Term
A user calls to report that his account has been locked after he entered the incorrect password four times. Which tab of the user’s account properties do you go to unlock his account?
a. Account
b. General
c. Sessions
d. User
|
|
Definition
ANS: A
EXPLANATION: The Account Is Locked Out check box is in the Account tab of a user’s properties. If the account is locked as a result of settings in the Account Lockout Policy, the check box is selected. Clearing it unlocks the account. The Account Is Locked Out check box is not in the General or Sessions tab of a user’s account properties. There is no tab in the user’s account properties called User. (Discussion starts on page 181.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
A user calls to report that his account has been locked after he entered the incorrect password four times. Which tab of the user’s account properties do you go to unlock his account?
a.
Account
b.
General
c.
Sessions
d.
User |
|
Definition
ANS: A
EXPLANATION: The Account Is Locked Out check box is in the Account tab of a user’s properties. If the account is locked as a result of settings in the Account Lockout Policy, the check box is selected. Clearing it unlocks the account. The Account Is Locked Out check box is not in the General or Sessions tab of a user’s account properties. There is no tab in the user’s account properties called User. (Discussion starts on page 181.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
A user calls you because he cannot log on to the system. After verifying his identity, you determine that he recently returned from vacation and is unsure of his password. You decide to reset the password. How do you do accomplish this?
a.
In the Active Directory Users And Computers MMC snap-in, select the user and then select Reset Password from the Action menu. Enter the existing password, and then enter a new password. Retype the new password in the Confirm Password box, and click OK.
b.
In the Active Directory Users And Computers MMC snap-in, select the user and then select Reset Password from the Action menu. Enter the new password, retype the new password in the Confirm Password box, and click OK.
c.
In the Active Directory Users And Computers MMC snap-in, select the user. On the Account properties page for the user, click Change Password and then enter a new password. Retype the password in the Confirm password box, and click OK.
d.
On the General properties page for the user, click Change Password and then enter a new password for the user. Retype the password in the Confirm password box, and click OK. |
|
Definition
ANS: B
EXPLANATION: You can reset a user account password in Active Directory Users And Computers by selecting Reset Password from the Action menu. You must enter and confirm the new password. You do not need to know the existing password to reset the password. User passwords are not reset from the Account properties page for the user, nor are they reset from the General properties page for the user. (Discussion starts on page 177.)
DIF: Application REF: Chapter 6 |
|
|
Term
After numerous support calls from a user who is creating problems by making changes to his Windows settings, you get management approval to configure the user with a profile that will not allow him to save any changes. How do you go about doing this?
a. Open the Advanced page from the System Properties dialog box on the system that holds the profile, select the relevant profile, and click Set As Mandatory.
b. Locate the profile folder for the user and rename the Ntuser.man file to Ntuser.dat.
c. Configure the permissions to the folder holding the profile to read-only.
d. Locate the profile folder for the user, and rename the Ntuser.dat file to Ntuser.man.
|
|
Definition
ANS: D
EXPLANATION: The basic procedure for making a profile mandatory is to locate the Ntuser.dat file related to the user account and rename it to Ntuser.man. There is no Set As Mandatory button in the Advanced page of the System Properties dialog box. Although setting read-only permissions for the user’s profile folder might prevent the user from making any changes to his profile, this is not the accepted way of making a profile mandatory. (Discussion starts on page 199.)
DIF: Application REF: Chapter 6 |
|
|
Term
If the Password Must Meet Complexity Requirements policy is enabled, which of the following passwords is not acceptable?
a.
111aaaBBB
b.
!!@TRPP%%
c.
aa2324!@
d.
TTee@#P1 |
|
Definition
ANS: B
EXPLANATION: For a password to meet complexity requirements, it must contain at least three of the following four elements: uppercase alphabetic characters, lowercase alphabetic characters, numbers, or special characters (such as !@#). It must also be at least six characters long and not be based on the username. The !!@TRPP%% password contains only special characters and uppercase letters. All of the other passwords conform to the complexity requirements. (Discussion starts on page 168.)
