Information Technology Reference
In-Depth Information
Assuming that the users are currently each in their own security groups based on
their department, you could simply apply the PSO to each of the security groups. But
a cleaner solution might be to create an Enhanced Password Security group with the
users in it. You then have a single place to manage this policy and the users, and it gives
you a good test group for the new TFA policy if that's what you decide to implement.
2.
Objective 5.4: review
Correct answer:
C
1.
Incorrect
. This command enables you to change the local security policy on the
domain controller.
A.
Incorrect
. This command enables you to change the local security policy on the
local computer.
B.
Correct
. This command enables you to change the Default Domain Policy for the
domain.
C.
Incorrect
. Controls account expiration for an individual account; it has nothing to
do with domain lockout policies.
D.
Correct answer:
A
2.
Correct
. This changes the amount of time a client computer can be out of sync
with the domain controller to 10 minutes instead of 5 minutes. That should be
enough time to resolve the issue temporarily, but you have to determine what the
root cause is for computers getting out of sync.
A.
Incorrect
. This makes the problem worse. Setting to 0 doesn't disable the policy.
B.
Incorrect
. This doesn't affect the clock settings.
C.
Incorrect
. This has nothing to do with the Kerberos settings and only sets the
number of failed logon attempt before the account is locked out.
D.
Correct answer:
D
3.
Incorrect
. Creating a Sales OU is a possible first step, but then you would need to
create a specific password expiration policy that was linked to that OU.
A.
Incorrect
. Creating a Sales OU is a possible first step, but then you would need to
create a specific password expiration policy that was linked to that OU.
B.
Incorrect
. Creating a Sales security group is a possible first step, but you can't attach
a fine-grained password policy by using the New-ADFineGrainedPasswordPolicy,
and then Set-ADFineGrainedPasswordPolicy.
C.
Correct
. After you create the Sales security group and assign the Sales users
to the group, you can create a new fine-grained password policy with
New-ADFineGrainedPasswordPolicy and then assign the Sales security group
to that policy with Add-ADFineGraintPasswordPolicySubject.
D.
