell command to move an account?

Rename-ADObject DistinguishedName -NewName "NewName"

PowerShell command to rename an account?

Set-ADAccountPassword LogonName -Reset

PowerShell command to reset password?

Blocking Inheritance

Prevents GPOs linked to parent containers from affecting child containers. When enabled, the OU or domain object is displayed w/ a blue exclamation point.

Group Policy Management console (GPMC); Group Policy Management Editor (GPME) - no save option, changes immediately

Primary tools used for managing, creating, and editing GPOs are?

You want to deploy a software package that's available to all users in the domain if they want to use it, but you don't want the package to be installed unless a user needs it. How should you configure the software installation policy?

Publish the package under the User Configuration node

Resultant Set of Policy (RSoP)

Query engine that looks at GPOs and then reports its findings. Use this tool to determine the effective settings for a user or computer based on the combination of the local, site, domain, domain controller, and OU policies.

The default location for computer accounts that are created automatically after joining the domain can be changed using which command?

Redircmp.exe

Replication

Replicating important information b/w all domain controllers throughout the forest. Includes information stored in the global catalog, schema directory and configuration partitions.

Third node

Represents the domain and contains all the objects that make up the domain.

A user is having trouble signing in to the domain from a computer that has been out of service for several months, and nobody else can seem to sign in from the computer. What should you try first to solve the problem?

Reset the computer account, remove the computer from the domain, and rejoin it to the domain.

Which of the following specifies what types of actions a user can perform on a computer or network?

Rights

You're concerned that some domain controllers and workstations don't meet security requirements. What should you do to verify security settings on a computer against a list of known settings?

Run Security Configuration and Analysis on the computer to compare its security settings against a security database

Which of the following components are collectively grouped together and referred to as the object's security descriptor? (Choose all that apply.)

SACL; Object owner; DACL

You want to deploy a logon script by using Group Policy. You have several sites connected via a WAN with a DC at each site. You want to make sure the script is always available when users log on from any computer at any location. What should you do?

Save the script in the SYSVOL share

Which of the following defines the types of objects in Active Directory?

Schema Classes

Which of the following defines the types of information stored in an Active Directory object?

Schema attributes

Which of the following creates a file named disabled.txt containing a list of disabled Active Directory accounts?

Search-ADAccount -AccountDisabled > disabled.txt

False

Security Principals define which resources users can access and what level of access they have. True or False

Perform Group Policy Modeling analyses

Select below the policy permission that grants a user or group the ability to use the GPO Modeling Wizard on a target container.

SYSVOL folder

Select the specific Windows folder that is a shared folder containing file-based information that is replicated to other domain controllers.

Group Policy Inheritance

Select the specific tab within the Group Policy Management Console that will allow you to view which policies affect a domain or OU and where the policies are inherited from.

You have noticed the inappropriate use of computers for gaming and Internet downloads by some employees who come in after hours and on weekends. These employees don't have valid work assignments during these times. You have been asked to devise a solution for these employees that doesn't affect other employees or these employees' computers during working hours. What's the best solution?

Set the Logon Hours options for their user accounts.

Policies Folder (under Computer Configuration & User Configuration nodes)

Settings are applied to users or computers and can't be overridden by users. Contains 3 folders (Software Settings, Windows Settings, and Administrative Templates).

Which of the following is considered a leaf object? (Choose all that apply.)

Shared folder; Computer account

Group Policy Inheritance

Shows which policies affect a domain or OU and where policies are inherited from.

Which of the following is a component of Active Directory's physical structure?

Sites

Over the past several months, Tom, who has access to sensitive company information, has signed in to computers in other departments and left them without signing out. You have discussed the matter with him, but the problem continues to occur. You're concerned that someone could access these sensitive resources easily. What's the best way to solve this problem?

Specify which computers Tom can sign in to in the domain by using the Log On To option in his account's properties.

Which of the following tasks must you perform before deleting the files from the C:\Windows\SoftwareDistribution folder?

Stop the wuauserv service

Name Resolution Policy

Stores configuration settings for DNS security and DirectAccess.

User Folder

Stores two default users (Administrator and Guest) and several default groups.

Which of the following is the responsibility of a domain controller? (Choose all that apply.)

Storing a copy of the domain data; Providing data search and retrieval functions; Providing authentication services

Domain Controller (DC) features:

Storing a copy of the domain data and replicating changes to that data to all other domain controllers throughout the domain. Providing data search and retrieval functions for users attempting to locate objects in the directory. Providing authentication and authorization services for users who sign in to the domain and attempt to access network resources.

Key Distribution Center (KDC)

System for granting authentication in Kerberos. Generates keys for users.

Remote Scheduled Tasks Management (RPC); Remote Scheduled Tasks Management (RPC-EPMAP); Windows Management Instrumentation (WMI-In)

Target client computers must have these inbound firewall rules enabled on the domain profile for the remote group policy update to be successful?

.admx

The ADMX central store holds policy definition files used for updating changes b/w domain controllers. What is the file extension of these files?
Options: .adm; .admx; .xml; .xlsx

.xml

The ADMX central store holds policy definition files used for updating changes b/w domain controllers. What is the format of these files?
Options: .adm; .admx; .xml; .xlsx

True

The Knowledge Consistency Checker (KCC) runs on every DC to determine the replication topology.

Add AD DS

The command "Add-WindowsFeature AD-Domain-Services" is used to ________________.
Options: Add a domain feature; Add AD DS; Update the GC; None of these

False

The directory partition holds configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another. True or False

Which of the following scenarios is not ideal for the deployment of a single domain structure?

The domain structure must be able to utilize different name identities

You have an Active Directory forest of two trees and eight domains. You haven't changed any operations master domain controllers. On which domain controller is the schema master?

The first domain controller in the forest root domain

forest root domain

The first domain created in a new forest. Provides functions that facilitate and manage communication b/w domains in the forest as well as b/w forests. (If it's down, the entire Active Directory stops working).

/sync

The gpupdate command in conjunction with which option below causes synchronous processing during the next computer restart or user logon?

What happens if a security group that's an ACE in a shared folder is converted to a distribution group?

The group remains in the DACL, but the ACE has no effect on members' access to the resource

Which of the following are true about user accounts in a Windows Server 2016 domain? (Choose all that apply.)

The name can be from 1 to 20 characters. The name can't be duplicated in the domain.

You have configured a policy setting in the User Configuration node of a domain GPO and linked the GPO to OU-X. Later, you discover that you linked it to the wrong OU, so you unlink it from OU-X and link it to OU-Y, which is correct. A few days later, you find that users in OU-X still have the policy setting applied to their accounts. What's the most likely cause of the problem?

The policy setting is unmanaged

LDAP (Lightweight Directory Access Protocol)

The protocol for accessing Active Directory objects and services is based on which of the following standards? LDAP DNS DHCP ICMP

False

The second DC is always configured as a GC server. True or False

Under what circumstances would a multi-domain structure not be an ideal choice?

The structure should facilitate easier access to resources

domain user accounts (user accounts created in AD)

These accounts can usually log on to any computer that's in the AD forest?

csvde -m -f mktusers.csv -d "ou=marketing,dc=marketing,dc=mcsa2016,dc=local" -r "(objectClass=user)"

This command creates a file called MktUsers.csv

OU Folder Domain

Three container objects

Domain Name System (DNS) server (install unless existing DNS server) Global Catalog (1st DC in a forest must be GC) Read only domain controller (RODC) disabled for 1st DC

Three options for domain controller capabilities

User Groups Computers

Three types of security principals can be assigned permission to an object.

