Oksana should reconfigure the domain GPO and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation?. Edit the local GPO on each server and set the Unsigned
Trang 1Objective 1.3 Optimize Server Disk Performance 14-27
4 Oksana is looking at a report generated by the disk defragmenter of her system Her system contains two volumes The first volume is 100 GB and is mirrored on a second
100 GB disk The second volume is 400 GB and uses RAID-5 over five 100 GB disks The report that Oksana is examining was an analysis performed on the second volume rather than the first
Oksana is puzzled because there seems to be several sections on the second volume that are colored green Green in a defragmenter analysis represents unmovable files Oksana is puzzled because she believed that the only files that were unmovable for the disk defragmenter are located on the system or boot volumes What is the cause of the unmovable files listed on the defragmenter analysis of the second volume? (Select all that apply.)
A Oksana has mistakenly analyzed the first volume, which contains the boot and system files
B The page file has been located on the second volume
C Oksana has stored encrypted files on the second volume
D Oksana has stored compressed files on the second volume
E The NTFS change journal, stored on all NTFS volumes, is an unmovable file
5 Oksana has scheduled a command-line disk defragmentation job to take place at 2 A.M every Sunday on all Windows Server 2003 systems at her site This represents a perfect time to perform such a task because the amount of activity on any of the servers at this time is minimal Checking through the logs on a Monday morning, Oksana finds that the Sunday morning defragmentation did not occur on one of the volumes on one of the Windows Server 2003 servers Oksana logs onto the server from a remote desktop connection and checks the Disk Defragmenter in the Computer Management Console Oksana decides to wait until the end of business that day and try to run the defragmentation process again on this volume At 6:30 P.M she logs on from the remote desktop again and attempts to initiate a defragmentation of the problematic volume The process fails again What could be causing the failure, and which of the following steps should Oksana take to defragment this volume?
A The volume is failing to defragment because it is close to capacity A volume must have at least 15 percent of space free for the defragmentation process to begin
B The volume has been marked as dirty Oksana needs to run Chkdsk from the command line before she can defragment the volume successfully
C Oksana must take the volume offline manually to perform the defragmentation Once this is done, the disk will defragment normally
D Oksana needs to dismount the disk hosting the volume to perform a defragmentation Once this is done, the disk will defragment normally
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 214-28 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
6 You are the systems administrator for several small businesses One of the small businesses that you work for has reported that the performance of its server appears to be degrading The server is configured as follows:
Drive C Dynamic NTFS Mirrored 9%
Drive E Dynamic NTFS Striped 23%
Drive F Dynamic NTFS RAID-5 32%
Drive G Dynamic NTFS RAID-5 41%
On which of the Windows Server 2003 system volumes will Windows recommend that you run the defragmenter? (Select all that apply.)
Trang 3Objective 1.3 Optimize Server Disk Performance 14-29
Objective 1.3 Answers
1 Correct Answers: A, B, C, and E
A Correct: Disk mirroring provides no read/write benefit but does provide fault
tolerance
B Correct: RAID-5 must generate parity information while writing to the disks,
something that disk striping (RAID-0) does not need to do RAID-5 parity generation provides some latency, making this method slower than disk striping
C Correct: Disk spanning has similar performance to a simple volume whereas disk
striping is the quickest method of reading and writing to a volume
D Incorrect: Disk spanning has similar performance to a simple volume, disk strip
ing offers the best read/write performance
E Correct: In disk striping, data can be written to or read from multiple disks mak
ing up the volume at one time In a simple volume, only one disk can be written
to or read simultaneously
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 414-30 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
2 Correct Answers: F
A Incorrect: Rooslan achieved all the goals of the first team For the second team,
he achieved the first and second goals By choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information
B Incorrect: Rooslan achieved all the goals of the first team For the second team,
he achieved the first and second goals By choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information
C Incorrect: Rooslan achieved all the goals of the first team For the second team,
he achieved the first and second goals By choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information
D Incorrect: Rooslan achieved all the goals of the first team For the second team,
he achieved the first and second goals By choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information
