Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/65

Click to flip

65 Cards in this Set

  • Front
  • Back
The C: drive is running out of space. You would like to move the C:\Finances folder to the Fat32 formatted D: drive. Existing NTFS permissions should be kept on the folder following the move.

You want to accomplish this with the least amount of effort possible.

What should you do?
- Run the "convert" command, followed by the xcopy command.
- Run the "robocopy" command.
- Run the "copy" command followed by the "attrib" command.
- Run the "move" command.
- Run the "convert" command, followed by the xcopy command.

Explanation
Because the destination drive is not formatted with NTFS, you must first convert the destination drive to NTFS. Then use the xcopy of robocopy commands to copy the folder while retaining the NTFS permissions on the folder.

Copying or moving files or folders to another partition removes the NTFS permissions unless you use the xcopy or robocopy commands to preserve the ACL information.
Your Windows 7 computer has a folder named D:\SalesDocs. The folder has been shared with the sharename of SalesDocs. The D: drive is formatted with NTFS.

The following permissions have been configured for the folder:
NTFS permissions:
Users group = Allow-Read
Sales group = Allow-Modify

Share permissions:
Users group = allow-Read
Sales group = Allow-Change

Sally is a member of both the Users and Sales group. She needs to be able to read and modify all files in the SalesDocs shared folder except for the StyleGuide.doc file. Sally should be able to read StyleGuide.doc but not modify it.

What should you do?
- Disable permissions inheritance on StyleGuide.doc.
- Configure StyleGuide.doc to be a system file.
- Remove Sally from the Sales group.
- Set Sally's NTFS permission for StyleGuide.doc to Deny Write.
- Configure StyleGuide.doc to be a hidden file.
- Set Sally's NTFS permission for StyleGuide.doc to Deny Write.

Explanation
The best way to prevent Sally from modifying StyleGuide.doc without preventing authorized users from modifying it is to configure the NTFS permission for StyleGuide.doc to Deny Write for Sally.

Removing Sally from the Sales group would no longer let Sally edit other documents in the SalesDocs folder.

Section 5.2, 5.3
You have a Windows 7 laptop that is shared by three users. The computer is not a member of a domain.

Each user has been using EFS to encrypt their personal files on the laptop.

You would like to add your user account as a recovery agent so you cna recover any encrypted file encrypted by any user on the laptop. You would like to store the recovery keys on a smart card.

What should you do first?
- Have each user run "cipher /u"
- Add a Data Recovery Agent to the Encrypting File System policy.
- Run "cipher /rekey"
- Run "cipher /r"
- Run "cipher /r"

Explanation
To add a data recovery agent to encrypted files:
1. Run "cipher /r" to generate the recovery agent keys.
2. Add a Data Recovery Agent to the encrypting File System policy in the local security policy. use the certificate generated in step 1.
3. For each user, run the cipher /u command to update encrypted files and add the DRA to each file. Running this command updates only current user's files.

Run the "cipher /rekey" command to change the encryption keys used on files, for example if you want to update existing files to be encrypted using a certificate on a smart card.

Section 5.6
You have a computer running windows 7.

You want to configure windows to prompt for additional credentials whenever a sensitive action is taken.

What should you do?
- Edit User Account Control (UAC) settings.
- Enable and configure Windows Defender.
- Configure Windows Firewall with Advanced with Advanced Security settings
- Edit Windows Firewall settings.
- Edit User Account Control (UAC) settings.

Explanation
User Account control (UAC) prompts the user for credentials or permission in an effort to minimize the dangers of unwanted actions or unintended software installations.

Windows Firewall protects the system from network attacks. Windows Firewall with Advanced Security (WFAS) is a feature which provides advanced firewall settings beyond the program or service rules enforced by Windows Firewall. Windows Defender scans software for malicious code.

Section 3.6
The d:\ drive in your computer has been formatted with NTFS.

The Sales group on your computer has been given Allow Modify to the D:\Sales folder. The Mary user account is a member of the Sales group.

You want to accomplish the following:
* Mary should not be allowed access to the D:\Sales\2010sales.doc file.
* Mary should be able to read, write, and create new files int he D:\Sales folder.
* Your solution should nto affect the abilities of other Sales group members to access files in the D:\Sales folder.

What should you do?
- Remove Mary from the Sales group.
- Edit the properties for the file; assign Mary the Deny Full Control permission.
- Edit the properties for the folder; assign Mary the Deny Full Control permission.
- Edit the properties for the folder; assign the Sales group the Deny Full Control Permission.
- Edit the properties for the file; assign the Sales group the Deny Full Control permission.
- Edit the properties for the file; assign Mary the Deny Full Control permission.

Explanation
To prevent Mary from accessing the one file, assign the user account the Deny Full Control permission to the file. Deny permissions override Allow permissions. Because Mary is still a member of the Sales group, she will have access to the remaining files int he directory.

Removing Mary from the group or denying permission to the folder would prevent her from accessing all files in the folder. Denying permissions for the group would affect all group members and not just the one user.

Section 5.2
You work for a company with headquarters in Seattle and an office in Olympia.

The office in Olympia has 5 client computers, all running Windows 7. The Olympia office is connected to the Seattle office with a WAN link. All servers are located in the Seattle office, and shared files are stored on those servers.

You want to improve file access for users in the Olympia office to meet the following requirements:

* Copies of files should be saved on the client computers in the Olympia office.
* Only a single copy of each file should exist in the Olympia office.
* Files should only be transferred once from the Seattle office to the Olympia office (unless the file has changed).
* Copies of the files in the Olympia office should be shared and available to all computers in that office.
* Files should be encrypted during transit between the two offices.

Which features should you implement in the Olympia office?
- BranchCache
- Distributed File System (DFS)
- Offline Files
- DirectAccess
- BranchCache

Explanation
BranchCache is a feature which stores (i.e. caches) content in remote locations so that users in branch offices can access information more quickly. Content can be cached on a server, or on individual client computers that run Windows 7 Ultimate or Enterprise.

Offline files caches content on each client computer, with each client computer holding a copy of the cached files. Offline files on each client are not shared with other clients, and offline files only uses the local copy when the remote copy is offline.

The Distributed File System (DFS) is a file aching service, but requires a server to cache the content. DirectAccess is a VPN-like technology that allows for secure connections to a private intranet through the Internet.

Section 5.7
Your Windows 7 computer has two hard drives.
C: = 32.00 GB NTFS
D: = 2 GB FAT32

The C:\Finances folder and its contents have been encrypted.

You need to move the C:\Finances\Reports.xls file to the D: drive. You want the file to remain encrypted.

You want to accomplish this with the least amount of effort possible.

What should you do?
- Run the 'move' command.
- Run the 'copy' command followed by the attrib command.
- Run the 'robocopy' command.
- Run the 'convert' command followed by the 'xcopy' command.
- Run the 'convert' command followed by the 'xcopy' command.

Explanation
Because the destination drive is not formatted with NTFS, you must first convert the destination drive to NTFS. Then use the 'xcopy' or 'robocopy' commands to copy the file while retaining the encryption on the file. encrypted files copied or moved to another NTFS partition remain encrypted. Files copied or moved to a FAT32 partition are unencrypted.

Section 5.6
C:\ Windows\system32\netsh branchcache show status all

The above command was run and received the following output.

BranchCache service Status:
----------------------------
Service Mode = Hosted Cache Client (Set By Group Policy)
Current Status = Running
Service Start Type = manual
Hosted Cache Location = file1.mydomain.com (Set By Group Policy)

Local Cache Status:
-------------------------------------------
Maximum Cache Size = 5% of hard disk
Active Current Cache Size = 0 Bytes
Local Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub (Default)

Publication Cache Status:
----------------------------------------------
Maximum cache Size = 1% of hard disk
Active Current Cache Size = 0 Bytes
Publication Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub (Default)

Network Status:
---------------------------------------
Content Retrieval URL Reservation = Configured (Required)
Hosted Cache URL Reservation = Configured (Not Required)
SSL Certificate Bound To Hosted Cache Port = Not Configured (Not Required)
Content Retrieval Firewall Rules = Disabled (Required)
Peer Discovery Firewall Rules = Disabled (Required)
Hosted Cache Server Firewall Rules = Disabled (Not Required)
Hosted Cache Client Firewall Rules = Enabled (Required)

You have a computer that runs Windows 7 Ultimate.

You work out of a branch office with BranchCache configured. The configuration caches files on a server in the branch office. all file transfers should use encrypted communications.

You run the 'netsh' command on your client computer and see the output listed.

How should you modify the client configuration?
- Enable additional firewall rules.
- Change the service startup type to Automatic.
- Change the mode to Distributed Cache.
- Change the hosted cache location to https://file1.mydomain.com.
- Obtain an SSL certificate for the client.
- Enable additional firewall rules.

Explanation
You must configure additional firewall rules. Specifically, the 'Content Retrieval Firewall Rules' rule group show as 'Disabled', but should be enabled as indicated by the <Required> status. Other disabled firewall rule groups are not required when you use the 'netsh' command to configure BranchCache, firewall rules are automatically configured to allow the necessary ports. When using Group policy, you must enable the firewall rules using the Windows Firewall with Advanced Security or through Group Policy.

When configured in Hosted Cache mode, the client computer must be configured with the FQDN of the hosted cache server (the server int he branch office). The FQDN should not begin with http:// or https://.

The BranchCache service does not need to be constantly running; it is started automatically when BranchCache is used by the client. Distributed Cache mode caches content on client computers, not a central server.

