Monday, July 27, 2009

ASO1 Answers

TRUE/FALSE

1. ANS: F
EXPLANATION: A DNS server is required to complete the installation of a domain controller, but it need not be present before the installation is started. If, during the installation process, Windows Server 2003 does not find a DNS server, you will be prompted to install DNS on the system. (Discussion starts on page 20.)

DIF: Application REF: Chapter 1

2. ANS: F
EXPLANATION: Power Users is a local group. Local groups do not exist on Active Directory domain controllers. (Discussion starts on page 221.)

DIF: Application REF: Chapter 7

MULTIPLE CHOICE

3. ANS: D
EXPLANATION: The 64-bit version of Windows Server 2003 Datacenter Edition supports up to 64 processors. (Discussion starts on page 7.)

DIF: Demonstration REF: Chapter 1

4. ANS: E
EXPLANATION: Windows Server 2003 is available in Standard, Enterprise, Datacenter, and Web editions. It is not available in a Corporate edition. (Discussion starts on page 4.)

DIF: Demonstration REF: Chapter 1

5. ANS: B
EXPLANATION: The 32-bit version of Windows Server 2003 Datacenter Edition supports 64 GB of RAM. (Discussion starts on page 7.)

DIF: Demonstration REF: Chapter 1

6. ANS: D
EXPLANATION: A branch is not an organizational element of Active Directory. Trees, organizational units, and domains are all organizational elements of Active Directory. (Discussion starts on page 27.)

DIF: Demonstration REF: Chapter 1

7. ANS: B
EXPLANATION: One reason to implement more than one domain controller per domain is to provide fault tolerance. When more than one domain controller is used per domain, each still holds a complete copy of the Active Directory database. The domain database is not split up. The use of multiple administrators is not related to how many domain controllers are in use. When more than one domain controller is used per domain, each still holds a complete copy of the Active Directory database. Therefore, using multiple controllers will not reduce the number of objects stored in the database on each domain controller. (Discussion starts on page 28.)

DIF: Application REF: Chapter 1

8. ANS: C
EXPLANATION: To provide an additional property for a user account, you would use the Active Directory Schema snap-in to add an attribute to the user account property. You would not create a new object called Employer ID Code–it is a new property that is required. (Discussion starts on page 30.)

DIF: Application REF: Chapter 1

9. ANS: D
EXPLANATION: Windows Server 2003 Enterprise Edition supports up to eight processors. Windows Server 2003 Web Edition supports only 10 inbound SMB connections, making it unsuitable for supporting the file and print requirements of 78 users. Additionally, the Web Edition supports only up to two processors. Windows Server 2003 Datacenter Edition can be purchased only preinstalled on qualified hardware. Windows Server 2003 Standard Edition supports only up to four processors. (Discussion starts on page 4.)

DIF: Application REF: Chapter 1

10. ANS: A
EXPLANATION: The main drawback of using answer files for a mass operating system deployment is that each computer requires its own file. This is because some of the settings supplied during the installation must be unique, such as the computer name and IP address. There are no restrictions on how many copies of the answer file can be used at once. Answer files can be used with any edition of Windows Server 2003. Answer files do not need to have RIS installed and available on the network in order to work. (Discussion starts on page 9.)

DIF: Application REF: Chapter 1

11. ANS: B
EXPLANATION: The standard CAL model does not apply to computers running the Web Edition. The operating system supports an unlimited number of Web connections, but it is limited to 10 simultaneous Server Message Block (SMB) connections. A computer running the Web Edition can be a member of an Active Directory domain, but it cannot function as a domain controller. The ICF and ICS features are not included with the Web Edition, preventing the computer from functioning as an Internet gateway. A computer running the Web Edition cannot function as a DHCP server. (Discussion starts on page 5.)

DIF: Application REF: Chapter 1

12. ANS: B
EXPLANATION: The Datacenter Edition can be purchased only preinstalled on a system. Therefore, an existing system cannot be upgraded to the Datacenter Edition. The Datacenter Edition supports 64 GB of RAM in the 32-bit version and 512 GB of RAM in the 64-bit version. The Datacenter Edition supports up to 64-way symmetric multiprocessing (SMP) in the 64-bit version and 32-way SMP in the 32-bit version. It cannot be installed on a system incapable of at least eight processors. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

13. ANS: B
EXPLANATION: Windows Server 2003 Enterprise Edition provides support for 64-bit Intel Itanium processors, ICF, ICS, and DHCP. It also supports Terminal Services, which provides the required remote administration functionality. Windows Server 2003 Datacenter Edition does not support ICF or ICS. Windows Server 2003 Standard Edition is not available in a 64-bit version. Windows Server 2003 Web Edition does not support 64-bit hardware or the ICF or ICS. It also does not support any more than 2 GB RAM. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

14. ANS: D
EXPLANATION: The Windows System Resource Manager (WSRM) can be used to restrict the amount of system resources that can be used by a Terminal Server user at any one time. Microsoft Metadirectory Services (MMS) is a means of integrating multiple information sources into a single, unified directory. MMS makes it possible to combine Active Directory information with other directory services and to create a unified view of all available information about a given resource. The Internet Connection Firewall (ICF) provides protection for Internet connections. Network Load Balancing (NLB) allows network traffic to be distributed among multiple network interfaces in a single system. (Discussion starts on page 7.)

