1.
Which of the following are required to create a domain controller successfully?
(Choose all that apply.)
chapter 1 lesson 1
Correct Answer(s)
A. A valid DNS domain name
B. A valid NetBIOS name
Explanation
A. Correct: A domain controller will create or join an Active Directory domain, which must have a valid DNS name.
B. Correct: A domain must have a NetBIOS name to support earlier applications that use NetBIOS names.
C. Incorrect: A DHCP server is not necessary. In fact, a domain controller should have statically assigned IP addresses.
D. Incorrect: Although a DNS server is required for the functionality of a domain, if a DNS server does not exist, the Active Directory Installation
2.
You are logged on as Administrator to SERVER02, one of four domain controllers in the contoso.com domain that run Server Core. You want to demote the domain controller. Which of the following is required?
chapter 1 lesson 2
Correct Answer
A. The local Administrator password
Explanation
A. Correct: A password is required so that it can be assigned to the local Administrator account on the server after AD DS is removed.
B. Incorrect: SERVER02 is currently a domain controller, and you are logged on as Administrator. Therefore, you already have the credentials required to perform the demotion operation.
C. Incorrect: SERVER02 is currently a domain controller, and you are logged on as Administrator. Therefore, you already have the credentials required to perform the demotion operation. The Domain Controllers group contains computer accounts for domain controllers.
3.
SERVER02 is running Server Core. It is already configured with the AD DS role. You want to add Active Directory Certificate Services (AD CS) to the server. What must you do?
chapter 1 lesson 2
Correct Answer
D. Reinstall the server as Windows Server 2008 (Full Installation).
Explanation
A. Incorrect: AD CS is not supported on Server Core.
B. Incorrect: AD FS is not supported on Server Core.
C. Incorrect: AD RMS is not supported on Server Core.
D. Correct: AD CS is not supported on Server Core, so you must reinstall the server with the full installation of Windows Server 2008.
4.
You are a support professional for Contoso, Ltd. The domain’s administrators have distributed a custom console with the Active Directory Users and Computers snap-in. When you open the console and attempt to reset a user’s password, you receive Access Denied errors. You are certain that you have been delegated permission to reset passwords for users. What is the best solution?
Correct Answer
C. Close the custom console, and then right-click the console and choose Run As Administrator. Type the credentials for your secondary administrative account.
Explanation
A. Incorrect: The Active Directory snap-in in Server Manager, if launched, will be run with the same credentials as the custom console. An Access Denied error will continue to occur.
B. Incorrect: Although dsa.msc is a shortcut to opening the Active Directory Users And Computers console, it will be run with the same credentials as the custom console. An Access Denied error will continue to occur.
C. Correct: An Access Denied error indicates that your credentials are not sufficient to perform the requested action. The question indicates that you are certain that you have permission. The answer introduces the assumption that you have a secondary account. Even though that account is not the Administrator, it is administrative. This is the best answer to the question.
D. Incorrect: DSMOD USER with the –p switch can be used to reset a user’s password; however, the question is targeting the Access Denied error. There is no suggestion that the command prompt was launched with different credentials; therefore, you will continue to receive Access Denied errors.
5.
You have opened a command prompt, using Run As Administrator, with credentials in the Domain Admins group. You use the Dsrm command to remove an OU that had been created accidentally by James, a member of the Administrators group of the domain. You receive the response: Dsrm Failed: Access Is Denied. What is the cause of the error?
chapter 2 lesson 2
Correct Answer
D. The OU is protected from deletion.
Explanation
A. Incorrect: An Active Directory task, whether performed using command-line commands, scripts, or remote server administration tools, can be performed by any user who has been delegated permission to the task.
B. Incorrect: Domain Admins are members of the Administrators group in the domain, so any permissions assigned to Administrators would also be assigned to you as a member of the Domain Admins group.
C. Incorrect: The ability to delete an OU or any object in Active Directory is related to permissions, not to ownership.
D. Correct: New organizational units are created with protection from deletion. You must remove the protection before deleting the OU. Protection can be removed using the Active Directory Users And Computers snap-in, with Advanced Features view, on the Object tab of an OU’s properties dialog box.
6.
