Testout ch 5


IT administrators can use Azure Active Directory for which of the following management strategies? -User access control through Group Policy objects. -Directory control through organizational units. -Authentication through Kerberos or NTLM protocols. -Automation of user provisioning between existing Windows server Active Directory and cloud-based apps.

-Automation of user provisioning between existing Windows server Active Directory and cloud-based apps.

Which of the following authentication services do current subscribers of Microsoft 365, Office 365 and Dynamic CRM already have an account with? -DNS server -Azure Active Directory -Kerberos authentication -Active Directory Domain Services

-Azure Active Directory

Which of the following is a benefit offered by Azure Active Directory to application developers? -By using Azure AD, application developers can integrate a user's preexisting credentials into the app for single sign-on authentication. -By using Azure AD, application developers can implement Kerberos authentication for secure sign-on for users. -By using Azure AD, application developers can create domains, trees, and forests for managing user data. -By using Azure AD, application developers can use schema extensibility to replicate changes to the user experience with each application update.

-By using Azure AD, application developers can integrate a user's preexisting credentials into the app for single sign-on authentication.

You attempt to run a program but don't have full access to all features. Which options let you run the program with needed permissions using the least amount of effort? (Select two.) -Change your account type to Administrator. -Enable Secondary Logon and run as a privileged user. -Adjust the permissions of the program to include your local account. -Log out and log back in as a local administrator. -Right-click the program shortcut and select Run as administrator.

-Enable Secondary Logon and run as a privileged user. -Right-click the program shortcut and select Run as administrator.

Which of the following is true of groups on a Windows system? -Group members have the access rights that are assigned to the group. -Users and local resources, such as printers and shared folders, can be made members of a group. -Users can log on as a group and have all the assigned access rights. -A group allows multiple users to share a single logon.

-Group members have the access rights that are assigned to the group.

You have been assigned to the Performance Log Users group for several Windows 11 workstations. Which of the following are you allowed to do on those workstations? (Select two.) -Schedule logging of performance counters. -Manage the system's network configuration. -Perform cryptographic operations. -Access the workstations remotely using Remote Desktop Client. -Enable trace providers.

-Schedule logging of performance counters -Enable trace providers

Which of the following are characteristics of built-in Active Directory (AD) containers that make them different from other AD containers? (Select two.) -They cannot be moved, renamed, or deleted. -They are created by the AD administrator. -They have very few editable properties. -They can only hold leaf objects. -They cannot hold other objects.

-They cannot be moved, renamed, or deleted. -They have very few editable properties.

What are the requirements for implementing Credential Guard?

-Windows 10 Enterprise or Education
  *64-bit edition
  *Hyper-V
  *Windows Secure Boot
-CPU includes virtualization extensions
  *For Intel CPUs: VT-x
  *For AMD CPUs: AMD-V
-CPU supports Second Layer Address Translations (SLAT)
-Virtualization enabled in the UEFI firmware
-Motherboard has a Trusted Platform Module (TPM) chip

What are some benefits to using Azure Active Directory?

-Centralization of user management -Increased security, because it eliminates the need for all the various applications to keep a database of the users' credentials

You need to run the zip.exe executable on your Windows system as the Admin (a member of the Administrators group) on your system. To accomplish this, which option should you use with the runas command? /noprofile /savecred /profile /user:Admin

/user:Admin

What are the advantages of a workgroup?

1- It's easy. 2- You don't have to purchase any specialized equipment.

Virtual Secure Mode (VSM)

A Windows feature that uses virtualization extensions of the Central Processing Unit (CPU). This mode protects data in memory from malicious attacks.

Local Security Authority (LSA)

A Windows sub-security process that authenticates to the local system, stores security-related information, and creates access tokens.

Which of the following BEST describes Azure Active Directory? -A cloud-based authentication service. -An on-premises directory service. -A cloud-based domain service managed by Microsoft. -A directory and access service which offers control through Group Policy objects.

A cloud-based authentication service.

Identity as a Service (IDaaS)

A cloud-based identity and access management service provided by a third party.

Azure Active Directory Domain Services (Azure AD DS)

A cloud-based implementation of domain services, such as Windows Domain Join, Group Policy, LDAP, and Kerberos authentication.

Group

A collection of user accounts you can use to assign rights and permissions to multiple users.

Windows Secure Boot

A component of the Windows operating system that helps protect the system during the startup or boot process.

