Chapter 2: Managing OUs and Active Directory Accounts

Question 1

Benefits of using OUs

Answer 1

Create hierarchical structures to allow easy resource access
Delegation of administrative authority
Able to change OU structure easily
Grouping users and computers for assigning administrative and security policies
Hiding AD objects

Question 2

Delegation of Control

Answer 2

A person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks for them

Commonly delegated tasks:

Create, delete, and manage user accounts, passwords, and groups
Manage group policy links
Generate Resultant Set of Policy (Planning or Logging)

Question 3

Can delegated control be seen in an OUs properties?
How do you see it?

Answer 3

By default, the OU’s properties don’t show that a user has been delegated control. To verify who has been delegated control, you must view the OU’s permissions

Question 4

Security Principals that can be assigned to an object (3)

Answer 4

Users, groups, computers

Question 5

AD object’s security descriptor

Answer 5

An AD objects security descriptor is the security settings of three components:

Discretionary access control list (DACL)
Object owner
System access control list (SACL)

Question 6

Object permissions (5)

Answer 6

Read
Write
Create all child objects
Delete all child objects
Full control

Question 7

Permission inheritance

Answer 7

Permission inheritance defines how permissions are transmitted from a parent object to a child object

(All objects in AD are child objects of the domain)

Question 8

Default settings in AD Users and Computers hide some system folders, these are… (5)

Answer 8

Displayed by enabling the Advanced Features option from the View menu

LostAndFound
Program Data
System
NTDS Quotas
TPM (Trusted Platform Module) Devices

Question 9

User accounts have two main functions

Answer 9

Provide a method for user authentication to the network (log in to use)
Provide detailed information about the user

Question 10

built-in Administrator account (3)

Answer 10

Has full access to all aspects of a computer
Can be renamed or disabled but not deleted
Default administrator should be renamed and given a strong password

Question 11

Domain administrator account

Answer 11

The domain administrator account in the forest root domain has full access to all aspects of the forest

Question 12

built-in Guest account

Answer 12

Is disabled by default
Can have a blank password
Has limited access to a computer or domain
Can access any resource which the Everyone group has permission for

Question 13

What commands can you use to disable an account? (3)

Answer 13

Powershell cmdlets:
Enable-ADAccount
Disable-ADAccount

dsmod user

Question 14

Group Types

Answer 14

Security - the man AD objects administrators use to manage network resource access and grant rights to users
Distribution - For sending mass emails

Question 15

Group Scope

Answer 15

Group scope determines the reach of a group’s application in a domain or forest

Question 16

Group Scope options (4)

Answer 16

Domain local - domain local groups in the same domain
Global - Global groups in the same domain
Universal - Universal groups from any domain in the forest
local (for groups created in the SAM database of a computer)

Question 17

SAM database

Answer 17

The Security Accounts Manager (SAM) database

Question 18

AGGUDLP

Answer 18

Accounts are made members of
Global groups, which when necessary are nested in other
Global groups, which are made members of
Universal groups, which are then made members of
Doman Local groups, which are assigned
Permissions to resources

Question 19

A global group

Answer 19

A global group used to group users from the same domain with similar access or rights requirements

Question 20

A universal group

Answer 20

A universal group can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest

Question 21

A local group

Answer 21

A local group is created in the local SAM database on a member server or workstation or a stand-alone computer

Question 22

Automating Account Management

Answer 22

Account Management can be automated in AD using command-line programs for simple repetitive tasks, or batch files for lengthy and cumbersome tasks

Question 23

Batch file

Answer 23

A batch file is a text file with .bat extension that can take arguments to replace variables in a command to automate lengthy and cumbersome account management tasks

Question 24

What are ADAC and ADUC?

Answer 24

Active Directory Administrative Center and Active Directory Users and Computers are tools for creating and maintaining user accounts

Question 25

What are user templates and what are they used for?

Answer 25

User templates are templates for creating users who have common attributes, such as group memberships

Question 26

Two methods for automating account management are?

Answer 26

You can automate account management using command-line tools or PowerShell cmdlets