DIF: Application REF: Chapter 6 |
|
|
Term
In Active Directory Users And Computers, where do you configure logon time restrictions for a user?
a.
The Logon Hours page of the user account properties
b.
The General Page of the user account properties
c.
The Sessions page of the user account properties
d.
The Account page of the user account properties |
|
Definition
ANS: D
EXPLANATION: Time restrictions are configured from the Logon Hours button on the Account page of a user’s properties. There is no Logon Hours page in the user account properties. (Discussion starts on page 181.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
What does setting an account lockout threshold of 0 achieve?
a. Any account that was locked out by the account lockout threshold remains locked indefinitely.
b. Any account that was locked by the account lockout threshold is unlocked immediately.
c. Any account that has exceeded the account lockout threshold needs the administrator to manually unlock it.
d. Any account that has exceeded the account lockout threshold is not locked out.
|
|
Definition
What does setting an account lockout threshold of 0 achieve?
a. Any account that was locked out by the account lockout threshold remains locked indefinitely.
b. Any account that was locked by the account lockout threshold is unlocked immediately.
c. Any account that has exceeded the account lockout threshold needs the administrator to manually unlock it.
d. Any account that has exceeded the account lockout threshold is not locked out.
|
|
|
Term
What information is transferred from a user’s Account tab when you copy the user’s account?
a. Everything except the Logon Hours
b. Everything except the Group Memberships
c. Everything except the User Logon Name and User Logon Name (Pre–Windows 2000)
d. Everything except the Street Address
|
|
Definition
ANS: C
EXPLANATION: All values except the Logon Name are copied from the Account tab when a user account is copied to create a new user account. Group Memberships are listed in the Members Of tab of the user’s account properties, not the Account tab. The logon hours are copied from the Account tab when a user account is copied to create a new account. The Street Address value is in the Address tab, not the Account tab. (Discussion starts on page 190.)
DIF: Application REF: Chapter 6 |
|
|
Term
What information is transferred from a user’s Account tab when you copy the user’s account?
a.
Everything except the Logon Hours
b.
Everything except the Group Memberships
c.
Everything except the User Logon Name and User Logon Name (Pre–Windows 2000)
d.
Everything except the Street Address |
|
Definition
ANS: C
EXPLANATION: All values except the Logon Name are copied from the Account tab when a user account is copied to create a new user account. Group Memberships are listed in the Members Of tab of the user’s account properties, not the Account tab. The logon hours are copied from the Account tab when a user account is copied to create a new account. The Street Address value is in the Address tab, not the Account tab. (Discussion starts on page 190.)
DIF: Application REF: Chapter 6 |
|
|
Term
What term describes a type of user profile that the user can change but that does not save those changes when the user logs off?
a.
Fixed
b.
Roaming
c.
Mandatory
d.
Static |
|
Definition
ANS: C
EXPLANATION: A mandatory profile can be changed by the user, but when the user logs off, the changes are not saved. A roaming profile can be accessed by the user no matter what system on the network she is logging on from. Fixed and static are not profile types. (Discussion starts on page 199.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
When you configure the Password Policy, why would you enable the option to store passwords using reversible encryption?
a.
So that if a user forgets her password it can be recovered
b.
So that the user can find her password by providing a password clue if she forgets it
c.
So the administrator can view the password to ensure that it meets complexity requirements
d.
So that other applications can access the password information |
|
Definition
ANS: D
EXPLANATION: If a password is stored using reversible encryption, it can be accessed by other applications. This approach poses a security risk, and it should be implemented only if absolutely necessary. There is no way for a user account password to be recovered, nor is there any facility in Windows Server 2003 for providing users with password clues. The administrator cannot view users’ passwords. (Discussion starts on page 182.)
DIF: Application REF: Chapter 6 |
|
|
Term
Which of the following client operating systems requires additional client software to access the complete functionality of Active Directory?
a. Windows 98
b. Windows NT 4
c. Windows Me
d. All of the above
|
|
Definition
ANS: D
EXPLANATION: All of the operating systems listed require additional client software to access the complete functionality of Active Directory. (Discussion starts on page 201.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following client operating systems requires additional client software to access the complete functionality of Active Directory?
a.