Which of the following is true of a domain controller? -A domain controller can be a member of multiple domains. -Only certain domain controllers can make changes to the Active Directory database. -A domain controller is a Windows server that holds a copy of the Active Directory database. -A domain can contain only one domain controller.

A domain controller is a Windows server that holds a copy of the Active Directory database.

Directory Services

A hierarchical structure that contains objects and information for a network that can be accessed by network users or administrators.

Single sign-on (SSO)

A method of authenticating to multiple applications or resources with one set of credentials.

Active Directory object

A network resource such as a user account, group, application, or a device.

On-premises server

A physical server at an organization's physical location.

How does Azure Active Directory differ from AD DS and Azure AD DS?

AD DS-
*On-premises
*Authentication
*Configuration
*Hierarchical structure = forests, trees, domains
*Organizational units
*LDAP, Kerberos, NTLM
*Domain controller
*Schema extensibility

Azure AD-
*IDaaS
*Cloud-based authentication
*Access external resources
*Access internal resources
*OAuth, SAML
*No Group Policy objects, no organizational units
*Can sync with AD DS for hybrid service

Azure AD DS-
*Cloud-based IDaaS
*Kerberos, NTLM, LDAP
*Microsoft maintains AD on 2 DCs
*No domain admin rights
*Access external resources
*Access internal resources
*Limited Group Policy support
*No forest, trees or on-premises domains

What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information? -Active Desktop -Active Directory -Access -SQL

Active Directory

Which of the following are features of Azure Active Directory? (Select three.) -An on-premises directory service. -Uses Windows Challenge/Response (NTLM) for authentication. -An Identity as a Service (IDaaS). -Can provide authentication through Security Assertion Markup Language (SAML). -A flat system (not hierarchical). -A hierarchical system with forests, trees, and domains. -Uses Lightweight Directory Access Protocol (LDAP) for authentication.

-An Identity as a Service (IDaaS). -Can provide authentication through Security Assertion Markup Language (SAML). -A flat system (not hierarchical).

User Account

An account that identifies a specific user. You can assign rights and permissions to a user account.

Domain

An administratively defined collection of network resources that share a common directory and security policies.

What is an organizational unit (OU)?

An organizational unit is like a folder that subdivides and organizes network resources within a domain.

Which of the following is true of an organizational unit (OU)? -An organizational unit is like a folder that subdivides and organizes network resources within a domain. -An organizational unit cannot be created, moved, renamed, or deleted. -An organizational unit cannot contain other OUs. -An organizational unit has very few editable properties.

An organizational unit is like a folder that subdivides and organizes network resources within a domain.

If IT administrators want to create a hybrid directory service between Azure Active Directory and Active Directory Domain Services, they must use which of the following to create this hybrid service? -Azure Active Directory Domain Services -Dynamic CRM -Azure AD Connect -Microsoft 365

Azure AD Connect explanation: IT administrators must use Azure AD Connect to create a hybrid service between Azure Active Directory and Active Directory Domain Services.

You do not want any on-premises servers, and you want users to be able to sign in and access both internal and external resources. Which option would you select for user accounts? -Online user accounts -Local user accounts -Domain accounts -Azure AD accounts

Azure AD accounts

What is Azure Active Directory?

Azure AD is Microsoft's cloud based service for centralized authentication and access management. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

Jim is the network administrator for a large company with multiple offices. All the employees at the company need access to various services like the SQL database, machine learning, and Microsoft 365. Jim is spending a lot of time helping employees who have forgotten their credentials to the many different services they use for their jobs. Which of the following would be the BEST solution for Jim to implement to provide a single sign-on option for employees? -Active Directory Domain Services -Azure Active Directory -NTLM authentication -A DNS server

Azure Active Directory

SAML, OpenID, and OAuth 2.0 can be used by which of the following for cloud-based application authentication? -Organizational units -Azure Active Directory -Group Policy objects -Active Directory Domain Services

Azure Active Directory

Ben is developing a cloud-based application. He wants his application users to be able to use the same credentials that they use for their Microsoft 365 account. He also wants to use OpenID for a secure authentication process. Which of the following is the BEST match for what Ben wants? -Azure Active Directory -Kerberos Authentication Services -Azure Active Directory Domain Services -Active Directory Domain Services

Azure Active Directory explanation: Azure Active Directory would best match Ben's desire to integrate his cloud-based application to the same credentials as the users have for authenticating to Microsoft 365 through OpenID. Azure Active Directory Domain Services offers authentication through Kerberos, NTLM, or LDAP in a limited way. Active Directory Domain Services is an on-premises directory service that would not integrate with Ben's cloud-based application. AD DS offers a Kerberos authentication option and is an on-premises directory service. This option would not meet Ben's requirements.

