136 Cards in this Set

  • Front
  • Back
How would you delegate control of an AD OU to a user?
- Right Click on OU
- Delegate Control
- Choose User
- Choose the appropriate option
- Finish
What is an OU?
An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.
What are the different types of OU?
Parent OUs are OUs that contain other OUs.
Child OUs are OUs within other OUs.
What organisational structures can you not apply GPOs to?
Generic Containers
What is group policy inheritance?
Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
How can you prevent objects from accidental deletion in AD?
- On the Object tab, select the Protect object from accidental deletion check box. (This option is only seen with Advanced Features selected from the View menu.)

- On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.
What setting should be set at creation to prevent an AD OU being accidentally deleted?
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
How would you delete an AD object that is protected from deletion?
To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.
What is delegation of authority?
Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups.
Describe some of the facts about delegating control:
- You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.

- An object-based design allows you to delegate control based on the types of objects in each OU. For example, you can delegate control over specific object types (such as user objects).

- A task-based design allows you to delegate control based on the types of administrative tasks that need to be done.
What is the Builtin Default Container?
The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.
What is the Computers default container?
The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain.
What is the Domain Controllers default container?
The Domain Controllers OU is the default location for the computer accounts for domain controllers.
What is the LostAndFound default container?
The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
What is the NTDS Quotas default container?
The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own.
What is the Program Data default container?
The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
What is the System default container?
The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.
What is the Users default container?
The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
What is special about AD containers?
They are automatically created and cannot be deleted.
What is special about the Domain Controllers OU?
It is the only default OU, and it can have a GPO applied, whereas the other default containers cannot have a GPO applied
How would you view hidden containers in AD Users and Computers?
Click Advanced Features from the View menu
Which containers are hidden by default in AD Users and Computers?
- LostAndFound
- NTDS Quotas
- Program Data
- System
What is special about AD containers and how do they differ from OUs?
They are automatically created and cannot have GPOs applied to them.
What is the SAM database?
A local database that allows users to access local resources on the machine
What are the two types of user account?
Local and Domain
What is a local user account?
A local user account is created and stored on a local system and is not distributed to any other system.

- Local user accounts are created with the Computer Management console.
- The local Security Accounts Manager (SAM) manages the user account information.
- Only local resources are accessible with local user accounts.
What is a domain user account?
A domain user account is created and centrally managed through Active Directory, and is replicated between domain controllers in the domain.
How can domain user accounts be created?
Domain user accounts are created with Active Directory Users and Computers, command line tools, and PowerShell.
What is unique to each domain user account?
Each domain user account has a unique security identifier (SID) to identify the user. A user can log on to the domain from any computer that is a member of the domain and can access resources on that computer or on other computers for which the domain user account has permissions.
How can external users with email accounts be represented in AD?
External users who need an e-mail account can be represented through a contact object.
What is a contact object?
An account that does not have any security permissions. Users represented as contact objects cannot log on to the domain. Use contacts to add information about individuals, such as e-mail or phone number, to Active Directory. Applications, such as Exchange, can search for attributes of contact objects.
What is the user or logon name?
The user or logon name is the name of the user account
What is the user principal name (UPN)?
The User Principal Name (UPN) combines the user account name with the DNS domain name.

- The UPN format is also known as the SMTP address format.
- The DNS domain name in the UPN is known as the UPN suffix.
- By default, the domain that holds the user account is selected for the UPN suffix. However, you can configure different UPN suffixes to use instead of the domain name.
What is the LDAP Distinguished Name (DN)?
The LDAP Distinguished Name (DN) references the domain and related container(s) where the object resides. It has three basic attributes:
Domain Component (DC)
Organizational Unit (OU)
Common Name (CN)
What is the Relative Distinguished Name (RDN)?
The Relative Distinguished Name (RDN) is used to identify the object within its container. The RDN needs to be unique only within the object’s container.
When would you use the "User cannot change password" option?
When you want to maintain control over a Guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. If you allow changing the user account password for the service account, you would also need to change the password within every application that uses that account.
How would you unlock an account?
To unlock an account, go to the Account tab in the account object's Properties dialog box, and select the Unlock Account box. Resetting the password on the account also unlocks a user account.
What should you do if a user account is accidentally deleted?
Restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.
How would you add a User Principal Name (UPN) suffix to a forest?
1) Open Active Directory Domains and Trusts.
2) Right-click Active Directory Domains and Trusts in the Tree window pane, then select Properties.
3) Type the new UPN suffix that you would like to add to the forest on the UPN Suffixes tab.
4) Click Add.
5) Click OK.
What is a computer account?
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device
How would you prestage a computer account?
From Active Directory Users and Computers, create a computer account. This process is called prestaging computer accounts. From the workstation, join the domain. The workstation will be associated with the computer account you created previously.
Where is the computer account created when you join a workstation to the domain?
In the Computers built-in container
How would you control where computer accounts are placed when a computer joins the domain?
Create the computer account ahead of time (prestage it).
Which groups have permissions to create a computer account?
- Account Operators
- Domain Admins
- Enterprise Admins
How many computers are the Authenticated Users group members allowed to join to the domain (from a workstation)?
10 - this will also create the computer account automatically if it doesn't already exist. This ability comes from the Add workstations to a domain user right.
How would you allow a specific user to join a specific computer to the domain?
You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
How would you give other users permissions to create computer accounts in AD?
By giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
Will a computer receive group policy settings once the computer account is created?
No, the computer must be joined to the domain before it receives any GPO settings or AD receives any workstation-specific information
What commands can be used to create computer accounts from a command prompt or script?
dsadd or netdom. (Use netdom join to join a computer to the domain.)
What establishes a secure channel between a computer and the domain controller?
The computer password (automatically generated when the computer joins the domain).
Where is the computer account password saved?
On the local computer and in AD. By default, it is changed every 30 days.
What might cause a computer to fail to authenticate to the domain?
If the two computer passwords (on the local machine and in AD) become unsynchronised.

