






AERO 310 final exam (100 questions and answers).
Typology: Exams
You have been asked to set up Kerberos constrained delegation on a domain account used as a service account. This would limit delegation to specific services on specific servers. Which Delegation tab option would you choose?
a. do not trust this user for delegation
b. trust this user for delegation to specified services only
c. trust this user for delegation to any service (Kerberos only)
d. restrict service delegation
Answer: b

You are configuring fine-grained password policies to configure multiple password and account lockout policies for different sets of user accounts. Which acronym describes the Active Directory object you are configuring?
a. GPO
b. PPl
c. PSO
d. FGPP
Answer: c

Which Kerberos authentication and authorization component is also known as a session ticket?
a. ticket-granting tickets
b. service ticket
c. timestamp
d. renewal ticket
Answer: b

Which PowerShell cmdlet would change the MSA settings?
a. Set-ADServiceAccount
b. Get-ADServiceAccount
c. Set-ADSA
d. all of the above
Answer: a

When working with managed service accounts to be used on multiple servers, which account type would be used?
a. GSA
b. MgSA
c. gSA
d. gMSA
Answer: d

When performing an offline join, which is the first system on which the djoin.exe needs to be run?
a. offline system
b. additional domain controller
a. Account -LockedOut
b. Search-ADAccount -LockedOut
c. Search-LockedOut
d. Search-AD -LockedOut
Answer: b

What is the output of the following command:
Get-ADUser -Filter 'Name -like "*"' -SearchBase "ou=HelpDesk,ou=EMEA,dc=practicelabs,dc=com" | Disable-ADAccount
a. Enables the disabled user accounts in the Helpdesk OU
b. Lists the disabled user accounts in the Helpdesk OU
c. Displays an error since no username is defined
d. Disables the user accounts in the Helpdesk OU
Answer: d

Which of the following can be used by a Windows Server 2016 administrator to create a PSO? (Choose all that apply.)
a. ADAC
b. Server Manager
c. ADSI Edit
d. PowerShell
Answer: a, c, d

In your Windows Server 2016 domain, you have a member server also running Windows Server 2016. You want to install the LocSvc service, which will be accessing only local resources. You need to configure authentication for this service but don't want to use one of the built-in service accounts and want to do this with the least administrative effort. What should you do?
a. Create a domain user, and in the Delegation tab, select LocSvc.
b. Configure the service to log on as NT Service\LocSvc.
c. Create a local user on the server, and configure the service to log on as that user.
d. Create an MSA with PowerShell, and configure the service to log on as the MSA.
Answer: b

You discovered that a user changed his password 10 times in one day. When you ask why he did this, he replied that the system required him to change his password. He wanted to use his favorite password, but the system wouldn't accept it until he changed it 10 times. What should you do to prevent this user from reusing the same password for at least 60 days?
a. Change the value for the Enforce password history setting.
b. Change the value for the Maximum password age setting.
c. Change the value for the Minimum password age setting.
d. Enable the Password must meet complexity requirements setting.
Answer: c

You're configuring a web-based intranet application on the WebApp server, which is a domain member. Users authenticate to the web-based application, but the application needs to connect to a back-end database server, BEdata, on behalf of users. What should you configure?
a. On a domain controller, configure constrained delegation on the service account.
b. On the WebApp server, create a local user account, and grant it permission to BEdata.
d. Specifies how many minutes a user's account is locked
Answer: c

Where are user accounts stored on a standalone computer?
a. SQL database
b. A flat file
c. Active Directory
d. SAM database
Answer: d

A junior administrator is configuring settings for the Password Policy of a new GPO he created and sets the minimum password length to 4. He links the GPO to the EngUsers OU containing the user and group accounts for the Engineering Department. A user in the Engineering Department calls and says he's trying to change the password on his domain user account to A$c1, but the system isn't taking the new password. What's the problem?
a. The user doesn't belong to the Engineering group.
b. The user can't use the $ symbol in the password.
c. Password policies can be set only at the domain level.
d. The user's computer account isn't in the EngUsers OU.
Answer: c

You have created an MSA on DC1 to run a service on the ldsServ1 server. What's the last thing you should do before using the Services MMC to configure the service to use the new MSA?
a. On ldsServ1, run the Add-ADComputerServiceAccount cmdlet.
b. On DC1, run the Add-ADComputerServiceAccount cmdlet.
c. On ldsServ1, run the Install-ADServiceAccount cmdlet.
d. On DC1, run the Install-ADServiceAccount cmdlet.
Answer: c

Which of the following service accounts can be managed across multiple servers?
a. Managed service account
b. AD managed service account
c. Multi-managed service account
d. Group managed service account
Answer: d

A group of users in the Research Department has access to sensitive company information, so you want to be sure that the group members' passwords are strong with a minimum length of 12 characters and a requirement to change their passwords every 30 days. The current password policy requires passwords with a minimum length of 7 characters that users must change every 120 days. You don't want to inconvenience other users in the domain by making their password policies more stringent. What can you do?
a. Create a PSO in ADAC, configure the password policy, and link it to the Research Department OU.
b. Create a PSO in ADAC, configure the password policy, and apply it to the Research Department group.
c. Create a GPO, configure the password policy for the Research Department, and link it to the domain. Configure a security filter for the Research group.
d. Create a GPO, configure the password policy for the Research Depa
Answer: b
d. Detailed information
Answer: a, d

Which of the following are built-in service accounts? (Choose all that apply.)
a. Anonymous Logon
b. Local system
c. Network Service
d. Authenticated Users
Answer: b, c

Which of the following is included in account policies for a GPO? (Choose all that apply.)
a. Password Policy
b. Authorization Policy
c. Account Lockout Policy
d. Kerberos Policy
Answer: a, c, d

You have four servers running a service in a load-balancing configuration, and you want the services on all four servers to use the same service account. What should you do?
a. Run the New-gMSAServiceAccount cmdlet and specify the four servers in the SPN.
b. Run the New-ADServiceAccount cmdlet and configure constrained Kerberos delegation.
c. Create a group and add the servers' computer accounts to it. Run the New-ADServiceAccount cmdlet.
d. Move the four servers' computer accounts to the Managed Service Accounts folder in Active Directory.
Answer: c

Which of the following is used to uniquely identify a service instance to a client?
a. Service ticket
b. TGT
c. SPN
d. KDC
Answer: c

Which of the following GPOs are created by default when Active Directory is installed? (Choose all that apply.)
a. Default Domain Controllers Policy
b. Default Group Policy
c. Default Active Directory Domain Policy
d. Default Domain Policy
Answer: a, d