1. You administer a Windows Server
2003 network that consists of a single domain. The domain
consists of 5 domain controllers, 500 Windows XP computers
and 200 Windows NT Workstation 4.0 computers. You want
to prevent all users from changing their desktop configurations
on their computers. These settings must apply to all
computers on the network.
Which of the following actions should you take to
accomplish your objective? (Choose all that apply)
A. Create a system policy file named config.pol and
save it to the SYSVOL share of a domain controller.
B. Create a GPO with the appropriate policy settings for the Windows
XP computers and link the GPO to the domain.
C. Create a system policy file named Ntconfig.pol and save it to the
NETLOGON share on a domain controller.
D. Create a GPO that is linked to the Windows NT Workstation 4.0 computers.
Save the GPO to the NETLOGON folder on a domain controller.
Answer: B, C
Group Policy Objects (GPO) require Active Directory
and only apply to Windows Server 2003 and higher computers.
To restrict Windows Server 2003 and higher users from
accessing the Control Panel, you should create a GPO
linked to the domain that will be activated on the
Windows XP computers. However, the GPO will not apply
to the Windows NT Workstation 4.0 computers. If you
want to manage settings for Windows NT 4.0 users within
the domain, you must use system policies. The System
Policy Editor utility can be used to create system
policy files named Ntconfig.pol. By saving the Ntconfig.pol
file to the NETLOGON share on a domain controller,
Active Directory replication will copy the file to
the other domain controllers in the domain.
Config.pol is the name of the system policy file for
a Windows 95 or Windows 98 computer.
You cannot link GPOs to individual computers.
Objective 4: "Planning and Implementing Group
Policy"
2. You are the network administrator for a Windows Server 2003 domain.
The domain includes 1000 Windows XP computers. You have a new application
that is packaged in native Windows Installer format. You want only
members of the Programmers and Engineers groups to be able to install
the application.
Which of the following actions should you take to
accomplish your objectives?
A. Create a GPO linked to the users in the Programmers
and Engineers group. Assign the application under the
Computer Configuration node.
B. Create a GPO linked to the computers used by the Programmers and Engineers
groups. Assign the Read and Apply Group Policy permissions to the Programmers
and Engineers group.
C. Publish the Windows Installer package in a GPO and link the GPO to
the Programmers and Engineers groups.
D. Create a new organizational unit (OU). Add the Programmers and Engineers
group to the OU. Publish the Windows Installer package in a GPO linked
to the new OU.
Answer: D
To ensure that only the members of the Programmers
and Engineers groups can install the new application,
you should take the following actions. Create a new
organizational unit (OU) and add the Programmers and
Engineers group to the OU. Publish the Windows Installer
package in a GPO linked to the new OU. Additionally,
you should remove the Authenticated Users group and
assign the Read and Apply Group Policy permissions
to the Programmers and Engineers group.
GPOs cannot be linked to computers or user accounts.
GPOs cannot be linked to groups.
Objective 4: "Planning and Implementing Group
Policy"
3. The Windows Server 2003 network that you manage consists of a single
domain. The company you work for runs a customer support department
that includes 200 employees. You have created an organizational unit
(OU) for these employees. Because of the large turnover rate for the
employees in the Customer Support OU, you want to increase security.
You decide to implement a policy that will lock an account after three
consecutive failed logon attempts.
Which of the following actions should you take to
implement the account lockout policy?
A. Create a GPO and link it to the Customer Support
OU. Enable the "Account lockout threshold" setting
in the Computer Configuration\Windows Settings\Security
Settings\Account Policies node for the GPO
B. Create a GPO and link it to the Customer Support OU. Enable the "Account
lockout threshold" setting in the Computer Configuration\Windows
Settings\Security Settings\Account Policies\Account Lockout Policy node
for the GPO
C. Enable the "Account lockout threshold" setting in the Computer
Configuration\Windows Settings\Security Settings\Account Policies node
of the Default Domain Policy GPO.
D. Enable the "Account lockout threshold" setting in the Computer
Configuration\Windows Settings\Security Settings\Account Policies\Account
Lockout Policy node of the Default Domain Policy GPO.
