Home > Articles > Microsoft > MCTS

MCTS 70-640 Exam Cram: Group Policy and Active Directory Security

Sep 30, 2008

📄 Contents

␡

Use of Group Policy to Configure Security
Auditing of Active Directory Services
Exam Cram Questions

⎙ Print

< Back Page 3 of 3

This chapter is from the book 

MCTS 70-640 Exam Cram: Windows Server 2008 Active Directory, Configuring

Learn More Buy

Exam Cram Questions

Evan is responsible for configuring Group Policy in his company’s domain. The domain functional level is set to Windows Server 2003. Evan’s manager has requested that he implement an account policy that specifies that all user accounts will be locked out if an incorrect password is entered five times within a one-quarter hour period. The account is to remain locked out until a support technician unlocks it.

How should Evan configure the account policy? (Each correct answer represents part of the solution. Choose three answers.)

	A.	Set the account lockout threshold to 0.
	B.	Set the account lockout threshold to 1.
	C.	Set the account lockout threshold to 4.
	D.	Set the account lockout duration to 0.
	E.	Set the account lockout duration to 1.
	F.	Set the reset account lockout counter value to 0.25.
	G.	Set the reset lockout counter to 15.
	H.	Set the reset lockout counter to 900.

Laura is the systems administrator for a company that operates an AD DS domain. The domain and forest functional level are set to Windows Server 2008. She has configured a password policy for users in her company’s domain that specifies that passwords must be at least seven characters long. The CIO has informed her that users in the legal department should have highly secure passwords. She configures a password policy in a GPO linked to the Legal OU that specifies that passwords be at least 12 characters long.

A few days later, she receives a call from the CIO asking her why she has not yet implemented the stricter password policy. What must Laura do to implement the policy with the least amount of administrative effort?

	A.	She needs to create a global security group, add the required users to this group, and ensure that the group has the Allow–Apply Group Policy permission applied to it.
	B.	She needs to create a new domain, place the legal users and their computers in this domain, and then reapply the password policy to this domain.
	C.	She needs to create a password settings object containing the required password settings and apply this object to the Legal OU.
	D.	She needs to create a global security group and add the required users to this group. She then needs to create a password settings object containing the required password settings and apply this object to the group containing these users.

You are excited about the new capability of configuring fine-grained password policies and want to try it out. To which of the following groups should your user account belong so that you can configure a fine-grained password policy?

	A.	Account Operators
	B.	Domain Admins
	C.	Enterprise Admins
	D.	Schema Admins

Dennis is responsible for configuring security settings on a Windows Server 2008 computer. This computer runs specialized software and is configured as a standalone server that is not a member of his company’s AD DS domain. He needs to configure security settings that are similar to those applied to member servers in the domain.

What should Dennis do to accomplish this task with the least amount of administrative effort?

	A.	He should use the Security Templates snap-in to create a security database of the settings on a member server. He should then use the Security Configuration and Analysis snap-in to configure the standalone server with the settings contained in the database.
	B.	He should use the Security Configuration and Analysis snap-in to analyze the security settings on the member server and then use this snap-in to configure the standalone server with the settings contained in the database.
	C.	He should use the Security Templates snap-in to configure the security settings on the standalone server with settings contained in the `Securews.inf` security template.
	D.	He should copy the settings on the member server and configure these settings manually on the standalone server.

You are the administrator of a company that operates an AD DS network that contains two domains. Both domains operate at the Windows Server 2003 domain and forest functional levels. You have installed a new Windows Server 2008 computer and promoted this server to be an additional domain controller in your domain.

Having heard about the new capability of configuring fine-grained password policies, you decide to give it a try and configure a PSO that specifies a minimum of 10 characters. You then associate this PSO with your user account and attempt to change your password to a new one that is 8 characters long.

When this attempt succeeds, you wonder why the new PSO was not applied to your account. Which of the following is the reason you were able to specify an 8-character password?

	A.	You need to associate the PSO with a global security group to which your user account belongs before it is applied.
	B.	You need to associate the PSO with an OU to which your user account belongs before it is applied.
	C.	You need to upgrade all domain controllers in the domain to Windows Server 2008 and set the domain functional level to Windows Server 2008 before the PSO is effective.
	D.	You need to upgrade all domain controllers in both domains of the forest to Windows Server 2008 and set the domain and forest functional levels to Windows Server 2008 before the PSO is effective.

Ruth is the administrator of an AD DS network that operates at the Windows Server 2008 domain and forest functional level. Her manager has asked her to implement success and failure auditing of directory service changes on the domain controller. The manager does not want success auditing of directory service access to be implemented because problems have occurred with events being overwritten in security logs before Ruth has had time to check them.

Which of the following tools should Ruth use to configure auditing as requested?

	A.	`Auditpol.exe`
	B.	`ADSIEdit.exe`
	C.	`Ntdsutil.exe`
	D.	Group Policy Management Editor

Barry is the network administrator for Examcram.com, which operates an AD DS network. The network includes servers running Windows Server 2003 and Windows Server 2008 and client computers running Windows XP Professional and Windows Vista Business. His manager has requested that he implement auditing of the following:

Attempts to log on to any local computer
Creation of a user account or group or changing of a user account password

What auditing components should Barry configure? (Each correct answer represents part of the solution. Choose two answers.)

