Monday, July 27, 2009

ASO1 Questions

True/False
Indicate whether the sentence or statement is true or false.

____ 1. Before you create a domain controller, a DNS server must be available on the network.

____ 2. On a domain controller, members of the Power Users group can create user and group accounts and modify the users and groups they have created.

Multiple Choice
Identify the letter of the choice that best completes the statement or answers the question.

____ 3. How many processors does the 64-bit version of Windows Server 2003 Datacenter Edition support?
a. 4
b. 8
c. 32
d. 64


____ 4. Which of the following is not an edition of Windows Server 2003?
a. Enterprise
b. Datacenter
c. Standard
d. Web
e. Corporate


____ 5. What is the maximum amount of RAM supported by the 32-bit version of Windows Server 2003 Datacenter Edition?
a. 32 GB
b. 64 GB
c. 128 GB
d. 512 GB


____ 6. Which of the following is not an organizational element of Active Directory?
a. Tree
b. Organizational unit
c. Domain
d. Branch


____ 7. Why is it common practice to implement more than one domain controller per domain?
a. So the Active Directory database can be divided among multiple systems
b. To provide fault tolerance
c. So administration of the directory can be distributed among multiple administrators
d. So each domain controller holds records for fewer objects


____ 8. You are installing an application that requires the Active Directory schema to be extended. The application itself does not extend the schema, but the documentation included with the application specifies that each user account must have a property for the personal employer ID code. What steps would you take to achieve this?
a. Using the Schema Extender, add an object called Employer ID Code.
b. Using the Schema Manager, add an attribute to the user account object for Employer ID Code.
c. Using the Active Directory Schema snap-in, add an attribute to the user account property for Employer ID Code.
d. Using the Active Directory Schema snap-in, add an object called Employer ID Code.


____ 9. You are setting up a new server to provide file and print services for the corporate accounting department of your company. The accounting department has 78 users and four printers. The server assigned to the accounting department is an eight-processor system with 2 GB of RAM. The server used to be a corporate database server, but a recent upgrade has made the system available. What edition of Windows Server 2003 are you most likely to install on the server?
a. Web
b. Datacenter
c. Standard
d. Enterprise


____ 10. Which of the following is a disadvantage of using answer files to automate the installation of Windows Server 2003 on multiple systems?
a. Certain parameters in the file must be changed for each installation.
b. Only one copy of the file can be used at a time.
c. Answer files can be used only for Web Edition and Standard Edition systems.
d. Use of an answer file requires that RIS be installed and available on the network.


____ 11. Which of the following statements about Windows Server 2003 Web Edition is true?
a. A computer running the Web Edition can be a member of an Active Directory domain and function as a domain controller.
b. The standard Client Access License (CAL) model does not apply to computers running the Web Edition.
c. The Internet Connection Firewall (ICF) and Internet Connection Sharing (ICS) features allow the Web Edition to be used as an Internet gateway.
d. A computer running the Web Edition can function as a Dynamic Host Configuration Protocol (DHCP) server.


____ 12. You have assigned a junior member of your team the task of producing a specification for upgrading a mission-critical server from Windows 2000 to Windows Server 2003. No additional budget is available for server hardware, so one major consideration is that you cannot upgrade hardware. The existing server is a four-processor system with 64 GB of RAM and fault-tolerant storage and network subsystems. The junior team member has reviewed the technical specs and requirements and has suggested that the most appropriate choice for the server is Windows Server 2003 Datacenter Edition. What issues, if any, can you see with this proposal?
a. None. The recommendation is appropriate.
b. The Datacenter Edition is available only preinstalled on OEM equipment. It cannot be purchased separately.
c. The Datacenter Edition supports only 32 GB of RAM.
d. The Datacenter Edition supports only two-processor systems.


____ 13. You have been asked to recommend a server for a small programming team that develops enterprise-level data warehousing applications. The team sometimes uses testing processes that can diminish network performance, so it will be placed on a separate network from the rest of the organization.
To create an environment similar to the one in which the applications they develop will be used, you intend to purchase a four-processor Intel Itanium system with 32 GB of RAM for their exclusive use. Aside from the operating system, you want to avoid purchasing any additional software. They will need automatic IP address allocation, secure Internet access, and remote administration capabilities. Which of the following solutions would you recommend?
a. Buy a system with Windows Server 2003 Datacenter Edition and enable the Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), Dynamic Host Configuration Protocol (DHCP), and Terminal Services.
b. Buy a system with Windows Server 2003 Enterprise Edition and enable ICF, ICS, DHCP, and Terminal Services.
c. Buy a system with Windows Server 2003 Standard Edition and enable ICS, DHCP, and Terminal Services.
d. Buy a system with Windows Server 2003 Web Edition and enable ICS, Domain Name System (DNS), and Terminal Services.


____ 14. You are the systems administrator for a college with more than 700 students on a single campus. You have two servers, one running Windows Server 2003 Enterprise Edition and the other running the Standard Edition. The college has two libraries, one for business students and another for arts students. Both libraries run a client management application from the Enterprise Edition server over Terminal Services. The library manager for the arts library calls to tell you that he is experiencing performance problems with the client management application. You call the manager of the business library, who tells you that she has been running a client inventory program for over an hour and has had no performance problems.
Upon investigation, you determine that when the business library manager is running the inventory program, the performance of the arts library application is affected. Which of the following tools would you use to manage this issue?
a. MMS
b. ICF
c. NLB
d. WSRM


____ 15. You are the network administrator for a customs brokerage in Columbus, Ohio. You have been asked to recommend a server operating system to support your company’s new intranet site. The server assigned for the purpose is a dual-processor system with 512 MB of RAM. In addition to providing support for the intranet site, the server will also act as a departmental server for the 17-person Web development team. Which of the following editions of Windows Server 2003 are you most likely to recommend?
a. Web Edition
b. Standard Edition
c. Corporate Edition
d. Enterprise Edition


____ 16. What TCP/IP port number is used by Terminal Services?
a. 110
b. 80
c. 3389
d. 1863


____ 17. By default, members of which groups are assigned remote access permission?
a. Administrators and Server Operators
b. Administrators
c. Administrators and RAS Admins
d. Server Operators


____ 18. Which of the following folders would you share out to make the Remote Desktop Connection client software available to users?
a. Systemroot\System\Clients\Tsclient\Win32
b. Systemroot\System32\Clients\Tsclient\Win32
c. Systemroot\System32\Clients\RDP\Win32
d. Systemroot\System32\Clients\Tsclient\Winx


____ 19. You are the network administrator for a large finance house. You have a user who wants to create an invitation for you to provide him with Remote Assistance. Which of the following is the best way for the user to supply you with the invitation and the password for the invitation?
a. E-mail the password and attach the invitation as a file to the same e-mail.
b. Create a text file with the password in it, and attach the text file and the invitation to an e-mail.
c. Transfer the invitation file to you via Windows Messenger, and then supply the password in an instant message.
d. E-mail the invitation to you as an attachment, and then call you with the password.


____ 20. You are the senior network administrator for an insurance company in Lincoln, NE. You want to create some customized MMC consoles for a junior administrator who has recently joined the company. You want to prevent him from opening new windows or accessing a portion of the console tree, and you want to allow him to view only one window in the console. Which of the following modes would you configure for the custom MMC console?
a. User Mode: Limited Access, Single Window
b. User Mode: Limited Access, Multiple Windows
c. User Mode: Limited Access, Single Window, No Open
d. User Mode: Full Access, Single Window


____ 21. Under what circumstances can you use Remote Assistance to connect to an unattended computer?
a. If you are logged in as an administrator.
b. If the password for the administrator account on the unattended computer is the same as the password for the administrator account on your system.
c. You cannot connect to an unattended computer using Remote Assistance.
d. If you have a valid invitation issued from that computer.


____ 22. On a computer running Windows Server 2003, which of the following procedures would you follow to issue an invitation for Remote Assistance?
a. Select Help And Support from the Start menu to open the Help And Support Center window, and then click the Remote Assistance hyperlink.
b. Select Help And Support from the Start menu to open the Help And Support Center window, click the Get Help hyperlink, and then select Remote Assistance.
c. Double-click the Help And Support applet in Control Panel to open the Help And Support Center window, and then click the Remote Assistance hyperlink.
d. Double-click the Remote Assistance applet in Control Panel to open the Help And Support Center window, and then click the Remote Assistance hyperlink.


