Chapter 1

Question 1

Which are leaf objects? (Choose all that apply)

Answer 1

Computer account, Domain controller, Shared folder

Leaf objects don’t contain other AD objects. OU (Organizational Unit) is a container object.

Question 2

Default folder object created when AD is installed?

Answer 2

Computers

Cannot have a GPO linked to it. Domain Controllers is an OU, Groups is an account object, Sites are physical AD components.

Question 3

Which type of account is NOT in Active Directory?

Answer 3

Local user account

Stored in the SAM database on standalone Windows machines.

Question 4

Which are directory partitions? (Choose all that apply)

Answer 4

Domain directory, Schema directory, Configuration partition

Group policy is NOT a partition.

Question 5

Who manages adding, removing, renaming domains in a forest?

Answer 5

Domain Naming Master

Question 6

What do all domains in a forest share? (Choose all that apply)

Answer 6

Schema, Global catalog

Schema defines object types. Global catalog holds partial lists of objects for searches.

Question 7

Where is the schema master located?

Answer 7

First domain controller in the forest root domain

A forest-wide FSMO role.

Question 8

Where can a GPO be linked? (Choose all that apply)

Answer 8

Domains, Sites

Question 9

Which container has a default GPO linked to it?

Answer 9

Domain

Ensures a security baseline for objects and domain controllers.

Question 10

When are User Configuration policies applied?

Answer 10

At user logon

Question 11

Which are true about Organizational Units (OUs)?

Answer 11

OUs can be nested, A GPO can be linked to an OU.

OUs are not security principals and can’t be added to a DACL.

Question 12

How do you view OU permissions in ADUC?

Answer 12

Enable ‘Advanced Features’ in the View menu.

Question 13

How to delegate control of an OU?

Answer 13

Right-click the OU in ADUC → ‘Delegate Control’.

Question 14

What are the user account categories?

Answer 14

Local, Domain.

Question 15

What are the built-in user accounts?

Answer 15

Administrator, Guest.

Question 16

What is an invalid user account name?

Answer 16

Sam*Snead35 (asterisks are not allowed).

Question 17

Which are true for user accounts in a Windows Server domain?

Answer 17

1-20 character names, Unique in the domain.

Question 18

Which account options can’t be set together?

Answer 18

User must change password at next logon & Password never expires.

Question 19

Who can be in a global group?

Answer 19

User & Computer accounts (NOT universal or global groups from another domain).

Question 20

What is the best way to transition Jada’s account for a new hire?

Answer 20

Disable & rename Jada’s account, assign a new password.

Question 21

How to restrict Tom’s logon locations?

Answer 21

Use the ‘Log On To’ option in his account properties.

Question 22

How to block after-hours logins?

Answer 22

Set Logon Hours for their accounts.

Question 23

What is the best group scope for assigning permissions to resources?

Answer 23

Domain local (AGDLP best practice: Accounts → Global Groups → Domain Local Groups → Permissions).

Question 24

What are security principals?

Answer 24

User accounts, Computer accounts.

Question 25

What are valid group scopes?

Answer 25

Global, Domain local.

Question 26

What happens if a security group is converted to a distribution group?

Answer 26

It remains in the DACL but has no effect on permissions.

Question 27

Who can be in a universal group?

Answer 27

Global groups (any domain), Other universal groups.

Question 28

What is an allowed direct group scope conversion?

Answer 28

Domain local → Universal (if no domain local groups are members).

Question 29

What does a domain local group include?

Answer 29

Domain Users (default membership in AD).

Question 30

A domain user signing in belongs to which special identity group?

Answer 30

Authenticated Users (auto-assigned when logged in).

Question 31

What to do if a computer can’t sign in after months of inactivity?

Answer 31

Reset computer account, remove from domain, rejoin domain.

Question 32

What is a service account managed across multiple servers?

Answer 32

Group Managed Service Account (gMSA).

Question 33

What are the built-in service accounts?

Answer 33

Local System, Network Service.

Question 34

What are the benefits of managed service accounts?

Answer 34

System-managed passwords, No lockouts.

Question 35

What uniquely identifies a service instance to a client?

Answer 35

Service Principal Name (SPN).

Question 36

Before configuring a service to use an MSA, what must be done?

Answer 36

Run Install-ADServiceAccount on the target server.

Question 37

How to configure multiple servers to use the same service account?

Answer 37

Create a group, add servers to it, run New-ADServiceAccount.

Question 38

What is the simplest way to authenticate a local service without creating an account?

Answer 38

Use NT Service\ServiceName virtual account.

Question 39

What provides Azure AD integration with on-prem AD for seamless sign-in?

Answer 39

Azure AD, Cloud Sync, SSO.

Question 40

What allows users to sign in once and access multiple services?

Answer 40

Single Sign-On (SSO).

Question 41

What is a characteristic of Azure AD?

Answer 41

Multitenant.

Question 42

What to do if users can’t sign in to on-prem AD after changing their cloud password?

Answer 42

Configure password writeback.

Question 43

What Azure AD sign-in option requires an on-prem agent?

Answer 43

Pass-through authentication.

Question 44

Which Azure AD DS forest type syncs all objects and on-prem user accounts?

Answer 44

User forest.

Question 45

What provides a secure web-based connection to an Azure VM?

Answer 45

Bastion host.