You want to enable your help desk to reset user passwords and unlock user accounts. Which of the following tools can be used? (Choose all that apply.)
chapter 2 lesson 3
Correct Answer(s)
A. The Delegation of Control Wizard
B. DSACLS
D. The Advanced Security Settings dialog box
Explanation
A. Correct: Assigning an administrative task requires modifying the DACL of an object such as an OU. The Advanced Security Settings dialog box provides the most direct access to the permissions in the DACL. The Delegation of Control Wizard masks the complexities of object ACEs by stepping you through the assignment of permissions to groups. DSACLS can be used to manage Active Directory permissions from the command prompt.
B. Correct: Assigning an administrative task requires modifying the DACL of an object such as an OU. The Advanced Security Settings dialog box provides the most direct access to the permissions in the DACL. The Delegation of Control Wizard masks the complexities of object ACEs by stepping you through the assignment of permissions to groups. DSACLS can be used to manage Active Directory permissions from the command prompt.
C. Incorrect: DSUTIL is used to manage the domain and directory service properties but is not used to manage object permissions.
D. Correct: Assigning an administrative task requires modifying the DACL of an object such as an OU. The Advanced Security Settings dialog box provides the most direct access to the permissions in the DACL. The Delegation of Control Wizard masks the complexities of object ACEs by stepping you through the assignment of permissions to groups. DSACLS can be used to manage Active Directory permissions from the command prompt.
7.
You are an administrator at a large university, and you have just been sent an Excel file containing information about 2,000 students who will enter the school in two weeks. You want to create user accounts for the new students with as little effort as possible. Which of the following tasks should you perform?
chapter 3 lesson 1
Correct Answer
C. Use CSVDE -i.
Explanation
A. Incorrect: Although a user account template will enable you to copy several dozen attributes of it to a new user account, you would have to copy the template 2,000 times to complete this task.
B. Incorrect: The LDIFDE command imports objects from LDIF files, which are not the format natively managed by Microsoft Office Excel.
C. Correct: The CSVDE command imports objects from comma-delimited text files. Excel can open, edit, and save these files.
D. Incorrect: The Dsadd command enables you to create a user from the command line, but you would need to run the command 2,000 times to complete your task.
8.
You are an administrator at a large university. Which command can be used to delete user accounts for students who graduated?
chapter 3 lesson 1
Correct Answer
A. LDIFDE
Explanation
A. Correct: LDIFDE supports adding, modifying, or deleting Active Directory objects.
B. Incorrect: Dsmod modifies properties of an existing object.
C. Incorrect: DEL is a command that erases a file.
D. Incorrect: CSVDE can import users but cannot delete them.
9.
You want to create a user object with Windows PowerShell. Which of the following must you do?
chapter 3 lesson 2
Correct Answer
C. Invoke the Create method of an OU.
Explanation
A. Incorrect: There is no native cmdlet in Windows PowerShell for creating users.
B. Incorrect: ADSI does not provide a NewUser method.
C. Correct: A container, such as an OU or domain, provides a Create method to create objects of a specified class.
D. Incorrect: This is VBScript syntax, recognizable by its use of the Set statement.
10.
You want to create a user object with a single command. Which of the following should you do?
chapter 3 lesson 2
Correct Answer
D. Use the Dsadd command.
Explanation
A. Incorrect: There is no native cmdlet in Windows PowerShell for creating users.
B. Incorrect: The SetInfo method commits a new user and its properties to Active Directory, but it must be used in conjunction with commands that create the object and its attributes. It cannot be used as a single command.
C. Incorrect: A container, such as an OU or domain, provides a Create method to create objects of a specified class, but until the SetInfo method is used, the object is not saved to Active Directory. Therefore, Create is not sufficient as a single command.
D. Correct: The Dsadd command can create a user with a single command.
11.
Which of the following lines of Windows PowerShell code are necessary to create a user object in the People OU?
(Choose all that apply. Each correct answer is a part of the solution.)
chapter 3 lesson 2
Correct Answer(s)
A. $objUser=$objOU.Create("user","CN=Jeff Ford")
B. $objUser.SetInfo()
D. $objOU=[ADSI]"LDAP://OU=People,DC=contoso,DC=com"
Explanation
A. Correct: An object is created by invoking the Create method of a container such as an OU.
B. Correct: The SetInfo method commits a new user and its properties to Active Directory. If the SetInfo method is not used, the new object and changes to its properties occur in your local representation of the object only.
C. Incorrect: This code is invalid. It is similar to code that would be used in VBScript, though not in the creation of user objects.
D. Correct: You must connect to the container in which the user will be created.
12.