____ 23. You are the network administrator for a property management firm with its head office in Boulder, CO. The company has 16 offices across the United States. Each site has a Windows Server 2003 system and 4 to 16 Windows XP Professional client computers. Each site is linked via an ISDN line, and even though this creates a private WAN, you are implementing firewalls at each location to provide security.
You are designing the specifications for the firewall, and you decide to provide Remote Assistance to users on the remote sites. You also decide to allow users to send invitations for Remote Assistance to the technical support department in Boulder over Windows Messenger. How would you configure the firewall to accommodate this configuration?
a. Open ports 2289 and 1863
b. Open ports 3389 and 1863
c. Open ports 2058 and 1863
d. Open ports 3389 and 2058


____ 24. In Active Directory Users And Computers, where do you configure logon time restrictions for a user?
a. The Logon Hours page of the user account properties
b. The General Page of the user account properties
c. The Sessions page of the user account properties
d. The Account page of the user account properties


____ 25. What term describes a type of user profile that the user can change but that does not save those changes when the user logs off?
a. Fixed
b. Roaming
c. Mandatory
d. Static


____ 26. Which of the following utilities can you use to modify an existing object in Active Directory?
a. Dsmod.exe
b. Csvde.exe
c. Dsadd.exe
d. Adobjedit.exe


____ 27. Which of the following properties cannot be configured for multiple users at a single time?
a. Terminal Services session settings
b. Address
c. Logon Hours
d. E-mail address


____ 28. A user calls to report that his account has been locked after he entered the incorrect password four times. Which tab of the user’s account properties do you go to in order to unlock his account?
a. Account
b. General
c. Sessions
d. User


____ 29. Which of the following client operating systems requires additional client software to access the complete functionality of Active Directory?
a. Windows 98
b. Windows NT 4
c. Windows Me
d. All of the above


____ 30. Which of the following items is not included in a user profile?
a. Shortcuts and cookies for favorite locations on the Internet
b. Links to other computers on the network
c. Application data and user-defined configuration settings
d. Logon time restrictions


____ 31. If the Password Must Meet Complexity Requirements policy is enabled, which of the following passwords is not acceptable?
a. 111aaaBBB
b. !!@TRPP%%
c. aa2324!@
d. TTee@#P1


____ 32. When you configure the Password Policy, why would you enable the option to store passwords using reversible encryption?
a. So that if a user forgets her password it can be recovered
b. So that the user can find her password by providing a password clue if she forgets it
c. So the administrator can view the password to ensure that it meets complexity requirements
d. So that other applications can access the password information


____ 33. A user calls you because he cannot log on to the system. After verifying his identity, you determine that he recently returned from vacation and is unsure of his password. You decide to reset the password. How do you accomplish this?
a. In the Active Directory Users And Computers MMC snap-in, select the user and then select Reset Password from the Action menu. Enter the existing password, and then enter a new password. Retype the new password in the Confirm Password box, and click OK.
b. In the Active Directory Users And Computers MMC snap-in, select the user and then select Reset Password from the Action menu. Enter the new password, retype the new password in the Confirm Password box, and click OK.
c. In the Active Directory Users And Computers MMC snap-in, select the user. On the Account properties page for the user, click Change Password and then enter a new password. Retype the password in the Confirm password box, and click OK.
d. On the General properties page for the user, click Change Password and then enter a new password for the user. Retype the password in the Confirm password box, and click OK.


____ 34. You have set the Account Lockout Duration setting of the Account Lockout Policy to 0. What does this mean?
a. The account lockout threshold will become ineffective because accounts that are locked by exceeding the account lockout threshold will immediately unlock.
b. An account that has exceeded the account lockout threshold cannot be unlocked until the administrator resets the password for the user.
c. The Enforce Password History setting will automatically record all of the incorrect passwords that are being tried.
d. An account that has exceeded the account lockout threshold must be manually unlocked.


____ 35. You are attempting to use the Csvde.exe tool to import a new set of user accounts to the directory. You confirm that the import file is formatted correctly, and then you issue the command csvde -f newusers -k. When you check in Active Directory, none of the new user accounts appears. What is the most probable cause of the problem?
a. The -k switch tells Csvde.exe that it should create the users only at the next database synchronization.
b. The default mode for Csvde.exe is export; if you want to import objects, you must use the -i switch.
c. The Csvde.exe command can be used only to import group and computer accounts, not user accounts.
d. The correct switch for specifying the filename for a Csvde.exe command is -fn, not -f.


____ 36. What information is transferred from a user’s Account tab when you copy the user’s account?
a. Everything except the Logon Hours
b. Everything except the Group Memberships
c. Everything except the User Logon Name and User Logon Name (Pre–Windows 2000)
d. Everything except the Street Address


____ 37. You have configured Logon Hours restrictions for a specific user. The user is not a member of any group policy objects. If the user is already logged on when the allowed logon time ends, what happens?
a. The user is forcibly disconnected.
b. The user is granted a 15-minute grace period.
c. The user is given a 5-minute warning and then is forcibly disconnected.
d. The user can continue working.


____ 38. What does setting an account lockout threshold of 0 achieve?
a. Any account that was locked out by the account lockout threshold remains locked indefinitely.
b. Any account that was locked by the account lockout threshold is unlocked immediately.
c. Any account that has exceeded the account lockout threshold needs the administrator to manually unlock it.
d. Any account that has exceeded the account lockout threshold is not locked out.


____ 39. You are looking at ways to automate the creation of user accounts. You do not have a large turnover of staff in your organization, so you decide to use templates as a shortcut to user creation. Which of the following statements about the use of template user accounts is true?
a. All new users created with the template have the same initial password.
b. All new users created with the template have the same group memberships.
c. All new users created with the template have the same file permissions as the template user.
d. All new users created with the template have the same street address.


____ 40. After numerous support calls from a user who is creating problems by making changes to his Windows settings, you get management approval to configure the user with a profile that will not allow him to save any changes. How do you go about doing this?
a. Open the Advanced page from the System Properties dialog box on the system that holds the profile, select the relevant profile, and click Set As Mandatory.
b. Locate the profile folder for the user and rename the Ntuser.man file to Ntuser.dat.
c. Configure the permissions to the folder holding the profile to read-only.
d. Locate the profile folder for the user, and rename the Ntuser.dat file to Ntuser.man.


____ 41. You have recently been employed as the network administrator for a commercial real estate company. The company is relatively small and has a highly mobile workforce. The company has two Windows Server 2003 systems and one Windows 2000 system. Active Directory is configured at a Windows 2000 mixed domain functional level.
Many of the sales representatives spend a great deal of time on the road and use the dial-in features of Windows Server 2003. The others are based primarily in the office and rarely work remotely. Late one evening, a user who normally works from the office pages you to report that he can’t gain access to the system over his dial-up link. He is calling from a hotel, where he is staying while at a conference. He explains that he connected the previous night from home without any problems, but this is the first time he has tried to connect from anywhere other than his home. Since you started working with the company, you have not made any changes to the user’s account properties. Based on the information he has provided, which of the following could be the problem?
a. The user has Verify Caller ID enabled, and his home phone number is defined for that property.
b. The static routes for the user have been configured to only allow the user to connect from his home phone number.
c. The Always Callback To property on the user’s Dial-In page has been configured with the user’s home phone number.
d. The phone number that the user is calling from is not listed on the Telephones properties page.


____ 42. You are the system administrator for a company that manufactures electronics equipment for the aerospace industry. The company has more than 150 employees, but only the administrative staff of 24 people has PCs. The other employees are involved in production and manufacturing and do not require a PC to perform their job. The client workstations are a mix of Windows 95, Windows 98, and Windows 2000 Professional systems. You have a single Windows Server 2003 system that provides file and print services and runs DHCP, DNS, and WINS services. Each employee has a browser-based e-mail account that is accessed via the company’s intranet.
Your manager has asked you to configure a single user account that will be used to log on from three PCs in the company cafeteria so employees can access the company intranet and their e-mail. Which of the following approaches are you most likely to take?
a. In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the IP address of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.dat file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
b. In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the MAC address of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.man file to Ntuser.dat and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
c. In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the NetBIOS machine name of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.dat file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
d. In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the NetBIOS machine name of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.pfl file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.


____ 43. You are the network administrator for a media company with 27 employees. You have recently implemented a new Windows Server 2003 system. Your manager is concerned about the security of your network. She has asked you to configure an Account Lockout Policy to provide additional security. She wants you to make sure that if a user tries to log on with the wrong password more than four times, that user’s account is disabled. She also wants to make sure that the user must call you when the account is locked so you can determine what the problem is before the user can attempt to gain access to the system again. Which of the following statements describes the Account Lockout Policy settings you would choose?
a. Set the Account Lockout Duration policy to 4, the Account Lockout Threshold policy to 0, and the Reset Account Lockout Counter After policy to 60.
b. Set the Account Lockout Duration policy to 0, the Enforce Password History policy to 0, and the Reset Account Lockout Counter After policy to 60.
c. Set the Enforce Password History policy to 4, the Account Lockout Threshold policy to 0, and the Reset Account Lockout Counter After policy to 30.
d. Set the Account Lockout Duration policy to 0, the Account Lockout Threshold policy to 4, and the Reset Account Lockout Counter After policy to 30.


____ 44. You are the network administrator for a large computer manufacturer in Portland, Oregon. Another computer manufacturer has recently acquired the company, and you are in the process of transitioning your IT infrastructure, including Active Directory, to the naming standards and schemes used by the takeover company. Your Active Directory structure uses domains with names based on geographical locations, so no reconfiguration of domain names is necessary. However, the domain name used for e-mail and the corporate Web page has changed. You have been asked to reconfigure all of the user accounts with the new e-mail address and Web page information. In total, you have to reconfigure 325 users in three organizational units. Which of the following is the easiest way to do this?
a. Select multiple user objects at once, and then edit the user’s properties and enter the new e-mail and Web page information.
b. Use Csvde.exe, and specify new values for the Web Page and E-Mail Address fields.
c. Use the Dsmod.exe command, and specify new values for the Web Page and E-Mail Address fields.
d. Edit the Web Page and E-Mail Address values for the OU objects. Then select Allow Inheritance Of Values From This Object on the OU.


____ 45. You are the network administrator for a healthcare provider in Denver, Colorado. The network comprises three Windows Server 2003 systems. You have recently installed a new database application that requires a service account to be created. This service account needs to impersonate a client to access computer resources on behalf of other user accounts. Which of the following approaches do you take to do this?
a. Create a new user account. Then, in the General properties tab for that user account, select the Account Is Trusted For Delegation check box.
b. Create a new user account. Then, in the Account properties tab for that user, select the Account Is Trusted For Delegation check box.
c. Create a new user account. Then, in the Advanced properties tab for that user, select the Account Is Trusted For Delegation check box.
d. Use an existing user account. In the Account properties tab for that user, select the Account Is Trusted for Delegation check box.


