Objective 4.3 Questions




1. 

Your organization consists of three Active Directory forests running Windows Server 2003. The forests are all configured at the Windows Server 2003 functional level. Each of the three forests has a single domain tree. The first forest’s root domain is adatum.com. The first forest hosts the child domains western.adatum.com and northern.adatum.com. The second forest’s root domain is proseware.com. The second forest hosts the child domains sydney.proseware.com, adelaide.proseware.com, and melbourne.proseware.com. The third forest’s root domain is contoso.com. The third forest hosts only a single child domain, node.contoso.com. Forest trust relationships exist between the first and the second forests and between the second and third forests. A two-way external trust relationship exists between northern.adatum.com and contoso.com.

You are configuring the folder permissions for a file server located in the node.contoso.com domain. Which of the following users and groups will you be able to assign permissions to? (Select all that apply.)

  A. Global groups created in the contoso.com domain

  B. Global groups created in the northern.adatum.com domain

  C. Universal groups created in the melbourne.proseware.com domain

  D. Global groups created in the adelaide.proseware.com domain

  E. Universal groups created in the western.adatum.com domain


2. 

You are configuring permissions for an important file share on a member server running Windows Server 2003 in the resources.proseware.com domain. The resources.proseware.com domain is a member of the forest that has proseware.com as its root domain. The adatum.com and contoso.com domain trees are also members of the same forest as the proseware.com tree. The proseware.com forest is running at the Windows Server 2003 functional level.

The user principal names (UPNs) of specific users are as follows:

| User | UPN |
| --- | --- |
| Rooslan | rooslan@core.adatum.com |
| Foley | foley@users.proseware.com |
| Mick | mick@cheltenham.contoso.com |
| Laherty | laherty@blackburn.contoso.com |

Rooslan is a member of the Easternsub universal group that was created in the eastern.adatum.com domain. Foley and Mick are members of the Bayside universal group that was created in the core.proseware.com domain. Laherty is a member of the Northsub universal group that was created in the core.contoso.com domain. Two domain local groups have been created in the resources.proseware.com domain. The first domain local group, which is named Chatter, includes in its membership the Easternsub universal group. The second domain local group, which is named Redux, includes in its membership the Northsub and Bayside universal groups.

Share and folder permissions for the important file share are as follows:

| User or Group | Permission |
| --- | --- |
| Chatter | Read (Allow) |
| Redux | Change (Allow) |
| Easternsub | Full Control (Allow) |
| Bayside | Modify (Allow) |
| Northsub | Write (Allow) |
| mick@cheltenham.contoso.com | Full Control (Deny) |

Given this set of permissions, which of the users will be able to delete a file named test.xls that is located in this file share and subject to the permissions listed above?

  A. Rooslan

  B. Foley

  C. Mick

  D. Laherty

  E. None of the above


3. 

Agim is the systems administrator for the department of arts at the local University. He has spoken with his manager James about problems that the department has been having with students accessing computers that they are not supposed to access. Some students have been attempting to access staff files on the three departmental file servers. It has also been noted that some academic staff members allow their postgraduate students to log on to their computers when they are not in the office. Finally, some undergraduate students are using the postgraduate computer lab for network access when there are no available computers in the undergraduate lab.

The faculty has a single Windows Server 2003 forest that contains only one domain. All departmental file servers are located in the Memberserv OU. The user accounts of all students, both undergraduate and postgraduate, are stored in the Students OU. All staff computer accounts are stored in the Staffwkstn OU. All computer accounts for the postgraduate lab are in the Postgradlab OU, and all computer accounts for the undergraduate lab are in the Undergradlab OU. All postgraduate students are members of the Postgrad domain global group. All undergraduate students are members of the Undergrad domain global group.

To address his concerns, James creates the following list of goals for Agim to implement:

Primary goal: Deny network access to the three departmental file servers to all user accounts in the Students OU.

First secondary goal: Deny all postgraduate students the ability to log on locally to a staff member’s computer.

