Installing and Configuring Windows Server 2012

QUESTION NO: 13

Your network contains an Active Directory domain named adatum.com.

The computer accounts for all member servers are located in an organizational unit (OU) named Servers.

You link a Group Policy object (GPO) to the Servers OU.

You need to ensure that the domain’s Backup Operators group is a member of the local Backup Operators group on each member server. The solution must not remove any groups from the local Backup Operators groups.

What should you do?

A. Add a restricted group named adatum\Backup Operators. Add Backup Operators to the This group is a member of list.

B. Add a restricted group named adatum\Backup Operators. Add Backup Operators to the Members of this group list.

C. Add a restricted group named Backup Operators. Add adatum\Backup Operators to the This group is a member of list.

D. Add a restricted group named Backup Operators. Add adatum\Backup Operators to the Members of this group list.

Answer: A

Explanation:

The Member Of list specifies which other groups the restricted group should belong to.

Incorrect answers:

B. Needs to be added to member of list.

C. Wrong group.

D. Wrong group.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Local Users and Groups, p. 325

http://technet.microsoft.com/en-us/library/cc957640.aspx

QUESTION NO: 14

Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You need to access the Active Directory Schema snap-in.

What should you do?

A. Register Schmmgmt.dll.

B. Log off and log on again by using an account that is a member of the Schema Admins group.

C. Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema for writing.

D. Add the Active Directory Lightweight Directory Services (AD/LDS) role to the domain controller by using Server Manager.

Answer: A

Explanation:

To install the Active Directory Schema snap-in you need to:

Open a Command Prompt and run the Regsvr32 schmmgmt.dll command to register schmmgmt.dll on your computer. Once you have schema management registered then you can proceed to install the Schema snap-in.

Incorrect answers:

B: This option assumes that the schema management snap-in has been installed already.

C: The ntdsutil commands are used to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

D: Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the restrictions of Active Directory Domain Services (AD DS). In this case you first need to register schema management before you can access the snap-in.

References:

http://technet.microsoft.com/en-us/library/cc737499(v=ws.10).aspx

QUESTION NO: 15

Your network contains an Active Directory domain named contoso.com.

You have a starter Group Policy object (GPO) named GPO1 that contains more than 100 settings.

You need to create a new starter GPO based on the settings in GPO1. You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Run the New-GPStarterGPO cmdlet and the Copy-GPO cmdlet.

B. Create a new starter GPO and manually configure the policy settings of the starter GPO.

C. Right-click GPO1, and then click Back Up. Create a new starter GPO. Right-click the new GPO, and then click Restore from Backup.

D. Right-click GPO1, and then click Copy. Right-click Starter GPOs, and then click Paste.

Answer: D

Explanation:

Since GPO1 is an existing starter GPO that already contains more than 100 settings, copying it and pasting it into Starter GPOs takes less administrative effort than the other options.

Incorrect answers:

A: This option involves unnecessary administrative effort.

B: Creating a new starter GPO manually and then configuring the settings will work, but it does not represent the least amount of administrative effort.

C: Restoring a GPO from backup and then creating a new starter GPO that is already based on the existing GPO is not the least amount of administrative effort.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 5: Install and administer Active Directory, Objective 5.2: Create and Manage Active Directory Users and Computers, p. 277

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Configure Security Policies, p. 324

QUESTION NO: 16

Your network contains an Active Directory domain named contoso.com.

An organizational unit (OU) named OU1 contains the user accounts and the computer accounts for laptops and desktop computers.

A Group Policy object (GPO) named GP1 is linked to OU1.

You need to ensure that the configuration settings in GP1 are applied only to the laptops in OU1.

The solution must ensure that GP1 is applied automatically to new laptops that are added to OU1.

What should you do?

A. Modify the GPO Status of GP1.

B. Configure the WMI Filter of GP1.

C. Modify the security settings of GP1.

D. Modify the security settings of OU1.

Answer: B

Explanation:

WMI filtering

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows Server, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

Incorrect answers:

A: Changing the GPO status will only reflect the current status of the GPO, whether it is applied or not. It will not ensure that you only apply the configuration settings to the laptops in that organizational unit.

C: The laptops are part of the organizational unit which means that the security settings of the group policy will apply to the laptops as well as the other devices in the OU. You need to filter those out by using a WMI filter.

D: Changing the security settings of the Organizational unit will include all devices in the organizational unit and not just the laptops.

References:

Training Guide: Installing and Configuring Windows Server 2012: Chapter 10: Implementing Group Policy, p. 470, 482

http://technet.microsoft.com/en-us/library/jj134176

WMI filtering using GPMC

QUESTION NO: 17

Your network contains an Active Directory domain named contoso.com. All client computer accounts are in an organizational unit (OU) named AllComputers. Client computers run either Windows 7 or Windows 8.

You create a Group Policy object (GPO) named GP1.

You link GP1 to the AllComputers OU.

You need to ensure that GP1 applies only to computers that have more than 8 GB of memory.

What should you configure?

A. The Security settings of AllComputers

B. The Security settings of GP1

C. The WMI filter for GP1

D. The Block Inheritance option for AllComputers

Answer: C

Explanation:

WMI filtering

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows Server, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

Incorrect answers:

A: Changing the security settings of the Organizational unit will include all devices in the organizational unit and not just the laptops.

B: The 8 GB memory computers are part of the organizational unit which means that the security settings of the group policy will apply to them as well as the other devices in the OU. You need to filter those out by using a WMI filter.