DIF: Synthesis REF: Chapter 1

15. ANS: B
EXPLANATION: The best solution is most likely the Standard Edition because it includes the functionality of Microsoft Internet Information Services (IIS) 6, it supports the available hardware, and it can provide file and print services for the 17 members of the Web development team. Although the Web Edition might seem like the most obvious choice in this situation, there is an issue with the fact that the 17-person development team also needs to access the server. The Web Edition accommodates only 10 inbound connections for the purposes of file access, so it would not be suitable. There is no Corporate Edition of Windows Server 2003. While the Enterprise Edition would meet the needs for your intranet, your needs do not justify its purchase over the Standard Edition. (Discussion starts on page 5.)

DIF: Synthesis REF: Chapter 1

16. ANS: C
EXPLANATION: Terminal Services uses TCP/IP port 3389. TCP/IP port 110 is used by the POP3 protocol. TCP/IP port 80 is used by the HTTP protocol. TCP/IP port 1863 is used by Windows Messenger. (Discussion starts on page 54.)

DIF: Demonstration REF: Chapter 2

17. ANS: B
EXPLANATION: By default, only members of the Administrators group are granted remote access permission. (Discussion starts on page 47.)

DIF: Demonstration REF: Chapter 2

18. ANS: B
EXPLANATION: Windows Server 2003 includes the Remote Desktop Connection files on the installation CD and also copies them to the Systemroot\System32\Clients\Tsclient\Win32 folder. It must be shared out to make the files in this folder available to users. (Discussion starts on page 51.)

DIF: Demonstration REF: Chapter 2

19. ANS: D
EXPLANATION: Although there are no specific rules about the communication of invitations and corresponding passwords, best practice dictates that you instruct users to supply the expert with the password using a different medium from the one they are using to send the invitation. (Discussion starts on page 55.)

DIF: Application REF: Chapter 2

20. ANS: A
EXPLANATION: User Mode: Limited Access, Single Window prevents users from opening new windows or accessing a portion of the console tree, and it allows them to view only one window in the console. User Mode: Limited Access, Multiple Windows prevents users from opening new windows or accessing a portion of the console tree, but it allows them to view multiple windows in the console. There is no console mode called User Mode: Limited Access, Single Window, No Open. There is also no console mode called User Mode: Full Access, Single Window. (Discussion starts on page 44.)

DIF: Application REF: Chapter 2

21. ANS: C
EXPLANATION: For a Remote Assistance session to be started, a user must be present at the client console to grant the expert access. You cannot use Remote Assistance to connect to an unattended computer.
The answer “If you are logged in as an administrator” is incorrect. Being logged in as administrator does not allow you to open a Remote Assistance session on an unattended computer.
The answer “If the password to the administrator account on the unattended computer is the same as the administrator account on your system” is also incorrect. Password synchronization between systems is not a requirement of Remote Assistance.
The answer “If you have a valid invitation issued from that computer” is incorrect because a valid invitation is required to connect to a remote computer. If the computer is unattended, a Remote Assistance session cannot be started. (Discussion starts on page 57.)

DIF: Application REF: Chapter 2

22. ANS: A
EXPLANATION: To issue an invitation for Remote Assistance, you would select Help And Support from the Start menu to open the Help And Support Center window and then click the Remote Assistance hyperlink.
The answer “Select Help And Support from the Start Menu to open the Help And Support Center window, click the Get Help hyperlink, and then select Remote Assistance” is incorrect. There is no Get Help hyperlink in the Help And Support Center window. Help And Support Center is not found in Control Panel. (Discussion starts on page 55.)

DIF: Application REF: Chapter 2

23. ANS: B
EXPLANATION: You must have port 3389 open on the firewall to provide remote desktop functionality. Port 1863 must be open on the firewall for invitations to be sent via Windows Messenger. Opening ports 2289 and 1863 would allow Windows Messenger traffic to pass through the firewall, but Remote Assistance traffic would not be allowed through. Opening ports 2058 and 1863 would allow Windows Messenger traffic to pass through the firewall, but Remote Assistance traffic would not be allowed through. Opening ports 3389 and 2058 would allow Terminal Services traffic through the firewall but would not allow Windows Messenger traffic through. (Discussion starts on page 57.)

DIF: Synthesis REF: Chapter 2

24. ANS: D
EXPLANATION: Time restrictions are configured from the Logon Hours button on the Account page of a user’s properties. There is no Logon Hours page in the user account properties. (Discussion starts on page 181.)

DIF: Demonstration REF: Chapter 6

25. ANS: C
EXPLANATION: A mandatory profile can be changed by the user, but when the user logs off, the changes are not saved. A roaming profile can be accessed by the user no matter what system on the network she is logging on from. Fixed and static are not profile types. (Discussion starts on page 199.)

