Adv Server Chp 3-4 Study Guide

74. What option under the folder redirection settings redirects everyone's folder to the same location?

Basic

15. Timestamps within Kerberos are used to help guard against what type of attack?

Replay attack

84. What policy allows an administrator to control the membership of both domain groups and local groups on member computers?

Restricted Groups

37. What type of account provides the same functions as managed service accounts but can be managed across multiple servers as in a server farm or a load-balancing arrangement?

group managed service account

11. The Default Domain Policy sets the maximum password age to what value?

42 days

24. By default, the maximum tolerance for computer clock synchronization is set to what value?

5 minutes

17. By default, what is the maximum period during which a TGT can be renewed?

7 days

27. How can an administrator test an MSA to ensure that it can access the domain with its current credentials, or can be installed on a member computer?

By using the Test-ADServiceAccount cmdlet

60. A published application can be installed automatically.

False

26. What PowerShell cmdlet can be used to show an MSA's properties?

Get-ADServiceAccount

31. What specific tool allows you to create GPOs, view a GPO's settings, link and unlink GPOs with containers, and manage the inheritance settings of GPOs?

Group Policy Management console

72. Settings under the User Configuration node affect what Registry key?

HKEY_LOCAL_USER

20. If using virtual accounts to access the network, how are permissions added to a network resource to allow the virtual account access?

The resource must have proper permissions set for ComputerName$, where ComputerName is the name of the computer attempting to access the resource.

52. Local GPOs are edited with the gpedit.msc tool.

True

12. Select the Account Lockout Policy item that determines how many failed logins can occur on an account before the account is locked.

Account lockout threshold

87. What type of application can be installed automatically when the user logs on to a computer in the domain?

Assigned

77. What tool within Windows Server 2016 must be used in order to change the default auditing settings?

Auditpol.exe

63. The standard DACL for a package object assigns read permissions to what group by default?

Authenticated Users

68. How often are computer and user policies applied after a user has logged into a computer?

Every 90 minutes

1. The GPO policy defines which objects a GPO affects.

False

10. When a client wants to connect to a service, it finds the service based solely on the instance name.

False

4. Kerberos policies, found in a GPO, control settings related to user authentication and logon.

False

53. Administrative template files are in HTML format, using the .admx extension.

False

55. The Backup Operators group is a group in local computers only.

False

56. The Security Configuration and Analysis snap-in cannot be used to apply a security template to a computer.

False

8. A managed service account (MSA) enables administrators to manage rights and permissions for services but with strict manual password management policies.

False

76. If a domain consists of DCs that are running versions of Windows Server earlier than Windows Server 2008, what replication method is used?

File Replication Service (FRS)

19. Select below the option that is not one of the three built-in service accounts.

Local Operator

35. What setting specifies how long a service ticket can be used before a new ticket must be requested to access the resource for which the ticket was granted?

Maximum lifetime for service ticket

23. Which command line utility below can be used to change an SPN?

Setspn

71. In the User Configuration node, where are policies that determine whether a user can publish DFS root folders in Active Directory?

Shared Folders

80. After running the Security Configuration and Analysis snap-in with a template, what does a check mark in a green circle mean?

The template policy and current computer policy are the same

5. Account policies set in GPOs linked to an OU containing computer accounts affect only local user accounts defined in the computer's SAM database.

True

54. User Account Control policies determine what happens on a computer when a user attempts to perform an action that requires elevation.

True

57. If you want to create a security template using a baseline of settings from an existing desktop computer or server, you can begin by opening secpol.msc.

True

58. The Restricted Groups policy, under Security Settings, controls group membership for both domain groups and local SAM groups.

True

59. Command scripts are just a series of commands saved in a file with a .bat extension.

True

6. Mutual authentication means that the identity of both parties is verified.

True

7. A service account is a user account that Windows services use to log on to a computer or domain with a specific set of rights and permissions.

True

44. What is the difference between domain user accounts created on a domain controller, and user accounts stored within a SAM database?

a. Domain user accounts enable users to sign in to any computer that's a domain member in the AD forest. They provide access to domain resources and other trusted entities for which the account has permission, can be managed by group policies, and are subject to account policies linked to the domain.
b. A user account stored in the SAM database is for a local computer only. The user can only sign in to and access resources on that specific computer.

91. What is the difference between a managed policy setting and an unmanaged policy setting?

a. Managed policy setting: the setting on the user or computer account reverts to its original state when the object is no longer in the scope of the GPO containing the setting.
b. Unmanaged policy setting: persists on the user or computer account, meaning that it remains even after the computer or user object falls out of the GPO's scope.

41. Using the default setting "Password must meet complexity requirements," what constitutes a valid password?

a. At least 6 characters (or meeting the minimum password length policy, whichever is longer)
b. Doesn't contain more than 2 consecutive characters found in the user's account name or full name
c. Must contain characters from 3 of these 4 categories: uppercase letters, lowercase letters, numbers, and symbols ($, @, !, and so on)

81. How can an administrator remove all audit policy subcategories so that auditing is controlled only by Group Policy?

auditpol /clear

32. What option limits the delegation to specific services running on specific computers?

constrained delegation

21. In order to force a computer to immediately download and apply all group policies, what command should be run?

gpupdate /force

30. What Active Directory object enables an administrator to configure password settings for users or groups that are different from those defined in a GPO linked to the domain?

password settings object

33. What Active Directory object enables an administrator to configure password settings for users or groups that are different from those defined in a GPO linked to the domain?

password settings object

90. What enables you to target specific users or computers based on criteria?

Item-level targeting

62. ADMX and ADML files are placed under what directory within Windows?

%systemroot%\PolicyDefinitions

9. The built-in service account, Local System, is intended primarily for services and background applications that need few rights and privileges.

