Implementing and Administering Microsoft Windows 2000 Directory Services (5 Weeks)

Questions for Week 2

1. What is the justification for publishing an object in Active Directory?
Publishing an object in Active Directory allows users to search Active Directory for the object, thus making it easier to locate.
Module 5, Page 2.

2. What Windows 2000-based print servers automatically publish their printers in Active Directory?
Print servers running Windows 2000 that are either members of a domain or domain controllers will automatically publish their printers in Active Directory.
Module 5, Page 3.

3. How do you publish printers that are shared from non-Windows 2000 computers in Active Directory?
Use either Active Directory Users and Computers or the pubprn.vbs command-line utility.
Module 5, Pages 7, 8.

4. What is the purpose of a “printer location” in Active Directory?
A printer location in Active Directory allows a user who is searching for a printer in Active Directory to find a printer that is located physically close to the user.
Module 5, Pages 10, 11.

5. What identifier is used to publish a shared folder in Active Directory?
The UNC of the shared folder is the identifier used to publish the shared folder. For example, if the shared folder is named GAMES on the server ULYSSES, then the UNC of the shared folder is \\ULYSSES\GAMES.
Module 5, Page 17.

6. What is a Security Principal?
A Security Principal is an account holder to which permissions can be assigned. For example, users, groups and computers are all security principals.
Module 6, Page 3.

7. What is a Security Identifier (SID)?
A Security Identifier is a value that uniquely identifies a user, group, service or computer account. All access control mechanisms in Windows 2000 use Security Identifiers to identify Security Principals. Security Principal names are not used by access control mechanisms.
Module 6, Page 3.

2000 The Beacon Institute for Learning www.thebeaconinstitute.com

8. What is a Security Descriptor?
A Security Descriptor is a data structure containing the security information associated with a securable object.
Module 6, Page 3.

9. What is a Discretionary Access Control List (DACL)?
A DACL is a list identifying who is allowed or denied access, and the level of access being allowed or denied.
Module 6, Page 4.

10. What is a System Access Control List (SACL)?
A SACL is used to control how Windows 2000 audits access to objects.
Module 6, Page 4.

11. What are Access Control Entries (ACE)?
Access Control Entries (ACEs) are what make up Access Control Lists (ACLs). The ACE is used to determine which operations a security principal is allowed to perform on an object.
Module 6, Pages 4, 5.

12. What are the six types of ACEs in Windows 2000?
1) Access Denied (DACL)
2) Access Allowed (DACL)
3) System Audit (SACL)
4) Access Denied, Object Specific (DACL)
5) Access Allowed, Object Specific (DACL)
6) System Audit, Object Specific (SACL)
Module 4, Pages 5, 6.

13. What is Inheritance?
Inheritance is the process that passes ACEs in a parent object’s security descriptor to a child object’s security descriptor. In other words, access control information that is defined at higher-level containers in Active Directory flows down to sub-containers and their objects.
Module 6, Page 7.

14. What happens during the Windows 2000 logon process when a domain controller is NOT available?
If no domain controller is available, then the user is logged on by cached logon credentials at the client computer.
Module 5, Page 8.

15. What is an access token?
An access token is created for the user during the logon process and contains attributes that establish the security credentials for that user on the local computer.
Module 6, Page 10.

16. What is contained in the access token?
An access token contains the user’s Security ID (SID), the group ID for all groups in which the user is a member, and User Rights.
Module 6, Page 10.

17. How is an access token used?
An access token’s contents are compared to an object’s DACL before the user is granted access to the object.
Module 6, Pages 10, 11, 12.

18. What is an Active Directory Permission?
An Active Directory Permission is an authorization assigned by an Active Directory object’s owner so that users can perform operations on the object.
Module 6, Page 14.

19. How are Active Directory Permissions “implicitly denied”?
Active Directory Permissions are “implicitly denied” when a permission to perform an operation is not explicitly assigned.
Module 6, Page 15.