Slow link processing Background processing Process even if the Group Policy objects haven't changed

Three ways to change the default processing behavior of the client:

5985

To allow WinRM service to receive network request, which port should you open in the Windows Firewall policy? 443 53 5985 80 8080

Computer Configuration\Policies\Administrative Templates\System\Group Policy

To find a full list of policies and preferences that can have background processing disabled, where should you look?

Security Templates snap-in Security Configuration & Analysis snap-in

Tools for working w/ Security Templates

Dsquery can be used for displaying a list of objects based on particular criteria or piping data to commands such as dsmod for further processing

True

NTDS Quotas store NT Directory Service quota information that limits the number of Active Directory objects a user, group, computer, or service can create.

True

Default Domain Policy (linked to the domain object and specifies default settings that affect all users and computers in the domain, such as password and logon requirements) Default Domain Controllers Policy (linked to the Domain Controllers OU and specifies default policy settings for all domain controllers in the domain; these pertain mainly to user rights assignments and specify the types of actions users can perform on a DC).

Two GPOs are created and linked to two containers when Active Directory is installed.

Provide a method for user authentication to the network Provide detailed information about a user

Two main functions of user accounts?

Local GPOs Domain GPOs

Two main types of GPOs?

Logging Planning (similar to group policy modeling)

Two modes of RSoP (Resultant Set of Policy)

Computer Configuration (affects all computers in the container, and child containers, to which the GPO is linked. GPOs linked to domain objects affect all computers in the domain, including all computers in the Domain Controllers OU and the Computers folder). User Configuration (affects domain users within the GPO's scope regardless of which computer the user signs in to). Each node contains a Policies and a Preferences folder.

Two nodes of GPO in GPMC

audit object access policy auditing on target objects policy (by changing the system access control list SACL for the object in the Auditing tab on the Advanced Security Settings dialog box for the object)

Two steps for auditing objects:

Slow link value Specifies the threshold for the response time from a domain controller to consider a link slow Timeout value The maximum time the Group Policy client waits for a response from a DC before determining there's no network connection to the DC

Two time parameters that can be changed if group policy caching is enabled.

Blocking Inheritance GPO enforcement

Two ways to affect GPO inheritance?

If a domain is set in the Mixed mode and not in the native mode, which of the following group scopes is unavailable?

Universal

Password Settings Object (PSO)

Used to apply different password policies for users or groups in a domain

Container Objects

Used to organize and manage users and resources in a network A way to group objects for applying policies

Managed Backups

Used to restore a deleted GPO

Group Policy Management Console (GPMC)

Used to view, create, and manage GPO's

Software settings Contains software installation extension, application packages can be assigned or published. Windows settings contains scripts extension, security settings node, and policy-based QoS node. Admins can create scripts that run at user sign in or sign out. And control what software users can run. Administrative Templates Settings enable admin to tightly control users' computer and network environments. Example: Control Panel can be hidden from users, items can be made available

User Configuration Node 3 folders

Which of the following account options can't be set together? (Choose all that apply.)

User must change password at next logon Password never expires.

Configure asynchronous processing when a slow link is detected

Users who log on from a branch office connected to the DC via a slow WAN link are complaining of slow logon times when you assign applications via group policies. What can you do to speed their logons? Perform a remote group policy update Configure asynchronous processing when a slow link is detected Disable Group Policy caching Configure synchronous processing when a slow link is detected

All your domain controllers are running Windows Server 2016. You're noticing problems with GPT replication. What should you do?

Verify that DFSR is operating correctly

global catalog

What Windows servers are the only domain controllers that hold universal group membership information?

Computer configuration used to set policies that apply to computers in the GPO's scope. User configuration used to set policies that apply to all users in the GPO's scope.

What are 2 main nodes in GPMC?

Hierarchical organization Centralized but distributed database Scalability Security Flexibility Policy-based administration

What are Active Directory features?

Link status: unlinked Link status: Enabled Link status: Disabled GPO status: Enabled GPO status: User configuration settings disabled GPO status: Computer configuration settings disabled GPO status: All settings disabled Details tab

What are GPO states once created? And when do you view the status?

Service Type Instance Name Port Number Service Name

What elements does an SPN (Service Principal Name) consist of?

Audit Policy User Rights Assignment Security Options

What are the three Local Policies Folders?

Local Services Network Services Local System

What are the three built-in service accounts?

software settings uses Microsoft Software Installation (MSI) files windows settings administrative templates *policy settings can be managed (not configured w/ object outside of policy scope) or unmanaged (persistent)

What are the three folders under the Group Policy Settings under the Policies Folder?

Password policy contains the policies that control password properties Account Lockout Policy contains the policies that control user account lockout Kerberos Policy administrators can use to fine-tune parameters for Kerberos & how long authentication tickets are active.

What are three subnodes under account policies?

AD Administrative Center (ADAC) ADSI Edit PowerShell cmdlets

What can you use to create PSOs?

ADUserC ADAdminC PowerShell cmdlets: -Enable-ADAccount -Disable-ADAccount dsmod user command

What can you use to enable and disable accounts?

The group remains in the DACL, but the ACE has no effect on members' access to the resource.

What happens if a security group that's an ACE in a shared folder is converted to a distribution group? The group remains in the DACL, and permissions assigned to the group affect access to the resource as though it were still a security group. The group is removed from the DACL automatically. The group remains in the DACL, but the ACE has no effect on members' access to the resource. A security group can't be converted to a distribution group if it has already been assigned permissions.

To provide a common Active Directory environment in which all domains in all trees can communicate with one another and share information yet allow independent operation and administration of each domain.

What is the main purpose of a forest?

Disables the user accounts in the Helpdesk OU

What is the output of the following command: Get-ADUser -Filter 'Name -like "*"' -SearchBase "ou=HelpDesk,ou=EMEA,dc=practicelabs,dc=com" | Disable-ADAccount Enables the disabled user accounts in the Helpdesk OU Lists the disabled user accounts in the Helpdesk OU Displays an error since no username is defined Disables the user accounts in the Helpdesk OU

It will open a remote PowerShell session on PLABDM01.

What is the output of the following command? Enter-PSSession -ComputerName PLABDM01 It will start a telnet PLABDM01. It will trigger a remote PowerShell session initiation from PLABDM01. It will open a local PowerShell session on PLABDM01. It will open a remote PowerShell session on PLABDM01.

Background processing

What kind of group policy processing always occurs when a user is logged on to the computer at the time a group policy refresh occurs? Selective processing Background processing Foreground processing Slow link processing

Logging

What mode of the Resultant Set of Policy (RSoP) snap-in produces a database of policy results that you browse in a similar manner to using the Group Policy Management Editor?

read

What permission is given to the Enterprise Domain Controllers universal group on all GPOs by default, and grants permission to view settings and back up a GPO?

Disabled by default

What statement is true regarding the Active Directory Recycle Bin? Disabled by default Can be disabled easily Runs on Windows Server 2003 or later All of these

default domain policy linked to the domain object and specifies default settings for all users and computers in the domain. default domain controller policy linked to the Domain Controllers OU and specifies default policy settings for all domain controllers in the domain.

