1. You are the network administrator
for Contoso, Ltd. The network consists of a single Active
Directory domain, contoso.com. All network servers run
Windows Server 2003. All client computers run Windows
XP Professional.
Contoso's headquarters is in Washington, D.C. with
an offshore branch in Tel Aviv. You have configured
the local Tel Aviv branch with a Group Policy Object
(GPO) that redirects the users' Start menu to a shared
folder on a local server named Server1. Several users
report that although they can still access files on
Server1, some of the programs they use are now missing
from their Start menus.
What should you do?
Choose two actions. Each action represents a complete
solution.
A. Launch the Group Policy Management Console (GPMC).
Run Resultant Set of Policy (Resultant Set of Policy)
against one of the affected user accounts in logging
mode.
B. Launch the Group Policy Management Console (GPMC). Run Resultant Set
of Policy (RSoP) against Server1 in planning mode.
C. Run the secedit command against an affected user account.
D. Run the gpresult command against an affected user account.
E. Run the gpupdate command against an affected user account.
Answer: A, D
The most likely cause of the problem is a combination
of policies. You can isolate the problem by one of
two methods. You can run Resultant Set of Policy (Resultant
Set of Policy) against one of the affected user accounts
in logging mode. You would access it through the Group
Policy Management Console (GPMC). An alternative method
is to run the gpresult command against an affected
user account.
Objective 10: "Managing and Maintaining Group
Policy"
2. You are the network administrator for Contoso, Ltd. The network consists
of a single Active Directory domain, contoso.com. All network servers
run Windows Server 2003. All client computers run Windows XP Professional.
Contoso has a location in London and a location in
Brussels. Each location is configured as an Active
Directory site and has two domain controllers.
Before users can log in, a legal notice must be displayed
on the local desktop. Users receive the notice and
then log in. The legal department informs you that
a new notice must be put in effect immediately. You
make the change to the text and apply Group Policy
using the gpupdate tool. Users in London receive the
new notice, but a week later, users in Brussels are
still receiving the old notice.
What should you do?
A. Temporarily assign one of the London domain controllers
to the Brussels site. Reassign the domain controller
to London after 24 hours.
B. Force Active Directory replication between the sites.
C. From a London domain controller, log onto a Brussels domain controller
and seize the infrastructure master role.
D. Create a new security group for all of the Brussels client computers.
Grant this group permission to read and apply the Group Policy Object
(GPO).
E. Create a new security group for all of the Brussels computers. Grant
this group permission to read and apply the Group Policy Object (GPO).
Answer: B
Because Brussels is still receiving the old notice,
this indicates that Active Directory replication has
not yet taken place. You can correct the problem by
forcing Active Directory replication between the sites.
Objective 10: "Managing and Maintaining Group
Policy"
3. You are the network administrator for Contoso, Ltd. The network consists
of a single Active Directory domain, contoso.com. All network servers
run Windows Server 2003. All client computers run Windows XP Professional.
Users in the Sales department are members of the Sales
security group and the Sales Users organizational unit
(OU). Contoso purchases a new Customer Relationship
Management (CRM) application that must be installed
on all client computers in the Sales Users OU. The
application is bundled in a .msi file which you have
copied to a shared folder named \\Server1\SalesApps.
You have assigned the Sales group the Allow - Read
permission for the SalesApps share. Now you need to
enable Sales users to download and install the application
on their own computers.
What will you do?
Choose two actions. Each action represents a complete
solution.
A. Create a new Group Policy Object (GPO) linked to
the Sales Users OU. Enable the Always install with
elevated privileges setting in the Windows Installer
node under the Computer Configuration node. Instruct
users to launch the .msi file in the \\Server1\SalesApps
folder.
B. Create a new Group Policy Object (GPO) linked to the Sales Users OU.
Disable the Never install with elevated privileges setting in the Windows
Installer node under the Computer Configuration node.