E Incorrect: Rooslan achieved all the goals of the first team For the second team,
he achieved the first and second goals In choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 5Objective 1.3 Optimize Server Disk Performance 14-31
F Correct: Rooslan achieved all the goals of the first team For the second team, he
achieved the first and second goals In choosing to mirror, rather than stripe, the third volume, he did not create a volume of 240 GB with the fastest read/write speed The volume would have been 120 GB and would not have performed significantly better than a simple volume Rooslan achieved one goal of the third team He achieved the first goal, but by using RAID-5 instead of striping, he failed
to achieve the second The second volume would have been 360 GB rather than
480 GB as specified, the equivalent of one drive lost in storing parity information
3 Correct Answers: A, C, and D
A Correct: Disk 1 is a mirrored volume of a volume on Disk 0 No data will be lost
if this disk fails
B Incorrect: If disk 0 fails, data will be lost as any data that is not on the Datastore
volume, such as the boot volume, is not protected
C Correct: Disk 2 is part of a RAID-5 array, hence if disk 2 fails, parity information
can be used to regenerate the data
D Correct: Datastore is a mirrored volume compared to Archive on RAID-5, and
RAID-5 is faster than RAID-1 (mirroring)
E Incorrect: Datastore is a mirrored volume compared to Archive on RAID-5
RAID-5 is faster than RAID-1 (mirroring)
F Incorrect: Disk 3 is also part of the RAID-5 array; therefore, if Disk 3 fails, data
will not be lost
4 Correct Answers: B and E
A Incorrect: The question states clearly that it is the second volume, so Oksana is
not mistaken
B Correct: Page files are unmovable files and therefore are reported in green by the
disk defragmenter analyzer Similarly, the NTFS change journal, on NTFS volumes,
is also represented by the unmovable green
C Incorrect: Encrypted and compressed files are not unmovable
D Incorrect: Encrypted and compressed files are not unmovable
E Correct: Page files are unmovable files and therefore are reported in green by the
disk defragmenter analyzer Similarly, the NTFS change journal, on NTFS volumes,
is also represented by the unmovable green
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 614-32 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
5 Correct Answers: B
A Incorrect: If a disk has less than 15 percent of space left, the defragmentation
process will finish, but the disk will not be completely defragmented
B Correct: Disk defragmentation will fail only when a disk has errors If a disk has
errors, it is classified as “dirty” by the operating system The only way to change this state is to perform a Chkdsk operation on the disk and complete all required repairs
C Incorrect: Disks cannot be defragmented if they are taken offline
D Incorrect: Volumes cannot be defragmented if they are taken offline
6 Correct Answers: B, C, D, and E
A Incorrect: This figure is below the 10% threshold, so Windows will not recom
Trang 7Objective 1.4 Install and Configure Server Hardware Devices 14-33
An administrator may not wish to use only Microsoft-approved device drivers all the time Administrators can override any signing settings by manually setting this option
in the System Properties The options include Block, Warn, and Ignore Block disallows the installation of unsigned drivers, Warn allows the installation but produces a message that must be approved notifying the administrator that the user is about to install unsigned drivers, and Ignore produces no warning and simply installs the drives regardless of whether they have been digitally signed
The resources that a hardware device uses can be configured in the Device Manager by selecting the device and, from the Action menu, selecting Properties Newly installed hardware can sometimes conflict with other hardware on the system and these conflicts can best be resolved by adjusting resources such as I/O range and IRQ
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 814-34 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
Objective 1.4 Questions
1 Oksana has recently replaced Rooslan as the systems administrator of six Windows Server 2003 systems These six servers are stand-alone systems and not members of any domain Several weeks into her tenure, Oksana receives the go-ahead to buy a Digital Audio Tape (DAT) backup drive for each of the Windows Server 2003 systems
At a prescheduled time she brings the servers down and installs the new hardware When all the servers have been brought up, Oksana logs on to each and is confronted
by the Add New Hardware Wizard She begins the process of installing the software for the new hardware but finds that the process fails because the driver cannot be installed Oksana then investigates the driver signing setting in the System Properties The driver signing option is set to Block with the other options dimmed Although the drivers have not been digitally signed by Microsoft, Oksana has decided that she wants
to use them and that they will pose no problems to the stability of the servers that she administers Which of the following actions can Oksana take to allow the installation of unsigned drivers on all six of these Windows Server 2003 systems? (Select all that apply.)