DIF: Demonstration REF: Chapter 6

26. ANS: A
EXPLANATION: The Dsmod.exe utility allows you to modify an object in Active Directory. The Comma Separated Value Data Exchange utility (Csvde.exe) can be used only to import or export information to or from the directory. It cannot be used to modify an existing directory object. Dsadd.exe can be used only to add objects to the directory, not to modify an existing object. There is no such utility as Adobjedit.exe. (Discussion starts on page 195.)

DIF: Demonstration REF: Chapter 6

27. ANS: A
EXPLANATION: When you configure the properties of more than one user at a time, you cannot configure the Terminal Services Session settings. All of the other items can be edited for multiple users at once. (Discussion starts on page 186.)

DIF: Demonstration REF: Chapter 6

28. ANS: A
EXPLANATION: The Account Is Locked Out check box is in the Account tab of a user’s properties. If the account is locked as a result of settings in the Account Lockout Policy, the check box is selected. Clearing it unlocks the account. The Account Is Locked Out check box is not in the General or Sessions tab of a user’s account properties. There is no tab in the user’s account properties called User. (Discussion starts on page 181.)

DIF: Demonstration REF: Chapter 6

29. ANS: D
EXPLANATION: All of the operating systems listed require additional client software to access the complete functionality of Active Directory. (Discussion starts on page 201.)

DIF: Demonstration REF: Chapter 6

30. ANS: D
EXPLANATION: Logon time restrictions are part of a user’s account properties. They are not part of the user profile. All of the other items are included in a user profile. (Discussion starts on page 196.)

DIF: Demonstration REF: Chapter 6

31. ANS: B
EXPLANATION: For a password to meet complexity requirements, it must contain at least three of the following four elements: uppercase alphabetic characters, lowercase alphabetic characters, numbers, or special characters (such as !@#). It must also be at least six characters long and not be based on the username. The !!@TRPP%% password contains only special characters and uppercase letters. All of the other passwords conform to the complexity requirements. (Discussion starts on page 168.)

DIF: Application REF: Chapter 6

32. ANS: D
EXPLANATION: If a password is stored using reversible encryption, it can be accessed by other applications. This approach poses a security risk, and it should be implemented only if absolutely necessary. There is no way for a user account password to be recovered, nor is there any facility in Windows Server 2003 for providing users with password clues. The administrator cannot view users’ passwords. (Discussion starts on page 182.)

DIF: Application REF: Chapter 6

33. ANS: B
EXPLANATION: You can reset a user account password in Active Directory Users And Computers by selecting Reset Password from the Action menu. You must enter and confirm the new password. You do not need to know the existing password to reset the password. User passwords are not reset from the Account properties page for the user, nor are they reset from the General properties page for the user. (Discussion starts on page 177.)

DIF: Application REF: Chapter 6

34. ANS: D
EXPLANATION: A value of 0 for the Account Lockout Duration policy setting means that any account locked out by exceeding the account lockout threshold must be unlocked manually. This value does not cause a locked account to immediately unlock. Resetting a password for the user does not unlock the account. The Enforce Password History policy is part of the Password Policy and is not related to settings in the Account Lockout Policy. (Discussion starts on page 200.)

DIF: Application REF: Chapter 6

35. ANS: B
EXPLANATION: The default mode for Csvde.exe is export. Unless you use the -i switch in the command, Csvde.exe will attempt an export to the specified file, not an import from the file. The -k switch tells Csvde.exe to ignore errors such as duplicate users. It does not (nor does any other switch) determine when the user accounts should be added. Csvde.exe can be used to import a wide range of directory objects, including users, groups, and computer accounts. The -f switch is correct for specifying the comma-separated value file that is to be used for the import. (Discussion starts on page 192.)

DIF: Application REF: Chapter 6

36. ANS: C
EXPLANATION: All values except the Logon Name are copied from the Account tab when a user account is copied to create a new user account. Group Memberships are listed in the Members Of tab of the user’s account properties, not the Account tab. The logon hours are copied from the Account tab when a user account is copied to create a new account. The Street Address value is in the Address tab, not the Account tab. (Discussion starts on page 190.)

DIF: Application REF: Chapter 6

37. ANS: D
EXPLANATION: If the user is already logged on when the allowed logon time ends, service is not interrupted—except if the security option in group policy objects called Network Security: Force Logoff When Logon Hours Expire is enabled. In this case, the user is forcibly disconnected when her logon hours expire. (Discussion starts on page 181.)

DIF: Application REF: Chapter 6

38. ANS: D
EXPLANATION: The account lockout threshold specifies the number of invalid logon attempts that triggers an account lockout. A value of 0 prevents accounts from ever being locked out. (Discussion starts on page 200.)

DIF: Application REF: Chapter 6

39. ANS: B
EXPLANATION: When you create a new user account from a template, group memberships are copied to the new user. In addition, all address information is copied except the street address. Password and file permissions granted to the original user are not transferred over. (Discussion starts on page 190.)