D: Using Block inheritance will not ensure that you only apply the configuration settings to the computers with 8 GB memory, in that organizational unit.

References:

Training Guide: Installing and Configuring Windows Server 2012: Chapter 10: Implementing Group Policy, p. 470, 482

http://technet.microsoft.com/en-us/library/jj134176

WMI filtering using GPMC

QUESTION NO: 18 HOTSPOT

You have a server named Server1. Server1 runs Windows Server 2012. A user named Admin1 is a member of the local Administrators group.

You need to ensure that Admin1 receives a User Account Control (UAC) prompt when attempting to open Windows PowerShell as an administrator.

Which setting should you modify from the Local Group Policy Editor? To answer, select the appropriate setting in the answer area.

Answer: [hotspot answer image not available]

Explanation:

Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that is used to configure and modify Group Policy settings within Group Policy Objects (GPOs).

Administrators need to be able to quickly modify Group Policy settings for multiple users and computers throughout a network environment. The Local Group Policy Editor provides administrators with a hierarchical tree structure for configuring Group Policy settings in GPOs. These GPOs can then be linked to sites, domains, and organizational units (OU) that contain computer or user objects.

To work efficiently, administrators need to have immediate access to information about the function and purpose of individual policy settings. For Administrative Templates policy settings, Local Group Policy Editor provides information about each policy setting directly in the web view of the console. This information shows operating system requirements, defines the policy setting, and includes any specific details about the effect of enabling or disabling the policy setting.

References:

http://technet.microsoft.com/en-us/library/dn265982.aspx

QUESTION NO: 19

Your network contains an Active Directory domain named contoso.com. The domain contains a user account named User1 that resides in an organizational unit (OU) named OU1.

A Group Policy object (GPO) named GPO1 is linked to OU1. GPO1 is used to publish several applications to a user named User1.

In the Users container, you create a new user named User2.

You need to ensure that the same applications are published to User2.

What should you do?

A. Modify the security of GPO1.

B. Modify the settings in GPO1.

C. Link a WMI filter to GPO1.

D. Move User2 to OU1.

Answer: C

Explanation:

WMI filtering allows you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows Server, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

Incorrect answers:

A: Changing the security settings of the GPO does not allow application publication to User2. You need to filter the WMI settings.

B: Changing the GPO settings does not apply to User2.

D: Changing User2’s membership to an Organizational Unit is not the issue here.

References:

Training Guide: Installing and Configuring Windows Server 2012: Chapter 10: Implementing Group Policy, p. 470, 482

QUESTION NO: 20

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012.

You create a security template named Template1 by using the Security Templates snap-in.

You need to apply Template1 to Server2.

Which tool should you use?

A. Local Security Policy

B. Server Manager

C. Authorization Manager

D. Security Templates

Answer: A

Explanation:

A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer.

Incorrect answers:

B: You need the Local Security Policy snap-in to apply templates.

C: Authorization Manager is a role-based security architecture for Windows that can be used in any application that needs role-based authorization, including ASP.NET Web applications, ASP.NET Web services, and client/server systems based on .NET Remoting. The role-based management model enables you to assign users to roles and gives you a central place to record permissions assigned to each role.

D: With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your computer or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters; it simply organizes all existing security attributes into one place.

References:

http://technet.microsoft.com/en-us/library/cc739442%28v=WS.10%29.aspx

QUESTION NO: 21

Your network contains an Active Directory domain named contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1.

You need to ensure that a user named User1 can link and unlink Group Policy objects (GPOs) to OU1.

The solution must minimize the number of permissions assigned to User1.

What should you do?

A. Add User1 to the Group Policy Creator Owners group.

B. Run the Set-GPPermission cmdlet.

C. Modify the permission on the \\Contoso.com\SYSVOL\Contoso.com\Policies folder.

D. Run the Delegation of Control Wizard on OU1.

Answer: D

Explanation:

The Delegation of Control Wizard allows you to delegate tasks and Active Directory object types and to set permissions.

Incorrect answers:

A: Adding User1 to the Group Policy Creator Owners group would grant User1 more permissions than necessary.

B: The Set-GPPermission cmdlet will grant a level of permissions to a security principal (user, security group, or computer) for one GPO or all the GPOs in a domain. You use the TargetName and TargetType parameters to specify a user, security group, or computer for which to set the permission level. You can use the Name or the Guid parameter to set the permission level for the security principal on a single GPO, or you can use the All parameter to set the permission level for the security principal on all GPOs in the domain. However, this is not the same as setting the minimum required permission for User1 because the user must still be able to link and unlink GPOs.

C: Only administrators can modify this permission, thus if you change these permissions to suit the needs of User1 you will be allowing User1 too many permissions.

References:

http://technet.microsoft.com/en-us/library/dd145594.aspx

http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

QUESTION NO: 22

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012.

You create a security template named Template1 by using the Security Templates snap-in.

You need to apply Template1 to Server2.

Which tool should you use?

A. System Configuration

B. Local Security Policy

C. Certificate Templates

D. Computer Management

Answer: B

Explanation:

A security policy is a combination of security settings that affect the security on a computer. You can use your local security policy to edit account policies and local policies on your local computer.

Incorrect answers:

A: The System Configuration utility is used to modify boot.ini when disk configuration changes have been made.

C: Certificate templates can greatly simplify the task of administering a certification authority (CA) by allowing an administrator to identify, modify, and issue certificates that have been preconfigured for selected tasks.

