Answers to Exam Cram Questions
- B. Ideally, Jon will simplify the domain structure and utilize OUs to give himself the benefit of delegated administration that wasn't available in Windows NT 4 (which forced the use of multiple domains). Answer A is incorrect because a new deployment is a perfect time to analyze existing structure and make changes that will be beneficial. Windows NT 4 had limitations that forced the organization into a multidomain environment, but these limitations aren't present in Windows Server 2003. Answer C is incorrect because this is the Windows NT way of structuring things. Answer D is incorrect because although using OUs is desirable, maintaining the four domains adds an unnecessary administrative burden.
- A, C, D. By using OUs, you can simplify your domain structure because you can effectively delegate administrative permissions at the OU level without granting them at the domain level. As a result, you can also apply permissions and policies through Group Policy only to specific OUs without this affecting other OUs or the rest of the domain. Answer B is incorrect because the use of OUs has no impact on logon times.
- B, C, E. Using OUs allows you to effectively limit the scope of administrative privileges, so you would create a QA OU and delegate the ability to create and manage accounts as well as the ability to reset passwords and force password changes. You would create a security group and delegate permissions to it rather than to individual user accounts. Answer A is incorrect because delegating these permissions at the domain level gives too much access. Answer D is incorrect because the scenario only calls for the QA group to manage their test user accounts and lab machines, not their regular domain accounts. Again, they would have too much administrative control if you moved their regular accounts under their control.
- B, C, D. As the number of domains in your organization increases, so does the number of trust relationships that have to be managed between domains and potentially between forests. The more complex the trust relationship structure, the more likely it is that one domain will be able to connect to another domain that it shouldn't have access to. Also, the use of domains often requires a duplication of administrative effort to configure policies and settings, making it less efficient than using OUs within a smaller number of domains. Group Policies are easier to manage with OUs because you can easily apply different policies to different OUs without this affecting other OUs or the domain. To create domains for every business unit that needs separate permissions or needs to administer itself would be an administrative headache. Answer A is incorrect because access to resources is a permissions issue, and permissions can be granted and managed across domains. From an end-user standpoint, it is no easier or harder to access resources from one domain to another if trusts are in place.
- A, B, C, D. OUs can be used to delegate permissions to tighten control over an OU as well as to grant limited rights to an expanded set of users. In this situation, it makes more sense to create an OU to hold the admin-level accounts and delegate authority over it to the two "super admins" than to move 500 or so user accounts and groups to another OU. As a result, answer C is better than answer D because it would involve less administrative effort.
- B. By default, the Enterprise Admins and Domain Admins groups will have administrative rights over any OU that is created in the domain. In this case, another network administrator, who is a member of Domain Admins but not Enterprise Admins, is able to perform account-management tasks on the OU. By removing Domain Admins, Louise will ensure that only Enterprise Admins and HR Admins can perform these tasks. As a result, answer D is incorrect because the scenario states that Enterprise Admins should have rights to the OU. Answer A is incorrect because it isn't necessarily the domain administrator account being used; rather, any member of Domain Admins would currently have administrative rights to the OU. Answer C is incorrect because using an OU is a better choice than using a domain, which is unnecessary to accomplish the goal of the scenario.
- A, C. Active Directory Users and Computers supports dragging and dropping objects from one container to another in Windows Server 2003. Bill could also select all the objects he wants to move (he could do this one at a time as well, but it's less efficient), right-click and choose Move from the context menu, and then select the destination OU when prompted. Answer B is incorrect because this isn't a permissions issue. The console simply doesn't support the method Bill is trying to use. Answer D is incorrect because there is no option to populate an OU during the process of creating it.
- C. Permissions, by default, propagate downward, but they do not propagate upward. As a result, the HR administrators would have administrative permissions to the HR Admins OU, but not to the HR OU. By default, if Holly had delegated control of the HR OU, the HR administrators would also have permissions to the HR Admins OU. Answer A is incorrect because it doesn't matter where the physical accounts are located. Answer B is incorrect because Jeff would not need to log off and on before being able to administer the OU he was delegated control of. Answer D is true in the sense that it is better to apply permissions to groups rather than individual user accounts, but it is incorrect in that there is no requirement to delegate control to a security group.
- B. OUs are a means of organizing Active Directory objects, such as user accounts, for the purpose of delegating administrative control or applying differing policies. The user login process is irrelevant to the use of OUs because users will log in to the domain and access resources that they have been given permission to through security groups. In that respect it is no different from what users currently do. Answer A is incorrect because users don't log on to OUs. Answer C is incorrect because domain resources are still subject to permissions granted to security groups and individual accounts. Answer D is incorrect because OUs are not entities like domains that have trusts between them. An OU in and of itself is simply a container of Active Directory objects, and membership in an OU doesn't by itself grant any type of access to network resources.
- A, B. To make the required changes to the permissions currently granted, it would be best to edit the properties of the OU and go to the Security tab. From there Robert could review the currently assigned permissions and configure new ones as necessary. Answer B would technically work because the changes made by the wizard are cumulative, but it might not be the best answer because when Robert reruns the Delegation of Control Wizard he would be unable to see what security groups and users currently have any privileges on the OU. Furthermore, he couldn't see what permissions had been granted. As a result, it would be difficult to know what permissions he had already granted and which he still needed to grant; that can be determined only through the Security tab of the object's properties. Answer C is incorrect because the security is set on the object itself (in this case, the Developers OU), not on the security group. Answer D is incorrect because there is no need to remove and re-create the Developer Admins security group; in fact, this would likely cause more problems than it would solve because the SID associated with the security group would be lost in the process.