C. Create a new Group Policy Object (GPO) linked to the Sales Users OU.
Assign the new application to all client computers.
D. Create a new Group Policy Object (GPO) linked to the Sales Users OU.
Enable a policy that creates a link to the shortcut for the installation
executable. Grant permission to the Sales users to create temporary files
in the \\Server1\SalesApps folder.
Answer: A, C
There are two ways to publish applications through
Group Policy. One way is to enable users to install
applications with elevated privileges. This enables
users to install applications without requiring membership
in a security group that has local administrator privileges
on the local computer. You could do this by creating
a new Group Policy Object (GPO) linked to the Sales
Users OU. Then you would enable the Always install
with elevated privileges setting in the Windows Installer
node under the Computer Configuration node. Finally,
instruct users to launch the .msi file in the \\Server1\SalesApps
folder.
An alternative and much simpler method is to create
a new Group Policy Object (GPO) linked to the Sales
Users OU. Then use the GPO to assign the new application
to all client computers. This method is preferable,
as it does not raise the security issue of installing
future applications which may have unintentional or
intentional malevolent effects.
Objective 10: "Managing and Maintaining Group Policy"
4. You are the network administrator for Contoso, Ltd. The network consists
of a single Active Directory domain, contoso.com. Contoso has locations
in Atlanta and Chicago. Each location has two domain controllers.
A new user application needs to be deployed to corporate
users. You create a new Group Policy Object (GPO) named
App1 and link it to the domain. You configure the User
Configuration node of App1 to assign the application.
Users in Atlanta report that the application is not
available. Users in Chicago can use the application.
You need to make the application available to all users.
What will you do?
A. Run the gpresult command on domain controllers
in Atlanta.
B. Run the gporesult command on domain controllers in Atlanta.
C. Run the gpotool command on domain controllers in Atlanta.
D. Run the gpupdate command on domain controllers in Atlanta.
E. Force directory replication between all domain controllers in the
domain.
Answer: E
The problem in this scenario is that Group Policy
updates have not made it to the domain controllers
in Atlanta. You can correct the problem by forcing
directory replication between all domain controllers
in the domain. There is not a Group Policy command-line
utility that will enable you to correct this problem.
Objective 10: "Managing and Maintaining Group
Policy"
5. You are the network administrator for Contoso, Ltd. The network consists
of a single Active Directory domain, contoso.com. The domain functional
level is Windows Server 2003. All network servers run Windows Server
2003. All client computers run Windows XP Professional. Built-in groups
are installed with the default memberships.
There are two domain controllers in the domain. Domain
controllers are backed up nightly. You are testing
some Group Policy changes to enhance security. You
accidentally disable the local Administrator account
in the Default Domain Policy Group Policy Object (GPO).
You are no longer able to log onto either of the domain
controllers as Administrator.
What should you do?
A. Restore the entire hard disk of one of the domain
controllers using the last full backup preceding the
change to the Default Domain Policy. Restart the domain
controller. Allow Active Directory replication to take
place.
B. Restart one of the domain controllers in Safe mode. Log on locally
as Administrator. Create a second administrator account. Restart the
domain controller. Use the new administrator account to undo the change
to the Default Domain Policy.
C. Restart one of the domain controllers in Directory Services Restore
Mode. Perform an authoritative restore of the Domain Controllers organizational
unit (OU) using the last full backup preceding the change to the Default
Domain Policy. Restart the domain controller.
D. Restart one of the domain controllers and run the Recovery Console
from the Windows Server 2003 CD. Stop the GPC service. Restart the domain
controller.
Answer: B
To solve the problem in this scenario, you need a
valid administrative account to undo the change to
Group Policy. To create the account, you can restart
one of the domain controllers in Safe mode and log
on locally as Administrator. Then create a second administrator
account. After restarting the domain controller, use
the new administrator account to undo the change to
the Default Domain Policy.
Objective 10: "Managing and Maintaining Group Policy"
|
