Objective 1.4: Questions

1. 

In your Windows Server 2003 functional level domain CONTOSO.COM, you have a domain global group named SUPERUSERS. A security template has been configured that specifies the membership of the SUPERUSERS group as Rooslan, Oksana, Kasia, Shan, and Mick. This security template also assigns the SUPERUSERS group a large number of administrative rights. This security template has been imported into a GPO that is applied at the domain level and has been running perfectly for the past week. Today you get a call from your junior administrator who believes that he might have accidentally added the user accounts of Orin and Laherty to the SUPERUSERS group through the Active Directory Users and Computers console on the domain controller. You log on to the domain controller to check, and indeed these accounts have been added to the SUPERUSERS group. Which of the following steps should you take to most easily return the membership of the SUPERUSERS group to the original five users listed in the restricted groups policy as quickly as possible?

1. From the command prompt on the domain controller, issue the GPUPDATE/FORCE command.

2. Delete Orin, Laherty, and Mick’s user accounts from the membership of the SUPERUSERS group.

3. Remove the GPO that is applied to the domain. Import the new security template into the Default Domain Policy GPO.

4. Import the new security template back into the GPO that is applied to the domain.

5. From the command prompt on the domain controller, issue the SECEDIT/REFRESHPOLICY command.

2. 

Which of the following could be used to generate a rollback security template named ROLLBKIIS.INF to undo the effects of the application of a security configuration template named IISLOCK.INF?

1. Create a new GPO in the Group Policy Object Editor. Right-click the security node and select Export. In the dialog box, type ROLLBKIIS.INF as the name of the exported security template.

2. Create a new GPO in the Group Policy Object Editor. Right-click the security node, select Import, and then select the IISLOCK.INF security template. Right-click the security node again and select Export. Save the security template file with the name ROLLBKIIS.INF.

3. Create a new GPO in the Group Policy Object Editor. Right-click the security node, select Import, and then select the IISLOCK.INF security template. Right-click the security node again and select Rollback. Save the security template file with the name ROLLBKIIS.INF.

4. SECEDIT /GENERATEROLLBACK /CFG IISLOCK.INF /RBK ROLLBKIIS.INF

3. 

You configure a security template with the following settings:

Network Security: Do not store LAN Manager hash value on next password change (enabled).

Network Security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM & NTLM.

Your network environment includes clients running Windows 98. You import the security template into a new GPO and apply the new GPO to the domain controllers container in Active Directory Users and Computers. Soon after you apply this policy, you receive reports that your Windows 98 users are having problems accessing resources on the network. Which of the following should you do to enable Windows 98 users to log on to the domain? (Select two answers.)

1. Install and configure the DSClient software on the Windows 98 clients.

2. Edit the security template so that the “Do not store LAN Manager hash value on next password change” policy is set to disabled.

3. Install the IPSec client on the clients running Windows 98.

4. Edit the security template so that the “LAN Manager authentication level” is set to “Send NTLMv2 responses only.”

4. 

You are the network administrator at Contoso, Ltd. There is a single domain named CONTOSO.COM. There is an OU named DEVELOPERS that hosts the developer’s computers and user accounts. This OU is a child OU of the ITSTAFF OU. There are two sites: Headquarters and Melbourne.

Security template Alpha has the following settings:

Shut down the system: CONTOSO\Administrators; CONTOSO\IISADMINS

Security template Beta has the following settings:

Shut down the system: CONTOSO\Administrators; CONTOSO\SUPERUSERS

Security template Gamma has the following settings:

Shut down the system: CONTOSO\Administrators; CONTOSO\DEVELOPERS

Security template Alpha has been imported into a GPO that is applied to the Melbourne site. Security template Beta has been imported into a GPO that is applied to the ITSTAFF OU. Security template Gamma has been imported into a GPO that is applied to the DEVELOPERS OU. You get a call from a user who is located at the Melbourne site. He complains that he is unable to shut down his computer. You look at his computer’s account and find that it is located in the DEVELOPERS OU. You ascertain that his user account is a member of the IISADMINS and DEVELOPERS security groups. Given that no other GPOs are in operation besides those listed here, which of the following might explain why this user is unable to shut down his computer?

1. The Group Policy applied to the Melbourne site is set to “block inheritance.”

2. The Group Policy applied to the DEVELOPERS OU is set to “block inheritance.”

3. The Group Policy applied to the ITSTAFF OU is set to “block inheritance.”

4. The Group Policy applied to the Melbourne site is set to “no override.”

5. The Group Policy applied to the ITSTAFF OU is set to “no override.”

5. 