DIF: Application REF: Chapter 6

40. ANS: D
EXPLANATION: The basic procedure for making a profile mandatory is to locate the Ntuser.dat file related to the user account and rename it to Ntuser.man. There is no Set As Mandatory button in the Advanced page of the System Properties dialog box. Although setting read-only permissions for the user’s profile folder might prevent the user from making any changes to his profile, this is not the accepted way of making a profile mandatory. (Discussion starts on page 199.)

DIF: Application REF: Chapter 6

41. ANS: C
EXPLANATION: The most likely answer of those listed is that the Callback Options on the Dial-In page for the user have been configured to always call back his home phone number. When the user tries to establish a dial-in connection, the server he is connecting to drops the connection and then calls his home number. The Verify Caller ID property is not available when Active Directory is configured in Windows Server 2003 mixed mode. Static routes determine which areas of the network are available to the user if he connects over a dial-in or VPN connection, and what areas of the network are inaccessible. They affect the user after he connects, not while he is trying to connect. Also, because you have made no changes to the account and the user was able to connect the previous day, this is unlikely to be the problem. The telephone numbers listed on the Telephones page of the user’s account properties are unrelated to the dial-in properties. (Discussion starts on page 186.)

DIF: Synthesis REF: Chapter 6

42. ANS: C
EXPLANATION: To configure Log On To restrictions, you enter the NetBIOS machine names of the system that you will permit the user account to log on from. You can assume that the company is using NetBIOS because it has a WINS server. To create a roaming mandatory profile for the user, you rename the Ntuser.dat file for the user to Ntuser.man. Log On To restrictions are not configured using the IP address of the systems that the user is permitted to log on from, nor are they configured using the MAC address. The user profile file is not named Ntuser.pfl. (Discussion starts on page 195.)

DIF: Synthesis REF: Chapter 6

43. ANS: D
EXPLANATION: If you set the Account Lockout Duration policy to 0, locked accounts must be manually unlocked by the administrator. The administrator would find out when an account becomes locked because the user must ask the administrator to unlock the account. Setting the Account Lockout Threshold policy to 4 causes the account to become locked after four incorrect logon attempts. These settings would satisfy the manager’s requirements. Setting the Account Lockout Threshold policy to 0 would cause the system to lock the account after the first incorrect logon attempt. Setting the Account Lockout Duration policy to 4 would cause the lockout to be cleared after 4 minutes. The Enforce Password History policy is part of the Password Policy, not the Account Lockout Policy. (Discussion starts on page 200.)

DIF: Synthesis REF: Chapter 6

44. ANS: A
EXPLANATION: The Web Page field and the E-Mail Address field are available for edit by selecting multiple users at one time. The Csvde.exe utility is used for importing or exporting objects from the directory. It is not used for editing the properties of existing objects. The Dsmod.exe utility can be used for editing the properties of existing objects, but in this case it would almost certainly be simpler to just edit the properties of multiple objects at a time. There is no facility for user objects inheriting values from an OU. (Discussion starts on page 188.)

DIF: Synthesis REF: Chapter 6

45. ANS: B
EXPLANATION: When a service account is required, you should create a new user account for that purpose. If the account needs to impersonate a client to access computer resources on behalf of other user accounts, you must select the Account Is Trusted For Delegation check box, which is in the Account properties tab for a user account. (Discussion starts on page 181.)

DIF: Synthesis REF: Chapter 6

46. ANS: D
EXPLANATION: When you install IIS, a user account is created called IUSR_computername. This account allows anonymous users to connect to the server and access Web pages on it. There is no need, in this example, to create user accounts in Active Directory. There is no Use IIS right in the General Properties tab. (Discussion starts on page 173.)

DIF: Synthesis REF: Chapter 6

47. ANS: C
EXPLANATION: A value of 0 for the Account Lockout Duration means that a locked account must be manually unlocked by an administrator. The Reset Account Lockout Counter After value determines the “memory” of the system for incorrect passwords in a given time period. In this example, the user can enter an incorrect password twice every 15 minutes and still not lock the account. After three incorrect passwords are entered in a 15-minute period, the account is locked. Triggering the Account Lockout policy locks an account—it does not disable it. A disabled account cannot be used, even with the correct password. The policy as described allows a user three incorrect logon attempts before the account is locked. (Discussion starts on page 200.)

DIF: Synthesis REF: Chapter 6

48. ANS: A
EXPLANATION: The Manager and Department fields can be edited on multiple objects at a time. The dial-in permission must be edited on a per-user basis. Configuration by Remote Access Policy is not supported on a Windows 2000 mixed mode domain functional level. The Dsadd.exe utility is used to add objects to Active Directory, not to edit the properties of existing objects. (Discussion starts on page 177.)

DIF: Synthesis REF: Chapter 6

49. ANS: C
EXPLANATION: For a password to meet complexity requirements, it must include characters from at least three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols. In this example, the password $$r763 fulfills these requirements. The Maximum Password Age setting requires that the user change her password at least every 30 days, but the Minimum Password Age value prevents the user from changing her password any sooner than 15 days. The Enforce Password History value of 10 ensures that the user must change her password 10 times before using a previous password. (Discussion starts on page 168.)