A Oksana should reconfigure the domain GPO and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
B Oksana should reconfigure the local GPO and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
C Oksana should check the Administrator Option / Make This Action The System Default check box in the Driver Signing Options dialog box, accessible from the System Properties This will enable her to switch the option from Block to Warn
D Oksana should reconfigure the GPO assigned to the site that the servers are set up
in and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
E Oksana should reconfigure the GPO applied to the OU that the servers are members of and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 9Objective 1.4 Install and Configure Server Hardware Devices 14-35
2 You are a systems administrator at a medium-sized organization You maintain a test lab of five Windows Server 2003 systems that are all members of your organization’s single domain Because the organization has had trouble in the past with some users with sufficient privileges installing unsigned drivers on the system the default domain GPO has been configured to block the installation of all unsigned drivers on computers that are members of the domain The domain GPO also blocks access for all users to the System Properties and hides all icons on the desktop Until recently this was unproblematic; however you have just received a new batch of high-performance net-work cards that you wish to test on your lab servers These high performance network cards ship with drivers that have not been digitally signed by Microsoft Because you cannot access the System Properties you cannot override the default domain GPO setting that blocks the installation of unsigned drivers Which of the following methods allows you to override the default domain GPO and change the setting on your lab servers to Warn but not change the overall setting for other computers in your domain?
A Edit the local GPO on each server and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
B Edit the GPO applied to the site in which the servers in your lab reside and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
C Create a new organizational unit called Mylab Move the computer accounts for the Windows Server 2003 systems in to the Mylab OU Create a GPO that sets the Unsigned Driver Installation Behavior policy to Warn But Allow Installation and apply it to the Mylab OU
D Edit the Domain GPO and set the Unsigned Driver Installation Behavior policy to Warn But Allow Installation
E Create a group and put your user account in this group Create a GPO that sets the Unsigned Driver Installation Behavior policy to Warn But Allow Installation and apply this GPO to the newly created group
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 1014-36 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
3 You are the part-time systems administrator for a small desktop publishing business There is a Windows Server 2003 stand alone at your office You have recently come into possession of a legacy fax board, a device that allows multiple faxes to be sent and received at the same time You install the board on the Windows Server 2003 system but discover that it does not work You examine the Device Manager and notice that a yellow warning with a black exclamation mark sits beside the fax board icon You suspect that there is an IRQ conflict with another device on this same system, a legacy RAID controller Which of the following describes the correct method of altering the fax board’s configuration so that there is no IRQ conflict between the legacy fax board and the legacy RAID controller?
A Select the RAID controller in the Device Manager From the Action menu, select Properties Select the Resources Tab, and then clear the Use Automatic Settings check box Select the IRQ and click Change Settings Scroll through the IRQs until you find one that does not conflict with any others Click OK and then restart the server
B Select the fax board in the Device Manager From the Action menu, select Properties Select the Resources tab, and then clear the Use Automatic Settings check box Select the IRQ and click Change Settings Scroll through the IRQs until you find one that does not conflict with any others Click OK and then restart the server
C Select the RAID controller in the Device Manager From the Action menu, select Properties Select the Resources tab, and then clear the Use Automatic Settings check box Select the I/O Range and click Change Settings button Scroll through the I/O Range until you find one that does not conflict with any others Click OK and then restart the server
D Select the fax board in the Device Manager From the Action menu, select ties Select the Resources tab, and then clear the Use Automatic Settings check box Select the I/O Range and click Change Settings Scroll through the I/O Range until you find one that does not conflict with any others Click OK and then restart the server
Proper-E Select the RAID controller in the Device Manager From the Action menu, select Properties In the Device Usage drop-down list on the General tab, select Do Not Use This Device (Disable)
F Select the fax board in the Device Manager From the Action menu, select ties In the Device Usage drop-down list on the General tab, select Do Not Use This Device (Disable)
Proper-Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 11Objective 1.4 Install and Configure Server Hardware Devices 14-37
4 You have recently installed three legacy network cards on a Windows Server 2003 member server Two of the network cards are working properly, but a third appears to
be conflicting with another device on your system How can you determine which other device on the system is conflicting with the third network card?