Windows 98
b.
Windows NT 4
c.
Windows Me
d.
All of the above |
|
Definition
ANS: D
EXPLANATION: All of the operating systems listed require additional client software to access the complete functionality of Active Directory. (Discussion starts on page 201.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following items is not included in a user profile?
a.
Shortcuts and cookies for favorite locations on the Internet
b.
Links to other computers on the network
c.
Application data and user-defined configuration settings
d.
Logon time restrictions |
|
Definition
ANS: D
EXPLANATION: Logon time restrictions are part of a user’s account properties. They are not part of the user profile. All of the other items are included in a user profile. (Discussion starts on page 196.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following properties cannot be configured for multiple users at a single time?
a. Terminal Services session settings
b. Address
c. Logon Hours
d. E-mail address
|
|
Definition
ANS: A
EXPLANATION: When you configure the properties of more than one user at a time, you cannot configure the Terminal Services Session settings. All of the other items can be edited for multiple users at once. (Discussion starts on page 186.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following properties cannot be configured for multiple users at a single time?
a.
Terminal Services session settings
b.
Address
c.
Logon Hours
d.
E-mail address |
|
Definition
ANS: A
EXPLANATION: When you configure the properties of more than one user at a time, you cannot configure the Terminal Services Session settings. All of the other items can be edited for multiple users at once. (Discussion starts on page 186.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following utilities can you use to modify an existing object in Active Directory?
a. Dsmod.exe
b. Csvde.exe
c. Dsadd.exe
d. Adobjedit.exe
|
|
Definition
ANS: A
EXPLANATION: The Dsmod.exe utility allows you to modify an object in Active Directory. The Comma Separated Value Data Exchange utility (Csvde.exe) can be used only to import or export information to or from the directory. It cannot be used to modify an existing directory object. Dsadd.exe can be used only to add objects to the directory, not to modify an existing object. There is no such utility as Adobjedit.exe. (Discussion starts on page 195.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
Which of the following utilities can you use to modify an existing object in Active Directory?
a.
Dsmod.exe
b.
Csvde.exe
c.
Dsadd.exe
d.
Adobjedit.exe |
|
Definition
ANS: A
EXPLANATION: The Dsmod.exe utility allows you to modify an object in Active Directory. The Comma Separated Value Data Exchange utility (Csvde.exe) can be used only to import or export information to or from the directory. It cannot be used to modify an existing directory object. Dsadd.exe can be used only to add objects to the directory, not to modify an existing object. There is no such utility as Adobjedit.exe. (Discussion starts on page 195.)
DIF: Demonstration REF: Chapter 6 |
|
|
Term
You are attempting to use the Csvde.exe tool to import a new set of user accounts to the directory. You confirm that the import file is formatted correctly, and then you issue the command csvde -f newusers -k. When you check in Active Directory, none of the new user accounts appears. What is the most probable cause of the problem?
a.
The -k switch tells Csvde.exe that it should create the users only at the next database synchronization.
b.
The default mode for Csvde.exe is export; if you want to import objects, you must use the -i switch.
c.
The Csvde.exe command can be used only to import group and computer accounts, not user accounts.
d.
The correct switch for specifying the filename for a Csvde.exe command is -fn, not -f. |
|
Definition
ANS: B
EXPLANATION: The default mode for Csvde.exe is export. Unless you use the -i switch in the command, Csvde.exe will attempt an export to the specified file, not an import from the file. The -k switch tells Csvde.exe to ignore errors such as duplicate users. It does not (nor does any other switch) determine when the user accounts should be added. Csvde.exe can be used to import a wide range of directory objects, including users, groups, and computer accounts. The -f switch is correct for specifying the comma-separated value file that is to be used for the import. (Discussion starts on page 192.)
