Chapter 2 Flashcards

1
Q

You are the administrator of the westsim.com Active Directory domain.
You delegate administration of the Sales OU and Research OU to other administrators. You want to prevent
the administrators of those OUs from creating any other Group Policy objects with settings that conflict with
those you have configured for the domain.
What should you do?

Distribute a Group Policy object to the westsim.com domain that disables the Block Inheritance option.
In Group Policy objects linked to the westsim.com domain, set the Enforced option.
In Group Policy objects linked to the Sales OU and Research OU, set the Enforced option.
Distribute a Group Policy object to the Sales OU and Research OU that disables the Block Inheritance option.
Enable the Block Inheritance option for the westsim.com domain.

A

In Group Policy objects linked to the westsim.com domain, set the Enforced option.

2
Q

You are the administrator for a network with a single Active Directory domain named widgets.local. The
widgets.local domain has an Organizational Unit object for each major department in the company,
including the Information Systems department. User objects are located in their respective departmental
OUs. Users who are members of the Domain Admins group belong to the Information Systems department.
However, not all employees in the Information Systems department are members of the Domain Admins
group.
To simplify employees’ computing environment and prevent problems, you link a Group Policy object (GPO)
to the widgets.local domain that disables the Control Panel for users. You do not want this Group Policy
object to apply to members of the Domain Admins group.
What should you do?

On the Group Policy object’s access control list, deny the Read permission for members of the Domain Admins group.
Link the Group Policy object to each organizational unit rather than to the domain.
On the Group Policy object’s access control list, deny the Apply Group Policy permission for members of the Domain Admins group.
Configure the Information Systems OU to block policy inheritance.

A

On the Group Policy object’s access control list, deny the Apply Group Policy permission for members of the Domain Admins group.

3
Q

You are a domain administrator for a single-domain network. The domain has several organizational units
(OUs) representing each department in the organization. You have delegated complete administration for
each OU to appropriate users in each department. You have made these users members of the Group Policy
Creator Owners group.
You create a Group Policy object (GPO) named Corporate Desktop that configures the desktop environment
for users in the company. You link the GPO to the domain.
Later, you discover that some of the settings are not being applied to users in the Development department.
How can you make sure that all settings in the Corporate Desktop GPO get applied to all users in the
company?

Configure the Enforced option for the Corporate Desktop GPO.
Grant users in the Development department the Read and Apply Group Policy permissions to Development department.
Grant users in the Development department the Read and Apply Group Policy permissions to the Corporate Desktop GPO.
Grant users in the Development department the Read and Apply Group Policy permissions to the domain.
Deny all users the Write permission to the Corporate Desktop GPO.

A

Configure the Enforced option for the Corporate Desktop GPO.

4
Q

You are the administrator for WestSim Corporation. The network has a single domain, westsim.com,
running at Windows Server 2008 functional level. Five domain controllers, all running Windows Server 2012
R2, are located on the network.
Users in the Shipping department have a special software program that helps them keep track of incoming
products and match the SKU number with items in the order database. You have created an OU called
Shipping and have placed all computers and users for that department into the OU. You create a software
GPO called SKUWare that publishes the software to all users in the department. All manager user objects
have been placed in an OU called Managers.
The shipping manager logs on to one of the computers in the shipping department. He calls you because the
software package is not available to install on the workstation. You need to make the software package
available so he can install it. You want to make sure that anyone else who logs on to any workstation in the
shipping department can install the software.
What should you do?

Modify the SKUWare GPO to publish the software to computers.
Link the SKUWare GPO to the Managers OU.
Link the SKUWare GPO to the domain.
Enable loopback processing in the SKUWare GPO.

A

Enable loopback processing in the SKUWare GPO.

5
Q

Your network consists of a single Active Directory domain. The OU structure of the domain consists of a
parent OU named HQ_West, and child OUs of Research, HR, Finance, Sales, and Operations.
You also want to ensure that all client computers have strong password policies applied, and that an
administrator is required to unlock locked user accounts for the Research and Human Resources departments.
You create a Group Policy Object named DefaultSec, which applies security settings that are required for all
users and computers. You create a second GPO named HiSec, which has the security settings that are
required by the HR and the Research departments. Both GPOs use custom security templates.
How should you link the GPOs to the OUs? (Select three.)

Configure password policies on a GPO linked to the HQ_West OU.
Link HiSec to the HR and Research OUs.
Link DefaultSec to each child OU.
Link HiSec to each child OU.
Configure password policies on a GPO linked to the domain.
Link HiSec to the HQ_West OU.
Link DefaultSec to the HQ_West OU.

A

Link HiSec to the HR and Research OUs.
Configure password policies on a GPO linked to the domain.
Link DefaultSec to the HQ_West OU.

6
Q

You are the network administrator for westsim.com. The network consists of a single domain. All the servers
run Windows Server 2012 R2. All the clients run Windows 8. There is a main office located in New York and a
branch office located in Los Angeles.
You have been directed to set up wireless access for clients in the New York office. You create a new Group
Policy Object (GPO) that specifies the wireless network settings for the New York office and link it to the New
York site. Users from the Los Angeles office complain that when they travel to New York they are unable to
connect to the wireless network in New York. You need to enable the traveling users to connect to the
wireless network.
What should you do?

Change the network type for the wireless network to ad hoc.
Change the authentication protocol on the wireless networks to WPA2-Enterprise.
Direct the visiting users to first connect to the New York network using a wired connection to receive the wireless network settings.
Enable the Connect automatically when this network is in range option on the wireless network in the GPO.

A

Direct the visiting users to first connect to the New York network using a wired connection to receive the wireless network settings.

7
Q

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for
each company department. User and computer accounts for each department have been moved into their
respective departmental OUs.
From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO
to the Sales OU.
You need to make some modifications to the GPO settings from the server console. However, when you open
the GPO, the custom Administrative Template settings are not shown.
What should you do?

Right-click the Security Settings node and select Import Policy….
Install PowerShell on the server.
On the Administrative Template node, right-click the node and choose Add/Remove Templates…. Browse and select the .admx file to add.
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.

A

Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.

8
Q

You are the network administrator for eastsim.com. The network consists of a single Active Directory
domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. The company has a main
office in New York and several international locations including facilities in Germany and France.
You have been asked to build a domain controller that will be deployed to the eastsim.com office in
Germany. The network administrators in Germany plan to use Group Policy Administrative Templates to
manage Group Policy in their location. You need to install the German version of the Group Policy
Administrative Templates so they will be available when the new domain controller is deployed to Germany.
What should you do?

Copy the German .ADMX files to the appropriate directory in the SYSVOL on a local domain controller.
Copy the NTDS.dit file to the appropriate directory in the SYSVOL on a local domain controller.
Copy the German .ADM files to the appropriate directory in the SYSVOL on a local domain controller.
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.