You want to set the Office property of ten users in two different OUs. The users currently have the Office property configured as Miammi. You recently discovered the typographic error and want to change it to Miami. What can you do to make the change? (Choose all that apply.)
chapter 3 lesson 3
Correct Answer
C. Use Dsquery and Dsmod.
Explanation
A. Incorrect: You can use the Ctrl key to multiselect users, but they must be in a single OU. The ten users in this scenario are in different OUs.
B. Incorrect: Dsmod will enable you to change the Office property, but Dsget will not locate the objects. Dsget is used to display attributes, not locate objects.
C. Correct: You can use the Dsquery command to identify users whose Office property is set to Miammi and pipe the results to the Dsmod command to change the Office property.
D. Incorrect: These cmdlets are not used with Active Directory objects.
13.
You want to move a user from the Paris OU to the Moscow OU. Which tools can you use? (Choose all that apply.)
chapter 3 lesson 3
Correct Answer(s)
B. The MoveHere method of the Moscow OU
C. Dsmove
Explanation
A. Incorrect: Move-Item is a valid Windows PowerShell cmdlet that moves objects in a namespace, but Windows PowerShell does not yet expose Active Directory as a namespace.
B. Correct: VBScript uses the MoveHere method of a container to move a user to the container.
C. Correct: You can use the Dsmove command to move an object in Active Directory.
D. Incorrect: The Redirusr.exe command is used to configure Active Directory so that new user objects created without specifying an OU will go to a container other than the default Users container.
E. Incorrect: The Active Directory Migration Tool is used to migrate accounts between domains.
14.
A user reports that she is receiving a logon message that states, "Your account is configured to prevent you from using the computer. Please try another computer." What should you do to enable her to log on to the computer?
chapter 3 lesson 3
Correct Answer
A. Click the Log On To button on the Account tab of her user account.
Explanation
A. Correct: Computer restrictions limit the computers that a user can log on to. On the Account tab of her user account, you can click the Log On To button and add the computer by name to the list of allowed workstations.
B. Incorrect: When a computer account is created, you can control who is allowed to join the computer to the domain with this button, but it has nothing to do with who can log on to the computer after it is a domain member.
C. Incorrect: Dsmove is used to move an object in Active Directory.
D. Incorrect: Although the user right to log on locally is required, the error message that she reports is not the message that would be received if she did not have the right to log on locally.
15.
A new project requires that users in your domain and in the domain of a partner organization have access to a shared folder on your file server. Which type of group should you create to manage the access to the shared folder?
Chapter 4 lesson 1
Correct Answer
B. Domain local security group
Explanation
A. Incorrect: Universal security groups cannot contain users or groups from trusted external domains. They can contain users, global groups, and other universal groups from any domain in the forest.
B. Correct: Domain local security groups can contain members from trusted external domains.
C. Incorrect: Global security groups cannot contain users or groups from trusted external domains. They can contain users and other global groups from the same domain only.
D. Incorrect: Distribution groups cannot be assigned permissions to resources.
16.
Your domain includes a global distribution group named Company Update. It has been used to send company news by e-mail to its members. You have decided to allow all members to contribute to the newsletter by creating a shared folder on a file server. What must you do to allow group members access to the shared folder?
Chapter 4 lesson 1
Correct Answer
D. Use Dsmod with the –secgrp yes switch.
Explanation
A. Incorrect: The group is a distribution group, which cannot be assigned permission. Changing the scope will not address that limitation.
B. Incorrect: The group is a distribution group, which cannot be assigned permission. Changing the scope will not address that limitation.
C. Incorrect: The group is a distribution group. Adding it to the Domain Users group will not enable its members to access the shared folder.
D. Correct: The –secgrp yes switch will change the group type to a security group, after which you can add it to the ACL of the shared folder.
17.
You have created a global security group in the contoso.com domain named Corporate Managers. Which members can be added to the group?
(Choose all that apply.)
Chapter 4 lesson 1
Correct Answer(s)
B. Linda Mitchell, a user in the tailspintoys.com domain, a domain in the contoso.com forest
C. Jeff Ford, a user in the fabrikam.com domain, a trusted domain of a partner company
D. Mike Danseglio, a user in the contoso.com domain
E. Sales Executives, a global group in the contoso.com domain
Explanation
A. Incorrect: Global groups cannot contain global groups from other domains.
B. Correct: Global groups can contain users in the same forest.
C. Correct: Global groups can contain users in trusted domains.
D. Correct: Global groups can contain users in the same domain.
E. Correct: Global groups can contain global groups in the same domain.
18.
Which of the following can be used to remove members from a group?
