My interesting

You are considering a pilot program for the rollout of the first service pack for Office 2003 in your organization. All of the workstations in your organization are running Windows XP Professional. Your organization has five departments. There is also a small IT unit with five staff members. Each department has its own OU within the Active Directory structure. 642-481  HP0-J23  MB6-817  350-018 Approximately 100 user accounts reside in each OU. Because the requirements for each department are different, each department’s OU has an individualized Group Policy Object applied. You want the pilot program to run for a month before you deploy Office 2003 Service Pack 1 across the rest of your organization. You want to make sure that all applications currently used in the organization are compatible with the service pack. Which of the following is the best suggestion for membership of the pilot program? 350-018  000-061

1. Create a lab with five different workstations running Windows XP. Add each of these workstations to the OU that corresponds to each department.

2. Select one user from each department to be a member of the pilot program.

3. Select five users from each department to be members of the pilot program.

4. Have each member of IT join a corresponding departmental OU. Deploy the service pack to each IT staff member’s system. Correct Answers: C   MB6-817  642-481  642-691 350-030

In your Windows Server 2003 350-030 functional level domain CONTOSO.COM, you have a domain global group named SUPERUSERS. A security template has been configured that specifies the membership of the SUPERUSERS group as Rooslan, Oksana, Kasia, Shan, and Mick. This security template also assigns the SUPERUSERS group a large number of administrative rights. 350-018 This security template has been imported into a GPO that is applied at the domain level and has been running perfectly for the past week. Today you get a call from your junior administrator who believes that he might have accidentally added the user accounts of Orin and Laherty to the SUPERUSERS group through the Active Directory Users and Computers console on the domain controller. You log on to the domain controller to check, and indeed these accounts have been added to the SUPERUSERS group. 642-481 Which of the following steps should you take to most easily return the membership of the SUPERUSERS group to the original five users listed in the restricted groups policy as quickly as possible?

1. From the command prompt on the domain controller, issue the GPUPDATE/FORCE command.

2. Delete Orin, Laherty, and Mick’s user accounts from the membership of the SUPERUSERS group.

3. Remove the GPO that is applied to the domain. Import the new security template into the Default Domain Policy GPO. MB6-817

4. Import the new security template back into the GPO that is applied to the domain.

5. From the command prompt on the domain controller, issue the SECEDIT/REFRESHPOLICY command.

   Correct Answers: A

   1. Correct When the membership of a restricted group is altered manually by someone adding new members to the group, those members will remain until a policy update is forced. You can accomplish this instantly by running 000-061 a GPUPDATE /FORCE from the command prompt. After this is done, the group membership will be returned to its proper state.

   2. Incorrect This will not solve the problem. Mick’s user account is also supposed to be a part of the SUPERUSERS group.

   3. Incorrect This step is not necessary; on the next Group Policy update the membership of the group will be returned to its proper state.  642-691

   4. Incorrect This will not change anything; the GPO already has the correct security settings. The membership of the group will be returned properly when the next Group Policy update occurs.

   5. Incorrect Although this technique would have worked with Windows 2000, in Windows Server 2003 SECEDIT /REFRESHPOLICY has been replaced by the GPUPDATE command.

000-061 Foley is planning the phased deployment of a new service pack for Windows XP Professional across the A. Datum Corporation organization. A. Datum Corporation has 700 users whose accounts are all contained within the default Users container of Active Directory directory service. 350-030 The 700 computer accounts of the systems that these users use are located in the default Computers container. The users are divided into four domain global security groups. The Engineers group has 400 members, the Sales group has 150 members, the Secretarial group has 100 members, and the Management group has 50 members. Employees at A. 642-691 Datum Corporation use their own workstations. In consultation with management, Foley has decided to split the deployment of the service pack into four phases. These phases are as follows: 642-524

• Phase One: 200 members of the Engineers group

• Phase Two: The rest of the Engineers group

• Phase Three: Sales group and Secretarial group

• Phase Four: Management group

Which of the following plans would allow Foley to carry out this phased deployment plan with the minimum of administrative effort? n10-003

1. Create two new global security groups: ENG-PH1 and ENG-PH2. Create a GPO that assigns the service pack in the Computer Configuration\Software Settings\Software Installation node. For Phase One, apply this GPO to the ENG-PH1 group. For Phase Two, apply this GPO to the MB6-817 group. For Phase Three, apply this GPO to the Sales and Secretarial groups. For Phase Four, apply this GPO to the Managers group.

2. Create two new global security groups: ENG-PH1 and ENG-PH2. Create a GPO that assigns the service pack in the User Configuration\Software Settings\Software Installation node. For Phase One, apply this GPO to the ENG-PH1 group. For Phase Two, apply this GPO to the ENG-PH2 group. For Phase Three, apply this GPO to the Sales and Secretarial groups. For Phase Four, apply this 642-481 GPO to the Managers group.

3. Create four new global security groups: Phase1, Phase2, Phase3, and Phase4. Add the computer accounts for the systems that the first 200 groups of engineers use to the Phase1 group. Add the computer accounts for the rest of the engineers’ systems to the Phase2 group. Add the computer accounts for the systems that the sales and secretarial groups use to the Phase3 350-018 group. Add the computer accounts for the systems that the managers use to the Phase4 group. Create a GPO that assigns the service pack in the User Configuration\Software Settings\Software Installation node. Assign this GPO to the default Users container, but in the Group Policy properties make sure that the Authenticated Users group does not have the Read and Apply Group Policy Allow check boxes checked. For each phase, add a security group and assign the Read and Apply Group Policy (allow) HP0-J23 permission.