A

Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.

9
Q

You need to add Spanish language support for your administrative templates to a Windows Server 2012 R2
system.
Which administrative template component consists of language-dependent files that provide localized
information when viewing template settings in the GPO?

.adml files
.admx files
ntds.dit files
.adm files

A

.adml files

10
Q

You need to add administrative templates for Microsoft Office products to a Windows Server 2012 R2 server.
Where should the .admx and .adml files be copied to do this?

C:\PerfLogs
C:\Windows\PolicyDefinitions
C:\Windows\System32\
C:\Windows\SYSVOL\

A

C:\Windows\PolicyDefinitions

11
Q

You want to create a central store for the administrative templates on a Windows Server 2012 R2 domain
controller.
What should you do?

Copy the local .admx and .adml files to C:\Windows\PolicyDefinitions.

Install ADMX Migrator on the domain controller and use it to generate .admx files from the local .adm files.

Copy the local .admx and .adml files to C:\Windows\SYSVOL\domain_name\Policies\PolicyDefinitions.

Configure a property filter for the appropriate policies in the domain using Group Policy Management.

A

Copy the local .admx and .adml files to C:\Windows\SYSVOL\domain_name\Policies\PolicyDefinitions.

12
Q

You need to add German language support for your administrative templates to a Windows Server 2012 R2
system.
Which administrative template component consists of language-independent files that store policy settings in
XML format?

.adm files
.admx files
gpt.ini files
.adml files

A

.admx files

13
Q

You are the desktop administrator for your company. You manage a group of Windows 8 Professional
computers used by a part-time sales staff. All computers are members of a single Active Directory domain.
Each part-time sales employee might use a different computer every day. You configure roaming user profiles
for each part-time sales employee. After you implement roaming user profiles, some users complain that it
takes an excessive amount of time to log on to a computer for the first time.
You investigate the problem and discover that these users store large amounts of files in their Documents
folders. You suspect that the increased log on times are due to the large amount of data being downloaded
from the network.
You want to decrease log on times for part-time sales employees. You also want to maintain access to each
user’s Documents folder when the user logs on to any computer. What should you do?

Create a group policy object that configures the Exclude Directories in Roaming Profile setting to exclude the Documents folder. Distribute the group policy object to each part-time sales employee.
Redirect each part-time sales employee’s Documents folder to a folder on a network share.
Create a group policy object that enables the Group Policy slow link detection setting. Distribute the group policy object to each part-time sales employee.
Change each part-time sales employee’s user profile to be a local profile.

A

Redirect each part-time sales employee’s Documents folder to a folder on a network share.

14
Q

You are the administrator for a domain named widgets.local.
You have created a Group Policy object (GPO) named Deploy Virus Detection, configured it to assign virus
detection software to all computers in the domain, and linked the GPO to the widgets.local domain. The
virus detection software is installed using a Windows Installer (.msi) file that has all installation data
integrated into it.
You now want to update the virus detection software on all computers. You do not want this update to be
optional.
What should you do? (Select two. Each choice is a required part of the solution.)

Assign a new software package to computers in the domain. Configure the new software package to upgrade over the existing virus detection software.
Copy the updated virus signature file to the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO.
Update the Windows Installer (.msi) file in the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO.
Publish a new software package to users in the domain. Configure the new software package to upgrade over the existing virus detection software.

A

Assign a new software package to computers in the domain. Configure the new software package to upgrade over the existing virus detection software.

Update the Windows Installer (.msi) file in the shared folder acting as a software distribution point. Redeploy the Deploy Virus Detection GPO.

15
Q

You administer a network with two Windows Server 2012 R2 servers and 70 Windows 7 computers. The
network has a single domain, with OUs for each department. User and computer objects have been moved to
their corresponding departmental OU.
You create a Group Policy object (GPO) that deploys service packs. You want the service pack to be installed
automatically to all client computers when the computer reboots. You edit a Group Policy object associated
with the Marketing OU and assign the software package to all users.
As a test, you reboot a computer. You find that the service pack has not been installed.
What should you do?

Assign the software package to all computers.
Run the secedit /refreshpolicy user_policy command at the workstation.
Publish the software package to all computers.
Run the secedit /refreshpolicy machine_policy command at the workstation.

A

Assign the software package to all computers.

16
Q

You are responsible for all application installations on your network. You are also responsible for applying all
service packs, hot fixes, and application upgrades.
Presently, you need to upgrade an application that has been deployed using a GPO and the Windows Installer
process. Before the installation of the upgrade, you must uninstall the previous version of the application.
What should you do?

Manually uninstall the previous version, then use the GPO to perform the upgrade.
Use the GPO to remove the previous version, then manually install the upgrade.
Manually uninstall the previous version, then manually install the upgrade.
Configure the GPO to remove the software when it falls outside of the scope of management. Delete the current GPO and create a new one that installs the updated version.
Configure the GPO to uninstall the previous version before it installs the new upgrade.

A

Configure the GPO to uninstall the previous version before it installs the new upgrade.

17
Q

You are the network administrator of a very large network. There are approximately 50 servers in the
organization that all require the latest Microsoft service pack. You have acquired an MSI package that installs
the latest service pack.
All servers are located in an Active Directory OU called Servers.
How should you deploy the service pack to all of the servers using the least administrative effort? (Select
two. Each choice is a required part of the solution.)

Create a Group Policy Object and link it to the Servers OU.
Assign the MSI package using Computer Configuration.
Configure a startup script for the installation. Assign it using Computer Configuration.
Configure a startup script for the installation. Assign it using User Configuration.
Create a Group Policy Object and link it at the Domain level.
Assign the MSI package using User Configuration.

A

Create a Group Policy Object and link it to the Servers OU.

Assign the MSI package using Computer Configuration.

18
Q

You are the network administrator for the westsim.com domain. All client computers are running Windows 8
and all servers are running Windows Server 2008 R2 or Windows Server 2012 R2. Organizational Units (OUs)
have been created for each department, and user and computer accounts have been moved into the
department OUs.
You have recently configured a Windows Server Update Services (WSUS) infrastructure on the network. All
client computers are configured to download updates from your internal WSUS server.
You have just received notification that the accounting software has a new update. The update is critical and
must be deployed as quickly as possible to all computers in the accounting department.
What should you do?

On the WSUS server, approve the update. Use client-side targeting to apply the update to the accounting computers.
Create a GPO linked to the Accounting OU. Publish the .msi file included with the update to computers.
Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers.
Create a GPO linked to the domain. Create a custom script that runs the update file. Use WMI filtering to apply the GPO to the accounting computers.