DIF: Application REF: Chapter 6 |
|
|
Term
You are looking at ways to automate the creation of user accounts. You do not have a large turnover of staff in your organization, so you decide to use templates as a shortcut to user creation. Which of the following statements about the use of template user accounts is true?
a. All new users created with the template have the same initial password.
b. All new users created with the template have the same group memberships.
c. All new users created with the template have the same file permissions as the template user.
d. All new users created with the template have the same street address.
|
|
Definition
You are looking at ways to automate the creation of user accounts. You do not have a large turnover of staff in your organization, so you decide to use templates as a shortcut to user creation. Which of the following statements about the use of template user accounts is true?
a. All new users created with the template have the same initial password.
b. All new users created with the template have the same group memberships.
c. All new users created with the template have the same file permissions as the template user.
d. All new users created with the template have the same street address.
|
|
|
Term
You are the network administrator for a footwear distributor in Georgia. After a recent break-in, your manager is concerned that the criminals might have been able to access the computer systems. She asks you to tighten up security of user accounts and passwords. She asks you to propose settings for an Account Lockout Policy. You propose the following values for the Account Lockout Policy:
Account Lockout Threshold = 3
Account Lockout Duration = 0
Reset Account Lockout Counter After = 15
What would the result of these policies be?
a.
If a user enters the incorrect password more than three times, the account is disabled. The account is automatically enabled after 15 minutes.
b.
If a user enters the incorrect password more than three times, the account is locked. The account is automatically unlocked after 15 minutes.
c.
If a user enters the incorrect password more than three times, the account is locked. The administrator must manually clear the lock on the account.
d.
The account is never locked, regardless of how many attempts are made to access the system using the incorrect password. |
|
Definition
ANS: C
EXPLANATION: A value of 0 for the Account Lockout Duration means that a locked account must be manually unlocked by an administrator. The Reset Account Lockout Counter After value determines the “memory” of the system for incorrect passwords in a given time period. In this example, the user can enter an incorrect password twice every 15 minutes and still not lock the account. After three incorrect passwords are entered in a 15-minute period, the account is locked. Triggering the Account Lockout policy locks an account—it does not disable it. A disabled account cannot be used, even with the correct password. The policy as described allows a user three incorrect logon attempts before the account is locked. (Discussion starts on page 200.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the network administrator for a healthcare provider in Denver, Colorado. The network comprises three Windows Server 2003 systems. You have recently installed a new database application that requires a service account to be created. This service account needs to impersonate a client to access computer resources on behalf of other user accounts. Which of the following approaches do you take to do this?
a. Create a new user account. Then, in the General properties tab for that user account, select the Account Is Trusted For Delegation check box.
b. Create a new user account. Then, in the Account properties tab for that user, select the Account Is Trusted For Delegation check box.
c. Create a new user account. Then, in the Advanced properties tab for that user, select the Account Is Trusted For Delegation check box.
d. Use an existing user account. In the Account properties tab for that user, select the Account Is Trusted for Delegation check box.
|
|
Definition
ANS: B
EXPLANATION: When a service account is required, you should create a new user account for that purpose. If the account needs to impersonate a client to access computer resources on behalf of other user accounts, you must select the Account Is Trusted For Delegation check box, which is in the Account properties tab for a user account. (Discussion starts on page 181.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the network administrator for a large computer manufacturer in Portland, Oregon. Another computer manufacturer has recently acquired the company, and you are in the process of transitioning your IT infrastructure, including Active Directory, to the naming standards and schemes used by the takeover company. Your Active Directory structure uses domains with names based on geographical locations, so no reconfiguration of domain names is necessary. However, the domain name used for e-mail and the corporate Web page has changed. You have been asked to reconfigure all of the user accounts with the new e-mail address and Web page information. In total, you have to reconfigure 325 users in three organizational units. Which of the following is the easiest way to do this?
a.
Select multiple user objects at once, and then edit the user’s properties and enter the new e-mail and Web page information.
b.
Use Csvde.exe, and specify new values for the Web Page and E-Mail Address fields.
c.