(Choose all that apply.)
Chapter 4 lesson 2
Correct Answer(s)
B. Dsrm
C. Dsmod
D. LDIFDE
Explanation
A. Incorrect: The Remove-Item cmdlet in Windows PowerShell cannot be used to remove members of a group because groups are not exposed in a namespace.
B. Correct: Dsrm is used to delete a group.
C. Correct: Dsmod with the –remmbr option can remove members from a group.
D. Correct: LDIFDE with a change type of modify and a delete:member operation can remove members from a group.
E. Incorrect: CSVDE can import new groups. It cannot modify existing groups.
19.
You are using Dsmod to add a domain local group named GroupA to a global group named GroupB. You are receiving errors. Which command will solve the problem so that you can then add GroupA to GroupB?
(Choose all that apply.)
Chapter 4 lesson 2
Correct Answer
B. Dsmod.exe
Explanation
A. Incorrect: Dsrm deletes a group. Deleting a group will not solve the problem.
B. Correct: You can use Dsmod with the –scope switch to change the scope of GroupA to a universal group, then to a global group. You will then be able to add GroupA to GroupB. This is a tricky question. Sometimes questions are not quite what they appear to be about on the surface. This question was not about using commands or even about adding one group to another—it was about group scope.
C. Incorrect: Dsquery searches Active Directory for objects. It cannot make a change, so it will not solve the problem.
D. Incorrect: Dsget retrieves an attribute of an object. It cannot make a change, so it will not solve the problem.
20.
Your management has asked you to produce a list of all users who belong to the Special Project group, including those users belonging to groups nested into Special Project. Which of the following can you use?
Chapter 4 lesson 2
Correct Answer
D. Dsget.exe
Explanation
A. Incorrect: Get-Members is a Windows PowerShell cmdlet that gets the members of a programmatic object, not of a group.
B. Incorrect: Dsquery queries Active Directory for objects matching a search filter. It does not list group membership.
C. Incorrect: LDIFDE can be used to export a group and thereby its members, but only direct members.
D. Correct: Dsget can return an attribute of an object, including the member attribute of group objects. With the expand option, Dsget can return the full membership of a group.
21.
Your company is conducting a meeting for a special project. The data is particularly confidential. The team is meeting in a conference room, and you have configured a folder on the conference room computer that grants permission to the team members. You want to ensure that team members access the data only while logged on to the computer in the conference room, not from other computers in the enterprise. What must you do?
Chapter 4 lesson 3
Correct Answer
D. Assign the Deny Full Control permission to the Network group.
Explanation
A. Incorrect: The team members already have permission. This permission will not prevent them from accessing the folder from other computers.
B. Incorrect: The team members already have permission. This permission will not prevent them from accessing the folder from other computers.
C. Incorrect: This permission will not prevent users from accessing the folder from other computers.
D. Correct: A Deny permission overrides Allow permissions. If a team member attempts to connect to the folder from another computer, he or she will be a member of the Network special identity group and will be denied access. If the same team member logs on locally to the conference room computer, he will be a member of Interactive and not Network, so the permissions assigned to him as a member of the team will allow access.
22.
You want to allow a user named Mike Danseglio to add and remove users from a group called Special Project. Where can you configure this permission?
Chapter 4 lesson 3
Correct Answer
D. The Managed By tab of the group
Explanation
A. Incorrect: The Members tab of the group enables you to add and remove members but not to delegate the administration of membership.
B. Incorrect: The Security tab of Mike Danseglio’s user object determines who is delegated the ability to perform tasks on his object, not what Mike is able to do.
C. Incorrect: The Member Of tab of Mike Danseglio’s user object determines the groups to which Mike belongs, not the groups to which Mike has been delegated control.
D. Correct: The Managed By tab of a group enables you to specify
23.
Which of the following groups can shut down a domain controller?
(Choose all that apply.)
Chapter 4 lesson 3
Correct Answer(s)
B. Print Operators
C. Backup Operators
D. Server Operators
Explanation
A. Incorrect: Account Operators does not have the right to shut down a domain controller.
B. Correct: Print Operators has the right to shut down a domain controller.
C. Correct: Backup Operators has the right to shut down a domain controller.
D. Correct: Server Operators has the right to shut down a domain controller.
E. Incorrect: The Interactive special identity group does not have the right to shut down a domain controller.
24.
You want to require all new computer accounts created when computers join the domain to be placed in the Clients OU. Which command should you use?