____ 46. You have recently installed Microsoft Internet Information Services (IIS) on your Windows Server 2003, Enterprise Edition server so that you can create an intranet for your company. Anonymous access to the IIS server has been enabled. The intranet is intended solely as a source of publicly available corporate information. It will also contain a mirror of the company’s Internet Web site.
In addition to providing access to employees, you also want the public to be able to access the intranet from two terminals in the reception area of the building. The terminals will be configured with third-party software that will restrict access to any application other than Microsoft Internet Explorer. Because employees in the company already have user accounts for the network, you will not need to make any changes to their configuration in order to allow access to the intranet. What do you do with respect to user accounts to enable users in the reception area to access the intranet?
a. Create one user account in Active Directory. Restrict logon through station restrictions to the systems in the reception area.
b. Create two user accounts, one for each system in the reception area, in Active Directory. Restrict logon through station restrictions to the systems in the reception area.
c. Create two user accounts, one for each system in the reception area, in Active Directory. Restrict logon through station restrictions to the systems in the reception area. In the General Properties tab, grant the user accounts the Use IIS right.
d. Nothing.


____ 47. You are the network administrator for a footwear distributor in Georgia. After a recent break-in, your manager is concerned that the criminals might have been able to access the computer systems. She asks you to tighten up security of user accounts and passwords. She asks you to propose settings for an Account Lockout Policy. You propose the following values for the Account Lockout Policy:
Account Lockout Threshold = 3
Account Lockout Duration = 0
Reset Account Lockout Counter After = 15
What would the result of these policies be?
a. If a user enters the incorrect password more than three times, the account is disabled. The account is automatically enabled after 15 minutes.
b. If a user enters the incorrect password more than three times, the account is locked. The account is automatically unlocked after 15 minutes.
c. If a user enters the incorrect password more than three times, the account is locked. The administrator must manually clear the lock on the account.
d. The account is never locked, regardless of how many attempts are made to access the system using the incorrect password.


____ 48. You are the network administrator for a soft-toy manufacturer in Wisconsin. The network comprises three Windows Server 2003 systems operating at a Windows 2000 mixed mode domain functional level. There are 135 users, each of whom has a Windows XP Professional system.
The Sales department has been based solely in Green Bay, at the company headquarters, but management has decided to split it into two teams, one of which will telecommute. You are given the names of the users who will be part of the new remote sales team, and you are asked to configure the user accounts with some new information. Specifically, you must specify a new Manager and Department name. You must also provide each user with dial-in capability to the system, which they have never had. Which of the following approaches are you most likely to take?
a. Configure the properties on multiple objects. Edit the Manager and Department fields in the Organization Properties tab. Grant the dial-in permission on the Dial-In tab, and configure the dial-in permissions on a per-user basis.
b. Configure the properties on multiple objects. Edit the Manager and Department fields in the Organization Properties tab. Enable the Control Access Through Remote Access Policy.
c. Open each user’s account individually. Edit the Manager and Department fields in the Organization Properties tab. Grant the dial-in permission in the Dial-In tab, and configure the dial-in permissions on a per-user basis.
d. Using Dsadd.exe, configure a script to modify the parameters for the dial-in permission and the Manager and Department fields.


____ 49. You are the network administrator for a pottery distributor in Utah. You are in the process of upgrading the corporate network from another operating system to Windows Server 2003. You ask a junior administrator to design an effective Password Policy. He offers the following suggestion:
Enforce Password History = 10
Maximum Password Age = 30
Minimum Password Age = 15
Minimum Password Length = 6
Password Must Meet Complexity Requirements = Yes
What would the result of this policy be?
a. The user can use a password of 33$#54 but must change it every 30 days. She cannot change it any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
b. The user can use a password of 23%&678 but must change it every 30 days. She cannot change her password any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
c. The user can use a password of $$r763 but must change it every 30 days. She cannot change it any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
d. The user can use a password of $P%#TR but must change it every 15 days. She cannot change it any sooner than 30 days. She cannot reuse the same password until she has changed her password 10 times.


____ 50. Which of the following is not a domain functional level supported by Windows Server 2003?
a. Windows 2000 mixed
b. Windows Server 2003 interim
c. Windows Server 2003 mixed
d. Windows Server 2003


____ 51. Which of the following is not a built-in Active Directory group?
a. Backup Operators
b. Power Users
c. Account Operators
d. Network Configuration Operators


____ 52. What happens to the local Administrators group when a computer is added to the domain?
a. The Domain Admins global group is added to the local Administrators group.
b. The local Administrators group is added to the Domain Admins global group.
c. The Domain Admins global group is added to the Computers local group.
d. The Domain Admins global group is added to the Power Users group.


____ 53. Where do you change the group scope?
a. In the Scopes properties tab of the group in Active Directory Users and Computers
b. In the General properties tab of the group in Active Directory Users and Computers
c. In the Members properties tab of the group in Active Directory Users and Computers
d. In the Type properties tab of the group in Active Directory Users and Computers


____ 54. Which of the following statements is not true of universal groups?
a. Universal groups can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests.
b. Universal groups are available only in the Windows 2000 native and Windows Server 2003 functional levels.
c. Universal groups can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members.
d. Universal groups can be granted access permissions only for resources in the domain in the forest in which they are created.


____ 55. Which of the following Active Directory built-in groups does not have the right to back up files and directories?
a. Account Operators
b. Server Operators
c. Administrators
d. Backup Operators


____ 56. Which of the following statements is true of global groups?
a. Global groups can include only users from within their domain.
b. Global groups can include users from any domain in the tree.
c. Global groups can include users from any domain in the forest.
d. Global groups can include users from any domain in Active Directory.


____ 57. Which of the following tools do you use to raise the domain functional level of Active Directory?
a. Active Directory Sites and Services
b. Active Directory Users and Computers
c. Active Directory Domains and Trusts
d. Security Configuration and Analysis


____ 58. You have installed a new Windows Server 2003 system on your test network. After completing the installation, you run the Manage Your Server Wizard and configure the system as a domain controller. There are no other servers on the network. What will the domain functional level of the system be?
a. Windows 2000 mixed
b. Windows 2000 native
c. Windows Server 2003 interim
d. Windows Server 2003 single server


____ 59. A user who is connected to the system via a Remote Desktop connection automatically becomes a member of what special identity?
a. Remote Users
b. Interactive
c. Dialup
d. Anonymous Logon


____ 60. You are creating a script to streamline the process of adding new groups to Active Directory. You add the following command to the file:
dsadd group
"CN=Sales,CN=Users,DC=contoso,DC=com"
-member "CN=Administrator,CN=Users,DC=contoso,DC=com"
-scope g
What is the result of this command?
a. The command produces an error.
b. A universal group called sales.users.constoso.com is created, with the user Administrator as a member.
c. A global group called sales.users.contoso.com is created, with the user Administrator as a member.
d. The user administrator is removed from the sales.users.contoso.com group, and the scope is changed to global.


____ 61. Under what circumstances can you convert a global group to a universal group?
a. Only when the global group contains users from only one domain.
b. Only when the global group is not a member of another global group.
c. There are no restrictions on converting a global group to a universal group.
d. You cannot convert a global group to a universal group under any circumstances.


____ 62. The technical support department has a new member who needs rights to perform system functions and Active Directory administration tasks such as creating new user accounts, shutting down and restarting the server, backing up files and directories, and loading and unloading device drivers. You want to make the user a member of only one group, but you also want to avoid assigning more rights than necessary. Which of the following groups should you make the new hire a member of?
a. Administrators
b. Server Operators
c. Backup Operators
d. Domain Admins


____ 63. You have a laser printer in the Sales department. The Sales group is assigned permissions to print to that printer. The members of the Sales department are all members of the Sales group. No other users or groups are assigned permissions to the printer. What happens if you delete the Sales group?
a. The Sales group is removed from the ACL for the printer, but members of the Sales group can still print to the printer.
b. The Sales group is removed from the ACL for the printer, but the individual user accounts that were members of the Sales group are added to the ACL of the printer, thereby allowing them to print.
c. The Sales group is removed from the ACL for the printer, and members of the Sales department can no longer print.
d. Any user account that is a member of the Sales group is deleted.


____ 64. To redistribute some of the administrative burden on your network, your manager suggests having a member of the customer help desk act as your assistant. To allow this person to perform account management tasks, you make him a member of the Account Operators built-in Active Directory group. Which of the following tasks will the user be allowed to perform?
a. Adding user accounts to the Administrators group
b. Changing the password for the Administrator account
c. Adding user accounts to the Domain Admins group
d. Creating new user accounts


____ 65. You want to implement group policy on your network to provide control over user accounts on the network. Which of the following entities cannot be assigned group policy?
a. Organizational units
b. Domains
c. Groups
d. Sites


____ 66. When you join a computer to the domain, what happens to the membership of the local Guests group?
a. The Domain Guests predefined global group is added to the local Guests group.
b. The special identity Guests is added to the local Guests group.
c. Any user accounts defined as members of the local Guests group are added to the Domain Guests group.
d. The local Guests group is deleted.


____ 67. You are the network administrator for a clothing manufacturer in Boise, Idaho. The network comprises three domains. Each domain is assigned to a specific division in the company. You have six Windows Server 2003 systems running Standard Edition. Active Directory is running at a Windows Server 2003 domain functional level. You have a group of auditors who move from department to department in the course of their work. Because they move around, they need access to the nearest printer at any given time. Which of the following do you do to accommodate this?
a. Create a global group, place the user accounts for the auditors in that group, and then assign the global group permissions to all of the printers in each of the domains.
b. Create a universal group, place the user accounts for the auditors in that group, and then assign the universal group permissions to all of the printers in each of the domains.
c. Create a universal group, place the user accounts for the auditors in that group, and then place the universal group into the local printer users group on the domain controllers that host a printer.
d. Create a universal group, and place the user accounts for the auditors in that group. Create a global group, and place the auditors universal group into that global group. Finally, assign the global group permissions to the printers in each domain.


