Practice Exam


All questions for this chapter refer to the following scenario:

Case Study: Smith and Deutsch Candy

Smith and Deutsch is a candy manufacturer based in Sydney, Australia, with offices throughout the world. Currently, Smith and Deutsch maintains regional headquarters in the following locations:

  • Australia (Sydney)

  • Asia (Hong Kong)

  • Europe (Berlin, Germany)

  • North America (Los Angeles)

  • South America (Bogotá, Colombia)

The Sydney regional headquarters also serves as the company's home office.

Current LAN and Network Structure

The regions run a mixture of Windows 95, 98, and NT 4.0 client computers on mostly twisted-pair Ethernet. Servers are predominantly NT 4.0, but some regions, most notably South America, still run some NT 3.51 servers.

Proposed LAN and Network Structure

All companies are scheduled to be upgraded to Windows 2000 within 12 months. The LAN infrastructure is basically sound, and only a few smaller offices in Asia and South America require upgrades.

Current WAN Connectivity

The regional offices are linked to headquarters using fractional T-1 data circuits. Each region has at least a 512Kbps data connection, with generally less than 50% utilization.

Within the regions, data connections range from fractional T-1s to 19.2Kbps circuits in some of the more remote offices.

Proposed WAN Connectivity

Several remote offices will upgrade to VPN connections with bandwidths of at least 128Kbps.

Directory Design Commentary

Vice President, South America region: Several of our offices are in remote areas. These offices typically have very poor data connections to our central office in Bogotá. Some of these offices are large, so we need to upgrade our network soon.

CIO: As part of our Windows 2000 migration strategy, we plan to use the delegation of administration features of Active Directory extensively. In particular, we are looking to delegate most simple user management tasks to individual departments. However, management at headquarters is also interested in maintaining oversight of each of the regions.

Executive Vice President: Decision-making at Smith and Deutsch is handled primarily at the regional offices. Only major corporate policy directions come from the home office. The IT function is managed in a similar manner. Although certain high-level decisions are made at the home office, most day-to-day management is performed regionally. Some of the regions have distinct security policies as a result of management decisions or local regulations.

Current Internet Positioning

Smith and Deutsch has an Internet presence, with a registered domain name of sdcandy.com. The company's Web servers are located in the Los Angeles office.

Question 1

Based on this scenario, how should domains be structured at Smith and Deutsch?

  • a. A single domain called sdcandy.com

  • b. Three domains (sdcandy.com, regions.sdcandy.com, and www.sdcandy.com), all in a single forest

  • c. Six domains, with a root domain of sdcandy.com and five regional child domains, all in a single forest

  • d. Five forests, one for each region

A1:

The correct answer is c. Because individual regions might require discrete security policies, you must create individual regional domains. Although this requirement could also be met with answer d, creating multiple forests will make the enterprise very difficult to manage. Answer a is also incorrect because maintaining separate security policies will be impossible. Answer b is incorrect for the same reason, because a single region's child domain does not provide the capability to independently set security policy.

Question 2

The administrative model for Smith and Deutsch appears to be which of the following? [Select two.]

  • a. Centralized management

  • b. Centralized IT

  • c. Decentralized management

  • d. Decentralized IT

A2:

The correct answers are c and d. Both management and IT are decentralized, with strong local decision-making and control of IT resources.

Question 3

Using the following list of Active Directory objects and the list of object names appropriate for Smith and Deutsch, place the object names under the appropriate Active Directory objects. An object name can be used more than once or even not at all.

Active Directory objects:

Root domain

Domain

Organizational unit

Object names:

namerica.sdcandy.com

Finance

finance.sdcandy.com

Manufacturing

Human Resources

sdcandy.com

australia.sdcandy.com

Computers

Color Printers

A3:

The correct answer is as follows:

Root domain:

sdcandy.com

Domain:

sdcandy.com

australia.sdcandy.com

namerica.sdcandy.com

Organizational unit:

Finance

Manufacturing

Human Resources

Color Printers

Note that Computers is not a valid OU because it is one of two default objects of the type Container created in Active Directory.

Question 4

Smith and Deutsch has created an OU called Information Technology in each of the six domains in the forest. A manager has been given administrative privileges for the Information Technology OU in the root domain. Will this give him administrative privileges to the other Information Technology OUs in all the child domains?

  • a. Yes

  • b. No

A4:

The correct answer is b. Administrative privileges cannot be inherited across domains because domains are security boundaries. The administrator could be made a member of a universal group, and that universal group could be given administrative privileges to each Information Technology OU in each domain of the Smith and Deutsch forest.

Question 5

In planning for the delegation of administration, the Active Directory design team has interviewed the director of human resources. She gave them the following statement:

"Managers in the HR department should be responsible for creating new user accounts, managing computers, and managing printers in the department. In addition, supervisors in HR should also be able to manage their own user accounts and manage all printers in the department. HR clerks should not be allowed to manage anything."

Using the diagram in Figure 5.17, drag the appropriate OU name to the OU to create the delegation structure described by the director of human resources.

Figure 5.17. Drag the OU name to the appropriate OU.


A5:

The Human Resources OU is the top-level OU defined for the hierarchy, and managers' user accounts will be placed in this OU. Supervisors and Clerks are second-level OUs because managers must have administrative privileges to manage these accounts. Printers are placed in the third-level OU so that both managers and supervisors have delegated administrative rights. Figure 5.18 shows the correct answer.

Figure 5.18. The correct answer.


Question 6

Normally, permissions are inherited, or flow, from the top-level OUs to the OUs below. However, in designing the OU hierarchy for the manufacturing department, it has been determined that inheritance should be blocked from a low-level OU. When blocking inheritance, which two options are available to the administrator? [Select two.]

  • a. Copy previously inherited permissions to this object

  • b. Delete all existing permissions for this object

  • c. Only keep permissions that have been explicitly set on this object

  • d. Allow full control to all attributes for this object

A6:

The correct answers are a and c. When blocking inheritance, either all previously inherited permissions can be copied to the object or only the explicit settings are retained. The option you choose depends on what you are trying to do with the object after blocking the permission. Answer b is incorrect because explicitly set permissions are always retained. Answer d is incorrect because, when blocking inheritance, there is no option for allowing full access to the object.

Question 7

A consultant has suggested that Smith and Deutsch should use the single-domain model. His rationale is that because administrative permissions cannot cross domain boundaries, the home office IT staff will lose control of the regional domains. Is the consultant's rationale correct?

  • a. Yes

  • b. No

A7:

The correct answer is b. The root domain contains the Enterprise Admins group, which has administrative rights to the entire forest.

Question 8

In the sales department, three administrative assistants will be responsible for resetting passwords for the sales staff. Do the administrative assistants have to be in the same OU as the salespeople?

  • a. Yes

  • b. No

A8:

The correct answer is b. Permissions can be delegated to user accounts or, better yet, group accounts defined in any OU or container object within the domain.

Question 9

The CIO has questioned a portion of the Smith and Deutsch Active Directory design document. Specifically, she is concerned about the safeguards preventing a user from obtaining administrative capabilities without authorization. Which of the following points can you make to reassure the CIO that delegation of administration is safe? [Select all correct answers.]

  • a. Delegation is more controlled than creating additional administrators, as is necessary with Windows NT 4.0.

  • b. Users who have been granted permission to perform administrative tasks are not necessarily able to delegate those tasks to others.

  • c. Active Directory does not allow standard users to delegate administrative tasks; you must be an administrator to delegate.

  • d. Users who have been delegated permissions to administrative tasks are placed automatically in a DelegatedUser built-in security group.

A9:

Answers a and b are correct. Delegation of control is much safer than simply adding more users to the Domain Admins security group. Delegation is very granular, so you can allow a user to perform a task without allowing him to delegate that task to others. Answer c is incorrect because users can be given the right to delegate administration. Answer d is incorrect because there is no DelegatedUser built-in group.

Question 10

The South American region of Smith and Deutsch has been sold to a Swiss chocolate firm. What changes will need to be made to the delegation settings for the other four regional domains as well as the home office?

  • a. None. Domains are security boundaries, and administrative tasks cannot be delegated to users from other domains.

  • b. The one-way trusts between samerica.sdcandy.com and the five other domains must be broken.

  • c. Any security accounts from the samerica.sdcandy.com domain should be removed from security groups in the other regional domains as well as the root domain.

  • d. All user accounts from the samerica.sdcandy.com domain must be deleted from the sdcandy.com root domain.

A10:

The correct answer is c. Any references to security principals from the samerica.sdcandy.com domain should be removed from group accounts in the other domains. In this way, administrative privileges, which might have been assigned to groups, will no longer be assigned to members of the samerica domain. Answer a is incorrect because global and universal groups can contain members from other domains and can be directly or indirectly allowed administrative privileges. Answer b is incorrect because one-way trusts must be manually created in Windows 2000 and have no bearing on standard security. Answer d is incorrect because users should not be defined in more than one domain in a forest.
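The cleanup described in A10 starts with finding every group outside the sold domain that still lists a samerica.sdcandy.com principal as a member. The following is an added example, not part of the original exam text: it works on a constructed export of group `member` attributes (all group and user names are invented for illustration) and derives each member's home domain from the DC components of its distinguished name.

```python
import re

# Domain being divested (from the scenario in Question 10).
SOLD_DOMAIN = "samerica.sdcandy.com"

def split_dn(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]

def dn_to_domain(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    labels = [p[3:] for p in split_dn(dn) if p[:3].upper() == "DC="]
    return ".".join(labels).lower()

def foreign_members(groups, sold_domain=SOLD_DOMAIN):
    """Return {group DN: [member DNs]} for members homed in sold_domain.

    Groups that themselves live in sold_domain are skipped, because they
    leave with the domain; only groups in the remaining domains matter.
    """
    findings = {}
    for group_dn, members in groups.items():
        if dn_to_domain(group_dn) == sold_domain:
            continue
        hits = [m for m in members if dn_to_domain(m) == sold_domain]
        if hits:
            findings[group_dn] = hits
    return findings

# Constructed sample: group DN -> values of its 'member' attribute.
SAMPLE_GROUPS = {
    "CN=IT OU Admins,OU=Groups,DC=sdcandy,DC=com": [
        "CN=Lee\\, Ana,OU=Information Technology,DC=samerica,DC=sdcandy,DC=com",
        "CN=Kim Wu,OU=Information Technology,DC=australia,DC=sdcandy,DC=com",
    ],
    "CN=Printer Operators,OU=Groups,DC=australia,DC=sdcandy,DC=com": [
        "CN=SA Helpdesk,OU=Groups,dc=SAmerica,dc=sdcandy,dc=com",
    ],
    "CN=Finance Admins,OU=Groups,DC=namerica,DC=sdcandy,DC=com": [
        "CN=Pat Roe,OU=Finance,DC=namerica,DC=sdcandy,DC=com",
    ],
    "CN=Local Admins,OU=Groups,DC=samerica,DC=sdcandy,DC=com": [
        "CN=Rosa Diaz,OU=IT,DC=samerica,DC=sdcandy,DC=com",
    ],
}

if __name__ == "__main__":
    for group, members in foreign_members(SAMPLE_GROUPS).items():
        print(group, "->", members)
```

The samerica group nested in the australia domain's Printer Operators is reported alongside individual user accounts, because a group from the sold domain carries its whole membership with it.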



MCSE Active Directory Services Design. Exam Cram 2 (Exam Cram 70-219)
MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
EAN: 2147483647
Year: 2003
Pages: 148