An SSL certificate is not required. Only items designated as <Required> are necessary for the BranchCache configuration. Items designated <Not Required> are not needed fro successfully running BranchCache.

Section 5.7
You work for a company with headquarters in Seattle and an office in Olympia.

A single server in the Seattle office runs Windows Server 2008 R2 and holds all shared files for the company.

The office in Olympia has 5 client computers, all running Windows 7. The Olympia office is connected to the Seattle office with a WAN link.

you want to implement BranchCache in the Olympia office using Hosted Cache mode.

Which of the following vest describes the infrastructure requirements?
- Clients running Windows 7 Ultimate or Enterprise; server running Windows Server 2008 R2 in Olympia
- Clients running Windows 7 Ultimate or Enterprise; Active Directory Certificate Services
- Clients running Windows 7 Ultimate or Enterprise
- Clients running Windows 7 Ultimate or Enterprise; server running Windows Server 2008 R2 in Olympia; Active Directory Certificate Services
- Clients running Windows 7 Ultimate or Enterprise; server running Windows Server 2008 R2 in Olympia; Active Directory Certificate Services

Explanation
In Hosted Cache mode the data is cached on a BranchCache-enabled server in the branch office. hosted Cache mode uses Active Directory Certificate Services. To use any mode of BranchCache, clients must be running Windows 7 Ultimate or Enterprise.

Section 5.7
You have a computer running Windows 7 Professional.

The computer is used by several people. You want to prevent users from reusing old passwords. you also want to force them to use a new password for at least 5 days before changing it again.

What should you do?
- Set the 'password complexity' policy.
- Set the 'maximum password age' policy.
- Set the 'enforce password history' policy.
- Set the 'minimum password age' policy.
- Set the 'enforce password history' policy.
- Set the 'minimum password age' policy.

Explanation
Set the 'Enforce password history' policy to prevent users from reusing old passwords. Set the 'minimum password age' policy to prevent users from changing passwords too soon. Passwords must remain the same for at least the time period specified.

Use the 'Maximum password age' policy to force periodic changes to the password. After the maximum password age has been reached, the user must change the password. Use the 'Password complexity' policy to require that passwords include letters, numbers, and symbols. This makes it harder for hackers to guess or crack passwords.

Section 5.1
You have a laptop running windows 7 Professional. The computer is a member of the mydomain.local Active Directory domain.

You take your laptop home and use it on your home network. You would like to create a Homegroup from your laptop that can be used on your home network.

What should you do?
- Set the network location for the connection to Home.
- Set the network location for the connection to domain.
- Disjoin your computer from the domain.
- Upgrade the computer to Windows 7 Ultimate.
- Disjoin your computer from the domain.

Explanation
In this scenario, you will need to disjoin the domain. a better solution would be to create the HomeGroup on a different computer on the home network. To create a HomeGroup:
* The computer must be running windows 7 Home Premium or higher.
* The computer cannot be a domain member.
* The network location type must be set to Home.
* No other HomeGroups can exist on the network.

Simply setting the network location to Home would be insufficient because the computer would still be a domain member.

To join a HomeGroup:
* The computer must be running Windows 7 (any edition).
* The network location type for the network connection must be set to Home.
* Network Discovery must be on.

Domain member computers can join a HomeGroup, but cannot share resources with the HomeGroup.

Section 5.3
You have configured BranchCache on client computers in your branch office to use Distributed Cache mode.

You want to view the status of the BranchCache configuration on a Windows 7 client computer.

What should you do?
- In the Network and Sharing Center, view the Advanced sharing settings.
- At a command prompt, run the 'Netsh' command with the appropriate BranchCache parameters.
- Run 'Msconfig' and examine the settings for the BranchCache service.
- View the Advanced system settings in system Properties.
- At a command prompt, run the 'Netsh' command with the appropriate BranchCache parameters.

Explanation
To view the status of BranchCache, run the 'netsh branchcache show status' command. the command shows whether BranchCache is enabled, the operating mode, cache settings, and firewall settings.

Section 5.7
You Windows 7 computer has a shared folder named Reorg. The folder contains sensitive information about planned changes in the personnel structure.

You configure permissions on the folder to deny access to unauthorized users.

You want to prevent users from seeing this share when they browse the computers on the network. You still need to allow access to users who are authorized to use the share.

What should you do?
- Stop sharing the folder. Share the folder again as Reorg$ with the same permissions as before.
- Share the same folder using Reorg$ as a different share name.
- Rename the share as Reorg$.
- Add the hidden attribute to the folder.
- Stop sharing the folder. Share the folder again as Reorg$ with the same permissions as before.

Explanation
A share name that ends with a $ is a hidden share, and will not be displayed when browsing the network. However, shares can't be renamed, so the old share must be removed and a new share must be created.

Changing the properties of the folder won't change the properties of the share (except that changing the name or location of the folder will cause it to be not shared), so renaming the folder doesn't do what we want and adding the hidden attribute doesn't either. Simply sharing the folder with a different name but without removing the existing share would result in two shares, one a hidden share and the other a regular share.

Section 5.3
You manage a Windows 7 computer.

For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the Allow Modify NTFS permissions.

You need to move the file from the existing folder to the D:\Confidential folder. you want to keep the existing NTFS permission on the file. You want to accomplish this with the least amount of effort possible.

What should you do?
- Move the file to the new folder.
- Copy the file to the new folder. Run the 'icacls' command. Delete the original file.
- Copy the file to the new folder. Delete the original file.
- Run the 'icacls' command. delete original file.
- Move the file to the new folder.

Explanation
When you move a file or a folder to a different location on the same NTFS partition, NTFS permission are retained.

Copying the file removes any explicit permission set on the file unless you use the 'xcopy' or 'robocopy' commands. Use the 'icacls' command to configure NTFS permissions from the command prompt. While you could reconfigure the NTFS permissions after copying the file, that would require more effort than simply moving the file.

Section 5.2
An employee has a Windows 7 laptop.

The employee has just been fired, but not before he assigned Deny Full control permission to Everyone to all the files and folders on the laptop.

All users, including you, are now blocked from accessing these important files.

You are the administrator and you need to make these files available as quickly as possible.

What should you do?
- Take ownership of the files, and change the permissions.
- Log on as Administrator, and change the permissions on the files.
- Restore the volume from backup, and specify Full control for Everyone permissions on the restored files.
- Log on as a local user with administrative rights. Local users are not members of domain users by default.
- Take ownership of the files, and change the permissions.

Explanation
The owner of a file can always change the NTFS permission, even when specifically denied access to the file itself. The Administrators group has the take ownership permission, which allows you to become the owner of the affected files, and from there change the permissions.

Simply logging on as Administrator will not allow you to change the permissions, because Administrator is a member of the Domain Users. restoring from backup will allow you to remove the existing permissions, but is not the fastest way to do so.

Section 5.2
You manage a laptop that runs Windows 7.

To increase security for the laptop while traveling, you decide to require a smart card for logon. You also want users to be logged off automatically when the smart card is removed.

What should you do?
- Edit settings in Credential manager.
- In Computer Management, edit the user account properties.
- Edit settings in the local security policy.
- Configure BitLocker using the TPM and PIN
- Edit settings in the local security policy.

Explanation
To require a smart card for logon and control what happens when the smart card is removed, edit the local security policy settings. Smart card policies apply to the computer, not a user. When a smart card is required for logon, no one can log on without a smart card.

Use credential manager to store alternate logon credentials for specific resources. To use certificates with Credential manager, the certificate must be added to your personal store (with a smart card, the certificate remains on the smart card). Edit a user account to force a user to change the password, enable or disable the user account, or unlock a locked account. Use BitLocker to encrypt the hard drive contents. BitLocker stores encryption keys in the TPM and can use a PIN on a USB device to allow access to encrypted drives. However, unlocking the drive occurs before logon and does not affect logon once the drive has been unlocked.

Section 1.5 and 5.1
You have a Windows 7 laptop that is shared by three users. The computer is a member of a domain.

Each user has been using EFS to encrypt their personal files on the laptop.

You would like to add your user account as a recovery agent so you can recover any encrypted file encrypted by any user on the laptop. You would like to store the recovery keys on a smart card.

You install a smart card reader and obtain a new smart card with a certificate that can be used for EFS recovery. You add a data recovery agent using Group Policy.

What should you do next?
- Have each user add your user account as an authorized user.
- Have each user run 'cipher /rekey'
- Run 'cipher /r'
- Run 'rekeywiz'
- Have each user run 'cipher /u'
- Have each user run 'cipher /u'

Explanation
To add a data recovery agent to encrypted files:
1. Run 'cipher /r' to generate the recovery agent keys. You do not need to perform this step if you already have a certificate you will use for the data recovery agent.
2. Add a Data Recovery Agent to the Encrypting File System policy in Group Policy. Use the certificate generated in step 1.
3. for each user, run the 'cipher /u' command to update encrypted files and add the DRA to each file. running this command updates only the current user's files.

Run the 'cipher /rekey' command to change the encryption keys used on files, for example, if you want to update existing files to be encrypted using a certificate on a smart card. Adding a user as an authorized user to a file allows that user to read and write to encrypted files; this is not the way that you can identify a data recovery agent.
You have a computer running windows 7 Ultimate.

You want to modify the default settings for UAC to meet the following criteria:

* Prompts should be shown when programs make changes to your computer and when you make changes to windows settings.
* The desktop should not be dimmed and locked out, but should allow you to continue working in other applications without responding immediately to the prompt.
* Settings should apply to all standard users.