A Run the Device Manager and look for another device with a yellow and black exclamation mark beside it
B View the application log and look for an entry that describes the device with which the network card conflicts
C Run the Device Manager and select the network card that has the yellow and black exclamation mark beside it From the Action menu, select Properties On the Resources tab, clear the Use Automatic Settings check box A conflicting device list will be displayed with the resources that conflict
D Run the Hardware Troubleshooting Wizard and select Resolve All Device Conflicts
E Run the Hardware Troubleshooting Wizard and select Report On All Device Conflicts
5 You would like to view a list of devices connected to your Windows Server 2003 system listed numerically by IRQ Which of the following methods could you use to do this? (Select all that apply.)
A Use the Device Manager and from the View menu, select Resources By Connection
B Use the Device Manager and from the View menu, select Resources By Type
C Use the Device Manager and from the View menu, select Devices By Connection
D Use the Device Manager and, from the View menu, select Devices By Type
E This cannot be done
6 You have two modems connected to a Windows Server 2003 system that are used to create a multilink connection to a remote site using on-demand routing You have found that the line quality to the remote site is not particularly high and you want to modify the port speed of both modems Which of the following administrative tools would you use to do this?
A
B
C Use the Routing And Remote Access console to adjust the modem speed
D Right-click on My Network Places and select Properties Edit the properties of the multilink connection to the remote site and reduce the connection speed
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 1214-38 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
7 You are the systems administrator for a small agricultural college One of the problems that you have encountered is students installing different devices on their Windows XP Professional workstations in their dormitory rooms The college allows only Windows XP Professional workstations that it has leased to the students to join the dormitory net-work This allows administration to restrict the students from engaging in undesirable activities such as peer-to-peer (P2P) file sharing
Your group within the college is responsible for maintaining these workstations After analyzing the amount of time that your group spends supporting the workstations, it has been found that 30 percent of the time goes to repairing faults caused by the installation of unsigned device drivers You would like to prevent unsigned device drivers from being installed on the dormitory room workstations Which of the following methods will achieve this goal without altering the settings on any other computers within the domain?
A Move all computer accounts for dormitory room workstations into a newly created organizational unit named Dormwkstn Create a GPO that sets the Unsigned Driver Installation Behavior policy to Warn But Allow Installation Apply this GPO
to the Dormwkstn OU
B Create a group named Dormwkstn and add all computer accounts for dormitory room workstations to this group Create a GPO that sets the Unsigned Driver Installation Behavior policy to Warn But Allow Installation Apply this GPO to the Dormwkstn group
C Create a group named Dormwkstn and add all dormitory room user accounts to this group Create a GPO that sets the Unsigned Driver Installation Behavior policy
to Warn But Allow Installation Apply this GPO to the Dormwkstn group
D Move all computer accounts for dormitory room workstations into a newly created organizational unit named Dormwkstn Create a GPO that sets the Unsigned Driver Installation Behavior policy to Do Not Allow Installation Apply this GPO to the Dormwkstn OU
E Create a group named Dormwkstn and add all computer accounts for dormitory room workstations to this group Create a GPO that sets the Unsigned Driver Installation Behavior policy to Do Not Allow Installation Apply this GPO to the Dormwkstn group
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 13Objective 1.4 Install and Configure Server Hardware Devices 14-39
Objective 1.4 Answers
1 Correct Answers: B and C
A Incorrect: All six of the Windows Server 2003 server systems are stand-alones
and not members of any domain Editing GPOs applied to any domain has no influence on these servers because they are not affected by external GPOs
B Correct: The other options are dimmed because the Administrator Option / Make
This Action The System Default check box is not selected Selecting the check box means that any change is instantly reflected in the local GPO The local GPO can also be edited without selecting this check box to obtain the same result
C Correct: The other options are dimmed because the Administrator Option / Make
This Action The System Default check box is not selected Selecting the check box means that any change is instantly reflected in the local GPO The local GPO can also be edited without selecting this check box to obtain the same result
D Incorrect: All six of the Windows Server 2003 server systems are stand-alones
and not members of any domain Editing GPOs applied to any domain or site has
no influence on these servers because they are not affected by external GPOs
E Incorrect: All six of the Windows Server 2003 server systems are stand-alones
