My interesting

In your Windows Server 2003 350-030 functional level domain CONTOSO.COM, you have a domain global group named SUPERUSERS. A security template has been configured that specifies the membership of the SUPERUSERS group as Rooslan, Oksana, Kasia, Shan, and Mick. This security template also assigns the SUPERUSERS group a large number of administrative rights. 350-018 This security template has been imported into a GPO that is applied at the domain level and has been running perfectly for the past week. Today you get a call from your junior administrator who believes that he might have accidentally added the user accounts of Orin and Laherty to the SUPERUSERS group through the Active Directory Users and Computers console on the domain controller. You log on to the domain controller to check, and indeed these accounts have been added to the SUPERUSERS group. 642-481 Which of the following steps should you take to most easily return the membership of the SUPERUSERS group to the original five users listed in the restricted groups policy as quickly as possible?

1. From the command prompt on the domain controller, issue the GPUPDATE/FORCE command.

2. Delete Orin, Laherty, and Mick’s user accounts from the membership of the SUPERUSERS group.

3. Remove the GPO that is applied to the domain. Import the new security template into the Default Domain Policy GPO. MB6-817

4. Import the new security template back into the GPO that is applied to the domain.

5. From the command prompt on the domain controller, issue the SECEDIT/REFRESHPOLICY command.

   Correct Answers: A

   1. Correct When the membership of a restricted group is altered manually by someone adding new members to the group, those members will remain until a policy update is forced. You can accomplish this instantly by running 000-061 a GPUPDATE /FORCE from the command prompt. After this is done, the group membership will be returned to its proper state.

   2. Incorrect This will not solve the problem. Mick’s user account is also supposed to be a part of the SUPERUSERS group.

   3. Incorrect This step is not necessary; on the next Group Policy update the membership of the group will be returned to its proper state.  642-691

   4. Incorrect This will not change anything; the GPO already has the correct security settings. The membership of the group will be returned properly when the next Group Policy update occurs.

   5. Incorrect Although this technique would have worked with Windows 2000, in Windows Server 2003 SECEDIT /REFRESHPOLICY has been replaced by the GPUPDATE command.

This entry was posted on Tuesday, February 24th, 2009 at 4:22 am and is filed under IT certification. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.