What should you do?
- Set the UAC notification level to Control Panel to 'Notify me only when programs try to make changes to my computer (do not dim the desktop).'
- Enable the 'Allow UIAccess applications to prompt for elevation without using secure desktop' setting in group policy.
- Disable the 'Switch to the secure desktop when prompting for elevation' setting in Group Policy.
- Set the UAC notification level to Control Panel to 'Never notify'.
- Disable the 'Switch to the secure desktop when prompting for elevation' setting in Group Policy

Explanation
Disable the 'Switch to the secure desktop when prompting for elevation' setting in Group Policy to meet the criteria. With the Secure Desktop, the desktop and all active applications are darkened, and the prompt appears over the shaded desktop. You must respond to the prompt before you can continue with the requested operation or return to the desktop. The Secure Desktop prompt will be displayed for 150 seconds, after which the request for privilege elevation is automatically denied.

The 'Allow UIAccess applications to prompt for elevation without using secure desktop' setting in Group Policy turns Secure Desktop off for remote assistance helpers during a remote assistance session.

Setting the UAC notification level in Control Panel to 'Notify me only when programs try to make changes to my computer (do not dim the desktop)' turns off Secure Desktop, but also disables prompts when you make changes to Windows settings. Setting the UAC notification level in Control Panel to 'Never notify' would turn Secure Desktop off but not retain all of the UAC prompts.

Section 3.6
You manage a Windows 7 computer.

You need to control access to the D:\Reports folder as follows:
* Members of the Accounting group should be able to open and view all files, edit them, and new files, and rename and delete files.
*Mary needs to be able to open and view files, but should not be able to modify the files, rename files, or delete them

Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible.

What should you do?
- Remove Mary from the Accounting group, Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group. Assign Allow Read & execute, List folder contents, and Read to Mary
- Remove Mary from the Accounting group. Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group. Assign Allow Read &execute, List folder contents, and Read to Mary.
- Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group. For the Mary user account, Deny the Modify permission.
- Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group. For the Mary user account, Deny the Write permission.
- Remove Mary from the Accounting group, Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group. Assign Allow Read & execute, List folder contents, and Read to Mary

Explanation
Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group to allow group members to open, edit, add, and delete files in the directory. As a member of the Accounting group, Mary receives the same permissions to the folder as the group. To prevent Mary from receiving the Modify permission, you will need to remove Mary from the group and grant her the necessary permissions.

You cannot deny Mary the Modify permission, as this would also deny her other permissions (such as Read). When you deny the Write permission, only the Write permission is denied, but denying the Modify permission also denies all other permissions.

Section 5.2
C:\Windows\system32> netsh branchcache show status all

BranchCache Service Status:
--------------------------------------
Service Mode = Hosted Cache Client (Set By Group Policy)
Current Status = Running
Service Start Type = Manual
Hosted Cache Location = http://file1.mydomain.com (Set By Group Policy)

Local Cache Status:
-----------------------------
Maximum Cache Size = 5% of hard disk
Active current Cache Size = 0 Bytes
Local Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub ( Default)

Publication Cache Status:
-------------------------------------
Maximum Cache Size = 1% of hard disk
Active Current Cache Size = 0 Bytes
Publication Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub (Default)

Networking Status:
-----------------------------
Content Retrieval URL Reservation = Configured (Required)
Hosted Cache URL Reservation = Configured (Not Required)
SSL Certificate Bound to Hosted Cache Port = Not configured (Not Required)
Content Retrieval Firewall Rules = Enabled (Required)
Peer Discovery Firewall Rules = Disabled (Not Required)
Hosted Cache Server Firewall Rules = Disabled (Not Required)
Hosted Cache Client Firewall Rules = Enabled (Required)

You have a computer that runs windows 7 Ultimate.

You work out of a branch office with BranchCache configured. The configuration caches files on a server in the branch office. Only HTTP and not SMB traffic is cached on the server. All file transfers should use encrypted communications.

you run the 'netsh' command on your client computer and see the output listed in the image.

How should you modify the client configuration?
- Enable additional firewall rules.
- Change the hosted cache location to https://file1.mydomain.com
- Change the service startup type to Automatic.
- Change the hosted cache location to file1.mydomain.com.
- Change the mode to Distributed Cache.
- Change the hosted cache location to file1.mydomain.com.

Explanation
When configured in Hosted Cache mode, the client computer must be configured with the FQDN of the hosted cache server (the server in the branch office). The FQDN should not begin with http://.

The BranchCache service does not need to be constantly running; it is started automatically when BranchCache is used by the client. Distributed Cache mode caches content on client computers, not a central server.

An SSL certificate or additional firewall rules are not required. Only items designated as (Required) are necessary for the BranchCache configuration. Items designated (Not Required) are not needed for successfully running BranchCache.

Section 5.7
You have two computers that run Windows 7 Professional: Comp1 and COmp2. Both computers are members of a domain.

You have a domain user account named EFS-Recovery.

You use the user account to recover some files on Comp1.

You need to recover some files on Comp2, but are unsuccessful.

What should you do?
- Copy the file from COmp2 to a FAT32 partition.
- Take ownership of the file on Comp2.
- On Comp2, run 'cipher /rekey'
- Export the recovery agent keys from Comp1 and import them to Comp2.
- Export the recovery agent keys from Comp1 and import them to Comp2.

Explanation
To recover a file using the data recovery agent, the DRA keys must be accessible to the local computer. You can export and import the keys, or place the keys on a smart card to allow you to move from computer to computer to recover files.

You will not be able to copy the file without having the keys of the original user or the DRA. Run 'cipher /rekey' to change the key used to encrypt all files. Taking ownership of the file does not affect your ability to encrypt or decrypt files.
Your Windows 7 computer has two hard drives: C: and D:.

For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the Allow Modify NTFS permissions.

You need to move the file from the existing folder to the C:\Reports2 folder. You want to keep the existing NTFS permission on the file. You want to accomplish this with the least amount of effort possible.

What should you do?
- Using Windows Explorer, copy the file to the C:\Reports2 folder.
- Using Windows Explorer, move the file to the C:\Reports2 folder. Reconfigure the NTFS permissions on the file.
- Use Windows Explorer, move the file to the C:\Reports2 folder.
- Use the robocopy command to copy the file to the C:\Reports2 folder.
- Use the robocopy command to copy the file to the C:\Reports2 folder.

Explanation
If you copy or move a file to a different NTFS partition, the explicit permissions will be removed. use the robocopy or xcopy command line utilities to copy files while maintaining the NTFS permissions (even when copying between partitions).

While you could reconfigure the NTFS permissions after moving the file, that would require more effort than simply copying the file with the NTFS permissions.

Section 5.2
You manage a Windows 7 computer with an attached printer.

You share the printer using a share name of Printer1.

You assign the Allow Print permission for the printer to the Sales group. However, you discover that users who are not members of this group can print to the printers.

You want only members of the Sales group to print to Printer1.

What should you do?
- Assign Everyone the Deny Print permission to the printer.
- Create a second printer that refers to the same print device. Grant permission to print to the printer to the Sales group only.
- Remove CREATOR OWNER from the printer's access control list.
- Remove Everyone from the printer's access control list.
- Remove Everyone from the printer's access control list.

Explanation
By default, Everyone has the Allow Print permission to a printer. To prevent everyone from printing to a printer, you need to remove the Everyone security principle from the printer's access control list. Add only the users and groups that should be able to print to the printer. Grant the users and groups the Allow Print permission.

Denying the Print permission to Everyone would prevent anyone from printing (deny overrides allow). Removing CREATOR OWNER would prevent users from managing their own print documents in the queue. Creating a second printer would not solve the problem because the original printer object would still exist.

Section 5.4
You have a computer running Windows 7 Professional.

The computer is used by several people. You want to require users to create passwords that are at least 10 characters long. You also want to prevent logon after three unsuccessful logon attempts.

You need to use Local Security Policy to configure specific account policies.

What should you do? (Select two. Each answer is a required part of the solution.)
- Set the 'minimum password length' policy.
- Set the 'account lockout duration' policy.
- Set the 'enforce password history' policy
- Set the 'account lockout threshold' policy
- Set the 'password complexity' policy.
- Set the 'minimum password length' policy.
- Set the 'account lockout threshold' policy

Explanation
Set the Minimum password length policy to require a password equal to or longer than the specified length. Se the 'Account lockout threshold' policy to lock an account after the specified number of incorrect logon attempts.

Incorrect policy choices for this scenario are:

*Enforce password history requires users to input a unique (previously unused) password when changing the password. This prevents users from reusing previous passwords.
* Password complexity prevents using passwords that are easy to guess or easy to crack. It forces passwords to include letters, symbols, and numbers, and also requires passwords of at least 7 characters. However, you cannot configure a longer password length requirement with this policy.
* Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically.
C:\Windows\system32>netsh branchcache show status all

BranchCache Service Status:
----------------------------------------
Service Mode = Distributed caching
Serve peers on battery power = disabled
Current Status = Running
Service Start Type = Manual
This machine is not configured as a hosted cache client.