D: You should make use of Local Security Policy snap-in to apply templates.

References:

http://technet.microsoft.com/en-us/library/cc739442%28v=WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc731256%28v=ws.10%29.aspx

QUESTION NO: 23 HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains a print server named Print1 that runs Windows Server 2012.

Print1 has 50 shared printers. Each printer is listed in Active Directory.

From Active Directory Users and Computers, you browse to Print1 and you discover that the 50 printers are not visible.

You need to ensure that you can view the printer objects in Active Directory Users and Computers.

Which option should you select? To answer, select the appropriate option in the answer area.

Answer: [hotspot answer image not available]

Explanation:

In the Active Directory Users and Computers snap-in you should navigate to the Users, Contacts, Groups, and Computers as containers tab if you want to view printer objects that are shared.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 5: Active Directory Administration, Lesson 1: Administering Active Directory objects using ADAC, p. 195

Topic 15, Create and manage Active Directory groups and organizational units (OUs)

Configure group nesting; convert groups including security, distribution, universal, domain local, and domain global; manage group membership using Group Policy; enumerate group membership; delegate the creation and management of Active Directory objects; manage default Active Directory containers; create, copy, configure, and delete groups and OUs

QUESTION NO: 1

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012.

The domain contains a user named User1 and a global security group named Group1.

User1 logs on to a client computer named Computer1.

You need to disable the computer account of Computer1.

Which cmdlet should you run?

A. Add-AdPrincipalGroupMembership

B. Install-AddsDomainController

C. Install-WindowsFeature

D. Install-AddsDomain

E. Rename-AdObject

F. Set-AdAccountControl

G. Set-AdGroup

H. Set-User

Answer: F

Explanation:

The Rename-ADObject cmdlet changes the name of an Active Directory object.

Incorrect answers:

A: The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups.

B: The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

Example: C:\PS>Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

C: Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2.

D: Installs a domain in Active Directory.

E: The Rename-ADObject cmdlet renames an Active Directory object.

G: The Set-ADGroup cmdlet modifies the properties of an Active Directory group. You can modify commonly used property values by using the cmdlet parameters.

H: The Set-User cmdlet is used to modify user attributes in Active Directory.

References:

http://technet.microsoft.com/en-us/library/ee617225.aspx

QUESTION NO: 2

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012.

An administrator creates a security template named Template1.

You need to apply Template1 to Server1.

Which snap-in should you use?

A. Security Templates

B. Authorization Manager

C. Security Configuration and Analysis

D. Resultant Set of Policy

Answer: C

Explanation:

The Security Configuration and Analysis tool contains the Local Security Policy snap-in that is used to apply templates.

Incorrect answers:

A: The Security Templates snap-in is used to create a text-based template file and in the question it is stated that the security template was already created.

B: Authorization Manager is a role-based security architecture for Windows that can be used in any application that needs role-based authorization, including ASP.NET Web applications, ASP.NET Web services, and client/server systems based on .NET Remoting. The role-based management model enables you to assign users to roles and gives you a central place to record permissions assigned to each role.

D: You can use the RSoP snap-in to create detailed reports about applied policy settings in two modes: logging mode and planning mode.

References:

http://technet.microsoft.com/en-us/library/bb742512.aspx

http://technet.microsoft.com/en-us/library/cc739442%28v=WS.10%29.aspx

QUESTION NO: 3

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012.

The domain contains a user named User1 and three global security groups named Group1, Group2, and Group3.

You need to add User1 to Group1, Group2, and Group3.

Which cmdlet should you run?

A. Add-AdPrincipalGroupMembership

B. Install-AddsDomainController

C. Install-WindowsFeature

D. Install-AddsDomain

E. Rename-AdObject

F. Set-AdAccountControl

G. Set-AdGroup

H. Set-User

Answer: A

Explanation:

The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups.

Incorrect answers:

B: The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

Example: C:\PS>Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

C: The Install-WindowsFeature command installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2.

D: The Install-AddsDomain command installs a domain in Active Directory.

E: The Rename-ADObject cmdlet renames an Active Directory object.

F: The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an Active Directory user or computer account.

G: The Set-ADGroup cmdlet modifies the properties of an Active Directory group. You can modify commonly used property values by using the cmdlet parameters.

H: The Set-User cmdlet is used to modify user attributes in Active Directory.

References:

http://technet.microsoft.com/en-us/library/ee617203.aspx

http://technet.microsoft.com/en-us/library/hh974723.aspx

QUESTION NO: 4

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012.

The domain contains a user named User1 and a global security group named Group1.

You need to ensure that User1 can manage the group membership of Group1. The solution must minimize the number of permissions assigned to User1.

Which cmdlet should you run?

A. Add-AdPrincipalGroupMembership

B. Install-AddsDomainController

C. Install-WindowsFeature

D. Install-AddsDomain

E. Rename-AdObject

F. Set-AdAccountControl

G. Set-AdGroup

H. Set-User

Answer: G

Explanation:

The Set-ADGroup cmdlet modifies the properties of an Active Directory group. You can modify commonly used property values by using the cmdlet parameters.

ManagedBy: Specifies the user or group that manages the object by providing one of the following property values. Note: The identifier in parentheses is the LDAP display name for the property.

Distinguished Name

Example: CN=SaraDavis,OU=Europe,CN=Users,DC=corp,DC=contoso,DC=com

GUID (objectGUID)

Example: 599c3d2e-f72d-4d20-8a88-030d99495f20

Security Identifier (objectSid)

Example: S-1-5-21-3165297888-301567370-576410423-1103

SAM Account Name (sAMAccountName)

Example: saradavis

The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

Example: C:\PS>Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

Incorrect answers:

A: The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups.

