2. Assuming that the users are currently each in their own security groups based on their department, you could simply apply the PSO to each of the security groups. But a cleaner solution might be to create an Enhanced Password Security group with the users in it. You then have a single place to manage this policy and the users, and it gives you a good test group for the new TFA policy if that's what you decide to implement.

Objective 5.4: Review

1. Correct answer: C
   A. Incorrect. This command enables you to change the local security policy on the domain controller.
   B. Incorrect. This command enables you to change the local security policy on the local computer.
   C. Correct. This command enables you to change the Default Domain Policy for the domain.
   D. Incorrect. Controls account expiration for an individual account; it has nothing to do with domain lockout policies.

2. Correct answer: A
   A. Correct. This changes the amount of time a client computer can be out of sync with the domain controller to 10 minutes instead of 5 minutes. That should be enough time to resolve the issue temporarily, but you have to determine what the root cause is for computers getting out of sync.
   B. Incorrect. This makes the problem worse. Setting it to 0 doesn't disable the policy.
   C. Incorrect. This doesn't affect the clock settings.
   D. Incorrect. This has nothing to do with the Kerberos settings and only sets the number of failed logon attempts before the account is locked out.

3. Correct answer: D
   A. Incorrect. Creating a Sales OU is a possible first step, but then you would need to create a specific password expiration policy that was linked to that OU.
   B. Incorrect. Creating a Sales OU is a possible first step, but then you would need to create a specific password expiration policy that was linked to that OU.
   C. Incorrect. Creating a Sales security group is a possible first step, but you can't attach a fine-grained password policy by using New-ADFineGrainedPasswordPolicy and then Set-ADFineGrainedPasswordPolicy.
   D. Correct. After you create the Sales security group and assign the Sales users to the group, you can create a new fine-grained password policy with New-ADFineGrainedPasswordPolicy and then assign the Sales security group to that policy with Add-ADFineGrainedPasswordPolicySubject.
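
The sequence in answer 3-D, written out as an added PowerShell example (not from the book) with a check that the policy actually takes effect for each member. The PSO name, the member accounts, and every policy value are constructed placeholders; the script assumes the ActiveDirectory module and rights to create password settings objects.

```powershell
# Added example: names and values are constructed placeholders, not from the book.
Import-Module ActiveDirectory

$groupName  = 'Sales'               # group named in the review question
$policyName = 'Sales-PSO'           # hypothetical PSO name
$members    = 'asmith', 'bjones'    # constructed sample accounts

# 1. PSOs apply to user objects and global security groups, not to OUs,
#    so the group must be a global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# Add only accounts that are not already members (Add-ADGroupMember errors on duplicates).
$current = @(Get-ADGroupMember -Identity $groupName | ForEach-Object SamAccountName)
$toAdd   = @($members | Where-Object { $_ -notin $current })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $toAdd
}

# 2. Create the fine-grained password policy. A lower Precedence value wins
#    when more than one PSO reaches the same user.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00'

# 3. Assign the group to the policy (the step answer 3-D ends with).
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# 4. Verify: list the policy's subjects, then confirm the resultant policy per user.
Get-ADFineGrainedPasswordPolicySubject -Identity $policyName |
    Select-Object Name, ObjectClass

foreach ($m in $members) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $m
    if ($null -eq $effective) {
        # No PSO applies: the user still gets the Default Domain Policy settings.
        Write-Warning "$m has no resultant PSO"
    } elseif ($effective.Name -ne $policyName) {
        # Another PSO with a lower Precedence value is overriding this one.
        Write-Warning "$m is governed by '$($effective.Name)', not '$policyName'"
    } else {
        Write-Output "$m -> $($effective.Name) (MaxPasswordAge $($effective.MaxPasswordAge))"
    }
}
```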