Chapter 5 lesson 1
Correct Answer
D. Redircmp
Explanation
A. Incorrect: Dsmove is a command-line utility that moves existing objects in Active Directory. It does not control the default location for new objects.
B. Incorrect: Move-Item is a Windows PowerShell cmdlet that moves existing objects in a namespace.
C. Incorrect: Netdom is a command-line utility that enables you to join a domain, rename a computer, and perform other computer-related activities, but it does not control the default location for new computers.
D. Correct: Redircmp is a command-line utility that redirects the default computer container to an alternate OU.
25.
You want to prevent nonadministrative users from joining computers to the domain. What should you do?
Chapter 5 lesson 1
Correct Answer
A. Set ms-DS-MachineAccountQuota to zero.
Explanation
A. Correct: The ms-DS-MachineAccountQuota attribute of the domain by default allows all authenticated users the ability to join ten computers to the domain. This quota is checked when a user is joining a computer to the domain without a prestaged account. Set this attribute to zero.
B. Incorrect: This attribute configures the default quota for all Active Directory objects, not just for new computer accounts.
C. Incorrect: Removing this user right does not prevent Authenticated Users from joining computers to the domain.
D. Incorrect: Setting this permission will prevent all users, including administrators, from creating computer accounts.
26.
You want to join a remote computer to the domain. Which command should you use?
Chapter 5 lesson 1
Correct Answer
B. Netdom.exe
Explanation
A. Incorrect: Dsadd creates new objects, including computer objects, but does not join a computer to the account.
B. Correct: Netdom Join can join the local computer or a remote computer to the domain.
C. Incorrect: Dctest tests various components of a domain controller.
D. Incorrect: System.cpl is the System Properties control panel application. It enables you to join the local computer to a domain, but not to join a remote computer to a domain.
27.
Your manager has just asked you to create an account for DESKTOP234. Which of the following enables you to do that in one step?
Chapter 5 lesson 2
Correct Answer
C. Dsadd
Explanation
A. Correct: CSVDE can import one or more computers from a .csv file, and Excel can save a worksheet as a .csv file.
B. Incorrect: LDIFDE can import one or more computers, but the LDIF format cannot be created using Excel.
C. Incorrect: Dsadd enables you to create computer objects one at a time.
D. Correct: Windows PowerShell enables you to use ADSI to create computers and can use a .csv file as a data source.
E. Correct: VBScript enables you to use ADSI to create computers and can use a .csv file as a data source.
28.
Your hardware vendor has just given you an Excel worksheet containing the asset tags of computers that will be delivered next week. You want to create computer objects for the computers in advance. Your naming convention specifies that computers’ names are their asset tags. Which of the following tools can you use to import the computers?
(Choose all that apply.)
Chapter 5 lesson 2
Correct Answer(s)
A. CSVDE
D. Windows PowerShell
E. VBScript
Explanation
A. Correct: CSVDE can import one or more computers from a .csv file, and Excel can save a worksheet as a .csv file.
B. Incorrect: LDIFDE can import one or more computers, but the LDIF format cannot be created using Excel.
C. Incorrect: Dsadd enables you to create computer objects one at a time.
D. Correct: Windows PowerShell enables you to use ADSI to create computers and can use a .csv file as a data source.
E. Correct: VBScript enables you to use ADSI to create computers and can use a .csv file as a data source.
29.
A server administrator reports Failed To Authenticate events in the event log of a file server. What should you do?
Chapter 5 lesson 3
Correct Answer
A. Reset the server account.
Explanation
A. Correct: Such events are symptomatic of a broken secure channel. Resetting the computer’s account is the correct step to take to address the issue.
B. Incorrect: The event does not reflect user authentication problems.
C. Incorrect: Disabling the server account will prevent the server from authenticating. Enabling it will not fix the problem.
D. Incorrect: The event does not reflect user authentication problems.
30.
A computer has permissions assigned to its account to support a system service. It also belongs to 15 groups. The computer is being replaced with new hardware. The new hardware has a new asset tag, and your naming convention uses the asset tag as the computer name. What should you do?
(Choose all that apply. Each correct answer is a part of the solution.)
Chapter 5 lesson 3
Correct Answer(s)
C. Reset the computer account for the existing system.
D. Rename the computer account for the existing system.
E. Join the new system to the domain.
Explanation
A. Incorrect: Deleting the computer account will cause its SID to be removed and its group memberships to be lost. You will be forced to add the new account to the same groups and to assign permissions to the new account.