B: The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

Example: C:\PS>Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

C: Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2.

D: Installs a domain in Active Directory.

E: The Rename-ADObject cmdlet renames an Active Directory object.

F: The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an Active Directory user or computer account.

H: The Set-User cmdlet is used to modify user attributes in Active Directory.

References:

http://technet.microsoft.com/en-us/library/hh974723.aspx

http://technet.microsoft.com/en-us/library/ee617199.aspx

http://technet.microsoft.com/en-us/library/ee617225.aspx

QUESTION NO: 5

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012.

The domain contains a user named User1 and a global security group named Group1.

You need to prevent User1 from changing his password. The solution must minimize administrative effort.

Which cmdlet should you run?

A. Add-AdPrincipalGroupMembership

B. Install-AddsDomainController

C. Install-WindowsFeature

D. Install-AddsDomain

E. Rename-AdObject

F. Set-AdAccountControl

G. Set-AdGroup

H. Set-User

Answer: F

Explanation:

The Set-ADAccountControl cmdlet modifies the user account control (UAC) values for an Active Directory user or computer account. UAC values are represented by cmdlet parameters.

CannotChangePassword: Modifies the ability of an account to change its password. To disallow password change by the account, set this to $true. This parameter changes the Boolean value of the CannotChangePassword property of an account.

The following example shows how to specify the PasswordCannotChange parameter.

-CannotChangePassword $false

Incorrect answers:

A: The Add-ADPrincipalGroupMembership cmdlet adds a user, group, service account, or computer as a new member to one or more Active Directory groups.

B: The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

Example: C:\PS>Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

C: Installs one or more Windows Server roles, role services, or features on either the local or a specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and features in Windows Server 2008 R2.

D: Installs a domain in Active Directory.

E: The Rename-ADObject cmdlet renames an Active Directory object.

G: The Set-ADGroup cmdlet modifies the properties of an Active Directory group. You can modify commonly used property values by using the cmdlet parameters.

H: The Set-User cmdlet is used to modify user attributes in Active Directory.

References:

http://technet.microsoft.com/en-us/library/ee617249.aspx

http://technet.microsoft.com/en-us/library/hh974723.aspx

http://technet.microsoft.com/en-us/library/hh974722.aspx

QUESTION NO: 6 HOTSPOT

Your network contains an Active Directory domain named contoso.com.

The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit. (Click the Exhibit button.)

The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)

You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown in the GPO1 exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

Answer: [hotspot answer image not available]


Explanation:

Since User4 is not in the organizational unit, the GPO filtering does not apply to him.

References:

http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx

QUESTION NO: 7 HOTSPOT

You have a Group Policy object (GPO) named Server Audit Policy. The settings of the GPO are shown in the Settings exhibit. (Click the Exhibit button.)

The scope of the GPO is shown in the Scope exhibit. (Click the Exhibit button.)

The domain contains a group named Group1. The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

Answer: [hotspot answer image not available]


Explanation:

Only User1 has group membership according to the exhibit.

The scope of the Audit Policy is not enforced for the Organizational Unit.

References:

http://technet.microsoft.com/en-us/library/cc766468%28v=WS.10%29.aspx

QUESTION NO: 8

Your network contains two Active Directory forests named contoso.com and adatum.com. All servers run Windows Server 2012.

A one-way external trust exists between contoso.com and adatum.com.

Adatum.com contains a universal group named Group1.

You need to prevent Group1 from being used to provide access to the resources in contoso.com.

What should you do?

A. Change the scope of Group1 to domain local.

B. Modify the Allowed to Authenticate permissions in adatum.com.

C. Enable SID quarantine on the trust between contoso.com and adatum.com.

D. Modify the Allowed to Authenticate permissions in contoso.com.

Answer: B

Explanation:

For users in a trusted domain or forest to be able to access resources in a trusting Windows domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest.

Incorrect answers:

A: You use domain local groups to assign permissions to resources in the same domain as the domain local group. There are 2 different domains in this scenario.

C: Enabling quarantine on the trust will only keep resources available to those in the quarantine area.

D: This is the correct permission that should be modified, but it should be modified in adatum.com.

References:

http://technet.microsoft.com/en-us/library/cc816733(v=ws.10).aspx

QUESTION NO: 9

Your network contains an Active Directory forest named contoso.com. The forest contains a child domain named corp.contoso.com.

The network has Microsoft Exchange Server 2010 deployed.

You need to create a mail-enabled distribution group. Which type of group should you create?

A. Domain local

B. Global

C. Local

D. Universal

Answer: D

Explanation:

Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of global groups include accounts and groups from any domain in the domain tree or forest. Only universal groups should be used as mail-enabled groups.

Incorrect answers:

A: Domain local groups are limited to the local domain only.

B: Global group memberships are replicated only to domain controllers within the same domain.

C: Local groups are too restrictive and cannot be made mail-enabled distribution groups.

References:

http://technet.microsoft.com/en-us/library/bb726978.aspx

Jim McBee and Benjamin Craig, Microsoft Exchange Server 2007: Implementation and Administration, page 248

QUESTION NO: 10 HOTSPOT

Your network contains an Active Directory forest. The forest contains two domains named Domain1 and Domain2.

Domain1 contains a file server named Server1. Server1 has a shared folder named Share1. Domain2 contains 50 users who require access to Share1.

