Questions and Answers | MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)

< Day Day Up >

Page
3-16

Which predefined security template can be used to improve the ability of Users to run applications without being logged on as an administrator?

Which predefined security template can be used to return a system to its original security settings?

Which of the following tools can be used to copy a security template? (Choose all that apply.)

Answers

1.	b. The Compatws.inf security template makes the default permissions for the Users group less restrictive so that older applications are more likely to run correctly.
2.	a. The Setup Security.inf security template contains the security settings that Windows Server 2003 uses by default.
3.	c, f. The Security Templates snap-in and Windows Explorer can both be used to copy security templates.

Page
3-29

Which is the correct tool to use to most efficiently deploy a security template to a single domain member?

Which is the correct tool to use to most efficiently deploy a security template to hundreds of computers in a domain?

Which is the correct tool to use to most efficiently deploy a security template to dozens of standalone computers?

Answers

1.	d. The Local Security Policy console snap-in is the most efficient way to apply a security template to a single system because it is graphical and allows the administrator to apply security settings with a few clicks.
2.	a. Group Policy objects, configured by using the Group Policy Object Editor snap-in, are the most efficient way to apply a security template to multiple systems in a domain.
3.	e. The Secedit command-line tool is the most efficient way to deploy a security template to multiple computers that are not in a domain, because the security policy can be applied to a system by using scripts.

Page
3-44

Which of the following tools can be used to identify which GPOs were applied to a computer? (Choose all that apply.)

Which of the following tools can be used to identify the current Minimum Password Length setting and the responsible GPO? (Choose all that apply.)

Which of the following tools can be used to force a computer to refresh all Group Policy objects?

Answers

1.	a, b, c, g. RSoP, Help And Support Center, Gpresult, and the Registry Editor can all be used to determine which GPOs were applied to a computer.
2.	a, c. RSoP and Gpresult will show current policy settings and the GPO that defined them.
3.	d. Gpupdate is used to force the computer to immediately download and apply GPOs.

Page
3-46

1.	How many different security templates will you create, and what will each one be used for?
2.	Which of the following is the right choice for deploying security templates in your environment? Importing the security templates into Local Group Policy. Importing the security templates by using Secedit. Importing the security templates by using the Security Configuration And Analysis tool. Importing the security templates by using GPOs linked to Active Directory.
3.	Which of the portable and desktop computers will not be able to use Group Policy? The computers running Windows XP Professional The computers running Windows NT Workstation 4.0 The computers running Windows XP Home Edition The computers running Windows 2000 Professional The computers running Windows Millennium Edition The computers running Windows 95
4.	How will you apply security settings to those systems that do not support Group Policy?

Answers

1.	Your answer will vary, but you should at a minimum create nine security templates for the following roles: File server Domain controller Mail server External Web server Internal Web server Proxy server Database server Portable computer Desktop computer
2.	d. The only efficient way to manage the security of such a large number of computers is to use GPOs linked to Active Directory. Applying security templates to individual computers would be time consuming and difficult to maintain.
3.	b, c, e, f. Of the desktop platforms you have deployed, only the computers running Windows XP Professional and Windows 2000 Professional will be able to use Group Policy. Fortunately, these make up the majority of your computers.
4.	Ideally, you can convince management to upgrade these computers to Windows XP Professional, which supports Group Policy. That is the only way to ensure that end users do not change the security settings on their computers. If this is not possible, you can use System Policy or manually configure the security settings on each computer. However, that solution does not meet management’s original requirements.

Page
3-48

1.	Why was the Portable Computers Policy not applied?
2.	How will you resolve the problem?
3.	Why was the Local Group Policy not applied?
4.	Which other tools could you have used to identify the source of the problem?

Answers

1.	Gpresult identified the problem as Security, which indicates that the client computer did not have sufficient permissions to apply the Group Policy.
2.	View the properties for the GPO, and examine the security settings. Either the computer account, or one of the security groups the computer is a member of, was denied access to the Group Policy object. You must identify the group membership that is denied access and allow that group access to the Group Policy object. It is also possible that the computer was not denied access, but was also not granted access. If this is the case, modify the permissions for the Group Policy object to allow the Apply Group Policy permission to one of the groups the computer is a member of.
3.	The Local Group Policy was not applied because it is empty. Since there are no settings to apply, this is the expected behavior and is not indicative of a problem.
4.	There are no other tools that would reveal filtered GPOs.

< Day Day Up >