What two GPO's are created and linked to two containers, when AD is installed?

local user account

What type of account is not found in Active Directory?

GPT.ini Machine User

When GPO is created each GPT folder contains at least three items:

True Should be used for exceptions to policies set at a higher level

When OU (organizational units) are nested, the GPO (Group Policy Object) linked to the OU nested the deepest takes precedence over all other GPOs. True False

Administrator domain admin global group is made a member User domain user global group is made a member

When a computer joins a domain, Windows changes the membership of which two local groups automatically?

group name group type group scope

When a group is created in ADUC what are 3 settings?

all of these

When adding Role and Features with Server Manager, which of the choices are recommended in the Domain Services Configuration Wizard? Administrator account has a strong password Your network settings are configured The latest security updates are installed All of these

SYSVOL

When configuring DNS options, which choice is a shared system folder that is replicated to other domain controllers? SYSVOL Database Log files all of these

Domain Administrator accounts

When in forest root domain, has full access to all aspects of the forest.

DNS Server role

When installing AD DS on a domain controller, what must also be present or installed? GC server DNS Server role AD child domain None of these

IFM

When installing an additional DC in an existing domain, which of the following is an option for reducing replication traffic? Child domain New site GC server IFM

domain controller

When performing an offline join, which is the first system on which the djoin.exe needs to be run? offline system additional domain controller any system that is on the network but not a member of the domain domain controller

Full name User logon name User logon name (pre-Windows 2000) Password & Confirm Password Checked boxes: -user must change password at next logon -user can't change password -password never expires -account is disabled

When using ADUC to add users, must enter these attributes:

MgSa

When working w/ managed service accounts to be used on multiple servers, which account type would be used? GSA MgSa gSA gMSA

False

When you back up a GPO, the policy settings are backed up, but not the security filtering settings, delegation settings, and WMI filter links.

SAM database

Where are user accounts stored on a standalone computer? SAM database SQL database Active Directory A flat file

Service Ticket

Which Kerberos authentication and authorization component is also known as a session ticket? Ticket-granting tickets Service Ticket Timestamp Renewal Ticket

Active Directory Domains and Trusts ADSI Edit

Which MMC is added after Active Directory installation? (Choose all that apply.) Active Directory Domains and Trusts Active Directory Groups and Sites ADSI Edit Active Directory Restoration Utility

Set-GPPermission

Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs?

Set-ADServiceAccount

Which PowerShell cmdlet would change the MSA settings? Set-ADServiceAccount GET-ADServiceAccount SET-ADSA All of these

Password Replication to RODC

Which RODC password Replication option is NOT available to the domain local user group? Password Replication to RODC Password expiration Password time restriction All of these

b. move computer account into a custom OU

Which action would you take to apply Group Policies to a computer account? a. use Active Directory Users and Computers b. move computer account into a custom OU c. change default location d. none of these

dsquery and dsmod

Which commands can you use together to change attributes of several users at once? dsget and dsmod dsquery and dsmod dsget and dsadd dsquery and dsget

Computers

Which container has a default GPO linked to it? Printers Users Computers Domain

Domain local to universal provided no domain local group is already a member

Which direct group scope conversion is allowed? Domain local to universal provided no domain local group is already a member Domain local to global provided no domain local group is already a member Global to domain local without restriction Universal to global without restriction

d. all of the above

Which groups are granted Add workstations to domain rights by default? a. domain admins b. account operators c. authenticated users d. all of the above

domain naming master

Which is responsible for management of adding, removing, and renaming domains in a forest? Schema master Domain naming master RID master Infrastructure master

denied RODC password replication group

Which local group is used as a security measure to prevent sensitive passwords from being stored on RODCs? denied RODC password replication group domain admins enterprise admins schema admins

Default Domain Policy Default Domain Controllers Policy

Which of the following GPOs are created by default when Active Directory is installed? (Choose all that apply.) Default Domain Controllers Policy Default Group Policy Default Active Directory Domain Policy Default Domain Policy

User must change password at next logon. Password never expires.

Which of the following account options can't be set together? (Choose all that apply.) User must change password at next logon. Store password using reversible encryption. Password never expires. Account is disabled.

The system manages passwords. You can't be locked out.

Which of the following are advantages of using a managed service account instead of a regular user account for service logon? (Choose all that apply.) The system manages passwords. You can assign rights and permissions precisely. You can use the account to log on interactively. You can't be locked out.

Local system Network Service

Which of the following are built-in service accounts? (Choose all that apply.) Anonymous Logon Local system Network Service Authenticated Users

Administrator Guest

Which of the following are built-in user accounts? (Choose all that apply.) Administrator Operator Anonymous Guest

Computer accounts User accounts

Which of the following are considered security principals? (Choose all that apply.) Contacts Computer accounts User accounts Distribution groups

User authentication Detailed information

Which of the following are the main functions of user accounts? (Choose all that apply.) User authentication Biometric identity Autonomous access Detailed information

OUs can be nested. A group policy can be linked to an OU.

Which of the following are true about organizational units? (Choose all that apply.) OUs can be added to an object's DACL. OUs can be nested. A group policy can be linked to an OU. Only members of Domain Administrators can work with OUs.

The name can be from 1 to 20 characters. The name can't be duplicated in the domain.

Which of the following are true about user accounts in a Windows Server 2016 domain? (Choose all that apply.) The name can be from 1 to 20 characters. The name is case sensitive. The name can't be duplicated in the domain. Using default settings, PASSWORD123 is a valid password.

Local Domain

Which of the following are user account categories? (Choose all that apply.) Local Global Domain Universal

A service similar to a database program but with the capability to manage objects

Which of the following best describes a directory service? A program for managing folders, files, and permissions on a distributed server A program for managing the user interface on a server A service similar to a database program but with the capability to manage objects A service similar to a list of information in a text file

Defines the number of times a user's password can be entered incorrectly

Which of the following best describes the Account lockout threshold setting? Defines the number of times a user's password can be entered incorrectly Defines the number of times a user can enter an incorrect user name Specifies how many minutes a user's account is locked Specifies the number of minutes that must elapse between failed logon attempts

Global groups from any domain in the forest Other universal groups

Which of the following can be a member of a universal group? (Choose all that apply.) User accounts from the local domain only Global groups from any domain in the forest Other universal groups Domain local groups from the local domain only

a. ADAC c. ADSI Edit d. PowerShell

Which of the following can be used by a Windows Server 2016 administrator to create a PSO? (Choose all that apply.) ADAC Server Manager ADSI Edit PowerShell

ADAC ADSI Edit PowerShell

Which of the following can be used by a Windows Server 2016 administrator to create a PSO? (Choose all that apply.) ADAC Server Manager ADSI Edit PowerShell

Service user account

Which of the following choices is not one of the three user account types defined in Windows Server 2016?

schema master

Which of the following choices is one of the two forest-wide FSMO roles?