You need to create groups in each domain to meet the following requirements:

  • In Domain1, create a group named Group1. Group1 must be granted access to Share1.

  • In Domain2, create a group named Group2. Group2 must contain the user accounts of the 50 users.

  • Permission to Share1 must only be assigned directly to Group1.

Which type of groups should you create and which group nesting strategy should you use? To answer, select the appropriate configuration in the answer area.

Answer:

Explanation:

In a nesting strategy, security groups with global scope can have only accounts as their members, and security groups with domain local scope can have other groups with global scope and accounts as their members.

References:

http://technet.microsoft.com/en-us/library/cc776499%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc754178.aspx

QUESTION NO: 11

Your network contains an Active Directory domain named contoso.com. All user accounts are in an organizational unit (OU) named Employees.

You create a Group Policy object (GPO) named GP1. You link GP1 to the Employees OU.

You need to ensure that GP1 does not apply to the members of a group named Managers.

What should you configure?

A. The Security settings of Employees

B. The WMI filter for GP1

C. The Block Inheritance option for Employees

D. The Security settings of GP1

Answer: D

Explanation:

Group Policy objects are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and computers that they contain. In particular, Group Policy objects are not linked to security groups.

If a user or computer is not contained in a site, domain, or organizational unit that is subject to a Group Policy object, either directly through a link or indirectly through inheritance, there is no combination of permissions on any security group that can cause those Group Policy settings to affect that user or computer.

Thus by modifying the security settings of GP1 you can omit the group named Managers from the Employees OU.

Incorrect answers:

A: Security setting of the Organizational Unit is not the issue to be addressed.

B: WMI filters only apply to members of the built-in group.

C: The Managers group is to be excluded, not the Employees group.

References:

http://technet.microsoft.com/en-us/library/cc786636(WS.10).aspx

QUESTION NO: 12

You have a file server named Server1 that runs Windows Server 2012.

You need to ensure that a user named User1 can use Windows Server Backup to create a complete backup of Server1.

What should you configure?

A. The local groups by using Computer Management

B. A task by using Authorization Manager

C. The User Rights Assignment by using the Local Group Policy Editor

D. The Role Assignment by using Authorization Manager

Answer: A

Explanation:

The user needs to be added to the local Backup Operators group.

Incorrect answers:

B. AzMan is a role-based access control (RBAC) framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy.

C. User Rights Assignment policies determine which users or groups have logon rights or privileges on the computer.

D. AzMan is a role-based access control (RBAC) framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy.

References:

http://technet.microsoft.com/en-us/library/cc780182(v=ws.10).aspx

http://msdn.microsoft.com/en-us/library/bb897401.aspx

QUESTION NO: 13

Your network contains an Active Directory forest that contains three domains.

A group named Group1 is configured as a domain local distribution group in the forest root domain.

You plan to grant Group1 read-only access to a shared folder named Share1. Share1 is located in a child domain.

You need to ensure that the members of Group1 can access Share1.

What should you do first?

A. Convert Group1 to a global distribution group.

B. Convert Group1 to a universal security group.

C. Convert Group1 to a universal distribution group.

D. Convert Group1 to a domain local security group.

Answer: B

Explanation:

Universal can be used for any domain or forest. Furthermore a Universal group can span multiple domains, even the entire forest.

Incorrect answers:

A. Distribution Groups are non-security related groups and are only used for email.

C. Distribution Groups are non-security related groups.

D. Permissions can be assigned only within the same domain as the parent domain local group because the group is limited to the local domain only.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012: Chapter 5: Install and Administer Active Directory, Objective 5.3 Create and manage Active Directory groups and Organization units, p. 289-291, 293

http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

QUESTION NO: 14

Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers. The servers are contained in an organizational unit (OU) named ServersOU.

You need to create a group named Group1 on all of the servers in the domain. You must ensure that Group1 is added only to the servers.

What should you configure?

A. a Local Users and Groups preferences setting in a Group Policy linked to the Domain Controllers OU

B. a Restricted Groups setting in a Group Policy linked to the domain

C. a Local Users and Groups preferences setting in a Group Policy linked to ServersOU

D. a Restricted Groups setting in a Group Policy linked to ServersOU

Answer: C

Explanation:

C. This allows you to centrally manage local users and groups on domain member computers, and this is the correct OU for the GPO change.

Incorrect answers:

A. This would add the group to the wrong OU.

B. This would affect the whole domain and would affect members of the group.

D. Restricted Groups defines which members or groups should exist as part of a group.

References:

http://technet.microsoft.com/en-us/library/cc957640.aspx

http://technet.microsoft.com/en-us/library/cc731972.aspx

Exam Ref 70-410: Installing and Configuring Windows Server 2012: Objective 5.3 Create and manage Active Directory groups and Organization units, Chapter 5: Install and Administer Active Directory, p. 289-291, 293, 328

Training Guide: Installing and Configuring Windows Server 2012: Chapter 10: Implement Group Policy, p. 507

QUESTION NO: 15

Your network contains an Active Directory domain named contoso.com.

You log on to a domain controller by using an account named Admin1. Admin1 is a member of the Domain Admins group.

You view the properties of a group named Group1 as shown in the exhibit. (Click the Exhibit button.)

Group1 is located in an organizational unit (OU) named OU1.

You need to ensure that users from Group1 can modify the Security settings of OU1 only.

What should you do from Active Directory Users and Computers?