Second secondary goal: Deny all undergraduate students the ability to log on locally to computers in the postgraduate laboratory.

Agim performs the following actions:

He creates a GPO and applies it to the Staffwkstn OU. In the \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node, he configures the Deny Log On Locally policy to include the Postgrad and Undergrad groups.

He creates a GPO and applies it to the Postgradlab OU. In the \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node, he configures the Deny Log On Locally policy to include the Undergrad group.

He creates a GPO and applies it to the Memberserv OU. In the \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node, he configures the Deny Log On Locally policy to include the Undergrad and Postgrad groups.

After Agim has performed these actions, which of James’ goals has he achieved?

  A. Agim has achieved the primary goal and both secondary goals.

  B. Agim has achieved the primary goal and one secondary goal.

  C. Agim has achieved the primary goal only.

  D. Agim has achieved both secondary goals. Agim has not achieved the primary goal.

  E. Agim has achieved one of the secondary goals. Agim has not achieved the primary goal.


4. 

You are responsible for training a group of interns in the art of systems administration. All of the interns are members of the Interns group. This week you want them to be able to log on to the member servers in your domain and make a backup. They don’t need to be able to restore any files. They should log on to each member server by using Remote Desktop. They should be restricted from logging on to each server locally.

You don’t want to add them to the Backup Operators group. Rather, you want to alter the rights assigned to the Interns group. You want to do this by editing a GPO applied to the OU that hosts the member servers in your domain and applying policies located in the \Computer Configuration\Windows Settings\Security Settings\User Rights Assignment node. Which of the following are the minimum rights that you should assign to the Interns group by editing policies in this node? (Select all that apply.)

  A. Back Up Files And Directories

  B. Bypass Traverse Checking

  C. Deny Log On Locally

  D. Allow Log On Through Terminal Services

  E. Impersonate A Client After Authentication

  F. Load And Unload Device Drivers


5. 

You want to calculate a user’s permissions with the least possible administrative effort. The user is a member of several groups that are assigned permissions to a particular folder. What should you do?

  A. Calculate the permissions manually.

  B. Use the Effective Permissions tool.

  C. From the command line, run the cacls tool with the /showperms user@domainname switch.

  D. Use the Security Configuration And Analysis tool.


Answers

1. 

Correct Answers: C and D

  A. Incorrect. The fact that all forests are configured at the Windows Server 2003 functional level implies that all domains in the forest are also configured at the Windows Server 2003 functional level. At this level, global groups from domains in the same forest can be assigned permissions to shared folders.

  B. Incorrect. Although a two-way external trust relationship exists between northern.adatum.com and contoso.com, that trust doesn’t filter down to the child domain node.contoso.com. There is no forest trust relationship between the adatum.com and contoso.com forests. Even though there are trust relationships between both adatum.com and contoso.com with the proseware.com forest, forest trusts are not transitive.

  C. Correct. Because a forest trust relationship exists between the contoso.com forest and the proseware.com forest, universal groups created in the proseware.com domain can be assigned permissions to local resources.

  D. Correct. Global groups from trusted forests can be assigned permissions to local resources.

  E. Incorrect. Although a two-way external trust relationship exists between northern.adatum.com and contoso.com, that trust doesn’t filter down to the node.contoso.com child domain or to the western.adatum.com domain. There is no forest trust relationship between the adatum.com and contoso.com forests. Even though there are trust relationships between both adatum.com and contoso.com with the proseware.com forest, forest trusts are not transitive.

2. 

Correct Answers: B

  A. Incorrect. Rooslan is a member of the Easternsub and Chatter groups. At the share level, his permission will be Read (Allow). At the NTFS level, his permission will be Full Control (Allow). The effective overall permission is the most restrictive of the share and NTFS permissions, which leaves his permission at Read.

  B. Correct. Foley is a member of the Bayside and Redux groups. At the share level, his permission will be Change (Allow). At the NTFS level, his permission will be Modify (Allow). Both of these permissions allow for the deletion of files, hence Foley will be able to delete the file named test.xls.