Local Cache Status:
------------------------------------------
Maximum Cache Size = 5% of hard disk
Active Current Cache Size = 0 Bytes
Local Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistRepub (Default)

Publication Cache Status:
-----------------------------------------------------
Maximum Cache Size = 1% of hard disk
Active Current Cache Size = 0 bytes
Publication Cache Location = C:\Windows\ServiceProfiles\NetworkService\AppData\Local\PeerDistPub (Default)

Networking Status:
-----------------------------------------------
Content Retrieval URL Reservation = Configured (Required)
Hosted Cache URL Reservation = Configured (Not Required)
SSL Certificate Bound To Hosted Cache Port = Not Configured (Not Required)
Content Retrieval Firewall Rules = Enabled (Required)
Peer discovery Firewall Rules = Enabled (Required)
Hosted Cache Server Firewall Rules = Disabled (Not Required)
Hosted Cache Client Firewall Rules = Enabled (Not Required)

You have a computer that runs Windows 7 Ultimate.

You work out of a branch office with BranchCache configured. The configuration caches files on a server in the branch office.

You run the 'netsh' command on your client computer and see the output listed above.

How should you modify the client configuration?
- Increase the publication cache size.
- Change the mode to Hosted Cache.
- Change the service startup type to Automatic.
- Obtain an SSL certificate for the client.
- Enable additional firewall rules.
- Change the mode to Hosted Cache.

Explanation
Your BranchCache solution is configured to use Hosted Cache mode, with content being cached on a server in the branch office. Based on the output, the operating mode for the client is Distributed Cache mode (see the Service Mode line).

The BranchCache service does not need to be constantly running; it is started automatically when BranchCache is used by the client.

An SSl certificate or additional firewall rules are not required. Only items designated as (Required) are necessary for the BranchCache configuration. Items designated (Not Required) are not needed for successfully running BranchCache.

Section 5.7
You manage a Windows 7 computer.

You need to control access to the D:\Reports folder as follows:

*Members of the Accounting group should be able to open and view all files, edit them, and add new files. They should not be able to delete or rename files.
* Mary needs to be able to open and view files, but should not be able to modify.

Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible.

What should you do?
- Remove Mary from the Accounting group. Assign Allow Read & execute, List folder content, Read, and Modify to the Accounting group. Assign Allow Read & execute, List folder contents, and Read to Mary.
- Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group. For the Mary user account, Deny the Write permission.
- Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group. For the Mary user account, Deny the Write permission.
- Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group. For the Mary user account, Deny the Modify permission.
- Remove Mary from the Accounting group. Assign Allow Read & execute, List folder contents, Read, and Write to Accounting group. Assign Allow Read & execute, List folder contents, and Read to Mary.
- Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group. For the Mary user account, Deny the Write permission.

Explanation
Assign Allow Read & execute, List folder contents, Read, and Write to the Accounting group to allow group members to open, edit, and add files in the directory. As a member of the Accounting group, Mary receives the same permissions to the folder as the group. To prevent Mary from editing files in the directory, you can simply Deny Mary the Write permission. This preserves the Read & execute. List folder contents, and Read permissions she receives from the Accounting group.

Removing Mary from the group and assigning the appropriate permissions would work, but might also prevent her from having the necessary permissions she needs that she might have received to other resources as a member of the Accounting group. The Modify permission includes all permissions expect Full Control, and allows users to delete and rename files.
You have several Windows 7 computers in a domain network.

When you install software on the new computers, you discover that it does not run because User Account control (UAC) causes it to fail. Because the accounting program was designed by the company and it will not be upgraded anytime soon, you must get it to work as is with UAC.

What can you do to get the application to work with UAC? (Choose the best solution.)
- Disable UAC.
- Disable UAC, install the software, then run-enable UAC.
- Alter the program settings to 'Run this program as an administrator'
- Upgrade the application to a Windows 7 compatible version
- Alter the program settings to 'Run this program as an administrator'

Explanation
in this case, you should run the application with administrator credentials, allowing it to run without UAC notifications.

Disabling UAC affects the entire system, not just for the one application, Disabling UAC, installing the software, then re-enabling UAC does not affect the UAC prompts when the program runs.

Section 3.6
You have a laptop running Windows 7 Professional. The computer is a member of the mydomain.local Active Directory domain.

You travel to a branch office in your company. The branch office has 5 computers running Windows 7 Ultimate edition. Computers in the branch office are not domain members. All computers use a HomeGroup for file sharing.

You want to join the HomeGroup in the branch office.

What should you do?
- Set the network location for the connection to Domain.
- Change the workgroup name to match the workgroup name used by other computers on the network.
- Upgrade the computer to Windows 7 Ultimate.
- Set the network location for the connection to Home.
- Set the network location for the connection to Home or Work
- Set the network location for the connection to Home.

Explanation
To join a HomeGroup:
* The computer must be running Windows 7 (any edition).
* The network location type for the network connection must be set to Home. If the network type is set to Work or automatically configured as Domain, the option to join a HomeGroup will be disabled.
* Network Discovery must be on.

Domain member computers can join a HomeGroup, but cannot share resources with the HomeGroup. You can join a HomeGroup from any computer running any edition of Windows 7, but can only create a HomeGroup if the computer is running Windows Home Premium or higher. The workgroup name has no effect on the ability to join a HomeGroup (domain member computers cannot set the workgroup name anyways).

Section 5.3
You have a computer running windows 7 Enterprise. The computer is a member of a domain.

A file server on the network named Server 1 runs Windows Server 2008 R2.

You log on to the computer by using an account named Mary.

With the least amount of effort possible, you need to ensure that every time you connect to a shared folder on Server1, you authenticate by using an account named Admin.

What should you do?
- From Credential manager, select 'Add a Windows credential.'
- From user Accounts, select 'Link online IDs.'
- From Local Security Policy, modify the 'Access this computer from the network' user right.
- From the command line, run the 'runas /user:admin command.
- From Credential manager, select 'Add a Windows credential.'

Explanation
Use Credential Manager to save the Admin credentials for the network share. Credential Manger stores account credentials for network resources, such as file servers and Web sites. Once saved, Credential Manager uses the same credentials every time the user tries to access the network resource.

You must use the /savecred option with the runas /user:admin command to save the credentials to ensure that you authenticate to the network share as Admin. Without the /savecred option, you would spend extra effort when subsequently connection to the network share. Using the Local Security Policy to adjust the Access this computer from network user right will only affect this computer, and not the network share. Online identity integration allows users to link their Windows 7 authentications credentials to Windows Live, and possibly other providers in the future (such as Bing and MSN).

Section 5.1
You have a Windows 7 computer.

You use the computer at home with a small network used by members of your family.

you want to share the contents of a folder with other users over your network. most users should have read-only access, but you want to explicitly deny access to other users.

you want to configure the permissions using the least amount of effort possible.

What should you do?
- Create a HomeGroup. Right-click the folder and select 'Share with Nobody,' then right-click the folder and select 'Share with HomeGroup(Read)'.
- Right-click the folder and select 'Properties'. Configure NTFS permissions on the 'Security' tab.
- Right-click the folder and select 'Share with Specific people....'
- Right-click the folder and select 'Properties'. Configure Advanced Sharing on the 'Sharing' tab.
- Right-click the folder and select 'Properties'. Configure Advanced Sharing on the 'Sharing' tab.

Explanation
To configure both allow and deny permissions, you will need to configure advanced share permissions. Right-click the folder and select Properties. On the Sharing tab, click 'Advanced Sharing...' to configure the share permissions.

Sharing the folder with nobody, then sharing the folder with a HomeGroup results in HomeGroup sharing being configured. When sharing the folder with a HomeGroup or with specific users (simple sharing), you can only configure allow and not deny permissions.

Section 5.3
You can manage encrypted files or folder using the 'Cipher' command.

Describe each command line's behavior.

Cipher
Cipher /k
Cipher /r
Cipher /rekey
Cipher /u
Cipher by itself displays the encryption state of a folder or the files it contains.

Cipher /k creates a new file encryption key for the user running Cipher.

Cipher /r generates recovery agent keys.

Cipher /rekey changes the certificate used to encrypt files.

Cipher /u updates (or adds) encryption keys or recovery agent keys if they have changed.

Section 5.6
You have a laptop running Windows 7 Ultimate edition.

You have been encrypting files on your computer using EFS and a self-signed certificate.

You now want to protect your encrypted files using a certificate on a smart card. You install a smart card reader and obtain a smart card with a new certificate.

You want to make sure that all encrypted files use the certificate on the smart card.

What should you do first?
- Run 'cipher /r'
- Run 'rekeywiz'
- Add a data recovery agent using the smart card certificate to the local security policy.
- Unencrypt all encrypted files
- Run 'rekeywiz'

Explanation
When changing the certificate used to encrypt files, run 'rekeywiz' or 'cipher /rekey'. This updates all encrypted files using the new certificate.

You do not need to unencrypt files to change the certificate used for encryption. Use the 'cipher /r' command to generate data recovery agent keys. A recovery agent is a user who can unencrypt files if the original user's keys are lost or unavailable. While a data recovery agent is recommended, it is not required to be able to use a smart card for encryption.

Section 5.6
On your Windows 7 computer, you share the D:\Promo folder using a sharename of Promo.

The share has been assigned the following permissions:
User/Group Permission
----------------------------------------
Telesales group = Allow Read
Training group = Deny Full Control
Managers group = Allow Change
Mary user = Allow Change

The Mary user account is a member of the Training group. NTFS permissions allow all access.

Mary needs to be able to edit documents in the shared folder but cannot. You need to modify the share permissions to allow her the necessary access.

What should you do? (Choose two. each choice is a possible solution.)
- Remove the 'Mary' user account from the 'Managers' group.
- Change the permission for the 'Mary' user account to Allow Full Control.
- Change the 'Training' group permission to allow Read.
- Add the 'Mary' user account to the 'Administrators' group.
- Remove the 'Mary' user account from the 'Training' group.
- Change the 'Training' group permission to allow Read.
- Remove the 'Mary' user account from the 'Training' group.