A. Modify the Managed By settings on OU1.

B. Right-click contoso.com and select Delegate Control.

C. Right-click OU1 and select Delegate Control.

D. Modify the Security settings of Group1.

Answer: C

Explanation:

Delegating control to only the OU will allow the users of Group1 to modify the security settings.

Incorrect answers:

A. The distinguished name of the user that is assigned to manage this object.

B. Would delegate control to the whole domain.

D. Security group setting should not be modified; the requirement is that users from the group must be able to modify the security settings of OU1.

References:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms676857(v=vs.85).aspx

http://technet.microsoft.com/en-us/library/cc732524.aspx

QUESTION NO: 16 DRAG DROP

Your network contains two Active Directory forests named adatum.com and contoso.com. Both forests contain multiple domains. A two-way trust exists between the forests.

The contoso.com domain contains a domain local security group named Group1. Group1 contains contoso\user1 and adatum\user1.

You need to ensure that Group1 can only contain users from the contoso.com domain.

Which three actions should you perform?

To answer, move three actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Remove adatum user, convert to universal, convert to global.

Global to universal conversion is allowed only if the group that you want to change is not a member of another global scope group.

Domain local to universal is allowed only if the group that you want to change does not have another domain local group as a member.

Universal to global conversion is allowed only if the group that you want to change does not have another universal group as a member.

Universal to domain local has no restrictions.

References:

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

QUESTION NO: 17

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012.

You need to ensure that the local Administrator account on all computers is renamed to L_Admin.

Which Group Policy settings should you modify?

A. Security Options

B. User Rights Assignment

C. Restricted Groups

D. Preferences

Answer: A

Explanation:

In Group Policy Object Editor, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options.

In the details pane, double-click Accounts: Rename administrator account.

The Security Options node includes security settings regarding interactive logon, digital signing of data, restrictions of access to floppy and CD-ROM drives, unsigned driver installations as well as logon dialog box behavior. This category also includes options to configure authentication and communication security within Active Directory.

Incorrect answers:

B: User Right Assignment option is not used to rename the local administrator account.

C: Restricted Groups option is not used to rename the Local Administrator account.

D: Preferences cannot be used to rename accounts.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Local Users and Groups, p. 314-315, 318

http://technet.microsoft.com/en-us/library/cc747484(v=ws.10).aspx

QUESTION NO: 18 DRAG DROP

Your network contains two Active Directory forests named contoso.com and adatum.com. Both forests contain multiple domains. A two-way trust exists between the forests.

The adatum.com domain contains a domain local security group named Group1. Group1 contains adatum\user1 and contoso\user1.

You need to ensure that Group1 can only contain users from the adatum.com domain.

Which three actions should you perform?

To answer, move three actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

EAB

Explanation:

Remove adatum user, convert to universal, convert to global.

Global to universal conversion is allowed only if the group that you want to change is not a member of another global scope group.

Domain local to universal is allowed only if the group that you want to change does not have another domain local group as a member.

Universal to global conversion is allowed only if the group that you want to change does not have another universal group as a member.

Universal to domain local has no restrictions.

References:

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

QUESTION NO: 19

Your network contains an Active Directory domain named contoso.com.

The password policy for the domain is set to require a minimum password length of 10 characters.

A user named User1 and a user named User2 work for the sales department.

User1 is forced to create a domain password that has a minimum of 12 characters. User2 is forced to create a domain password that has a minimum of eight characters.

You need to identify what forces the two users to have different password lengths.

Which tool should you use?

A. Credential Manager

B. Security Configuration Wizard (SCW)

C. Group Policy Management

D. Active Directory Administrative Center

Answer: D

Explanation:

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, you may want to apply a special password policy for accounts whose passwords are synchronized with other data sources. This is found in the Active Directory Administrative Center. You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:

  • Create new user accounts or manage existing user accounts

  • Create new groups or manage existing groups

  • Create new computer accounts or manage existing computer accounts

  • Create new organizational units (OUs) and containers or manage existing OUs

  • Connect to one or several domains or domain controllers in the same instance of Active Directory Administrative Center, and view or manage the directory information for those domains or domain controllers

  • Filter Active Directory data by using query-building search

Incorrect answers:

A: Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target.

B: The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. It provides an easy way to create or modify a security policy for your server based on its role.

C: Group Policy Management is not the tool; the Active Directory Administrative Center is more appropriate.

References:

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

QUESTION NO: 20

Your network contains an Active Directory domain named contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1.

You need to ensure that a user named User1 can link and unlink Group Policy objects (GPOs) to OU1.

The solution must minimize the number of permissions assigned to User1.

What should you do?

A. Modify the permission on the \\Contoso.com\SYSVOL\Contoso.com\Policies folder.

B. Run the Delegation of Control Wizard on the Policies container.

C. Run the Set-GPPermission cmdlet.

D. Run the Delegation of Control Wizard on OU1.

Answer: D

Explanation:

Delegation of Control Wizard should be used to assign the appropriate permissions to User1.

The following are common tasks that you can select to delegate control of: Manage Group Policy links; Create, delete, and manage user accounts; Reset user passwords and force password change at next logon; Read all user information; Modify the membership of a group; Join a computer to a domain; and many other tasks.

Permissions on the Organizational unit take precedence over user accounts permissions. Thus by changing the permissions to the OU you can assign the appropriate permission to the user account.

Incorrect answers:

A: The folder should not be modified, rather the permissions that are assigned to User1.

B: The Policies container is not the issue.