and not members of any domain Editing GPOs applied to any domain has no influence on these servers because they are not affected by external GPOs
2 Correct Answers: C
A Incorrect: Local GPOs are overridden by Site, Domain, and Organizational Unit
GPOs Because the GPO in question is applied at the Domain level, it will have precedence over the Local GPO settings
B Incorrect: Local GPOs are overridden by Site, Domain, and Organizational Unit
GPOs Because the GPO in question is applied at the Domain level it will have precedence over the Site GPO settings
C Correct: By creating an OU and moving the specific computer accounts in the
test environment into the OU, a group policy can be applied that will influence only these specific systems As Group Policy applied at the OU level overrides that applied at the Site or Domain level, a policy applied to the OU level on driver signing will override the default domain GPO for computers that are members of this OU
D Incorrect: This will change the settings for all computers in the domain, which
was forbidden in the question setup
E Incorrect: GPO cannot be applied directly to groups; GPO can apply only to
Sites, Domains, Organizational Units, and Locally Groups can be used to modify which users in a Site, Domain, or OU the GPO applies do
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 1414-40 Chapter 14 Managing and Maintaining Physical and Logical Devices (1.0)
3 Correct Answers: B
A Incorrect: This alters the RAID controller configuration, not the fax board config
uration The question asked how the fax board configuration should be altered
B Correct: The first thing to do is make sure that the IRQ, rather than the I/O on
the fax board is adjusted While the settings are adjusted, the dialog will display any other conflicts that might arise Keep altering the IRQ setting until a free IRQ
is found There is no point stopping a conflict between a fax board and a RAID controller if it leads to a conflict between the fax board and another device
C Incorrect: This answer configures the wrong hardware device and the wrong
resource setting (I/O as opposed to IRQ)
D Incorrect: This answer configures the wrong resource setting (I/O as opposed to
IRQ)
E Incorrect: This action merely disables the device; it does not resolve the conflict
Disabling the RAID controller will also not be helpful for maintaining a stable server
F Incorrect: This action merely disables the device; it does not resolve the conflict
4 Correct Answers: C
A Incorrect: Because the other device is working, it has taken precedence over the
third network card It will have no outward appearance of having any problems
B Incorrect: If a conflict was logged, it would be logged in the system log rather
than the application log
C Correct: By examining the Resources tab on the Device Properties dialog box,
you can generate a list of all devices that have resources that conflict with the particular device in which you are interested From here you can decide also if you want to configure a device manually to use different resources or, if that is not possible, check the properties of the conflicting device to see if its resources can
be changed
D Incorrect: This option does not exist from the Hardware Troubleshooting
Wizard
E Incorrect: This option does not exist in the Hardware Troubleshooting Wizard
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 15Objective 1.4 Install and Configure Server Hardware Devices 14-41
5 Correct Answers: A and B
A Correct: A list of devices by IRQ can be generated by viewing resource by con
nection or by type in Device Manager To locate the IRQ number for a particular device in other views, the specific device properties must be viewed
B Correct: A list of devices by IRQ can be generated by viewing resource by con
nection or by type in Device Manager To locate the IRQ number for a particular device in other views, the specific device properties must be viewed
C Incorrect: This option does not sort by IRQ
D Incorrect: This option does not sort by IRQ
E Incorrect: A list of devices by IRQ can be generated by viewing resource by con
nection or by type in Device Manager To locate the IRQ number for a particular device in other views, the specific device properties must be viewed
6 Correct Answers: B
A Incorrect: Modem port speeds cannot be adjusted using the Device Manager
B Correct: Because the modem speeds need to be adjusted for several connections
the best option is to edit the modem properties using Phone And Modem Options
in Control Panel
C Incorrect: The Routing And Remote Access MMC cannot be used to adjust the
modem port speed
D Incorrect: Network Connections (accessible through the My Network Places
properties or Control Panel) cannot be used to adjust the modem port speed
7 Correct Answers: D
A Incorrect: This option allows the installation of unsigned drivers rather than
blocking it
B Incorrect: GPOs cannot be applied to distribution or security groups
C Incorrect: GPOs cannot be applied to distribution or security groups
D Correct: GPOs can be applied to sites, domains, and organizational units There
is also a GPO that can be edited and applied locally The policy must be set to Do Not Allow Installation
E Incorrect: GPOs cannot be applied to distribution or security groups
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 17Creation of these user, group, and computer accounts can be done manually through tools provided in the Microsoft Windows Server 2003 interface, or automated through command-line tools or scripts The methods of creating user, group, and computer accounts are important to success on the exam