SACL Object owner DACL

Which of the following components are collectively grouped together and referred to as the object's security descriptor? (Choose all that apply.) SACL Object owner OUs DACL

Search-ADAccount -AccountDisabled > disabled.txt

Which of the following creates a file named disabled.txt containing a list of disabled Active Directory accounts? Search-ADAccount -AccountDisabled > disabled.txt ldifde -accounts -property=enabled -value=false net accounts /show disabled Query-Account -Disable=True | disabled.txt

schema attributes

Which of the following defines the types of information stored in an Active Directory object? Attribute values Schema classes GPOs Schema attributes

schema classes

Which of the following defines the types of objects in Active Directory? GPOs Attribute values Schema attributes Schema classes

Sites

Which of the following is a component of Active Directory's physical structure? Organizational units Folders Sites Domains

Schema directory partition Configuration partition

Which of the following is a directory partition? (Choose all that apply.) Domain directory partition Group policy partition Schema directory partition Configuration partition

Fine-grained access controls Can be distributed among many servers

Which of the following is a feature of Active Directory? (Choose all that apply.) Fine-grained access controls Can be distributed among many servers Can be installed on only one server per domain Has a fixed schema

Global Domain local

Which of the following is a valid group scope? (Choose all that apply.) Global Domain local Forest Domain global

Can contain trees with different naming structures Allows independent domain administration Represents the broadest element in Active Directory

Which of the following is associated with an Active Directory forest? (Choose all that apply.) Can contain trees with different naming structures Allows independent domain administration Contains domains with different schemas Represents the broadest element in Active Directory

Global catalog

Which of the following is associated with installing the first domain controller in a forest? Global catalog Child domain DHCP RODC

computer account shared folder

Which of the following is considered a leaf object? (Choose all that apply.) Computer account Organizational unit Domain controller Shared folder

Password Policy Account Lockout Policy Kerberos Policy

Which of the following is included in account policies for a GPO? (Choose all that apply.) Password Policy Authorization Policy Account Lockout Policy Kerberos Policy

Sam*Snead35

Which of the following is not a valid user account name? Sam$Snead1 SamSnead!24 Sam23Snead Sam*Snead35

A leaf object that can be linked to a GPO

Which of the following is not associated with an Active Directory tree? A group of domains A leaf object that can be linked to a GPO A common naming structure Parent and child domains

DC

Which of the following is not part of Active Directory's logical structure? Tree DC Forest OU

Domain

Which of the following is the core logical structure container in Active Directory? OU Domain Forest Site

domain

Which of the following is the primary identifying and administrative unit in Active Directory?

Storing a copy of the domain data Providing data search and retrieval functions Providing authentication services

Which of the following is the responsibility of a domain controller? (Choose all that apply.) Storing a copy of the domain data Providing data search and retrieval functions Servicing multiple domains Providing authentication services

Account policies are under the Computer Configuration node.

Which of the following is true about GPOs? They affect all groups in their scope. The Default Domain Policy affects only user accounts. Account policies are under the Computer Configuration node. Account policies are under the User Configuration node.

Domain Users is a member.

Which of the following is true about the Users domain local group? Domain Users is a member. It can be converted to a global group. It's in the Users folder. Its members can log on locally to a domain controller.

SPN

Which of the following is used to uniquely identify a service instance to a client? KDC SPN TGT Service ticket

Computer accounts User accounts

Which of the following members can belong to the global group? (Choose all that apply.) Computer accounts Global groups from any domain User accounts Universal groups

Local GPOs, site, domain, OU

Which of the following represents the correct order in which GPOs are applied to an object that falls within the GPO's scope? Site, domain, OU, local GPOs Local GPOs, domain, site, OU Local GPOs, site, domain, OU Domain, site, OU, local GPOs

Group managed service account

Which of the following service accounts can be managed across multiple servers? AD managed service account Multi-managed service account Group managed service account Managed service account

Stop the wuauserv service

Which of the following tasks must you perform before deleting the files from the C:\Windows\SoftwareDistribution folder? Stop the wuauserv service Assign write permission on the folder Disconnect the system from the domain Kill the Windows Update process

LDIFDE

Which of the following tools allows you to modify the Active Directory Schema? Dsadd Windows PowerShell CSVDE LDIFDE

LDIFDE

Which of the following tools is likely to provide an output in the following manner: dn: OU=APAC,DC=PRACTICELABS,DC=COM dn: OU=IT,OU=APAC,DC=PRACTICELABS,DC=COM dn: CN=GlobalIT,OU=IT,OU=APAC,DC=PRACTICELABS,DC=COM Windows PowerShell CSVDE LDIFDE Dsadd

Need for differing account policies For differing policies for different business units, Password Settings Objects can be used. Need different names identities Replication control reduced by creating separate domains Need for internal versus external domains Need for tight security

Why choose a multi-domain?

Simplicity Don't need multiple identities, separate administration, or differing account policies Lower cost Easier management Easier to move users b/w OU's than different domains Easier access to resources

Why choose a single domain?

to control the frequency of Active Directory Domain replication and to assign policies based on physical location.

Why define multiple sites?

Redundancy Improved performance

Why should there be more than one domain controller in a domain? [Choose all that apply.] Redundancy Improved performance Faster authentication Data integrity Enhanced recoverability Load balancing

In order to use the Active Directory Recycle Bin, all DCs in the forest must be running at least what Windows Server operating system?

Windows Server 2008 R2

Item-level targeting

You are configuring common GPO properties for folders. You want to specify that only portable computers that are docked have a preference applied. Which choice will accomplish this? Item-level targeting stop processing items in this extension if an error occurs run in logged-on user's security context (user policy option) apply once and do not re-apply

Password Setting Object (PSO)

You are configuring fine-grained password policies to configure multiple password and account lockout policies for different sets of user accounts. Which acronym describes the Active Directory object you are configuring? GPO PPAL PSO FGPP

Change the value for the Minimum password age setting.

You discovered that a user changed his password 10 times in one day. When you ask why he did this, he replied that the system required him to change his password. He wanted to use his favorite password, but the system wouldn't accept it until he changed it 10 times. What should you do to prevent this user from reusing the same password for at least 60 days? Enable the Password must meet complexity requirements setting. Change the value for the Maximum password age setting. Change the value for the Minimum password age setting. Change the value for the Enforce password history setting.

Configure loopback policy processing in Computer Configuration. Configure the desktop settings in User Configuration and link the GPO to the OU containing the demonstration computers.

You don't have policies that force settings for the look of users' computer desktops. Each user's chosen desktop settings are applied from his or her roaming profile to any computer he or she signs in to. You think it's important for users to have this choice, but you'd like a consistent look for computers used for product demonstrations to customers. What's the best way to do this without affecting users when they sign in to other computers? Create a user named Demo. Configure Demo's desktop settings and use only this user account to sign in to demonstration computers. Configure desktop policies in the Computer Configuration node of a GPO and link this GPO to the OU containing the demonstration computers. Create a GPO with a start-up script that configures desktop settings suitable for demonstration computers when these computers are started. Link the GPO to the OU containing the demonstration computers. Instruct users to restart demonstration computers before using them. Configure loopback policy processing in Computer Configuration. Configure the desktop settings in User Configuration and link the GPO to the OU containing the demonstration computers.

Setspn.exe (Service Principal Name)

You have a SharePoint web application named Portal. Portal is configured to use NTLM authentication. From Central Administration you configure Portal to use Kerberos authentication. You need to ensure that Kerberos can be used to authenticate Portal. What tool should you use?

