Managing User and Service Accounts Flashcards

Configuring Password Policy and User Account Configuring Managed Service Accounts

1
Q

What are the Kerberos Policies?

A
  1. Enforce User Logon Restrictions
  2. Maximum Lifetime For Service Ticket
  3. Maximum Lifetime For User Ticket
  4. Maximum Lifetime For User Ticket Renewal
  5. Maximum Tolerance For Computer Clock Synchronization
2
Q

What are Password Policies?

A
  1. Enforce Password History
  2. Maximum Password Age
  3. Minimum Password Age
  4. Minimum password length
  5. Password must meet complexity requirements
  6. Store Password using reversible encryption
3
Q

What are the Account Lockout Policies?

A
  1. Account lockout duration
  2. Account lockout threshold
  3. Reset account lockout counter after
4
Q

What is the order that Group Policy is applied in?

A

L - Local

S - Site

D - Domain

OU - Organizational Unit

5
Q

Where do Password Settings Objects live?

Where can this be viewed?

A

System -> Password Settings Objects

ADSI Edit

ADUC (Users and Computers)

ADAC (Administrative Center)

6
Q

What can Password Settings Objects be applied to?

A

Users and Groups

Note: Not Organizational Units

7
Q

New-ADFineGrainedPasswordPolicy

Please provide an example

A

Creates a new Active Directory Password Settings Object

ex. New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

8
Q

Get-ADFineGrainedPasswordPolicy

A

Gets one or more Active Directory Password Settings Objects

9
Q

Remove-ADFineGrainedPasswordPolicy

A

Removes an Active Directory Password Settings Object

10
Q

Set-ADFineGrainedPasswordPolicy

A

Modifies an Active Directory Password Settings Object

11
Q

Add-ADFineGrainedPasswordPolicySubject

Please provide an example

A

The Add-ADFineGrainedPasswordPolicySubject cmdlet applies a fine-grained password policy object to one or more global security groups and users.

Ex. Add-ADFineGrainedPasswordPolicySubject -Identity DomainUsersPSO -Subjects 'Domain Users'

12
Q

How is it determined which PSO wins?

What's the exception to this rule?

A

Precedence. The lowest value is last to apply.

Exception: if there is a mixture of group assignments and a direct assignment to the user, the direct assignment wins.

13
Q

When were Managed Service Accounts introduced?

When were Group Managed Service Accounts introduced?

A
  1. Windows Server 2012
  2. Windows Server 2012 R2
14
Q

What is the difference between a Managed Service Account and a Group Managed Service Account?

A

Managed Service Account: 1 account per machine

Group Managed Service Account: allows 1 object to be created in AD to be used only by specific computers

15
Q

What are the requirements for a Group Managed Service Account?

A
  • Must have at least one Windows Server 2012 DC
  • KDS Root Key created for Domain
16
Q

PowerShell steps to create a gMSA

Service Account Name: Service01

Server: Server01

Domain: contoso

A

PowerShell steps to create a Group Managed Service Account

  • Add-KdsRootKey
    • (Note, not needed for the answer: the key can take effect immediately with Add-KdsRootKey -EffectiveImmediately, or at a specified time with Add-KdsRootKey -EffectiveTime "03/06/2013")
  • New-ADServiceAccount -Name "Service01" -DNSHostName "Service01.contoso.com" -Enabled $True
  • Add-ADComputerServiceAccount -Computer Server01 -ServiceAccount Service01
  • Get-ADServiceAccount -Identity service01

ON THE SERVER IT WILL BE USED

  • Install-ADServiceAccount -Identity 'service01'
17
Q

What is a Virtual Account?

How do you use one for a service?

A

Virtual accounts are another type of Service Account. All Windows services use a Virtual Account by default.

To use a virtual account for a service, simply enter
NT SERVICE\<ServiceName> for the account name, and leave the password blank

18
Q

How do you create a Managed Service Account?

A
  1. New-ADServiceAccount -Name <msa_name> -RestrictToSingleComputer -Enabled:$True
  2. Add-ADComputerServiceAccount -Identity <host_computer_name> -ServiceAccount <msa_name>

ON THE COMPUTER FOR WHICH IT WILL BE USED

  1. Install-ADServiceAccount -Identity <msa_name>
19
Q

How do you get a list of SPNs (Service Principal Names)?

A

setspn -l <HostName>

20
Q

If you see incorrect names for SPNs listed for a server, what should you do?

How would you do this?

A

Reset them

setspn -r <hostname>

21
Q

When might you need to add an SPN?

How would you add an SPN?

A

setspn -s <Service>/<FQDN> <hostname>

*FQDN = Fully Qualified Domain Name (e.g. server1.google.com)

22
Q

How would you remove an SPN?

A

setspn -d <Service>/<FQDN> <hostname>

23
Q

How do you configure Kerberos Delegation?

A
  • Open ADUC (Active Directory Users and Computers)
  • Select the computer object, open the properties
  • Select the delegation Tab
  • Select the level of delegation

End of Answer

  • Note: constraint levels
  • Unconstrained = Trust this computer for delegation to any service (Kerberos only)
  • Constrained = Trust this computer for delegation to specified services only
24
Q
  1. What is Unconstrained delegation?
  2. What is constrained delegation?
A
  1. Unconstrained delegation allows a server to act on behalf of a user for any services.
  2. Constrained delegation restricts a server to act on behalf of a user for only specific services.
25
Q

What are the different ways you can delegate password settings management?

(Not Processes, just resource wise)

A
  • Modify permissions at an OU level
  • Modify permission on a PSO
26
Q
  1. What are the different ways you can configure a lockout policy?
    • (Not processes, just resources)
  2. What options can you set for all of them?
  3. Is this enabled by default?
A

  1. Resources
    • Group Policy - default domain policy
    • PSO - Password Settings Object
  2. Options
    • Number of failed logon attempts
    • Reset failed logon attempts count after (minutes) duration
    • Account will be locked out
      • for a duration of minutes
      • or (if on a PSO this is available)
      • until an administrator manually unlocks the account
  3. No