B. Incorrect: Creating a new account for the new system creates a new SID. Permissions will have to be reassigned and group memberships re-created.
C. Correct: Resetting the computer account makes it available for a system to join the domain using the account. The account’s SID and group memberships are preserved.
D. Correct: You must rename the account so that it can be joined by the new system using its name.
E. Correct: After resetting and renaming the account, you must join the new system to the domain.
31.
Your enterprise recently created a child domain to support a research project in a remote location. Computer accounts for researchers were moved to the new domain. When you open Active Directory Users And Computers, the objects for those computers are displayed with a down-arrow icon. What is the most appropriate course of action?
Chapter 5 lesson 3
Correct Answer
C. Enable the accounts.
Explanation
A. Incorrect: A down arrow indicates that computer accounts are disabled. It is not necessary to reset the accounts.
B. Incorrect: A down arrow indicates that computer accounts are already disabled.
C. Correct: A down arrow indicates that the accounts are disabled. You need to enable them.
D. Incorrect: A down arrow indicates that computer accounts are disabled. It is not necessary to delete the accounts.
32.
Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The business unit administrators want the ability to manage Group Policy for the users and computers in their OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for their business units? (Choose all that apply. Each correct answer is a part of the solution.)
chapter 6 lesson 1
Correct Answer(s)
B. Add business unit administrators to the Group Policy Creator Owners group.
D. Delegate Link GPOs permission to each business unit’s administrators in the business unit’s OU.
Explanation
A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators’ workstations.
B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs.
C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators.
D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission.
33.
You are an administrator at Contoso, Ltd. At a recent conference, you had a conversation with administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain. Which steps can you and the Fabrikam administrators perform?
chapter 6 lesson 1
Correct Answer
D. Right-click the Contoso GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it, and choose Import Settings.
Explanation
A. Incorrect: A saved report is an HTML or XML description of a GPO and its settings. It cannot be imported into another GPO.
B. Incorrect: The Restore From Backup command is used to restore a GPO in its entirety.
C. Incorrect: You cannot paste settings into a GPO.
D. Correct: You can import settings to an existing GPO from the backed-up settings of another GPO.
34.
You want to deploy a GPO named Northwind Lockdown that applies configuration to all users at Northwind Traders. However, you want to ensure that the settings do not apply to members of the Domain Admins group. How can you achieve this goal?
(Choose all that apply.)
chapter 6 lesson 2
Correct Answer(s)
B. Link the Northwind Lockdown GPO to the domain, right-click the OU that contains the user accounts of all users in the Domain Admins group, and choose Block Inheritance.
C. Link the Northwind Lockdown GPO to the domain, and then assign the Domain Admins group the Deny Apply Group Policy permission.
Explanation
A. Incorrect: If you configure a domain to block inheritance, GPOs linked to sites will not be applied to users or computers in the domain. The Northwind Lockdown GPO is linked to the domain and will apply to all users, including those in the Domain Admins group.
B. Correct: By blocking inheritance on the OU that contains all the users in the Domain Admins group, you prevent the policy settings from applying to those users.
C. Correct: The Deny Apply Group Policy permission, assigned to Domain Admins, exempts Domain Admins from the scope of the GPO, which otherwise applies to the Authenticated Users group.
D. Incorrect: All user accounts in the domain belong to the Domain Users group as their primary group. Therefore, the GPO will apply to all users, including those in the Domain Admins group.
35.
You want to create a standard lockdown desktop experience for users when they log on to computers in your company’s conference and training rooms. You have created a GPO called Public Computers Configuration with desktop restrictions defined in the User Configuration node. What additional steps must you take? (Choose all that apply. Each correct answer is a part of the solution.)
chapter 6 lesson 2
Correct Answer(s)
A. Enable the User Group Policy Loopback Processing Mode policy setting.
D. Link the GPO to the OU containing conference and training room computers.
Explanation
A. Correct: Because the desktop restrictions are in the User Configuration node but are being applied when users log on to specific computers, loopback policy processing is required.
B. Incorrect: Linking the GPO to the OU containing user accounts causes the restrictions to apply to all users at all times, not only when they log on to conference and training room systems.
C. Incorrect: The Block Inheritance option is not necessary and will prevent the application of all other GPOs from parent OUs, from the domain, and from sites.
D. Correct: To scope the GPO correctly, you must link it to the OU containing the computer objects of conference and training room systems.
36.