20. When you prevent Active Directory permission inheritance, what happens to the permissions that were previously inherited by child objects?
You have a choice:
1) You can copy the previously inherited permissions to the object, or
2) You can remove previously inherited permissions from the object.
Module 6, Page 16.

21. What is “delegation”?
Delegation is the ability to assign responsibility for the management of Active Directory objects to another user, group, or organization.
Module 5, Page 21.

22. What utility is used to delegate control of Active Directory objects?
The “Delegation of Control Wizard” is used to delegate control of Active Directory objects.
Module 6, Page 21.

23. What is the rationale for delegating control of Active Directory objects?
Used correctly, you can create Organizational Units (OUs) to represent departments or groups and then delegate the administration of these OUs to an OU administrator (a user you’ve identified to be the administrator of the OU).
Module 6, Page 22.

24. What is the rationale for creating customized MMC consoles?
Customized MMC consoles are very useful after you delegate control of an Active Directory container, because you can create a customized MMC to match the permissions that the container administrator has over the container.
Module 6, Page 36.

25. What are three ways that you can distribute a customized Active Directory console?
1) Send the console file through e-mail.
2) Place the console file in a shared folder on a network server.
3) Package the console file for distribution so that you can distribute it by using Group Policy.
Module 6, Page 38.

26. You want to administer your Windows 2000 network from your Windows 2000 Professional computer. In order to do this you must install the Windows 2000 Administrative Tools. What is the name of the file that contains the Windows 2000 administrative tools?
Adminpak.msi
Module 6, Page 39.

27. What is a “Taskpad”?
A Taskpad is an extreme customization of an MMC console designed to simplify administrative tasks by creating a shortcut to a specific administrative task or command.
Module 6, Page 41.

28. What is Group Policy?
Group Policy is the “technology” that allows you to define user desktop environments once, with user and computer settings, and then rely on Windows 2000 to continually enforce them throughout the network.
Module 7, Page 2.

29. What are some of the things that Group Policy enables you to do?
With Group Policy you can:
1) Centralize Policies.
2) Set user environments.
3) Lower Total Cost of Ownership.
4) Enforce a Corporation’s business rules, goals, and security needs.
Module 7, Page 2.

30. What are the seven types of Group Policy Settings?
1) Administrative Templates.
2) Security.
3) Software Installation.
4) Scripts.
5) Remote Installation Service (RIS).
6) Internet Explorer Maintenance.
7) Folder Redirection.
Module 7, Pages 4, 5.

31. What is a Group Policy Object (GPO)?
A Group Policy Object (GPO) is the entity used to implement Group Policy.
Module 7, Page 6.

32. What is the content of the GPO and where is it stored?
The GPO contains Group Policy Settings. The content of a GPO is stored in two different locations. The Group Policy Container (GPC) contains GPO attributes and version information. The GPC is stored in Active Directory. The Group Policy Template (GPT) contains all Group Policy settings and information. GPTs are stored in the shared SYSVOL folder on Windows 2000 domain controllers.
Module 7, Page 6.

33. When are Group Policy Settings for Computers applied?
Group Policy Settings for Computers are applied when the operating system initializes AND during the periodic refresh cycle.
Module 7, Page 7.

34. When are Group Policy Settings for Users applied?
Group Policy Settings for Users are applied when users log on to the computer AND during the periodic refresh cycle.
Module 7, Page 7.

35. To what objects can Group Policy Objects be linked?
Group Policy Objects can be linked to sites, domains, or OUs.
Module 7, Page 8.

36. What tool is used to create a GPO for domains and OUs?
Active Directory Users and Computers.
Module 7, Page 10.

37. What tool is used to create a GPO for a site?
Active Directory Sites and Services.
Module 7, Page 11.

38. What tool is used to create an unlinked GPO?
The Group Policy snap-in for MMC is used to create an unlinked GPO.
Module 7, Page 12.