DIF: Synthesis REF: Chapter 6

50. ANS: C
EXPLANATION: Windows Server 2003 mixed is not a domain functional level supported by Windows Server 2003. All of the other answers are domain functional levels supported by Windows Server 2003. (Discussion starts on page 212.)

DIF: Demonstration REF: Chapter 7

51. ANS: B
EXPLANATION: Power Users is not a built-in Active Directory group. Backup Operators, Account Operators, and Network Configuration Operators are all valid Active Directory groups. (Discussion starts on page 226.)

DIF: Demonstration REF: Chapter 7

52. ANS: A
EXPLANATION: When a computer is added to the domain, the Domain Admins global group is added to the local Administrators group. It is not possible to add a local group to a global group, so it is not possible to add the local Administrators group to the Domain Admins global group. When a computer is added to the domain, the Domain Admins global group is not added to the Power Users group. There is no local group called Computers. (Discussion starts on page 221.)

DIF: Demonstration REF: Chapter 7

53. ANS: B
EXPLANATION: You change group scopes in the General properties tab of the group in Active Directory Users and Computers. There is no tab in Active Directory Users and Computers called Scopes, nor is there one called Type. Scope changes are not made in the Members properties tab of Active Directory Users and Computers. (Discussion starts on page 237.)

DIF: Demonstration REF: Chapter 7

54. ANS: D
EXPLANATION: Universal groups can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests. Universal groups are available only in the Windows 2000 native and Windows Server 2003 functional levels, and universal groups can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members. (Discussion starts on page 218.)

DIF: Demonstration REF: Chapter 7

55. ANS: A
EXPLANATION: The Account Operators group does not have the right to back up files and directories. The Server Operators, Administrators, and Backup Operators groups all have the rights to back up files and directories. (Discussion starts on page 226.)

DIF: Demonstration REF: Chapter 7

56. ANS: A
EXPLANATION: Global groups can include only users from within their domain. They cannot include members from other domains in the tree, the forest, or anywhere else in the Active Directory structure. (Discussion starts on page 217.)

DIF: Demonstration REF: Chapter 7

57. ANS: C
EXPLANATION: Active Directory Domains and Trusts is used to raise the domain functional level of Active Directory. None of the other tools listed can be used for this purpose. (Discussion starts on page 212.)

DIF: Demonstration REF: Chapter 7

58. ANS: A
EXPLANATION: Windows 2000 mixed is the default domain functional level. Windows 2000 native and Windows Server 2003 interim are valid domain functional levels, but they are not the default domain functional levels. Windows Server 2003 single server is not a recognized domain functional level. (Discussion starts on page 212.)

DIF: Application REF: Chapter 7

59. ANS: B
EXPLANATION: A user who connects to the system via a Remote Desktop connection automatically becomes a member of the Interactive special identity. The user does not become part of the Dialup or Anonymous Logon special identity. Remote Users is not a recognized special identity. (Discussion starts on page 229.)

DIF: Demonstration REF: Chapter 7

60. ANS: C
EXPLANATION: The Dsadd command is used to add new groups to Active Directory. The command creates a new global group called sales.users.contoso.com, and the user Administrator is made a member of that group. The answer “The command produces an error” is incorrect. The syntax and usage of the command are valid. The answer “A universal group called sales.users.contoso.com is created, with the user Administrator as a member” is incorrect. The “-scope g” would cause a global group to be created. The answer “The user administrator is removed from the sales.users.contoso.com group, and the scope is changed to global” is incorrect. Group membership cannot be changed using the Dsadd command. (Discussion starts on page 239.)

DIF: Application REF: Chapter 7

61. ANS: B
EXPLANATION: You can convert a global group to a universal group only if the global group is not a member of any other global group. The answer “Only when the global group contains users from only one domain” is incorrect. By definition, a global group can contain only users from a single domain. The answer “There are no restrictions when converting a global group to a universal group” is incorrect. There are restrictions on converting a global group to a universal group. The answer “You cannot convert a global group to a universal group under any circumstances” is incorrect. You can convert a global group to a universal group if the global group is not a member of another global group. (Discussion starts on page 220.)

DIF: Application REF: Chapter 7

62. ANS: A
EXPLANATION: Of the groups listed, only the Administrators group and the Domain Admins group have all of the required permissions. However, the Domain Admins group also has rights that are not required by the new hire. Therefore, the best choice is to add the user to the Administrators group. The Server Operators group does not have rights to create user accounts or load and unload device drivers. The Backup Operators group does not have rights to create user accounts or load and unload device drivers. (Discussion starts on page 226.)