A user calls the help desk at your organization and reports problems that you suspect might be related to changes that were recently made to Group Policy. You want to examine information regarding Group Policy processing on her system. Which tools can you use to gather this information remotely? (Choose all that apply.)
chapter 6 lesson 3
Correct Answer(s)
B. Group Policy Results Wizard
D. Gpresult.exe
Explanation
A. Incorrect: The Group Policy Modeling Wizard is used to simulate Group Policy application, not to report its actual application.
B. Correct: The Group Policy Results Wizard can be used to report Group Policy application on a remote system.
C. Incorrect: Gpupdate.exe is used to initiate a manual policy refresh.
D. Correct: Gpresult.exe can be used with the /s switch to gather RSoP information remotely.
E. Incorrect: Msconfig.exe is used to gather system information and to control system startup.
37.
You are the administrator at Contoso, Ltd. The contoso.com domain has five GPOs linked to the domain, one of which configures the password-protected screen saver and screen saver timeout required by corporate policy. Some users report that the screen saver is not launching after 10 minutes as expected. How do you know when the GPO was applied?
chapter 6 lesson 3
Correct Answer
A. Run Gpresult.exe for the users.
Explanation
A. Correct: Gpresult.exe produces an RSoP report that will indicate when the GPO was applied. Screen saver policy settings are user configuration settings, so you must run Gpresult.exe for user settings.
B. Incorrect: There is no –computer option for the Gpresult.exe command.
C. Incorrect: Screen saver settings are user, not computer, configuration.
D. Incorrect: Gpupdate.exe is used to trigger a policy refresh, not to report policy application.
38.
The contoso.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk GPO includes a restricted groups policy for the CONTOSO\Help Desk group that specifies This Group Is A Member Of Administrators. The Sydney Support GPO includes a restricted groups policy for the CONTOSO\Sydney Support group that specifies This Group Is A Member Of Administrators. A computer named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will be a member of the Administrators group on DESKTOP234? (Choose all that apply.)
chapter 7 lesson 1
Correct Answer(s)
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Explanation
A. Correct: The local Administrator account is a default member of Administrators. It cannot be removed.
B. Correct: Domain Admins is added to Administrators when a computer joins the domain. The Member Of policy settings add specified groups to Administrators and do not remove existing members.
C. Correct: Sydney Support is added to the Administrators group by the Sydney Support GPO. The Member Of policy settings add specified groups to Administrators and do not remove existing members.
D. Correct: Help Desk is added to the Administrators group by the Corporate Help Desk GPO. The Member Of policy settings add specified groups to Administrators and do not remove existing members.
E. Incorrect: The Remote Desktop Users group is not a default member of Administrators and is not added to Administrators by any of the GPOs.
39.
The contoso.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This Group setting to be CONTOSO\Help Desk. The Sydney Support GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This Group setting to be CONTOSO\Sydney Support. A computer named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will be a member of the Administrators group on DESKTOP234? (Choose all that apply.)
chapter 7 lesson 1
Correct Answer(s)
A. Administrator
C. Sydney Support
Explanation
A. Correct: The local Administrator account is a default member of Administrators. It cannot be removed.
B. Incorrect: Domain Admins is added to Administrators when a computer joins the domain but is removed by the Sydney Support GPO, which specifies the authoritative membership of the group.
C. Correct: Sydney Support is added to the Administrators group by the Sydney Support GPO.
D. Incorrect: Help Desk is specified as a member of the Administrators group by the Corporate Help Desk GPO, but the Sydney Support GPO has higher precedence because it is linked to the OU in which DESKTOP234 exists. Therefore, the membership specified by the Sydney Support GPO’s Members Of This Group setting is authoritative.
E. Incorrect: The Remote Desktop Users group is not a default member of Administrators and is not added to Administrators by any of the GPOs.
40.
The contoso.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This Group setting to be CONTOSO\Help Desk. The Sydney Support GPO includes a restricted groups policy for the CONTOSO\Sydney Support group that specifies This Group Is A Member Of Administrators. A computer named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will be a member of the Administrators group on DESKTOP234?
(Choose all that apply.)
chapter 7 lesson 1
Correct Answer(s)
A. Administrator
C. Sydney Support
D. Help Desk
Explanation
A. Correct: The local Administrator account is a default member of Administrators. It cannot be removed.
B. Incorrect: Domain Admins is added to Administrators when a computer joins the domain but is removed by the Corporate Help Desk GPO, which specifies the membership of Administrators using the Members Of This Group setting.
