19 Cards in this Set

  • Front
  • Back

Allows you to perform fine-grained delegation to enable administration of specific object attributes

Delegation of Control Wizard





  • First you need to specify the type of AD object to delegate, and then you need to delegate the custom tasks associated with the object.

These tools allow an administrator to manage Windows Server 2012 from a client platform.

RSAT (Administration Tools)





  • PowerShell cmdlets and modules that correspond to the RSAT tools are also part of this installation.
  • The client machine simply needs to download the RSAT installation via the Windows Update Standalone Installer file

This special process protects certain objects from being directly modified in Active Directory.

AdminSDHolder





  • To configure permissions on the AdminSDHolder object, open ADSI Edit, choose the Default naming context, and navigate to the CN=System node under the domain in which you should find CN=AdminSDHolder.
  • The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups.
  • As previously noted, AdminSDHolder permissions apply to security principals that belong to protected groups.
Is a function in Active Directory that enables a computer, typically a server, to authenticate with a user’s credentials.
Kerberos constrained delegation




  • This is a method for services to perform authentication on behalf of users.



This PowerShell cmdlet allows you to view a list of security principals allowed to perform delegated authentication

Get-ADComputer, Get-ADServiceAccount, or Get-ADUser cmdlets with the -Properties parameter set to PrincipalsAllowedToDelegateToAccount
To configure a service to enable specific security principals to perform delegated authentication, use?
New-ADComputer, New-ADServiceAccount, New-ADUser, Set-ADComputer, Set-ADServiceAccount, or Set-ADUser cmdlets with the -PrincipalsAllowedToDelegateToAccount parameter.

Each domain has hundreds of users who are to be classified in three separate categories, and administrators should have restrictions on the actions they can perform on each user type:




How could you meet the requirement of restricting access to user objects based on the type of user?

By placing each user class in its own OU, you can delegate different permissions to each type of user.
Each domain has hundreds of users who are to be classified in three separate categories, and administrators should have restrictions on the actions they can perform on each user type:



Local administrators should be able to create new objects within their domain, but the number of objects they create should be closely monitored. With what method could you accomplish this goal?

Active Directory quotas meet this requirement perfectly.
Each domain has hundreds of users who are to be classified in three separate categories, and administrators should have restrictions on the actions they can perform on each user type:



A very select group of corporate administrators should be able to manage membership of highly restricted groups throughout the forest, including the Enterprise Admins group. How would you allow access to this group to perform these duties?

Creating a security group containing these corporate administrators and giving them permissions over the AdminSDHolder gives the appropriate permissions over these restricted groups.
Each domain has hundreds of users who are to be classified in three separate categories, and administrators should have restrictions on the actions they can perform on each user type:



A local administrator cannot create any new objects in his domain due to the number he has already created. How could you allow this user to continue creating new objects?

There are two solutions:




  1. Increase the user’s quota.
  2. Change the owner of the objects that were created by the user.
What methods can you use to configure permissions on an object in Active Directory?
  • Editing the Security tab directly enables you to configure Active Directory object permissions.
  • The Delegation of Control Wizard provides quick and easy access to set permissions on an object in Active Directory.
Which of the following determines a user’s quota when all apply?
Group-assigned quota of 1000
Which command sets the quota for members of the HelpDesk group to 100 objects?
The DSADD quota command is used to assign a quota to a security principal, either a user or a security group.
What actions might fail due to quota limitations?
Domain migrations create or update large numbers of objects in the target domain.



The user performing the migration should not be constrained by quotas.

What additional step must be taken after installing RSAT for Windows 8.1 to make the admin tools available?
Installing RSAT should be the only step needed to gain access to the tools.
How can you assign permissions to a protected admin group in Active Directory such as Enterprise Admins?

Modifying the ACL on the AdminSDHolder object results in the object’s ACL being configured correctly.

With what tool do you configure permissions on the AdminSDHolder object?
ADSI Edit should be used to configure permissions on the AdminSDHolder object.
Why would you need to create or manage a Kerberos delegation?
Delegations enable a computer to authenticate as a user.
What capability in Kerberos constrained delegation is available beginning in Windows Server 2012?
Limiting Kerberos constrained delegation to individual services is a new feature in Windows Server 2012.