DIF: Application REF: Chapter 7

63. ANS: C
EXPLANATION: When a group is deleted, access control list (ACL) entries related to that group are removed. In this example, there are no other permissions assigned to the printer, so members of the Sales department can no longer print. The answer “The Sales group is removed from the ACL for the printer, but members of the Sales group can still print to the printer” is incorrect. If the group is removed and the users are not assigned permissions individually, the users cannot print. The answer “The Sales group is removed from the ACL for the printer, but the individual user accounts that were members of the Sales group are added to the ACL of the printer, thereby allowing them to print” is incorrect. When you delete a group, members of that group are not added to the ACL of any resource to which the group was assigned permissions. The answer “Any user account that is a member of the Sales group is deleted” is incorrect. Deleting a group causes only that group object to be deleted. User accounts that are a member of that group are not deleted. (Discussion starts on page 238.)

DIF: Application REF: Chapter 7

64. ANS: D
EXPLANATION: Members of the Account Operators group can create, delete, and modify user, computer, and group objects in the Users and Computers containers and in all OUs except domain controllers. Members do not have permission to modify the Administrators or Domain Admins groups, nor can they modify the accounts for members of those groups. (Discussion starts on page 226.)

DIF: Application REF: Chapter 7

65. ANS: C
EXPLANATION: Group policy objects (GPOs) can be assigned only to Active Directory domain, site, and OU objects. You cannot assign a group policy object to a group. (Discussion starts on page 211.)

DIF: Application REF: Chapter 7

66. ANS: A
EXPLANATION: When a computer is added to the domain, the Domain Guests predefined global group is automatically added to the local Guests group. The answer “The special identity Guests is added to the local Guests group” is incorrect. There is no Guests special identity. The answer “Any user accounts defined as members of the local Guests group are added to the Domain Guests group” is incorrect. When a computer is added to the domain, no changes are made to the Domain Guests group. The answer “The local Guests group is deleted” is incorrect. The local Guests group is not deleted when the computer is added to the domain. (Discussion starts on page 221.)

DIF: Application REF: Chapter 7

67. ANS: B
EXPLANATION: The correct answer is “Create a universal group, place the user accounts for the auditors in that group, and then assign the universal group permissions to all of the printers in each of the domains.” The answer “Create a global group, place the user accounts for the auditors in that group, and then assign the global group permissions to all of the printers in each of the domains” is incorrect. You cannot assign a global group permissions to resources in a domain other than the one in which it is created. The answer “Create a universal group, place the user accounts for the auditors in that group, and then place the universal group into the local printer users group on the domain controllers that host a printer” is incorrect. There is no local printer users group. The answer “Create a universal group, and place the user accounts for the auditors in that group. Create a global group, and place the auditors universal group into that global group. Finally, assign the global group permissions to the printers in each domain” is incorrect. You cannot place a universal group into a global group. (Discussion starts on page 218.)

DIF: Synthesis REF: Chapter 7

68. ANS: A
EXPLANATION: Universal groups are available only in the Windows 2000 native and Windows Server 2003 domain functional levels. They are not available in Active Directory operating at a Windows 2000 mixed domain functional level. The answer “You have more than one domain” is incorrect. The ability to create universal groups is not dependent on the number of domains in the directory, although the functionality they provide is not relevant in directory structures with only one domain. (Discussion starts on page 212.)

DIF: Synthesis REF: Chapter 7

69. ANS: C
EXPLANATION: Best practice dictates that you identify the resource to which users need access, and then create one or more domain local groups for those resources. Next you assign the permissions needed for access to the resources to the domain local group. Then you identify users with common job responsibilities and add their user objects to a global group. Finally, you make the global group a member of the appropriate domain local group. The answer “Assign each user in the Sales department access to the folder individually” is incorrect. This would not be the best way to give users from the Sales department access to the database. The answer “Create a global group called Database, and give that group the necessary permissions to the folder containing the data file. Create a domain local group called SalesData, and add the appropriate members of the Sales department to the SalesData domain local group. Add the SalesData domain local group to the Database global group” is incorrect. You cannot nest a domain local group in a global group. The answer “Create a local group called Database on the domain controller. Create a global group called SalesData, and add the appropriate members of the Sales department to the SalesData global group. Add the SalesData global group to the local group” is incorrect. You cannot create a local group on a domain controller. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

70. ANS: C
EXPLANATION: To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group. This enables you to create a single universal group that is usable throughout the enterprise, but with a membership that does not change frequently. This method is preferable to adding users and computers to the universal group directly, because every change to the universal group’s membership causes the entire membership to be replicated to the global catalog, throughout the forest. Managing the users and computers in the global groups does not affect the universal group’s membership and therefore generates no additional replication traffic. In this scenario, with slow WAN links and universal group memberships that are likely to change, this would be of particular concern. The answer “None. The suggestion is practical and valid” is incorrect. There are issues with this solution. The answer “Universal groups are not available on a Windows Server 2003 domain functional level” is incorrect. Universal groups can be created in Active Directory running at a Windows Server 2003 domain functional level. The answer “You can place global or domain local groups only in a universal group, not user accounts” is incorrect. You can place individual user accounts into a universal group, although this is not recommended. (Discussion starts on page 218.)