____ 68. You are the network administrator for a real estate agency in Washington, D.C. The network comprises three Windows Server 2003 systems and 120 client systems running Windows XP Professional. You have two domains, one representing each of the two divisions of the company (residential and commercial). You receive a request to create a group called Marketing that will be assigned resource access to resources in both domains. However, when you go to create a new security group, in the Group Scope option the Universal option button is grayed out. Which of the following is the most likely cause of the problem?
a. You are running at a Windows 2000 mixed domain functional level.
b. You are running at a Windows 2000 native domain functional level.
c. You are running at a Windows Server 2003 domain functional level.
d. You have more than one domain.


____ 69. You are the network administrator for a company that sells computer books. The network comprises six Windows Server 2003 systems, three of which are domain controllers. The other servers are member servers. Active Directory is operating at a Windows Server 2003 functional level. One of the domain controllers hosts a database application, and you need to provide users in the Sales department with access to a folder on that server that contains the data files for the database. Which of the following is the best approach to take?
a. Assign each user in the Sales department access to the folder individually.
b. Create a global group called Database, and give that group the necessary permissions to the folder containing the data file. Create a domain local group called SalesData, and add the appropriate members of the Sales department to the SalesData domain local group. Add the SalesData domain local group to the Database global group.
c. Create a domain local group called Database, and give that group the necessary permissions to the folder containing the data file. Create a global group called SalesData, and add the appropriate members of the Sales department to the SalesData global group. Add the SalesData global group to the Database domain local group.
d. Create a local group called Database on the domain controller. Create a global group called SalesData, and add the appropriate members of the Sales department to the SalesData global group. Add the SalesData global group to the local group.


____ 70. You are the network administrator for a tire wholesaler with seven offices across the continental United States. Each site has a single Windows Server 2003 server operating at a Windows Server 2003 domain functional level. Each site is linked to the head office in Buffalo, New York, by a PRI-ISDN line. Each site has its own domain. The WAN links are used by a number of applications, including a sales order-processing system. The company is experiencing huge growth, and over the next three months the number of staff members is set to increase from 160 to 310.
You are in the process of reorganizing the group structure on the network. Many of the users require access to data and applications in more than one site, and up to this point many of the assignments have been made with a user account rather than a group. One of your fellow administrators suggests creating a number of universal groups and adding the users to the universal groups. Permissions to resources can then be granted via the universal groups. What issues, if any, do you see with this solution?
a. None. The suggestion is practical and valid.
b. Universal groups are not available on a Windows Server 2003 domain functional level.
c. It might create additional traffic on the already heavily used WAN links.
d. You can place global or domain local groups only in a universal group, not user accounts.


____ 71. If you are using a Windows 2000 native domain functional level, which of the following Active Directory objects can be a member of a domain local group?
a. User and computer accounts from the same domain
b. User and computer accounts and other global groups from the same domain
c. User and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain
d. User and computer accounts and global groups from any domain


____ 72. You are the network administrator for a music publishing company in Los Angeles. The network comprises four Windows Server 2003 systems, two of which are domain controllers. The network is operating at a Windows Server 2003 domain functional level. You have a number of distribution groups in Active Directory that were created for contacts in an external public relations (PR) firm. However, the PR firm has been bought out by the firm you work for, and the entire PR operation has been moved in-house. A new department has been created for the PR function. Users in the new PR department need access to resources such as folders and printers. Which of the following do you do to provide them access?
a. Create user accounts to match the users listed in the distribution group, and then convert the distribution group to a global group. Assign the new global group to domain local groups as needed to provide access.
b. Convert the distribution group to a global group. Assign the new PR global group to the appropriate domain local group.
c. Create new user accounts for users from the PR department. Add the users to domain local groups as needed to provide access.
d. Create new user accounts for users from the PR department. Create a global group, and add the users to that group. Add the global group to domain local groups as needed to provide access.


____ 73. On a network operating at a Windows 2000 mixed domain functional level, which of the following are limitations on converting groups?
a. You cannot convert groups in Active Directory operating at a Windows 2000 mixed domain functional level.
b. You can convert a domain local group to a universal group, but only when the domain local group does not have other domain local groups as members.
c. You can convert from a global group to a universal group only when the global group is not a member of another global group.
d. You can convert from a universal group to a global group only when the universal group does not have other universal groups as members.


____ 74. You have recently been hired as the network administrator for a trading card manufacturing company in New York. The network comprises four Windows Server 2003 systems, two of which are domain controllers. Active Directory is configured at a Windows Server 2003 domain functional level. Twelve groups have been created for each of the departments in the organization. You will soon be implementing a new Active Directory–aware e-mail system, and your manager wants to be able to send messages to all users in a department at one time. How do you accommodate this?
a. Copy each of the departmental groups, and then convert the new group to a distribution group.
b. Create a distribution group for each department, and manually duplicate the membership of the security group for each department.
c. Convert the security group for each department to a distribution group.
d. Special group configuration is not necessary.


____ 75. You are the network administrator for a data storage device manufacturer in Yakima, Washington. The network comprises three domains. Each domain is assigned to a specific department in the company (Development, Sales, Administration). You have three Windows Server 2003 systems running Standard Edition. Active Directory is running at a Windows Server 2003 domain functional level.
You have recently acquired a new plotter, which is to be used by the 14 electronics designers, all of whom are in the Development department and are members of the Development global group. The manager informs you that he is expecting to recruit two more designers in the near future. Which of the following do you do to provide the electronics designers with access to the new plotter?
a. Create a domain local group called Plotter, create a global group called Plotter Users, and make the Development global group a member of the Plotter Users group.
b. Create a domain local group called Plotter. Place the Development global group into the Plotter group.
c. Create a domain local group called Plotter. Place the user accounts for the users in the Development department into that group.
d. Assign the users from the Development department access to the plotter by assigning permissions to their user accounts.


____ 76. You are the network administrator for an insurance company with its head office in San Francisco. The company has four other offices—in Detroit, New York, Vancouver, and Dallas. The network comprises six Windows Server 2003 systems, two in San Francisco and one at each of the other sites. Active Directory is operating at a Windows 2000 mixed domain functional level.
The company has a sales order-processing system with a local database in each location. The local databases are synchronized hourly with the central database in San Francisco. Users at every site have been experiencing problems with the database, so your manager has contracted two SQL database administrators (DBAs) for three months to determine the problem and make recommendations for optimizing the database. These DBAs, who will be based in San Francisco, need direct access to the database folders in each location. Which of the following do you do to achieve this?
a. Create a global group called DBA in the San Francisco domain. Create a domain local group in each of the other domains, and grant permissions to the folders containing the database data files to the respective domain local group. Assign the DBA global group to the domain local groups.
b. Create a universal group called SQL, and assign it to the folders containing the database data files. Create a global group in each domain called DBAs, and add the user accounts for the DBAs to the DBA group. Add the DBA group to the SQL universal group.
c. Create a global group in each location, and assign the global group permissions to folders containing the database data files. Add the DBAs from San Francisco to the global group in each location.
d. Create a universal group called SQLDBA, and assign it permissions to the folders containing the database data files. Make the DBAs’ user accounts members of the universal group.


____ 77. On a system running Active Directory at a Windows 2000 mixed domain functional level, what objects can be a member of a universal group?
a. User and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain.
b. User and computer accounts, other universal groups, and global groups from any domain.
c. User and computer accounts and other global groups from the same domain.
d. None. Universal groups are not supported at the Windows 2000 mixed domain functional level.


____ 78. You are the network administrator for a frozen foods wholesaler. The network comprises 3 Windows 2000 Server systems and 165 workstations that run Windows XP Professional or Windows 2000 Professional. You are planning to install a new Windows Server 2003 system and want to configure the domain functional level for the highest level supported by both servers. You also want to use universal security and distribution groups, and group nesting. What domain functional level do you use after you have installed the Windows Server 2003 system?
a. Windows 2000 native
b. Windows Server 2003
c. Windows Server 2003 interim
d. Windows 2000 mixed


Short Answer

79. Explain the purpose and function of group policies.

80. Explain the functions of objects and attributes in Active Directory. Provide examples.

81. Explain the function of a taskpad in MMC and how you would create one.

82. Explain the purpose of the Minimum Password Age policy setting in the Password Policy.

83. Explain the purpose of the Apply Static Routes check box in the Dial-In Properties page of a user account.

84. Describe the elements of a domain user account, and explain what happens when a user logs on to the system with a user account.

85. Describe two ways to disable an existing domain user account in Active Directory Users And Computers.

86. You are the administrator for a law firm with more than 400 employees. The firm has a single office in New York. The network comprises three Windows Server 2003 systems and two Windows 2000 Server systems. Active Directory is configured at a mixed mode functional level. The servers provide DHCP, DNS, ICS, and file and print services. All workstation PCs are running Windows 2000 Professional. Employees almost always use the same PC, so you are using local profiles.
Your manager has asked you to create a user account for a student who will work at the firm during the summer. The student will spend a few days in each department to gain a wide range of experience in the firm. Your manager asks you to create a user account for the student but to restrict the account as much as possible so technical staff don’t have to spend time troubleshooting account problems. You inform the manager that among other restrictions, you will create a mandatory roaming profile for the user. He is unfamiliar with how profiles work and asks you to describe how to configure such a profile. Describe the process of configuring a mandatory roaming profile for a user account.

87. A new user has just joined the Sales department. His job is to prepare monthly sales figures, which up to this point has been the sole responsibility of the department manager. To simplify account creation for the new user, you copy the manager’s user account. The user can log on and access most of the resources that are available to the Sales department, but there are a number of files and directories that the manager has access to that the new user can’t see. What is the likely cause of this problem? How do you resolve the issue?

88. Describe the function of a security group.

89. Describe when and where the Enterprise Admins group is created. Also explain the powers that are assigned to the Enterprise Admins group, and describe the default group memberships for the Enterprise Admins group.

