Week 4 - Active Directory

Question 1

What does GPO stand for?

Answer 1

Group Policy Objects

Question 2

What do GPO do?

Answer 2

ways to manage the configuration of Windows machines

(Active Directory is the central repository of GPOs)

Question 3

What is the Active Directory tool ADAC stand for?

Answer 3

Active Directory Administrative Center

Question 4

What kind of tool is ADAC?

Answer 4

It’s a tool that we’ll use for lots of the everyday tasks

Question 5

Much like file systems, directory services are ________

Answer 5

hierarchical

Question 6

What’s an OU?

Answer 6

A folder or directory for organizing objects within a centralized management system

an organizational unit is the actual folder that organizes objects

Question 7

Can ordinary containers contain other containers?

Answer 7

No, only OUs can contain other OUs

Question 8

What is a forest and what does it contain?

Answer 8

a forest is a level of hierarchy that is above a domain in tree view, a forest contains one or more domains

Question 9

What’s the very first node in the AD tree? What are 2 things it contains? (3 total)

Answer 9

the domain

contains a short name, like example
, and the DNS name, like example.com

Question 10

In which container are new AD computer accounts created?

Answer 10

In the Computers container under the domain tree

Question 11

When are computer accounts created?

Answer 11

when a computer is joined to the AD domain

Question 12

What are domain controllers?

Answer 12

they are servers that host the copies of the Active Directory database

Question 13

Which container contains the domain controllers that are created by default?

Answer 13

the “Domain Controllers” container under the domain tree

Question 14

What are 5 services that domain controllers provide on the network?

Answer 14

1. host a replica of AD database and GPOs
2. serve as DNS service, provides name resolution and service discovery to clients
3. provides central authentication via Kerberos
4. Decide when computers/users can log into the domain
5. Decide whether the computers/users have access to shared resources (file systems, printers, etc.)

(this is how sys admins can create a system-wide user account that recognizes a new user on every device almost immediately)

Question 15

It’s common for most domain controllers in AD network to be what 3 things?

Answer 15

1. read
2. write
3. replicas

(each have a copy of the database and can make changes to it)

Question 16

What does FSMO stand for?

Answer 16

Flexible single master operations

Question 17

What does FSMO do?

Answer 17

Changes to the AD database that can only be safely made by 1 DC at a time are tasked to a single domain controller that’s granted FSMO (flexible single master operations)

Question 18

For computers to take advantage of the central authentication service of AD, what needs to happen?

Answer 18

they need to be joined/bound to Active Directory

Question 19

What does it mean when you join a computer to AD? (2)

Answer 19

1. AD knows about the computer and provisions a computer account for it
2. The computer knows about the AD domain and authenticates it

Question 20

What does SAM stand for?

Answer 20

Security Account Manager

Question 21

What does SAM do?

Answer 21

A database in Windows that stores usernames and passwords

(also a field in the create a new user window that means username)

Question 22

How many categories of group are there in active directory?

Answer 22

2

Security Group
Distribution Group

Question 23

What’s the most common category of group?

Answer 23

security group

Question 24

What do security groups contain? (3)

Answer 24

user accounts, computer accounts, or other security groups

Question 25

What are 2 examples of security groups?

Answer 25

1. Domain users
2. Domain admins

Question 26

What is a distribution group?

Answer 26

Only designed to group accounts and contacts for email communication

(not used to grant permissions to resources)

Question 27

What is group scope?

Answer 27

identifies the extent to which the group is applied in the domain tree or forest

Question 28

What is domain local used for? [group scope]

Answer 28

used to assign permission to a resource

Question 29

What’s an example of using domain local?

Answer 29

creating a domain local group that has read access to a network share (called Research Share Readers) and another with write access called Research Share Writers

Question 30

What is Global used for? [group scope]

Answer 30

used to group accounts into a role

Question 31

What are the 3 group scopes?

Answer 31

1. Univeral
2. Global
3. Domain Local

Question 32

Does AD store a user’s password?

Answer 32

No it stores a one way cryptographic hash of the password

Question 33

What is a workgroup computer?

Answer 33

a Windows computer that isn’t joined to a domain

Question 34

How do you join a computer to AD via CLI?

Answer 34

Add-Computer -DomainName ‘example.com’ -Server ‘dcl’

Question 35

How do you get the AD version via CLI?

Answer 35

Get-AdForest

then

Get-AdDomain

Question 36

What are functional levels?

Answer 36

The several versions of active directory

Question 37

How do you join a computer to AD via GUI? Windows

Answer 37

This PC > Computer > System Properties > Change Settings > Change > Select Domain > Enter domain name (example.com)

Question 38

What is a forest?

Answer 38

A forest contains one or more domains

Question 39

What is tree view?

Answer 39

Tree view is the individual branches of the forest [domain (example (local), DAC, Authentication containers]

Question 40

Who can access files encrypted by the Encrypting File System (EFS)?

Besides

Answer 40

Besides the user who encrypts a file, only designated recovery agent personnel can decrypt it

Question 41

What makes EFS secure?

prevents

Answer 41

Prevents techniques that circumvent the restrictions of access control lists (ACLs) for sensitive files on computers shared by several users and on portable computers.

Question 42

How do you simply define a directory service?

Answer 42

they are services that are used to store information about objects

Question 43

What are “objects”?

Answer 43

things in your network that you want to be able to reference or manage

Question 44

What does GPO stand for?

Answer 44

Group Policy Objects

Question 45

What are GPOs?

Answer 45

a Group Policy Object is a set of policies and preferences that can be applied to a group of objects in the directory

Question 46

What can a GPO contain? (3)

Answer 46

1. computer configuration
2. user configuration
3. both

Question 47

When is computer and user configuration applied? (2)

Answer 47

Computer configuration = when the computer starts and signs into AD domain
User configuration = when the user logs onto the computer

Question 48

How is the GPO enforced when it’s in effect?

Answer 48

It’s enforced and checked every few minutes

Question 49

What’s the difference between policies and group policy preferences, which are what make up GPOs? (2)

Answer 49

1. Policies - Aren’t changed, settings are reapplied every set amount of minutes (by default every 90 minutes)
2. Preferences - Settings that are meant to be a template for settings

Question 50

How do domain-joined computers get the GPOs?

Answer 50

the domain controller gives the computer a list of group policies that it should apply

Question 51

What does the special folder SYSVOL contain?

Answer 51

It contains the GPO policies that should be applied to the computer (the computer downloads it from this folder)

Question 52

What does the Windows registry contain?

(use to store ___data)

Answer 52

a hierarchical database of settings that Windows and apps use for storing configuration data