Explanation
The Deny Full Control permission on the Training group prevents all of its members from accessing the share. Because Mary is a member of the group, she will be denied access. You can allow access for Mary by:

*Removing the user account from the 'Training" group.
* Changing the permissions for the Training group to Allow Read. Mary would then have the cumulative permissions assigned to the group and to her user account.

Section 5.2, 5.3
Rodney, a user in the research department, uses a Windows 7 Professional laptop computer with a single NTFS volume.

Rodney recently left the company on short notice. Rodney's manager, Kate, wants access to all of Rodney's files.

You make Kate's account an administrator for Rodney's computer and give her the computer. Later, Kate informs you that she cannot open one of Rodney's documents, receiving an access denied message.

you realize that Kate is trying to access a file that Rodney encrypted using EFS. You want to let Kate open the file.

What should you do?
- Instruct Kate to use the 'Robocopy' command to copy the file to a FAT 32 partition to remove the encryption.
- Log on to the laptop using an account with KRA privileges. Clear the Encrypt attribute on the file.
- Log on to the laptop using an account with DRA privileges. Clear the Encrypt attribute on the file.
- Give Kate the Allow Full Control permission to the problem file. Have her clear the Encrypt attribute for the file.
- Log on to the laptop using an account with DRA privileges. Clear the Encrypt attribute on the file.

Explanation
To decrypt the file, log on as a data recovery agent (DRA) and remove the Encrypt attribute for the file. Once a file is encrypted using EFS, only the following users can access the file:

* The user who encrypted the file (the file owner).
* Any additional users designated by the file owner.
* A data recovery agent

Changing NTFS permissions for Kate will not allow her to open encrypted files. Only the file owner or a DRA can move or copy an encrypted file to an unencrypted location. With Robocopy, an unauthorized user can copy the file, but it can only be used to copy the file with encryption intact. A key recovery agent (KRA) is someone who can recover lost keys; a KRA cannot recover encrypted files.

Section 5.6
You manage a Windows 7 computer.

You need to control access to the D:\Reports folder as follows:

* Members of the Accounting group should be able to open and view all files but not modify them.
* Mary needs to be able to modify existing files in the folder, add new files to the folder, but should not be able to delete or rename files.

Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible.

What should you do?
- Assign Allow Read & execute, List folder contents, and Read to the Accounting group. Assign Allow Modify to Mary.
- Assign Allow Read & execute, List folder contents, and Read to the Accounting group. Assign Allow Write to Mary.
- Remove Mary from the Accounting group. Assign Allow Read & execute, List folder contents, and Read to the Accounting group. Assign Allow Modify to Mary.
- Remove Mary from the Accounting group. Assign Allow Read & execute, List folder contents, and Read to the Accounting group. Assign Allow write to Mary.
- Assign Allow Read & execute, List folder contents, and Read to the Accounting group. Assign Allow Write to Mary.

Explanation
Assign Allow Read & execute, List folder contents, and Read to the Accounting group to allow group members to view and open files int he directory. Assign the Write permission to Mary to allow her to modify existing files and add new files. As a member of the Accounting group, Mary will have all permissions assigned to the group, plus the Write permission assigned to her user account.

The modify permission allows users to delete files int he directory in addition to reading and editing existing files. You do not need to remove Mary from the group before assigning her additional permissions; if you wanted fewer permissions for Mary, you would need to remove her from the group or possibly Deny extra permissions.

Section 5.2
On your windows 7 computer, you share the D:\Apps folder using a sharename of Apps.

You need to configure permission to the share as follows:

* Members of the 'Appusers' group should be able to open and view files in the shared folder.
* Users 'JohnS' should not have any access to files in the shared folder. 'JohnS' is a member of the 'Appusers' group.

You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible.

What should you do?
- Remove 'JohnS' should not have any access to files in the shared folder. 'JohnS' is a member of the 'Appusers' group.
- Assign Allow Read permission for each user in 'Appusers' except 'JohnS'
- Assign Allow Read permission to 'Appusers', and assign Deny read permission to 'JohnS'.
- Assign Allow Read permission for all user accounts that are members of the 'Appusers' group. Disable the 'JohnS' account.
- Assign Allow Read permission to 'Appusers', and assign Deny read permission to 'JohnS'.

Explanation
Assign Allow Read to the 'Appusers' group to give them read-only access. To prevent 'JohnS' from having access, assign the 'JohnS' user deny Read permission. The Deny permission assigned to the user override the Allow permission assigned to the group.

Although each of these choices will result in members of the group 'Appusers' having access to the share and the user 'JohnS' not having access, only one does so without producing unwanted side effects. If the account 'JohnS' is disabled, that user will be unable to log into the domain and will be unable to access any domain resources. If we assign Read permission to each user individually, and membership in the group changes, the share permissions will not adjust accordingly (for example, if a user were removed from the 'Appusers' group, they would still have access to the share). Removing 'JohnS' from the group may remove the user's access to other resources that have been granted through the group.

Section 5.3
You manage a Windows 7 computer.

The computer has a printer shared with the name of Printer1.

you need to modify the permissions that apply to the shared printer for network users.

What should you do?
- In Devices and Printers, right-click the printer and select 'Printer properties.' Edit the 'security' settings.
- In devices and Printers, right-click the printer and select 'Printer properties.' edit the 'Device Settings' settings.
- In Devices and Printers, right-click the printer and select 'Printer properties.' Edit the 'Advanced settings.
- In Devices and Printers, right-click the printer and select 'Printer properties.' Edit the 'Sharing settings.
- In Devices and Printers, right-click the printer and select 'Printer properties.' Edit the 'security' settings.

Explanation
To modify printer permissions (for both local and network access), edit the settings on the Security tab of the printer properties.

Section 5.4
You have a computer that runs Windows 7.

You attempt to execute a program in the 'C:\Program Files\AccWiz' directory, but you receive a prompt to elevate your privileges.

You need to execute the program without receiving a prompt for elevated privileges. you also need to prevent harmful applications from making unwanted changes to the system.

What should youd do?
- Use 'runas.exe' to execute the program in the 'C:\Program Files\AccWiz directory'.
- Modify the User Account Control (UAC) settings.
- Modify the permissions of the 'C:\Program Files\AccWiz' directory.
- Add your user account to the local Power Users group.
- Use 'runas.exe' to execute the program in the 'C:\Program Files\AccWiz directory'.

Explanation
to avoid receiving a prompt for elevated privileges, use 'runas.exe', you will not need to re-enter the credentials.

Changing the User Account Control (UAC) settings to not show prompts for elevated credentials will also allow harmful applications to make unwanted changes to the system. Modify the permissions of 'C:\Program Files\AccWiz' directory to enable reading, writing, changing, and deleting files, folders and subfolders, and changing the permissions and ownership on files and folders. Windows 7 no longer uses the Power Users group (no rights are assigned to the Power users group), although it still exists for backwards compatibility with earlier versions of Windows.

Section 5.1
You manage a computer that runs Windows 7.

The computer has a shared printer named Printer1.

You want to let Chad pause, restart, and delete print jobs on the printer. Chad should not be allowed to delete the printer or change its properties. Chad is a member of the 'Sales' group. Currently, the Everyone group has the Allow Print permission to the printer.

What should you do?
- Assign the 'Sales' group the Allow Mange Printers permission to the printer.
- Assign Chad the Allow Manage Documents permission to the printer.
- Assign Everyone the Allow Manage documents permission to the printer.
- Assign Chad the Allow Manage Printers permission to the printer.
- Assign Everyone the Allow manage Printers permission to the printer.
- Assign the 'Sales group the Allow manage documents permission to the printer.
- Assign Chad the Allow Manage Documents permission to the printer.

Explanation
The Manage Documents permission lets a user pause, restart, and delete print jobs without giving permission to edit the printer's properties or delete the printer. You should grant chad this permission. Giving this permission to a group will give this permission to unnecessary users.

Section 5.4
---------------------------------
Windows Security
Encrypting File System
To share file access with other users, select their certificate from the list and click OK.

Mary
Issuer: Mary
Valid From: 5/26/2010 to 5/2/2110
Click here to view certificate prope...
OK Cancel
--------------------------------


You have a computer that runs Windows 7.

Mary and mark share the computer. Mary encrypts a file by using Encrypting File System (EFS). When Mary attempts to grant mark access to the file, she sees the above dialog.

You need to ensure that Mary can grant Mark access to the file.

What should you do?
- Instruct Mark to log on to the computer and encrypt a file.
- Instruct Mary to copy thee file to another NTFS-formatted partition.
- Instruct Mary to move the file to another NTFS-formatted partition.
- Instruct Mark to log on to the computer and take ownership of the file.
- Instruct Mark to log on to the computer and encrypt a file.

Explanation
Mark should log on to the computer and encrypt a file. When he encrypts a file, a certificate (public key) is generated on the computer, and will be available when Mary tries to share her EFS-encrypted file.

NTFS permission, including ownership, will not give Mark access to the EFS-encrypted file. By default, only the user who encrypted the file or folder and the Data Recover Agent (DRA) can access the contents of the file. If you move or copy an encrypted file on the same computer to an NTFS partition, either to the same partition or another partition, the file remains encrypted.

Section 5.1, 5.6
You manage a Windows 7 computer.

One day you are downloading some new mp3 files to your computer.  You save the files directly to the Music library on your computer.

You want to copy the new files to a different folder on your computer.  You view th
You manage a Windows 7 computer.

One day you are downloading some new mp3 files to your computer. You save the files directly to the Music library on your computer.

You want to copy the new files to a different folder on your computer. You view the properties of the Music library and see the dialog shown in the image.

What should you do?
- Copy the new files from the 'C:\Users\Public\Public Music' folder.
- Copy the new files from the 'D:\mp3s' folder.
- Copy the new files from the 'D:\downloads' folder.
- Copy the new files from the C:\Users\Admin\My Music' folder.
- Copy the new files from the 'C:\Users\Public\Public Music' folder.

Explanation
The new files you saved to the library are in the 'C:\Users\Public\Public Music' folder. The check mark next to the folder identifies the folder where new library items are saved. You can also see the location of a file in the library by arranging the library by folder.

Section 5.3
You have a Windows 7 computer that you use at home.

You have a small network set up, with each member of the family having their own computer. You would like to share files such as pictures, videos, and music on your computer with other members of your family. Your mother should be able to modify any of these files, while everyone else should only have read-only access.

You want to use the simplest method to make these files available while providing the level of access specified.

What should you do?
- Enable Public folder sharing in the network and Sharing Center. Put all files in the Public folder.
- Enable media streaming in the Network and Sharing Center. Configure the media to share with each computer.
- Enable Network Discovery in the Network and Sharing Center. Place each file in the My Pictures, My Videos, or My Music folder.
- Create a HomeGroup. Share the folder with the HomeGroup.
- Enable file and printer sharing in the Network and Sharing Center. Share specific folder and configure the necessary permissions.
- Enable file and printer sharing in the Network and Sharing Center. Share specific folder and configure the necessary permissions.

Explanation
You need to enable file and printer sharing, then share each folder and configure specific permissions on each shared folder. Only with file and printer sharing can you have enough control to grant different permissions to different users.

Public folder sharing shares the contents of the Public folder; access is either read-only for all users or full access for all users (you cannot have different permissions for different users). When sharing folders with a HomeGroup, you can only configure Read or Read\Write access for all users (you cannot configure different permissions for different users).

Media sharing lets you share media files fro your computer; you cannot configure specific permission using media sharing. Network discovery lets your computer see other computers and lets other computers see your computer.
Rodney, a user in the research department, uses a Windows 7 Professional laptop computer with a single NTFS volume. Rodney shares the laptop with his manger, Kate.

Rodney stores private company documents in the C:\Data folder on his laptop. Both Rodney and Kate access the documents when they are using the laptop.

Rodney is concerned about the documents falling into the wrong hands if his laptop is stolen. Rodney wants to protect the entire contents of the C:\Data folder.

You want to help Rodney encrypt the contents of the C\Data folder so that Kate and Rodney are the only authorized users.

What should you do?
- Log on to Rodney's computer using your administrative account. Edit the properties of the C\Data folder and enable encryption. Add Rodney and Kate as authorized users for each file in the C:\Data folder.
-Log on to Rodney's computer using your administrative account. remove all NTFS permissions on the C:\Data folder except Rodney's user account and Kate's user account. Grant them Full Control to the C:\data folder.
- Instruct Rodney to log on to his computer, edit the properties of the C:\Data folder, and enable encryption. Add Kate as an authorized user for each file in the C:\Data folder.
- Instruct Rodney to log on to his computer, edit the properties of the C:\Data folder, and remove all NTFS permission except for his user account and Kate's user account. Grant his user account and Kate's user account Full control to the C:\Data folder
- Instruct Rodney to log on to his computer, edit the properties of the C:\Data folder, and enable encryption. Add Kate as an authorized user for each file in the C:\Data folder.

Explanation
Once a file or folder is encrypted using EFS, only the user who encrypted the file or folder (and other users who that user authorizes) can access the file or folder. (You can add additional authorized users to files only, not to folder.) If you perform the encryption, you will still be authorized user. Therefore, Rodney should perform the encryption, then add Kate as an authorized user to each file in the C:\Data folder.

Editing NTFS permissions will not affect the encrypted state of the C:\Data folder and thus will not protect the files should the laptop fall into the wrong hands. (Malicious users can possibly use another operating system installation or other tools that do not enforce NTFS permissions to access NTFS secure data.)

Section 5.6
You have a computer running Windows 7. The computer is a member of a domain.

To increase security as users log onto the computer, you need to implement the strongest form of multi-factor authentication.

What should you do?
- Require two-factor authentication.
- Require a password and biometric scan.
- Require a password, biometric scan, and token device.
- Require two passwords.
- Require a password, biometric scan, and token device.

Explanation
A password, a biometric scan, and a token device together are the strongest form of multi-factor authentication listed here. Multifactor authentication is any combination of two or more of the same or different authentication factors. The three common authentication factor types are Something You Know (such as a password), Something You have (such as a smart card or token device, or Something You Are (such as a biometric quality like a fingerprint).

The other three options are all weaker forms of multi-factor authentication. A password and a biometric scan is a multi-factor authentication but it is also an example of two-factor authentication. Two-factor authentication is any combination of two or more different authentication factors. Two passwords is an example of multi-factor authentication, but sine it uses two of the same type of factors it is not a true two-factor authentication method.

Section 5.1
You have a folder on your Windows 7 computer that you would like memb3ers of your development team to access.

You want to restrict network and local access to only specific users. All other users must not be able to view or modify the files in the folder.

What should you do? (Select two.)
- Place the files on an NTFS partition.
- Configure NTFS permissions.
- Place the files on a FAT32 partition.
- Configure both share and NTFS permissions.
- Configure share permissions.
- Place the files on an NTFS partition.
- Configure both share and NTFS permissions.

Explanation
To control both local and network access, you will need to use both NTFS and share permissions. The folder must be located on an NTFS partition to be able to configure NTFS permissions.

Configuring only NTFS permissions will not allow network access. configuring only shared permissions with the files on a FAT32 partition will not control local access.

Section 5.2, 5.3
You work for a company with headquarters in Seattle and an office in Olympia.

A single server in the Seattle office runs Windows Server 2008 R2 and holds all shared files for the company.

The office in Olympia has 5 client computers, all running Windows 7. The Olympia office is connected to the Seattle office with a WAN link.

You want to implement BranchCache in the Olympia office using Distributed Cache mode.

Using Group Policy, you enable the following policies:

* Turn on BranchCache
* Set BranchCache distributed Cache mode

What else is required to complete the configuration?
- Configure Active Directory Certificate Services.
- Change the startup type for the BranchCache service to Automatic.
- Configure advance firewall rules to allow the necessary ports.
- Configure the 'Configure BranchCache for network files policy in Group Policy.
- Configure advance firewall rules to allow the necessary ports.

Explanation
When using Group Policy, you must manually enable the firewall rules using the Windows Firewall with advance Security. Firewall rules allow BranchCache communications with the BranchCache servers. When you use the 'netsh' command to configure BranchCache, firewall rules are automatically configured to allow the necessary ports.

The 'Configure BranchCache for network files' policy sets the round-trip latency value that triggers the use of BranchCache. If this policy is not set, the default value of 80 milliseconds is used. configuring this policy is optional, not required.

Active Directory Certificate Services or another method of obtaining a certificate for the hosted cache server is required when using Hosted Cache mode. The BranchCache service does not need to be constantly running; it is started automatically when BranchCache is used by the client.

Section 5.7
You have two computers: Comp1 is running Windows XP Professional and Comp2 is running windows 7 Professional.

After moving EFS-encrypted files from Comp1 to Comp2, no one can open the files and access the data.

You need to open the EFS-encrypted files on comp1.

What should you do? (Select two. Each answer is a complete solution.)
- Use USMT to transfer the encryption certificates.
- Use Cipher.exe to transfer the encryption certificates.
- Use Runas.exe to transfer the encryption certificates.
- Use Credential Manager to transfer the encryption certificates.
- Use USMT to transfer the encryption certificates.
- Use Cipher.exe to transfer the encryption certificates.

Explanation
Use USMT or Cipher.exe to transfer the encryption certificates from the computer where the EFS-encrypted files originated to the computer where the EFS-encrypted files were copied.
You manage a Windows 7 computer with a printer that is used by the Sales department.

The sales manager has asked you to restrict access to the printer as follows:

*Sally needs to connect to a printer, print documents, and pause and resume her own print jobs.
* Damien needs to pause and resume documents for all users, but does not need to change printer properties.

You want to assign the most restrictive permissions that meet the sales manager's requirements.

What should you do? (Choose two. each choice is a required part of the correct solution.)
- Assign Sally the Print permission.
- Assign Sally the Manage Printers permission.
- Assign Sally the manage Documents permission.
- Assign Damien the manage Printers permission.
- Assign Damien the Manage Documents permission.
- Assign Sally the Print permission.
- Assign Damien the Manage Documents permission

Explanation
Windows has three levels of permission for printers: Print, manage Documents, and mange Printer.

* Users with Print permission can print documents, pause, resume, restart, and cancel their own documents, and connect to a printer.
* Users with Manage Documents permission can perform all Print tasks, as well as control job settings for all documents, and pause, resume, restart, and cancel the printing of any document.
* Users with mange Printers permission can perform all tasks related to printers and printing.

Section 5.4
You have a computer that runs Windows 7.

You run 'Runas' with the '/savecred' option to start an application.

You need to delete the stored password.

