Home > Articles > Microsoft > MCTS

  • Print
  • + Share This
This chapter is from the book

Exam Cram Questions

  1. Evan is responsible for configuring Group Policy in his company’s domain. The domain functional level is set to Windows Server 2003. Evan’s manager has requested that he implement an account policy that specifies that all user accounts will be locked out if an incorrect password is entered five times within a one-quarter hour period. The account is to remain locked out until a support technician unlocks it.

    How should Evan configure the account policy? (Each correct answer represents part of the solution. Choose three answers.)

    bull.jpg

    A.

    Set the account lockout threshold to 0.

    bull.jpg

    B.

    Set the account lockout threshold to 1.

    bull.jpg

    C.

    Set the account lockout threshold to 4.

    bull.jpg

    D.

    Set the account lockout duration to 0.

    bull.jpg

    E.

    Set the account lockout duration to 1.

    bull.jpg

    F.

    Set the reset account lockout counter value to 0.25.

    bull.jpg

    G.

    Set the reset lockout counter to 15.

    bull.jpg

    H.

    Set the reset lockout counter to 900.

  2. Laura is the systems administrator for a company that operates an AD DS domain. The domain and forest functional level are set to Windows Server 2008. She has configured a password policy for users in her company’s domain that specifies that passwords must be at least seven characters long. The CIO has informed her that users in the legal department should have highly secure passwords. She configures a password policy in a GPO linked to the Legal OU that specifies that passwords be at least 12 characters long.

    A few days later, she receives a call from the CIO asking her why she has not yet implemented the stricter password policy. What must Laura do to implement the policy with the least amount of administrative effort?

    bull.jpg

    A.

    She needs to create a global security group, add the required users to this group, and ensure that the group has the Allow–Apply Group Policy permission applied to it.

    bull.jpg

    B.

    She needs to create a new domain, place the legal users and their computers in this domain, and then reapply the password policy to this domain.

    bull.jpg

    C.

    She needs to create a password settings object containing the required password settings and apply this object to the Legal OU.

    bull.jpg

    D.

    She needs to create a global security group and add the required users to this group. She then needs to create a password settings object containing the required password settings and apply this object to the group containing these users.

  3. You are excited about the new capability of configuring fine-grained password policies and want to try it out. To which of the following groups should your user account belong so that you can configure a fine-grained password policy?

    bull.jpg

    A.

    Account Operators

    bull.jpg

    B.

    Domain Admins

    bull.jpg

    C.

    Enterprise Admins

    bull.jpg

    D.

    Schema Admins

  4. Dennis is responsible for configuring security settings on a Windows Server 2008 computer. This computer runs specialized software and is configured as a standalone server that is not a member of his company’s AD DS domain. He needs to configure security settings that are similar to those applied to member servers in the domain.

    What should Dennis do to accomplish this task with the least amount of administrative effort?

    bull.jpg

    A.

    He should use the Security Templates snap-in to create a security database of the settings on a member server. He should then use the Security Configuration and Analysis snap-in to configure the standalone server with the settings contained in the database.

    bull.jpg

    B.

    He should use the Security Configuration and Analysis snap-in to analyze the security settings on the member server and then use this snap-in to configure the standalone server with the settings contained in the database.

    bull.jpg

    C.

    He should use the Security Templates snap-in to configure the security settings on the standalone server with settings contained in the Securews.inf security template.

    bull.jpg

    D.

    He should copy the settings on the member server and configure these settings manually on the standalone server.

  5. You are the administrator of a company that operates an AD DS network that contains two domains. Both domains operate at the Windows Server 2003 domain and forest functional levels. You have installed a new Windows Server 2008 computer and promoted this server to be an additional domain controller in your domain.

    Having heard about the new capability of configuring fine-grained password policies, you decide to give it a try and configure a PSO that specifies a minimum of 10 characters. You then associate this PSO with your user account and attempt to change your password to a new one that is 8 characters long.

    When this attempt succeeds, you wonder why the new PSO was not applied to your account. Which of the following is the reason you were able to specify an 8-character password?

    bull.jpg

    A.

    You need to associate the PSO with a global security group to which your user account belongs before it is applied.

    bull.jpg

    B.

    You need to associate the PSO with an OU to which your user account belongs before it is applied.

    bull.jpg

    C.

    You need to upgrade all domain controllers in the domain to Windows Server 2008 and set the domain functional level to Windows Server 2008 before the PSO is effective.

    bull.jpg

    D.

    You need to upgrade all domain controllers in both domains of the forest to Windows Server 2008 and set the domain and forest functional levels to Windows Server 2008 before the PSO is effective.

  6. Ruth is the administrator of an AD DS network that operates at the Windows Server 2008 domain and forest functional level. Her manager has asked her to implement success and failure auditing of directory service changes on the domain controller. The manager does not want success auditing of directory service access to be implemented because problems have occurred with events being overwritten in security logs before Ruth has had time to check them.

    Which of the following tools should Ruth use to configure auditing as requested?

    bull.jpg

    A.

    Auditpol.exe

    bull.jpg

    B.

    ADSIEdit.exe

    bull.jpg

    C.

    Ntdsutil.exe

    bull.jpg

    D.

    Group Policy Management Editor

  7. Barry is the network administrator for Examcram.com, which operates an AD DS network. The network includes servers running Windows Server 2003 and Windows Server 2008 and client computers running Windows XP Professional and Windows Vista Business. His manager has requested that he implement auditing of the following:

    • Attempts to log on to any local computer
    • Creation of a user account or group or changing of a user account password

    What auditing components should Barry configure? (Each correct answer represents part of the solution. Choose two answers.)

    bull.jpg

    A.