A

Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers.

19
Q

You are deploying two new applications to users in the company as follows:

All computers should have Microsoft Word installed.
All users in the Accounting department should have Microsoft Access installed.
For other users in the company, you want to allow them to install Microsoft Access if desired by using the Add/Remove Programs applet in the Control Panel.

Each department has its own organizational unit.
How should you deploy these applications? (Select all that apply.)

Assign Microsoft Access in a GPO linked to the Accounting OU.
Publish Microsoft Access in a GPO linked to the domain.
Assign Microsoft Word in a GPO linked to the domain.
Assign Microsoft Word in a GPO linked to each department’s OU.
Assign Microsoft Access in a GPO linked to the domain.
Publish Microsoft Word in a GPO linked to the domain.

A

Assign Microsoft Access in a GPO linked to the Accounting OU.
Publish Microsoft Access in a GPO linked to the domain.
Assign Microsoft Word in a GPO linked to the domain.

20
Q

You are the administrator of a single-domain network. All servers in the domain run Windows Server 2008 R2
or Windows Server 2012 R2. All client computers run Windows 8.
The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You
want all Sales users to have a shortcut to the ContactTrack application in their Start menu. The first time they
click the shortcut, you want the ContactTrack application to be installed.
You create a GPO named Deploy Software, configure it to publish the ContactTrack application to users, and
link the GPO to the Sales OU. You soon discover that the shortcut does not appear in any user’s Start menu.
What should you do?

Configure the Deploy Software GPO to assign rather than publish the ContactTrack software.
Link the GPO to the domain rather than to the Sales OU.
Add users in the Sales OU to the Deploy Software GPO’s access control list, and grant them Read and Apply Group Policy permissions.
Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located.
Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.

A

Configure the Deploy Software GPO to assign rather than publish the ContactTrack software.

21
Q

You are the administrator of a single-domain network. The domain has an OU named Sales. All users in the
Sales OU use an application named ContactTrack. You want this application to be available in the
Add/Remove Programs applet of all computers in the Sales OU. You do not want a shortcut to the program to
appear on users’ Start menu.
You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and
link the GPO to the Sales OU. However, after doing so, the shortcut appears in the Start menu for all Sales
users.
What should you do to prevent the shortcut from appearing?

Configure the Deploy Software GPO to publish rather than assign the ContactTrack software.
Deny all sales users the Write permission to the Start Menu folder.
Add users in the Sales OU to the Deploy Software GPO’s access control list, and grant them Read and Apply Group Policy permissions.
Link the GPO to the domain rather than to the Sales OU.
Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located.
Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.

A

Configure the Deploy Software GPO to publish rather than assign the ContactTrack software.

22
Q

Your company has just purchased 120 licenses for a new application that will be used by all users. It is up to
you to test and deploy the application as simply as possible. You decide to use a Group Policy object (GPO) to
roll out the new application using the Windows Installer functionality.
You create a software distribution point named Apps on the Server1 server and grant Read and Execute
permissions to all users who will install the software. You then create a Group Policy object and edit the
software installation properties under the User Configuration node. You configure the following properties:

Default package location: C:\apps
When adding new packages to user settings: Display the Deploy Software dialog box
Installation user interface options: Maximum
Uninstall the applications when they fall out of the scope of management: Enabled

You create a software distribution package based on the above settings that assigns the appropriate Windows
Installer package. However, when you test the package, Windows Installer doesn’t execute and install the
software. You need to find out why and make the appropriate changes.
What should you do?

Grant the Full Control permission to all users who will use the software distribution point.
Change the Installation user interface options setting to Basic.
Disable the Uninstall the applications when they fall out of the scope of management option.
Change the Default package location setting to \\Server1\Apps. Delete and recreate the software distribution package.

A

Change the Default package location setting to \\Server1\Apps. Delete and recreate the software distribution package.

23
Q

Your company has just purchased 120 licenses for an application that will be used by all company users. You
must test and deploy the application as simply as possible. You decide to use a Group Policy object (GPO) to
deploy the new application using the Windows Installer functionality.
You create a software distribution point named Apps on Server1. You then create a Group Policy object
and edit the software installation properties under the User Configuration node. You configure the following
properties:

Default package location: \\Server1\Apps\
When adding new packages to user settings: Display the Deploy Software dialog box
Installation user interface options: Maximum
Uninstall the applications when they fall out of the scope of management: Enabled

You create a software distribution package based on the above settings that assigns the appropriate Windows
Installer package. However, when you test the package, Windows Installer never executes and installs the
package. You need to find out why and make the appropriate changes.
What should you do?

Change the Installation user interface options setting to Basic.
Change the Default package location setting to C:\Server1\Apps. Then delete and recreate the software distribution package.
Disable the Uninstall the applications when they fall out of the scope of management option.
Grant the Read and Execute permission to all users who will use the software distribution point.

A

Grant the Read and Execute permission to all users who will use the software distribution point.

24
Q

You are the administrator of a single-domain network. The domain has an OU named Sales.
All users in the Sales OU use an application named ContactTrack. You want to install this application to all
computers in the Sales OU.
You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and
link the GPO to the Sales OU. Although the shortcut appears in the Start menu for Sales users, the
application is not installed until users click the shortcut. You want the GPO to install the application
completely.
What should you do?

Add users in the Sales OU to the Deploy Software GPO’s access control list, and grant them Read and Apply Group Policy permissions.
Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.
Configure the Deploy Software GPO to refer to a network share where the ContactTrack installation files are located.
Configure the Deploy Software GPO to publish rather than assign the ContactTrack software.
Link the GPO to the domain rather than to the Sales OU.

A

Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.

25
Q

You manage a network with a single domain. Organizational units (OUs) have been created for each
department. User and computer accounts for each department have been placed in their corresponding OU.
The network has three locations: Portland, Denver, and Phoenix. The Denver location is connected to Portland
with a 1 Mbps WAN link. The Phoenix location is connected to Portland with a 256 Kbps WAN link.
You want to implement a software installation policy to install an application on all computers in the Sales
department. The application should be installed automatically, and should be on the computer regardless of
which user is logged on. The application should be installed, even across slow WAN links. User profiles should
not be applied across slow links.
What should you do? (Select two. Each choice is a required part of the solution.)

In a GPO linked to the Sales OU, publish the software to users.
Enable the Group Policy slow link detection policy and configure it with a value of 1024.
In a GPO linked to the Sales OU, assign the software to computers.
Enable the Group Policy slow link detection policy and configure it with a value of 0.
Enable the Software Installation policy processing policy and select Allow processing across a slow network connection.
In a GPO linked to the Sales OU, assign the software to users.

A

In a GPO linked to the Sales OU, assign the software to computers.