DIF: Synthesis REF: Chapter 7

71. ANS: C
EXPLANATION: When you use Active Directory at a Windows 2000 native domain functional level, a domain local group can contain user and computer accounts, universal groups, and global groups from any domain, as well as other domain local groups from the same domain. All of the other answers are incorrect. (Discussion starts on page 219.)

DIF: Application REF: Chapter 7

72. ANS: D
EXPLANATION: The best practice is to add users to global groups, and then add global groups to domain local groups that have been assigned the appropriate access to resources. The answers “Create user accounts to match the users listed in the distribution group, then convert the distribution group to a global group. Assign the new global group to domain local groups as needed to provide access” and “Convert the distribution group to a global group. Assign the new PR global group to the appropriate domain local group” are both incorrect. You cannot convert a distribution group to a security group, which is what a global group is. The answer “Create new user account for users from the PR department. Add the users to domain local groups as needed to provide access” is incorrect. As indicated, the best practice is to add users to a global group, and then add global groups to domain local groups to provide access to resources. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

73. ANS: A
EXPLANATION: You cannot convert groups when running Active Directory at a Windows 2000 mixed domain functional level. You can convert groups only when you are running Active Directory at a Windows 2000 native or Windows Server 2003 functional level. All of the other answers describe limitations on converting groups at either a Windows 2000 native or Windows Server 2003 domain functional level. (Discussion starts on page 220.)

DIF: Application REF: Chapter 7

74. ANS: D
EXPLANATION: Security groups can be used as distribution groups by directory-aware applications. Your manager can send messages to all users in a department just by using the security group, so special group configuration is not necessary. The answer “Copy each of the departmental groups, and then convert the new group to a distribution group” is incorrect. You cannot copy or convert groups. The answer “Create a distribution group for each department, and manually duplicate the membership of the security group for each department” is incorrect. There is no need to create distribution groups for each department. The answer “Convert the security group for each department to a distribution group” is incorrect. You cannot convert a security group to a distribution group, or vice versa. (Discussion starts on page 216.)

DIF: Synthesis REF: Chapter 7

75. ANS: B
EXPLANATION: Best practice dictates that global groups be added to domain local groups that have been assigned the appropriate access to resources, so you should create a domain local group called Plotter and place the Development global group into the Plotter domain local group. The answer “Create a domain local group called Plotter, create a global group called Plotter Users, and make the Development global group a member of the Plotter Users group” is incorrect. There is no need to create a global group called Plotter Users in this example. The answer “Create a domain local group called Plotter. Place the user accounts for the users in the Development department into that group” is incorrect. Best practice dictates that you use global groups to group people by job function, and then use these global groups in domain local groups to provide access to resources. The answer “Assign the users from the Development department access to the plotter by assigning permissions to their user accounts” is incorrect. Best practice dictates that you use groups, not individual user accounts, to provide access to resources. (Discussion starts on page 220.)

DIF: Synthesis REF: Chapter 7

76. ANS: A
EXPLANATION: At the Windows 2000 mixed domain functional level, domain local groups can contain global groups from any domain on the network. The answer “Create a universal group called SQL, and assign it to the folders containing the database data files. Create a global group in each domain called DBAs, and add the user accounts for the DBAs to the DBA group. Add the DBA group to the SQL universal group” and the answer “Create a universal group called SQLDBA, and assign it permissions to the folders containing the database data files. Make the DBAs’ user accounts members of the universal group” are incorrect. You cannot create universal groups in Active Directory running at a Windows 2000 mixed domain functional level. The answer “Create a global group in each location, and assign the global group permissions to folders containing the database data files. Add the DBAs from San Francisco to the global group in each location” is incorrect. On Active Directory running at a Windows 2000 mixed domain functional level, global groups can contain user and computer accounts only from the same domain. (Discussion starts on page 216.)

DIF: Synthesis REF: Chapter 7

77. ANS: D
EXPLANATION: Universal groups are supported only at the Windows 2000 native or Windows Server 2003 functional level. They are not supported at the Windows 2000 mixed or Windows Server 2003 interim functional level. (Discussion starts on page 219.)

DIF: Demonstration REF: Chapter 7

78. ANS: A
EXPLANATION: The Windows 2000 native domain functional level supports both Windows Server 2003 and Windows 2000 servers. It also supports universal security and distribution groups, and group nesting. The answer “Windows Server 2003” is incorrect. The Windows Server 2003 domain functional level supports domain controllers running Windows Server 2003 only. The answer “Windows Server 2003 interim” is incorrect. This domain functional level is used only when you upgrade domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers. The answer “Windows 2000 mixed” is incorrect. Although this domain functional level supports both Windows Server 2003 and Windows 2000 Server systems, it does not support universal security groups or group nesting. (Discussion starts on page 212.)

DIF: Synthesis REF: Chapter 7

SHORT ANSWER

79. ANS:
Answers may vary.
EXPLANATION: Group policies enable you to specify security settings, deploy software, and configure operating system and application behavior on a computer without ever having to touch it directly. Instead, you implement the desired configuration settings in a special Active Directory object called a group policy object (GPO) and then link the GPO to an Active Directory object containing the computers or users you want to configure. (Discussion starts on page 32.)