Use the Dsmod.exe command, and specify new values for the Web Page and E-Mail Address fields.
d.
Edit the Web Page and E-Mail Address values for the OU objects. Then select Allow Inheritance Of Values From This Object on the OU. |
|
Definition
ANS: A
EXPLANATION: The Web Page field and the E-Mail Address field are available for edit by selecting multiple users at one time. The Csvde.exe utility is used for importing or exporting objects from the directory. It is not used for editing the properties of existing objects. The Dsmod.exe utility can be used for editing the properties of existing objects, but in this case it would almost certainly be simpler to just edit the properties of multiple objects at a time. There is no facility for user objects inheriting values from an OU. (Discussion starts on page 188.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the network administrator for a media company with 27 employees. You have recently implemented a new Windows Server 2003 system. Your manager is concerned about the security of your network. She has asked you to configure an Account Lockout Policy to provide additional security. She wants you to make sure that if a user tries to log on with the wrong password more than four times, that user’s account is disabled. She also wants to make sure that the user must call you when the account is locked so you can determine what the problem is before the user can attempt to gain access to the system again. Which of the following statements describes the Account Lockout Policy settings you would choose?
a. Set the Account Lockout Duration policy to 4, the Account Lockout Threshold policy to 0, and the Reset Account Lockout Counter After policy to 60.
b. Set the Account Lockout Duration policy to 0, the Enforce Password History policy to 0, and the Reset Account Lockout Counter After policy to 60.
c. Set the Enforce Password History policy to 4, the Account Lockout Threshold policy to 0, and the Reset Account Lockout Counter After policy to 30.
d. Set the Account Lockout Duration policy to 0, the Account Lockout Threshold policy to 4, and the Reset Account Lockout Counter After policy to 30.
|
|
Definition
ANS: D
EXPLANATION: If you set the Account Lockout Duration policy to 0, locked accounts must be manually unlocked by the administrator. The administrator would find out when an account becomes locked because the user must ask the administrator to unlock the account. Setting the Account Lockout Threshold policy to 4 causes the account to become locked after four incorrect logon attempts. These settings would satisfy the manager’s requirements. Setting the Account Lockout Threshold policy to 0 would cause the system to lock the account after the first incorrect logon attempt. Setting the Account Lockout Duration policy to 4 would cause the lockout to be cleared after 4 minutes. The Enforce Password History policy is part of the Password Policy, not the Account Lockout Policy. (Discussion starts on page 200.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the network administrator for a pottery distributor in Utah. You are in the process of upgrading the corporate network from another operating system to Windows Server 2003. You ask a junior administrator to design an effective Password Policy. He offers the following suggestion:
Enforce Password History = 10
Maximum Password Age = 30
Minimum Password Age = 15
Minimum Password Length = 6
Password Must Meet Complexity Requirements = Yes
What would the result of this policy be?
a.
The user can use a password of 33$#54 but must change it every 30 days. She cannot change it any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
b.
The user can use a password of 23%&678 but must change it every 30 days. She cannot change her password any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
c.
The user can use a password of $$r763 but must change it every 30 days. She cannot change it any sooner than 15 days. She cannot reuse the same password until she has changed her password 10 times.
d.
The user can use a password of $P%#TR but must change it every 15 days. She cannot change it any sooner than 30 days. She cannot reuse the same password until she has changed her password 10 times. |
|
Definition
ANS: C
EXPLANATION: For a password to meet complexity requirements, it must include characters from at least three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols. In this example, the password $$r763 fulfills these requirements. The Maximum Password Age setting requires that the user change her password at least every 30 days, but the Minimum Password Age value prevents the user from changing her password any sooner than 15 days. The Enforce Password History value of 10 ensures that the user must change her password 10 times before using a previous password. (Discussion starts on page 168.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the network administrator for a soft-toy manufacturer in Wisconsin. The network comprises three Windows Server 2003 systems operating at a Windows 2000 mixed mode domain functional level. There are 135 users, each of whom has a Windows XP Professional system.