90. Describe the purpose and function of a distribution group.

Answers ASO1

TRUE/FALSE

1. ANS: F
EXPLANATION: A DNS server is required to complete the installation of a domain controller, but it need not be present before the installation is started. If, during the installation process, Windows Server 2003 does not find a DNS server, you will be prompted to install DNS on the system. (Discussion starts on page 20.)

DIF: Application REF: Chapter 1

2. ANS: F
EXPLANATION: Power Users is a local group. Local groups do not exist on Active Directory domain controllers. (Discussion starts on page 221.)

DIF: Application REF: Chapter 7

MULTIPLE CHOICE

3. ANS: D
EXPLANATION: The 64-bit version of Windows Server 2003 Datacenter Edition supports up to 64 processors. (Discussion starts on page 7.)

DIF: Demonstration REF: Chapter 1

4. ANS: E
EXPLANATION: Windows Server 2003 is available in Standard, Enterprise, Datacenter, and Web editions. It is not available in a Corporate edition. (Discussion starts on page 4.)

DIF: Demonstration REF: Chapter 1

5. ANS: B
EXPLANATION: The 32-bit version of Windows Server 2003 Datacenter Edition supports 64 GB of RAM. (Discussion starts on page 7.)

DIF: Demonstration REF: Chapter 1

6. ANS: D
EXPLANATION: A branch is not an organizational element of Active Directory. Trees, organizational units, and domains are all organizational elements of Active Directory. (Discussion starts on page 27.)

DIF: Demonstration REF: Chapter 1

7. ANS: B
EXPLANATION: One reason to implement more than one domain controller per domain is to provide fault tolerance. When more than one domain controller is used per domain, each still holds a complete copy of the Active Directory database; the domain database is not split up. The use of multiple administrators is not related to how many domain controllers are in use. Because each domain controller holds a complete copy of the database, using multiple controllers will not reduce the number of objects stored in the database on each domain controller. (Discussion starts on page 28.)

DIF: Application REF: Chapter 1

8. ANS: C
EXPLANATION: To provide an additional property for a user account, you would use the Active Directory Schema snap-in to add an attribute to the user account property. You would not create a new object called Employer ID Code; it is a new property that is required. (Discussion starts on page 30.)

DIF: Application REF: Chapter 1

9. ANS: D
EXPLANATION: Windows Server 2003 Enterprise Edition supports up to eight processors. Windows Server 2003 Web Edition supports only 10 inbound SMB connections, making it unsuitable for supporting the file and print requirements of 78 users. Additionally, the Web Edition supports only up to two processors. Windows Server 2003 Datacenter Edition can be purchased only preinstalled on qualified hardware. Windows Server 2003 Standard Edition supports only up to four processors. (Discussion starts on page 4.)

DIF: Application REF: Chapter 1

10. ANS: A
EXPLANATION: The main drawback of using answer files for a mass operating system deployment is that each computer requires its own file. This is because some of the settings supplied during the installation must be unique, such as the computer name and IP address. There are no restrictions on how many copies of the answer file can be used at once. Answer files can be used with any edition of Windows Server 2003. Answer files do not need to have RIS installed and available on the network in order to work. (Discussion starts on page 9.)

DIF: Application REF: Chapter 1

11. ANS: B
EXPLANATION: The standard CAL model does not apply to computers running the Web Edition. The operating system supports an unlimited number of Web connections, but it is limited to 10 simultaneous Server Message Block (SMB) connections. A computer running the Web Edition can be a member of an Active Directory domain, but it cannot function as a domain controller. The ICF and ICS features are not included with the Web Edition, preventing the computer from functioning as an Internet gateway. A computer running the Web Edition cannot function as a DHCP server. (Discussion starts on page 5.)

DIF: Application REF: Chapter 1

12. ANS: B
EXPLANATION: The Datacenter Edition can be purchased only preinstalled on a system. Therefore, an existing system cannot be upgraded to the Datacenter Edition. The Datacenter Edition supports 64 GB of RAM in the 32-bit version and 512 GB of RAM in the 64-bit version. The Datacenter Edition supports up to 64-way symmetric multiprocessing (SMP) in the 64-bit version and 32-way SMP in the 32-bit version. It cannot be installed on a system incapable of at least eight processors. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

13. ANS: B
EXPLANATION: Windows Server 2003 Enterprise Edition provides support for 64-bit Intel Itanium processors, ICF, ICS, and DHCP. It also supports Terminal Services, which provides the required remote administration functionality. Windows Server 2003 Datacenter Edition does not support ICF or ICS. Windows Server 2003 Standard Edition is not available in a 64-bit version. Windows Server 2003 Web Edition does not support 64-bit hardware or the ICF or ICS. It also does not support any more than 2 GB RAM. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

14. ANS: D
EXPLANATION: The Windows System Resource Manager (WSRM) can be used to restrict the amount of system resources that can be used by a Terminal Server user at any one time. Microsoft Metadirectory Services (MMS) is a means of integrating multiple information sources into a single, unified directory. MMS makes it possible to combine Active Directory information with other directory services and to create a unified view of all available information about a given resource. The Internet Connection Firewall (ICF) provides protection for Internet connections. Network Load Balancing (NLB) allows network traffic to be distributed among multiple network interfaces in a single system. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

15. ANS: B
EXPLANATION: The best solution is most likely the Standard Edition because it includes the functionality of Microsoft Internet Information Services (IIS) 6, it supports the available hardware, and it can provide file and print services for the 17 members of the Web development team. Although the Web Edition might seem like the most obvious choice in this situation, there is an issue with the fact that the 17-person development team also needs to access the server. The Web Edition accommodates only 10 inbound connections for the purposes of file access, so it would not be suitable. There is no Corporate Edition of Windows Server 2003. While the Enterprise Edition would meet the needs for your intranet, your needs do not justify its purchase over the Standard Edition. (Discussion starts on page 5.)

DIF: Synthesis REF: Chapter 1

16. ANS: C
EXPLANATION: Terminal Services uses TCP/IP port 3389. TCP/IP port 110 is used by the POP3 protocol. TCP/IP port 80 is used by the HTTP protocol. TCP/IP port 1863 is used by Windows Messenger. (Discussion starts on page 54.)

DIF: Demonstration REF: Chapter 2

17. ANS: B
EXPLANATION: By default, only members of the Administrators group are granted remote access permission. (Discussion starts on page 47.)

DIF: Demonstration REF: Chapter 2

18. ANS: B
EXPLANATION: Windows Server 2003 includes the Remote Desktop Connection files on the installation CD and also copies them to the Systemroot\System32\Clients\Tsclient\Win32 folder. This folder must be shared to make the files in it available to users. (Discussion starts on page 51.)

DIF: Demonstration REF: Chapter 2

19. ANS: D
EXPLANATION: Although there are no specific rules about the communication of invitations and corresponding passwords, best practice dictates that you instruct users to supply the expert with the password using a different medium from the one they are using to send the invitation. (Discussion starts on page 55.)

DIF: Application REF: Chapter 2

20. ANS: A
EXPLANATION: User Mode: Limited Access, Single Window prevents users from opening new windows or accessing a portion of the console tree, and it allows them to view only one window in the console. User Mode: Limited Access, Multiple Windows prevents users from opening new windows or accessing a portion of the console tree, but it allows them to view multiple windows in the console. There is no console mode called User Mode: Limited Access, Single Window, No Open. There is also no console mode called User Mode: Full Access, Single Window. (Discussion starts on page 44.)

DIF: Application REF: Chapter 2

21. ANS: C
EXPLANATION: For a Remote Assistance session to be started, a user must be present at the client console to grant the expert access. You cannot use Remote Assistance to connect to an unattended computer.
The answer “If you are logged in as an administrator” is incorrect. Being logged in as administrator does not allow you to open a Remote Assistance session on an unattended computer.
The answer “If the password to the administrator account on the unattended computer is the same as the administrator account on your system” is also incorrect. Password synchronization between systems is not a requirement of Remote Assistance.
The answer “If you have a valid invitation issued from that computer” is incorrect. A valid invitation is required to connect to a remote computer, but if the computer is unattended, a Remote Assistance session cannot be started. (Discussion starts on page 57.)

DIF: Application REF: Chapter 2

22. ANS: A
EXPLANATION: To issue an invitation for Remote Assistance, you would select Help And Support from the Start menu to open the Help And Support Center window and then click the Remote Assistance hyperlink.
The answer “Select Help And Support from the Start Menu to open the Help And Support Center window, click the Get Help hyperlink, and then select Remote Assistance” is incorrect. There is no Get Help hyperlink in the Help And Support Center window. Help And Support Center is not found in Control Panel. (Discussion starts on page 55.)

DIF: Application REF: Chapter 2

23. ANS: B
EXPLANATION: You must have port 3389 open on the firewall to provide remote desktop functionality. Port 1863 must be open on the firewall for invitations to be sent via Windows Messenger. Opening ports 2289 and 1863 would allow Windows Messenger traffic to pass through the firewall, but Remote Assistance traffic would not be allowed through. Opening ports 2058 and 1863 would allow Windows Messenger traffic to pass through the firewall, but Remote Assistance traffic would not be allowed through. Opening ports 3389 and 2058 would allow Terminal Services traffic through the firewall but would not allow Windows Messenger traffic through. (Discussion starts on page 57.)

DIF: Synthesis REF: Chapter 2

24. ANS: D
EXPLANATION: Time restrictions are configured from the Logon Hours button on the Account page of a user’s properties. There is no Logon Hours page in the user account properties. (Discussion starts on page 181.)

DIF: Demonstration REF: Chapter 6

25. ANS: C
EXPLANATION: A mandatory profile can be changed by the user, but when the user logs off, the changes are not saved. A roaming profile can be accessed by the user no matter what system on the network she is logging on from. Fixed and static are not profile types. (Discussion starts on page 199.)