False

66. An administrative template file using what file extension provides a language-specific user interface in the Group Policy Management Editor?

.adml

61. A transform file utilizes what file name extension?

.mst

78. By default, how many previous logons are cached locally to a computer?

10

16. A service ticket by default lasts for how long?

10 hours

88. Each Group Policy Object is assigned a globally unique identifier (GUID) of what length?

128 bits

99. What is the ADMX central store, and what critical function does it provide?

A centralized location for maintaining ADMX files so that when an ADMX file is modified from one domain controller, all DCs receive the updated file.

43. What is a virtual account?

A simple type of service account that doesn't need to be created, deleted, or managed by an administrator.

36. Which of the following tools allow you to create a password setting object? (Choose all that apply.)

ADAC, PowerShell, ADSI Edit

97. How can ADM files be adapted to be used with the central store provided by AD?

ADM files can be migrated to ADMX format so they can be used with the central store.

46. How can non-administrative user accounts or groups be given the ability to manage a PSO?

Add them to the discretionary access control list (DACL) and give them read and write permissions

96. When changes are made to an existing GPO that is already linked to an Active Directory container, how soon do the changes in policy settings take effect?

Changes in policy settings take effect as soon as client computers download them.

82. Under the Computer Configuration, which folder contains settings related to the Regional and Language Options, User Accounts, and Personalization options?

Control Panel

28. What policy is a GPO linked to the Domain Controllers OU and specifies the default policy settings for all domain controllers?

Default Domain Controllers Policy

79. What Active Directory replication method makes use of remote differential compression (RDC)?

Distributed File System Replication (DFSR)

40. Which of the following options are valid configuration options in the Kerberos Delegation tab? (Choose all that apply.)

Do not trust this user for delegation, Trust this user for delegation to any service, Trust this user for delegation to specified services only

93. Where are domain GPOs stored, and where can they be linked?

Domain GPOs are stored in Active Directory on domain controllers. They can be linked to a site, a domain, or an OU.

65. Which of the following is not one of the criteria that can be used within an administrative templates filter?

Enable Action Filters

45. Why is it important for a client computer to maintain clock synchronization with domain controllers?

If the time difference falls outside the maximum tolerance, the message is considered invalid.

95. What benefit does using folder redirection in conjunction with roaming profiles have?

It decreases the network bandwidth needed to upload and download a user's roaming profile.

98. What is the Security Configuration and Analysis snap-in used for?

It is useful for checking a computer's existing security settings against the known settings in security template files that have been imported into a security database. It can also be used to apply a security template to a computer.

34. What specific authentication protocol is used in a Windows domain environment to authenticate logons and grant accounts access to domain resources?

Kerberos

92. Where are local GPOs stored, and how can they be edited?

Local GPOs are stored on local computers and can be edited with the Group Policy Object Editor snap-in added through MMC or gpedit.msc.

69. Within the Security Configuration and Analysis snap-in, what does an exclamation point in a white circle indicate?

Policy doesn't exist on the computer

39. What configuration tool must be used to create and manage MSAs?

PowerShell

70. If a central store for policy definition files has been created, where should the PolicyDefinitions folder reside?

SYSVOL folder

86. Which of the following is a series of commands saved in a text file to be repeated easily at any time?

Script

89. Which of the following are text files with a .inf extension that contain information for defining policy settings in the Computer Configuration\Policies\Windows Settings\Security Settings node of a local or domain GPO?

Security templates

100. What functions does the File System node allow an administrator to perform?

Sets NTFS permissions and controls auditing and inheritance on files and folders on target computers

94. How can starter GPOs be shared with other administrators?

Starter GPOs can be shared by placing them in cabinet (CAB) files.

85. What Security Settings policy manages the startup mode and security settings of services on target computers?

System Services

22. Approximately 42 days after a service was configured to use a normal user account, the service has stopped working and refuses to run. An administrator has verified that the account still exists on the domain. Assuming default domain policy settings, what could be the issue?

The user account password expired

47. What is the advantage of using a built-in service account?

There are a few options for an administrator to configure different rights and permissions for different services and the accounts are shared among several services. The OS manages the password automatically. An admin can create a regular account for use by a service and manage rights and permissions for this account.

49. The service name component of a valid SPN generally consists of what information?

This element is usually the DNS name of the host providing the service.

29. Select the term that is a record of the time a message is sent and is used in Kerberos to determine a message's validity and prevent replay attacks.

Timestamp

2. The Default Domain Policy is linked to the domain object and specifies default settings that affect all users and computers in the domain.

True

3. Account policies are set in the Local Security Policy MMC on computers that aren't domain members.

True

51. A Group Policy Container (GPC) stores GPO properties and status information, but no actual policy settings.

True

64. What type of policy setting is persistent, remaining even after a computer or user object falls out of a GPO's scope until it's changed by another policy or manually?

Unmanaged policy setting

50. How is a ticket-granting ticket utilized?

When an account successfully authenticates with a domain controller, the account is issued a TGT. A TGT grants an account access to the domain controller and is used to request a service ticket without having to authenticate again.

48. Under what condition is the ability to specify a Kerberos delegation available?

When you use a domain account as a service account and the account has been assigned an SPN

83. What folder within the Computer Configuration node contains settings related to Event Viewer, File Explorer, Windows PowerShell, and Windows Update?

Windows Components

25. For automatic SPN support, what must the domain functional level be?

Windows Server 2008 R2 or higher

42. What does a service principal name (SPN) consist of?

a. Service type b. Instance name c. Port number d. Service name