Related to the creation and management of user, group, and computer accounts are the granting of permissions appropriate to the level of access needed, and the management of data related to the account, such as logon scripts and user profiles
Testing Skills and Suggested Practices
The skills that you need to master the Managing Users, Computers, and Groups objec
tive domain on Exam 70-290: Managing and Maintaining a Microsoft Window Server
2003 Environment include
■ Manage local, roaming, and mandatory user profiles
❑ Practice 1: Configure a roaming profile for secure access Set the permissions
on an individual profile folder for that user Make sure that no other users have access to the data, and that users can log on and use their profile data successfully
❑ Practice 2: Change the configuration of the roaming profile to make it mandatory Groups of users sharing a profile should not be able to change it To
do this rename the shared profile from Ntuser.dat to Ntuser.man Using a mandatory profile does not limit the ability of users who share the profile from creating, modifying, or deleting application data files within the profile folder structure
15-1 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 1815-2 Chapter 15 Managing Users, Computers, and Groups (2.0)
■ Create and manage computer accounts in an active directory environment
❑ Practice 1: Use the Active Directory User And Computers MMC to create two new computer accounts within the domain
❑ Practice 2: Join a new Windows XP workstation to the Windows Server 2003 domain Examine Active Directory Users And Computers and note that the new computer account is added to the directory
■ Create and manage groups
❑ Practice 1: Use manual methods to create user, group, and computer accounts Use the Active Directory Users And Computers MMC snap-in, and the Directory Service command-line tools to create user, group, and computer accounts Modify the properties of user accounts and test the effect of various property changes Use the System Properties interface at a desktop computer
to join computers to the domain
❑ Practice 2: Use automated methods to create user, group, and computer accounts
❑ Practice 3: Place users, groups, and computers as members of a group Use both interface-based and command-line tools
❑ Practice 4: Identify group membership in a complex group hierarchy Use the Directory Service command-line tools to do bulk analysis
■ Create and manage user accounts
❑ Practice 1: Create four different user accounts using the Active Directory Users And Computers MMC
❑ Practice 2: Create a single user account using the Active Directory Users and Computers MMC Configure specific settings for the user’s logon hours and group membership Create three similar accounts using the copy command
■ Troubleshoot computer accounts
❑ Practice 1: Create a computer account in the Active Directory Users and Computers MMC In the dialog box alter the group that can add the computer to the domain from the Domain Admins group to the Users group
❑ Practice 2: In the Active Directory Users and Computers MMC locate a test Windows XP computer account that has recently been joined to the domain Using the Action menu, Disable the computer account Try to use this computer to gain access to the domain
■ Troubleshoot user accounts
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 19Chapter 15 Managing Users, Computers, and Groups (2.0) 15-3
❑ Practice 1: Modify the Default Domain GPO and alter the Account Lockout threshold to three attempts Log on with incorrect credentials to a Windows Server 2003 domain with a normal user account until the account is locked Use the Active Directory Users and Computers MMC to re-enable the account
❑ Practice 2: Reset the password on a user account and configure the account to force the user to change their password to one of their own the next time that they log on
■ Troubleshoot user authentication issues
❑ Practice 1: Edit the default domain policy GPO to change the password policies Configure the Account Lockout Threshold policy to three invalid logon attempts Set the Account Lockout Duration policy to 30 minutes
❑ Practice 2: Edit the default domain policy GPO to change the password policies Set the Enforce Password History policy to 10 passwords Set the Mini-mum Password Age policy to 2 days Set the Minimum Password Length policy to 10 characters
Further Reading
This section contains a list of supplemental readings divided by objective If you feel you need additional preparation before taking the exam, study these sources thoroughly
Objective 2.1 Review Chapter 3, “User Accounts,” which focuses on the creation and
management of user accounts and user profiles
Review Chapter 4, “Group Accounts,” which contains additional information on automated creation of groups, group type and scope, and nesting groups
Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit Volume: Designing a Managed Environment Redmond, Washington: Microsoft Press, 2003 This volume can be found on the Microsoft Web site at: http://www.microsoft.com /windowsserver2003/techinfo/reskit/deploykit.mspx
Objective 2.2 Review Chapter 5, “Computer Accounts,” which contains information about creating computer accounts through manual and automated means, various methods of joining the computer accounts to a domain, and resetting the pass-word on a computer account
Microsoft Corporation Windows Server 2003 Help and Support Center Review
“Manage Computers.”