Enable the Software Installation policy processing policy and select Allow processing across a slow network connection.

26
Q

You manage a network with a single domain. Organizational units (OUs) have been created for each
department. User and computer accounts for each department have been placed in their corresponding OU.
The network has three locations: Portland, Denver, and Phoenix. The Denver location is connected to Portland
with a 1 Mbps WAN link. The Phoenix location is connected to Portland with a 256 Kbps WAN link.
You want to implement a software installation policy to install an application for all members of the
Accounting team. The application should be added to the Add/Remove Programs list, and should be installed
only when a user manually adds it. The application should not be installed across the WAN links to the Denver
and Phoenix locations.
What should you do? (Select two. Each choice is a required part of the solution.)

In a GPO linked to the Accounting OU, assign the software to users.
Enable the Group Policy slow link detection policy and configure it with a value of 1024.
Enable the Group Policy slow link detection policy and configure it with a value of 0.
In a GPO linked to the Accounting OU, assign the software to computers.
In a GPO linked to the Accounting OU, publish the software to users.
Enable the Group Policy slow link detection policy and configure it with a value of 500.

A

Enable the Group Policy slow link detection policy and configure it with a value of 1024.
In a GPO linked to the Accounting OU, publish the software to users.

27
Q

You are the network administrator for a network with a single Active Directory domain. The domain’s
functional level is Windows Server 2003. Users are divided into OUs named Sales, Accounting, and
Management.
You are using Group Policy software distribution for all corporate applications. A sales application is deployed
as user assigned in a GPO named Sales Applications that is linked to the Sales OU.
Mary Hurd has been transferred from the Sales department to the Accounting department. You move the
corresponding user account from the Sales OU to the Accounting OU. After logging on to a new computer in
the Accounting department, Mary reports that the sales application is still being applied. You do not want the
sales application to be applied to the user.
What should you do?

Remove the sales application software package from the Sales Applications GPO and select the Immediately uninstall the software from users and computers option.
Enable the Block Policy inheritance option for the Accounting OU.
Reconfigure the sales application software package in the Sales Applications GPO to be published rather than assigned.
Configure the Uninstall this application when it falls out of the scope of management option for the sales application software package.

A

Configure the Uninstall this application when it falls out of the scope of management option for
the sales application software package.

28
Q

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for
each company department. User and computer accounts for each department have been moved into their
respective departmental OUs.
You have two OUs that contain temporary users: TempSales and TempMarketing. For all users within these
OUs, you want to restrict what the users are able to do. For example, you want to prevent them from
shutting down the system or accessing computers through a network connection.
Which GPO category would you edit to make the necessary changes?

Account Policies
Restricted Groups
User Rights
Security Options

A

User Rights

29
Q

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for
each company department. User and computer accounts for each department have been moved into their
respective departmental OUs.
You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers.
Which GPO category would you edit to make the necessary changes?

Restricted Groups
Account Policies
Security Options
User Rights

A

Security Options

30
Q

You are in charge of managing several servers. Your company requires many custom firewall rules in
Windows Firewall with Advanced Security.
What should you do?

Configure each computer individually.
Use Secedit.exe to import a custom security policy.
Create a PowerShell script that applies the firewall setting each time a server boots. Apply this script to all applicable servers.
Configure firewall settings in Group Policy. Apply the GPO so that it applies to all applicable servers.

A

Configure firewall settings in Group Policy. Apply the GPO so that it applies to all applicable servers.

31
Q

You are the administrator of a network with a single Active Directory domain. The domain includes two
domain controllers.
Your company’s security policy requires that locked out accounts are unlocked by administrators only. Upon
reviewing the account lockout policy, you notice an Account lockout duration of 99999.
You need to configure your domain’s account lockout policy to comply with your company’s security policy.
What should you do next?

Configure the Account lockout duration to 0.
Configure the Reset account lockout counter after to 1.
Configure the Account lockout duration to 1.
Configure the Reset account lockout counter after to 0.

A

Configure the Account lockout duration to 0.

32
Q

You are the administrator of a network with a single Active Directory domain. Your domain contains three
domain controllers and five member servers.
Your security policy states that all accounts should be locked out after three unsuccessful logon attempts, and
that accounts must be reset only by an administrator. A GPO enforces these settings.
You receive a call Monday morning from the Help Desk. There are seven users who are unable to log in to the
domain. Upon further investigation, you notice all seven accounts have been locked out.
You need to unlock the user accounts with the least amount of administrative effort while complying with
your security policy.
What should you do next?

Change the Account lockout duration value to 0.
Using Active Directory Users and Computers, highlight all seven accounts, and select Unlock Account.
Change the Account lockout threshold value to 0.
Change the Reset account lockout counter after value to 0.
Using Active Directory Users and Computers, select Unlock Account for each account.

A

Using Active Directory Users and Computers, select Unlock Account for each account.

33
Q

You are the network administrator for your network. Your network consists of a single Active Directory
domain. All servers run Windows Server 2012 R2. Your company recently mandated the following user
account criteria:

User accounts must be deactivated after three unsuccessful logon attempts
User account passwords must be at least 12 characters long
User accounts must be manually reset by an administrator once they are locked out

You must make the changes to affect everyone in the domain. You are editing the Default Domain Group
Policy object.
What should you do? (Choose three. Each correct choice represents part of the solution.)

Enable Password must meet complexity requirements.
Set Reset account lockout counter after to 0.
Set Account lockout threshold to 0.
Set Minimum password length to 12.
Set Maximum password age to 3.
Set Account lockout duration to 999.
Set Account lockout duration to 0.
Set Account lockout threshold to 3.

A

Set Minimum password length to 12.
Set Account lockout duration to 0.
Set Account lockout threshold to 3.

34
Q

You are the network administrator of a small network consisting of three Windows Server 2012 R2
computers, 50 Windows 7 workstations, and 100 Windows 8 workstations. Your network has a password
policy in place with the following settings:

Enforce password history: 10 passwords remembered
Maximum password age: 30 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Disabled
Store password using reversible encryption: Disabled

One day while sitting in the cafeteria, you overhear a group of co-workers talk about how restrictive the
password policy is and how they have found ways to beat it. When required to change the password, they
simply change the password 10 times at the same sitting. Then they go back to the previous password.
Your company has started a new security crackdown and passwords are at the top of the list. You thought
you had the network locked down, but now you see that you need to put an end to this practice. Users need
to have passwords that are a combination of letters and numbers and do not contain a complete dictionary
word. Users should not be able to reuse a password immediately.
What should you do? (Choose two. Each answer is part of the solution.)