Slow link processing

You have a branch office connected to the main office with a sometimes unreliable and slow WAN link. Users are complaining about long logon times. Which Group Policy client feature are you most likely to configure to solve the problem? Remote update processing Slow link processing Background processing Synchronous processing

The first domain controller in the forest root domain

You have an Active Directory forest of two trees and eight domains. You haven't changed any operations master domain controllers. On which domain controller is the schema master? All domain controllers The first domain controller in each tree The first domain controller in the forest root domain The last domain controller installed

Trust this user for delegation to specified services only

You have been asked to set up Kerberos constrained delegation on a domain account used as a service account. This would limit delegation to specific services on specific servers. Which Delegation tab option would you choose? Do not trust this user for delegation Trust this user for delegation to specified services only Trust this user for delegation to any service (Kerberos only) Restrict service delegation

Which of the following are local GPOs on a Windows 10 computer? (Choose all that apply.)

-Local Non-Administrators -Local Administrators

Which of the following are true about GPOs? (Choose all that apply.)

-The gpedit.msc tool can be used to edit local GPOs. -Domain GPOs can be linked to Active Directory sites.

Which of the following are methods for creating a GPO? (Choose all that apply.)

-Use the Group Policy Objects folder of the Group Policy Management console -Link it to a container

You are creating a new Active Directory (AD) forest. How many naming contexts for the entire AD Fores

1

An authenticated user can add up to how many computer accounts to the domain, by default?

10

How often is the password for a computer account changed by Active Directory?

30 days

To allow WinRM service to receive network requests, which port should you open in the Windows Firewall policy?

5985

but settings in a GPO linked to an OU override the settings in a GPO linked to the domain if there are conflicts.

A GPO linked to a domain affects all computers and users in the domain, with what exception?

loopback policy processing

A Group Policy setting that applies user settings based on the GPO whose scope the logon computer (the one the user is logging on to) falls into. Ex: an OU ConfRoomComputers w/ all computer accounts of computers in conference rooms.

Group Policy Caching

A client-side feature that loads policy information from a cache on the local computer instead of having to always download it from a domain controller

GPO Scope

A combination of GPO linking, inheritance, and filtering that defines which objects are affected by the settings in a GPO.

c. reset computer account

A computer has been offline for 60 days. When you bring it online, it will not access the domain. How do you resolve this? a. synchronize the computer password b. reset computer password c. reset computer account d. all of the above

Network directory service

A database composed of records or objects describing users and available network resources, such as servers, printers, and applications, including features to add, modify and delete information.

Authenticated Users

A domain user signing in to the domain becomes a member of which special identity group? Authenticated Users Creator Owner Anonymous Logon System

local group

A group created in the local SAM database on a member server or workstation or a stand-alone computer.

Create a PSO in ADAC, configure the password policy, and apply it to the Research Department group.

A group of users in the Research Department has access to sensitive company information, so you want to be sure that the group members' passwords are strong with a minimum length of 12 characters and a requirement to change their passwords every 30 days. The current password policy requires passwords with a minimum length of 7 characters that users must change every 120 days. You don't want to inconvenience other users in the domain by making their password policies more stringent. What can you do? Create a PSO in ADAC, configure the password policy, and apply it to the Research Department group. Create a GPO, configure the password policy for the Research Department, and link it to the domain. Block inheritance on all other OUs in the domain. Create a GPO, configure the password policy for the Research Department, and link it to the domain. Configure a security filter for the Research group. Create a PSO in ADAC, configure the password policy, and link it to the Research Department OU.

Right-click the Group Policy Objects folder and click Manage Backups.

A junior administrator deleted a GPO accidentally, but you had backed it up. What should you do to restore the deleted GPO? Right-click the Group Policy Objects folder and click Manage Backups. Create a GPO, right-click the new GPO, and click Restore from Backup. Right-click the GPO backup file in File Explorer and click Restore. Open the Active Directory Recycle Bin, right-click the GPO object, and click Restore.

Password policies can be set only at the domain level.

A junior administrator is configuring settings for the Password Policy of a new GPO he created and sets the minimum password length to 4. He links the GPO to the EngUsers OU containing the user and group accounts for the Engineering Department. A user in the Engineering Department calls and says he's trying to change the password on his domain user account to A$c1, but the system isn't taking the new password. What's the problem? The user's computer account isn't in the EngUsers OU. Password policies can be set only at the domain level. The user can't use the $ symbol in the password. The user doesn't belong to the Engineering group.

Which of the following is not associated with an Active Directory tree?

A leaf object that can be linked to a GPO

Migration table

A list of security principals and UNC paths in a GPO that can be mapped to the security principals and UNC paths in a destination domain a GPO is being copied to.

Group Policy Object (GPO)

A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory. Can specify settings, deploy software, and configure a user's desktop. Can affect an entire domain, site, users or computers in an OU. Provides default security settings for all computers, including domain controllers, in the domain. Can be applied in four places: local computer, site, domain, and OU *Don't define any user specific policies.

GPO filtering

A method to alter the normal scope of a GPO and exclude certain objects from being affected by its settings.

Which of the following best describes a directory service?

A service similar to a database program but with the capability to manage objects

GPO enforcement

A setting on a GPO that forces inheritance of settings on all child objects in the GPO's scope, even if a GPO with conflicting settings is linked to a container at a deeper level. If multiple are set at different levels, the highest takes precedence.

SYSVOL folder

A shared folder that stores information from Active Directory that's replicated to other domain controllers.

WMI filtering

A type of GPO filtering that uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results.

Reinstall Windows on the workstation and create a new computer account in the domain.

A user is having trouble signing in to the domain from a computer that has been out of service for several months, and nobody else can seem to sign in from the computer. What should you try first to solve the problem? Disable the computer account, remove the computer from the domain, and rejoin it to the domain. Reset the computer account, remove the computer from the domain, and rejoin it to the domain. Reinstall Windows on the workstation and create a new computer account in the domain. Rename the computer and create a new computer account with the new name.

A service ticket

A user is signed in to a Windows Server 2016 domain from a Windows 10 computer and requests access to a shared folder. What must the user account request before the shared folder can be accessed? An access code A service ticket A KDC A TGT

Group Policy Modeling

A what-if tool for group policies

Which MMC is added after Active Directory installation? (Choose all that apply.)

ADSI Edit Active Directory Domains and Trusts

Domain

Account policies that affect domain logins can be defined only at the ______________ level.

Discretionary Access Control List (DACL) Object owner System access control list (SACL)

Active Directory object security settings are composed of three components (collectively referred to as the object's security descriptor):

Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account Accounts: Rename guest account Interactive logon: Do not display last user name Interactive logon: Do not require CTL + ALT + DEL Microsoft network server: Disconnect clients when logon hours expire

Additional Security Options commonly configured:

Which of the following is best described as policy definition files saved in XML format?

Administrative templates

Which of the following are built-in user accounts? (Choose all that apply.)

Administrator Guest

Folder Redirection node

Admins can use to redirect users' profile folders to a network share.

Object used to view detailed info about a container object Security used to view and modify an object's permissions Attribute Editor used to view and edit an object's attributes

Advanced features options in AD user and computers properties dialog box of domain, folder, and OU objects will have 3 new tabs when enabled?

scripts are replicated automatically and can be retrieved by clients from a DC in the domain. *will need GUID of GPO to locate the correct folder if stored in this folder

Advantage of using the SYSVOL share

single sign-on active directory search group policies remote management

Advantages to having users log on to computers that are domain members:

GPO status: Enabled Link status: Enabled GPO status: All Settings Disabled

After a GPO is created, which of the following are possible states for the new GPO? (Choose all that apply.) GPO status: Enabled GPO status: Unlinked Link status: Enabled GPO status: All Settings Disabled

Schema (objects and their attributes)

All domains in a forest share the same ____________. This is why some would like to operate w/ separate trusted forests.

