Configure Service Authentication and Account Policies

Question 1

Which built-in Service Accounts have the most permissions?

Answer 1

Local System > Local Service > Network Service

Question 2

How do you create a service account (unmanaged)?

Answer 2

1. Create a new user account

2. Within a service’s properties, on the Log on As tab, specify the user account to be used as a service account.

Question 3

What PowerShell command can be used to create a new service?

Answer 3

New-Service -Name -BinaryPathName

Question 4

What PowerShell command can be used to create a Managed Service Account?

Answer 4

1. New-ADServiceAccount -Name -RestrictSingleComputer
2. Add-ADComputerServiceAccount -Identity -ServiceAccount
3. Install-ADServiceAccount -Identity

Question 5

What PowerShell command can be used to test if service account is functional?

Answer 5

Test-ADServiceAccount -Identity

Question 6

How do you create a Group Managed Service Account?

Answer 6

1. Create a key distribution center root key by typing:
   Add-KDSRootKey -EffectiveImmediately
   (10 hours to complete)
2. Create the gMSA by typing:
   New-ADServiceAccount -Name -DNSHostName -PrincipalsAllowedToRetrieveManagedPassword “Domain Computers” or specified OU
3. Remotely Push “RSAT AD PowerShell” to machines that will utilized the gMSA by typing:
   Invoke-Command -ComputerName -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }
4. Log into server utilizing gMSA and install service account by typing:
   Install-ADServiceAccount
5. (Optional) Test gMSA by typing:
   Test-ADServiceAccount -Identity

Question 7

What is Kerberos Constrained Delegation?

Answer 7

The use of user account credentials to access requested services on a server

Question 8

How do you configure Kerberos Constrained Delegation?

Answer 8

1. Navigate to ADUC > Server Properties > Delegation tab
2. Select “Trust this computer for delegation to specified services only”
3. Specify the server and service to be used

Question 9

How do you view Service Principal Names?

Answer 9

ADUC > View > Advanced Features > Properties > Attribute Editor tab

Question 10

What command-line utility can be used to manage Service Principal Names?

Answer 10

Setspn

Question 11

Using the setspn utility, how do you view Service Principal Names?

Answer 11

setspn -l

Question 12

Using the setspn utility, how do you create a new Service Principal Name?

Answer 12

setspn -s / \

Question 13

How do you configure a virtual service account?

Answer 13

Service’s Properties > Log on As tab

For account, specify NT SERVICE\

Question 14

In the Run dialog box, what brings up the Security Settings section of Group Policy?

Answer 14

Run > secpol.msc

Question 15

Where do you configure domain and local user password policy settings?

Answer 15

Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies

Question 16

Where do you configure account lockout policy settings?

Answer 16

Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies

Question 17

Where do you configure Kerberos policy settings within Group Policy, configure Authentication Policies and Authentication Policy Silos?

Answer 17

Group Policy Management Editor > Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies

Question 18

Where do you create PSOs?

Answer 18

AD Admin Center

Question 19

How do you create PSOs?

Answer 19

1. Within AD Admin Center, open a password settings container by navigating to Server (Local) > Add Navigation Nodes > System > Password Settings Container
2. New > Password Settings > Configure Settings > Apply to security object (User/Group)

Question 20

How do you delegate password settings management?

Answer 20

Right click on OU and select New Delegation > Specify User/Group > Assign tasks

Question 21

What PowerShell command is used to view Domain Password Policies?

Answer 21

Get-ADDefaultDomainPasswordPolicy