    Audit account management, success

    bull.jpg

    B.

    Audit account logon events, success and failure

    bull.jpg

    C.

    Audit object access, success

    bull.jpg

    D.

    Audit logon events, success and failure

  8. Veronica is responsible for configuring Group Policy on her company’s AD DS network. She has deployed a new software package to all computers in the Financial OU. Users in this OU report that their computers are restarting spontaneously at frequent intervals.

    Veronica wants to enable an auditing policy in a GPO in an attempt to troubleshoot this problem. Which type of events should she audit?

    bull.jpg

    A.

    Logon events

    bull.jpg

    B.

    Process tracking events

    bull.jpg

    C.

    System events

    bull.jpg

    D.

    Privilege use events

    bull.jpg

    E.

    Policy change events

Answers to Exam Cram Questions

  1. C, D, G. Evan should specify an account lockout threshold of 4 passwords, and account lockout duration of 0, and a reset account lockout counter value of 15 minutes. The account lockout threshold specifies the number of incorrect passwords that can be entered before the account locks out. It can be set from 0 to 999, and a value of 0 means that the account never locks out. The account lockout duration can be set from 0 to 99,999 minutes, and a value of 0 means that the account remains locked out until unlocked by an administrator or individual who has been delegated this responsibility. The reset account lockout counter value specifies the number of minutes to wait until the lockout counter resets itself to 0. It can be set to any value between 0 and 99999; a value of 0 means that this counter is never reset. If Evan set an account lockout threshold to 0, the accounts would never lock out, and if he set it to 1, the accounts would lock out after one incorrect password, so answers A and B are incorrect. If Evan set the account lockout duration to 1, the accounts would lock out for one minute only, so answer E is incorrect. If he set the reset account lockout counter value to 0, the account lockout counter would never reset, so answer F is incorrect. If he set the reset account lockout counter to 900, the counter would not reset until 15 hours had elapsed. (The value of this counter is specified in minutes, not seconds.) Therefore, answer H is incorrect.

  2. D. Laura needs to create a global security group and add the required users to this group. She then needs to create a password settings object containing the required password settings and apply this object to the group containing these users. The new fine-grained password policy in Windows Server 2008 enables her to create a password policy that applies only to specified users or groups. Laura cannot link a GPO to a group, so answer A is incorrect. Laura could create a new domain and apply the policy in this manner. This was the method she would have needed to do before Windows Server 2008; however, application of a fine-grained password policy takes far less administrative effort and expense, so answer B is incorrect. It is not possible to apply a fine-grained password policy to an OU, so answer C is incorrect.

  3. B. Your user account must belong to the Domain Admins global group before you can create a fine-grained password policy. Membership in the Account Operators group is insufficient, so answer A is incorrect. Membership in either the Enterprise Admins or Schema Admins group is not required for creating a fine-grained password policy, so answers C and D are incorrect.

  4. A. Dennis should use the Security Templates snap-in to create a security database of the settings on a member server. He should then use the Security Configuration and Analysis snap-in to configure the standalone server with the settings contained in the database. This procedure copies the security settings that he has already configured to the standalone server; he can subsequently configure any additional settings that might be needed manually. The Security Configuration and Analysis snap-in does not create a database of settings, it compares existing settings to those in the database and configures the server to these settings; therefore, answer B is incorrect. The Securews.inf security template was used in Windows 2000 and Windows Server 2003 to configure security settings on member servers and workstations. It is no longer available in Windows Server 2008, so answer C is incorrect. Dennis could manually configure settings, but this would take far more administrative effort, so answer D is incorrect.

  5. C. To have a PSO apply properly, the domain functional level must be at the Windows Server 2008 functional level. To achieve this functional level, you must upgrade all domain controllers to Windows Server 2008. You can associate a PSO with a user account, so answer A is incorrect. It is not possible to associate a PSO with an OU, so answer B is incorrect. It is not necessary to upgrade other domains in the forest to Windows Server 2008 if no PSO is being applied in these domains, so answer D is incorrect.

  6. A. Ruth should use the Auditpol.exe command-line tool to configure auditing of directory service changes. This is a new auditing category that is included in the Directory Service Access category but must be configured from Auditpol.exe to be implemented on its own. Ruth would use ADSIEdit.exe to perform low-level editing of AD DS objects, including the implementation of fine-grained password policies. She would use Ntdsutil.exe to perform several AD DS management actions, including the seizure of operations masters roles. Neither of these tools can be used to configure auditing, so answers B and C are incorrect. Ruth could implement auditing of the Directory Service Access category from the Group Policy Management Console, but this would not fulfill the requirements of this scenario, so answer D is incorrect.

  7. A, D. The audit account management event includes creation, modification, or deletion of user accounts or groups, renaming or disabling of user accounts, or configuring and changing of passwords; and the audit logon events tracks logons at local computers. Audit account logon events are logon and logoff activity at member servers and client computers, so answer B is incorrect. Audit object access tracks when a user accesses an object such as a file, folder, Registry key, or printer that has its own SACL specified, so answer C is incorrect.

  8. C. Veronica should implement success auditing of system events to identify the cause of the problems that are being experienced. This tracks actions taking place on a computer, such as improper shutdowns or restarts. Logon events track logon and logoff activity at member servers and client computers, but they do not track the causes of improper shutdowns as experienced here, so answer A is incorrect. Process tracking events track actions performed by an application, but not improper shutdowns, so answer B is incorrect. Privilege use events track the use of system rights, so answer D is incorrect. Policy change events track the modification of policies including user rights assignment, trust, and audit policies. This also is not required here, so answer E is incorrect.

  • + Share This
  • 🔖 Save To Your Account