Schema Global catalog

All domains in the same forest have which of the following in common? (Choose all that apply.) Domain name Schema Domain administrator Global catalog

Asynchronous processing

Allows displaying the user logon prompt while Computer Configuration policies are still being processed. You can force when a slow link is detected.

Organizational Unit (OU)

An Active Directory container used to organize a network's users and resources into logical administrative units. Contains active directory objects (user accounts, groups, computer accounts, printers, shared folder, applications, servers, and domain controllers). Example: each department

Block inheritance

An OU structure in your domain has one OU per department, and all the computer and user accounts are in their respective OUs. You have configured several GPOs defining computer and user policies and linked the GPOs to the domain. A group of managers in the Marketing Department need different policies that differ from those of the rest of the Marketing Department users and computers, but you don't want to change the top-level OU structure. Which of the following GPO processing features are you most likely to use? WMI filtering GPO enforcement Block inheritance Loopback processing

Domain Admins is the owner of the QandA OU.

An account named SrAdmin created an OU named QandA under the Operations OU. Which of the following is true by default? SrAdmin has all standard permissions except Full control for the QandA OU. Domain Admins is the owner of the QandA OU. The Everyone group has Read permission to the QandA OU. SrAdmin is the owner of the QandA OU and all objects created inside it.

Delegation settings Security filtering settings WMI filter links

An administrator has just backed up a GPO to save specific policy settings. Which of the following additional settings and information were also backed up in this procedure? (Choose all that apply.) Delegation settings Security filtering settings Network Policy Updates WMI filter links

Group Policy caching

An administrator would like to configure a computer to load policy information that is stored locally to speed system start-up. What client-side feature should the administrator select? Locals processing Group Policy caching WMI filtering Network Location Awareness

directory service

An application that stores, organizes, and provides access to information in a directory.

Client-side extension (CSE)

An extension to the standard group policy client that applies specific types of group policy settings to client computers. Activated when group policy determines that a GPO should be downloaded. Used to apply group policy preferences

By default, when are policies set in the User Configuration node applied?

At user Logon

A domain user signing in to the domain becomes a member of which special identity group?

Authenticated Users

domain GPOs

Better for a singular site and domain environment. Group Policy Objects stored in Active Directory on domain controllers. They can be linked to a site, a domain, or an OU and affect users and computers whose accounts are stored in these containers.

At user logon

By default, when are policies set in the User Configuration node applied? At computer restart Immediately At user logon Every 5 minutes

Enterprise Admins

Can add or remove domains from the forest and have administrative access to every domain in the forest.

Policy-based QoS node

Can be used to prioritize and control outgoing network traffic from a computer.

Which of the following is associated with an Active Directory forest? (Choose all that apply.)

Can contain trees with different naming structures Allows independent domain administration Represents the broadest element in Active Directory

Members of property

adds the target group to group on the list that it isn't already a member of

Kerberos Delegation

allows a server to impersonate a client so that the client doesn't have to authenticate to more than one server; the server uses the client's credentials to authenticate to other services on the client's behalf.

Restricted Group Policy

allows an administrator to control the membership of both domain groups and local groups on member computers

GPO

an object containing policy settings that affect user and computer operating environments and security. Can be local or AD objects. Contains policy settings for managing many aspects of domain controllers, member servers, member computers, and users. Focus on a category of settings, then name when creating.

Audit Policy (in local policies)

applies to what users can and can't do on the local computer to which they log on. Admins can audit events such as logon and logoff, file and folder access, Active Directory access, and system and process events. Events are listed in the Security log.

User Rights Assignment Policies (under local policies)

are defined actions users can take on domain controllers.

Computer Configuration (GPP)

are refreshed every 90 minutes or when computer restarts

User Configuration (GPP)

are refreshed every 90 minutes or when user logon

Domain GPOs

are stored in Active Directory on domain controllers

Local GPOs

are stored on local computers, and are edited via the Group Policy Object Editor snap-in

Security Templates

are text files w/ an .inf extension that contain information to define policy settings in the ComputerConfiguration\Policies\WindowsSettings\Security Settings node. Used to create & deploy security settings to a local or domain GPO, and to verify current security settings on a computer against its settings.

Security groups

are the main AD objects administrators use to manage network resource access and grant rights to users. Only these can be added to a DACL (domain access control list)

/force - all settings from all applicable GPOs are reapplied
/wait:value - specifies the # of seconds the command should wait for policy processing to finish before returning to the command prompt
/logoff - the user is logged off after policy processing is finished
/boot - the computer restarts after policy processing is finished
/sync - causes synchronous processing during the next computer restart or user logon
/target:Computer or User - specify that you want only computer or user policy settings to be updated

gpupdate.exe command used to update group policy switches:

Child domains (sub-domains)

have the same second-level and top-level domain names as the parent domain.

contact

if it is part of a security group that is assigned permission to a resource, it does not make use of the permissions (it is not a security principal)

Security Account Manager (SAM)

is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

Active Directory Objects

is a group of information that describes a network resource, such as a shared printer, an organizing structure, such as domain or OU; or an account, such as user, group, or computer.

Starter GPO

is a template for creating GPOs (not a GPT)

Group Policy Container (GPC)

is stored in the System\Policies folder; stores GPO properties and status information but no policy settings; uses a GPO's GUID for a folder name; replicated w/ Active Directory

domain local group

is the main security principal recommended for assigning rights and permissions to domain resources. In a single domain environment, or when users from only one domain are assigned access to a resource, use AGDLP: Accounts are made members of Global groups, which are made members of Domain Local groups, which are assigned Permissions to resources.

OU (Organizational Unit)

is the primary container object for organizing and managing resources in a domain. Used to organize objects into logical administrative groups. Can use to apply policies that affect all objects in it. In ADUC represented by folder w/ book inside.

published

isn't installed automatically, a link to install the application is available in Control Panel's Programs & Features

Active Directory Users and Computers (ADUC)

most popular GUI tool among administrators, has two panes.

What process makes one group a member of another group?

nesting

group policy

powerful tool for network admins to manage domain controllers, member servers, member computers, and users

Group type

property of a group that defines it as a security group or distribution group

Ticket-Granting Ticket (TGT)

provides proof that a sub has authenticated thru a KDC and is authorized to request tickets to access other obj's -this is enc'd and includes a symm key, expiration time

Group Managed Service Accounts (gMSA)

provides the same functions as an MSA but can be managed across multiple servers.

DAP

required (OSI) Open Systems Interconnection protocol stack for accessing directory objects.

User Account Control Policies (of Security Options in Local Policies)

should be configured right away. determines what happens on a computer when user attempts to perform an action that requires elevation.

Top Node

shows the server and domain being managed.

Virtual Accounts (managed local accounts)

simplest service account to use. Configure the service to log on as NT Service\ServiceName w/ no password. Access the network w/ the credentials of the computer account where they're used. A simple type of service account that doesn't need to be created, deleted, or managed by an administrator.