The Sales department has been based solely in Green Bay, at the company headquarters, but management has decided to split it into two teams, one of which will telecommute. You are given the names of the users who will be part of the new remote sales team, and you are asked to configure the user accounts with some new information. Specifically, you must specify a new Manager and Department name. You must also provide each user with dial-in capability to the system, which they have never had. Which of the following approaches are you most likely to take?
a.
Configure the properties on multiple objects. Edit the Manager and Department fields in the Organization Properties tab. Grant the dial-in permission on the Dial-In tab, and configure the dial-in permissions on a per-user basis.
b.
Configure the properties on multiple objects. Edit the Manager and Department fields in the Organization Properties tab. Enable the Control Access Through Remote Access Policy.
c.
Open each user’s account individually. Edit the Manager and Department fields in the Organization Properties tab. Grant the dial-in permission in the Dial-In tab, and configure the dial-in permissions on a per-user basis.
d.
Using Dsadd.exe, configure a script to modify the parameters for the dial-in permission and the Manager and Department fields. |
|
Definition
ANS: A
EXPLANATION: The Manager and Department fields can be edited on multiple objects at a time. The dial-in permission must be edited on a per-user basis. Configuration by Remote Access Policy is not supported on a Windows 2000 mixed mode domain functional level. The Dsadd.exe utility is used to add objects to Active Directory, not to edit the properties of existing objects. (Discussion starts on page 177.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You are the system administrator for a company that manufactures electronics equipment for the aerospace industry. The company has more than 150 employees, but only the administrative staff of 24 people has PCs. The other employees are involved in production and manufacturing and do not require a PC to perform their job. The client workstations are a mix of Windows 95, Windows 98, and Windows 2000 Professional systems. You have a single Windows Server 2003 system that provides file and print services and runs DHCP, DNS, and WINS services. Each employee has a browser-based e-mail account that is accessed via the company’s intranet.
Your manager has asked you to configure a single user account that will be used to log on from three PCs in the company cafeteria so employees can access the company intranet and their e-mail. Which of the following approaches are you most likely to take?
a.
In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the IP address of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.dat file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
b.
In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the MAC address of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.man file to Ntuser.dat and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
c.
In the Account page of the user’s properties, configure the Log On To restrictions for the user by entering the NetBIOS machine name of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.dat file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile.
d.
In the Account page of the user’s properties, configure the Log On To restrictions
for the user by entering the NetBIOS machine name of the systems the user is permitted to use. Assign the user a mandatory profile by renaming the user account’s Ntuser.pfl file to Ntuser.man and placing it on a server in the network. Configure the user’s profile path so it points to the location of the profile. |
|
Definition
ANS: C
EXPLANATION: To configure Log On To restrictions, you enter the NetBIOS machine names of the system that you will permit the user account to log on from. You can assume that the company is using NetBIOS because it has a WINS server. To create a roaming mandatory profile for the user, you rename the Ntuser.dat file for the user to Ntuser.man. Log On To restrictions are not configured using the IP address of the systems that the user is permitted to log on from, nor are they configured using the MAC address. The user profile file is not named Ntuser.pfl. (Discussion starts on page 195.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You have configured Logon Hours restrictions for a specific user. The user is not a member of any group policy objects. If the user is already logged on when the allowed logon time ends, what happens?
a.
The user is forcibly disconnected.
b.
The user is granted a 15-minute grace period.
c.
The user is given a 5-minute warning and then is forcibly disconnected.
d.
The user can continue working. |
|
Definition
ANS: D
EXPLANATION: If the user is already logged on when the allowed logon time ends, service is not interrupted—except if the security option in group policy objects called Network Security: Force Logoff When Logon Hours Expire is enabled. In this case, the user is forcibly disconnected when her logon hours expire. (Discussion starts on page 181.)
DIF: Application REF: Chapter 6 |
|
|
Term
You have recently been employed as the network administrator for a commercial real estate company. The company is relatively small and has a highly mobile workforce. The company has two Windows Server 2003 systems and one Windows 2000 system. Active Directory is configured at a Windows 2000 mixed domain functional level.
