You work as the network administrator at certifyme.com. The certifyme.com
network consists of a single Active Directory domain named certifyme.com. All
servers on the certifyme.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are required to perform the following tasks:
1. The desktops of the employees in the Sales department have to be locked down by
removing the Run command and hiding the Internet Explorer icon. You need to
make sure that these settings disappear when users in the Sales department log off.
2. You have to rename the local administrator account of all certifyme.com
computers, except the computers in the Sales department, to TK_Admin.
3. You have to give the MK_Admin global group, which is located in the Marketing
OU, the ability to create user accounts and reset passwords for the Marketing
department.
You need to ensure that you use only the GPOs that are available and that you do
not change the links of any existing GPOs. You also need to ensure that the number
of GPOs that has to be edited is kept to a minimum.
What should you do? To answer, configure the appropriate options to achieve your
objective.
Leading the way in IT testing and certification tools, www.certifyme.com
- 45 -
Answer:
Open Administrative Tools by clicking Start, Programs, and then Administrative Tools;
or Start, Control Panel, and then Administrative Tools. Then click Group Policy
Management to open the Group Policy Management console.
Leading the way in IT testing and certification tools, www.certifyme.com
- 46 -
In the Group Policy Management console expand the Forest: certifyme.com node, the
Domains node, and the certifyme.com node. Then expand the Sales OU.
Leading the way in IT testing and certification tools, www.certifyme.com
- 47 -
Right-click the Sales GPO under the Sales OU and select Edit from the pop-up menu.
Leading the way in IT testing and certification tools, www.certifyme.com
- 48 -
This will open the Group Policy Object Editor for the Sales GPO.
Leading the way in IT testing and certification tools, www.certifyme.com
- 49 -
In the Group Policy Object Editor, expand the User Configuration node, and the
Administrative Templates node. 350-001 Then click on Start Menu and Taskbar.
Leading the way in IT testing and certification tools, www.certifyme.com
- 50 -
Then, in the left-hand pane, scroll down to and select the Remove Run menu from Start
Menu setting.
Leading the way in IT testing and certification tools, www.certifyme.com
- 51 -
Right-click the Remove Run menu from Start Menu setting and select Properties from the
pop-up menu.
Leading the way in IT testing and certification tools, www.certifyme.com
- 52 -
In the Remove Run menu from Start Menu Properties dialog box, select the Enabled
radio button and click OK.
Leading the way in IT testing and certification tools, www.certifyme.com
- 53 -
Next, click on Desktop under the
Leading the way in IT testing and certification tools, www.certifyme.com
- 54 -
Administrative Templates node in the right-hard pane of the Group Policy Object Editor.
Leading the way in IT testing and certification tools, www.certifyme.com
- 55 -
Then, right-click the Hide Internet Explorer icon on Desktop setting in the left-hand pane
of the Group Policy Object Editor and select Properties from the pop-up menu.
Leading the way in IT testing and certification tools, www.certifyme.com
- 56 -
In the Hide Internet Explorer icon on Desktop Properties dialog box, select the Enabled
radio button and click OK.
Leading the way in IT testing and certification tools, www.certifyme.com
- 57 -
Right-click the Sales OU in the Group Policy Management console and select Block
Inheritance from the pop-up menu. This will prevent the local administrator account of
the computers in the Sales department from being renamed.
Leading the way in IT testing and certification tools, www.certifyme.com
- 58 -
Inheritance to the Sales OU is now blocked as is indicated by the blue exclamation mark
over the Sales OU icon. 640-802
Leading the way in IT testing and certification tools, www.certifyme.com
- 59 -
Now right click on the Default Domain Policy GPO under the certifyme.com node and
select Edit from the pop-up menu.
Leading the way in IT testing and certification tools, www.certifyme.com
- 60 -
This will open the Group Policy Object Editor for the Default Domain Policy GPO.