What should you do?
- From Credential manager, remove the credential from the backed up Vault.
- From Credential manager, remove the credential from the Vault.
- Run 'Runas' with the '/noprofile' option.
- Use Account Policies in Group Policy to change the 'maximum password age' setting.
- From Credential manager, remove the credential from the Vault.

Explanation

'Runas' with the '/savecred' indicates the credentials have been previously saved by this user in Windows Vault. From the listed possible answers, the Credential Manager is the only possible option that will remove the saved credentials.

The backed up Vault is meant to restore logon credentials that are stored in the Windows Vault. 'Runas' with the '/noprofile' option stops the profile from loading. The 'maximum password age' setting in Group Policy requires the user to change the password after a given length of time.

Section 5.1
You share a single Windows 7 Professional computer with Judith and Alton.

You are the owner of the D:\Reports folder.

Judith needs to be able to see the files and subfolders in the D:\Reports folder. Dalton needs to be able to do these same things, but also to delete folders.

You need to assign the necessary NTFS permission to the D:\Reports folder.

What should you do?
- Grant Modify to each.
- Grant Read & Execute to Judith; Modify to Dalton.
- Grant List Folder Contents to Judith; Full control to Dalton
- Grant Read & Execute to each
- Grant Read & Execute to Judith; Modify to Dalton.

Explanation
Always assign the most restrictive permission that will still allow the user to do the job. Read & Execute is the minimum permission required to traverse folders (move through a folder to subfolder), and Modify is the minimum permission required to delete folders.

Granting Read & Execute to each would let Judith traverse folders but would not let Dalton delete them. granting Modify to each would let Judith traverse folders and Dalton delete folders, but it would also allow Judith to delete folders.

Section 5.2
You work for a company with headquarters in Seattle and an office in Olympia.

A single server in the Seattle office runs Windows Server 2008 R2 and holds all shared files for the company.

The office in Olympia has 5 client computers, all running Windows 7. The Olympia office is connected to the Seattle office with a WAN link.

You want to implement BranchCache in the Olympia office, caching all contents on a server in the Olympia office.

What should you do to configure the client computers int he Olympia office?
- Run the 'netsh' command to set the BranchCache mode to Distributed Cache. use the FQDN of the server in the Olympia office.
- Run the 'netsh' command to set the BranchCache mode to Hosted Cache. use the FQDN of the server in the Seattle office.
- Run the 'netsh' command to set the BranchCache mode to Distributed Cache. use the FQDN of the server in the Seattle office.
- Run the 'netsh' command to set the BranchCache mode to Hosted Cache. Use the FQDN of the server in the Olympia office.
- Run the 'netsh' command to set the BranchCache mode to Hosted Cache. Use the FQDN of the server in the Olympia office.

Explanation
In Hosted Cache mode, the data is cached on a BranchCache-enabled server in the branch office. This server is called the hosted cache server. When configuring Hosted Cache mode on client computers, you must specify the FQDN of the hosted cache server (the server located in the branch office, not the server in the main office that holds the shared files).

Use Distributed Cache mode to cache content on client computers and not a server in the branch office.

Section 5.7
You have a computer running windows 7.

Prior to installing some software, you turn off User Account Control (UAC), reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions.

You want the protection of UAC, but it is not working at all.

What should you do?
- Log in as an administrator and turn the UAC off and then back on.
- Enable UAC.
- Reboot the machine.
- Uninstall the software and re-enable UAC. Reinstall the software.
- Reboot the machine.

Explanation
Turning UAC on or off requires a system reboot before the settings are enabled. In this case, the user needs to reboot the machine after changing the UAC setting to get the change to take effect.

Uninstalling the software, re-enabling UAC, and re-installing the software requires extra effort, and is unnecessary; however, during the installation you can provide the necessary credentials, which leaves UAC turned on before and after re installation of the software.

Section 3.6
You have a laptop running Windows 7 Professional. The computer is a member of the mydomain.local Active Directory domain.

You take your laptop home and connect it on your home network using a wireless connection.

You would like to join the Homegroup from your laptop that has already been created on your home network.

What should you do?
- Turn on Network Discovery.
- Set the network location for the connection to Home or Work.
- Disjoin your computer from the domain.
- Connect to the network using a wired connection.
- Change the workgroup name to match the workgroup name used by other computers on the network.
- Turn on Network Discovery.

Explanation
In this scenario, the only correct configuration action you could perform would be to enable Network Discovery. To join a HomeGroup:

* The computer must be running windows 7 (any edition).
* The network location type for the network connection must be set to Home. If the network type is set to work or automatically configured as domain, the option to join a Homegroup will be disabled.
* Network Discovery must be on.

Both wireless and wired connections can be used to connect to the HomeGroup. The workgroup name has no effect on the ability to join a Homegroup (domain member computers cannot set the workgroup name anyways). Domain member computers can join a Homegroup, but cannot share resources with the HomeGroup.

Section 5.3
You have a computer running Windows 7 Enterprise.

The computer has devices which are Personal Identity Verification (PIV) compliant.

You want to implement a form of authentication which takes advantage of PIV.

What should you do?
- Use biometric authentication.
- Use smart card authentication.
- Use certificate authentication.
- Use Kerberos authentication.
- Use smart card authentication.

Explanation
Smart card authentication can use the Personal Identity Verification (PIV) standard. PIV allows the use of smart cards without requiring specific vendor software. By support PIV, Windows 7 obtains drivers for smart cards from Windows Update or built-in PIV-compliant mini-drivers.

Biometric authentication uses a human trait or characteristic that is unique between different people. Certificate authentications uses a digital document to identify a user or computer. Kerberos authentication uses tickets (also called a security token) to identify users.

Section 5.1
On your Windows 7 computer, you share the D:\Reports folder using a sharename of 'Reports'.

You need to configure permissions on the shared folder as follows:

* Members of the Accounting group should be able to view files, but not modify them.
* Phil, a member of the Accounting group, needs to be able to open and edit files in the shared folder.
* No one else should be allowed access.

You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible.

What should you do?
- Add the Accounting group and assign the Read permission. add the Phil user account and assign Read/Write permission.
- For every user in the accounting department, assign the Read permission, for the Phil user account, assign the read/Write permission.
- Remove Phil from the accounting group. Add the Accounting group and assign the Read permission. Add the Phil user account and assign Read/Write permission.
- Add the Accounting group and assign the Read permission. Add the Phil user account and assign the Owner permission.
- Add the Accounting group and assign the Read permission. add the Phil user account and assign Read/Write permission.

Explanation
Assign the Accounting group the Read permission and the Phil user account the Read/Write permission. While Phil is a member of the Accounting group, he will have the greater permissions assigned directly to his user account.

Using simple sharing, you cannot designate a user as an Owner. Removing Phil from the Accounting group would still provide the necessary access, but might affect his abilities to other resources if he gains permissions from his membership in the Accounting group. assigning each accounting member permissions would work as well, but would require more work to assign individual permissions. Instead, assign permissions to groups whenever possible.

Section 5.3
You have tow computers that run Windows 7 Home Premium: Comp1 and Comp2. Both computers are members of a HomeGroup; neither computer is a domain member.

On Comp1, you share the C:\Files folder with the HomeGroup. The C:\Files\data.doc file is encrypted.

From Comp2, you can access all of the files in the C:\Files folder except for the data.doc file.

What should you do?
- On Comp1, run 'cipher /r'
- On Comp2, run 'cipher /rekey'
- On Comp1, add Comp2 as an additional user for the encrypted file.
- Copy your private key from Comp1 to Comp2.
- Copy your private key from Comp1 to Comp2.

Explanation
When sharing EFS-encrypted resources, each user must export either EFS keys to other computers in the HomeGroup. The local computer must have a copy of the certificate and private key that corresponds to the user account that encrypted the file. In a HomeGroup for non-domain computers, user accounts are created on each computer. Even if the user account has the same name, the accounts will be different and require the private key of the user account on the source computer to be able to read the encrypted files.

You could copy the private key from Comp2 to Comp1, and then add that user as an authorized user to the file on Comp1. Adding Comp2 as an authorized user does not allow a user to access an encrypted file. Run 'cipher /r' to generate a data recovery agent key. Run 'cipher /rekey' to change the key used to encrypt all files.

Section 5.6
You have been asked to troubleshoot a Windows 7 computer that is a member of a workgroup.

The director who uses the machine said he is able to install anything he wants as well as change system settings on-demand. he has asked you to figure out why user Account Control (UAC) is not being activated when he performs a sensitive operation.

You verify that the director's user account is a standard user and not a member of the local Administrators group. You want the UAC prompt to show.

What should you do?
- Change the 'Behavior of the elevation prompt for administrators in Admin Approval Mode' setting in group policy to 'Prompt for consent.'
- Enable the 'Admin Approval Mode for the Built-in Administrator account' setting in Group policy.
- Check to see if UAC is configured for this account.
- Enable the 'Run all administrators in Admin Approval Mode' setting in Group Policy.
- Set up a local policy that disables the installation of new hardware.
- Enable the 'Run all administrators in Admin Approval Mode' setting in Group Policy.

Explanation
Enable the 'Run all administrators in Admin Approval Mode' setting for UAC. This turns UAC on.

Change the 'Behavior of the elevation prompt for administrators in Admin Approval Mode' setting to 'Prompt for consent' only applies to administrator accounts, and asks the administrator whether to continue or cancel the requested operation. UAC is not enabled on a per-account basis. It applies to all user accounts on the system, but individual settings in local Group Policy can affect the UAC behavior for standard users versus administrators. The 'Admin Approval Mode for the Built-in Administrator account' setting controls UAC for only the Built-in administrator account.

