44 Cards in this Set
- Front
- Back
Where are password policies configured?
|
in the Default Domain Policy
|
|
How does Active Directory store password information?
|
as a hash
|
|
What feature supports applications that need to read a user's password?
|
Store Passwords Using Reversible Encryption
|
|
Why is using reversible encryption generally a bad idea?
|
it weakens the security of the password
|
|
How many previous passwords does Windows store by default?
|
24
|
|
Where can the default domain password settings be overridden for a single user?
|
in that user's Properties
|
|
What new feature allows the Default Domain Policy password settings to be overridden for a group or user?
|
Fine-grained password policy
|
|
What requirement exists to use fine-grained password policy?
|
the domain must be at the 2008 functional level
|
|
Why is it important to set strong passwords on services that authenticate to the domain?
|
most services are incapable of changing their password
|
|
Can different password requirements for different groups be created with Group Policy?
|
no
|
|
What tool can be used to implement group- or user-based password policies?
|
Password Settings Objects
|
|
What are PSOs?
|
Password Settings Objects
|
|
How are PSOs applied?
|
by linking them to global security groups or users
|
|
How many PSOs can help determine password settings for a group or user?
|
only one
|
|
What is a resultant PSO?
|
the PSO that takes effect on a group or user
|
|
What happens if a PSO is linked to a group, and another PSO is linked to a user in the group?
|
the PSO linked directly to the user takes effect
|
|
If there are multiple PSOs applied to a group or user, what determines which one is the resultant PSO?
|
its precedence value
|
|
With regard to PSOs, what is a precedence value?
|
a number greater than 0, with 1 having the highest precedence
|
|
How does Active Directory choose between two PSOs with the same precedence?
|
it selects the PSO with the lowest GUID
|
|
Can PSOs be linked to OUs?
|
no
|
|
What can be done to link a PSO to the users in an OU?
|
create a shadow group for the OU and link the PSO to the shadow group
|
|
Where do account logon events occur?
|
on the domain controller that authenticates the logon attempt
|
|
Where do logon events occur?
|
on the server or workstation that a user attempts to log on to
|
|
What default GPO makes a good location for a policy to audit account logon attempts?
|
the Default Domain Controllers GPO
|
|
What is an RODC?
|
a domain controller that maintains a copy of all objects but not password secrets
|
|
What determines which user accounts an RODC is allowed to cache?
|
the Password Replication Policy (PRP)
|
|
What is the purpose of giving a local Administrators group to RODCs?
|
it allows local support personnel to support an RODC without making them Domain Admins
|
|
What functional level is required to deploy RODC's?
|
forest functional level 2003 or greater
|
|
What two groups can change the forest functional level?
|
Domain Admins in the forest root domain or Enterprise Admins
|
|
What command is necessary if you are installing RODCs in a forest upgraded to 2008?
|
adprep /rodcprep
|
|
What are the requirements for an RODC's writeable partner?
|
it must be running Server 2008
|
|
What determines which users' credentials may be cached by an RODC?
|
Password Replication Policy
|
|
What happens if a user attempts to authenticate to an RODC but is not on the approved list?
|
the credentials are passed to another DC
|
|
What values determine who is, and who is not, allowed to authenticate to an RODC?
|
Allowed List and Denied List
|
|
What happens to a user who is on an RODC's Approved List and Denied List?
|
they are not cached by the RODC
|
|
What two groups are created to facilitate management of Password Replication Policy?
|
2 domain local groups: Allowed RODC Password Replication Group and Denied RODC Password Replication Group
|
|
Who is in the Allowed RODC Password Replication Group by default?
|
no one
|
|
Who is in the Denied RODC Password Replication Group by default?
|
security-sensitive accounts (admins, etc.)
|
|
Where can the Allowed List and Denied List for an individual RODC be configured?
|
in its Active Directory computer account
|
|
What feature supports local administration of RODCs?
|
administrative role separation
|
|
What command is used to configure administrative role separation?
|
dsmgmt.exe
|
|
Why is administrative role separation so useful for RODCs?
|
it grants administrative rights to a single RODC rather than all DCs
|
|
What tool is used to configure fine-grained password and lockout policies?
|
ADSI Edit
|
|
How can you prepare the environment for a non-administrative user to install an RODC at a branch office?
|
pre-stage the computer account and specify their user account as authorized to install
|