C: The user must be able to link and unlink GPOs with the least number of permissions.

References:

http://technet.microsoft.com/en-us/library/dd145344.aspx

http://technet.microsoft.com/en-us/library/jj190062

http://technet.microsoft.com/en-us/library/cc756952%28v=WS.10%29.aspx

Topic 16, Create Group Policy objects (GPOs)

Configure a Central Store; manage starter GPOs; configure GPO links; configure multiple local group policies; configure security filtering

QUESTION NO: 1

Your network contains a production Active Directory forest named contoso.com and a test Active Directory forest named contoso.test. A trust relationship does not exist between the forests.

In the contoso.test domain, you create a backup of a Group Policy object (GPO) named GPO1.

You transfer the backup of GPO1 to a domain controller in the contoso.com domain.

You need to create a GPO in contoso.com based on the settings of GPO1. You must achieve this goal by using the minimum amount of Administrative effort.

What should you do?

A. From Windows PowerShell, run the Get-GPO cmdlet and the Copy-GPO cmdlet.

B. From Windows PowerShell, run the New-GPO cmdlet and the Import-GPO cmdlet.

C. From Group Policy Management, create a new starter GPO. Right-click the new starter GPO, and then click Restore from Backup.

D. From Group Policy Management, right-click the Group Policy Objects container, and then click Manage Backups.

Answer: B

Explanation:

Since the GPO’s original domain is different and there is no trust relationship between forests, you should execute the New-GPO command and import the already existing command into the ‘new’ domain.

Incorrect answers:

A: You cannot execute the Get-GPO command in this scenario since there is no trust relationship between forests.

C: Creating a new starter GPO will involve too much administrative effort since the GPO already exists.

D: You cannot use option D because, even though you can restore GPOs, this operation takes a backed-up GPO and restores it to the same domain from which it was backed up. You cannot restore a GPO from backup into a domain different from the GPO’s original domain.

References:

http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx

http://technet.microsoft.com/en-us/library/hh967461.aspx

http://technet.microsoft.com/en-us/library/ee461050.aspx

http://technet.microsoft.com/en-us/library/ee461044.aspx

QUESTION NO: 2

Your network contains an Active Directory domain named contoso.com.

An organizational unit (OU) named OU1 contains user accounts and computer accounts.

A Group Policy object (GPO) named GP1 is linked to the domain. GP1 contains Computer Configuration settings and User Configuration settings.

You need to prevent the User Configuration settings in GP1 from being applied to users. The solution must ensure that the Computer Configuration settings in GP1 are applied to all client computers.

What should you configure?

A. The Group Policy loopback processing mode

B. The Enforced setting

C. The Block Inheritance feature

D. The GPO Status

Answer: A

Explanation:

A loopback with merge option needs to be used.

Incorrect answers:

B. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

C. Enforced prevents blocking at a lower level.

D. The GPO Status. This indicates whether either the user configuration or computer configuration of the GPO is enabled or disabled.

References:

http://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/cc731076.aspx

http://technet.microsoft.com/en-us/library/cc753909.aspx

QUESTION NO: 3

Your network contains an Active Directory domain named Contoso.com. The domain contains 100 user accounts that reside in an organizational unit (OU) named OU1.

You need to ensure that a user named user1 can link and unlink Group Policy Objects (GPOs) to OU1. The solution must minimize the number of permissions assigned to user1.

What should you do?

A. Run the Delegation of Control Wizard on the Policies containers

B. Run the Set-GPPermission cmdlet

C. Run the Delegation of Control Wizard on OU1

D. Modify the permission on the user1 account

Answer: C

Explanation:

Use the Delegation of Control Wizard to minimize delegated permission to a single OU.

Incorrect answers:

A. The Policies Container option does not represent the minimum permissions assigned.

B. Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.

D. Will not allow GPO changes to the OU.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 5: Install and administer Active Directory, Objective 5.3: Create and Manage Active Directory Groups and Organizational Units (OUs), p. 290

http://technet.microsoft.com/en-us/library/ee461038.aspx

http://technet.microsoft.com/en-us/library/cc732524.aspx

QUESTION NO: 4

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012. The domain contains a server named Server1 that runs Windows Server 2012.

You need to ensure that when users log on to Server1, their user account is added automatically to a local group named Group1 during the log on process.

Which Group Policy settings should you modify?

A. Restricted Groups

B. Security Options

C. User Rights Assignment

D. Preferences

Answer: D

Explanation:

With Preferences, local and domain accounts can be added to a local group without affecting the existing members of the group.

Incorrect answers:

A. If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed.

B. Security settings incorporated into policies are rules that administrators configure on a computer or multiple computers for the purpose of protecting resources on a computer.

C. User Rights Assignment policies determine which users or groups have logon rights or privileges on the computer.

References:

Training Guide: Installing and Configuring Windows Server 2012: Chapter 8: File Services and Storage, p. 361

http://technet.microsoft.com/en-us/library/cc785631(v=ws.10).aspx

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

http://technet.microsoft.com/en-us/library/cc780182(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/hh831424.aspx

QUESTION NO: 5

Your network contains an Active Directory domain named contoso.com. The domain contains an organizational unit (OU) named OU1.

You need to ensure that when new client computers join the domain, their computer accounts are created in OU1 by default.

What should you do?

A. From a command prompt, run the redircmp.exe command.

B. From Windows PowerShell, run the Move-ADObject cmdlet.

C. From Ldp, configure the properties of the Computers container.

D. From ADSI Edit, configure the properties of the OU1 object.

Answer: A

Explanation:

Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.