39. What are the three options you can specify for a domain controller for managing GPOs?
1) The domain controller that is running the PDC emulator.
2) The domain controller used by Active Directory for Snap-ins.
3) Any available domain controller (not recommended).
Module 7, Page 16.

40. In what order are GPOs applied?
1) Site
2) Domain
3) OU
Module 7, Page 18.

41. What Group Policy settings are processed when a computer starts?
When a computer starts, it processes the Group Policy computer settings and it processes startup scripts.
Module 7, Page 20.

42. What Group Policy settings are processed when a user logs on?
When a user logs on, user Group Policy settings are processed and then Logon scripts are run.
Module 7, Page 20.

43. Which dynamic-link library (DLL) is responsible for processing registry-based settings?
Userenv.dll is the client-side DLL that is responsible for processing registry-based settings of Group Policy.
Module 7, Page 21.

44. The default processing of group policy is synchronous processing. What is meant by synchronous processing of group policy?
Synchronous processing waits for one policy to be applied before beginning to process the next policy.
Module 7, Page 22.

45. What is asynchronous processing of Group Policy?
Asynchronous processing means that multiple Group Policies do not depend on each other and can therefore be done simultaneously.
Module 7, Page 22.

46. What is the default Group Policy refresh interval for computers running Windows 2000 Professional?
The default refresh interval is 90 minutes.
Module 7, Page 23.

47. What is the definition of a slow link as determined by Group Policy?
Group Policy, by default, defines a slow link as a link that is less than 500 Kbps.
Module 7, Page 24.

48. What Group Policy settings ARE processed even if a slow link is determined by Group Policy?
Registry-based settings, Security Settings, and EFS Recovery settings.
Module 7, Page 24.

49. When there are conflicts between the GPO settings in a parent container and the GPO settings in a child container, which GPO setting applies?
The GPO settings in the child container are applied last and take effect.
Module 7, Page 26.

50. When there are conflicts between the GPO settings from different GPOs linked to the same container, which GPO settings will apply?
The settings in the GPO at the top of the list of GPOs on the Group Policy tab of the Properties dialog box for the container are applied last and take effect. You can change the order of the GPOs listed here.
Module 7, Page 26.

51. How can you prevent a child container from inheriting a GPO from its parent container?
You enable Block Inheritance on the child container to prevent inheriting GPOs from a parent container.
Module 7, Page 29.

52. How can you prevent a child container from blocking the inheritance of GPOs from a parent container?
You enable No Override on the GPO on the parent container.
Module 7, Page 30.

53. You have applied a GPO to the SALES OU. However, Joe is a user in the SALES OU for which you don’t want the GPO applied. How do you filter the GPO so that it doesn’t apply to JOE?
You explicitly Deny the Apply Group Policy permission for JOE.
Module 7, Page 31.

54. In Windows 2000, by default, who can create GPOs?
By default, only the System account, and members of the Domain Admins, Enterprise Admins and Group Policy Creator Owners groups can create GPOs.
Module 7, Page 45.

55. How do you enable logging for Group Policy?
To enable Group Policy Logging, add a DWORD value named RunDiagnosticLoggingGlobal with a value of 1 to the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion key in the registry.
Module 7, Page 53.

56. What is the name of the Windows 2000 Resource Kit Tool that displays information about the result Group Policy has had on the current computer and logged-on user?
Gpresult.exe
Module 7, Page 56.

57. You are having problems with Group Policy and suspect that Group Policy is not being replicated correctly to all domain controllers. What Windows 2000 Support Tool will help you diagnose and resolve this problem?
Replmon.exe
Module 7, Page 55.

58. You cannot edit a Group Policy Object. What might be the cause?
1) You may not have permissions to access the GPO.
2) The domain controller that Group Policy is trying to reach cannot be reached. It may be offline, or its name cannot be resolved by the DNS server. You may also be having general network troubles.
Module 7, Page 57.