Schedule a meeting with each co-worker’s supervisor to explain that the co-worker is violating the
corporate security policies.
Enable the Minimum password age setting.
Enable the Store password using reversible encryption setting.
Enable the Password must meet complexity requirements setting.
Schedule a meeting with the co-worker to explain the password policy in more detail and explain why it
is in place.

A

Enable the Minimum password age setting.

Enable the Password must meet complexity requirements setting.

35
Q

Susan is the administrator for a Windows Server 2012 R2 domain named internal.widgets.com. This
domain spans a single site (the Default-First-Site-Name site).
She wants to configure password and account lockout policies that Active Directory domain controllers will
enforce. She has created a Group Policy object with the settings she wants to apply. Most of the domain
controllers are located in the Domain Controllers OU, although she has moved some domain controllers to a
sub OU called Secure Domain Controllers.
Where should Susan link the Group Policy object that she has created?

The Default-First-Site-Name site.
The internal.widgets.com domain.
The Domain Controllers OU only.
The Secure Domain Controllers OU only.
Both the Domain Controllers OU and the Secure Domain Controllers OU.

A

The internal.widgets.com domain.

36
Q

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each
company department. User and computer accounts have been moved into their corresponding OUs.
You define a password and account lockout policy for the domain. However, members of the Directors OU
want to enforce longer passwords than are required for the rest of the users.
You need to make the change as easily as possible. What should you do?

Create a GPO linked to the Directors OU. Configure the password policy in the new GPO.
Create a new domain. Move the contents of the Directors OU to the new domain. Configure the
necessary password policy on the domain.
Implement a granular password policy for the users in the Directors OU.
In Active Directory Users and Computers, select all user accounts in the Directors OU. Edit the user
account properties to require the longer password.

A

Implement a granular password policy for the users in the Directors OU.

37
Q

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each
company department. User and computer accounts have been moved into their corresponding OUs.
You define a password and account lockout policy for the domain. However, members of the Directors OU
want to enforce longer passwords than are required for the rest of the users.
You would like to define a granular password policy for these users. Which tool should you use?

ADSI Edit
Active Directory Sites and Services
Group Policy Management Console and Group Policy Management Editor
Active Directory Users and Computers
Active Directory Domains and Trusts

A

ADSI Edit

38
Q

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each
company department. User and computer accounts have been moved into their corresponding OUs.
You define a password and account lockout policy for the domain. However, members of the Directors OU
want to enforce longer passwords than are required for the rest of the users.
You need to make the change as easily as possible. What should you do?

Create a granular password policy. Apply the policy to the Directors OU.
Create a granular password policy. Apply the policy to all users in the Directors OU.
Create a granular password policy. Create a universal security group. Apply the policy to the group. Add
all users in the Directors OU to the group.
Create a granular password policy. Create a global distribution group. Apply the policy to the group. Add
all users in the Directors OU to the group.

A

Create a granular password policy. Apply the policy to all users in the Directors OU.

39
Q

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each
company department. User and computer accounts have been moved into their corresponding OUs.
Members of the Directors OU want to enforce longer passwords than are required for the rest of the users.
You define a new granular password policy with the required settings. All users in the Directors OU are
currently members of the DirectorsGG group, a global security group in that OU. You apply the new password
policy to that group.
Matt Barnes is the chief financial officer. He would like his account to have even stricter password policies
than are required for other members in the Directors OU.
What should you do?

Create a granular password policy for Matt. Apply the new policy directly to Matt’s user account. Remove
Matt from the DirectorsGG group.
Create a granular password policy for Matt. Create a new group, making Matt a member of the group.
Apply the new policy directly to the new group. Make sure the new policy has a higher precedence value
than the value for the existing policy.
Create a granular password policy for Matt. Apply the new policy directly to Matt’s user account.
Edit the existing password policy. Define exceptions for the required settings. Apply the exceptions to
Matt’s user account.

A

Create a granular password policy for Matt. Apply the new policy directly to Matt’s user account.

40
Q

You are the network administrator for southsim.com. The network consists of a single Active Directory
domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. The current password
policy requires complex passwords of at least 8 characters. These passwords expire every 90 days.
southsim.com has obtained a contract with the United States Government. The contract requires that all
engineers that work on the project have complex passwords with at least 14 characters that expire every 30
days. Management does not wish to change the password requirements for users who are not working on the
new project. You need to ensure that the password requirements for the engineers working on the new
project are enforced without affecting other users.
What should you do first?

Use the Enable-ADOptionalFeature PowerShell cmdlet to create a new fine-grained password policy.
Go to System \ Password Settings Container in the Active Directory Administrative Center to create
a new fine-grained password policy.
Use the Add-ADFineGrainedPasswordPolicySubject PowerShell cmdlet to create a new fine-grained
password policy.
Use the Get-ADFineGrainedPasswordPolicy PowerShell cmdlet to create a new fine-grained password
policy.

A

Go to System \ Password Settings Container in the Active Directory Administrative Center to create a new fine-grained password policy.

41
Q

To reduce your network’s exposure to replay attacks, you want to reconfigure your Kerberos policies so that
the time on your domain-joined hosts must be within 3 minutes of the time on the domain controller
providing Kerberos authentication.
Which Kerberos Group Policy setting would you use to enable this configuration?

Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization

A

Maximum tolerance for computer clock synchronization

42
Q

You want to reconfigure your Kerberos policies so that users’ ticket-granting ticket (TGT) may be used for a
maximum of 9 hours. For a user to continue using a resource after the time expires, the TGT must be
renewed or a new one requested.
Click the Kerberos Group Policy setting you would use to enable this configuration.

Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization

A

Maximum lifetime for user ticket

43
Q

You are consulting with the owner of a small network which has a Windows Server 2012 R2 functioning as a
workgroup server. There are six client desktop computers, each of which is running Windows 2007. There is
no Internet connectivity.
The owner of the company has heard of a case where the owner of a network was found legally liable for
misuse of the corporate computers, because insufficient care was taken to prevent unauthorized access. The
server contains possibly sensitive information and due care needs to be taken to ensure that no unauthorized
access occurs. Specifically, the owner of the company wants you to configure auditing so that access to
sensitive files can be tracked.
You need to check and ensure that the files generate audit results.
What should you do? (Choose three. Each selection is part of the complete solution.)

Make sure the Audit File System policy is configured for success and failure.
Make sure the correct users and groups are listed in the File System policy.
Make sure the files to be audited are on NTFS partitions.
Make sure the properties on the Security log allow writes by all users.
Make sure the account you logged into has permissions to read the security log.

A

Make sure the Audit File System policy is configured for success and failure.

Make sure the correct users and groups are listed in the File System policy.

Make sure the files to be audited are on NTFS partitions.