You have just installed Windows XP Professional for an organization that runs many customized applications that were originally written to run on Windows 98. Since the installation of Windows XP, you have received complaints that some of the applications don’t work. You’ve diagnosed this problem and found that in some cases ordinary users require higher levels of permissions than those that you’ve allowed in your security policy. You’ve placed all of the computer accounts for this group within a separate OU. You create a Group Policy object and apply it to this new OU. Which of the following preconfigured templates should you import to this OU to ensure that the users are able to run their customized Windows 98–based applications on their workstations that run Windows XP Professional?

1. security.inf

2. notssid.inf

3. rootsec.inf

4. hisecws.inf

5. compatws.inf

1. 

Correct Answers: A

1. Correct When the membership of a restricted group is altered manually by someone adding new members to the group, those members will remain until a policy update is forced. You can accomplish this instantly by running a GPUPDATE /FORCE from the command prompt. After this is done, the group membership will be returned to its proper state.

2. Incorrect This will not solve the problem. Mick’s user account is also supposed to be a part of the SUPERUSERS group.

3. Incorrect This step is not necessary; on the next Group Policy update the membership of the group will be returned to its proper state.

4. Incorrect This will not change anything; the GPO already has the correct security settings. The membership of the group will be returned properly when the next Group Policy update occurs.

5. Incorrect Although this technique would have worked with Windows 2000, in Windows Server 2003 SECEDIT /REFRESHPOLICY has been replaced by the GPUPDATE command.

2. 

Correct Answers: D

1. Incorrect The export command cannot be used on new Group Policy objects.

2. Incorrect All that this will do is generate a security template that is identical to the original one.

3. Incorrect The Group Policy Object Editor does not have this functionality.

4. Correct The SECEDIT command can be used to generate a rollback template for a specific security template. Although it is not important to remember every switch involved in commands such as SECEDIT and GPUPDATE for the exam, having knowledge of what can be accomplished with the command lines is important.

3. 

Correct Answers: A and D

1. Correct If the DSClient software is installed on the Windows 98 clients, they will be able to handle the increased security level of the LAN Manager authentication.

2. Incorrect Only clients running operating systems much earlier than Windows 98, and the occasional earlier application, require the LAN Manager hash value. Windows 98 is able to interact with the domain if the LAN Manager hash value is not stored.

3. Incorrect IPSec has nothing to do with the problems currently being experienced by the clients running Windows 98.

4. Correct This approach will also work because this is the maximum LAN Manager authentication level that clients running Windows 98 can handle without the installation of the DSClient software.

4. 

Correct Answers: E

1. Incorrect This behavior cannot be explained by the GPO applied to the Melbourne site being set to “block inheritance.”

2. Incorrect This behavior cannot be explained by the GPO applied to the DEVELOPERS OU being set to “block inheritance.”

3. Incorrect This behavior cannot be explained by the GPO applied to the ITSTAFF OU being set to “block inheritance.”

4. Incorrect If this were the case, because the user is a member of the IISADMINS group, he would be able to shut down his computer.

5. Correct The only explanation for this behavior is that the policy being applied to the ITSTAFF OU is overriding the policy being applied to the DEVELOPERS OU.

5. 

Correct Answers: E

1. Incorrect This is the default security template; it is created on each computer during the installation of Windows. It will not provide the required compatibility.

2. Incorrect This particular security policy is used with terminal servers running in application compatibility mode. It will not help users run customized Windows 98–based applications on workstations running Windows XP Professional.

3. Incorrect Rootsec.inf is used to specify permissions for the root directory of the system drive. It is used to set the NTFS permissions of the root directory. It is not used to ensure compatibility with applications customized for Windows 98.

4. Incorrect This is the high security template for workstations. Of the preconfigured security templates that ship with Windows XP and Windows Server 2003, this is the strictest. Because of its strictness, it will not allow programs that require unusual access to the registry, such as those that are customized to run under Windows 98, to execute.

5. Correct The compatws.inf security template is designed to allow normal users to have a greater level of permissions than they would normally have under Windows XP Professional. The compatibility template alters the file and registry permissions that are granted to normal users. This alteration allows many applications that were written for Windows 98, rather than Windows 2000 or Windows XP, to run.