How does Credential Guard work?

Credential Guard implements a technology called virtualization-based security (VBS). VBS is used to harden the LSA process running on the local workstation by blocking access to the data stored within the LSA. When you implement Credential Guard, you are placing the LSA process that's running on the host operating system inside a minimal virtual machine space. This prevents unauthorized processes running on the host system, like malware, from accessing the LSA process and compromising the tickets it stores.

What does Active Directory use to locate and name network objects? -Containers -DNS -IPv4 -Domain controller

DNS

You have used the runas command with the /savecred option to start an application on your Windows system. For security reasons, you have changed your mind and don't want to keep the password in Windows Vault. How can you delete the stored password? -Run the runas command with the /noprofile option. -From Credential Manager, remove the credential from the Vault. -From Credential Manager, remove the credential from the backed-up Vault. -Use Account Policies in Group Policy to change the Maximum password age policy setting.

From Credential Manager, remove the credential from the Vault.

You have a computer running Windows 11 Enterprise. The computer is a member of a domain. A file server on the network named Server1 runs Windows Server 2012 R2. You log onto the computer using an account named Fred. With the least amount of effort possible, you need to ensure that every time you connect to a shared folder on Server1, you authenticate using a domain account named Bill. What should you do? -From Credential Manager, select Add a Windows credential. -From Local Security Policy, modify the Access this computer from the network user right. -From the command line, run the runas /user:admin command. -From User Accounts, select Configure advanced user profile properties.

From Credential Manager, select Add a Windows credential.

Azure Active Directory accesses resources through which of the following? -NTLM -LDAP -HTTP -Kerberos

HTTP

A user calls to report a problem. She is trying to install an application on her new Windows 11 system, but the installation will not proceed. Her user account is a member of the Users group. What is MOST likely causing the installation issue? -Her group membership does not allow her to install new software. -She is not using an app from the Microsoft Store. -She is not a member of the Power Users group. -The application is incompatible with Windows 11.

Her group membership does not allow her to install new software.

Which vulnerability is Windows Defender Credential Guard designed to protect against?

Kerberos tickets and other security-related information are stored on the local system in the Local Security Authority (LSA). This creates a vulnerability.

Where are a user's Kerberos tickets and other security-related information stored? -Active Directory -Credential Manager -Local Security Authority -Windows Defender

Local Security Authority

Which of the following is a valid distinguished name for the MarketSpace common domain name? -MarketSpace_com -MarketSpace/com -Market.Space.org -MarketSpace.org

MarketSpace.org

What is a distribution group used for?

Meant to be email distribution lists.

Which of the following Azure Active Directory (AD) group types lets you give people outside your organization access to the group? -Microsoft 365 group -Global group -Universal group -Security group

Microsoft 365 group

You have several personal mobile devices that you use on a daily basis. You want to be able to authenticate to each device with the same user account, so you can share your personal data and apps regardless of which mobile device you use. Which type of user account must you create? -Local user account -Domain user account -Microsoft user account -Azure AD user account

Microsoft user account

Workgroup

Microsoft's implementation of peer-to-peer networking.

Hyper-V

Microsoft's virtual machine-creation software that can create software-based virtual computers within a Windows system.

You are your company's Active Directory system administrator. The company has branch offices in several countries, including Mexico, Argentina, Canada, and the UK. The company only has a total of 250 employees organized in the same departments in each office. However, the company is projected to expand rapidly in the next two years. You want to create a tree of organizational units (OUs) that can adapt to rapid growth without re-organizing the OU structure in the near future. You also want to be able to easily assign rights to certain network resources based on departmental organizational roles. Which of the following solutions would BEST meet your requirements? -Organize the OUs at the top level by office (country), then use group accounts to help control resource rights. -Organize the OUs at the top level by department, then use group accounts to help control resource rights. -Organize the OUs at the top level by resource and office (country), then assign specific rights to each user. -Organize the OUs at the top level by employee and resource, then assign specific rights to each user.

Organize the OUs at the top level by office (country), then use group accounts to help control resource rights.