Leading the way in IT testing and certification tools, www.certifyme.com
- 61 -
In the Group Policy Object Editor, expand the Computer Configuration node, the
Windows Settings node, and the Security Settings node. Then click on Security Options.
Leading the way in IT testing and certification tools, www.certifyme.com
- 62 -
Then, in the left-hand pane, right-click on the
Leading the way in IT testing and certification tools, www.certifyme.com
- 63 -
Accounts: Rename administrator account policy and select Properties from the pop-up
menu.
Leading the way in IT testing and certification tools, www.certifyme.com
- 64 -
In the Accounts: Rename administrator account Properties dialog box, select the Define
this policy setting check box and enter TK_Admin in the text box. Then click OK.
Leading the way in IT testing and certification tools, www.certifyme.com
- 65 -
This will rename the local administrator account of all certifyme.com computers except
those in the Sales OU to TK_Admin. We've already blocked inheritance to the Sales OU
so the local administrator account of the computers in the Sales OU will not be renamed.
Now close the Group Policy Object Editor.
Leading the way in IT testing and certification tools, www.certifyme.com
- 66 -
Then close the Group Policy Management console.
Leading the way in IT testing and certification tools, www.certifyme.com
- 67 -
Next, in Administrative Tools, click Active Directory Users and Computers to open the
Active Directory Users and Computers console.
Leading the way in IT testing and certification tools, www.certifyme.com
- 68 -
In the Active Directory Users and Computers console, expand the certifyme.com node.
Leading the way in IT testing and certification tools, www.certifyme.com
- 69 -
The right-click the Marketing OU and select Delegate Control from the pop-up menu top
open the Delegation of Control Wizard.
Leading the way in IT testing and certification tools, www.certifyme.com
- 70 -
On the Welcome to the Delegation of Control Wizard page, click Next.
Leading the way in IT testing and certification tools, www.certifyme.com
- 71 -
On the Users or Groups page, click Add.
Leading the way in IT testing and certification tools, www.certifyme.com
- 72 -
On the Select Users, Computers, or Groups dialog box, click Advanced.
Leading the way in IT testing and certification tools, www.certifyme.com
- 73 -
Then click Find Now.
Leading the way in IT testing and certification tools, www.certifyme.com
- 74 -
Leading the way in IT testing and certification tools, www.certifyme.com
- 75 -
Next, scroll down to and select the MK_Admin group and click OK.
Leading the way in IT testing and certification tools, www.certifyme.com
- 76 -
Leading the way in IT testing and certification tools, www.certifyme.com
- 77 -
Click OK to close the Select Users, Computers, or Groups dialog box.
Leading the way in IT testing and certification tools, www.certifyme.com
- 78 -
Back on the Users or Groups page of the Delegation of Control Wizard, click Next.
Leading the way in IT testing and certification tools, www.certifyme.com
- 79 -
On the Tasks to Delegate page, select the Create, delete, and manage user accounts and
the Reset user password and force password change at next logon check boxes. Then
click Next.
Leading the way in IT testing and certification tools, www.certifyme.com
- 80 -
Finally, click Finish on the Completing the Delegation of Control Wizard page.
Leading the way in IT testing and certification tools, www.certifyme.com
- 81 -
Explanation: GPOs are stored in Active Directory, which is hosted on domain
controllers. VCP-310 Computer-specific policies in GPOs are applied when they start up, and
user-specific policies are applied to users when they log on. In this scenario, the
settings should go away when the user logs off. These settings should, therefore,
apply only to the users and not the computers.
This scenario requires you to minimize the number of GPOs that has to be edited. You
should, therefore, configure the new name for the local administrator account for all
computers in a GPO at the domain level. This GPO is the default domain policy. To
prevent this setting from applying to the computers in the Sales department, you should
enable Block Policy Inheritance for the Sales OU. If you enable the Block Policy
Inheritance option for the Sales OU, the GPOs that are linked to the site or domain would
not apply to the Sales OU.
Reference:
G: Configure system services (1 Question)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment