70 411 windows 2012 r2 administering

Page 348

2. Assuming that the users are currently each in their own security groups based on

their department, you could simply apply the PSO to each of the security groups. But a cleaner solution might be to create an Enhanced Password Security group with the users in it. You then have a single place to manage this policy and the users, and it gives you a good test group for the new TFA policy if that’s what you decide to implement.

Objective 5.4: Review 1. Correct answer: C A. Incorrect. This command enables you to change the local security policy on the

domain controller. B. Incorrect. This command enables you to change the local security policy on the

local computer. C. Correct. This command enables you to change the Default Domain Policy for the

domain. D. Incorrect. Controls account expiration for an individual account; it has nothing to

do with domain lockout policies. 2. Correct answer: A A. Correct. This changes the amount of time a client computer can be out of sync

with the domain controller to 10 minutes instead of 5 minutes. That should be enough time to resolve the issue temporarily, but you have to determine what the root cause is for computers getting out of sync. B. Incorrect. This makes the problem worse. Setting to 0 doesn’t disable the policy. C. Incorrect. This doesn’t affect the clock settings. D. Incorrect. This has nothing to do with the Kerberos settings and only sets the

number of failed logon attempt before the account is locked out. 3. Correct answer: D A. Incorrect. Creating a Sales OU is a possible first step, but then you would need to

create a specific password expiration policy that was linked to that OU. B. Incorrect. Creating a Sales OU is a possible first step, but then you would need to

create a specific password expiration policy that was linked to that OU. C. Incorrect. Creating a Sales security group is a possible first step, but you can’t attach

a fine-grained password policy by using the New-ADFineGrainedPasswordPolicy, and then Set-ADFineGrainedPasswordPolicy. D. Correct. After you create the Sales security group and assign the Sales users

to the group, you can create a new fine-grained password policy with New-ADFineGrainedPasswordPolicy and then assign the Sales security group to that policy with Add-ADFineGraintPasswordPolicySubject. Answers

CHAPTER 5

329

From the Library of David M Navara

Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.