DIF: Demonstration REF: Chapter 6

26. ANS: A
EXPLANATION: The Dsmod.exe utility allows you to modify an object in Active Directory. The Comma Separated Value Data Exchange utility (Csvde.exe) can be used only to import or export information to or from the directory. It cannot be used to modify an existing directory object. Dsadd.exe can be used only to add objects to the directory, not to modify an existing object. There is no such utility as Adobjedit.exe. (Discussion starts on page 195.)

DIF: Demonstration REF: Chapter 6

27. ANS: A
EXPLANATION: When you configure the properties of more than one user at a time, you cannot configure the Terminal Services Session settings. All of the other items can be edited for multiple users at once. (Discussion starts on page 186.)

DIF: Demonstration REF: Chapter 6

28. ANS: A
EXPLANATION: The Account Is Locked Out check box is in the Account tab of a user’s properties. If the account is locked as a result of settings in the Account Lockout Policy, the check box is selected. Clearing it unlocks the account. The Account Is Locked Out check box is not in the General or Sessions tab of a user’s account properties. There is no tab in the user’s account properties called User. (Discussion starts on page 181.)

DIF: Demonstration REF: Chapter 6

29. ANS: D
EXPLANATION: All of the operating systems listed require additional client software to access the complete functionality of Active Directory. (Discussion starts on page 201.)

DIF: Demonstration REF: Chapter 6

30. ANS: D
EXPLANATION: Logon time restrictions are part of a user’s account properties. They are not part of the user profile. All of the other items are included in a user profile. (Discussion starts on page 196.)

DIF: Demonstration REF: Chapter 6

31. ANS: B
EXPLANATION: For a password to meet complexity requirements, it must contain at least three of the following four elements: uppercase alphabetic characters, lowercase alphabetic characters, numbers, or special characters (such as !@#). It must also be at least six characters long and not be based on the username. The !!@TRPP%% password contains only special characters and uppercase letters. All of the other passwords conform to the complexity requirements. (Discussion starts on page 168.)

DIF: Application REF: Chapter 6

32. ANS: D
EXPLANATION: If a password is stored using reversible encryption, it can be accessed by other applications. This approach poses a security risk, and it should be implemented only if absolutely necessary. There is no way for a user account password to be recovered, nor is there any facility in Windows Server 2003 for providing users with password clues. The administrator cannot view users’ passwords. (Discussion starts on page 182.)

DIF: Application REF: Chapter 6

33. ANS: B
EXPLANATION: You can reset a user account password in Active Directory Users And Computers by selecting Reset Password from the Action menu. You must enter and confirm the new password. You do not need to know the existing password to reset the password. User passwords are not reset from the Account properties page for the user, nor are they reset from the General properties page for the user. (Discussion starts on page 177.)

DIF: Application REF: Chapter 6

34. ANS: D
EXPLANATION: A value of 0 for the Account Lockout Duration policy setting means that any account locked out by exceeding the account lockout threshold must be unlocked manually. This value does not cause a locked account to immediately unlock. Resetting a password for the user does not unlock the account. The Enforce Password History policy is part of the Password Policy and is not related to settings in the Account Lockout Policy. (Discussion starts on page 200.)

DIF: Application REF: Chapter 6

35. ANS: B
EXPLANATION: The default mode for Csvde.exe is export. Unless you use the -i switch in the command, Csvde.exe will attempt an export to the specified file, not an import from the file. The -k switch tells Csvde.exe to ignore errors such as duplicate users. It does not (nor does any other switch) determine when the user accounts should be added. Csvde.exe can be used to import a wide range of directory objects, including users, groups, and computer accounts. The -f switch is correct for specifying the comma-separated value file that is to be used for the import. (Discussion starts on page 192.)

DIF: Application REF: Chapter 6

36. ANS: C
EXPLANATION: All values except the Logon Name are copied from the Account tab when a user account is copied to create a new user account. Group Memberships are listed in the Member Of tab of the user’s account properties, not the Account tab. The logon hours are copied from the Account tab when a user account is copied to create a new account. The Street Address value is in the Address tab, not the Account tab. (Discussion starts on page 190.)

DIF: Application REF: Chapter 6

37. ANS: D
EXPLANATION: If the user is already logged on when the allowed logon time ends, service is not interrupted—except if the security option in group policy objects called Network Security: Force Logoff When Logon Hours Expire is enabled. In this case, the user is forcibly disconnected when her logon hours expire. (Discussion starts on page 181.)

DIF: Application REF: Chapter 6

38. ANS: D
EXPLANATION: The account lockout threshold specifies the number of invalid logon attempts that triggers an account lockout. A value of 0 prevents accounts from ever being locked out. (Discussion starts on page 200.)

DIF: Application REF: Chapter 6

39. ANS: B
EXPLANATION: When you create a new user account from a template, group memberships are copied to the new user. In addition, all address information is copied except the street address. Password and file permissions granted to the original user are not transferred over. (Discussion starts on page 190.)

DIF: Application REF: Chapter 6

40. ANS: D
EXPLANATION: The basic procedure for making a profile mandatory is to locate the Ntuser.dat file related to the user account and rename it to Ntuser.man. There is no Set As Mandatory button in the Advanced page of the System Properties dialog box. Although setting read-only permissions for the user’s profile folder might prevent the user from making any changes to his profile, this is not the accepted way of making a profile mandatory. (Discussion starts on page 199.)

DIF: Application REF: Chapter 6

41. ANS: C
EXPLANATION: The most likely answer of those listed is that the Callback Options on the Dial-In page for the user have been configured to always call back his home phone number. When the user tries to establish a dial-in connection, the server he is connecting to drops the connection and then calls his home number. The Verify Caller ID property is not available when Active Directory is configured in Windows Server 2003 mixed mode. Static routes determine which areas of the network are available to the user if he connects over a dial-in or VPN connection, and what areas of the network are inaccessible. They affect the user after he connects, not while he is trying to connect. Also, because you have made no changes to the account and the user was able to connect the previous day, this is unlikely to be the problem. The telephone numbers listed on the Telephones page of the user’s account properties are unrelated to the dial-in properties. (Discussion starts on page 186.)

DIF: Synthesis REF: Chapter 6

42. ANS: C
EXPLANATION: To configure Log On To restrictions, you enter the NetBIOS machine names of the systems that you will permit the user account to log on from. You can assume that the company is using NetBIOS because it has a WINS server. To create a roaming mandatory profile for the user, you rename the Ntuser.dat file for the user to Ntuser.man. Log On To restrictions are not configured using the IP address of the systems that the user is permitted to log on from, nor are they configured using the MAC address. The user profile file is not named Ntuser.pfl. (Discussion starts on page 195.)

DIF: Synthesis REF: Chapter 6

43. ANS: D
EXPLANATION: If you set the Account Lockout Duration policy to 0, locked accounts must be manually unlocked by the administrator. The administrator would find out when an account becomes locked because the user must ask the administrator to unlock the account. Setting the Account Lockout Threshold policy to 4 causes the account to become locked after four incorrect logon attempts. These settings would satisfy the manager’s requirements. Setting the Account Lockout Threshold policy to 0 would cause the system to lock the account after the first incorrect logon attempt. Setting the Account Lockout Duration policy to 4 would cause the lockout to be cleared after 4 minutes. The Enforce Password History policy is part of the Password Policy, not the Account Lockout Policy. (Discussion starts on page 200.)

DIF: Synthesis REF: Chapter 6

44. ANS: A
EXPLANATION: The Web Page field and the E-Mail Address field are available for edit by selecting multiple users at one time. The Csvde.exe utility is used for importing or exporting objects from the directory. It is not used for editing the properties of existing objects. The Dsmod.exe utility can be used for editing the properties of existing objects, but in this case it would almost certainly be simpler to just edit the properties of multiple objects at a time. There is no facility for user objects inheriting values from an OU. (Discussion starts on page 188.)

DIF: Synthesis REF: Chapter 6

45. ANS: B
EXPLANATION: When a service account is required, you should create a new user account for that purpose. If the account needs to impersonate a client to access computer resources on behalf of other user accounts, you must select the Account Is Trusted For Delegation check box, which is in the Account properties tab for a user account. (Discussion starts on page 181.)

DIF: Synthesis REF: Chapter 6

46. ANS: D
EXPLANATION: When you install IIS, a user account is created called IUSR_computername. This account allows anonymous users to connect to the server and access Web pages on it. There is no need, in this example, to create user accounts in Active Directory. There is no Use IIS right in the General Properties tab. (Discussion starts on page 173.)

DIF: Synthesis REF: Chapter 6

47. ANS: C
EXPLANATION: A value of 0 for the Account Lockout Duration means that a locked account must be manually unlocked by an administrator. The Reset Account Lockout Counter After value determines the “memory” of the system for incorrect passwords in a given time period. In this example, the user can enter an incorrect password twice every 15 minutes and still not lock the account. After three incorrect passwords are entered in a 15-minute period, the account is locked. Triggering the Account Lockout policy locks an account—it does not disable it. A disabled account cannot be used, even with the correct password. The policy as described allows a user three incorrect logon attempts before the account is locked. (Discussion starts on page 200.)

DIF: Synthesis REF: Chapter 6

48. ANS: A
EXPLANATION: The Manager and Department fields can be edited on multiple objects at a time. The dial-in permission must be edited on a per-user basis. Configuration by Remote Access Policy is not supported on a Windows 2000 mixed mode domain functional level. The Dsadd.exe utility is used to add objects to Active Directory, not to edit the properties of existing objects. (Discussion starts on page 177.)

DIF: Synthesis REF: Chapter 6

49. ANS: C
EXPLANATION: For a password to meet complexity requirements, it must include characters from at least three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols. In this example, the password $$r763 fulfills these requirements. The Maximum Password Age setting requires that the user change her password at least every 30 days, but the Minimum Password Age value prevents the user from changing her password any sooner than 15 days. The Enforce Password History value of 10 ensures that the user must change her password 10 times before using a previous password. (Discussion starts on page 168.)