Answer: D
To implement a policy that will lock an account after
three consecutive failed logon attempts, you should
enable the "Account lockout threshold" setting
in the Default Domain Policy GPO. This setting can
be found in the Computer Configuration\Windows Settings\Security
Settings\Account Policies\Account Lockout Policy node
of the Default Domain Policy GPO. In order for account
policies to be enforced in a Windows Server 2003 network,
the policy must be linked to the domain. You can specify
the number of failed logon attempts before the account
becomes locked down. The account lockout policy that
you implement, in this scenario, will affect all domain
users, including users in the Customer Support OU.
Account policies linked to an OU will not be implemented.
They must be linked to the domain.
Objective 4: "Planning and Implementing Group
Policy"
4. You manage a Windows Server 2003 network. You have just installed
a new database application on a Windows Server 2003 member server. In
order to run the built-in administrative mode, a computer requires
certain settings. A logon script that came from the manufacturer of
the database application will configure the appropriate settings required
by the administrative mode. You have designated 5 employees as the
database administrators and added their user accounts to a group named
Data Admins. All user accounts and groups are currently members of
the Employees OU. You want the logon script to load only when the database
administrators log on to the domain.
Which of the following steps should you take to accomplish
your objective?
A. Create a Group Policy Object (GPO) and specify the logon script. Link
the GPO to the Employees OU. Filter the scope of the GPO so that only
members of the Data Admins group are affected by the GPO.
B. Create a local Group Policy on the Windows Server 2003 member server
and specify the logon script. Filter the scope of the GPO so that only
members of the Data Admins group are affected by the GPO.
C. Copy the logon script to the SYSVOL folder on the Windows Server 2003
member server.
D. Copy the logon script to the NETLOGON folder on a domain controller.
Answer: A
In this scenario, you should create a GPO containing
the logon script, and link the GPO to the Employees
OU. By using the Access Control List (ACL), you can
filter out all users, groups and/or OUs that will be
affected by the GPO. Only the Data Admins group should
be affected by the OU. To access the ACL, go to Active
Directory Users and Computers, right-click the Employees
OU, and select Properties from the shortcut menu. Then,
click on the Group Policy tab, select the appropriate
GPO, and click the Properties button.
A local Group Policy on the Windows Server 2003 member
server would affect only users that log on locally.
The SYSVOL folder exists on domain controllers. Member
servers do not contain a SYSVOL folder.
You should add the logon scripts to the NETLOGON folder
if you want to apply them to pre-Windows Server 2003
computers.
Objective 4: "Planning and Implementing Group
Policy"
5. The network you administer consists of a central office and two branch
offices. A Remote Installation Server is located at the central office.
You want to use RIS to install Windows XP on 100 computers in a branch
office. When you attempt to begin the installation on a single test
computer, the installation fails and you receive an error message stating
that the DHCP packets could not be forwarded.
Which of the following is the most likely cause of
the problem?
A. The disk size of the test computer is larger than
the disk size of the source computer.
B. A DHCP Relay Agent has not been installed in the remote office.
C. The test computer does not have a RIS boot disk.
D. The RIS server has not been authorized in Active Directory.
Answer: B
Of the given solutions, only the absence of a DHCP
Relay Agent would result in an error message stating
that the DHCP packets could not be forwarded. RIS clients
rely on DHCP broadcasts to receive TCP/IP configurations
and to locate the RIS server. If a non RFC-1542 compliant
router is between the RIS client and the RIS server,
the client will be unable to contact the RIS server.
A router that is non RFC-1542 compliant is unable to
forward DHCP/BOOTP packets. By installing the DHCP
Relay Agent on either the router or a Windows Server
2003 computer in the remote office, you will enable
the router to forward DHCP/BOOTP packets.
The disk size of the source computer must be smaller
than the disk size of the client computer. The actual
space taken up by the files that will be installed
is irrelevant. However, the error message received
in this scenario does not indicate a problem of this
nature.
In order for a new computer to boot properly and locate
a RIS server, the computer must be equipped with a
PXE-compliant network adapter, or you must use a RIS
boot disk. The error message received in this scenario
does not indicate a boot problem.
In order for RIS to function, it must be authorized
in Active Directory.
Objective 4: "Planning and Implementing Group
Policy"