Objective 2.3 Review Chapter 4, “Group Accounts,” which focuses on the creation
and management of user accounts and user profiles
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 2015-4 Chapter 15 Managing Users, Computers, and Groups (2.0)
Microsoft Corporation Windows Server 2003 Help and Support Center: “Managing
Domain Users and Groups: Using Groups.”
Objective 2.4 Review Chapter 3, “User Accounts,” which focuses on the creation and
management of user accounts and profiles
Microsoft Corporation Windows Server 2003 Help and Support Center: Managing
Domain Users and Groups: User and Computer Accounts
Objective 2.5 Review Chapter 5, “Computer Accounts,” which contains information
about creating computer accounts through manual and automated means, various methods of joining the computer accounts to a domain, and resetting the pass-word on a computer account
Microsoft Corporation Windows Server 2003 Knowledge Base article 325850:
“How to Use netdom.exe to Reset Machine Account Passwords of a Windows Server 2003 Domain Controller.”
Objective 2.6 Review Chapter 3, “User Accounts,” which describes some techniques
for troubleshooting user of user accounts
Microsoft Corporation Windows Server 2003 Help and Support Center: Managing
Domain Users and Groups: User and Computer Accounts
Objective 2.7 Review Chapter 3, “User Accounts,” which focuses on the creation and
management of user accounts and profiles
Microsoft Corporation Windows Server 2003 Help and Support: Managing Domain
Users and Groups: User and Computer Accounts
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 21Objective 2.1 Manage Local, Roaming, and Mandatory User Profiles 15-5
pro-on the user’s account Redirected profiles can be stored in any network locatipro-on, and are considered roaming profiles when a network profile location is assigned to the user Roaming profiles can be accessed from any computer to which the user can log
on, and the profile will be loaded for use on the local computer If a roaming profile
is configured as mandatory, no changes to the profile made by the user can be saved This makes practical use of the profile by more than one user possible
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 2215-6 Chapter 15 Managing Users, Computers, and Groups (2.0)
Objective 2.1 Questions
1 Your company has placed 35 computers in various locations throughout the building to allow access to company information when an employee is away from his or her desk-top computer These computers are used to check e-mail, to read corporate news and access policy information on the company’s intranet
You want to make it possible for a user at one of these shared computers to change his
or her desktop settings, and to have these desktop settings apply to any of the other shared computers
What should you do?
A Configure a mandatory profile and assign it to each user in the domain
B Configure a mandatory profile and assign it to each shared computer
C Configure a roaming profile and assign it to each user in the domain
D Configure a roaming profile and assign it to each shared computer
2 You have been given the responsibility for maintaining user accounts, user profiles, and user access to resources on your network Currently, all users share a single profile
on the network, which allows for easy addition and deletion of objects to the users’ desktops, but also allows for desktop changes to be made and saved by the users You want to retain the ability to centrally manage user’s desktops, but want to prohibit changes to desktop settings by the users
What should you do?
A Configure the permissions on the profile folder’s Security property sheet to deny write permission
B Configure the permissions on the profile folder’s Sharing property sheet to allow only read permission
C Modify the attributes of the profile folder to specify the Read Only attribute
D Modify the file name of Ntuser.dat in the profile folder to Ntuser.man
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 23Objective 2.1 Manage Local, Roaming, and Mandatory User Profiles 15-7
3 Your company has been using roaming profiles for members of the Sales and Information Technology departments for the last 10 months The profile data is stored on a member-server running Microsoft Windows Server 2003 The file system in use on the volume on the server hosting the profiles is FAT32 The share hosting the profiles is called Profshare Profile paths are correctly configured in each user’s properties Recently you have found that some users are able to access the data located in other’s profiles You want to secure the roaming user profiles on your network such that only the user logging on to the profile will have access to the data contained within it What should you do? (Choose two; each answer is part of the complete solution.)
