Appendix A -- Questions and Answers - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources] (text version)

Jill Spealman

Appendix A -- Questions and Answers


Chapter 1


Review Questions



What is the primary difference between Windows 2000 Professional and Windows 2000 Server?

Windows 2000 Professional is optimized for use alone as a desktop operating system, as a networked computer in a peer-to-peer workgroup environment, or as a workstation in a Windows 2000 Server domain environment. Windows 2000 Server is optimized for use as a file, print, and application server, as well as a Web-server platform.

What is the major difference between a workgroup and a domain?

The major difference between a workgroup and a domain is where the user account information resides for user logon authentication. For a workgroup, user account information resides in the local security database on each computer in the workgroup. For the domain, the user account information resides in the Active Directory database.

Which of the integral subsystems is responsible for running Active Directory?

The Security subsystem.

What is the purpose of Active Directory?

Active Directory is the directory service included in Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active
Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

What happens when a user logs on to a domain?

Windows 2000 sends the logon information to a domain controller, which compares it to the user's information in the directory. If the information matches, the domain controller authenticates the user and issues an access token for the user.

How would you use the Windows Security dialog box?

The Windows 2000 Security dialog box provides easy access to important security options, including the ability to lock a computer, change a password, stop programs that are not responding, log off a computer, and shut down the computer. You can also determine the domains to which you are logged on and the user account that you used to log on.


Chapter 2


Review Questions



What is the Active Directory schema?

The schema contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties.

What is the purpose of an organizational unit (OU)?

An OU is a container used to organize objects within a domain into logical administrative groups that mirror your organization's functional or business structure. An OU can contain objects such as user accounts, contacts, groups, computers, printers, applications, file shares, and other OUs from the same domain.

What are sites and domains and how are they different?

A site is a combination of one or more IP subnets that should be connected by a high-speed link. A domain is a logical grouping of servers and other network resources organized under a single name. A site is a component of Active Directory's physical structure, whereas a domain is a component of the logical structure.

What is the difference between implicit two-way transitive trusts and explicit one-way nontransitive trusts?

An implicit two-way transitive trust is a trust between domains that are part of the Windows 2000 scalable namespace, for example, between parent and child domains within a tree and between the top-level domains in a forest. These trust relationships make all objects in all the domains of the tree available to all other domains in the tree.

An explicit one-way nontransitive trust is a relationship between domains that are not part of the same tree. One-way trusts support connections to existing pre-Windows 2000 domains to allow the configuration of trust relationships with domains in other trees.


Chapter 3


Practice Questions


Lesson 3: Using Microsoft Management Consoles


Practice: Using Microsoft Management Console


Exercise 1: Using a Preconfigured MMC


To use a preconfigured MMC


Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

Windows 2000 displays the Event Viewer console, which gives you access to the contents of the event log files on your computer. You use Event Viewer to monitor various hardware and software activities.

Looking at the console tree, what three logs are listed?

Application Log, Security Log, System Log.

Can you add snap-ins to this console? Why or why not?

No. This is a preconfigured console and therefore it was saved in User mode. You cannot modify consoles that are saved in User mode.


Exercise 2: Creating a Custom Microsoft Management Console


To create a custom MMC


To view the currently configured options, click Options on the Console menu.

MMC displays the Options dialog box with the Console tab active. The Console tab allows you to configure the console mode.

How does a console that is saved in User mode differ from one that is saved in Author mode?

You can modify consoles that are saved in Author mode. You can't modify consoles that are saved in User mode after they have been saved. Different levels of User mode restrict the degree of user access.


To remove extensions from a snap-in


Click Computer Management (Local), and then click the Extensions tab.

MMC displays a list of available extensions for the Computer Management snap-in.

What determines which extensions MMC displays in this dialog box?

The available extensions depend on the snap-in you select.

Expand Computer Management and then expand System Tools to confirm that System Information and Device Manager have been removed.


NOTE
Do not use any of the tools at this point.


When should you remove extensions from a console?

To customize the console for limited administrative tasks. This allows you to include only those extensions that are relevant to the computer that you are administering. You should also remove extensions when you create consoles for administrators who perform only limited tasks.


Review Questions



What are the functions of the Active Directory Domains and Trusts, the Active Directory Sites and Services, and the Active Directory Users and Computers consoles?

The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.

What is the purpose of creating custom MMCs?

Create custom MMCs to meet your administrative requirements. Combine snap-ins that you use together to perform common administrative tasks. Creating custom MMCs allows you to perform most administrative tasks with one MMC. You do not have to switch between different programs or MMC files because all of the snap-ins that you need to use are located in the same MMC file.

When and why would you use an extension?

When specific snap-ins need additional functionality. Extensions are snap-ins that provide additional administrative functionality to another snap-in. A standalone snap-in provides one function or a related set of functions.

You need to create a custom MMC for an administrator who only needs to use the Computer Management and Active Directory Users and Computers consoles. The administrator


Must not be able to add any additional consoles or snap-ins

Needs full access to both consoles

Must be able to navigate between consoles


What console mode would you use to configure the custom MMC?

User Mode, Full Access.

What do you need to do to remotely administer a computer running Windows 2000 Server from a computer running Windows 2000 Professional?

Windows 2000 Professional does not include all snap-ins that are included in Windows 2000 Server. To enable remote administration of many Windows 2000 Server components from a computer running Windows 2000 Professional, you need to add the required snap-ins on the computer running Windows 2000 Professional. This is done by executing the systemroot\system32\adminpak.msi file on the Windows 2000 Server using My Network Places from the Windows 2000 Professional desktop.

You need to schedule a maintenance utility to run once a week on a computer running Windows 2000 Server. What do you use to accomplish this?

Use Task Scheduler to schedule the necessary maintenance utilities to run at specific times.


Chapter 4


Practice Questions


Lesson 2: Installing Active Directory


Practice: Installing Active Directory


Exercise 1: Promoting a Standalone Server to a Domain Controller


To install the Active Directory service on a standalone server


Ensure that the SYSVOL folder location is systemroot\SYSVOL. (If you did not install Windows 2000 in the WINNT directory, the SYSVOL location should default to a SYSVOL folder in the folder where you installed Windows 2000.)

What is the one SYSVOL location requirement?

SYSVOL must be located on a Windows 2000 partition that is formatted as NTFS 5.0.

What is the function of SYSVOL?

SYSVOL is a system volume hosted on all Windows 2000 domain controllers. It stores scripts and part of the group policy objects for both the current domain and the enterprise. systemroot\SYSVOL\SYSVOL stores domain public files.


Exercise 2: Viewing Your Domain Using My Network Places


To view a domain using My Network Places


Double-click My Network Places.

The My Network Places window appears.

What selections do you see?

Add Network Place and Entire Network.

Double-click Entire Network, click the Entire Contents link, and then double-click Microsoft Windows Network.

What do you see?

Your domain set up in the previous exercise, Microsoft. Answer may vary depending on your domain name.


Exercise 3: Viewing a Domain Using the Active Directory Users and Computers Console


To view a domain using the Active Directory Users and Computers console


In the console tree, double-click microsoft.com (or the name of your domain).

What selections are listed under microsoft.com?

Builtin, Computers, Domain Controllers, and Users.


Lesson 4: Implementing an Organizational Unit Structure


Practice: Creating an OU


To create an OU


Expand the microsoft.com domain (or the domain you set up).

The OUs appear as folders with a directory book icon under the domain. Plain folders are specialized containers.

What are the default OUs in your domain?

Domain Controllers. The Builtin, Computers, Foreign Security Principals, Lost And Found, System, and Users folders are container objects.


Review Questions



What are some reasons for creating more than one domain?

Some reasons for creating more than one domain are decentralized network administration, replication control, different password requirements between organizations, massive numbers of objects, different Internet domain names, international requirements, and internal political requirements.

Your company has an external Internet namespace reserved with a DNS registration authority. As you plan the Active Directory implementation for your company, you decide to recommend extending the namespace for the internal network. What benefits does this option provide?

Extending an existing namespace provides consistent tree names for internal and external resources. In addition, this plan allows your company to use the same logon and user account names for internal and external resources. Finally, you do not have to reserve an additional DNS namespace.

In what two ways does your site configuration affect Windows 2000?

Workstation logon and authentication. When a user logs on, Windows 2000 will try to find a domain controller in the same site as the user's computer to service the user's logon request and subsequent requests for network information.

Directory replication. You can configure the schedule and path for replication of a domain's directory differently for intersite replication, as opposed to replication within a site. Generally, you should set replication between sites to be less frequent than replication within a site.

What is the shared system volume, what purpose does it serve, where is it located, and what is its name?

The shared system volume is a folder structure that exists on all Windows 2000 domain controllers. It stores scripts and some of the group policy objects for both the current domain and the enterprise. The default location and name for the shared system volume is systemroot\SYSVOL. The shared system volume must be located on a partition or volume formatted with NTFS 5.0.

What is the purpose of the operations master roles?

Because some changes are impractical to perform in multimaster fashion, one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

What administrative tool is used to create OUs?

Use the Active Directory Users and Computers console to create OUs.


Chapter 5


Practice Questions


Lesson 2: Understanding and Configuring Zones


Practice: Configuring Zones


Exercise 3: Adding a Resource Record


To add a PTR resource record for a zone


Click 10.10.1.x Subnet. (If you did not use 10.10.1.1 as the static IP address for your server name, click the appropriate subnet.)

What types of resource records exist in the reverse lookup zone?

Start of Authority and Name Server.


Review Questions



What is the function of a forward lookup query? A reverse lookup query?

A forward lookup query resolves a name to an IP address. A reverse lookup query resolves an IP address to a name.

What are the advantages of using the Active Directory-integrated zone type?

Multimaster update and enhanced security are based on the capabilities of Active Directory. Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to an Active Directory domain. By integrating storage of your DNS namespace in Active Directory, you simplify planning and administration for both DNS and Active Directory. Directory replication is faster and more efficient than standard DNS replication.

What is the purpose of the SOA resource record?

The SOA resource record identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record. The SOA resource record also stores properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers authoritative for the zone.

What must be done when you delegate zones within a namespace?

When you delegate zones within a namespace, you must also create SOA resource records to point to the authoritative DNS server for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.

Why is an IXFR query more efficient than an AXFR query?

An IXFR query allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, either a primary or secondary copy of the zone maintained by another DNS server. An AXFR query provides a full transfer of the entire zone database.
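The SOA-serial mechanics behind the last three answers, as an added example that is not part of the training kit: a small model in which a primary server logs each change under the SOA serial that produced it, and a secondary requests an incremental transfer from the serial it already holds. Zone names, hosts and addresses are constructed; the fallback-to-AXFR rule when the primary lacks the needed history is how real servers behave, but the code is mine, not a DNS implementation.

```python
"""Full (AXFR) versus incremental (IXFR) zone transfer, keyed on the SOA serial.

Added example, not from the training kit. A primary keeps a change log per SOA
serial; a secondary asks for IXFR from its own serial and receives only the
deltas, or a full AXFR when the primary cannot serve that range.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and (simplified) RDATA."""
    name: str
    rtype: str
    data: str


class PrimaryZone:
    """Primary copy of a zone; self.serial stands for the SOA serial."""

    def __init__(self, origin, serial, records):
        self.origin = origin
        self.serial = serial
        self.records = set(records)
        self.changes = {}  # serial -> (added, removed) that produced that serial

    def update(self, added=(), removed=()):
        """Apply a change, bump the SOA serial and log the delta."""
        added, removed = set(added), set(removed)
        self.records = (self.records - removed) | added
        self.serial += 1
        self.changes[self.serial] = (added, removed)

    def axfr(self):
        """Full transfer: every record in the zone."""
        return "AXFR", self.serial, sorted(self.records, key=str)

    def ixfr(self, client_serial):
        """Incremental transfer from client_serial up to the current serial.

        Falls back to AXFR when the change log does not cover the range the
        secondary needs (unknown or too old client serial).
        """
        if client_serial >= self.serial:
            return "UP-TO-DATE", self.serial, []
        needed = range(client_serial + 1, self.serial + 1)
        if any(s not in self.changes for s in needed):
            return self.axfr()
        deltas = [(s, *self.changes[s]) for s in needed]
        return "IXFR", self.serial, deltas


class SecondaryZone:
    """Secondary copy: pulls the changes it needs, tracking how much was sent."""

    def __init__(self, serial=0):
        self.serial = serial
        self.records = set()

    def refresh(self, primary):
        """Request IXFR; returns (transfer kind, number of records transferred)."""
        kind, serial, payload = primary.ixfr(self.serial)
        transferred = 0
        if kind == "AXFR":
            self.records = set(payload)
            transferred = len(payload)
        elif kind == "IXFR":
            for _serial, added, removed in payload:
                self.records = (self.records - removed) | added
                transferred += len(added) + len(removed)
        self.serial = serial
        return kind, transferred


def demo():
    """Constructed zone: 3 infrastructure records plus 50 hosts (serial 2000)."""
    hosts = [RR(f"host{i}.microsoft.com", "A", f"10.10.1.{i}") for i in range(10, 60)]
    zone = PrimaryZone("microsoft.com", 2000, [
        RR("microsoft.com", "SOA", "server1.microsoft.com. admin.microsoft.com."),
        RR("microsoft.com", "NS", "server1.microsoft.com."),
        RR("server1.microsoft.com", "A", "10.10.1.1"),
    ] + hosts)
    secondary = SecondaryZone()
    first = secondary.refresh(zone)        # brand-new secondary: full AXFR of 53 records
    zone.update(added={RR("host60.microsoft.com", "A", "10.10.1.60")})
    zone.update(added={RR("host10.microsoft.com", "A", "10.10.1.110")},
                removed={RR("host10.microsoft.com", "A", "10.10.1.10")})
    second = secondary.refresh(zone)       # IXFR: only the 3 changed records
    return first, second, secondary.records == zone.records
```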


Chapter 6


Practice Questions


Lesson 1: Configuring Site Settings


Practice: Configuring a Site


To rename a site


Click on the Sites folder.

What objects appear in the details pane?

Default-First-Site-Name (the default site created by the Active Directory Installation Wizard), the Inter-Site Transports container, and the Subnets container.


To create a site link


Open the Inter-Site Transports folder and click the IP folder.

What object appears in the details pane?

DEFAULTIPSITELINK, the default site link created by the Active Directory Installation Wizard.


Review Questions



What four tasks must be completed to configure a site?

Create a site, associate a subnet with the site, connect the site using site links, and select a licensing computer for the site.

What two site configuration objects does the Active Directory Installation Wizard create automatically?

The Active Directory Installation Wizard automatically creates an object named Default-First-Site-Name in the Sites container and an object named DEFAULTIPSITELINK in the IP container.

Which replication protocol uses RPCs for replication over site links (inter-site) and within a site (intra-site)?

IP replication protocol.

What three tasks must be completed to configure inter-site replication?

Create site links, configure site link attributes (such as site link cost, replication frequency, and replication availability), and create site link bridges.

What is the difference between replication frequency and replication availability?

Replication frequency is the duration between replications on a site link. Replication availability is when a site link is available to replicate directory information.

What is the function of a bridgehead server?

A bridgehead server provides some ranking or criteria for choosing which domain controller should be preferred as the recipient for inter-site replication. The bridgehead server then distributes the directory information via inter-site replication.


Chapter 7


Practice Questions


Lesson 2: Planning New User Accounts


Practice: Planning New User Accounts


Complete Table 7.3 to determine a naming convention for the users in the new hire list by considering the information that is provided in the sections "Scenario," "Criteria," and "New Hire List" in this practice.

Answers may vary. The sample answers use a full name with the department name for duplicate names and a user logon name with the first name and last initial and additional characters from the last name for duplicate names. All user logon names and full names must be unique.

Complete Table 7.4 to determine logon hours and computer use for the users in the new hire list by considering the information that is provided in the sections "Scenario," "Criteria," and "New Hire List" in this practice.

Permanent employees can log on 24 hours a day, seven days a week from any computer on the network. Temporary employees share Temp1 and Temp2. Only two temporary workers are able to log on during a shift, so you must share two computers between four employees.

Select the appropriate password setting for each user in Table 7.5 to determine who controls the user's password.

Temporary employees cannot change their passwords. Permanent employees can change their passwords and must change them the next time they log on.

Lesson 3: Creating User Accounts


Practice: Creating Domain User Accounts


To create a domain user account


Expand microsoft.com (if you did not use Microsoft as your domain name, expand your domain), and then double-click Users.

In the details pane, notice the default user accounts.

Which user accounts does the Active Directory Installation Wizard create by default?

Administrator, Cert Publishers, DHCP Administrators, DHCP Users, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Admins, Group Policy Creator Owners, Guest, IUSR_SERVER1, IWAM_SERVER1, krbtgt, RAS and IAS Servers, Schema Admins, and TsInternetUser. (Answers may vary.)

Right-click Users, point to New, then click User.

Windows 2000 displays the New Object-User dialog box.

Where in the Active Directory will the new user account be created?

Microsoft.com/Users. (Answer may vary if your domain name is not microsoft.com.)

In the list to the right of the User Logon Name box, select @microsoft.com. (The domain name will vary if you did not use microsoft.com as your DNS domain name.)

The user logon name, combined with the domain name in the box that appears to the right of the User Logon Name box is the user's full Internet logon name. This name uniquely identifies the user throughout the directory (for example, user1@microsoft.com).

Notice that Windows 2000 completes the pre-Windows 2000 logon name box for you.

When is the pre-Windows 2000 logon name used?

The user's pre-Windows 2000 logon name is used to log on to the Windows 2000 domain from a computer running a previous version of Microsoft Windows.

Specify whether or not the user can change his or her password.

What are the results of selecting both the User Must Change Password At Next Logon check box and the User Cannot Change Password check box? Explain.

Windows 2000 displays an Active Directory message box with the following message:

You cannot check both User must change password at next logon and User cannot change password for the same user.


The next time that the user attempts to log on, the user would be prompted to change his or her password and would not be able to log on until the password has been changed. However, Windows 2000 will not allow the user to change his or her password, so the user would not be able to log on successfully.

Under what circumstances would you select the Account Is Disabled check box when creating a new user account?

Some possible answers include: If the account is for a user who has not yet started at the company. If a user is taking a leave of absence.


Practice: Modifying User Account Properties


Exercise 1: Configuring Logon Hours and Account Expiration


To specify logon hours


In the details pane, right-click User Three, then click Properties.

Windows 2000 displays the User Three Properties dialog box with the General tab active.

In the General tab, what information can you specify for the user account in addition to the first and last name? How would this information be useful?

Display Name, Description, Office, Telephone Number, E-mail, and Web Page. Active Directory can store user information that might otherwise require a separate application or book. Also, user information that is entered here can be used to locate the user when you search Active Directory.

Click the Account tab, and then click Logon Hours.

Windows 2000 displays the Logon Hours For User Three dialog box.

Currently, when can User Three log on?

All hours on all days are allowed by default.


To set account expiration for a user account


Click the Account tab.

When will the account expire?

Never.


Exercise 2: Testing User Accounts


To test logon capabilities of user accounts


Click OK to close the Change Password message box.

Were you able to successfully log on? Why or why not?

No. By default administrators have the right to log on to a domain controller, but regular users, like User1, do not.


To test restrictions on logon hours


Attempt to log on as User1 with a password of student.

Were you able to successfully log on? Why or why not?

Yes, because User1 has access to the network 24 hours a day, seven days a week, and now has the user right to log on interactively.

When prompted, change the password to student.

Were you able to successfully log on? Why or why not?

No, because User3 is only allowed to log on between 6 PM and 6 AM. (The answer is Yes if the reader is logging on between 6 PM and 6 AM.)
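The logon-hours restriction tested here (User3 allowed only between 6 PM and 6 AM) expressed as the hour-of-week bitmap Active Directory stores in the logonHours attribute, as an added example that is not part of the training kit. The 21-byte, one-bit-per-hour layout starting Sunday 00:00 UTC with the least significant bit first is my reading of the attribute format, not something the book documents; the build and decode functions are mine.

```python
"""Build and read the logon-hours bitmap that restricts when an account can log on.

Added example, not from the training kit. Assumed layout of the logonHours
attribute: 21 bytes = 168 bits, one bit per hour of the week starting Sunday
00:00 UTC, least significant bit first within each byte. The ADUC Logon Hours
grid shows the same bits in the administrator's local time zone.
"""
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
ALL_HOURS = bytes([0xFF] * 21)  # the default: every hour of every day allowed


def _index(day, hour):
    """Bit index 0..167 for (day of week, hour of day)."""
    return day * 24 + hour


def build_logon_hours(windows):
    """windows: iterable of (day, start_hour, end_hour) in UTC, end exclusive.

    A window whose end is not after its start wraps past midnight into the
    next day, e.g. (1, 18, 6) is Monday 18:00 through Tuesday 06:00.
    """
    bits = bytearray(21)
    for day, start, end in windows:
        if start < end:
            hours = [(day, h) for h in range(start, end)]
        else:
            hours = [(day, h) for h in range(start, 24)]
            hours += [((day + 1) % 7, h) for h in range(0, end)]
        for d, h in hours:
            i = _index(d, h)
            bits[i // 8] |= 1 << (i % 8)
    return bytes(bits)


def allowed_at(logon_hours, day, hour):
    """True if a logon at (day, hour) UTC is permitted by the bitmap."""
    i = _index(day, hour)
    return bool((logon_hours[i // 8] >> (i % 8)) & 1)


def allowed_windows(logon_hours):
    """Decode the bitmap back into per-day (start, end) hour ranges, UTC.

    Useful when reviewing an account: a restricted schedule that has quietly
    reverted to all hours shows up immediately.
    """
    result = {}
    for day, name in enumerate(DAYS):
        ranges, start = [], None
        for hour in range(25):            # 25th iteration closes an open range
            on = hour < 24 and allowed_at(logon_hours, day, hour)
            if on and start is None:
                start = hour
            elif not on and start is not None:
                ranges.append((start, hour))
                start = None
        if ranges:
            result[name] = ranges
    return result


# User3 from the practice: may log on only between 6 PM and 6 AM, every day.
USER3_HOURS = build_logon_hours((day, 18, 6) for day in range(7))
```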


To test password restrictions


Attempt to log on as User7 with no password.

Were you able to successfully log on? Why or why not?

No, because User7 was assigned a password when the user accounts were created.

When prompted, change the password to student.

Were you able to log on? Why or why not?

Yes, because User7 is the correct password for the User7 user account.

Attempt to log on as User9 with a password of User9.

Were you able to successfully log on? Why or why not?

Yes, because User9 is the correct password for the User9 user account.


To test password restrictions by attempting to change a password


In the Old Password box, type the password for the User9 user account; in the New Password and Confirm New Password boxes, type student, then click OK.

Were you able to change the password? Why or why not?

No, because User9 has been restricted from changing passwords.


To test account expiration


When prompted, change your password to student.

Were you successful? Why or why not?

Yes, because the account for User5 does not expire until the end of the day today.


Lesson 4: Creating User Profiles


Practice: Managing User Profiles


Exercise 1: Configuring a Local User Profile


To view existing profiles


Click the User Profiles tab.

Which users' profiles are stored on your computer?

MICROSOFT\administrator, MICROSOFT\puser, and users who have logged on to the computer.


To define and test a local profile


Log off and log on as the same user, puser.

Were screen colors saved? Why or why not?

Yes, because the screen colors are saved in the puser's profile.


Exercise 2: Defining a Standard Roaming User Profile


To test the roaming profile


Log off and log on as User2.

Are the screen colors and desktop the same or different from those set in the Profile Template? Why or why not?

The screen colors are the same as the screen colors set in the Profile Template because the roaming profile for the User2 account was downloaded from the shared folder on the network server and applied to whatever computer User2 logs on to.


To determine the type of profile assigned to a user


Double-click System, then click the User Profiles tab.

What type of profile is listed for the User2 account?

A roaming user profile.


Lesson 6: Maintaining User Accounts


Practice: Administering User Accounts


Exercise 1: Enabling a User Account


To disable a user account


In the details pane of the Active Directory Users and Computers console, right-click the user account that you just disabled to display the shortcut menu.

How can you tell that the user account is disabled?

The Enable Account option appears on the shortcut menu, and a red X appears on the user icon in the details pane.

Attempt to log on as puser.

Were you successful? Why or why not?

No, because the account is disabled.


To enable a user account


In the details pane of the Active Directory Users and Computers console, right-click the user account that you just enabled to display the shortcut menu.

How can you tell that the user account is enabled?

The Disable Account option appears on the shortcut menu, and the red X is removed from the user icon in the details pane.


To test account enabling and to change the password for a user account


Log on as puser.

Were you successful? Why or why not?

Yes, because the account is enabled.


Exercise 2: Resetting the Password for a User Account


To test password resetting


Log on as puser and type password as the password.

Were you successful? Why or why not?

Not immediately. Because User Must Change Password At Next Logon was selected, the Logon Message appears, stating that the password has expired and must be changed. Then the Change Password dialog box appears where a new password known only to the user must be chosen and confirmed. Only then is puser allowed to log on.


Review Questions



What different capabilities do local user accounts and domain user accounts provide to users?

A local user account allows the user to log on at and gain access to resources on only the computer where you create the local user account. A domain user account allows a user to log on to the domain from any computer in the network and to gain access to resources anywhere in the domain, provided the user has permission to access these resources.

What should you consider when you plan new user accounts?


A naming convention that ensures unique but consistent user account names

Whether you or the user will determine the user account password

The hours when users need to have access to the network or be restricted from using the network

Whether the user account should be disabled

The type of user profile to use

Whether My Documents or home directories will be used


What information is required to create a domain user account?

A first or last name, logon name, and pre-Windows 2000 logon name.

A user wants to gain access to network resources remotely from home. The user does not want to pay the long-distance charges for the telephone call. How would you set up the user account to accomplish this?

In the Dial-In tab of the Properties dialog box for the user account, click the Set By Caller (Routing and Remote Access Service Only) option to have the RAS server call the user back at a telephone number that he or she specifies. You can also click the Always Callback To option to have the RAS server use a specified telephone number to call back the user. However, the user must be at the specified telephone number to make a connection to the server.

What is the difference between a local user profile and a roaming user profile?

A local user profile is stored on the computer where the user logs on.
A roaming user profile is stored on a domain server and is copied to the client computer where the user logs on.

What do you do to ensure that a user on a client computer running Windows 2000 has a roaming user profile?

First, create a shared folder on a network server. Second, for each user account, in the Properties dialog box for each user, provide a path to the shared folder on the server. The next time that the user logs on, the roaming user profile is created.

How can you ensure that a user has a centrally located home directory?

First, create and share a parent folder on a server. Second, change the permission for the folder to Full Control for the Users group. Third, provide a path to the shared folder, including the name of the individual user's home directory (\\server_name\shared_folder_name\user_logon_name).

Why would you rename a user account and what is the advantage of doing so?

Rename a user account if you want a new user to have all of the properties of a former user, including permissions, desktop settings, and group membership. The advantage of renaming an account is that you do not have to rebuild all of the properties as you do for a new user account.


Chapter 8


Practice Questions


Lesson 2: Planning a Group Strategy


Practice: Planning New Group Accounts


Record your planning strategies on the Group Planning Worksheet. Follow these instructions to complete the worksheet. This sample presents only one set of possible answers. You may have planned your accounts differently.

Group Accounts Planning Worksheet

Group Name                   Type and Scope              Members
Testers                      Security, global            All product testers
Customer Service Reps        Security, global            All customer service representatives
Maint Workers                Security, global            All maintenance workers
Managers                     Security, global            All managers
Sales Reps                   Security, global            All sales reps
Network Admin                Security, global            All network administrators
All Employees                Security, global            All employees
Topics Employees             Security, global            Employees interested in manufacturing topics
Customer database            Security, domain local      Customer service reps, managers, sales reps
Company policies             Security, domain local      All employees
Microsoft Office             Security, domain local      Testers, customer service reps, managers, sales reps, network administrators
Sales reports                Security, domain local      Sales reps
E-mail announcements         Distribution, domain local  All employees
E-mail manufacturing topics  Distribution, domain local  Topics employees


Does your network require local groups?

No. The scenario presents no need to create local groups, which you can only use on a single computer.

Does your network require universal groups?

No. The scenario presents no need to create universal groups. Your domain has no groups that need to have access to resources in multiple domains and also need to have members from multiple domains.

Sales representatives at the company frequently visit the company headquarters and other divisions. Therefore, you need to give sales representatives with user accounts in other domains the same permissions for resources that sales representatives in your domain have. You also want to make it easy for administrators in other domains to assign permissions to sales representatives in your domain. How can you accomplish this?

Create global groups for sales representatives in all other domains. Add these global groups to the appropriate domain local groups in your domain. Tell administrators in other domains about the global group that represents sales representatives in your domain. Have the administrators add the sales representatives group from your domain to the appropriate domain local groups in their domains.


Review Questions



Why should you use groups?

Use groups to simplify administration by granting rights and assigning permissions once to the group rather than multiple times to each individual member.

What is the purpose of adding a group to another group?

Adding groups to other groups (nesting) creates a consolidated group and can reduce the number of times that you need to assign permissions.

When should you use security groups instead of distribution groups?

Use security groups to assign permissions. Use distribution groups when the group's only function is not security related, such as an e-mail distribution list. You cannot use distribution groups to assign permissions.

What strategy should you apply when you use domain local and global groups?

Place user accounts into global groups, place global groups into domain local groups, and then assign permissions to the domain local group.

Why should you not use local groups on a computer after it becomes a member of a domain?

Local groups do not appear in Active Directory, and you must administer local groups separately for each computer.

What is the easiest way to give a user complete control over all computers in a domain?

Add his or her user account to the Domain Admins predefined global group. Then he or she can perform all administrative tasks on all domain computers and in Active Directory. The user receives administrative control because Windows 2000 makes the Domain Admins predefined global group a member of both the Administrators built-in domain local group and the Administrators built-in local group on each member server and computer running Windows 2000 Professional. The Administrators built-in domain local group has complete control over all domain controllers and Active Directory. Each Administrators built-in local group has complete control over the computer on which it exists.

Why shouldn't you run your computer as an administrator? What action should you take instead?

Running Windows 2000 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. For most computer activity, you should assign yourself to the Users or Power Users group. Then, if you need to perform an administrator-only task, you should log on as an administrator, perform the task, and then log off. If you frequently need to log on as an administrator, you can use Run As to start a program as an administrator.

Suppose the headquarters for this chapter's imaginary manufacturing company has a single domain that is located in Paris. The company has managers who need to access the inventory database to perform their jobs. What would you do to ensure that the managers have the required access to the inventory database?

Place all of the managers into a global group. Create a domain local group for inventory database access. Make the managers global group a member of the inventory database domain local group and assign permissions to gain access to the inventory database to the domain local group.

Now suppose the company has a three-domain environment with the root domain in Paris and the other two domains in Australia and North America. Managers from all three domains need access to the inventory database in Paris to perform their jobs. What would you do to ensure that the managers have the required access and that there is a minimum of administration?

In each domain, create a global group and add user accounts for the managers in that domain to the global group. Create a domain local group for the inventory database access in the domain where the database is located (Paris). Add the managers global groups from each of the domains to the inventory database domain local group. Then, assign permissions to gain access to the inventory database to the domain local group.


Chapter 9


Practice Questions


Lesson 2: Assigning NTFS Permissions


Practice: Planning and Assigning NTFS Permissions


Exercise 1: Planning NTFS Permissions


When you apply custom permissions to a folder or file, which default permission entry should you remove?

The Full Control permission for the Everyone group at the volume level.

Complete Table 9.5 to plan and record your permissions.

Table 9.5 Permissions Planning Table for Exercise 1

Path            User Account or Group  NTFS Permissions  Block Inheritance (Yes/No)
Apps            Administrators         Full Control      No
Apps\WordProc   Users                  Read & Execute    No
Apps\Spreadsh   Accounting             Read & Execute    No
                Managers               Read & Execute
                Executives             Read & Execute
Apps\Database   Accounting             Read & Execute    No
                Managers               Read & Execute
                Executives             Read & Execute
Public          Administrators         Full Control      No
                Creator Owner          Full Control
                Users                  Write
Public\Library  Administrators         Full Control      Yes
                Users                  Read & Execute
Public\Manuals  Administrators         Full Control      Yes
                Users                  Read & Execute
                USER81                 Full Control

Exercise 2: Assigning NTFS Permissions for the Data Folder


To remove permissions from the Everyone group


Click the Security tab to display the permissions for the Data folder.

Windows 2000 displays the Data Properties dialog box with the Security tab active.

What are the existing folder permissions?

The Everyone group has Full Control.

Under Name, select the Everyone group, then click Remove.

What do you see?

Windows 2000 displays a message box, indicating that the folder is inheriting the permissions for Everyone from its parent folder. To change permissions for Everyone, you must first block inheritance.

Click Remove.

What are the existing folder permissions?

No permissions are currently assigned.


To assign permissions to the Users group for the Data folder


Click OK to return to the Data Properties dialog box.

What are the existing allowed folder permissions?

The Users group has the following permissions: Read & Execute, List Folder Contents, and Read. These are the default permissions that Windows 2000 assigns when you add a user account or group to the list of permissions.


To assign permissions to the CREATOR OWNER group for the Data folder


Click OK to return to the Data Properties dialog box.

What are the existing allowed folder permissions?

The Users group has the following permissions: Read & Execute, List Folder Contents, Read, and Write. The CREATOR OWNER group has no permissions.

Make sure that CREATOR OWNER is selected, and next to Full Control, select the Allow check box, then click Apply to save your changes.

What do you see?

For the CREATOR OWNER group, none of the Allow check boxes are checked for any permissions. A note appears next to the Advanced button stating: "Additional permissions are present but not viewable here. Press Advanced to see them."

Under Name, select CREATOR OWNER.

What permissions are assigned to the CREATOR OWNER group and where do these permissions apply? Why?

The CREATOR OWNER group has Full Control permission. These permissions apply to subfolders and files only. Permissions that are assigned to the CREATOR OWNER group are not applied to the folder but only to new files and folders that are created within the folder. The user who creates the new file or folder receives the permissions that are assigned to CREATOR OWNER for the parent folder and must belong to other groups that are capable of writing to the new files and folders.


To test the folder permissions that you assigned for the Data folder


In the Data folder, attempt to create a text file named USER81.txt.

Were you successful? Why or why not?

Yes, because the Users group (of which USER81 is a member) is assigned the Write permission for the Data folder.

Attempt to perform the following tasks for the file that you just created, and then record those tasks that you are able to complete.


Open the file

Modify the file

Delete the file


The tasks that you can complete are opening, modifying, and deleting the file because CREATOR OWNER has been assigned the NTFS Full Control permission for the Data folder.


Exercise 4: Testing NTFS Permissions


To test permissions for the Reports folder while logged on as USER81


Attempt to create a file in the Reports folder.

Were you successful? Why or why not?

No, because only User82, Managers, and Administrator have permissions to create and modify files in the Reports folder.


To test permissions for the Reports folder while logged on as User82


Attempt to create a file in the Reports folder.

Were you successful? Why or why not?

Yes, because User82 has the Modify permission for the folder.


To test permissions for the Sales folder while logged on as Administrator


Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

Yes, because the Administrators group has the Full Control permission for the Sales folder.


To test permissions for the Sales folder while logged on as USER81


Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

No, because only the Sales group has NTFS permissions to create and modify files in the Sales folder. USER81 is not a member of the Sales group.


To test permissions for the Sales folder while logged on as User82


Attempt to create a file in the Sales folder.

Were you successful? Why or why not?

Yes, because User82 is a member of the Sales group, which has been assigned Modify permission for the Sales folder.


Lesson 3: Assigning Special Permissions


Practice: Taking Ownership of a File


To determine the permissions for a file


Click the Security tab to display the permissions for the OWNER.TXT file.

What are the current allowed permissions for OWNER.TXT?

The Administrators group has the Full Control permission. The Users group has the Read & Execute permission.

Click the Owner tab.

Who is the current owner of the OWNER.TXT file?

The Administrators group.


To take ownership of a file


Click Advanced to display the Access Control Settings For OWNER.TXT dialog box, then click the Owner tab.

Who is the current owner of OWNER.TXT?

The Administrators group.

Under Name, select User83, then click Apply.

Who is the current owner of OWNER.TXT?

User83.


To test permissions for a file as the owner


In the Security dialog box, click Remove to remove permissions from the Users group and the Administrators group for the OWNER.TXT file.

Were you successful? Why or why not?

Yes, because User83 is the owner of OWNER.TXT, and the owner of a folder or file can always change the permissions on folders and files that he or she owns.


Lesson 4: Copying and Moving Folders and Files


Practice: Copying and Moving Folders

To create a folder while logged on as a user


While you are logged on as User83, in Windows Explorer, in C:\ (where C:\ is the name of your system drive), create a folder named Temp1.

What are the permissions that are assigned to the folder?

The Everyone group has Full Control.

Who is the owner? Why?

User83 is the owner because the person who creates a folder or file is the owner.


To create a folder while logged on as Administrator


In C:\ (where C:\ is the name of your system drive), create the following two folders: Temp2 and Temp3.

What are the permissions for the folders that you just created?

The Everyone group has Full Control.

Who is the owner of the Temp2 and Temp3 folders? Why?

The Administrators group is the owner of Temp2 and Temp3 because a member of the Administrators group created these folders.


To copy a folder to another folder within a Windows 2000 NTFS volume


Select C:\Temp1\Temp2, then compare the permissions and ownership with C:\Temp2.

Who is the owner of C:\Temp1\Temp2 and what are the permissions? Why?

The owner is still the Administrators group because you are logged on as Administrator. When a folder or file is copied within an NTFS volume, the person who copies the folder or file becomes the owner.

The Everyone group has the Full Control permission because when a folder or file is copied within an NTFS volume, the folder or file inherits the permissions of the folder into which it is copied.


To move a folder within the same NTFS volume


Select C:\Temp3, then move it to C:\Temp1.

What happens to the permissions and ownership for C:\Temp1\Temp3? Why?

C:\Temp1\Temp3 retains the same permissions and owner (the Administrators group) as C:\Temp3. This is because when a folder or file is moved within the same NTFS volume, the folder or file retains its original permissions and owner.


Lesson 5: Troubleshooting Permissions Problems


Practice: Deleting a File with All Permissions Denied


To view the result of denying the Full Control permission for a folder


In Windows Explorer, double-click NOACCESS.TXT in C:\Fullaccess to open the file.

Were you successful? Why or why not?

No. The Everyone group has been denied the Full Control permission for C:\Fullaccess\noaccess.txt. The Administrator user account is a member of the Everyone group.

Delete NOACCESS.TXT by typing del noaccess.txt

Were you successful? Why or why not?

Yes, because the Full Control permission includes the Delete Subfolders and Files special permission for POSIX compliance. This special permission allows a user to delete files in the root of a folder to which the user has been assigned the Full Control permission. This permission overrides the file permissions.

How would you prevent users with Full Control permission for a folder from deleting a file in that folder for which they have been denied the Full Control permission?

Allow users all of the individual permissions, and then deny users the Delete Subfolders and Files special permission.


Review Questions



What is the default permission when a volume is formatted with NTFS? Who has access to the volume?

The default permission is Full Control. The Everyone group has access to the volume.

If a user has Write permission for a folder and is also a member of a group with Read permission for the folder, what are the user's effective permissions for the folder?

The user has both Read permission and Write permission for the folder because NTFS permissions are cumulative.

If you assign the Modify permission to a user account for a folder and the Read permission for a file, and then copy the file to that folder, what permission does the user have for the file?

The user can modify the file because the file inherits the Modify permission from the folder.

What happens to permissions that are assigned to a file when the file is moved from one folder to another folder on the same NTFS volume? What happens when the file is moved to a folder on another NTFS volume?

When the file is moved from one folder to another folder on the same NTFS volume, the file retains its permissions. When the file is moved to a folder on a different NTFS volume, the file inherits the permissions of the destination folder.

If an employee leaves the company, what must you do to transfer ownership of his or her files and folders to another employee?

You must be logged on as Administrator to take ownership of the employee's files and folders. Assign the Take Ownership special permission to another employee to allow that employee to take ownership of the folders and files. Notify the employee to whom you assigned Take Ownership to take ownership of the files and folders.

What three things should you check when a user cannot gain access to a resource?

Check the permissions that are assigned to the user account and to groups of which the user is a member.

Check whether the user account, or a group of which the user is a member, has been denied permission for the file or folder.

Check whether the folder or file has been copied to any other file or folder or moved to another volume. If it has, the permissions will have changed.


Chapter 10


Practice Questions


Lesson 1: Understanding Shared Folders


Practice: Applied Permissions


User1 is a member of Group1, Group2, and Group3. Group1 has Read permission and Group3 has Full Control permission for FolderA. Group2 has no permissions for FolderA. What are User1's effective permissions for FolderA?

Because User1 has the combined permissions of all the groups to which he or she belongs, User1's effective permission for FolderA is Full Control, which also includes all capabilities of the Read permission.

User1 is also a member of the Sales group, which has Read permission for FolderB. User1 has been denied the shared folder permission Full Control for FolderB as an individual user. What are User1's effective permissions for FolderB?

User1 has no access to FolderB. Even though User1 is a member of the Sales group, which has Read permission for FolderB, User1 has been denied Full Control access to FolderB. Denied permissions override all other permissions.


Lesson 4: Combining Shared Folder Permissions and NTFS Permissions


Practice: Managing Shared Folders


Exercise 1: Combining Permissions



In the first example, the Data folder is shared. The Sales group has the shared folder Read permission for the Data folder and the NTFS Full Control permission for the Sales subfolder.

What are the Sales group's effective permissions for the Sales subfolder when Sales group members gain access to the Sales subfolder by making a connection to the Data shared folder?

The Sales group has Read permission for the Sales subfolder because when shared folder permissions are combined with NTFS permissions, the more restrictive permission applies.

In the second example, the Users folder contains user home folders. Each user home folder contains data that is only accessible to the user for whom the folder is named. The Users folder has been shared, and the Users group has the shared folder Full Control permission for the Users folder. User1 and User2 have the NTFS Full Control permission for only their home folder and no NTFS permissions for other folders. These users are all members of the Users group.

What permissions does User1 have when he or she accesses the User1 subfolder by making a connection to the Users shared folder? What are User1's permissions for the User2 subfolder?

User1 has the Full Control permission for the User1 subfolder because both the shared folder permission and the NTFS permission allow full control. User1 cannot access the User2 subfolder because he or she has no NTFS permissions to gain access to it. The storage of private files on the file server is a common scenario.
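The permission rules stated in these answers (Chapter 8's global-into-domain-local group nesting, Chapter 9's cumulative NTFS permissions, and this chapter's rules that a Deny overrides every Allow and that the more restrictive of share and NTFS permissions applies) as a small Python model. This is an added example written for this page, not code from the training kit or from Windows; the users, groups, ACLs and domain names it uses are constructed sample data.

```python
"""Illustrative model, written for this page (not Windows code), of the
permission rules in the Chapter 8 to 10 answers: NTFS permissions are
cumulative across a user's groups, an explicit Deny overrides every Allow,
nested groups (AGDLP) carry membership through to the user, and a folder
reached through a share gets the more restrictive of share and NTFS.
Permission names follow the book's tables; sample data is constructed."""

from collections import namedtuple

READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS = (
    "read", "execute", "write", "delete", "change_perms")
ALL = frozenset({READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS})
# Standard NTFS permissions as sets of atomic rights.
NTFS = {
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}
# Shared folder permissions; share Read lets users open and run files.
SHARE = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

# One access control entry: who, which permission, Allow (True) or Deny.
Ace = namedtuple("Ace", "principal permission allow", defaults=[True])


def expand_principals(user, groups):
    """The user plus every group containing the user directly or through
    nesting; `groups` maps a group name to its direct members."""
    found = {user}
    while True:  # add enclosing groups until a fixed point is reached
        new = {g for g, m in groups.items() if g not in found and m & found}
        if not new:
            return found
        found |= new


def _resolve(principals, acl, table):
    """Union the matching Allow entries, then strip every matching Deny:
    permissions accumulate, but a single Deny wins."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(table[ace.permission])
    return allowed - denied


def effective_access(user, groups, ntfs_acl=None, share_acl=None):
    """Effective rights of `user`: apply the NTFS ACL if given, the share
    ACL if the folder is reached over the network, and intersect both."""
    principals = expand_principals(user, groups)
    rights = set(ALL)
    if ntfs_acl is not None:
        rights &= _resolve(principals, ntfs_acl, NTFS)
    if share_acl is not None:
        rights &= _resolve(principals, share_acl, SHARE)
    return frozenset(rights)


def describe(rights):
    """Name the standard NTFS permission that matches, else list rights."""
    for name, r in NTFS.items():
        if r == rights:
            return name
    return ", ".join(sorted(rights)) if rights else "No access"


def scenarios():
    """Constructed cases mirroring the appendix answers."""
    # Ch10 L1: User1 in Group1 (Read), Group2 (none), Group3 (Full Control);
    # on FolderB, Sales has share Read but User1 is denied Full Control.
    g = {"Group1": {"User1"}, "Group2": {"User1"}, "Group3": {"User1"},
         "Sales": {"User1"}}
    folder_a = [Ace("Group1", "Read"), Ace("Group3", "Full Control")]
    folder_b = [Ace("Sales", "Read"), Ace("User1", "Full Control", False)]
    # Ch10 L4: share Read on Data, NTFS Full Control on the Sales subfolder.
    data_share, sales_ntfs = [Ace("Sales", "Read")], [Ace("Sales", "Full Control")]
    # Ch8: AGDLP across domains; each domain's managers global group is
    # nested in the Paris domain local group that holds the permission.
    agdlp = {"PARIS\\Managers": {"PARIS\\Alice"}, "AUS\\Managers": {"AUS\\Bob"},
             "PARIS\\InventoryDB": {"PARIS\\Managers", "AUS\\Managers"}}
    inventory = [Ace("PARIS\\InventoryDB", "Modify")]
    return {
        "FolderA": effective_access("User1", g, ntfs_acl=folder_a),
        "FolderB": effective_access("User1", g, share_acl=folder_b),
        "Data\\Sales via share": effective_access(
            "User1", g, ntfs_acl=sales_ntfs, share_acl=data_share),
        "Inventory, Bob (AUS)": effective_access("AUS\\Bob", agdlp, inventory),
        "Inventory, Carol (NA)": effective_access("NA\\Carol", agdlp, inventory),
    }


if __name__ == "__main__":
    for case, rights in scenarios().items():
        print(f"{case:24} {describe(rights)}")
```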


Exercise 2: Planning Shared Folders


Shared Folders and Permissions for Exercise 2

Record your answers in Table 10.6.

You have two choices for permissions. You can rely entirely on NTFS permissions and assign Full Control for all shared folders to the Everyone group, or you can use shared folder permissions according to resource needs. The following suggested shared folders include required permissions if you decide to assign shared folder permissions.

Share the Management Guidelines folder as MgmtGd. Assign the Full Control permission to the Managers group.

Share the Data folder as Data. Assign the Full Control permission to the Administrators built-in group.

Share the Data\Customer Service folder as CustServ. Assign the Change permission to the Customer Service group.

Share the Data\Public folder as Public. Assign the Change permission to the Users built-in group and the Full Control permission to the Administrators built-in group.

Share the Applications folder as Apps. Assign the Read permission to the Users built-in group and the Full Control permission to the Administrators built-in group.

Share the Project Management folder as ProjMan. Assign the Change permission to the Managers group and the Full Control permission to the Administrators built-in group.

Share the Database\Customers folder as CustDB. Assign the Change permission to the CustomerDBFull group, the Read permission to the CustomerDBRead group, and the Full Control permission to the Administrators built-in group.

Share the Users folder as Users. Create a folder for every employee below this folder. Assign the Full Control permission to each employee for his or her own folder. Preferably, have Windows 2000 create the folder and assign permissions automatically when you create each user account.

Exercise 3: Sharing Folders


To share a folder


In the Comment box, type shared productivity applications, then click OK.

How does Windows Explorer change the appearance of the Apps folder to indicate that it is a shared folder?

Windows Explorer shows a hand icon holding the Apps folder. The hand indicates that the folder is shared.


Exercise 4: Assigning Shared Folder Permissions


To determine the current permissions for the Apps shared folder


Open the Apps Properties dialog box, click the Sharing tab, then click Permissions.

Windows 2000 displays the Permissions For Apps dialog box.

What are the default permissions for the Apps shared folder?

The Everyone group has Full Control.


To assign Full Control to the Administrators group


Click OK.

Windows 2000 adds Administrators to the list of names with permissions.

What type of access does Windows 2000 assign to Administrators by default?

The Read permission.

In the Permissions box, under Allow, click Full Control.

Why did Windows Explorer also select the Change permission for you?

Full Control includes all permissions.


Optional Exercise 5: Connecting to a Shared Folder


To connect to a network drive using the Run command


In the Open box, type \\server1 (if you did not use SERVER1 as the name of your domain controller, use the appropriate name here and in the following steps), then click OK.

Windows 2000 displays the Server1 window.

Notice that only the folders that are shared appear.

Which shared folders are currently available?

In addition to the folders that you shared on your domain controller, the following folders are also shared: Printers, Scheduled Tasks, NETLOGON, and SYSVOL. Any printers that you have shared also appear.


To connect a network drive to a shared folder using the Map Network Drive command


To confirm that Windows Explorer has successfully completed the drive mapping, on your desktop, double-click My Computer.

Notice that Windows 2000 has added drive P as Apps On Server1 (P:).

How does Windows Explorer indicate that this drive points to a remote shared folder?

Windows Explorer uses an icon that shows a network cable attached to the drive. The network cable icon indicates a mapped network drive.


To attempt to connect to a shared folder on your domain controller


In the Open box, type \\server1\apps (if you did not use SERVER1 as the name of your domain controller, use the appropriate name), then click OK.

Windows 2000 displays a message stating that access is denied.

Why were you denied access to the Apps shared folder?

Because USER81, the user account that you used to log on, does not have the required permissions to gain access to the shared folder. Only the Administrators group can gain access to the Apps shared folder.


To connect to a shared folder using another user account


Click the link labeled Connect Using A Different User Name.

The Connect As dialog box appears. This dialog box lets you specify a different user account to use to make a connection to the shared folder. It may also be a way to connect to other domains on the network (pre-Windows 2000). When would you use this option?

Choose to connect as a different user when the user account that you are currently using does not have the necessary permissions for a shared folder and you have another user account that does. In this situation, you do not have to log off and log on again to gain access to the shared folder.

Confirm that the Reconnect At Logon check box is cleared, then click Finish.

In Windows Explorer, can you gain access to drive J? Why or why not?

Yes. The administrator account has appropriate permissions to gain access to the shared folder.


Optional Exercise 8: Testing NTFS and Shared Folder Permissions


To test permissions for the Manuals folder when a user logs on locally as User82


In the Manuals folder, attempt to create a file.

Were you successful? Why or why not?

No. Only the Administrators group and User83 have the NTFS permission to create and modify files in the Manuals folder.


To test permissions for the Manuals folder when a user makes a connection over the network


In the Manuals folder on your domain controller, attempt to create a file.

Were you successful? Why or why not?

No. Although the Users group has the Full Control shared folder permission for \\server1\public, only the Administrators group and User83 have the NTFS permission to create and modify files in the Manuals folder.


To test permissions for the Manuals folder when a user logs on locally as User83


In the Manuals folder, attempt to create a file.

Were you successful? Why or why not?

Yes. User83 has the Full Control NTFS permission for the folder.


To test permissions for the Manuals folder when a user logs on as User83 and connects over the network


In the Manuals folder on your domain controller, attempt to create a file.

Were you successful? Why or why not?

Yes. The Users group has Full Control for the Public shared folder. User83 also has the Full Control NTFS permission for the Manuals folder.


Lesson 5: Configuring Dfs to Gain Access to Network Resources


Practice: Using Dfs


To gain access to a Dfs root


Double-click SERVER1.

Windows Explorer displays a list of all shared folders on your domain controller. Notice that one of the shared folders is Shared Apps, your Dfs root.

Does Windows 2000 provide an indication that Shared Apps is a Dfs root and not an ordinary shared folder?

Windows 2000 does not indicate that the share is a Dfs root.

To view the Dfs links, double-click Shared Apps.

Windows Explorer displays the Shared Apps On Server1 window, which shows all the links of Shared Apps.

Does Windows 2000 indicate that the folders inside Shared Apps are Dfs links and not ordinary folders?

Windows 2000 does not indicate that the folders are Dfs links.


Review Questions



When a folder is shared on a FAT volume, what does a user with the Full Control shared folder permissions for the folder have access to?

All folders and files in the shared folder.

What are the shared folder permissions?

Full Control, Change, and Read.

By default, what are the permissions that are assigned to a shared folder?

The Everyone group is assigned the Full Control permission.

When a folder is shared on an NTFS volume, what does a user with the Full Control shared folder permission for the folder have access to?

Only the folder, not necessarily any of the folder's contents. The user would also need NTFS permissions for each file and subfolder in the shared folder to gain access to those files and subfolders.

When you share a public folder, why should you use centralized data folders?

Centralized data folders enable data to be backed up easily.

What is the best way to secure files and folders that you share on NTFS partitions?

Put the files that you want to share in a shared folder and keep the default shared folder permission (the Everyone group with the Full Control permission for the shared folder). Assign NTFS permissions to users and groups to control access to all contents in the shared folder or to individual files.

How does Dfs facilitate network navigation for users?

A user who navigates a Dfs-managed shared folder does not need to know the name of the server where the folder is actually shared. After connecting to the Dfs root, users can browse for and gain access to all of the resources that are contained within each link, regardless of the location of the server on which the resource is located.


Chapter 11


Practice Questions


Lesson 1: Locating Active Directory Objects


Practice: Searching Active Directory


To find user accounts in the domain


In the console tree, right-click your domain, then click Find.

Windows 2000 displays the Find dialog box.

In the Find dialog box, what object type can you select for a search?

Users, Contacts, and Groups; Computers; Printers; Shared Folders; Organizational Units; Custom Search; and Remote Installation Clients (if Remote Installation Services (RIS) is installed).

Ensure that Users, Contacts, And Groups is selected in the Find box, then click Find Now. What do you see?

The list of users and groups in the domain.


Lesson 2: Controlling Access to Active Directory Objects


Practice: Controlling Access to Active Directory Objects

To view default Active Directory permissions for an OU


In Table 11.5, list the groups that have permissions for the Security1 OU. You will need to refer to these permissions in Lesson 5.

Table 11.5 Groups that Have Permissions for the Security1 OU

User Account or Group               Assigned Permissions
Account Operators                   Advanced permissions
Administrators                      Inherits the Read, Write, and Create All Child Objects permissions and also has advanced permissions
Authenticated Users                 Read
Domain Admins                       Full Control
Enterprise Admins                   Inherits Full Control
Pre-Windows 2000 Compatible Access  Advanced permissions
Print Operators                     Advanced permissions
SYSTEM                              Full Control

How can you tell if any of the default permissions are inherited from the domain, which is the parent object?

The permissions that are assigned to Administrators are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.


To view special permissions for an OU


To view special permissions for Account Operators, in the Permission Entries box, click each entry for Account Operators, then click View/Edit.

The Permission Entry For Security1 dialog box appears.

What object permissions are assigned to Account Operators? What can Account Operators do in this OU? (Hint: Check each permission entry for Account Operators in the Permission Entries box in the Access Control Settings For Security1 dialog box.)

The permissions that are assigned to Account Operators are Create User Objects, Delete User Objects, Create Group Objects, Delete Group Objects, Create Computer Objects, and Delete Computer Objects. Account Operators can only create and delete user accounts, groups, and computers.

Do any objects within this OU inherit the permissions assigned to the Account Operators group? Why or why not?

No. Objects within this OU do not inherit these permissions. The Apply To column in the Permission Entries list in the Access Control Settings For Security1 dialog box shows that permissions granted to Account Operators are applied to This Object Only.


To view the default Active Directory permissions for a user object


In Table 11.6, list the groups that have permissions for the Secretary1 user account. You will need to refer to these permissions in Lesson 5. If the dialog box indicates that special permissions are present for a group, do not list the special permissions to which you can gain access through the Advanced button.

Table 11.6 Permissions for the Secretary1 User Account

Group                               Assigned Permissions
Account Operators                   Full Control
Administrators                      Inherits all permissions, except the Full Control and Delete All Child Objects permissions, and also has advanced permissions
Authenticated Users                 Read permission for General, Personal, Public, and Web Information
Cert Publishers                     Advanced
Domain Admins                       Full Control
Enterprise Admins                   Inherits Full Control
Everyone                            Change Password
Pre-Windows 2000 Compatible Access  Inherits Read, Read Phone and Mail Options, Read General Information, Read Group Membership, Read Personal, Public, Remote Access, Logon, and Web Information, and Read Account Restrictions
RAS and IAS Servers                 Read permission for Group Membership, Remote Access Information, Account Restrictions, and Logon Information
SELF                                Read, Change Password, Receive As, Send As; Read permission for Phone and Mail Options, General Information, Group Membership, Personal Information, Public Information, Remote Access Information, Account Restrictions, Logon Information, and Web Information; Write permission for Phone and Mail Options, Personal Information, and Web Information
SYSTEM                              Full Control

Are the standard permissions for a user object the same as those for an OU object? Why or why not?

No. Standard permissions for each type of object are different. The reason for the differences is that different object types are used for different tasks, and therefore the security needs for each object type differ.

Are any of the standard permissions inherited from Security1, the parent object? How can you tell?

Only the standard permissions that are assigned to Administrators and Enterprise Admins are inherited from the parent object. The check boxes for inherited permissions are shown as shaded.

What do the permissions of the Account Operators group allow its members to do with the user object?

Account Operators have Full Control. A member of the group can make any changes to a user object, including deleting it.


Lesson 4: Moving Active Directory Objects


Practice: Moving Objects Within a Domain

To log on as a user in a nonstandard OU


Log on to your domain by using the User21 account.

Did Windows 2000 require you to specify the OU in which your user account is located as part of the logon process? Why or why not?

No. Windows 2000 automatically locates the user object in Active Directory, independent of its exact location.


Lesson 5: Delegating Administrative Control of Active Directory Objects


Practice: Delegating Administrative Control in Active Directory


To test current permissions


In the console tree, expand your domain, then click Security1.

What user objects are visible in the Security1 OU?

The Secretary1 and Assistant1 user accounts, and also User20, User21, and User22.

Which permissions allow you to see these objects? (Hint: Refer to your answers in Lesson 2.)

The Assistant1 user account automatically belongs to the Authenticated Users built-in group, which has Read permission for the OU.

For the user account with the logon name Secretary1, change the logon hours. Were you successful? Why or why not?

No. The Assistant1 user account does not have Write permission for the Secretary1 object.

For the Assistant1 user account, under which you are currently logged on, change the logon hours. Were you successful? Why or why not?

No. The Assistant1 user account does not have Write permission for the Assistant1 object.


To test delegated permissions


Attempt to change the logon hours for the Assistant1 and Secretary1 user accounts in the Security1 OU.

Were you successful? Why or why not?

Yes. The Assistant1 user account has been assigned Full Control permission for all user objects in the OU. This includes the permission to change the logon hours.

Attempt to change the logon hours for a user account in the Users container.

Were you successful? Why or why not?

No. The Assistant1 user account has not been assigned any permissions for the Users container.


Review Questions



How does the global catalog help users locate Active Directory objects?

The global catalog contains a partial replica of the entire directory, so it stores information about every object in a domain tree or forest. Because the global catalog contains information about every object, a user can find information regardless of which domain in the tree or forest contains the data. Active Directory automatically generates the contents of the global catalog from the domains that make up the directory.

You want to allow the manager of the Sales department to create, modify, and delete only user accounts for sales personnel. How can you accomplish this?

Place all of the sales personnel user accounts in an OU, and then delegate control of the OU to the manager of the Sales department.

What happens to the permissions of an object when you move it from one OU to another OU?

Permissions assigned directly to the object remain the same. The object also inherits permissions from the new OU. Any permissions previously inherited from the old OU no longer affect the object.
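
The behaviour described in this answer, modelled as an added Python example (not code from the training kit): explicit ACEs stay with the object, inheritable ACEs are recomputed from the new parent, and an ACE whose Apply To is This Object Only never flows down. The hierarchy, the Sales Manager delegation and the right names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry. Simplified model, not Windows code."""
    trustee: str
    rights: FrozenSet[str]
    # Mirrors the Apply To column: "this_object_only" ACEs are never
    # inherited; "this_and_children" ACEs flow down to child objects.
    apply_to: str = "this_object_only"


@dataclass
class DirObject:
    name: str
    explicit: List[Ace] = field(default_factory=list)  # ACEs set directly on the object
    parent: Optional["DirObject"] = None


def effective_aces(obj: DirObject) -> List[Tuple[Ace, bool]]:
    """Explicit ACEs first, then inheritable ACEs from every ancestor.
    The bool is the inherited flag (the shaded check box in the dialog)."""
    aces = [(ace, False) for ace in obj.explicit]
    node = obj.parent
    while node is not None:
        aces.extend((ace, True) for ace in node.explicit
                    if ace.apply_to == "this_and_children")
        node = node.parent
    return aces


def rights_for(obj: DirObject, trustee: str) -> FrozenSet[str]:
    """Union of all rights the trustee holds on obj, explicit or inherited."""
    return frozenset().union(
        *(ace.rights for ace, _ in effective_aces(obj) if ace.trustee == trustee))


def move(obj: DirObject, new_parent: DirObject) -> None:
    """Moving only changes the parent; the object's explicit ACEs are untouched,
    so inherited permissions change while directly assigned ones stay."""
    obj.parent = new_parent


def build_sample():
    """Constructed hierarchy: domain -> Security1 and Sales OUs; Secretary1 in Security1."""
    domain = DirObject("microsoft.com", [
        Ace("Administrators",
            frozenset({"Read", "Write", "Create All Child Objects"}), "this_and_children"),
    ])
    security1 = DirObject("Security1", [
        # Account Operators: Apply To is This Object Only, so nothing below inherits it.
        Ace("Account Operators", frozenset({"Create User Objects", "Delete User Objects"})),
        # Assistant1 was delegated Full Control over user objects in this OU (Lesson 5).
        Ace("Assistant1", frozenset({"Full Control"}), "this_and_children"),
    ], parent=domain)
    sales = DirObject("Sales", [
        # Hypothetical delegation of the Sales OU to the Sales manager.
        Ace("Sales Manager", frozenset({"Full Control"}), "this_and_children"),
    ], parent=domain)
    secretary1 = DirObject("Secretary1",
                           [Ace("SELF", frozenset({"Change Password"}))], parent=security1)
    return security1, sales, secretary1


if __name__ == "__main__":
    _, sales, secretary1 = build_sample()
    move(secretary1, sales)
    print(sorted(rights_for(secretary1, "Sales Manager")), sorted(rights_for(secretary1, "SELF")))
```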

The Delegation Of Control Wizard allows you to set administrative control at what level?

OU or container.

When backing up Active Directory, what type of data must you specify to be backed up? What is included in this data type?

You must indicate that you need to back up System State data. For Windows 2000 Server operating systems, the System State data comprises the registry, COM+ Class Registration database, system boot files, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.

When you restart the computer in Directory Services Restore Mode, what logon must you use? Why?

When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.


Chapter 12


Practice Questions


Lesson 3: Implementing Group Policy


Practice: Implementing a Group Policy


Exercise 3: Delegating Administrative Control of a GPO


To delegate administrative control for your GPO


Right-click the root node of the console, DispatchPolicy [server1.microsoft.com] Policy, click Properties, then click the Security tab.

The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.

What security groups already have administrative control of the DispatchPolicy GPO?

Domain Admins, Enterprise Admins, and SYSTEM.


Exercise 4: Specifying Group Policy Settings


To specify group policy settings for your GPO


In the console tree, click Start Menu & Task Bar.

What appears in the details pane?

The policies available for the Start Menu & Task Bar category appear in the details pane.

Click Enabled, then click OK.

How can you tell at a glance that this setting is enabled?

The setting is listed as enabled in the details pane.


Exercise 9: Testing a GPO


To test the DispatchPolicy GPO


Press Ctrl+Alt+Delete.

The Windows Security dialog box appears.

Are you able to lock the workstation? Why?

No, the Lock Computer option is not available. Assistant1 is unable to lock the workstation because the DispatchPolicy GPO was linked to the Security1 OU in Exercise 8.

Click Cancel, then click Start.

Does the Search command appear on the Start menu?

No.

Does the Run command appear on the Start menu?

No.

Press Ctrl+Alt+Delete.

Are you able to lock the workstation? Why?

Yes, the Lock Computer option is available. Assistant1 is able to lock the computer because the Sales group was filtered from the DispatchPolicy GPO scope in Exercise 7.


Review Questions



What is a GPO?

A GPO is a group policy object. Group policy configuration settings are contained within a GPO. Each Windows 2000 computer has one local GPO, and may in addition be subject to any number of nonlocal (Active Directory-based) GPOs.

One local GPO is stored on each computer whether or not the computer is part of an Active Directory environment or a networked environment. Local GPO settings can be overridden by nonlocal GPOs.

Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. To use nonlocal GPOs, you must have a Windows 2000 domain controller installed.
Following the properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.

What are the two types of group policy settings and how are they used?

The two types of group policy settings are computer configuration settings and user configuration settings. Computer configuration settings are used to set group policies applied to computers, regardless of who logs onto them. Computer configuration settings are applied when the operating system initializes. User configuration settings are used to set group policies applied to users, regardless of which computer the user logs on to. User configuration settings are applied when users log on to the computer.

In what order is group policy implemented through the Active Directory structure?

Group policy is implemented in the following order: site, domain, and then OU.

Name the tasks for implementing group policy.

The tasks for implementing group policy are: creating a GPO, creating a snap-in for the GPO, delegating administrative control of the GPO, specifying group policy settings for the GPO, disabling unused group policy settings, indicating any GPO processing exceptions, filtering the scope of the GPO, and linking the GPO to a site, domain, or OU.

What is the difference between Block Policy Inheritance and No Override?

Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus Block Policy Inheritance deflects all group policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from. GPO links set to No Override are always applied and cannot be blocked using the Block Policy Inheritance option.

Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override with respect to that site, domain, or OU, so that none of its policy settings can be overwritten. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy (or higher in the hierarchy specified by the administrator at each fixed level in Active Directory) takes precedence. No Override is applied to the GPO link.
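
The processing rules from the last three answers (site, domain, then OU; cumulative; Block Policy Inheritance on the container; No Override on the link) as an added Python model, not code from the training kit or from Windows. The Default Domain Policy settings and the DispatchPolicy settings used as sample input are constructed to match the chapter's exercise.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, object]   # policy name -> configured value


@dataclass
class GpoLink:
    gpo: Gpo
    no_override: bool = False     # No Override is a property of the link, not the GPO


@dataclass
class Container:
    """A site, domain or OU. links[0] has the highest precedence within the container."""
    name: str
    links: List[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False   # Block Policy Inheritance is set on the container
    parent: Optional["Container"] = None


def application_order(container: Container) -> List[Gpo]:
    """GPOs in the order they are applied; for a setting defined by several GPOs,
    the one applied later wins."""
    chain: List[Container] = []
    node: Optional[Container] = container
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                                  # site first, target container last
    # The lowest container that blocks inheritance cuts off everything linked above it.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal: List[Gpo] = []
    enforced: List[Tuple[int, Gpo]] = []
    for level, c in enumerate(chain):
        for link in reversed(c.links):               # lowest-precedence link applied first
            if link.no_override:
                enforced.append((level, link.gpo))   # cannot be blocked, always applied
            elif level >= blocked_above:
                normal.append(link.gpo)
    # No Override links are applied after everything else; the highest level goes
    # last, so when several are enforced the one highest in the hierarchy wins.
    enforced.sort(key=lambda pair: pair[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def resultant_settings(container: Container) -> Dict[str, object]:
    result: Dict[str, object] = {}
    for gpo in application_order(container):
        result.update(gpo.settings)                  # later GPO overrides earlier
    return result


def build_example(block: bool, enforce_domain: bool) -> Container:
    """Constructed sample: Default Domain Policy at the domain, DispatchPolicy on Security1."""
    default_domain = Gpo("Default Domain Policy",
                         {"Remove Run menu": False, "Minimum password length": 8})
    dispatch = Gpo("DispatchPolicy",
                   {"Remove Run menu": True, "Disable Lock Computer": True})
    domain = Container("microsoft.com", [GpoLink(default_domain, no_override=enforce_domain)])
    return Container("Security1", [GpoLink(dispatch)], block_inheritance=block, parent=domain)


if __name__ == "__main__":
    for block, enforce in ((False, False), (True, False), (True, True)):
        print(block, enforce, resultant_settings(build_example(block, enforce)))
```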

What is the difference between assigning software and publishing software?

Assign a software application when you want everyone to have the application on his or her computer. An application can be assigned to both computers and users.

Publish a software application when you want the application to be available to people managed by the GPO, should the person want the application. With published applications it is up to each person to decide whether or not to install the published application. An application can only be published to users.

What folders can be redirected?

Application Data, Desktop, My Documents, My Pictures, and Start Menu.


Chapter 13


Practice Questions


Lesson 2: Auditing


Practice: Auditing Resources and Events


Exercise 1: Planning a Domain Audit Policy


Record your decisions to audit successful events, failed events, or both for the actions listed in Table 13.7.

Answers may vary. Possible answers include the following:

Account logon events: Failed (for network access attempts)

Account management: Successful (for administrator actions)

Directory service access: Failed (for unauthorized access)

Logon events: Failed (for network access attempts)

Object access: Successful (for printer use) and Failed (for unauthorized access)

Policy change: Successful (for administrator actions)

Privilege use: Successful (for administrator actions and backup procedures)

Process tracking: Nothing (useful primarily for developers)

System events: Successful and Failed (for attempts to breach the server)

Exercise 5: Setting Up Auditing of an Active Directory Object


To review auditing of an Active Directory object


In the Access Control Settings For Users dialog box, click the Auditing tab, then double-click Everyone.

The Auditing Entry For Users dialog box appears.

Review the default audit settings for object access by members of the Everyone group. How do the audited types of access differ from the types of access that are not audited?

All types of access that result in a change of the object are audited; types of access that do not result in a change of the object are not audited.

Click OK three times to close the Auditing Entry For Users, the Access Control Settings For Users, and the Users Properties dialog boxes.

At which computer or computers does Windows 2000 record log entries for Active Directory access? Will you be able to review them?

Windows 2000 records auditing events for Active Directory access at domain controllers, at the OU level. Because you configured auditing for a domain controller, you will be able to view auditing events for Active Directory access. If you had configured auditing for the Local Computer, or the Default Domain Policy, you would not be able to view auditing events for Active Directory access.


Lesson 6: Security Configuration and Analysis


Practice: Using Security Configuration and Analysis


Exercise 4: Viewing Security Analysis Results


To view security analysis results


Double-click the Account Policies node, then click the Password Policy security area.

In the details pane, what is indicated in the Policy column? In the Database Setting column? In the Computer Setting column?

The Policy column indicates the policy name for the analysis results. The Database Setting column indicates the security value in your template. The Computer Setting column indicates the current security level in the system.

In the Policy column, what does the red X indicate? What does the green check mark indicate?

A red X indicates a difference from the database configuration. A green check mark indicates consistency with the database configuration.
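
The comparison behind those two marks, as an added Python example (not code from the training kit or from the Security Configuration and Analysis tool): the template's [System Access] section is loaded as the database setting and compared with each computer setting. The template text is a constructed fragment in the .inf layout Windows 2000 security templates use, and the computer values are constructed as well.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed template fragment (Password Policy lives in [System Access]).
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
PasswordComplexity = 1
"""

# Constructed "current computer" values, as the analysis would read them.
COMPUTER_SETTINGS: Dict[str, int] = {
    "MinimumPasswordLength": 0,   # weaker than the template
    "PasswordHistorySize": 24,
    "MaximumPasswordAge": 42,
    "MinimumPasswordAge": 0,      # weaker than the template
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,       # on the computer but not defined in the template
}

Row = Tuple[str, Optional[int], Optional[int], str]


def load_database(inf_text: str) -> Dict[str, int]:
    """Parse the [System Access] section of a template into the analysis database."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the key case the template uses
    cp.read_string(inf_text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def analyze(database: Dict[str, int], computer: Dict[str, int]) -> List[Row]:
    """One row per policy, like the details pane: (Policy, Database Setting,
    Computer Setting, mark). mark is 'X' for a difference, 'check' for
    consistency, and '' when the database defines nothing to compare against."""
    rows: List[Row] = []
    for policy in sorted(set(database) | set(computer)):
        db_value = database.get(policy)
        pc_value = computer.get(policy)
        if db_value is None:
            mark = ""
        elif db_value == pc_value:
            mark = "check"
        else:
            mark = "X"
        rows.append((policy, db_value, pc_value, mark))
    return rows


def mismatches(database: Dict[str, int], computer: Dict[str, int]) -> List[str]:
    """Policies that would show a red X."""
    return [policy for policy, _, _, mark in analyze(database, computer) if mark == "X"]


if __name__ == "__main__":
    for row in analyze(load_database(TEMPLATE_INF), COMPUTER_SETTINGS):
        print("%-22s database=%-4s computer=%-4s %s" % row)
```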


Review Questions



On which computer do you set an audit policy to audit a folder that is located on a member server that belongs to a domain?

You set the audit policy on the member server; the audit policy must be set on the computer where the folder is located.

What is the difference between what the audit policy settings track for directory service access and object access?

Directory service access tracks if a user gained access to an Active Directory object. Object access tracks if a user gained access to a file, folder, or printer.

When you view a security log, how do you determine if an event failed or was successful?

Successful events appear with a key icon. Unsuccessful events appear with a lock icon.

How are user rights different from permissions?

User rights are different from permissions because user rights apply to user accounts and permissions are attached to objects.

What is a security template and why is it useful?

A security template is a physical representation of a security configuration, a single file where a group of security settings is stored. Locating all security settings in one place streamlines security administration.

Where does the Security Configuration and Analysis console store information for performing configuration and analysis functions?

The Security Configuration and Analysis console uses a database to perform configuration and analysis functions.


Chapter 14


Review Questions



If you experience problems with Active Directory, what item should you investigate first?

You should examine the directory service event logs in Event Viewer.

What is the difference between a performance object and a performance counter?

A performance object is a logical collection of performance counters associated with a resource or service that can be monitored. A performance counter is a condition that applies to a performance object.

What is the difference between a counter log and a trace log?

Counter logs collect performance counter data for a specified interval. Trace logs record data collected by the operating system provider or one or more nonsystem providers when certain activities such as a disk I/O operation or a page fault occur. When counter logs are in use, the Performance Logs and Alerts service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event, as for trace logs.

What actions can be triggered by an alert?

Alerts can log an entry in the application event log, send a network message to a computer, start a performance data log, or run a program when the alert counter's value exceeds or falls below a specified setting.

What does the Active Directory Replication Monitor support tool allow an administrator to do and how is this tool accessed?

The Active Directory Replication Monitor tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface. The Active Directory Replication Monitor is a graphical tool accessed on the Tools menu within Windows 2000 Support Tools.

If you want to find out which files are open in a shared folder and the users who have a current connection to those files, what action should you take?

Click Start, point to Programs, point to Administrative Tools, then click Computer Management. In the console tree of Computer Management, expand System Tools, then expand Shared Folders. In the console tree, click Open Files under Shared Folders.


Chapter 15


Review Questions



What is RIS? What types of remote booting are supported by RIS?

Remote Installation Services (RIS) are software services that allow an administrator to set up new client computers remotely without having to visit each client. The target clients must support remote booting. There are two types of remote boot-enabled client computers: computers with Pre-Boot eXecution Environment (PXE) DHCP-based remote boot ROMs and computers with network cards supported by the RIS Boot Disk.

What does PXE remote boot technology provide?

Pre-Boot eXecution Environment (PXE) is a new form of remote boot technology that has been created within the computing industry. PXE provides companies with the ability to use their existing TCP/IP network infrastructure with DHCP to discover RIS servers on the network. Net PC/PC98-compliant systems can take advantage of the remote boot technology included in the Windows 2000 OS. Net PC/PC98 refers to the annual guide for hardware developers co-authored by Microsoft with Intel, including contributions from Compaq and other industry hardware manufacturers. PC98 is intended to provide standards for hardware development that advance the PC platform and enable Microsoft to include advanced features, like RIS, in the Windows platform.

What is the RIS boot disk?

For computers that do not contain a PXE-based remote boot ROM, Windows 2000 provides the administrator with a tool to create a remote boot disk for use with RIS. The RIS remote boot disk can be used with a variety of PCI-based network adapter cards. Using the RIS boot disk eliminates the need to retrofit existing client computers with new network cards that contain a PXE-based remote boot ROM to take advantage of the Remote OS Installation feature. The RIS boot disk simulates the PXE remote boot sequence and supports frequently used network cards.

What is an RIPrep image?

The Remote Installation Preparation (RIPrep) imaging option allows a network administrator to clone a standard corporate desktop configuration, complete with OS configurations, desktop customizations, and locally installed applications. After first installing and configuring the Windows 2000 Professional OS, its services, and any standard applications on a computer, the network administrator runs a wizard that prepares the installation image and replicates it to an available RIS server on the network for installation on other clients.

What is the CIW?

Users of a remote boot-enabled client use the Client Installation Wizard (CIW) to select installation options, OSs, and maintenance and troubleshooting tools. The wizard prompts the user for his or her user name, password, and domain name. After the user's credentials have been validated, the wizard displays the installation options that are available for the user. After the user selects an option, the selected OS installation image is copied to the client computer's local hard disk.