C. Correct: Sydney Support is added to the Administrators group by the Sydney Support GPO. Because the Sydney Support GPO has higher precedence than the Corporate Help Desk GPO, DESKTOP234 applies the Sydney Support GPO after applying the Corporate Help Desk GPO; thus, the Sydney Support GPO’s members are added to the Administrators group.
D. Correct: Help Desk is specified as a member of the Administrators group by the Corporate Help Desk GPO. When this GPO is applied, all other members of Administrators, except the Administrator account itself, are removed.
E. Incorrect: The Remote Desktop Users group is not a default member
41.
You want to deploy security settings to multiple servers by using Group Policy. The settings need to apply the user rights that you have configured and validated on a server in your test environment. Which tool should you use?
chapter 7 lesson 2
Correct Answer
B. Security Configuration And Analysis
Explanation
A. Incorrect: Local Security Policy enables you to configure the settings on a single server.
B. Correct: You can use Security Configuration And Analysis to compare the test environment configuration to a template, to reconcile discrepancies, and to export the resulting settings to a security template. The security template can then be imported into a GPO.
C. Incorrect: The Security Configuration Wizard does not manage user rights.
D. Incorrect: The Security Templates snap-in can create a security template but cannot export the settings of the test environment server. Security Configuration And Analysis is a better answer.
42.
You want to deploy security settings to multiple servers by using Group Policy. The settings need to configure services, firewall rules, and audit policies appropriate for servers in your enterprise that act as file and print servers. Which tool would be the best choice for you to use?
chapter 7 lesson 2
Correct Answer
C. Security Configuration Wizard
Explanation
A. Incorrect: Local Security Policy enables you to configure the settings on a single server.
B. Incorrect: Security Configuration And Analysis enables you to create security templates that can be imported into a GPO, but the tool is not role-based. The Security Configuration Wizard is a better answer.
C. Correct: The Security Configuration Wizard creates role-based security policies that manage services, firewall rules, and audit policies as well as certain registry settings.
D. Incorrect: Security Templates enables you to create security templates that can be imported into a GPO, but the tool is not role-based. The Security Configuration Wizard is a better answer.
43.
You created a security policy by using the Security Configuration Wizard. Now you want to deploy the settings in that security policy to the servers in your Servers OU. Which of the following steps are required?
(Choose two. Each correct answer is a part of the solution.)
chapter 7 lesson 2
Correct Answer(s)
A. Use Scwcmd.exe /transform.
D. Link the GPO to the Servers OU.
Explanation
A. Correct: The Scwcmd.exe /transform command creates a GPO that includes the settings in the specified security policy.
B. Incorrect: You do not need to create a GPO. The Scwcmd.exe command does that automatically.
C. Incorrect: You do not import settings from a security policy into a GPO. You can import the settings from a security template into a GPO.
D. Correct: The GPO created must be linked to an appropriate site, domain, or OU before its settings are applied to computers in that container.
44.
You want to raise the domain functional level of a domain in the contoso.com forest. Which tool can you use?
(Choose all that apply.)
chapter 12 lesson 1
Correct Answer(s)
A. Active Directory Users And Computers
D. Active Directory Domains And Trusts
Explanation
A. Correct: In Active Directory Users And Computers, you can right-click the root node of the snap-in or the domain, and you will find the Raise Domain Functional Level command.
B. Incorrect: Active Directory Schema is not used to raise the domain functional level.
C. Incorrect: Active Directory Sites And Services is not used to raise the domain functional level.
D. Correct: You can right-click the domain in the Active Directory Domains And Trusts snap-in and choose Raise Domain Functional Level.
45.
You are an administrator of the contoso.com domain. You want to add a read-only domain controller to a domain with one Windows Server 2003 domain controller and one Windows 2008 domain controller. Which of the following must be done before adding a new server as an RODC? (Choose all that apply. Each correct answer is part of the solution.)
chapter 12 lesson 1
Correct Answer(s)
B. Raise the domain functional level to Windows Server 2003.
D. Raise the forest functional level to Windows Server 2003.
E. Run Adprep /rodcprep.
Explanation
A. Incorrect: You must have one writable domain controller running Windows Server 2008 before adding an RODC to a domain. You already have a Windows Server 2008 domain controller in the contoso.com domain.
B. Correct: The domain functional level must be at least Windows Server 2003 before adding an RODC.
C. Incorrect: You cannot raise the domain functional level to Windows Server 2008 because you have a domain controller running Windows Server 2003.