44
Q

You are the server administrator for your network. Recently, the system time on several servers has been
modified. You want to find out who has been making the change.
You enable the Audit Security State Change audit policy. After several days, you decide to check to see if
any events have been logged. You want to view only those audit events that might indicate
someone had changed the system time.
What should you do? (Select two. Each choice is a required part of the solution.)

Filter to look for failed events.
Filter to look for both successful and failed events.
Look in the Security log.
Filter to look for successful audit events.
Look in the Application log.
Look in the System log.

A

Look in the Security log.

Filter to look for successful audit events.

45
Q

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating
system. All computers are joined to a single Active Directory domain. Several computers store sensitive
information.
You are configuring security settings that will be distributed to all computers on your network. You want to
identify attempts to break into a computer by having the computer that denies the authentication attempt
note the failed attempt in its Security event log.
You want to use an advanced audit policy to accomplish this. What should you do?

Select Failure for Audit account logon events.
Select Success for Audit account logon events.
Select Success for Audit System Integrity.
Select Failure for Audit System Integrity.
Select Success for Audit Logon.
Select Failure for Audit Logon.

A

Select Failure for Audit Logon.

46
Q

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating
system. All computers are joined to a single Active Directory domain. Several computers store sensitive
information.
You are configuring security settings that will be distributed to all computers on your network. You want to
identify denied attempts to manipulate files on computers that have been secured through NTFS permissions.
You want to use an advanced audit policy to accomplish this. What should you do? (Choose two. Both
selections are part of the complete solution.)

Select Failure for Audit object access.
Select Failure for Audit File System.
Select Failure for Audit system events.
Enable File system; then configure the security principals and types of access you want to audit.
Select Failure for Audit account management.

A

Select Failure for Audit File System.

Enable File system; then configure the security principals and types of access you want to audit.

47
Q

You are the network administrator for your company. Your company uses Windows 8 as its desktop operating
system. All computers are joined to a single Active Directory domain. Several computers store sensitive
information.
You are configuring security settings that will be distributed to all computers on your network. You want to
identify denied attempts to change a user’s security group membership in a computer’s local database.
You want to create a policy that meets these requirements. What should you do?

Select Failure for Audit object access.
Select Failure for Audit User Account Management.
Select Failure for Security Group Management.
Select Failure for Audit account management.
Select Failure for Distribution Group Management.

A

Select Failure for Security Group Management.

48
Q

You are the security administrator for your organization. Your multiple domain Active Directory forest uses
Windows Server 2012 R2 for domain controllers and member servers. The computer accounts for your
member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the
Domain Controllers OU.
You are creating a security template that you plan to import into a GPO. You want to log all domain user
accounts that connect to the member servers. You want to be able to check each server’s log for the events.
What should you do? (Choose two. Each choice is a required part of the solution.)

Link the GPO to the Member Servers OU.
Enable the logging of Object Access events.
Link the GPO to the Domain Controllers OU.
Enable the logging of System events.
Enable the logging of Logon events.

A

Link the GPO to the Member Servers OU.

Enable the logging of Logon events.

49
Q

You are in charge of managing the servers in your network. Recently, you have noticed that many of the
domain member servers are being shut down.
You would like to use advanced auditing to track who performs these actions. You want to only monitor the
necessary events and no others.
What should you do? (Select two. Each choice is a required part of the solution.)

Audit successful system security state changes.
Audit successful user account management events.
Create a GPO to configure auditing. Link the GPO to the domain.
Audit failed system security state changes.
Create a GPO to configure auditing. Link the GPO to the Computers container.
Audit failed user account management events.

A

Audit successful system security state changes.

Create a GPO to configure auditing. Link the GPO to the domain.

50
Q

You manage a single domain named widgets.com. Recently, you notice that there have been several
unusual changes to objects in the Sales OU.
You would like to use advanced auditing to keep track of those changes. You want to only enable auditing
that shows you the old and new values of the changed objects.
Which directory service auditing subcategory should you enable?

Detailed Directory Service Replication
Directory Service Access
Directory Service Replication
Directory Service Changes

A

Directory Service Changes

51
Q

You are the network administrator for westsim.com. The network consists of one Active Directory domain.
All the servers run Windows Server 2012 R2. All the clients run Windows 8.
You need to identify attempts by users to log on after their accounts have been locked out. Your solution
should identify attempts made on any client computer in the domain. You must use the least amount of
administrative effort.
What should you do?

In Event Viewer on each of the domain controllers, attach a task to event ID 644.
Create a new group policy object. In the Audit Policy, enable Account Logon Events.
Create a new group policy object. In the Advanced Audit Policy Configuration, enable Audit Account
Lockout.
Create a new group policy object. In the Audit Policy, enable Logon Events.

A

Create a new group policy object. In the Advanced Audit Policy Configuration, enable Audit Account
Lockout.

52
Q

You are the network administrator for eastsim.com. The network consists of a single Active Directory
domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8. The computer
objects for all of the file servers in the company have been placed into an organizational unit named
FileServers.
Human Resources has received a complaint that a user has been accessing secured material on the
company’s file servers. They have requested a list of all files accessed by this user on any file server in the
company during the next two weeks. You must provide this information using the least amount of
administrative effort.
What should you do?

Create a new group policy object and link it to the FileServers organizational unit. Enable Global Object
Access Auditing for the File System and specify the user’s account in the Auditing tab.
Create a new group policy object and link it to the FileServers organizational unit. Enable the Audit
Object Access policy. Then at each of the file servers, modify the access control list at the root of the
file system, and specify the user’s account in the Auditing tab of the Advanced Security Settings dialog
box.
Create a new group policy object and link it to the organizational unit that contains the user’s account.
Enable the Audit Object Access policy. Then at each of the file servers, modify the access control list
at the root of the file system, and specify the user’s account in the Auditing tab of the Advanced Security
Settings dialog box.
Create a new group policy object and link it to the organizational unit that contains the user’s account.
Enable Global Object Access Auditing for the File System and specify the user’s account in the
Auditing tab.

A

Create a new group policy object and link it to the FileServers organizational unit. Enable Global Object
Access Auditing for the File System and specify the user’s account in the Auditing tab.

53
Q

You are the network administrator for eastsim.com. The network consists of a single Active Directory
domain. All of the servers run Windows Server 2012 R2. All of the clients run Windows 8.
The manager of the Sales business unit informs you that critical files have been inappropriately modified. You
need to determine who has modified the files and what permissions have allowed them to do so.
What should you do?