DIF: Synthesis REF: Chapter 6

50. ANS: C
EXPLANATION: Windows Server 2003 mixed is not a domain functional level supported by Windows Server 2003. All of the other answers are domain functional levels supported by Windows Server 2003. (Discussion starts on page 212.)

DIF: Demonstration REF: Chapter 7

51. ANS: B
EXPLANATION: Power Users is not a built-in Active Directory group. Backup Operators, Account Operators, and Network Configuration Operators are all valid Active Directory groups. (Discussion starts on page 226.)

DIF: Demonstration REF: Chapter 7

52. ANS: A
EXPLANATION: When a computer is added to the domain, the Domain Admins global group is added to the local Administrators group. It is not possible to add a local group to a global group, so it is not possible to add the local Administrators group to the Domain Admins global group. When a computer is added to the domain, the Domain Admins global group is not added to the Power Users group. There is no local group called Computers. (Discussion starts on page 221.)

DIF: Demonstration REF: Chapter 7

53. ANS: B
EXPLANATION: You change group scopes in the General properties tab of the group in Active Directory Users and Computers. There is no tab in Active Directory Users and Computers called Scopes, nor is there one called Type. Scope changes are not made in the Members properties tab of Active Directory Users and Computers. (Discussion starts on page 237.)

DIF: Demonstration REF: Chapter 7

54. ANS: D
EXPLANATION: Universal groups can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests. Universal groups are available only in the Windows 2000 native and Windows Server 2003 functional levels, and universal groups can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members. (Discussion starts on page 218.)

DIF: Demonstration REF: Chapter 7

55. ANS: A
EXPLANATION: The Account Operators group does not have the right to back up files and directories. The Server Operators, Administrators, and Backup Operators groups all have the rights to back up files and directories. (Discussion starts on page 226.)

DIF: Demonstration REF: Chapter 7

56. ANS: A
EXPLANATION: Global groups can include only users from within their domain. They cannot include members from other domains in the tree, the forest, or anywhere else in the Active Directory structure. (Discussion starts on page 217.)

DIF: Demonstration REF: Chapter 7

57. ANS: C
EXPLANATION: Active Directory Domains and Trusts is used to raise the domain functional level of Active Directory. None of the other tools listed can be used for this purpose. (Discussion starts on page 212.)

DIF: Demonstration REF: Chapter 7

58. ANS: A
EXPLANATION: Windows 2000 mixed is the default domain functional level. Windows 2000 native and Windows Server 2003 interim are valid domain functional levels, but they are not the default domain functional levels. Windows Server 2003 single server is not a recognized domain functional level. (Discussion starts on page 212.)

DIF: Application REF: Chapter 7

59. ANS: B
EXPLANATION: A user who connects to the system via a Remote Desktop connection automatically becomes a member of the Interactive special identity. The user does not become part of the Dialup or Anonymous Logon special identity. Remote Users is not a recognized special identity. (Discussion starts on page 229.)

DIF: Demonstration REF: Chapter 7

60. ANS: C
EXPLANATION: The Dsadd command is used to add new groups to Active Directory. The command creates a new global group called sales.users.contoso.com, and the user Administrator is made a member of that group. The answer “The command produces an error” is incorrect. The syntax and usage of the command are valid. The answer “A universal group called sales.users.contoso.com is created, with the user Administrator as a member” is incorrect. The “-scope g” would cause a global group to be created. The answer “The user administrator is removed from the sales.users.contoso.com group, and the scope is changed to global” is incorrect. Group membership cannot be changed using the Dsadd command. (Discussion starts on page 239.)

DIF: Application REF: Chapter 7

61. ANS: B
EXPLANATION: You can convert a global group to a universal group only if the global group is not a member of any other global group. The answer “Only when the global group contains users from only one domain” is incorrect. By definition, a global group can contain only users from a single domain. The answer “There are no restrictions when converting a global group to a universal group” is incorrect. There are restrictions on converting a global group to a universal group. The answer “You cannot convert a global group to a universal group under any circumstances” is incorrect. You can convert a global group to a universal group if the global group is not a member of another global group. (Discussion starts on page 220.)

DIF: Application REF: Chapter 7

62. ANS: A
EXPLANATION: Of the groups listed, only the Administrators group and the Domain Admins group have all of the required permissions. However, the Domain Admins group also has rights that are not required by the new hire. Therefore, the best choice is to add the user to the Administrators group. The Server Operators group does not have rights to create user accounts or load and unload device drivers. The Backup Operators group does not have rights to create user accounts or load and unload device drivers. (Discussion starts on page 226.)

DIF: Application REF: Chapter 7

63. ANS: C
EXPLANATION: When a group is deleted, access control list (ACL) entries related to that group are removed. In this example, there are no other permissions assigned to the printer, so members of the Sales department can no longer print. The answer “The Sales group is removed from the ACL for the printer, but members of the Sales group can still print to the printer” is incorrect. If the group is removed and the users are not assigned permissions individually, the users cannot print. The answer “The Sales group is removed from the ACL for the printer, but the individual user accounts that were members of the Sales group are added to the ACL of the printer, thereby allowing them to print” is incorrect. When you delete a group, members of that group are not added to the ACL of any resource to which the group was assigned permissions. The answer “Any user account that is a member of the Sales group is deleted” is incorrect. Deleting a group causes only that group object to be deleted. User accounts that are a member of that group are not deleted. (Discussion starts on page 238.)

DIF: Application REF: Chapter 7

64. ANS: D
EXPLANATION: Members of the Account Operators group can create, delete, and modify user, computer, and group objects in the Users and Computers containers and in all OUs except domain controllers. Members do not have permission to modify the Administrators or Domain Admins groups, nor can they modify the accounts for members of those groups. (Discussion starts on page 226.)

DIF: Application REF: Chapter 7

65. ANS: C
EXPLANATION: Group policy objects (GPOs) can be assigned only to Active Directory domain, site, and OU objects. You cannot assign a group policy object to a group. (Discussion starts on page 211.)

DIF: Application REF: Chapter 7

66. ANS: A
EXPLANATION: When a computer is added to the domain, the Domain Guests predefined global group is automatically added to the local Guests group. The answer “The special identity Guests is added to the local Guests group” is incorrect. There is no Guests special identity. The answer “Any user accounts defined as members of the local Guests group are added to the Domain Guests group” is incorrect. When a computer is added to the domain, no changes are made to the Domain Guests group. The answer “The local Guests group is deleted” is incorrect. The local Guests group is not deleted when the computer is added to the domain. (Discussion starts on page 221.)

DIF: Application REF: Chapter 7

67. ANS: B
EXPLANATION: The correct answer is “Create a universal group, place the user accounts for the auditors in that group, and then assign the universal group permissions to all of the printers in each of the domains.” The answer “Create a global group, place the user accounts for the auditors in that group, and then assign the global group permissions to all of the printers in each of the domains” is incorrect. You cannot assign a global group permissions to resources in a domain other than the one in which it is created. The answer “Create a universal group, place the user accounts for the auditors in that group, and then place the universal group into the local printer users group on the domain controllers that host a printer” is incorrect. There is no local printer users group. The answer “Create a universal group, and place the user accounts for the auditors in that group. Create a global group, and place the auditors universal group into that global group. Finally, assign the global group permissions to the printers in each domain” is incorrect. You cannot place a universal group into a global group. (Discussion starts on page 218.)

DIF: Synthesis REF: Chapter 7

68. ANS: A
EXPLANATION: Universal groups are available only in the Windows 2000 native and Windows Server 2003 domain functional levels. They are not available in Active Directory operating at a Windows 2000 mixed domain functional level. The answer “You have more than one domain” is incorrect. The ability to create universal groups is not dependent on the number of domains in the directory, although the functionality they provide is not relevant in directory structures with only one domain. (Discussion starts on page 212.)

DIF: Synthesis REF: Chapter 7

69. ANS: C
EXPLANATION: Best practice dictates that you identify the resource to which users need access, and then create one or more domain local groups for those resources. Next you assign the permissions needed for access to the resources to the domain local group. Then you identify users with common job responsibilities and add their user objects to a global group. Finally, you make the global group a member of the appropriate domain local group. The answer “Assign each user in the Sales department access to the folder individually” is incorrect. This would not be the best way to give users from the Sales department access to the database. The answer “Create a global group called Database, and give that group the necessary permissions to the folder containing the data file. Create a domain local group called SalesData, and add the appropriate members of the Sales department to the SalesData domain local group. Add the SalesData domain local group to the Database global group” is incorrect. You cannot nest a domain local group in a global group. The answer “Create a local group called Database on the domain controller. Create a global group called SalesData, and add the appropriate members of the Sales department to the SalesData global group. Add the SalesData global group to the local group” is incorrect. You cannot create a local group on a domain controller. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

70. ANS: C
EXPLANATION: To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group. This enables you to create a single universal group that is usable throughout the enterprise, but with a membership that does not change frequently. This method is preferable to adding users and computers to the universal group directly, because every change to the universal group’s membership causes the entire membership to be replicated to the global catalog, throughout the forest. Managing the users and computers in the global groups does not affect the universal group’s membership and therefore generates no additional replication traffic. In this scenario, with slow WAN links and universal group memberships that are likely to change, this would be of particular concern. The answer “None. The suggestion is practical and valid” is incorrect. There are issues with this solution. The answer “Universal groups are not available on a Windows Server 2003 domain functional level” is incorrect. Universal groups can be created in Active Directory running at a Windows Server 2003 domain functional level. The answer “You can place global or domain local groups only in a universal group, not user accounts” is incorrect. You can place individual user accounts into a universal group, although this is not recommended. (Discussion starts on page 218.)