As the systems administrator for an international trading firm, your company uses Azure Active Directory (AD) to manage users and devices, enrolling these users and devices in Microsoft Intune as well. You want to create an Intune app protection policy for everyone with the Sales Representative title that meets the following company requirements: *Personal devices don't need to be enrolled in Intune. *Employees can use their personal iOS and Android devices to access company apps. *Employees must use the Intune Company Portal to download and install company apps. *Employees can only use Microsoft OneDrive for cloud storage of company data. Which of the following Azure Active Directory (AD) group types would you create to include all Sales Representatives in the app protection policy? -Distribution group -Global group -Microsoft 365 group -Security group

Security group

You need to enable Secondary Logon on your system. Where do you go to do this? -Control Panel -Services -Local Security Policy -Group Policy

Services

A new computer has been added to the sales department and needs to be joined to the CorpNet domain. Which of the following System Properties settings must you use to make the change? -System Properties > Advanced -System Properties > System Protection -System Properties > Computer Name -System Properties > Remote

System Properties > Computer Name

Which of the following statements are true regarding creating user accounts? (Select two.) -The Windows Settings app allows you to disable or enable an account. -The Computer Management method requires you to create three security questions. -The Windows Settings app requires you to create three security questions. -The Windows Settings app does not require you to enter a secure password. -The Computer Management method allows you to restrict the user from changing their password.

-The Windows Settings app requires you to create three security questions. -The Computer Management method allows you to restrict the user from changing their password.

You attempt to execute a program in the C:\Program Files\AccWiz directory on your Windows system, but you receive a prompt to elevate your privileges. How can you execute the program without receiving a prompt for elevated privileges while also preventing harmful applications from making unwanted changes to the system? -Add your user account to the local Power Users group. -Modify the permissions of the C:\Program Files\AccWiz directory. -Modify the User Account Control (UAC) settings. -Use the runas command to execute the program in the C:\Program Files\AccWiz directory.

Use the runas command to execute the program in the C:\Program Files\AccWiz directory.

You need to enable Credential Guard on a Windows 11 Enterprise system. Which Windows features need to be enabled to accomplish this? (Select two.) -Virtualization in the UEFI firmware -Windows Process Activation Service -Hyper-V Management Tools -Hyper-V Hypervisor -Data Center Bridging

-Virtualization in the UEFI firmware -Hyper-V Hypervisor

What is Windows Hello?

Windows Hello is a new way to sign in to your devices, apps, online services, and networks. It is more secure because you sign in with your face, iris, fingerprint, or PIN.

Which of the following are the minimum requirements to implement Credential Guard? (Select three.) -4 GB RAM -Windows Secure Boot -Windows 10 Home edition or above -TPM chip on motherboard -2 GHz CPU -CPU virtualization extensions -32-bit version of Windows

-Windows Secure Boot -TPM chip on motherboard -CPU virtualization extensions

You have recently purchased a third-party application and installed it on your workstation. However, after doing some maintenance work on the users and groups on your Windows system, the application begins to display error messages each time you try to run it. What is the MOST likely cause of the issue? -You deleted a group that was created by the third-party application. -You assigned the wrong permissions to your user account. -You switched from a domain account login to a local login. -You assigned the application user account to the Users group.

You deleted a group that was created by the third-party application. Explanation says: Many Windows features or third party applications create additional groups in order to access rights and permissions. If you delete the group, the application probably won't launch or work properly. I believe this is stupid because 3rd party apps should really not have all these permissions that require a whole other user account.

Your user account is User1. You want to sign in to the corpwest domain from a computer that you haven't used before. You are at the sign-in screen. Just below the username and password fields, you see that this computer will try to sign in to the corpsouth domain by default. Which of the following should you enter in the username field to change the domain the computer signs onto? -corpwest\User1 -User1@corpwest -User1\corpwest -corpwest@User1

corpwest\User1

What is the difference between local authentication and domain authentication?

Local authentication is when the computer checks your credentials on the local system you are using. Domain authentication is when you are part of a domain and can use any of the computers connected to the domain to log in, because you are authenticated through the domain.

You are the owner of a small startup company that consists of only five employees. Each employee has their own computer. Due to the type of services your company offers, you don't foresee the employee count increasing much in the next year or two. As a startup company, you want to keep costs low and facilitate easier file sharing and internet, printer, and local network resource access. Which of the following would be the BEST implementation for your business? -A forest -A tree -A workgroup -A domain

workgroup

How is a workgroup different from a domain?

A workgroup is Microsoft's version of peer-to-peer networking. Each computer/host speaks for itself and has its own security, login, storage, etc. A domain uses the client-server model, where each host has a specific role. Clients request and consume information from servers. Servers provide user management, security, printing, and storage in the form of file servers or mapped drives.