Create a new group policy object and link it to the organizational unit that contains the computer
account of the file server. Enable the Audit Object Access policy. On the Auditing tab in the Advanced
Security Settings dialog box for the file, specify the Everyone group.
Create a new group policy object and link it to the organizational unit that contains the computer
account of the file server. Enable the Audit File System and Audit Handle Manipulation policies in
the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings
dialog box for the file, specify the Everyone group.
Create a new group policy object and link it to the organizational unit that contains the user’s account.
Enable the Audit Object Access policy. On the Auditing tab in the Advanced Security Settings dialog
box for the file, specify the Everyone group.
Create a new group policy object and link it to the organizational unit that contains the computer
account of the file server. Enable the Audit File System policy in the Advanced Audit Policy
Configuration node. On the Auditing tab in the Advanced Security Settings dialog box for the file, specify
the Everyone group.

A

Create a new group policy object and link it to the organizational unit that contains the computer
account of the file server. Enable the Audit File System and Audit Handle Manipulation policies in
the Advanced Audit Policy Configuration node. On the Auditing tab in the Advanced Security Settings
dialog box for the file, specify the Everyone group.

54
Q

You are the administrator for eastsim.com. The network consists of a single Active Directory domain. All the
servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. eastsim.com has one
main site. There are two domain controllers named DC1 and DC2, which also provide DNS services to clients.
There is a single Active Directory Integrated zone named eastsim.com.
After users complain that they are unable to reach an application server in the main site, you determine that
the record for the server has been deleted from the zone. You recreate the missing record. You need to
ensure that if the record disappears again you can identify the cause of the deletion. Your solution must
minimize the impact on servers not hosting the DNS role.
What should you do?

Enable Audit Directory Service Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
Enable Audit Object Access in the Audit policy of the Default Domain Policy Group Policy Object (GPO)
and then use the DNS Console snap-in to enable auditing on the zone.
Enable Audit Object Access in the Audit policy of the Default Domain Controllers Policy Group Policy
Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.
Enable Audit Directory Service Access in the Audit policy of the Default Domain Policy Group Policy
Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.

A

Enable Audit Directory Service Access in the Audit policy of the Default Domain Controllers Policy Group Policy Object (GPO) and then use the DNS Console snap-in to enable auditing on the zone.

55
Q

You are the network administrator for eastsim.com. The network consists of one Active Directory domain.
All the servers run Windows Server 2012 R2. All of the clients still run Windows Vista. The domain functional
level of the domain is set to Windows Server 2008.
You have been instructed to use Active Directory group policy preferences to map a department drive for
each user. You create a new group policy object and link it to the domain. Then you configure the appropriate
group policy settings. However, when you log on as a test user, you discover that the department drive has
not been mapped. Troubleshooting indicates that the appropriate group policy object has been applied. You
must ensure that the department drives are mapped using group policy.
What should you do?

Using Active Directory Domains and Trusts, raise the Domain Functional level to Windows Server 2008
R2.
Install the client-side extensions (CSEs) on all of the client computers.
Using Active Directory Sites and Services, force replication to all of the domain controllers at the site.
Link the group policy object to the site.

A

Install the client-side extensions (CSEs) on all of the client computers.

56
Q

You need to configure a Group Policy preference that configures notebook systems in the domain to use the
Power Saver power plan when undocked. You have specified the appropriate power plan in the Advanced
Settings tab of the Power Options Group Policy preference and have set it as the active power plan.
Click on the option you must enable to apply the preference only to undocked notebook systems.

Stop processing items in this extension if an error occurs.
Run in logged-on user’s security context (user policy option).
Remove this item when it is no longer applied.
Apply once and do not reapply.
Item-level targeting.

A

Item-level targeting.

57
Q

The desktop workstations you recently purchased for the employees in your organization’s Denver office
came with two network boards installed:

A RealTek PCIe Fast Ethernet interface integrated into the motherboard
A Broadcom NetXtreme 57xx Gigabit Ethernet interface installed in a motherboard slot.

You used the gigabit controller to connect these systems to the network. Because the integrated interface is
not used, you set up a Devices Group Policy preference that disables the RealTek adapter. However, because
this affects only the employees in the Denver office, you set up an item-level target that specifies that the
preference only be applied to hosts in the Denver site in Active Directory.
Which of the following is true concerning this Group Policy preference when it is applied?

To apply the preference, the necessary configuration changes will be saved in a script that is executed
on startup or logon.
The preference will be applied only once and will not be refreshed if the user re-enables the RealTek
adapter manually.
The user interface in Device Manager used to re-enable the RealTek adapter will be disabled on the
workstations.
The preference will be applied but not enforced.

A

The preference will be applied but not enforced.

58
Q

Your organization’s security policy dictates that the security level for the Local Intranet and Trusted Sites
zones in Internet Explorer be set to Medium-High on all user workstations.
Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a
GPO to make the change.
Which of the following is true concerning this Group Policy preference? (Choose two.)

This preference is not available in local Group Policy.
The Security tab in Internet Options will be disabled on the workstations.
Removing the preference setting at a future point in time will restore the original zone security settings.
The preference will be applied only once and will not be refreshed if the user reconfigures zone security
settings manually.
The preference can be applied to specific systems based on criteria you specify.

A

This preference is not available in local Group Policy.

The preference can be applied to specific systems based on criteria you specify.

59
Q

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for
each company department. User and computer accounts for each department have been moved into their
respective departmental OUs.
As part of your security plan, you have analyzed the use of Internet Explorer in your organization. You have
defined three different groups of users. Each group has different needs for using Internet Explorer. For
example, one group needs ActiveX controls enabled, while you want to disable ActiveX for the other two
groups.
You would like to create three templates that contain the necessary settings for each group. When you create
a GPO, you’d apply the settings in the corresponding template rather than manually set the corresponding
Administrative Template settings for Internet Explorer.
What should you do?

Identify three GPOs with the necessary settings. Take a backup of these GPOs. After creating a new
GPO, right-click the GPO and choose Restore from Backup….
Create three custom .admx files. Copy these files to the local workstation that you use to manage GPOs.
Use the Add/Remove Templates… feature to add the necessary template when creating the GPO.
Create three custom .admx files. Copy these files to the central store location. When creating the GPOs,
select the necessary .admx file.
Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO
with the desired settings.

A

Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO
with the desired settings.

60
Q

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for
each company department. User and computer accounts for each department have been moved into their
respective departmental OUs.
As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security
options, and Administrative Template settings in different GPOs. Rather than make these same settings each
time, you would like to create some templates that contain your most common settings.
What should you do? (Select two. Each choice is a possible solution.)

Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.
Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, restore
one of the backed up GPOs.
Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import
the settings from one of the backed up GPOs.
Create starter GPOs. When creating new GPOs, select the appropriate starter GPO.
Create custom .admx files with the necessary settings. Copy these files to the central store. After
creating the GPO, import the settings from the .admx files.

A

Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.

Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import
the settings from one of the backed up GPOs.