The CN=Computers container is a computer-protected object. For backward compatibility reasons, you cannot (and must not) remove it.

References:

http://technet.microsoft.com/en-us/library/cc770619.aspx

QUESTION NO: 6

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012.

You need to configure a central store for the Group Policy Administrative Templates.

What should you do on DC1?

A. From Server Manager, create a storage pool.

B. From Windows Explorer, copy the PolicyDefinitions folder to the SYSVOL\contoso.com\policies folder.

C. From Server Manager, add the Group Policy Management feature.

D. From Windows Explorer, copy the PolicyDefinitions folder to the NETLOGON share.

Answer: B

Explanation:

The PolicyDefinitions folder in SYSVOL… folder will enable you to configure the central store for the GPO templates.

Incorrect answers:

A. Create Disk Storage Pool is not a central store for the GPO templates.

C. Group Policy Management is a console for GPO Mgmt.

D. Folder is for logon scripts.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012: Objective 6.1: Create Group Policy, Chapter 6 Create Group Policy Objects, p. 309

http://support.microsoft.com/kb/929841

QUESTION NO: 7

You work as an administrator at ABC.com. The ABC.com network consists of a single domain named ABC.com. All servers in the ABC.com domain, including domain controllers, have Windows Server 2012 installed.

ABC.com’s user accounts are located in an organizational unit (OU), named ABCStaff. ABC.com’s managers belong to a group, named ABCManagers.

You have been instructed to create a new Group Policy object (GPO) that should be linked to the ABCStaff OU, but not affect ABC.com’s managers.

Which of the following actions should you take?

A. You should consider removing the user accounts of the managers from the ABCStaff OU.

B. You should consider configuring the new GPO’s WMI filter.

C. You should consider adding the user accounts of ABC.com’s managers to the Admins group.

D. You should consider adding the user accounts of ABC.com’s managers to the local Administrators group.

Answer: A

Explanation:

Group Policy can be applied to organizational units to define the abilities of groups of computers and users that are contained within the organizational units. Using organizational units, you can create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts and resources based on your organizational model.

Thus, by removing the user accounts of the managers from the OU, you can ensure that the GPO will not affect the managers because they will not be in that OU.

Incorrect answers:

B: WMI filters only apply to members of the built-in group.

C: Adding the Managers’ user accounts to the Admins group does not separate their accounts out from the OU to which the GPO will be applied.

D: Making the Managers’ user accounts members of the local Administrators group does not separate their accounts from the OU to which the GPO is applied.

References:

Training Guide: Installing and Configuring Windows Server 2012: Chapter 10: Implementing Group Policy, p. 470, 482

http://technet.microsoft.com/en-us/library/jj134176

WMI filtering using GPMC

http://technet.microsoft.com/en-us/library/cc978003.aspx

http://support.microsoft.com/kb/308194

Topic 17, Configure security policies

Configure User Rights Assignment; configure Security Options settings; configure Security templates; configure Audit Policy; configure Local Users and Groups; configure User Account Control (UAC)

QUESTION NO: 1

Your network contains a production Active Directory forest named contoso.com and a test Active Directory forest named contoso.test. A trust relationship does not exist between the forests.

In the contoso.test domain, you create a backup of a Group Policy object (GPO) named GPO1.

You transfer the backup of GPO1 to a domain controller in the contoso.com domain. You need to create a GPO in contoso.com based on the settings of GPO1.

You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. From Group Policy Management, right-click the Group Policy Objects container, and then click Manage Backups.

B. From Group Policy Management, right-click the Starter GPOs container, and then click Manage Backups.

C. From Group Policy Management, create a new starter GPO. Right-click the new starter GPO, and then click Restore from Backup.

D. From Group Policy Management, create a new GPO. Right-click the new GPO, and then click Import Settings.

E. From Windows PowerShell, run the Copy-GPO cmdlet and the Restore-GPO cmdlet.

F. From Windows PowerShell, run the New-GPO cmdlet and the Import-GPO cmdlet.

G. From Windows PowerShell, run the New-GPO cmdlet and the Restore-GPO cmdlet.

H. From Windows PowerShell, run the Get-GPO cmdlet and the Copy-GPO cmdlet.

Answer: D, F

Explanation:

When you join a computer to the domain, the system contacts a domain controller, establishes a trust relationship with the domain, locates (or creates) a computer object corresponding to the computer’s name, alters its security identifier (SID) to match that of the computer object, and modifies its group memberships. Since there is no trust relationship you must import the existing settings to the new GPO. Importing the GPO from the domain controller will represent the least effort.

Incorrect answers:

A: This option does not represent the least administrative effort.

B: There is no trust relationship in this domain; therefore this option will not be suitable.

C: Creating a New starter GPO is unnecessary administrative effort.

E: You cannot use the restore GPO command since there is no trust relationship in the domain.

G: Executing the New-GPO command is correct, but you cannot execute a Restore-GPO command since there is no trust relationship in the domain and thus this option does not represent the least administrative effort.

H: Executing the Get-GPO and the Copy-GPO command will not work as the least administrative effort in this scenario.

References:

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 5: Install and administer Active Directory, Objective 5.2: Create and Manage Active Directory Users and Computers, p. 277

Exam Ref 70-410: Installing and Configuring Windows Server 2012, Chapter 6: Create and Manage Group Policy, Objective 6.2: Configure Security Policies, p. 324