	A.	Audit account management, success
	B.	Audit account logon events, success and failure
	C.	Audit object access, success
	D.	Audit logon events, success and failure

Veronica is responsible for configuring Group Policy on her company’s AD DS network. She has deployed a new software package to all computers in the Financial OU. Users in this OU report that their computers are restarting spontaneously at frequent intervals.

Veronica wants to enable an auditing policy in a GPO in an attempt to troubleshoot this problem. Which type of events should she audit?

	A.	Logon events
	B.	Process tracking events
	C.	System events
	D.	Privilege use events
	E.	Policy change events

Answers to Exam Cram Questions

C, D, G. Evan should specify an account lockout threshold of 4 passwords, and account lockout duration of 0, and a reset account lockout counter value of 15 minutes. The account lockout threshold specifies the number of incorrect passwords that can be entered before the account locks out. It can be set from 0 to 999, and a value of 0 means that the account never locks out. The account lockout duration can be set from 0 to 99,999 minutes, and a value of 0 means that the account remains locked out until unlocked by an administrator or individual who has been delegated this responsibility. The reset account lockout counter value specifies the number of minutes to wait until the lockout counter resets itself to 0. It can be set to any value between 0 and 99999; a value of 0 means that this counter is never reset. If Evan set an account lockout threshold to 0, the accounts would never lock out, and if he set it to 1, the accounts would lock out after one incorrect password, so answers A and B are incorrect. If Evan set the account lockout duration to 1, the accounts would lock out for one minute only, so answer E is incorrect. If he set the reset account lockout counter value to 0, the account lockout counter would never reset, so answer F is incorrect. If he set the reset account lockout counter to 900, the counter would not reset until 15 hours had elapsed. (The value of this counter is specified in minutes, not seconds.) Therefore, answer H is incorrect.
D. Laura needs to create a global security group and add the required users to this group. She then needs to create a password settings object containing the required password settings and apply this object to the group containing these users. The new fine-grained password policy in Windows Server 2008 enables her to create a password policy that applies only to specified users or groups. Laura cannot link a GPO to a group, so answer A is incorrect. Laura could create a new domain and apply the policy in this manner. This was the method she would have needed to do before Windows Server 2008; however, application of a fine-grained password policy takes far less administrative effort and expense, so answer B is incorrect. It is not possible to apply a fine-grained password policy to an OU, so answer C is incorrect.
B. Your user account must belong to the Domain Admins global group before you can create a fine-grained password policy. Membership in the Account Operators group is insufficient, so answer A is incorrect. Membership in either the Enterprise Admins or Schema Admins group is not required for creating a fine-grained password policy, so answers C and D are incorrect.
A. Dennis should use the Security Templates snap-in to create a security database of the settings on a member server. He should then use the Security Configuration and Analysis snap-in to configure the standalone server with the settings contained in the database. This procedure copies the security settings that he has already configured to the standalone server; he can subsequently configure any additional settings that might be needed manually. The Security Configuration and Analysis snap-in does not create a database of settings, it compares existing settings to those in the database and configures the server to these settings; therefore, answer B is incorrect. The Securews.inf security template was used in Windows 2000 and Windows Server 2003 to configure security settings on member servers and workstations. It is no longer available in Windows Server 2008, so answer C is incorrect. Dennis could manually configure settings, but this would take far more administrative effort, so answer D is incorrect.
C. To have a PSO apply properly, the domain functional level must be at the Windows Server 2008 functional level. To achieve this functional level, you must upgrade all domain controllers to Windows Server 2008. You can associate a PSO with a user account, so answer A is incorrect. It is not possible to associate a PSO with an OU, so answer B is incorrect. It is not necessary to upgrade other domains in the forest to Windows Server 2008 if no PSO is being applied in these domains, so answer D is incorrect.
A. Ruth should use the Auditpol.exe command-line tool to configure auditing of directory service changes. This is a new auditing category that is included in the Directory Service Access category but must be configured from Auditpol.exe to be implemented on its own. Ruth would use ADSIEdit.exe to perform low-level editing of AD DS objects, including the implementation of fine-grained password policies. She would use Ntdsutil.exe to perform several AD DS management actions, including the seizure of operations masters roles. Neither of these tools can be used to configure auditing, so answers B and C are incorrect. Ruth could implement auditing of the Directory Service Access category from the Group Policy Management Console, but this would not fulfill the requirements of this scenario, so answer D is incorrect.
A, D. The audit account management event includes creation, modification, or deletion of user accounts or groups, renaming or disabling of user accounts, or configuring and changing of passwords; and the audit logon events tracks logons at local computers. Audit account logon events are logon and logoff activity at member servers and client computers, so answer B is incorrect. Audit object access tracks when a user accesses an object such as a file, folder, Registry key, or printer that has its own SACL specified, so answer C is incorrect.
C. Veronica should implement success auditing of system events to identify the cause of the problems that are being experienced. This tracks actions taking place on a computer, such as improper shutdowns or restarts. Logon events track logon and logoff activity at member servers and client computers, but they do not track the causes of improper shutdowns as experienced here, so answer A is incorrect. Process tracking events track actions performed by an application, but not improper shutdowns, so answer B is incorrect. Privilege use events track the use of system rights, so answer D is incorrect. Policy change events track the modification of policies including user rights assignment, trust, and audit policies. This also is not required here, so answer E is incorrect.

< Back Page 3 of 3

🔖 Save To Your Account

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address