DIF: Application REF: Chapter 1

80. ANS:
Answers may vary.
EXPLANATION: An object is a component that represents a specific network resource. An Active Directory can contain objects representing physical resources, such as computers and printers; human resources, such as users and groups; software resources, such as applications and DNS zones; and administrative resources, such as organizational units (OUs) and sites.
Every Active Directory object consists of a set of attributes, which are pieces of information about that object. A user object, for example, contains attributes specifying the user’s account name, password, address, telephone number, and other identifying information. (Discussion starts on page 30.)

DIF: Application REF: Chapter 1

81. ANS:
Answers may vary.
EXPLANATION: The taskpad is an area of the details pane for a particular snap-in that contains links to frequently used functions from that snap-in (as shown in Figure 2-10 in the textbook chapter). To create a taskpad, you select a snap-in in the scope pane and then select New Taskpad View from the Action menu. The New Taskpad View Wizard then takes you through the process of specifying how and where you want the taskpad to appear. (Discussion starts on page 43.)

DIF: Application REF: Chapter 2

82. ANS:
Answers may vary.
EXPLANATION: The Minimum Password Age policy allows you to specify the minimum number of days a user must wait before changing her password. This prevents a user from reverting to an old password too quickly, although the Enforce Password History setting must be set to a value greater than zero for the Minimum Password Age policy to be effective. (Discussion starts on page 169.)

DIF: Demonstration REF: Chapter 6

83. ANS:
Answers may vary.
EXPLANATION: The Apply Static Routes check box allows you to specify routes accessible to the user from the dial-in connection. You can thus determine which areas of the network are available to the user if he connects over a dial-in or VPN connection, and what areas of the network will be inaccessible to him. (Discussion starts on page 186.)

DIF: Application REF: Chapter 6

84. ANS:
Answers may vary.
EXPLANATION: A domain user account consists of a logon name and a password, as well as a unique security identifier (SID). During logon, Active Directory authenticates the username and password entered by the user. The security subsystem then builds a security access token that represents that user. The access token contains the user account’s SID, as well as the SIDs of groups to which the user belongs. That token is used to verify user rights assignments, including the right to log on locally to the system, and to authorize access to resources secured by access control lists (ACLs). (Discussion starts on page 167.)

DIF: Application REF: Chapter 6

85. ANS:
Answers may vary.
EXPLANATION: You can disable an existing user account in one of three ways: 1. Right-click the account and select Disable Account; 2. Select the account, and select Disable Account from the Action menu; or 3. On the Account page of the user’s properties, select the Account Is Disabled option in the Account Options area of the tab. (Discussion starts on page 172.)

DIF: Application REF: Chapter 6

86. ANS:
Answers may vary.
EXPLANATION: Determine what network location you will use to store the roaming profiles. Create a folder to hold the profiles, and then create a share on that system so it can be accessed via the network. From the Profile page of the user account properties, configure the Profile Path field to point to the share that you created to hold the profiles. Log on as the user, and make any necessary changes to the profile. Then locate the Ntuser.dat file for that user account and rename it to Ntuser.man. (Discussion starts on page 195.)

DIF: Synthesis REF: Chapter 6

87. ANS:
Answers may vary.
EXPLANATION: The new user cannot access the resources because the manager has been assigned permissions to those resources as an individual user rather than as a member of the Sales group. When a user account is copied, group memberships are copied but permission assignments made to the template account on an individual basis are not copied. The best way to resolve the issue is to determine what resources the user is trying to access but cannot, and then assign permissions to those resources on an individual basis. (Discussion starts on page 190.)

DIF: Synthesis REF: Chapter 6

88. ANS:
Answers may vary.
EXPLANATION: Security groups are used to assign access permissions for network resources. Programs that are designed to work with Active Directory can also use security groups for nonsecurity-related purposes, such as retrieving user information for use in a Web application. (Discussion starts on page 216.)

DIF: Application REF: Chapter 7

89. ANS:
Answers may vary.
EXPLANATION: The Enterprise Admins group appears only in the forest root domain, which is the first domain created in the forest. Its members have full administrative control over all domains in the forest. By default, the Enterprise Admins group is a member of the Administrators domain local group, and the domain Administrator user object is a member of Enterprise Admins. (Discussion starts on page 224.)

DIF: Application REF: Chapter 7

90. ANS:
Answers may vary.
EXPLANATION: Distribution groups are intended for use by applications as lists for nonsecurity-related functions. You use distribution groups when the only function of the group is not security-related, such as sending e-mail messages to a group of users at the same time. You cannot use distribution groups to assign rights and permissions. Only applications that are designed to work with Active Directory can use distribution groups. For example, Microsoft Exchange uses distribution groups as mailing lists for sending e-mail messages. (Discussion starts on page 216.)

DIF: Application REF: Chapter 7