User Configuration node in Software Installation extension

software packages can be assigned to target computers and deployed to users by being published or assigned. configure logon/logoff scripts

Settings in local GPOs

that are inherited from domain GPOs can't be changed on the local computer. that are undefined or not configured by domain GPOs can be edited locally.

Kerberos

the authentication protocol used in a Windows domain environment to authenticate logons and grant accounts access to domain resources. Provides mutual authentication. The basis for authorization to network resources in a Windows domain. Uses shared key encryption.

Scope and inheritance

the scope of a group defines which users and computers are affected by its settings

global group

used mainly to group users from the same domain w/ similar access or rights requirements. can be made a member of a domain local group in any domain in the forest or trusted domain in other forests. created for each dept, location, or both in a single-domain environment, can be added to domain local groups for assigning resource permissions

batch file (.bat extension)

used to create command scripts, which are a series of commands saved in this file

distribution group

used to group users together (usually to send emails to several ppl at once: Microsoft Exchange)

Group Policy Management console (GPMC)

used to view, create, manage GPOs

Group Policy Object Editor

what snap-in do you add to access GPOs on these? Local Administrators GPO Local Non-Administrators GPO User-specific GPO

unmanaged policy setting

when a group or user group policy settings is in the scope of a GPO it is managed by GPO. What type of scope is changed to its original configuration outside the GPO? managed policy settings unmanaged policy settings log on locally none of these

Create a global group and add the three users as members. Configure GPO security filtering so that the global group is denied access to the GPO.

You have created a GPO named RestrictU and linked it to the Operations OU (containing 30 users) with link order 3. RestrictU sets several policies in the User Configuration node. After a few days, you realize the Operations OU has three users who should be exempt from the restrictions in this GPO. You need to make sure these three users are exempt from RestrictU's settings, but all other policy settings are still in effect for them. What's the best way to proceed? Set the Enforced option on RestrictU with a WMI filter that excludes the three user accounts. Create an OU under Operations, and move the three users to this new OU. Create a GPO and link it to this new OU. Configure the new OU to block inheritance of the RestrictU GPO. Move the three users to a new OU. Create a GPO with settings suitable for the three users, and link it to the new OU. Create a global group and add the three users as members. Configure GPO security filtering so that the global group is denied access to the GPO.

GPO enforcement

You have created a GPO that sets certain security settings on computers. You need to make sure that these settings are applied to all computers in the domain. Which of the following GPO processing features are you most likely to use? GPO enforcement Loopback processing WMI filtering Block inheritance

On ldsServ1, run the Install-ADServiceAccount cmdlet.

You have created an MSA on DC1 to run a service on the ldsServ1 server. What's the last thing you should do before using the Services MMC to configure the service to use the new MSA? On DC1, run the Install-ADServiceAccount cmdlet. On DC1, run the Add-ADComputerServiceAccount cmdlet. On ldsServ1, run the Install-ADServiceAccount cmdlet. On ldsServ1, run the Add-ADComputerServiceAccount cmdlet.

Domain local

You have decided to follow Microsoft's best practices to create a group scope that will allow you to aggregate users with similar rights requirements. Which group scope should you initially create? Universal Global Local Domain local

Create a group and add the servers' computer accounts to it. Run the New-ADServiceAccount cmdlet.

You have four servers running a service in a load-balancing configuration, and you want the services on all four servers to use the same service account. What should you do? Move the four servers' computer accounts to the Managed Service Accounts folder in Active Directory. Run the New-gMSAServiceAccount cmdlet and specify the four servers in the SPN. Run the New-ADServiceAccount cmdlet and configure constrained Kerberos delegation. Create a group and add the servers' computer accounts to it. Run the New-ADServiceAccount cmdlet.

In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control.

You have hired a new junior administrator and created an account for her with the logon name JrAdmin. You want her to be able to reset user accounts and modify group memberships for users in the Operations department whose accounts are in the Operations OU. You want to do this with the least effort and without giving JrAdmin broader capabilities. What should you do? Open the Operations Security tab and add JrAdmin to the DACL. In Active Directory Administrative Center, right-click the Operations OU, click Properties, and click Managed By. In Active Directory Users and Computers, right-click the Operations OU and click Delegate Control. Add JrAdmin to the Password Managers domain local group.

You need to configure the firewall on the computers.

You have just finished configuring a GPO that modifies several settings on computers in the Operations OU and linked the GPO to the OU. You right-click the Operations OU and click Group Policy Update. You check on a few computers in the Operations department and find that the policies haven't been applied. On one computer, you run gpupdate and find that the policies are applied correctly. What's a likely reason the policies weren't applied to all computers when you tried to update them remotely? You need to configure the firewall on the computers. The Computer Configuration node of the GPO is disabled. A security filter that blocks the computer accounts has been set. The Operations OU has Block Inheritance set.

Run the Get-ADComputer and Invoke-GPUpdate PowerShell cmdlets.

You have just made changes to a GPO that you want to take effect as soon as possible on several user and computer accounts in the Sales OU. Most of the users in this OU are currently signed in to their computers. There are about 50 accounts. What's the best way to update these accounts with the new policies as soon as possible? Use the gpupdate /target:Sales /force command. Configure a script preference that runs gpupdate the next time the user signs out. Run the Get-ADComputer and Invoke-GPUpdate PowerShell cmdlets. Configure the GPO to perform foreground processing immediately.

Set the Logon Hours options for their user accounts.

You have noticed the inappropriate use of computers for gaming and Internet downloads by some employees who come in after hours and on weekends. These employees don't have valid work assignments during these times. You have been asked to devise a solution for these employees that doesn't affect other employees or these employees' computers during working hours. What's the best solution? Before you leave each evening and before the weekend, disable these employees' accounts and re-enable them the next working day. Request that the Maintenance Department change the locks on their office doors so that they can enter only during prescribed hours. Set the Logon Hours options for their user accounts. Install personal firewall software on their computers in an attempt to block the gaming and Internet traffic.

Migration table

You manage a multidomain forest with domains named DomainA and DomainB. You want to use the GPOs from DomainA in DomainB without having to reconfigure all GPOs. What do you need to configure? Delegation GPO backup and restore Migration table RSoP

Run Group Policy Modeling.

You need to move some user and computer accounts in Active Directory, but before you do, you want to know how these accounts will be affected by the new group policies they'll be subject to. What can you do? Run RSoP in logging mode. Run secedit.exe with the planning option. Run Group Policy Modeling. Run Group Policy Results.

d. 0

You want the account lockout duration to be indefinite using the Account lockout duration policy. What is the number that you should specify to enable this? a. 4 b. 5 c. 3 d. 0 e. 2 f. 1

Search-ADAccount -LockedOut

You want to collect information about the locked-out user accounts in the domain. Which of the following commands should you use? Account -LockedOut Search-ADAccount -LockedOut Search-LockedOut Search-AD -LockedOut

gpresult

You want to create an HTML report that shows which policies and GPOs are applied to a particular user and computer. Which command should you use? rsop gpresult gpupdate Invoke-GPReport

Configure a WMI filter on the GPO that specifies Windows 8 as the OS. Link the GPO to the domain.