61
Q

You manage Group Policy for the westsim.com domain. You have set up a lab with a separate forest named
westsim.test. In the lab domain, you create a GPO named UserSettings. You test this GPO in the lab and
then decide that you want to use it in your production domain.
You need to move the GPO to the westsim.com domain.
What should you do?

Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from
the backup.
Take a backup of the UserSettings GPO. In westsim.com, restore the GPO from the backup.
In the Group Policy Management Console, drag the UserSettings GPO from westsim.test to
westsim.com.
Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Restore the settings
from the backup.

A

Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from
the backup.

62
Q

You manage the network for the eastsim.com domain. You have three domain controllers, all running
Windows Server 2012 R2.
You have created several Group Policy objects (GPOs) for your domain and various OUs. You have also
enabled the Administrative Templates central store.
You want to take a backup of GPOs and starter GPOs. You want to perform as few backups as possible, and
the backup should contain these items and as little else as possible.
What should you do?

In Group Policy Management, create a backup that includes all GPOs and starter GPOs.
Run wbadmin and take a system state backup.
Run wbadmin and back up the Sysvol folder.
In Group Policy Management, back up all GPOs. Back up all starter GPOs separately.

A

In Group Policy Management, back up all GPOs. Back up all starter GPOs separately.

63
Q

You are the network administrator for westsim.com. The network consists of a single Active Directory
domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8.
You have modified the Default Domain Controllers group policy object. A new security policy in the company
states that all group policy settings must be delivered using new group policy objects. You must reset the
Default Domain Controllers policy to the default settings using the minimum administrative effort.
What should you do?

Run the dcgpofix /target:domain command on a domain controller.
Using Group Policy Management Console, view the Settings tab for the Default Domain Controllers
policy. After identifying settings that are not part of the default settings, edit the policy and remove all
settings that were not part of the default configuration.
Run the dcgpofix /target:dc command on a domain controller.
Set the Burflags registry setting to D2 on a domain controller.

A

Run the dcgpofix /target:dc command on a domain controller.

64
Q

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for
each department, with all user accounts being moved into their departmental OUs.
Previously, you used the Delegation of Control wizard to assign permissions to a user to change passwords
and manage user accounts in the Marketing OU. Now you need to remove some of the permissions assigned
to that user for objects in the OU.
What should you do?

Re-run the Delegation of Control wizard, specifying only the necessary permissions.
Edit the ACL for the OU and remove the unnecessary permissions.
Run Dsacls with the /resetDefaultDACL switch.
Add the user to a group. Run the Delegation of Control wizard for the OU, assigning the necessary
permissions to the group.

A

Edit the ACL for the OU and remove the unnecessary permissions.

65
Q

As a result of a recent security audit, you have made several critical changes to your domain’s security
configuration using Group Policy. You need these changes to be applied immediately.
Which PowerShell cmdlet should you use to do this from your Windows Server 2012 R2 domain controller?

Import-GPO
Set-GPInheritance
Invoke-GPUpdate
New-GPO

A

Invoke-GPUpdate

66
Q

Your company has just decided to upgrade from an older non-directory-based server operating system to
Windows Server 2012 R2. You are in charge of designing the new Active Directory tree. You have a small
company that has only one location. You have determined that you will have approximately 500 objects in
your completed tree.
The tree design has been the subject of some controversy. In preliminary meetings, you have determined
that there are four primary areas of the company: Accounting, Manufacturing, Sales, and Administration.
Each area is autonomous and reports directly to the CEO. In meetings on the Active Directory tree design, the
manager of each area wants to make sure that some management control of their users and resources
remains in the department.
What should you do?

Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.

Create a local group. Add a designated user from each department to the local group. Make the local group a member of the Administrators domain local group, thus giving the designated users the ability to manage the department resources, no matter where the resources are in the tree.

Create an Organizational Unit object for each department and use the Delegation of Control wizard to make the department managers members of the Administrators group.

Explain to the managers of each of the departments that best practices for an Active Directory tree of this size suggest that centralized administration is the most efficient method. All network administration will remain within your department.

A

Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.

67
Q

You are the network administrator for your company. Your company has three standalone servers that run
Windows Server 2012 R2. All servers are located in a single location. You have decided to create a single
Active Directory domain for your network.
Currently, each department has one employee designated as the department’s computer support person.
Employees in this role create user accounts and reset passwords for the department. As you design Active
Directory, you want these users to maintain their responsibilities. You must not give these users more
permission than they need.
What should you do?

Create an organizational unit (OU) structure where each department has its own OU. Make each computer support user a member of the Domain Admins group.
Create an organizational unit (OU) structure where each department has its own OU. Create a Computer Support global group that contains each computer support user. Grant the Computer Support global group appropriate permissions to each departmental OU.
Create a domain for each department. Make each computer support user a member of the Domain
Admins group.
Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation
of Control wizard to grant each computer support user appropriate permissions to their department OUs.

A

Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation
of Control wizard to grant each computer support user appropriate permissions to their department OUs.

68
Q

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for
each department.
You want to give the TWhite user account the ability to link and unlink GPOs on the Sales OU. You want to
assign the least amount of permissions possible.
What should you do?

Make TWhite a member of the Group Policy Creator Owners group.
In the Group Policy Management console, add TWhite to the Delegation tab on the Group Policy Objects
container.
In the Group Policy Management console, add TWhite to the Delegation tab for the GPO linked to the
Sales OU.
Run the Delegation of Control wizard.

A

Run the Delegation of Control wizard.

69
Q

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for
each department.
You have created a GPO named AccountingGPO and linked it to the Accounting OU. You want to give John
Parker the ability to edit the settings in only that GPO. You want to assign the least amount of permissions
possible.
What should you do?

In the Group Policy Management console, add the user to the Delegation tab for the GPO.
Run the Delegation of Control wizard and assign the necessary permissions.
Make the user a member of the Group Policy Creator Owners group.
In the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects container.

A

In the Group Policy Management console, add the user to the Delegation tab for the GPO.

70
Q

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for
each department.
In Group Policy, you have created a GPO linked to the domain that sets domain-wide settings. Additional
GPOs linked to each OU configure department-specific settings.
You want to allow user Julia Chow to create GPOs and manage settings in all GPOs. You want to assign the
least amount of permissions possible.
What should you do? (Select two. Each choice is a possible solution.)

Run the Delegation of Control wizard and assign the user the necessary permissions to the domain.
Make the user a member of the Group Policy Creator Owners group.
Make the user a member of the Domain Admins group.
In the Group Policy Management console, add the user to the Delegation tab for each GPO.
In the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects
container.

A

Make the user a member of the Group Policy Creator Owners group.

In the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects
container.