A Assign Read and Write permission on the folder where the profiles are stored to only those users who store roaming profiles
B Configure Server Message Block (SMB) signing on the server where the profiles are stored
C Configure Server Message Block (SMB) signing on each computer that uses roaming profiles
D Convert the volume where the profiles are stored to NTFS
E Configure Encrypting Files System (EFS) to encrypt the folder where the profiles are stored
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 2415-8 Chapter 15 Managing Users, Computers, and Groups (2.0)
4 You are the administrator of a company that has decided to place computers in the lobby for access to public company information Members of the Sales department need to be able to log on to these computers with their Domain user credentials for client demonstrations, and public users will use the Guest account
Members of the Sales department, whose desktop computers and user accounts are contained in the Sales Organizational Unit (OU), are configured to use roaming pro-files The shared computers in the lobby are contained in the Lobby OU
You do not want the Sales users’ desktop computer profiles to be used when they log
on to one of the shared, lobby computers All users of the lobby computers should have the same desktop without the ability to save changes
What configuration changes must you make? (Choose three; each answer represents a partial solution.)
A Configure a local profile after logging on as Guest on one of the computers in the lobby Copy it to the Default User folder Repeat this process on each computer in the lobby
B Configure a local profile on one of the computers in the lobby Copy it to the Default User folder in the directory on the server that contains the roaming profiles
C Create a Group Policy Object (GPO) linked to the Sales OU Enable the Only Allow Local User Profiles Computer Configuration policy
D Create a GPO linked to the Lobby OU Enable the Only Allow Local User Profiles Computer Configuration policy
E Change the file name of Ntuser.dat to Ntuser.man in the Default User folder on each computer in the lobby
F Change the file name of Ntuser.dat to Ntuser.man in the Default User folder in the directory on the server that contains the roaming profiles
G Instruct each salesperson to log on and log off of each lobby computer Copy the contents of the Default User folder on each lobby computer to each user profile directory
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Trang 25Objective 2.1 Manage Local, Roaming, and Mandatory User Profiles 15-9
Objective 2.1 Answers
1 Correct Answers: C
A Incorrect: Mandatory profiles do not allow any alterations to desktop settings
made by the user to be retained
B Incorrect: A mandatory profile does not allow for changed settings to be saved
Additionally, profiles are assigned to users, not computers
C Correct: A roaming user profile allows for settings for any user configured with
a roaming profile to have those settings applied at other computers on which they log on
D Incorrect: Profiles are assigned to users, not computers
2 Correct Answers: D
A Incorrect: This action will cause the loading of the profile to fail, as read/write
access to the profile is required when the profile is loaded
B Incorrect: This action will cause the loading of the profile to fail, as read/write
access to the profile is required when the profile is loaded
C Incorrect: This action will cause the loading of the profile to fail, as read/write
access to the profile is required when the profile is loaded
D Correct: This action will allow for proper opening of the profile but will prohibit
any changes made by the user from being saved upon logoff
3 Correct Answers: A and D
A Correct: This action will allow only users who are configured to have roaming
profiles (the Sales and IT departments) to read data contained in a roaming user profile All other users will be denied access This can only be accomplished once the file system on the volume hosting the profile data is moved to NTFS FAT32 cannot be configured for individual permissions
B Incorrect: This action will, partially, ensure the integrity of any packet transmit
ted across the network, but will not prohibit access by unauthorized personnel when saved to disk
C Incorrect: This action will, partially, ensure the integrity of any packet transmit
ted across the network, but will not prohibit access by unauthorized personnel when saved to disk
D Correct: This action will allow for discretionary access control of the profiles as
they are saved to disk on the server The existing FAT32 file system would not allow such permissions to be set
E Incorrect: Roaming profile data cannot be encrypted by the server
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.