This problem will also occur if you have rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
How would you reset the computer account after a logon failure?
- Run the netdom reset command followed by the computer account name and the domain.
- In Active Directory Users and Computers, right-click the computer account and select Reset Account.
- Create a script in Visual Basic.

After resetting the computer account, you must rejoin the computer to the domain.
What is a local group?
Local groups exist only on the local computer, and control access to local resources.
What is a domain group?
Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
What is group scope?
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.
What membership can a global group have?
Global groups can contain members within the same domain. These include:

- Global groups in the same domain (in native mode only).
- Users and computers within the same domain.
What should a global group be used for?
Use global groups to group users and computers within the domain who have similar access needs.
What membership can a domain local group have?
Domain local groups can contain members from any domain in the forest. These include:

- Domain local groups in the same domain (in native mode only).
- Global groups within the forest.
- Universal groups within the forest (in native mode only).
- Users and computers within the forest.
What membership can a universal group have?
Universal groups can contain members from any domain in the forest. These include:

- Universal groups within the forest.
- Global groups within the forest.
- Users and computers within the forest.
What resources can global groups permission?
Global groups can be assigned permissions to resources anywhere in the forest.
What resources can domain local groups permission?
Domain local groups can be assigned permissions within a domain.
What resources can universal groups permission?
Universal groups can be assigned permissions to resources anywhere in the forest.
What should global groups be used for?
Create global groups to organize users (e.g., Sales or Development).
What should domain local groups be used for?
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
What should universal groups be used for?
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
What is a security group?
A security group is one that can be used to manage rights and permissions.

- Group members get the permissions that are granted to the group.
- A security group represents an object with a security identifier (SID), which through the member attribute, collects other objects, such as users, computers, contacts, and other groups.
Which type of AD group should be used for assigning permissions?
Security
What is a distribution group?
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
What happens if you convert a security group to a distribution group?
This would remove the permissions assigned to the group.

This could prevent or allow unwanted access.
How would you convert a global group to a domain local group?
First convert to a universal group, then to a domain local.
Can you convert a global group nested in another global group into a universal group?
No - a universal group cannot be a member of a global group
Can you make a universal group a member of a global group?
No
What happens when a group is deleted?
All information about the group - including any permissions assigned - is deleted.
How can you recover a deleted group?
- Re-create the group, add all the original group members, and reassign any permissions granted to the group.
- Restore the group from a recent backup.
When are the default local groups created?
During Windows installation
Can you rename or delete the default local groups?
CAN rename them

CANNOT delete them
What is the Administrators default local group?
Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator.
What is the Backup Operators default local group?
Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings.
What is the User default local group?
Members of the Users group:

- Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
- Cannot share directories or install printers if the driver is not yet installed.
- Cannot view or modify system files.
What group do "limited use" accounts become a member of automatically?
Users default local group
What is the Power Users default local group?
Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows.
What is the Guests default local group?
Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at logon that is then deleted when the member logs off.
What is the Administrators default domain group?
Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
What is the Server Operators default domain group?
Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers.
What is the Backup Operators default domain group?
Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
What is the Account Operators default domain group?
Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
What is the Guests default domain group?
The domain Guest account is a member of this group. The group does not have any default rights.
What is the Network Configuration Operators default domain group?
Change TCP/IP settings including changes on domain controllers.
What is the Print Operators default domain group?
Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers.
What is the Users default domain group?
Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group.
Which default domain groups are created in the Built-In Container?
Administrators
Server Operators
Backup Operators
Account Operators
Guests
Network Configuration Operators
Print Operators
Users
What default domain groups are created in the Users container in AD?
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Schema Admins
Read-Only Domain Controllers
DHCP Administrators
Cert Publishers
What is the Domain Admins default domain group?
Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers).
What is the Domain Computers default domain group?
Contains all computers that are a member of the domain. When you join a computer to the domain, it becomes a member of this group.
What is the Domain Controllers default domain group?
Contains all domain controllers. When a computer is made a domain controller, it is added to this group.
What is the Domain Guests default domain group?
Contains all domain guests. It does not have any default rights
What is the Domain Users default domain group?
Contains all domain users. This group can be used to give access to all users in a domain.
What is the Enterprise Admins default domain group?
Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing them to perform any task on any computer in the forest.
What is the Schema Admins default domain group?
Full control over the Active Directory schema. By default, the Administrator account is a member of this group.
What is the Read-Only Domain Controllers default domain group?
Contains all members who have administrative access to the Read-Only Domain Controllers in the domain.
What is the DHCP Administrators default domain group?
Contains all members who have administrative access to the DHCP service.
What is the Cert Publishers default domain group?
Contains all members which are permitted to publish certificates to the directory.
Describe the AGDLP strategy
A: Place user Accounts
G: Into Global groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the AGDLP strategy used?
Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
What is nesting?
Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.
When is the AGUDLP strategy used?
Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
Describe the AGUDLP strategy
A: Place user Accounts
G: Into Global groups
U: Into Universal groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
When is the ALP strategy used?
Used on workstations and member servers.

ALP is best used in a workgroup environment, not in a domain.
Describe the ALP strategy
A: Place user Accounts
L: Into Local groups
P: Assign Permissions to the local groups
When should universal groups be used?
Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
What group should be used if both the users and resources are located in Multiple Domains?
Universal
What groups should not be used in a single domain design?
Universal
How can you start AD Users and Computers?
- Server Manager
- Administrative Tools (from the Control Panel or Start menu)
- Running dsa.msc
What is ADSI Edit?
Active Directory Service Interfaces Editor (ADSI Edit) acts as a low-level GUI editor for common administrative tasks such as adding, deleting, and moving objects.
What can you use ADSI Edit for?
You can use ADSI Edit to query, view, and edit attributes that are not exposed through other MMC snap-ins (such as Active Directory Users and Computers).
What does the command dsadd do?
Dsadd creates a new object in Active Directory.
What does the command dsquery do?
Dsquery finds objects that match the search criteria (allows a search through the whole forest). The command returns a list of objects that match the search criteria. Use Dsquery * to search all object types.
What does the Dsget command do?
Dsget retrieves property information about an object. Use the -expand switch to show nested group membership for users.
What does the dsmod command do?
Dsmod modifies or changes the properties of an object.
What does the dsrm command do?
Dsrm removes (deletes) objects. Use the -subtree option to delete a container object and all objects below that object.
What does the movetree command do?
Movetree moves an OU and its objects (it does not move computer objects).
What does the netdom command do?
Netdom adds computer objects, joins a computer to a domain, and moves computer objects.
What does Csvde do?
The Csvde command imports and exports Active Directory objects using a comma-separated list file.
What can Csvde do?
Csvde can read existing information from Active Directory (export) or create new objects in Active Directory (import).
What can Csvde not do?
You cannot use Csvde to modify existing objects in Active Directory.
What are some common uses for CSvde?
- Using Csvde to export objects from one Active Directory system (or an Exchange 5.5 database) and import them into a different Active Directory database.
- Using a database program to create a CSV file, modifying the file, and importing the objects into Active Directory.
Will Csvde import passwords for user accounts?
No
What does the Ldifde command do?
The Ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files.
What are some common uses for Ldifde?
- Using Ldifde to export a set of Active Directory objects, modifying various attributes, and then re-importing the file to change the attributes.
- Exporting or importing data that exists on non-Active Directory LDAP directories.
How can you manage passwords with Ldifde?
Passwords are not exported with user accounts. You can change passwords for existing accounts with a .ldif file, but you cannot create new user accounts with a password.
How would you export a user account and then import it with a password with Ldifde?
1) Export the user accounts. The unicodePwd field will be blank.
2) Import the user accounts to create the accounts. The user accounts will be disabled, and the user will be forced to change the password at next logon.
3) Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account.
4) Run Ldifde using the file with the passwords to modify the existing user accounts.
What does the Ldp command do?
The Ldp utility allows you to search for and view the properties of multiple Active Directory objects. It is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying results.
What is the Active Directory Migration Tool?
The Active Directory Migration Tool (ADMT) is a GUI-based utility that helps you restructure your Active Directory organization or migrate objects from one domain to another.
Where can you move AD objects with ADMT?
You can move objects to different domains within the same forest (intraforest), or to domains in other forests (interforest).
What must be in place for an interforest migration in ADMT?
The target forest must trust the source forest.