4. Create four new global security groups; Phase1, Phase2, Phase3, and Phase4. Add the computer accounts for the systems that the first 200 groups of engineers use to the Phase1 group. Add the computer accounts for the rest of the engineers’ systems to the Phase2 group. 70-652 Add the computer accounts for the systems that the sales and secretarial groups use to the Phase3 group. Add the computer accounts for the systems that the managers use to the Phase4 group. Create a GPO that assigns the service pack in the Computer Configuration\Software Settings\Software Installation node. Assign this GPO to the default Users container, but in the Group Policy properties make sure that the Authenticated Users group does not have the Read and Apply Group Policy n10-003 Allow check boxes checked. For each phase, add a security group and assign the Read and Apply Group Policy (allow) permission.

5. Create four new organizational units called Phase1, Phase2, Phase3, and Phase4. Move the computer accounts for the systems that the first 200 engineers use to the Phase1 OU. Move the rest of the engineers’ computer accounts to the Phase2 OU. Move all the computer accounts for the systems that the Sales and Secretarial group use to the Phase3 OU. 642-524 Move all of the computer accounts for the systems that the managers use to the Phase4 OU. Create a new GPO named XPSP_DEPLOY. Configure the GPO so that it assigns the Windows XP service pack in the Computer Configuration\Software Settings\Software Installation node. For phase one, assign the XPSP_DEPLOY GPO to the Phase1 OU. For phase two of the deployment, assign the XPSP_DEPLOY GPO to the Phase2 OU. For phase three, assign the XPSP_DEPLOY GPO to the Phase3 OU. To finalize the deployment, assign the XPSP_DEPLOY GPO to the Phase4 OU. 70-630

You have created a domain local security group named IISADMINS in the single domain that is used at your organization. This group will be assigned special permissions and rights on your organization’s Web servers. You want to limit the membership of that group to four users: 70-630  Orin, Oksana, Kasia, and Shan. The computers running Windows Server 2003 that host the organization’s Web Servers have all been placed in an organizational unit named IISSERV. IISSERV is a child OU of the MEMBERSERV OU. There are three sites at your company: HQ, Branch One, and Branch Two. Two IIS servers are located at Branch One, three are located at HQ, and one is located at Branch Two. You have configured the restricted groups node of a security template as shown in the figure below. n10-003 The IISADMINS group has been assigned permissions only on the servers that are located within the IISSERV OU. Which of the following methods represents the best way of using this security template to meet your goal of limiting the membership of the IISADMINS group to the specified users?  642-524

1. Import the Restricted-Group-IISADMINS security template into the Default Domain GPO.

2. Import the Restricted-Group-IISADMINS security template into a GPO which you then apply to the IISSERV OU. HP0-J23

3. Create a GPO, import the Restricted-Group-IISADMINS security template, and apply the GPO to the IISADMINS group.

4. Log on to each IIS server locally and import the Restricted-Group-IISADMINS security template into the local Group Policy object.  642-481

   Correct Answers: B

   1. Incorrect Unless there is good reason to do otherwise, try to be as specific as possible when importing security templates. Because this template influences only servers in the IISSERV OU, this OU is the best place to apply a GPO that has had this template imported.  n10-003

   2. Correct This answer follows the principle of applying Group Policy objects as specifically as possible. Rather than all computers in the domain having to process this policy when it isn’t relevant, only member systems in the IISSERV OU will have to process it.  000-061

   3. Incorrect Group Policy objects cannot be applied to groups. They can be applied only to organizational units, sites, and domains.  70-652

   4. Incorrect The Restricted Groups node is not available in local Group Policy objects. This security template can only be used on policies applied at the site, domain, or organizational unit level.  MB6-817

You are planning a security template for an Internet Authentication Service (IAS) server that is to be located on your company’s perimeter network (also known as DMZ, 642-481 demilitarized zone, and screened subnet) LAN. Users will authenticate against the server with their domain accounts. The internal firewall has been configured to allow necessary traffic between the IAS server and the organization’s domain controllers. At present, you are considering which services the template should start automatically. The template will be configured so that all services that are not critical to the function of the IAS server will be disabled. Which of the following services is critical for the function of an IAS server? 642-524 (Select all that apply.)

1. Certificate Services

2. Background Intelligent Transfer Service

3. Distributed Link Tracking Server

4. Netlogon 350-018

5. IAS service

   Correct Answers: D and E

   1. Incorrect Certificate Services is critical for the function of a Certificate Server, but not for an IAS server. 70-630

   2. Incorrect The Background Intelligent Transfer Service is not used by an IAS server.

   3. Incorrect Distributed Link Tracking Server is used for tracking linked files across NTFS drives and has nothing to do with running an IAS server. n10-003

   4. Correct Netlogon maintains a secure channel between the IAS server and a domain controller so that authentication can occur against domain accounts.

   5. Correct The IAS Service forms the core of an IAS server’s functions, and hence is mandatory in any security template supporting the IAS server role. 642-691