Many of the sales representatives spend a great deal of time on the road and use the dial-in features of Windows Server 2003. The others are based primarily in the office and rarely work remotely. Late one evening, a user who normally works from the office pages you to report that he can’t gain access to the system over his dial-up link. He is calling from a hotel, where he is staying while at a conference. He explains that he connected the previous night from home without any problems, but this is the first time he has tried to connect from anywhere other than his home. Since you started working with the company, you have not made any changes to the user’s account properties. Based on the information he has provided, which of the following could be the problem?
a.
The user has Verify Caller ID enabled, and his home phone number is defined for that property.
b.
The static routes for the user have been configured to only allow the user to connect from his home phone number.
c.
The Always Callback To property on the user’s Dial-In page has been configured with the user’s home phone number.
d.
The phone number that the user |
|
Definition
ANS: C
EXPLANATION: The most likely answer of those listed is that the Callback Options on the Dial-In page for the user have been configured to always call back his home phone number. When the user tries to establish a dial-in connection, the server he is connecting to drops the connection and then calls his home number. The Verify Caller ID property is not available when Active Directory is configured in Windows Server 2003 mixed mode. Static routes determine which areas of the network are available to the user if he connects over a dial-in or VPN connection, and what areas of the network are inaccessible. They affect the user after he connects, not while he is trying to connect. Also, because you have made no changes to the account and the user was able to connect the previous day, this is unlikely to be the problem. The telephone numbers listed on the Telephones page of the user’s account properties are unrelated to the dial-in properties. (Discussion starts on page 186.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You have recently installed Microsoft Internet Information Services (IIS) on your Windows Server 2003, Enterprise Edition server so that you can create an intranet for your company. Anonymous access to the IIS server has been enabled. The intranet is intended solely as a source of publicly available corporate information. It will also contain a mirror of the company’s Internet Web site.
In addition to providing access to employees, you also want the public to be able to access the intranet from two terminals in the reception area of the building. The terminals will be configured with third-party software that will restrict access to any application other than Microsoft Internet Explorer. Because employees in the company already have user accounts for the network, you will not need to make any changes to their configuration in order to allow access to the intranet. What do you do with respect to user accounts to enable users in the reception area to access the intranet?
a.
Create one user account in Active Directory. Restrict logon through station restrictions to the systems in the reception area.
b.
Create two user accounts, one for each system in the reception area, in Active Directory. Restrict logon through station restrictions to the systems in the reception area.
c.
Create two user accounts, one for each system in the reception area, in Active Directory. Restrict logon through station restrictions to the systems in the reception area. In the General Properties tab, grant the user accounts the Use IIS right.
d.
Nothing. |
|
Definition
ANS: D
EXPLANATION: When you install IIS, a user account is created called IUSR_computername. This account allows anonymous users to connect to the server and access Web pages on it. There is no need, in this example, to create user accounts in Active Directory. There is no Use IIS right in the General Properties tab. (Discussion starts on page 173.)
DIF: Synthesis REF: Chapter 6 |
|
|
Term
You have set the Account Lockout Duration setting of the Account Lockout Policy to 0. What does this mean?
a.
The account lockout threshold will become ineffective because accounts that are locked by exceeding the account lockout threshold will immediately unlock.
b.
An account that has exceeded the account lockout threshold cannot be unlocked until the administrator resets the password for the user.
c.
The Enforce Password History setting will automatically record all of the incorrect passwords that are being tried.
d.
An account that has exceeded the account lockout threshold must be manually unlocked. |
|
Definition
ANS: D
EXPLANATION: A value of 0 for the Account Lockout Duration policy setting means that any account locked out by exceeding the account lockout threshold must be unlocked manually. This value does not cause a locked account to immediately unlock. Resetting a password for the user does not unlock the account. The Enforce Password History policy is part of the Password Policy and is not related to settings in the Account Lockout Policy. (Discussion starts on page 200.)
DIF: Application REF: Chapter 6 |
|
|