  C. Incorrect. Mick is a member of the Bayside and Redux groups. At the share level, his permission will be Change (Allow). At the NTFS level, his permission will be Full Control (Deny) because a permission is set explicitly for his account. A deny permission overrides other set permissions. Mick will be unable to delete the test.xls file.

  D. Incorrect. Laherty is a member of the Northsub and Redux groups. At the share level, his permission will be Change (Allow). At the NTFS level, his permission will be Write (Allow). Of these permissions, Write (Allow) is more restrictive. Laherty will be unable to delete the test.xls file.

  E. Incorrect. Foley has access, hence this answer is incorrect.

3. 

Correct Answers: D

  A. Incorrect. Agim correctly restricts postgraduate students from logging on locally to computers in the Staffwkstn OU. This meets the first secondary goal. He also restricts undergraduate students, but this is irrelevant to the question. Agim correctly restricts undergraduate students from logging on to computers in the Postgradlab OU. This meets the second secondary goal. Agim does not restrict network access to the departmental file servers to the students; he merely denies them the ability to log on locally. This means that he has not met the primary goal.

  B. Incorrect. Agim correctly restricts postgraduate students from logging on locally to computers in the Staffwkstn OU. This meets the first secondary goal. He also restricts undergraduate students, but this is irrelevant to the question. Agim correctly restricts undergraduate students from logging on to computers in the Postgradlab OU. This meets the second secondary goal. Agim does not restrict network access to the departmental file servers to the students; he merely denies them the ability to log on locally. This means that he has not met the primary goal.

  C. Incorrect. Agim correctly restricts postgraduate students from logging on locally to computers in the Staffwkstn OU. This meets the first secondary goal. He also restricts undergraduate students, but this is irrelevant to the question. Agim correctly restricts undergraduate students from logging on to computers in the Postgradlab OU. This meets the second secondary goal. Agim does not restrict network access to the departmental file servers to the students; he merely denies them the ability to log on locally. This means that he has not met the primary goal.

  D. Correct. Agim correctly restricts postgraduate students from logging on locally to computers in the Staffwkstn OU. This meets the first secondary goal. He also restricts undergraduate students, but this is irrelevant to the question. Agim correctly restricts undergraduate students from logging on to computers in the Postgradlab OU. This meets the second secondary goal. Agim does not restrict network access to the departmental file servers to the students; he merely denies them the ability to log on locally. This means that he has not met the primary goal.

  E. Incorrect. Agim correctly restricts postgraduate students from logging on locally to computers in the Staffwkstn OU. This meets the first secondary goal. He also restricts undergraduate students, but this is irrelevant to the question. Agim correctly restricts undergraduate students from logging on to computers in the Postgradlab OU. This meets the second secondary goal. Agim does not restrict network access to the departmental file servers to the students; he merely denies them the ability to log on locally. This means that he has not met the primary goal.

4. 

Correct Answers: A, C, and D

  A. Correct. This policy will allow the members of the Interns group to back up files and folders.

  B. Incorrect. This policy is not required to achieve your goals for the Interns group. The abilities granted in this policy are already built into the Back Up Files And Directories policy.

  C. Correct. This will meet the requirement that members of the Interns group should not be able to log on locally to the member servers in your domain.

  D. Correct. This policy is required if members of the Interns group are to be able to log on by using the Remote Desktop protocol.

  E. Incorrect. This policy is not required to achieve your goals for the Interns group.

  F. Incorrect. This policy is not required to achieve your goals for the Interns group.

5. 

Correct Answers: B

  A. Incorrect. The Effective Permissions tool, which you can access by clicking the Advanced button on the Security tab of the folder’s properties dialog box, can calculate the effective permissions of a user.

  B. Correct. The Effective Permissions tool, which you can access by clicking the Advanced button on the Security tab of the folder’s properties dialog box, can calculate the effective permissions of a user.

  C. Incorrect. The cacls tool does not have this functionality.

  D. Incorrect. The Security Configuration And Analysis tool does not have this functionality.






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