DIF: Synthesis REF: Chapter 7

71. ANS: C
EXPLANATION: When you use Active Directory at a Windows 2000 native domain functional level, a domain local group can contain user and computer accounts, universal groups, and global groups from any domain, as well as other domain local groups from the same domain. All of the other answers are incorrect. (Discussion starts on page 219.)

DIF: Application REF: Chapter 7

72. ANS: D
EXPLANATION: The best practice is to add users to global groups, and then add global groups to domain local groups that have been assigned the appropriate access to resources. The answers “Create user accounts to match the users listed in the distribution group, then convert the distribution group to a global group. Assign the new global group to domain local groups as needed to provide access” and “Convert the distribution group to a global group. Assign the new PR global group to the appropriate domain local group” are both incorrect. You cannot convert a distribution group to a security group, which is what a global group is. The answer “Create new user account for users from the PR department. Add the users to domain local groups as needed to provide access” is incorrect. As indicated, the best practice is to add users to a global group, and then add global groups to domain local groups to provide access to resources. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

73. ANS: A
EXPLANATION: You cannot convert groups when running Active Directory at a Windows 2000 mixed domain functional level. You can convert groups only when you are running Active Directory at a Windows 2000 native or Windows Server 2003 functional level. All of the other answers describe limitations on converting groups at either a Windows 2000 native or Windows Server 2003 domain functional level. (Discussion starts on page 220.)

DIF: Application REF: Chapter 7

74. ANS: D
EXPLANATION: Security groups can be used as distribution groups by directory-aware applications. Your manager can send messages to all users in a department just by using the security group, so special group configuration is not necessary. The answer “Copy each of the departmental groups, and then convert the new group to a distribution group” is incorrect. You cannot copy or convert groups. The answer “Create a distribution group for each department, and manually duplicate the membership of the security group for each department” is incorrect. There is no need to create distribution groups for each department. The answer “Convert the security group for each department to a distribution group” is incorrect. You cannot convert a security group to a distribution group, or vice versa. (Discussion starts on page 216.)

DIF: Synthesis REF: Chapter 7

75. ANS: B
EXPLANATION: Best practice dictates that global groups be added to domain local groups that have been assigned the appropriate access to resources, so you should create a domain local group called Plotter and place the Development global group into the Plotter domain local group. The answer “Create a domain local group called Plotter, create a global group called Plotter Users, and make the Development global group a member of the Plotter Users group” is incorrect. There is no need to create a global group called Plotter Users in this example. The answer “Create a domain local group called Plotter. Place the user accounts for the users in the Development department into that group” is incorrect. Best practice dictates that you use global groups to group people by job function, and then use these global groups in domain local groups to provide access to resources. The answer “Assign the users from the Development department access to the plotter by assigning permissions to their user accounts” is incorrect. Best practice dictates that you use groups, not individual user accounts, to provide access to resources. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

76. ANS: A
EXPLANATION: At the Windows 2000 mixed domain functional level, domain local groups can contain global groups from any domain on the network. The answer “Create a universal group called SQL, and assign it to the folders containing the database data files. Create a global group in each domain called DBAs, and add the user accounts for the DBAs to the DBA group. Add the DBA group to the SQL universal group” and the answer “Create a universal group called SQLDBA, and assign it permissions to the folders containing the database data files. Make the DBAs’ user accounts members of the universal group” are incorrect. You cannot create universal groups in Active Directory running at a Windows 2000 mixed domain functional level. The answer “Create a global group in each location, and assign the global group permissions to folders containing the database data files. Add the DBAs from San Francisco to the global group in each location” is incorrect. On Active Directory running at a Windows 2000 mixed domain functional level, global groups can contain user and computer accounts only from the same domain. (Discussion starts on page 216.)

DIF: Synthesis REF: Chapter 7

77. ANS: D
EXPLANATION: Universal groups are supported only at the Windows 2000 native or Windows Server 2003 functional level. They are not supported at the Windows 2000 mixed or Windows Server 2003 interim functional level. (Discussion starts on page 219.)

DIF: Demonstration REF: Chapter 7

78. ANS: A
EXPLANATION: The Windows 2000 native domain functional level supports both Windows Server 2003 and Windows 2000 servers. It also supports universal security and distribution groups, and group nesting. The answer “Windows Server 2003” is incorrect. The Windows Server 2003 domain functional level supports domain controllers running Windows Server 2003 only. The answer “Windows Server 2003 interim” is incorrect. This domain functional level is used only when you upgrade domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers. The answer “Windows 2000 mixed” is incorrect. Although this domain functional level supports both Windows Server 2003 and Windows 2000 Server systems, it does not support universal security groups or group nesting. (Discussion starts on page 212.)

DIF: Synthesis REF: Chapter 7

SHORT ANSWER

79. ANS:
Answers may vary.
EXPLANATION: Group policies enable you to specify security settings, deploy software, and configure operating system and application behavior on a computer without ever having to touch it directly. Instead, you implement the desired configuration settings in a special Active Directory object called a group policy object (GPO) and then link the GPO to an Active Directory object containing the computers or users you want to configure. (Discussion starts on page 32.)

DIF: Application REF: Chapter 1

80. ANS:
Answers may vary.
EXPLANATION: An object is a component that represents a specific network resource. Active Directory can contain objects representing physical resources, such as computers and printers; human resources, such as users and groups; software resources, such as applications and DNS zones; and administrative resources, such as organizational units (OUs) and sites.
Every Active Directory object consists of a set of attributes, which are pieces of information about that object. A user object, for example, contains attributes specifying the user’s account name, password, address, telephone number, and other identifying information. (Discussion starts on page 30.)

DIF: Application REF: Chapter 1

81. ANS:
Answers may vary.
EXPLANATION: The taskpad is an area of the details pane for a particular snap-in that contains links to frequently used functions from that snap-in (as shown in Figure 2-10 in the textbook chapter). To create a taskpad, you select a snap-in in the scope pane and then select New Taskpad View from the Action menu. The New Taskpad View Wizard then takes you through the process of specifying how and where you want the taskpad to appear. (Discussion starts on page 43.)

DIF: Application REF: Chapter 2

82. ANS:
Answers may vary.
EXPLANATION: The Minimum Password Age policy allows you to specify the minimum number of days a user must wait before changing her password. This prevents a user from reverting to an old password too quickly, although the Enforce Password History setting must be set to a value greater than zero for the Minimum Password Age policy to be effective. (Discussion starts on page 169.)

DIF: Demonstration REF: Chapter 6

83. ANS:
Answers may vary.
EXPLANATION: The Apply Static Routes check box allows you to specify routes accessible to the user from the dial-in connection. You can thus determine which areas of the network are available to the user if he connects over a dial-in or VPN connection, and what areas of the network will be inaccessible to him. (Discussion starts on page 186.)

DIF: Application REF: Chapter 6

84. ANS:
Answers may vary.
EXPLANATION: A domain user account consists of a logon name and a password, as well as a unique security identifier (SID). During logon, Active Directory authenticates the username and password entered by the user. The security subsystem then builds a security access token that represents that user. The access token contains the user account’s SID, as well as the SIDs of groups to which the user belongs. That token is used to verify user rights assignments, including the right to log on locally to the system, and to authorize access to resources secured by access control lists (ACLs). (Discussion starts on page 167.)

DIF: Application REF: Chapter 6

85. ANS:
Answers may vary.
EXPLANATION: You can disable an existing user account in one of three ways: 1. Right-click the account and select Disable Account; 2. Select the account, and select Disable Account from the Action menu; or 3. On the Account page of the user’s properties, select the Account Is Disabled option in the Account Options area of the tab. (Discussion starts on page 172.)

DIF: Application REF: Chapter 6

86. ANS:
Answers may vary.
EXPLANATION: Determine what network location you will use to store the roaming profiles. Create a folder to hold the profiles, and then create a share on that system so it can be accessed via the network. From the Profile page of the user account properties, configure the Profile Path field to point to the share that you created to hold the profiles. Log on as the user, and make any necessary changes to the profile. Then locate the Ntuser.dat file for that user account and rename it to Ntuser.man. (Discussion starts on page 195.)

DIF: Synthesis REF: Chapter 6

87. ANS:
Answers may vary.
EXPLANATION: The new user cannot access the resources because the manager has been assigned permissions to those resources as an individual user rather than as a member of the Sales group. When a user account is copied, group memberships are copied but permission assignments made to the template account on an individual basis are not copied. The best way to resolve the issue is to determine what resources the user is trying to access but cannot, and then assign permissions to those resources on an individual basis. (Discussion starts on page 190.)

DIF: Synthesis REF: Chapter 6

88. ANS:
Answers may vary.
EXPLANATION: Security groups are used to assign access permissions for network resources. Programs that are designed to work with Active Directory can also use security groups for nonsecurity-related purposes, such as retrieving user information for use in a Web application. (Discussion starts on page 216.)

DIF: Application REF: Chapter 7

89. ANS:
Answers may vary.
EXPLANATION: The Enterprise Admins group appears only in the forest root domain, which is the first domain created in the forest. Its members have full administrative control over all domains in the forest. By default, the Enterprise Admins group is a member of the Administrators domain local group, and the domain Administrator user object is a member of Enterprise Admins. (Discussion starts on page 224.)

DIF: Application REF: Chapter 7

90. ANS:
Answers may vary.
EXPLANATION: Distribution groups are intended for use by applications as lists for nonsecurity-related functions. You use distribution groups when the group's only function is nonsecurity-related, such as sending e-mail messages to a group of users at the same time. You cannot use distribution groups to assign rights and permissions. Only applications that are designed to work with Active Directory can use distribution groups. For example, Microsoft Exchange uses distribution groups as mailing lists for sending e-mail messages. (Discussion starts on page 216.)

DIF: Application REF: Chapter 7