You want to create policies in a new GPO that affect only computers with Windows 8 installed. You don't want to reorganize your computer accounts to do this, and you want computers that are upgraded to Windows 10 to fall out of the GPO's scope automatically. What can you do? Create a group called Win8Computers. Place all computer accounts representing computers with Windows 8 installed in this group and use this group in a security filter on the GPO. Link the GPO to the domain. For each policy, use selective application to specify Windows 8 as the OS. Configure a WMI filter on the GPO that specifies Windows 8 as the OS. Link the GPO to the domain. Create a new OU, place all computer accounts representing computers with Windows 8 installed in this OU, and link the GPO to this O

Delete the system account from Active Directory Users and Computers

You want to remove a computer from the domain and then perform an offline join. To do this, you remove the system using the Remove-Computer command on the PowerShell on the system. What is the next step that you should perform? Delete the system account from Active Directory Users and Computers Run the djoin.exe on the domain controller Copy the offline metadata file on the system Restart the system

In Active Directory Users and Computers, click View, Advanced Features.

You want to see the permissions set on an OU, so you open Active Directory Users and Computers, right-click the OU, and click Properties. After clicking all the available tabs, you can't seem to find where permissions are set in the Properties dialog box. What should you do? Right-click the OU and click Security. In the Properties dialog box, click the Advanced button. Log on as a member of Enterprise Admins and try again. In Active Directory Users and Computers, click View, Advanced Features.

-WhatIf

You want to see what a PowerShell cmdlet does without executing it. Which parameter will accomplish this? -Help -WhatIf -Get-Help -Add

Run gpofix.

You were hired to fix problems with group policies at a company. You open the GPMC to look at the default GPOs and see that extensive changes have been made to both. You want to restore settings to a baseline so that you know where to start. What should you do? Delete the default GPOs and create new GPOs with the same names. Run gpofix. Run gpupdate /revert. Create a domain and use GPO migration

On a domain controller, configure constrained delegation on the service account.

You're configuring a web-based intranet application on the WebApp server, which is a domain member. Users authenticate to the web-based application, but the application needs to connect to a back-end database server, BEdata, on behalf of users. What should you configure? On the WebApp server, create a local user account, and grant it permission to BEdata. Create an MSA on WebApp, and run Add-ADComputerServiceAccount with BEdata as the target. On the BEdata server, assign the Authenticate Users permission to the database files. On a domain controller, configure constrained delegation on the service account.

The time zone on the California server needs to be changed.

You're the network administrator for several Windows Server 2016 servers in New York. Your company just opened an office in California, and you sent one of the servers to the new office. The server was up and running within 2 days after you sent it. Now you're having authentication problems between the server in California and the domain controllers in New York. There's nothing wrong with the WAN connection, and you never had problems with the California server before, which seems to operate okay in every other way. What's a possible cause of this problem? The authentication protocol is incorrect. The time zone on the California server needs to be changed. The computer account needs to be reset. The California server's hard drive was damaged in the move.

Domain Controller (DC)

a configured server/computer running Windows 2016 w/ Active Directory Domain Services role. Can service only one domain.

GPO

a list of settings administrators use to configure user & computer operating environments remotely

Multiple

a multinational organization will generally have __________ domains. One Two Three Multiple

Active Directory site

a physical location in which domain controllers communicate and replicate information periodically. One or more IP subnets connected by high-speed LAN technology. Each physical location with a domain controller operating in a common domain connected to a WAN

Elevation

a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials.

Timestamp

a record of the time a message is sent; used in Kerberos to determine a message's validity and prevent replay attacks.

script

a series of commands saved in a text file to be repeated easily at any time

X.500

a suite of protocols developed by the International Telecommunication Union (ITU); the basis for the structure of Active Directory and for how its objects are named and stored.

Service Account

a user account that Windows services use to log on to a computer or domain w/ a specific set of rights and permissions. The OS manages their passwords.

auditpol.exe

command-line tool that gives more control over the types of events that are audited. Manages audit policies from the command line. Use /get /category:* to list all audit policy subcategories.

Active Directory Physical Structure

consists of sites and servers configured as domain controllers.

Group Policy Template (GPT)

contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller. Uses a GPO's GUID for a folder name.

msi files (.msi extension)

contains the instructions Windows Installer needs to install the application correctly.

universal group

contains users from any domain in the forest and can be assigned permission to resources in any domain in the forest. Can be a member of other universal groups or domain local groups from any domain in the forest. Membership information is stored only on global catalog servers.

Member property

controls which accounts can be members of the group

Lightweight Directory Access Protocol (LDAP)

created by the Internet Engineering Task Force (IETF), based on the X.500 Directory Access Protocol (DAP), but uses TCP/IP.

computer accounts

created in AD when a client computer becomes a member of a domain or a user changes the computer membership from workgroup to domain. Is a security principal w/ an SID and a password and must authenticate to the domain.

Schema

defines Active Directory's contents and the functions it performs in your network. Defines the type, organization, and structure of data stored in the Active Directory database and is shared by all domains in an Active Directory forest.

Schema Classes

define what types of objects can be stored in Active Directory (user & computer accounts)

Which commands can you use together to change attributes of several users at once?

dsquery and dsmod

Group Policy Preference. Both Computer Configuration & User Configuration nodes have 2 subfolders: Windows Settings & Control Panel Settings. Computers must have Group Policy Preference Client Side Extensions (GPP CSE) to recognize and download settings in the Preference folder when processing group policies.

enable administrators to set up a baseline computing environment yet still allow users to make changes to configured settings. must create when want to deploy

Managed Service Account (MSA)

enables administrators to manage rights & permissions for services but w/ auto password management.

File System node

enables an administrator to configure permissions and auditing on files and folders on any computer in the GPO on which the policy is configured.

Folder Redirection (there are 13 folders you can redirect)

enables an administrator to set policies that redirect folders in a user's profile directory. Applies strictly to user accounts and is found only under the User Configuration node.

Password Settings Object (PSO) Also known as msDS-PasswordSettings.

enables an administrator to configure password settings for users or groups that are different from those defined in a GPO linked to the domain. Enables the use of Fine-Grained Password Policies.

Item level targeting

enables you to target specific users or computers based on criteria

Replication

ensures that all domain controllers have a current copy of each GPO

Administrator template files

collection of files in XML format referred to as ADMX files (.admx extension, or .adml for the language-specific user interface). XML-formatted text files that define policies in the Administrative Templates folder in a GPO. Options: computer configuration settings; user configuration settings; the ADMX central store; Administrative Templates property filters; custom administrative templates; migrating administrative template files.

redircmp.exe. Example: to change the location for computer accounts to the MemberComputers OU in the csmtech.local domain: redircmp ou=MemberComputers,dc=csmtech,dc=local

command to change default computer account location using command-line?

auditpol /clear

command to clear all audit policy subcategories so that auditing is controlled only by Group Policy

gpedit.msc

command to open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes

Directory Services Restore Mode (DSRM)

boot mode used to perform restore operations on Active Directory if it becomes corrupted or parts of it are accidentally deleted.

assigned

can be installed automatically when the user logs on to a computer in the domain.

Active Directory Administrative Center (ADAC)

central console for performing Active Directory tasks: creating & managing user, group, and computer accounts; managing OUs; connecting to other domain controllers in the same or a different domain; changing a domain's functional level; and enabling the Active Directory Recycle Bin. Built on PowerShell; can use the Windows PowerShell history pane.