Section 3.6
You work for a company with headquarters in Seattle and an office in Olympia.

A single server in the Seattle office runs Windows Server 2003 and holds all shared files for the company.

The office in Olympia has 5 client computers, all running windows 7. The Olympia office is connected to the Seattle office with a WAN link.

You want to implement BranchCache in the Olympia office.

What should you do?
- Upgrade the server in Seattle to Windows Server 2008 R2. configure BranchCache in Distributed Cache mode.
- Install a server in Olympia running Windows Server 2008 R2. configure BranchCache in Distributed Cache mode.
- Upgrade the server in Seattle to Windows server 2008 R2. configure BranchCache in Hosted Cache mode.
- Install a server in Olympia running Windows server 2008 R2. configure BranchCache in Hosted Cache mode.
- Upgrade the server in Seattle to Windows Server 2008 R2. configure BranchCache in Distributed Cache mode.

Explanation
To implement BranchCache so that files in Seattle are cached in Olympia:
* Upgrade the server in Seattle to Windows Server 2008 R2. Only servers running Windows Server 2008 R2 support BranchCache.
* Use one of the following methods:
* Configure client computers to use Distributed cache mode. content is cached on client computers without a server in the branch office.
* Install a server running Windows Server 2008 R2 in the branch office, and configure clients to use Hosted Cache mode. All content is cached on the server in the branch office.

Installing a server in the Olympia office without a corresponding server in Seattle would not cache content from the Seattle location.

Section 5.7
You manage a laptop that runs Windows 7.

The laptop is shared by members of the Sales team. Sales team members use standard user accounts to log on to the computer.

You want to allow users to change the system time and the time zone. You need to grant them this ability while limiting their ability to perform unrelated tasks.

What should you do?
- In the control Panel, add additional clocks to the Date and Time.
- Teach sales team members how to use 'Runas' to gain elevated privileges.
- Configure user rights for the Sales group in the local security policy.
- Make each sales team user a member of the local Administrators group.
- Configure user rights for the Sales group in the local security policy.

Explanation
user rights control the system actions that users can perform. by default, members of the Administrators group can perform most actions. Regular user accounts (members of the local Users group) can perform some system actions, such as logging on or shutting down the system, but are unable to perform other actions. In the local security policy or Group Policy, configure user rights to identify additional users (or groups) who can perform the specified action (such as changing the system time).

Making all users members of the Administrators group would grant the necessary rights, but would also grant all other rights given to the Administrators group. Using Runas, users would need an account with administrative rights to be able to perform the requested actions. Adding more clocks to the Date and time simply shows additional clocks for different time zones but does not allow users to modify the time or the time zone.

Section 1.5
You have a small home network with the following computers:

* Comp1 runs Windows 7 Home
* Comp2 runs Windows 7 Home Premium
* Comp3 runs windows 7 Professional

You want to create a Home Group for your network. Which of the following should be part of your configuration?
(Select the two most correct answers. Each choice is a required configuration step.)
- Set the network location to Home or Work.
- Create the Homegroup on any of the three computers.
- Create the Home Group on comp2.
- Set the network location to Home.
- Create the HomeGroup on Comp2 or Comp3.
- Set the network location to Home.
- Create the HomeGroup on Comp2 or Comp3.

Explanation
Create the HomeGroup on Comp2 or comp3. You must set the network location to Home before you can create the HomeGroup.
To create a HomeGroup:

* The computer must be running Windows 7 Home Premium or higher.
* The computer cannot be a domain member.
* The network location type must be set to Home.
* No other HomeGroups can exist on the network.


To join a HomeGroup:

* The computer must be running windows 7 (any edition).
* The network location type for the network connection must be set to Home.
* Network Discovery must be on.

Section 5.3
You manage 20 computers running Windows 7 in a domain network.

You want to prevent the Sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change.

What should you do?
- Enable the 'User Account Control: Run all administrators in Admin Approval Mode' setting in Group Policy.
- Configure the 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting in Group Policy to 'Elevate without prompting.'
- Configure the 'User Account Control" Behavior of the elevation prompt for standard users' setting in Group Policy to 'Prompt for credentials.'
- Configure the 'User Account control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting in Group Policy to 'Prompt for credentials'
- Configure the 'User Account control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting in Group Policy to 'Prompt for consent.'
- Configure the 'User Account Control" Behavior of the elevation prompt for standard users' setting in Group Policy to 'Prompt for credentials.'

Explanation
Configure the 'User Account control: Behavior of the elevation prompt for standard users' policy to 'Prompt for credentials.' In this scenario, you need to prevent standard users (the Sales team members) from making system changes unless they can provide administrator credentials. This means that you need to prompt standard users for credentials when system changes are initiated.

Configuring prompts on administrator accounts will not affect the ability of standard users to perform system changes. Prompting for consent asks administrators for permission before performing tasks, but does not require supplying additional credentials. 'Run all administrators in Admin Approval Mode' enables or disables UAC. Enabling 'Run all administrators in Admin Approval Mode' enforces UAC on system changes, but does not by itself configure prompting for standard users or administrators.

Section 3.6
You have a folder on your Windows 7 Professional computer that you would like to share with members of your development team. Users should be able to view and edit any file int he shared folder.

You share the folder and give Everyone Full Control permission to the shared folder.

Users connect to the shared folder and report that they can open the files, but they can not modify any of the files.

What should you do?
- Create new user accounts for each user and assign the necessary folder permissions.
- Install Samba on your workstation, then configure permissions using Samba.
- Modify the NTFS permissions on the folder.
- Create a group and make all user accounts members of the group. Grant Full control share permissions to the group.
- Modify the NTFS permissions on the folder.

Explanation
Access to shared folders on a Windows system are controlled through the combination of share and NTFS permissions. Even though the necessary share permissions have been granted, you need to verify that the NTFS permissions also allow access.

Modifying users and groups will not affect the ability to access the files unless the NTFS permissions are also modified. Use Samba on a Linux system to share folders.

Section 5.2, 5.3
Your Windows 7 computer has a folder named D:\SalesDept. the D: drive is formatted with FAT32.

You need to allow network access to the folder as follows:

* Members of the 'Sales' group should have read-only access to the content in the folder.
* Members of the 'SalesAdmin' group should be able to open, edit, and add new files to the folder.
* No other users should have access.

Members of the 'SalesAdmin' group are also members of the 'Sales' group. You want to assign as few permissions as possible.

What should you do?
- Share the 'SalesDept' folder. Grant Read permission to the 'Sales' group and Change permission to the 'SalesAdmin' group. Remove Everyone from the access control list.
- Share the 'SalesDept' folder. Grant Read permission to the 'Sales' group and Full control permission to the 'SalesAdmin' group. Remove Everyone from the access control list.
- Share the 'SalesDept' folder. Grant Read permission to the 'Sales' group and Change permission to the 'SalesAdmin' group.
- Share the 'SalesDept' folder. Grant Read permission to the 'Sales' group and Full Control permission to the 'SalesAdmin' group.
- Share the 'SalesDept' folder. Grant Read permission to the 'Sales' group and Change permission to the 'SalesAdmin' group. Remove Everyone from the access control list.

Explanation
Share the 'SalesDept' folder and grant Read permission to the 'Sales' group and Change permission to the 'SalesAdmin' group. Remove Everyone from the access control list. You must remove Everyone to prevent everyone else from accessing the share (by default, Everyone has Read permissions).

Section 5.2, 5.3
You manage a Windows 7 computer on a small home network.

You want to share the following folders on your computer with users on the network:

* D:\Clipart
* D:\Fonts
* D:\VacationPictures

You want to allow access meeting the following requirements:

* Users will access all folders through a single share.
* The share should include only these folders and no others.
* The folders should remain in their current locations in the file system structure.

What should you do?
- Create a new folder named 'MyFiles.' Move each folder into the new folder. Share the folder with the HomeGroup.
- Share each folder. On each client computer, run 'net use' to map each folder to the same drive letter.
- Move each folder to the Public folder. Enable Public folder sharing.
- Share the D: drive.
- Create a library. Add all folders to the library. Share the library with the HomeGroup.
- Create a library. Add all folders to the library. Share the library with the HomeGroup.

Explanation
Use a library to make files accessible through a single shared folder. Create the library, then add folders to the library. The library is a logical folder, not an actual folder on disk. Files and folders in the library exist in the file system in their original locations. You can share a library to make its contents available on the network.

Creating a folder and moving folders into that folder or moving folders into the Public folder would change the location of the folders in the file system. Sharing the entire D: drive would make additional files and folders available. Mapping multiple folders to the same drive letter results int he last mapping being active (with the previous ones being removed).
You have a Windows 7 computer that is shared by multiple users.

Sally wants to access a file in the Reports folder. a group named Sales has been granted the Full Control permission to the Reports folder and all subfolders and files.

You add Sally as a member of the Sales group, but she still cannot access the file that she needs.

You want to let Sally access the Reports folder. What should you do?
- Remove Sally from the Sales group, then add her to the Sales group.
- Delete and recreate Sally's user account on the local computer.
- Remove Sally from any other groups that have been explicitly denied access to the Reports folder.
- Create a new group, give it rights to the Reports folder, then add Sally to the group.
- Remove Sally from any other groups that have been explicitly denied access to the Reports folder.

Explanation
If a user is a member of a group that has permission to access a folder but still cannot access the folder, the user could be explicitly denied access to the folder by virtue of membership in another group.