
OFFICIAL MICROSOFT LEARNING PRODUCT

2273B
Managing and Maintaining a Microsoft
Windows Server 2003 Environment
Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 2273B


Released: 09/2005

Module 0
Introduction
Contents:
Multimedia

Multimedia
Media Type    Title
Animation     Job Roles in Today's Information Systems Environment



Module 1
Introduction to Administering Accounts and Resources
Contents:
Question and Answer
Multimedia
Lab Answer Keys

Question and Answers


Lesson: The Windows Server 2003 Environment
Question: As the systems administrator for your organization, you have been asked to determine the
products in the Microsoft Windows Server 2003 family that can be used for a server that will have
the domain controller role. From the following selection, which products in the Windows Server 2003
Server family would you choose? Choose all that apply.
a. Windows Server 2003, Standard Edition
b. Windows Server 2003, Enterprise Edition
c. Windows Server 2003, Web Edition
d. Windows Server 2003, Datacenter Edition

Answer: Answers a, b, and d are correct.

Only Windows Server 2003, Web Edition, does not support the installation of Active
Directory directory service.

Lesson: Logging On to Windows Server 2003


Question: A user informs you that he can log on to his computer but cannot access network
resources such as shared folders. You determine that the user has all the appropriate group
memberships and permissions, but the user still cannot access shared resources. What may be the
cause of this problem?
a. User has entered the wrong password.
b. User has logged on to the domain instead of the local computer.
c. User has logged on to the local computer instead of the domain.
d. User has attempted to access a shared folder without appropriate permissions.

Answer: Answer c is correct.

The user has logged on to his local computer rather than to the domain. This enables him to
log on and use his computer locally but not to access network or shared resources that are
accessible to his domain account.

Lesson: Using the Runas Feature for Administration


Question: As the network administrator, you need to install a local color printer on a Microsoft
Windows XP Professional client for a user in the marketing department. Can you use the Runas
feature to perform this task?

Answer: No, you must log the user off and log on as an administrator. Printers cannot be
installed using the Runas feature.

Lesson: Installing and Configuring Administrative Tools


Question: As the systems administrator for a distributed marketing company, you are responsible for
managing the file servers in your group. You have determined that you need to install the Windows
Server 2003 Administration Tools Pack on your workstation. What do you need to determine before
you install the administrative tools?
a. That the operating system is Windows XP and that you have local administrator rights.
b. That the operating system is Microsoft Windows 2000 Professional and that you have local user
rights.
c. That the operating system is Windows XP and that you have domain user rights.
d. That the operating system is Windows 2000 Professional and that you have domain
administrator rights.

Answer: Answer a is correct.

Windows administrative tools can only be installed on Windows XP Professional or Windows
Server 2003, and installation requires local administrator rights.

Lesson: Creating Organizational Units


Question: What factors will you consider when you design an organizational unit structure? Choose
all that apply.
a. Network topology
b. Delegation of administration
c. Application of Group Policy
d. Active Directory replication

Answer: Answers b and c are correct.

Organizational unit structure deals with logical administration and is generally independent of
network topology and Active Directory replication.

Multimedia
Media Type    Title
Animation     Introduction to Managing a Microsoft Windows Server 2003 Environment
Animation     Logon and Authentication
Animation     The Organizational Unit Structure



Lab Answer Keys


Lab: Creating Organizational Units Answer Key
Objectives: After completing this lab, you will be able to:
Create organizational units

Note: This lab focuses on the concepts in this module and as a result
might not comply with Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1

Exercise 1: Creating Organizational Units from the Workstation


In this exercise, you will log on with a nonadministrative account and create a
custom MMC. You will create a desktop shortcut that points to the MMC and
uses the Run as feature to perform administrative tasks.
Task 1 Log on as Judy Lew
On DEN-CL1, log on to the CONTOSO domain as Judy with the password
of Pa$$w0rd.

Task 2 Create a custom MMC with a desktop shortcut that uses the
Run as feature to launch Active Directory Users and Computers
1. Click Start, click Run. In the Run dialog box, type MMC. Click OK.
2. In the Console1 window, click the File menu, and then click Add/Remove
Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, select Active Directory
Users and Computers, and then click Add.
5. Click Close.
6. Click OK.
7. On the File menu, click Save As, and then save the console as
AD_Admin.msc in the My Documents folder.
8. Close the AD_Admin console.
9. Click Start and then click My Documents.
10. Right-click AD_Admin and then point to Send To. Click Desktop (create
shortcut).
11. Close the My Documents window.
12. Right-click AD_Admin, and then click Properties.
13. On the Shortcut tab, click Advanced.
14. Click Run with different credentials.
15. Click OK twice.

Task 3 Create a Marketing organizational unit and two nested
organizational units for the eastern and western regions
1. Double-click Shortcut to AD_Admin.
2. In the Run As dialog box, select The following user and type
Contoso\administrator and a password of Pa$$w0rd. Click OK.
3. Right-click Contoso.msft, point to New, and then click Organizational
Unit.
4. In the New Object-Organizational Unit dialog box, in the Name field,
type Marketing and then click OK.
5. Right-click the Marketing OU, point to New, and then click
Organizational Unit.
6. In the New Object-Organizational Unit dialog box, in the Name field,
type Western Region and then click OK.
7. Repeat steps 5 and 6 to create the organizational unit for the Eastern
Region.
8. Close all windows and log off DEN-CL1.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-CL1 virtual
computers.

Module 2
Managing User and Computer Accounts
Contents:
Question and Answer
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Creating User Accounts
Question: You are responsible for managing accounts and access to resources for members of your
group. A user in your group leaves the company, and you expect a replacement for that employee in a
few days. What should you do with the previous user's account?
a. Delete the old user account, and create an account for the new user.
b. Change the password for the account, and give the new password to the new user.
c. Disable the old user account, rename the user account by using the replacement's name, and
configure the account to require a new password the next time the user logs on. Then, enable the
account when the replacement arrives.
d. Lock the old user account, rename the user account by using the replacement's name, and
configure the account to require a new password the next time the user logs on. Then, enable the
account when the replacement arrives.
Answer: Answer a is the best solution.
For security purposes, you should always create a new account for each new user.

Lesson: Creating Computer Accounts


Question: A user in your group must create a test lab with 24 computers that will be joined to the
domain. What is the best way to do this and maintain the computer accounts separately in Active
Directory directory service?
a. Let the user create the computer accounts in Active Directory during the installation process.
b. Let the user create the computer accounts in Active Directory before the installation process.
c. Give the user the logon name and password of an administrator and have the user use that account
to create the computer accounts in Active Directory.
d. Have the systems administrator create the computer accounts in Active Directory before the
installation process.
Answer: Answer d is correct.
Although the administrator can use a scripting solution for this, if this is done during installation,
the computer accounts are created in the Computers container by default.

Lesson: Modifying User and Domain Computer Account Properties


Question: You are responsible for maintaining the servers in your organization. You want to enable other
administrators in the organization to determine the physical location of each server without adding any
additional administrative tasks or creating any additional documents. How can you do this?

a. Modify the Managed by property for the computer account of each server to display you as the
manager.
b. Modify the Location property for the computer account of each server to display the server's
location.
c. Modify the Managed by property for the computer account of each server to display the server's
address information.
d. Modify the Location property for the computer account of each server to display the server's asset
information.
Answer: Answer b is correct.

The Location property identifies the server's physical location.

Lesson: Creating a User Account Template


Question: To accelerate the process of creating new accounts when new employees enter your group,
you create a series of account templates that you use to create new user accounts and groups. You are
notified that a user with an account that was created by using one of the non-manager account templates
has been accessing files that are restricted to the Managers group. What should you do?
a. Ensure that you set a strong password on each account created from your template.
b. Ensure that you gave the correct group membership to each account created from your template.
c. Ensure that you disabled all accounts created from your template.
d. Ensure that each manager account created from your template has a unique logon name.

Answer: Answer b is correct.


Answer a is incorrect, because the account used as a template should be disabled. As a result, no
one can log on as the template account.
Answer c is incorrect, because that would disable all your users' logon accounts.
Answer d is incorrect, because Active Directory already ensures that each account has a unique
logon name.

Lesson: Managing User and Computer Accounts


Question: You are responsible for managing computer accounts for your group. Which of the following
computer accounts do you need to reset?
a. An account that can no longer authenticate with the domain
b. An account that you will use as a computer account template
c. An account for a computer that an employee on temporary leave uses
d. An account for which the user has forgotten the password
Answer: Answer a is correct.
Answer b is incorrect, because computer accounts are not created from a template.
Answer c is incorrect, because the computer account does not need to be reset as long as it can
authenticate with the domain.
Answer d is incorrect, because the user does not need to know the computer account's password.
The computer account password is only used for the computer to authenticate itself with Active
Directory.

Lesson: Using Queries to Locate User and Computer Accounts in Active Directory
Question: You have determined the best ways to search for Active Directory objects and documented
your recommended search criteria. However, the administrators tell you that it is taking too long to create
and then run the search. After further research, you determine that most of the systems administrators are
searching for the same information. What can you do to accelerate the search process?
a. Specify multiple criteria in a custom search
b. Standardize search procedures
c. Create saved queries for common searches performed by the systems administrators
d. Create saved queries for every search that you or the systems administrators perform
Answer: Answer c is correct.

Multimedia
Media Type    Title
Animation     Types of User Accounts
Animation     Introduction to Locating User and Computer Accounts in Active Directory



Lab Answer Keys


Lab: Managing User and Computer Accounts Answer Key
Objectives: After completing this lab, you will be able to:
Create user accounts.
Create computer accounts.
Use queries to locate objects.
Modify user and computer properties.

Note: This lab focuses on the concepts in this module and as a result
might not comply with Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1

Exercise 1: Creating User Accounts


In this exercise, you will use a custom MMC to create two new user
accounts based on the sales template.

Task 1 Create a custom MMC


1. Log on to DEN-SRV1 as Judy@contoso.msft, with a password of
Pa$$w0rd.
2. Click Start, click Run, and then type MMC in the Open box. Click OK.
3. Click the File menu, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, select Active Directory
Users and Computers, and then click Add.
6. Click Close.
7. Click OK.
8. Do not close Active Directory Users and Computers.

Task 2 Create user accounts in the sales organizational unit


1. In Active Directory Users and Computers, click the Sales OU.
2. Right-click the Sales Template user, and then click Copy.
3. In the Copy Object-User dialog box, enter the following:
First Name: Sunil
Last Name: Koduri
User Logon Name: Sunil
4. Click Next.
5. In the Password and Confirm Password fields, type Pa$$w0rd.
6. Click Next.
7. Click Finish.
8. Repeat steps 2 through 7 to create another account with the following
information:
First Name: Jon
Last Name: Morris
User Logon Name: Jon
Password: Pa$$w0rd
9. Select both accounts, right-click, and then select Enable Account.
10. Do not close Active Directory Users and Computers.

Task 3 Verify that the template properties were transferred successfully
1. Open the Properties dialog box for one of the accounts that you just
created, and verify that the group membership, logon hours, and
profile mappings are correct. Review the settings on the General tab
and the Organization tab.
2. What values did not transfer from the template?
Answer: The Description attribute and the Office attribute.

Exercise 2: Creating Computer Accounts


In this exercise, you will create two new computer accounts.

Task 1 Create two computer accounts for the new administrators


1. In Active Directory Users and Computers, click the IT Admin OU.
2. Right-click IT Admin, point to New, and then click Computer.
3. In the New Object-Computer dialog box, type Admin2 in the Name field.
4. Click the Change button.
5. In the Select User or Group dialog box, type Kerim in the Enter the
object name to select field, and click Check Names.
6. Click OK.
7. Click Next twice.
8. Click Finish.
9. Repeat steps 2 through 8 to create a computer account named
Admin3.
10. Give Luis Bonifaz permissions to join the account to the domain.
11. Do not close Active Directory Users and Computers.

Exercise 3: Using Queries to Locate Objects


In this exercise, you will create a query to find users and import a query to
find computer accounts.

Task 1 Create a saved query to find sales users


1. In Active Directory Users and Computers, right-click the Saved
Queries folder, point to New, and then click Query.
2. In the New Query dialog box, type Find_Sales_Users in the Name field.
3. Click Define Query.
4. In the Find box, click the drop-down arrow, and select Users, Contacts
and Groups.
5. In the Find Users, Contacts and Groups dialog box, click the Advanced
tab.
6. In the Field list, select User - Department.
7. Ensure that Starts with is the condition, and type Sales in the Value
field.
8. Click Add.
9. Click OK twice.
10. The query should display all the users in the Sales department.

Task 2 Import a query to locate the computer accounts in the Sales department
1. Right-click the Saved Queries folder and click Import Query
Definition.
2. Navigate to \\den-dc1\admin_tools.
3. Select Find_Sales_Computers.xml, and then click Open.
4. Click OK.
5. The query should display the three sales computers.

Exercise 4: Modifying User and Computer Properties


In this exercise, you will modify the properties of multiple user and
computer accounts.

Task 1 Use a saved query to locate all the Sales department users
and update their Office attribute
1. In Active Directory Users and Computers, expand the Saved Queries
folder, and then click the Find_Sales_Users query.
2. Select the first account in the list. Hold down the SHIFT key and click the
last account in the list to select the entire list.
3. Right-click the selected accounts, and then click Properties.
4. In the Properties On Multiple Objects dialog box, select the Office
check box, and then type Main Street in the Office field.

Task 2 Use the imported query to locate all the Sales computer
accounts and modify their Description attribute
1. In Active Directory Users and Computers, expand the Saved Queries
folder, and then click the Find_Sales_Computers query.
2. In the Details pane, select all computer accounts by clicking the first
account in the list and then holding down the SHIFT key and clicking the
last account in the list to select the entire list.
3. On the General tab in the Properties On Multiple Objects dialog box,
change the Description setting to Sales Department.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-SRV1
virtual computers.

Module 3
Managing Groups
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Creating Groups
Question: You are the systems administrator for the staff administrative department of a hospital.
You are in the domain called admin.hospital.msft, which is running in native mode. There are multiple
shared folders throughout your Microsoft Windows Server 2003 domain, and you must ensure
that everyone has permissions to the shared folders. Doctors, nurses, and clerks require permissions.
The accounts for the clerks are in your domain, but the doctors and nurses are in the
staff.nwtraders.msft domain.

You have arranged to work with the administrator from the staff.hospital.msft domain to ensure that
the group strategy is correct. Which strategy should you choose?
a. Create a global group in the staff domain called Staff. Create a global group in the admin
domain called Clerks. Create a universal group and add the Staff and Clerks as members. Grant
permissions to the universal group.
b. Create a global group in the staff domain called Staff. Create a global group in the admin
domain called Clerks. Create a domain local group in the staff domain and add the Staff and
Clerks as members. Grant permissions to the domain local group.
c. Create a domain local group in the admin domain called admin. Add the clerk accounts to the
domain local group. Add the doctors and nurses accounts to the domain local group. Grant
permissions to the domain local group.
d. Create a universal group called admin. Add the clerk accounts to the universal group. Add the
doctors and nurses accounts to the universal group. Grant permissions to the universal group.

Answer: Answer b is correct.

Creating a global group in each domain allows for more flexibility. By creating a domain local
group and granting permissions, you can easily add another global group to it at any time.

Lesson: Managing Group Membership


Question: You are responsible for managing groups in your organization. To efficiently use groups
for your management tasks, determine which of the following objects cannot be placed in a domain
local security group.

a. Contact
b. User
c. Computer
d. Global group
e. Domain local group

Answer: Answer a is correct.

A contact is not a security object.



Determine a user's group membership


1. Log on to DEN-DC1 using the Administrator account with the password of Pa$$w0rd.
2. Open Active Directory Users and Computers.
3. Click the Sales organizational unit.
4. Open the Properties dialog box for Don Hall. Click the Member Of tab. What groups is Don Hall
a member of?
Answer: Domain Users, G Sales, G Sales Managers
5. In the Sales organizational unit, open the Properties dialog box for the G Sales group.
a. Click the Members tab. Who is in the G Sales group?
Answer: Jeff Hay, Don Hall, Kim Yoshida
b. Click the Member Of tab. What groups does G Sales belong to?
Answer: DL Sales Read

Lesson: Strategies for Using Groups


Question: You are responsible for creating groups for your department's users. You are given a plan
that outlines the end result of the group hierarchy that must be created. Before you start creating
these groups, you must determine the effects of adding groups to other groups. Which of the
following options are effects of adding groups to other groups? Choose all that apply.
a. Adding groups to other groups can increase the number of times that you must assign
permissions, but improves overall network security.
b. Adding groups to other groups can reduce the number of times that you must assign
permissions.
c. Adding groups to other groups reduces the number of client licenses that you must purchase.
d. Adding groups to other groups can simplify changes in permissions.

Answer: Answers b and d are correct.

Lesson: Modifying Groups


Question: As systems administrator for your group, part of your responsibilities is to fulfill requests to
change group scope. Currently, you have a request to change a group's scope from global to
universal. You must determine what effects this change will have before making the requested
change. What will the effects be?
a. This change enables global groups from the same domain to become a member of this group.
b. This change enables global groups from other domains to become a member of this group.
c. This change enables domain local groups from other domains to become a member of this
group.
d. This change enables the universal group to become a member of domain local groups.

Answer: Answer b is correct.



Global groups cannot be members of global groups outside their own domain but can be
members of a universal group.

Lesson: Using Default Groups


Question: You are the administrator for your domain, which is in native mode. You have created a
global group called helpdesk, which contains all the help desk accounts. You want the help desk
personnel to be able to perform any operation on local desktop computers, including take ownership
of files. Which is the best built-in group to use?
a. Administrators
b. HelpServicesGroup
c. Print Operators
d. Power Users

Answer: Answer a is correct.

Answer a is correct, because the help desk personnel must be able to perform any operation
on the desktop computers.

Answer b is incorrect, because the HelpServicesGroup is used for Help applications such as
remote assistance and is maintained by the Help and Support service.

Answers c and d are incorrect, because Print Operators and Power Users do not have the
permissions or user rights to accomplish the stated goal.

Lesson: Best Practices for Managing Groups


Question: You are the administrator for your domain. You must work with the Active Directory
directory service designer to determine a group strategy. One of the choices you must make is
whether to use built-in groups or create your new groups. What guidelines should you use to make
this decision? Choose all that apply.
a. Create groups based on administrative needs.
b. Add user accounts to the group that is most restrictive.
c. Use the built-in group whenever possible instead of creating a new group.
d. Use universal groups in a large enterprise.

Answer: Answers a, b, and c are correct.

Answers a, b, and c are best practices that apply to the choice between built-in or custom
groups.

Answer d is incorrect. Universal groups may be helpful for administration of large enterprise
networks. However, because there are also disadvantages to using universal groups, it is not a
best practice to create universal groups based on the organization's size. You should create
universal groups based on the function that the group will support.

Practice: Nesting Groups and Creating Universal Groups


Examine the Members and Member Of properties
1. Open the Properties dialog box for the G Graphics Managers global group, and then click the
Members tab. Who are the members?
Answer: The Graphics Manager user account.
2. Click the Member Of tab. What groups is G Graphics Managers a member of?
Answer: G Graphics Managers is a member of the G Contoso Managers global group and
the DL Graphics Managers group.

3. Open the Properties dialog box for the G Contoso Managers global group. Click the Members
tab. What groups are members?
Answer: The G Sales Managers and the G Graphics Managers.
4. Now click the Member Of tab. What groups is G Contoso Managers a member of?
Answer: G Contoso Managers is a member of the U Enterprise Managers universal group.
5. Close all windows and log off of DEN-DC1.

Important Do not shut down the virtual machines.



Multimedia
Media Type    Title
Animation     Strategy for Using Groups in a Single Domain



Lab Answer Keys


Lab: Creating and Managing Groups Answer Key
Objectives: After completing this lab, you will be able to:
Create global and domain local groups.
Manage group membership.
Manage default groups.

Note: This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1

Exercise 1: Creating Global and Domain Local Groups


In this exercise, you will create an organizational unit and create two users
in that organizational unit. You will also create domain local and global
groups.

Task 1 Create an organizational unit for the Marketing department
1. Log on to DEN-DC1 as Administrator@contoso, with a password of
Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
3. Right-click the Contoso domain node, point to New, and then click
Organizational Unit.
4. In the New Object-Organizational Unit dialog box, type
Marketing.
5. Click OK.

Task 2 Create two user accounts in the Marketing organizational unit
1. Right-click the Marketing organizational unit, point to New, and then
click User.
2. In the New Object-User dialog box, create the following user
account:
First name: Marketing
Last name: Manager
Logon name: Mktmgr
Password: Pa$$w0rd
3. Create a second user as follows:
First name: Marketing
Last name: User
Logon name: Mktuser
Password: Pa$$w0rd

Task 3 Create two global groups, one for Marketing Managers
and one for Marketing Users
1. Right-click the Marketing organizational unit, point to New, and then
click Group.

2. In the New Object-Group dialog box, type G Marketing Managers
in the Name field.
3. Click OK to create the global group.
4. Repeat steps 1 through 3 to create the G Marketing Users global
group.

Task 4 Create domain local groups that will be used to assign
permissions to resources for the Marketing team
1. Create a new group called DL Marketing Full Control.
2. Change the group scope to Domain Local.
3. Create a fourth group, named DL Marketing Read-only.
4. Change the group scope to Domain Local.

Exercise 2: Managing Group Membership


In this exercise, you will configure group membership.

Task 1 Add users to their global groups


1. In the Marketing organizational unit, open the Properties dialog box
for the Marketing Manager user account.
2. On the Member Of tab, click Add.
3. In the Select Groups dialog box, type G Marketing Users.
4. Click OK twice.
5. Repeat steps 1 through 4 to add the Marketing User account to the
G Marketing Users global group.
6. Open the Properties dialog box for the G Marketing Managers
global group.
7. Click the Members tab.
8. Click Add.
9. Add the Marketing Manager user account. Click OK. Do not close the
Properties dialog box.

Task 2 Nest the Marketing Managers global group into the G Contoso Managers global group
1. Click the Member Of tab.
2. Click Add.
3. Add the G Contoso Managers global group.
4. Click OK twice.

Task 3 Add the global groups to the domain local groups


1. Open the Properties dialog box for the DL Marketing Full Control
domain local group.
2. Click the Members tab.

3. Click Add.
4. Add the G Marketing Managers group account.
5. Click OK twice.
6. Open the Properties dialog box for the DL Marketing Read-only
domain local group.
7. Click the Members tab.

8. Click Add.
9. Add the G Marketing Users group account.
10. Click OK twice.

Exercise 3: Managing Default Groups


In this exercise, you will add users to the proper groups to allow them to
perform their administrative tasks.

Task 1 Add Judy Lew to the appropriate default built-in group


1. In Active Directory Users and Computers, click the IT Admin
organizational unit.
2. Open the Properties dialog box for Judy Lew.
3. Click the Member Of tab.
4. Click Add, and then add the Print Operators group.
5. Click OK.
6. Click Add, and then add the Backup Operators group.
7. Click OK twice.

Task 2 Add Don Hall to the appropriate default built-in group


1. Log on to DEN-SRV1 as Administrator@contoso.msft, with a
password of Pa$$w0rd.

2. Click Start, point to Administrative Tools, click Computer Management, and
then expand Local Users and Groups.
3. Click the Groups container, and then open the Properties dialog box
for the Backup Operators group.
4. Click Add, and then add Don Hall to the group.
5. Click OK twice.
6. Open the Properties dialog box for the Network Configuration
Operators group.
7. Click Add, and then add Don Hall to the group.
8. Click OK twice.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.

2. To prepare for the next module, start the DEN-DC1 virtual computer.

Module 4
Managing Access to Resources
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Overview of Managing Access to Resources
Question: Which of the following statements are true? Choose all that apply.

a. You can grant the Allow permission to a resource implicitly.
b. You can grant the Deny permission to the same resource both implicitly and explicitly.
c. You can only grant the Allow permission to a resource implicitly if you also grant the Deny
permission to the same resource implicitly.
d. You can grant the Deny permission to a resource implicitly if you also grant the Allow
permission to the same resource explicitly.
e. You cannot grant the Deny permission to a resource implicitly if you also grant the Allow
permission to the same resource explicitly.

Answer: Answers b and e are correct.

Lesson: Managing Access to Shared Folders


Question: You are responsible for managing access to server resources for your department. You set
up and configure a test server in your group's lab. You use this server to test the configuration of the
shared folders that you are going to configure on the production servers. You configure a shared
folder and grant Read permission to the Users domain local group and Full Control permission to the
Administrators domain local group.

When you interactively log on to this server as a member of the Users group, you still can create and
delete files in this shared folder. Why can you do more than should be allowed with only the Read
permission?
a. The account you used is also a member of the Administrators group.
b. The account you used has been delegated authority to access shared folders.
c. The server is not a member of the Active Directory directory service domain.
d. Shared folder permissions are not applied to interactive logons.

Answer: Answer d is correct.

Shared permissions do not apply to interactive logons.

Lesson: Managing Access to Files and Folders Using NTFS Permissions


Review the scenario in the following illustration.

Question: What steps must you take to ensure that the Sales group has only Read permission for
File2? Choose all that apply.
a. Remove Modify permission from the Users group for Folder1.
b. Disable permissions inheritance for Folder2 or File2.
c. Remove permissions for Folder2 or File2 that Folder2 has inherited from Folder1.
d. Grant only the Read permission to the Sales group for Folder2 or File2.

Answer: Answers b, c, and d are correct.

Test the effects of copying and moving files or folders


1. Log on to DEN-SRV1 as Administrator with the password of Pa$$w0rd.
2. Open Windows Explorer and then click the C:\Legal folder.
3. Open the Properties dialog box for the C:\Legal\Briefs folder.
4. Click the Security tab. Note the current NTFS permissions. Click Cancel.
5. Connect to the administrative share \\DEN-DC1\c$.
6. Cut and paste the Briefs folder C:\Legal\Briefs to \\den-dc1\c$.
7. Open the Properties dialog box for the C:\Briefs folder on DEN-DC1, and examine the NTFS
permissions.
How are they different from the original location?
Answer: The folder is now inheriting a new set of NTFS permissions from its new parent,
and the custom permissions from the original location are gone.
8. Close the administrative share window.
9. On DEN-SRV1, move the Documents folder C:\Legal\Documents to C:\, and then examine the
NTFS permissions.
Have they changed from the original location?
Answer: The permissions have been preserved from the original location.
10. Close all open windows and log off of DEN-SRV1.

Important Do not shut down the virtual machines.

Lesson: Determining Effective Permissions


Question: A user connects to a shared folder across the network. The user has been granted Change
shared folder permission and Read NTFS permission. Which of the following actions can the user
perform on a file stored in the folder? Choose all that apply.
a. Read the file
b. View the file attributes
c. Change the file attributes
d. Modify the file
e. Delete the file

Answer: Answers a and b are correct.

Answer a is correct, because Change permission allows a user to read a file.

Answer b is correct, because Change permission allows a user to view the file attributes.

Answer c is incorrect, because Change permission does not allow a user to change the file
attributes.

Answer d is incorrect, because Change permission does not allow a user to delete a file.

Examining NTFS Permissions


Examine the NTFS default permissions on the system folders
11. Log on to DEN-DC1 as Administrator with a password of Pa$$w0rd.
12. Open My Computer (or Windows Explorer).
13. Expand the C:\ drive.
14. Right-click Windows, and then click Sharing and Security.
15. Click the Security tab.
What are the default permissions of Authenticated Users?
Answer: Read & Execute and List Folder Contents.
What are the default permissions of Server Operators?
Answer: Modify permission.
What are the default permissions of Creator Owner?
Answer: Creator Owner has a special permission of Full Control on Subfolders and Files
only. This can be seen on the Advanced tab.
16. Click Cancel.

Examine the NTFS default permissions on a newly created folder


1. Create a new folder named Test at the root of the C:\ drive.
2. Right-click the Test folder and then click Sharing and Security.
3. Click the Security tab.
How are these permissions different from those in the Windows folder?
Answer: Authenticated Users and Server Operators are not in the list. The domain local
group Users (Contoso\Users) has inherited Read & Execute permission and the special
permission of Create Files/Write Data and Create Folders/Append Data applied onto This
Folder and Subfolders.
4. Close all open windows and log off of DEN-DC1.

Practice: Determining Effective NTFS and Shared Folder Permissions


Determine the effective NTFS permissions
1. Open the Properties dialog box for the Legal folder, and then click the Security tab.
2. Click Advanced.
3. Click the Effective Permissions tab.

4. Click Select to locate the user or group that you want to test.
5. Type LegalManager, and then click OK.
What NTFS permissions does the LegalManager account have?
Answer: Read, Write, Create, and Delete.
6. Test the LegalUser account.
What NTFS permissions does the LegalUser account have?
Answer: Read, Write, and Create, but not Delete.
7. Test the Authenticated Users group.
What NTFS permissions does the Authenticated Users group have?
Answer: None.
8. Close all open windows and log off.

Determine the effective combined permissions


1. Log on to DEN-CL1 as Legalmanager, with a password of Pa$$w0rd.
2. Click Start, click Run, and then type \\DEN-SRV1\Legal. Attempt to create a new text document
in the Legal shared folder.
Did it succeed? Why or why not?
Answer: The attempt to create a document in the shared folder should fail. The combined
effective permission is Read permission. The share permission is Read, and it is the most
restrictive.
3. Log off.
4. Log on as Judy with the password of Pa$$w0rd.
5. Click Start, click Run, and then type \\DEN-SRV1\Legal. Attempt to create a new document in the
Legal folder.
What are the results?
Answer: Judy Lew should have access denied. Although the share permission allows Read
access to Authenticated Users, only the administrator and members of the Legal
department have NTFS permission to the folder. Everyone else is implicitly denied access
because they have no NTFS permission.
6. Close all windows, and then log off.

Important Do not shut down the virtual machines.
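
The rule behind the two answers above, as an added example that is not part of the courseware: over the network a user gets only the rights that both the shared-folder permissions and the NTFS permissions allow, an interactive logon is checked against NTFS alone, and an account with no matching entry is implicitly denied. The ACL contents, token memberships and function names are constructed to reproduce the practice answers, and Deny entries are not modelled.

```python
"""Model of how shared-folder and NTFS permissions combine (added example)."""

# Simplified rights. Real ACEs carry finer-grained access masks and Deny
# entries; both are left out of this model.
READ, WRITE, CREATE, DELETE = "read", "write", "create", "delete"

# Rights ceiling that each shared-folder permission level imposes.
SHARE_LEVELS = {
    "Read": frozenset({READ}),
    "Change": frozenset({READ, WRITE, CREATE, DELETE}),
    "Full Control": frozenset({READ, WRITE, CREATE, DELETE}),
}


def granted(acl, token):
    """Union of the rights allowed to any principal present in the token.

    No matching entry yields the empty set: the implicit deny.
    """
    rights = set()
    for principal, allowed in acl:
        if principal in token:
            rights |= allowed
    return rights


def effective(share_acl, ntfs_acl, token, over_network):
    """Return the rights a logon token ends up with on a shared folder."""
    ntfs = granted(ntfs_acl, token)
    if not over_network:
        # Interactive logon: shared-folder permissions are never evaluated.
        return ntfs
    # Network access must pass both checks, so the more restrictive wins.
    return ntfs & granted(share_acl, token)


# Constructed ACLs that reproduce the answers in the practice above.
LEGAL_SHARE = [("Authenticated Users", SHARE_LEVELS["Read"])]
LEGAL_NTFS = [
    ("Administrators", frozenset({READ, WRITE, CREATE, DELETE})),
    ("LegalManager", frozenset({READ, WRITE, CREATE, DELETE})),
    ("LegalUser", frozenset({READ, WRITE, CREATE})),
]

# Logon tokens: the account plus the groups it belongs to (constructed).
LEGALMANAGER = {"LegalManager", "Authenticated Users"}
JUDY = {"Judy", "Authenticated Users"}


def report():
    """Effective rights for each test account, over the network and locally."""
    rows = []
    for name, token in (("LegalManager", LEGALMANAGER), ("Judy", JUDY)):
        for over_network in (True, False):
            rights = effective(LEGAL_SHARE, LEGAL_NTFS, token, over_network)
            path = r"\\DEN-SRV1\Legal" if over_network else "local logon"
            rows.append((name, path, sorted(rights)))
    return rows


if __name__ == "__main__":
    for name, path, rights in report():
        print(f"{name:13} {path:18} {rights or 'access denied'}")
```
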



Multimedia
Media Type    Title
Animation     Access Control in Microsoft Windows Server 2003
Animation     Permission States

Lab Answer Keys


Lab: Managing Access to Resources Answer Key
Objectives After completing this lab, you will be able to:
Create and share folders.
Configure NTFS security.
Publish shared folders.
Test permissions.
Configure automatic caching.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.
Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1
DEN-CL1

Exercise 1: Creating and Sharing Folders


In this exercise, you will create and share two folders on DEN-SRV1.

Task 1 Create and share two folders


1. Log on to DEN-SRV1 as Administrator@contoso.msft, with a
password of Pa$$w0rd.
2. Open Windows Explorer, and then select C:\.
3. On the File menu, click New, and then click Folder.
4. Name the folder Research.

5. Repeat the steps to create a second folder, named Price List.

Task 2 Share the folders and set permissions


1. Right-click the Research folder, and then click Sharing and Security.
2. On the Sharing tab, share the folder with the share name Research.
3. Click Permissions, select Everyone, and then click Remove.
4. Click Add, and then select Authenticated Users in the Select Users,
Computers, or Groups dialog box.
5. Leave Authenticated Users with the default permission of Read.
6. Click Add, and then select Administrator and grant Full Control.
7. Click Add, and then select the DL Research Change group and grant
Change permission.
8. Click OK twice.
9. Right-click the Price List folder, and then click Sharing and Security.
10. On the Sharing tab, share the folder with the share name Price List.
11. Click Permissions, select Everyone, and then click Remove.
12. Click Add, and then select Authenticated Users in the Select Users,
Computers, or Groups dialog box.

13. Leave Authenticated Users with the default permission of Read.


14. Click Add, and then select Administrator and grant Full Control.
15. Click Add, and then select the DL Sales Modify group and grant
Change permission.
16. Click OK twice.

Exercise 2: Configuring NTFS Security


In this exercise, you will set the NTFS permissions on shared folders.

Task 1 Configure NTFS permissions


1. In Windows Explorer, right-click the Research folder, and then click
Sharing and Security.
2. On the Security tab, click Advanced.

3. Clear the Allow inheritable permissions from the parent to
propagate to this object and all child objects check box to prevent
permission inheritance, and then remove all permissions.
4. Click Add.
5. Select the Administrator account.
6. Grant the Administrator account Full Control.

7. Click OK twice.
8. On the Security tab, click Add.
9. Select Authenticated Users, and leave the default permission Read
and Execute.
10. Click Add, and then select the DL Research Change group.
11. Grant the DL Research Change group account Modify permission.
12. In Windows Explorer, right-click the Price List folder, and then open
the Sharing and Security Properties dialog box.
13. On the Security tab, click Advanced.
14. Clear the Allow inheritable permissions from the parent to
propagate to this object and all child objects check box to prevent
permission inheritance, and then remove all permissions.
15. Click Add.
16. Select the Administrator account.
17. Grant the Administrator account Full Control.
18. Click OK twice.
19. On the Security tab, click Add.
20. Select Authenticated Users and leave the default permission Read
and Execute.
21. Click Add, and then select the DL Sales Modify group.
22. Grant the DL Sales Managers group Modify permission.

Exercise 3: Publishing Shared Folders


In this exercise, you will publish the shared folders.

Task 1 Publish the folders in Active Directory by using Computer Management

1. On DEN-SRV1, click Start, point to Administrative Tools, and then
click Computer Management.
2. In Computer Management, open the Shared Folders snap-in, and
then click the Shares folder.
3. Right-click the Research share, and then click Properties.
4. On the Publish tab, select the Publish this share in Active Directory
check box.
5. Click the Edit box beside Keywords, and enter the keywords
Development and Products, clicking Add after each one.
6. Click OK twice.
7. Repeat steps 3 through 6 to publish the Price List shared folder with
the keyword Prices.
8. Close all open windows.

Exercise 4: Testing Permissions


In this exercise, you will test the network access by logging on as two
different users and testing permissions.

Task 1 Test access as Don Hall and Judy Lew


1. Log on to DEN-CL1 as the sales manager Don Hall,
don@contoso.msft.
2. At the Run command prompt, type \\Den-srv1\Price List.
3. Create a new text document named Prices.txt.
4. Close all open windows, and then log off.
5. Log on to DEN-CL1 as Judy@Contoso.msft.
6. At the Run command prompt, type \\Den-srv1\Price List.
7. Open the Prices.txt file.
8. Enter some text, and then attempt to save the file. The attempt will
fail.
9. Close all open windows, and then log off.

Exercise 5: Configuring Automatic Caching


In this exercise, you will configure a shared folder to provide automatic
caching of documents.

Task 1 Configure automatic caching for the Price List shared folder
1. Ensure that you are logged on to DEN-SRV1 as Administrator.
2. Open Windows Explorer, and then click the Price List folder.

3. Right-click the C:\Price List folder and then click Sharing and
Security.
4. On the Sharing tab, click Caching.
5. Select All files and programs that users open from the share will
be automatically available offline.
6. Click OK twice.

7. Close all open windows, and then log off.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-SRV1
virtual computers.

Module 5
Managing Access to Objects in Organizational Units
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Modifying Permissions for Active Directory Objects
Question: Which of the following statements are true about moving a user object from one
organizational unit called London to another organizational unit called San Francisco? Choose all that
apply.
a. Explicit permissions remain the same for the user object.
b. Inherited permissions on the user object may change based on the configuration of the San
Francisco organizational unit.
c. Inherited permissions on the user object may change based on the configuration of the
London organizational unit.
d. You must set new permissions for the moved user object.
e. You do not need to change permissions for either organizational unit based on the user
object being moved.

Answer: Answers a, b, and e are correct.

Answer a is true, because explicit permissions are maintained when an object moves between
organizational units.

Answer b is true, because inherited permissions may change based on the target
organizational unit.

Answer c is false, because inherited permissions do not change based on the source
organizational unit.

Answer d is false, because permissions are based on the explicit permissions on the object or
the implicit permissions on the target organizational unit.

Answer e is true, because moving objects between containers has no effect on the permissions
assigned to the containers.

Remove the inherited permissions and document the new permissions


1. On the Security tab of the Test Properties dialog box, click Advanced.
2. In the Advanced Security Settings for Test dialog box, on the Permissions tab, clear the Allow
inheritable permissions from the parent to propagate to this object and all child objects.
Include these with entries explicitly defined here check box.
3. In the Security dialog box, click Remove.
4. In the Advanced Security Settings for Test dialog box, click OK.

5. Examine the new security settings for the Test organizational unit.
6. Document the new security settings.

Group or user names Inherited Explicit
Account Operators X
Administrators
Authenticated Users X
Domain Admins X
Enterprise Admins
Enterprise Domain Controllers X
Pre-Windows 2000 Compatible Access
Print Operators X
System X

What groups are no longer on the list?
Answer: Administrators, Enterprise Admins, and Pre-Windows 2000 Compatible Access.

Examine effective permissions


1. On DEN-DC1, open Active Directory Users and Computers, and then click the Test organizational unit.
Notice that the user account that Judy Lew created is disabled. Why?
Answer: Because Judy Lew was unable to set the password and therefore the account did
not meet the password requirements of the domain. Because she had Create All Child
Objects permission, the object was created but disabled.
2. Right-click the Test OU and then click Properties.
3. Click the Security tab, and then click Advanced to open the Advanced Security Settings for
Test dialog box.
4. Click the Effective Permissions tab, and then click Select.
5. Enter Judy Lew and then click OK.

What are her effective permissions?
Answer: Full Control.
What are her effective permissions on the user account she created?
Answer: Read and Modify Permissions.
What are her effective permissions on the Test1 organizational unit? Why does she have
these permissions?
Answer: Read and List Contents permissions. This is because she is a member of Authenticated
Users.
6. Close all open windows and log off of DEN-DC1 and DEN-CL1.

Important Do not shut down the virtual machines.

Lesson: Delegating Control of Organizational Units


Question: You are given the task of assigning permissions to a set of organizational units. You must
determine the appropriate delegation of authority if each organizational unit requires the following:
Security Group A must be able to create user accounts in the OU1 organizational unit.
Security Group B must be able to update user account properties in the OU2 organizational
unit.

What are the minimum permissions required by each group? Choose all that apply.
a. Create, Delete User accounts
b. Modify User accounts
c. Full Control
d. Read All Properties

Answer: Answers a and b are correct.

Answer c is incorrect, because Full Control permission is a higher level of permission than the
scenario requires.

Answer d is incorrect, because the Read All Properties permission does not give the groups a
high enough level of access to accomplish the stated goals.

Examine the permissions assigned by the Delegation of Control Wizard


1. Right-click the Sales OU and then click Properties.
2. Click the Security tab.
3. Click Advanced, and view Don Hall in the Permission entries list.
What permissions are assigned to Don Hall?
Answer: Don Hall has Full Control permission for User objects and Create/Delete User Objects
permission for This object and all child objects.
4. Locate Judy Lew.
What permissions are assigned to Judy Lew?
Answer: Judy Lew has Create/Delete Computer Objects permission for This object and all
child objects and Read All Properties and Write All Properties permissions for computer
objects.
5. Close all open windows.

Test the delegated permissions for the Sales organizational unit


1. Log on to DEN-CL1 as Don with the password of Pa$$w0rd.
2. Open the Run command, and then type dsa.msc to launch Active Directory Users and
Computers.

3. Right-click the Sales organizational unit, and then create a new user with the following:
4. First name: Test
5. Last name: 2
6. User name: Test2
7. Password: Pa$$w0rd
This task will succeed because Don Hall was delegated the authority to perform that task.
8. Right-click the Legal organizational unit.
What permission does Don Hall have on the Legal organizational unit?
Answer: None. Don Hall was granted authority over only the Sales organizational unit.

9. Log off.
10. Log on to DEN-CL1 as Judy with the password of Pa$$w0rd.
11. Click Start, Run, and then type Dsa.msc in the text box.
12. Create a new computer account named Computer1 in the Sales organizational unit.
This will succeed because Judy Lew was granted authority to perform that custom task.
13. Try to perform tasks on user objects.
What other permission does Judy Lew have in the Sales organizational unit?
Answer: None. Judy Lew was granted authority over only computer objects in the Sales
organizational unit.
14. Close all windows and then log off of DEN-CL1 and DEN-DC1.

Important Do not shut down the virtual machines.



Lab Answer Keys


Lab: Managing Access to Objects in Organizational Units Answer Key
Objectives After completing this lab, you will be able to:
Modify the Delegation of Control Wizard and delegate
permissions.
Test the delegated permissions.
Delegate permissions in the Legal organizational unit and create a
taskpad.
Test the delegated permissions.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1

Exercise 1: Modifying the Delegation of Control Wizard and Delegating Permissions
In this exercise, you will delegate administrative control of objects in an
organizational unit.

Task 1 Examine the default delegwiz.ini file


1. Log on to DEN-DC1 as Administrator with the password of
Pa$$w0rd.
2. Open the C:\Windows\Inf\delegwiz.ini file in Notepad.

3. Examine the current delegwiz.ini file.


4. Open Active Directory Users and Computers.
5. Right-click the Legal organizational unit, and then click Delegate
Control to open the Delegation of Control Wizard for the Legal
organizational unit.
6. Add the Legalmanager user account, and then click Next.

7. On the Tasks to Delegate page, notice how the list of common tasks
relates to the delegwiz.ini file.
What is the first common task on the list?
Create, delete and manage user accounts.
8. Cancel the Delegation of Control Wizard.
9. Open the D:\2274\Labfiles\Admin_Tools\delegwiz.ini file in
Notepad.
10. Compare the modified file with the original.
What new task has been added to the list of templates?
Unlock Locked User Accounts.
What permission is being granted by the template?
Read and Write permission on the LockoutTime attribute of the
User class object.
11. Close Notepad without saving the files.
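
The comparison in steps 9 and 10 can be scripted, so that a replacement delegwiz.ini is reviewed for what each template grants before it is copied into C:\Windows\Inf. The following is an added example, not part of the courseware: the sample text is constructed in the usual delegwiz.ini template layout, `templateN` is a placeholder name, and the function names are illustrative.

```python
"""Summarise what each Delegation of Control Wizard template grants."""
import configparser

# Constructed sample in the delegwiz.ini layout. "templateN" is a
# placeholder for whatever name the modified file gives the added template.
SAMPLE = r'''
[DelegationTemplates]
Templates = template1, templateN

[template1]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user

[template1.SCOPE]
user = CC,DC

[template1.user]
@ = GA

[templateN]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Unlock Locked user accounts"
ObjectTypes = user

[templateN.user]
lockoutTime = RP,WP
'''

# Rights codes used in the templates.
RIGHTS = {
    "CC": "Create child", "DC": "Delete child", "GA": "Full Control",
    "RP": "Read property", "WP": "Write property",
}


def load_templates(text):
    """Parse the file and return one dict per template, in listed order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names such as lockoutTime case-exact
    cp.read_string(text)
    names = [n.strip() for n in cp["DelegationTemplates"]["Templates"].split(",")]
    templates = []
    for name in names:
        section = cp[name]
        grants = []
        for obj in (o.strip() for o in section["ObjectTypes"].split(",")):
            # Each "<template>.<object type>" section maps a target (an
            # attribute, a child class, or "@" for the object itself) to
            # a comma-separated list of rights codes.
            for target, codes in cp[f"{name}.{obj}"].items():
                grants.append((obj, target, [c.strip() for c in codes.split(",")]))
        templates.append({
            "name": name,
            "description": section["Description"].strip('"'),
            "grants": grants,
        })
    return templates


def broad_grants(templates):
    """Names of templates that grant Full Control (GA) on a whole object."""
    return [t["name"] for t in templates
            if any(target == "@" and "GA" in codes
                   for _, target, codes in t["grants"])]


if __name__ == "__main__":
    parsed = load_templates(SAMPLE)
    for t in parsed:
        print(t["description"])
        for obj, target, codes in t["grants"]:
            print(f"  {obj}: {target} -> {', '.join(RIGHTS[c] for c in codes)}")
    print("Full Control templates:", broad_grants(parsed))
```
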

Task 2 Replace the delegwiz.ini file with the delegwiz.ini file located in the D:\2274\Labfiles\Admin_Tools folder
1. Copy the delegwiz.ini file from the D:\2274\Labfiles\Admin_Tools
folder to the C:\Windows\Inf folder.
2. Click Yes in the Confirm File Replace dialog box.

Task 3 Grant the Legal department manager the authority to unlock locked-out user accounts
1. Switch to Active Directory Users and Computers, and run the
Delegation of Control Wizard on the Legal organizational unit.
2. Add the Legalmanager user account, and then click Next.
On the Tasks to Delegate page, what is the last common task in the
list now?
Unlock Locked user accounts
3. Select the Unlock Locked user accounts check box.

4. Click Next and then click Finish.

Exercise 2: Testing the Delegated Permissions


In this exercise, you will unlock a locked-out user account as the Legal
department manager.

Task 1 Lock out the Legaluser account by attempting to log on with an incorrect password
1. Attempt to log on to DEN-CL1 as Legaluser four times with the wrong
password to have the account locked out. On the fourth attempt, you
will receive a message informing you that the account has been locked
out.
2. Log on to DEN-CL1 as legalmanager@contoso.msft, with a password
of Pa$$w0rd.
3. At the Run command prompt, type dsa.msc.
4. In Active Directory Users and Computers, open the Legal
organizational unit, and then open the Properties dialog box for the
Legal User account.
5. Click the Account tab, and clear the Account is locked out check box.
Can the Legal department manager modify any other properties of the
user account?
No, the Legal department manager can perform only one task.
6. Close all windows and log off of DEN-CL1.

Exercise 3: Granting Permissions in the Legal Organizational Unit and Creating a Taskpad
In this exercise, you will delegate to Judy Lew the authority to create, delete,
and manage user and computer accounts in the Legal organizational unit
and then create a taskpad to allow her to perform those tasks.

Task 1 Delegate control to Judy Lew


1. Switch to DEN-DC1.
2. Right-click the Legal organizational unit, and then click Delegate
Control.
3. Add Judy Lew, and then click Next.
4. On the Tasks to Delegate page, select the Create, delete, and manage
user accounts check box.
5. Click Next, and then click Finish.
6. Run the Delegation of Control Wizard for the Legal organizational
unit a second time.

7. Add Judy Lew, and then click Next.
8. On the Tasks to Delegate page, select Create a custom task.
9. On the Active Directory Object Type page, select Only the following
objects in the folder.
10. Select Computer objects in the list of objects.
11. Select the Create selected objects in this folder and Delete selected
objects in this folder check boxes, and then click Next.
12. On the Permissions page, select Full Control.
13. Click Next, and then click Finish.

Task 2 Create a taskpad for Judy Lew


1. At the Run command prompt, type MMC, and then add the Active
Directory Users and Computers snap-in.
2. Right-click the Legal organizational unit, and then select New Window
from here.
3. On the Window menu of Console 1 [Legal], switch to Console Root to
display the entire forest again.
4. Close the Console Root view by clicking the X in the top-right corner of
its window. Only the view of the Legal organizational unit will be visible.
5. Right-click the Legal organizational unit, and then select New Taskpad
View.
6. In the New Taskpad View Wizard, click Next on the Welcome page.
7. On the Taskpad Display page, click Next to accept the defaults.
8. On the Taskpad Target page, click Next to accept the defaults.
9. Click Next to accept the name and description.

10. Ensure that the Start New Task wizard check box is selected, and then
click Finish.
11. On the Welcome to the New Task Wizard page, click Next.
12. On the Command Type page, click Next to accept the default Menu
command selection.
13. On the Shortcut Menu Command page, select Tree Item Task in the
Command source drop-down list.
14. On the Available commands list, select New->Computer, and then
click Next.
15. On the Name and Description page, type Create a Computer
Account in the Task name field, and then click Next.
16. On the Task Icon page, click Next.
17. On the Completing the New Task Wizard page, select the Run this
wizard again check box, and then click Finish.
18. Repeat the steps to create the shortcut menu command New->User.
19. Click Finish.
20. On the console File menu, click Options.
21. In the Options properties dialog box, in the Console mode drop-down
list, select User mode - limited access, single window.

22. Clear the Allow the user to customize views check box.
23. Save the custom taskpad in the D:\2274\Labfiles\Admin_Tools folder as
Legal.msc.

Exercise 4: Testing the Delegated Permissions


In this exercise, you will log on as Judy Lew and use the taskpad to perform
administrative tasks.

Task 1 Copy the taskpad from DEN-DC1 to DEN-CL1


1. Log on to DEN-CL1 as Judy with the password of Pa$$w0rd.
2. At the Run command prompt, type \\DEN-Dc1\admin_tools to
connect to the administrative tools shared folder.
3. Copy the Legal.msc taskpad to the desktop of DEN-CL1.

Test the permissions


1. Double-click Legal.msc.
2. Click the Create a User Account icon.
The New Object - User dialog box will appear.
3. Create a test user account called Test User 3. It will succeed.
Can you add a snap-in to the management console from the File
menu?
No, the Add snap-in command is not available on the File menu.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-CL1
virtual computers.

Module 6
Implementing Group Policy
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Implementing Group Policy Objects
Question: You have a Web server that is not a domain member. You need to configure security and
lock down the user configuration. What is the best way to accomplish this?
a. Manually edit the HKEY_Local_Machine and HKEY_Current_User hives of the local registry
b. Create a custom MMC and configure a local Group Policy
c. Put the Web server in an organizational unit and assign a GPO
d. Use the Local Security Policy to configure Group Policy

Answer: Answer b is correct.

Although answer a would work, it is not recommended. Answer c would not work because a
server that is not a domain member cannot be in an organizational unit. Answer d would only
allow you to set the computer security settings, not the user configuration.

Lesson: Implementing GPOs in a Domain


Question: As the systems administrator for your department's organizational units, you are
responsible for ensuring that the proper Group Policy settings are applied to each user and computer
in your department. You must ensure that the administrative policies that are applied to a group of
users are always inherited from parent objects. To ensure this, you decide to apply the Enabled
setting. To which of the following do you apply this setting?
a. The GPO in the Group Policy Objects container
b. The organizational unit that contains the users
c. The link associated with the GPO
d. The domain

Answer: Answer c is correct.

The Enabled setting is always set at the link associated with the GPO.

Create an unlinked GPO


1. Right-click the Start menu, and then click Open All Users.
2. Double-click the Programs folder.
3. Double-click Administrative Tools.
4. Double-click Group Policy Management.
5. Expand Forest:contoso.msft, expand Domains, expand Contoso.msft, and expand the Group
Policy Objects container.
What GPOs are in the container?
Answer: The Default Domain Policy and the Default Domain Controllers Policy.
6. Right-click the Group Policy Objects container, and click New.
7. In the New GPO dialog box, type Remove Search and click OK.

Lesson: Managing the Deployment of Group Policy


Question: You have linked a GPO that assigns critical security settings to a parent organizational unit.
You want to ensure that the child organizational units will always receive the policy. What is the best
way to accomplish this?
a. Enable the link at the child organizational unit.
b. Set the link at the parent organizational unit to Enforced.
c. Copy the policy and specifically link it to the child organizational unit.
d. Block inheritance of all policies except the security GPO.

Answer: Answer b is correct.

Answers a and c are incorrect because enabling the GPO link or copying it to the child
organizational unit will not guarantee that it will be applied. Answer d is incorrect because
you cannot block GPOs selectively.

Test the results


1. Log on to DEN-CL1 as Don.
2. Click the Start menu. Ensure that the Search folder is back on the Start menu.
3. Log off and log on as GraphicsUser.
4. Click the Start menu. Ensure that the Search folder is on the Start menu.
5. Log off and log on as Administrator.
Does Administrator have a Search folder on the Start menu?
Answer: Administrator should not have a Search folder because the Administrator account
is in the Users container.

Test the results


1. Log on to DEN-CL1 as Don and then as GraphicsUser.
Is the Search folder available on the Start menu for either user? Why or why not?
Answer: No. When a GPO is set to Enforced, it overrides blocking inheritance or conflicting
GPOs.
2. Close all open windows and log off.

Important Do not shut down the virtual machines.


Multimedia
Media Type: Animation
Title: How Group Policy Settings Are Inherited in Active Directory


Lab Answer Keys


Lab: Implementing Group Policy Answer Key
Objectives After completing this lab, you will be able to:
Disable and delete a GPO.
Create and link multiple GPOs.
Filter the GPOs to exempt selected users.
Back up and import GPO settings.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1

Exercise 1: Disabling and Deleting a GPO


In this exercise, you disable and delete a GPO link.

Task 1 Disable the GPO link


1. Log on to DEN-CL1 as Administrator.
2. Open the Administrative Tools folder and open the GPMC.
3. Expand the domain node.
4. Right-click the Remove Search GPO and click Link Enabled to
remove the checkmark. Notice that the arrow on the link icon
becomes dimmed.

Task 2 Delete the GPO link


1. Right-click the Remove Search GPO and click Delete.
2. Read the warning message in the Group Policy Management dialog
box and click OK.
3. Go to Start, Run and type GPupdate /force to refresh the policy.
4. Open the Group Policy Objects container.
Has the Remove Search policy been deleted?
Answer: No. Only the link was deleted. The policy would need to
be deleted from the Group Policy Objects container to be deleted
from the domain. The Remove Search GPO is still available to be
linked to containers.

Exercise 2: Creating and Linking Multiple GPOs

Task 1 Create and link a GPO to the domain


1. Right-click the domain node.
2. Click Create and Link a GPO here.
3. In the New GPO dialog box, type Remove Run Command in the
name field and click OK.
4. Right-click the Remove Run Command and click Edit.
5. Expand User Configuration, Administrative Templates, and the Start Menu
and Taskbar folder, and then enable the Remove Run from the Start Menu setting.
6. Click OK.

Task 2 Create and link a GPO to the Sales OU and the Graphics OU
that prohibits access to Control Panel
1. Right-click the Sales OU.
2. Click Block Inheritance to remove the check mark. This will disable
inheritance blocking for the Sales OU.
3. Create and link a GPO to the Sales OU called Remove Control Panel.
4. Right-click the Remove Control Panel policy and then click Edit.
5. Expand User Configuration, Administrative Templates, and the Control
Panel folder, and then locate and enable the Prohibit access to the Control
Panel setting.
6. Right-click the Graphics OU and click Link an Existing GPO.
7. In the Select GPO dialog box, click the Remove Control Panel GPO,
and click OK.

Task 3 Determine which OUs the Remove Control Panel GPO is
linked to
1. Open the Group Policy Objects folder and click the Remove Control
Panel GPO.
2. In the right pane, on the Scope tab, look under the Location heading.
What containers are listed under the Location heading?
Answer: Sales and Graphics.

Task 4 Test the setting as the sales manager


1. Log on as Don@contoso.msft.
2. Click the Start menu. Ensure that the Run command has been removed
from the Start menu. Ensure that Control Panel does not appear on
the Start menu.
3. Log off.

Exercise 3: Filtering the GPOs to Exempt Selected Users


In this exercise, you will filter the GPO permissions to exempt selected
users.

Task 1 Filter permissions on the Remove Run Command GPO to
exempt domain administrators
1. Log on to DEN-CL1 as Administrator.
2. Open the GPMC and expand the domain.
3. Click the Remove Run Command GPO.
4. In the right pane, click the Delegation tab.
5. Click Advanced.
6. In the Remove Run Command Security Settings dialog box, select
Domain Admins and check the box to Deny the Apply Group Policy
permission.
7. Click OK and click Yes after reading the Security warning message.
8. Log off and then log on again to DEN-CL1 as Administrator.
9. Click the Start menu. The Run command should be on the Start menu.

Task 2 Filter permissions on the Remove Control Panel GPO to
exempt the sales managers
1. Switch to the GPMC and expand the Sales OU.
2. Click the Remove Control Panel GPO.
3. In the right pane, click the Delegation tab.

4. Click Advanced.
5. In the Remove Control Panel Security Settings dialog box, click Add.
6. Enter G Sales Managers and click OK.
7. Deny the Apply Group Policy permission to G Sales Managers.
8. Close all windows and log off.
9. Log on as Don@contoso.msft.
10. Click the Start menu. Ensure that Control Panel appears and the Run
command does not appear on the Start menu.
11. Close all windows and log off.
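
The processing rules exercised in this module (Link Enabled, Block Inheritance, Enforced, and a Deny on the Apply Group Policy permission) can be checked with a small model. This is an added example, not part of the courseware; the class and function names, the setting labels, the OU placement of each account, and the group memberships are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class GPO:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)
    allow_apply: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: Set[str] = field(default_factory=set)  # Deny "Apply Group Policy"

    def applies_to(self, groups: Set[str]) -> bool:
        # As in any Windows ACL, an explicit Deny beats an Allow.
        return bool(groups & self.allow_apply) and not (groups & self.deny_apply)


@dataclass
class Link:
    gpo: GPO
    enabled: bool = True    # "Link Enabled" in GPMC
    enforced: bool = False  # "Enforced" in GPMC


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    block_inheritance: bool = False
    links: List[Link] = field(default_factory=list)  # index 0 = link order 1


def applied_gpos(container: Container, groups: Set[str]) -> List[GPO]:
    """GPOs that apply to a user, in processing order (the last one wins)."""
    groups = set(groups) | {"Authenticated Users"}
    normal: List[GPO] = []    # collected highest precedence first
    enforced: List[GPO] = []  # collected lowest precedence first
    blocked = False
    node: Optional[Container] = container
    while node is not None:   # walk from the user's container up to the domain
        usable = [l for l in node.links if l.enabled and l.gpo.applies_to(groups)]
        if not blocked:
            normal += [l.gpo for l in usable if not l.enforced]
        # Enforced links ignore Block Inheritance; higher containers win.
        enforced += [l.gpo for l in reversed(usable) if l.enforced]
        blocked = blocked or node.block_inheritance
        node = node.parent
    return list(reversed(normal)) + enforced


def resultant_settings(container: Container, groups: Set[str]) -> Dict[str, str]:
    result: Dict[str, str] = {}
    for gpo in applied_gpos(container, groups):
        result.update(gpo.settings)  # later GPOs overwrite earlier ones
    return result


def names(container: Container, groups: Set[str]) -> List[str]:
    return [g.name for g in applied_gpos(container, groups)]


def build_lab(search_enforced: Optional[bool] = None,
              block_sales: bool = False) -> Dict[str, Container]:
    """Constructed directory loosely following the lab; placement is assumed.

    search_enforced: None = Remove Search not linked, False = linked to the
    domain, True = linked to the domain and Enforced.
    """
    remove_search = GPO("Remove Search", {"Search on Start menu": "removed"})
    remove_run = GPO("Remove Run Command", {"Run on Start menu": "removed"},
                     deny_apply={"Domain Admins"})
    remove_cpl = GPO("Remove Control Panel", {"Control Panel": "prohibited"},
                     deny_apply={"G Sales Managers"})
    domain_links = [Link(remove_run)]
    if search_enforced is not None:
        domain_links.append(Link(remove_search, enforced=search_enforced))
    domain = Container("contoso.msft", links=domain_links)
    sales = Container("Sales", domain, block_sales, [Link(remove_cpl)])
    graphics = Container("Graphics", domain, links=[Link(remove_cpl)])
    users = Container("Users", domain)
    return {"Sales": sales, "Graphics": graphics, "Users": users}


if __name__ == "__main__":
    lab = build_lab()
    print("Don:", names(lab["Sales"], {"G Sales Managers"}))
    print("GraphicsUser:", names(lab["Graphics"], set()))
    print("Administrator:", names(lab["Users"], {"Domain Admins"}))
    blocked = build_lab(search_enforced=False, block_sales=True)
    print("Sales, blocked:", names(blocked["Sales"], set()))
    forced = build_lab(search_enforced=True, block_sales=True)
    print("Sales, blocked + enforced:", names(forced["Sales"], set()))
```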

Exercise 4: Backing Up and Importing GPO Settings


In this exercise, you will back up and import GPO settings.

Task 1 Back up the Remove Control Panel GPO


1. Log on to DEN-CL1 as Administrator.
2. Open the GPMC and expand the domain.
3. Right-click the Remove Control Panel GPO and click Backup.
4. In the Backup Group Policy dialog box, ensure that C:\GPO Backup
is the location.
5. Click Back Up, and click OK.

Task 2 Import the settings into a new GPO named Imported


1. Right-click the Group Policy Objects container, create a new policy
called Imported, and click OK.
2. Right-click the Imported GPO, and select Import Settings.
3. In the Import Settings Wizard, click Next.


4. On the Backup GPO page, click Next.
5. On the Backup Location page, ensure that the location is set to
C:\GPO Backup and click Next.
6. Select the Remove Control Panel GPO and click Next.
7. On the Scanning Backup page, click Next.

8. Read the summary and click Finish.


9. Edit the Imported GPO to see that the settings were imported
correctly.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-CL1
virtual computers.

Module 7
Managing the User Environment by Using Group Policy
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Configuring Group Policy Settings
Question: You are the systems administrator responsible for creating, configuring, and managing
Group Policy objects (GPOs) for your organization. Before you can determine which Group Policy
settings you should apply to each GPO, you must determine what types of Group Policy settings you
can configure. Which of the following types of Group Policy settings can you configure in an Active
Directory directory service environment? Choose all that apply.
a. Desktop settings
b. Network connections
c. The location of computers
d. Inventory-installed software
e. Who can log on to a computer and when

Answer: Answers a, b, and e are correct.

Answers c and d are incorrect, because you cannot configure the location of computers and
inventory-installed software by using Group Policy.

Lesson: Assigning Scripts with Group Policy


Question: You are the systems administrator for a support call center. You have configured GPOs for
security settings, Folder Redirection, and scripts assignment. All the appropriate settings are being
applied, but the users say that performance is slower during startup, logon and shutdown. Which of
the following can you do to improve performance during these times? Choose all that apply.
a. Ensure that only the required scripts are configured to run.
b. Avoid cross-domain GPO assignments.
c. Use the Block Policy inheritance and Enabled features sparingly.
d. Filter Group Policy based on security group membership.

Answer: Answers a and b are correct.

Answer a is correct, because running additional scripts impedes performance.

Answer b is correct, because when you use cross-domain GPO assignments, the performance
of GPOs is impeded.

Answer c is incorrect, because Block Policy inheritance and Enabled do not affect
performance.

Answer d is incorrect, because policy filtering only affects performance when unnecessary
Group Policy settings are applied to users or computers.

Lesson: Restricting Group Membership and Access to Software


Question: You want to give a user named Jane the right to back up and restore files on your file
servers only. Jane's user account resides in an organizational unit named IT Admin. The file server
computer accounts reside in an organizational unit named Servers. How would you configure a GPO
to accomplish this?
a. Create a Restricted Groups policy that places Jane's user account in the Backup Operators
group and link the GPO to the Domain Controllers container.
b. Create a Restricted Groups policy that places Jane's user account in the Backup Operators
group and link the GPO to the IT Admin organizational unit.
c. Create a Restricted Groups policy that places Jane's user account in the Backup Operators
group and link the GPO to the Servers organizational unit.
d. Create a Restricted Groups policy that places Jane's user account in the Backup Operators
group and link the GPO to the domain.

Answer: Answer c is correct. The computer accounts reside in the Servers organizational unit,
so that is where the policy must be linked to affect only those computers.

Answers a and b are incorrect because the computer accounts of the file servers do not reside
in those containers.

Answer d is incorrect because that would put the user account into the Backup Operators
group on all the computers in the domain.

Define the membership of the local Administrators group for DEN-CL1


1. Log on to DEN-DC1 as Administrator.
2. Open Active Directory Users and Computers.
3. Click the Computers container and move the DEN-CL1 computer account into the IT Admin
organizational unit. Click Yes at the Active Directory prompt.
4. Click Start, point to Administrative Tools, and then click Group Policy Management.
5. Create and link a GPO named Admin Membership to the IT Admin organizational unit.
6. Edit the Admin Membership GPO.
7. Expand Computer Configuration, Windows Settings, Security Settings and then click
Restricted Groups.
8. Right-click Restricted Groups and then click Add Group.
9. In the Add Group dialog box, type Administrators and then click OK.
10. In the Administrators Properties dialog box, in the Members of this group section click Add.
11. In the Add Member dialog box, type Contoso\G Admins and then click OK.
12. Click Add again and locate and add the Domain Admins group.
13. Click OK twice.
14. Close the Group Policy Object Editor.
15. Log on to DEN-CL1 as Judy with the password of Pa$$w0rd.
16. Click Start, click Run, and then type gpupdate /force. Click OK.
17. Right-click My Computer and click Manage to open Computer Management and expand Local
Users and Groups.
18. Click Groups and then open the Administrators group.
Who is in the Administrators group?
Answer: Local Administrator, Contoso\Domain Admins, Contoso\G Admins
19. Close all open windows.

Lesson: Configuring Folder Redirection


Question: You are the systems administrator responsible for client data availability. You want to
configure Folder Redirection of the My Documents folder to the user's existing home directory for all
users. You also are required to have the My Documents folder secured to just the owner. Which of the
following options best fulfills this requirement? Each option is a part of the solution.
a. Configure a GPO to set the Folder Redirection policy to Redirect to the user's home
directory setting, and link it to the appropriate organizational unit.
b. Configure a GPO to set the Grant the user exclusive rights to My Documents setting to
Disabled, and link it to the appropriate organizational unit.
c. Configure a GPO to set the Folder Redirection policy to redirect special folders to a specific
path setting, and link it to the appropriate organizational unit.
d. Configure a GPO to set the Grant the user exclusive rights to My Documents setting to
Enabled, and link it to the appropriate organizational unit.

Answer: Answers c and d are correct.

Answer c is correct, because redirecting special folders to a specific path satisfies all the
requirements.

Answer d is correct, because the Grant the user exclusive rights to My Documents setting must
be enabled for this to work.

Test the Folder Redirection


1. Log on to DEN-CL1 as Legaluser with the password of Pa$$w0rd.
2. Click Start, right-click the My Documents folder and click Properties.
What is the path in the Target folder location field?
Answer: \\DEN-DC1\Redirect\legaluser\My Documents

Note It may require two logons to see the results of the GPO.

3. Click OK.
4. Open the My Documents folder. Create a new document named legal.txt. Enter some text and
save the document.
5. Close all open windows and log off.
6. Log on to DEN-SRV1 as Legaluser.
7. Open the My Documents folder and open the legal.txt document. You should see the text you
entered.
8. Close all open windows and log off.

Important Do not shut down the virtual machines.

Lesson: Determining Applied GPOs


Question: You are responsible for managing Group Policy settings for your organization. You must
ensure that all Group Policy settings are being correctly applied to users and computers. You have
decided that you will use Resultant Set of Policy (RSoP) to evaluate the Group Policy settings to
ensure that the appropriate settings are applied to the computers and users that are logged on. Which
RSoP mode should you use?

a. Planning Mode
b. Logging Mode

Answer: Answer b is correct.


Lab Answer Keys


Lab: Managing the User Environment by Using Group Policy Answer Key
Objectives After completing this lab, you will be able to:
Create and apply a GPO to the Graphics organizational unit.
Assign a logon script to connect to the Graphics1 printer.
Use a GPO to configure the membership of the Backup Operators group.
Use the Group Policy Results Wizard to verify the policy settings.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1

Exercise 1: Creating and Applying a GPO to the Graphics Organizational Unit

In this exercise, you will create a GPO to configure the desktop
for the Graphics department.

Task 1 Create and link a GPO


1. Ensure that you are logged on to DEN-DC1 as
Administrator.
2. Open Group Policy Management and then create and
link a GPO named Graphics Desktop to the Graphics
organizational unit.
3. Edit the Graphics Desktop GPO.

Task 2 Edit the policy


1. Expand User Configuration, Administrative Templates
and configure the following:
In Start Menu and Taskbar, enable the Remove Run
menu from Start Menu setting.
In Windows Components, in Windows Messenger,
enable the Do not allow Windows Messenger to be
run setting.
In Control Panel, in Display, enable the Prevent
changing wallpaper setting.
In Desktop, enable the Hide and disable all items
on the desktop setting.
2. Close the Group Policy Object Editor.

Task 3 Test the policy


1. Log on to DEN-CL1 as GraphicsUser@contoso.msft.
2. Ensure the desktop has nothing displayed.
3. Ensure the Run command does not appear on the Start
menu.
4. Open Control Panel, Appearance and Themes, Display
and attempt to change the desktop wallpaper.
5. Attempt to launch Windows Messenger.
6. Close all open windows and log off.

Exercise 2: Assigning a Logon Script to Connect to the Graphics1 Printer


In this exercise, you will create and assign a logon script that
connects users in the Graphics organizational unit to the
Graphics1 printer.

Task 1 Create a GPO


1. In Group Policy Management, right-click the Graphics
organizational unit and click Create and Link a GPO Here.
2. Name the GPO Map Printer.

Task 2 Edit the GPO


1. Right-click the Map Printer GPO and select Edit.
2. Expand User Configuration, Windows Settings, Scripts
(Logon/Logoff), double-click the Logon setting.
3. In the Logon Properties box, click Show Files to display
the Logon folder window.
4. Switch to Windows Explorer and copy
D:\2274\Labfiles\Admin_Tools\printers.vbs to the
Logon folder.
5. Close the Logon folder, and then click Add.
6. In the Add a Script dialog box, click Browse, and then
select printers.vbs.
7. Click OK twice.

Task 3 Test the setting

1. Log on to DEN-CL1 as GraphicsUser.
2. Open the Printers and Faxes folder.
3. Ensure that the Graphics1 printer appears.

Exercise 3: Using a GPO to Configure the Members of the Backup
Operators Group

In this exercise, you will configure a GPO to place the G Admins
global group in the Backup Operators group on all workstations
and servers in the domain.

Task 1 Create a GPO


1. In Group Policy Management create and link a GPO named
Backup Operators to the contoso.msft domain.
2. Edit the Backup Operators GPO.

Task 2 Edit the GPO


1. Expand Computer Configuration, Windows Settings, and
Security Settings, select and right-click the Restricted
Groups folder, and then click Add Group.
2. In the Add Group dialog box, type Backup Operators and
then click OK.
3. In the Backup Operators Properties dialog box, click Add in
the Members of this group section, and then type
Contoso\G Admins.
4. Click OK twice.

5. Close the Group Policy Object Editor.

Task 3 Test the setting


1. Log on to DEN-CL1 as Administrator.
2. From Run, type gpupdate /force.
3. Open Computer Management, expand Local Users and
Groups, Groups and then open the Backup Operators
group.
4. Ensure that the G Admins group is a member.

Exercise 4: Using the Group Policy Results Wizard to Verify the Policy
Settings
In this exercise, you will use the Group Policy Results Wizard
to verify the policy settings for the GraphicsUser user account.

Task 1 Run the Group Policy Results Wizard


1. Switch to DEN-DC1.
2. In Group Policy Management, right-click Group Policy
Results, and then click Group Policy Results Wizard.
3. On the Group Policy Results Wizard Welcome screen,
click Next.
4. On the Computer Selection page, click Another
computer, type DEN-CL1 in the field, and then click
Next.
5. On the User Selection page, notice that only users who
have logged on to DEN-CL1 are listed.

6. Select GraphicsUser, and then click Next.


7. On the Summary of Selections page, click Next.
8. Click Finish.

Task 2 View and save the report


1. Click the Summary tab of the report.
2. In the Computer Configuration Summary section,
expand Group Policy Objects and expand Applied
GPOs.
What GPOs are being applied to the computer?
The Backup Operators GPO, Admin Membership, and
the Default Domain GPO.
3. In the User Configuration Summary Section, expand
Group Policy Objects and Applied GPOs.
What GPOs are being applied to the user?
The Standard Desktop, Default Domain Policy,
Graphics Desktop and Map Printer GPOs
4. Click the Settings tab.
What GPO is applying the setting that hides the screen
saver?
The Standard Desktop GPO
What GPO is applying the setting that removes the Run
command from the Start menu?
The Graphics Desktop GPO
5. Right-click the report and click Save Report. Save the
report as an HTML file in the My Documents folder.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
2. To prepare for the next module, start the DEN-DC1 and
DEN-CL1 virtual computers.

Module 8
Implementing Administrative Templates and Audit Policy
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Managing User Rights in Microsoft Windows Server 2003
Question: You are the systems administrator responsible for creating, configuring, and managing
Group Policy objects (GPOs) for your organization. You must determine the appropriate settings to
use for each of your organizational units. Which of the following are user rights?
a. Log on locally
b. Access a share with full control
c. Open a database file
d. Back up files and directories

Answer: Answers a and d are correct.

Answers a and d are user rights. Answers b and c are permissions.

Lesson: Using Security Templates to Secure Computers


Question: You are the systems administrator responsible for creating, configuring, and managing
GPOs for your organization. Using the plan presented to you from the systems engineers, you must
determine if you can use a default template. Which of the following default Group Policy templates
provides the highest default security for clients?
a. Rootsec
b. Hisecws
c. Securews
d. Compatws

Answer: Answer b is correct. Hisecws is the Group Policy template used for the highest level of
security.

Import the security template into a GPO and apply the GPO to an organizational
unit
1. Open Group Policy Management and then create and link a GPO named XP Security to the
Sales organizational unit.
2. Right-click and edit the XP Security policy.
3. In the Group Policy Object Editor, expand Computer Configuration, Windows Settings, and
Security Settings.
4. Right-click Security Settings, and then click Import Policy.
5. In the Import Policy From dialog box, click Secure XP.inf, and then click Open.
6. Close the Group Policy Object Editor and Group Policy Management.
7. Open Active Directory Users and Computers, and move DEN-CL1 from the Computers
container to the Sales organizational unit.
8. Close Active Directory Users and Computers and then log off of DEN-DC1.
9. Log on to DEN-CL1 as Administrator.
10. Click Start, click Shutdown, and then click Restart. Do not shut down the virtual machine.
11. Log on to DEN-CL1 as Administrator.
12. Open Computer Management, expand Local Users and Groups and then click Users.
What is the name of the built-in administrator account?
Answer: XPAdmin.
13. Close all open windows, and then log off.

Important Do not shut down the virtual machines.

Lesson: Testing Computer Security Policy


Question: You are the systems administrator responsible for creating, configuring, and managing
GPOs for your organization. You must determine if the Group Policy settings that you configured for
each of your organizational units are being applied to computers and users in their organizational unit.
Which of the following tools can you use to determine if the correct settings have been applied?
Choose all that apply.

a. Resultant Set of Policy (RSoP)
b. The Security Configuration and Analysis tool
c. Group Policy Management
d. Active Directory Users and Computers

Answer: Answers a and b are correct.

RSoP and Security Configuration and Analysis are the tools used to determine if the correct
Group Policy settings are applied.

Analyze a computer's security policy by using a security template


1. Log on to DEN-CL1 as Administrator.
2. Create an MMC, and then add the Security Configuration and Analysis snap-in.
3. In the console tree, right-click Security Configuration and Analysis, and then click Open
Database.
4. In the Open Database dialog box, type Enterprise Client in the File name field, and then click
Open.
5. In the Import Template dialog box, in the Look in field, browse the network to
\\Den-DC1\Admin_Tools\XP security templates, select Enterprise Client - Desktop.inf, and then click
Open.
6. In the console tree, right-click Security Configuration and Analysis, and then click Analyze
Computer Now.
7. In the Perform Analysis dialog box, click OK to accept the default path for the log file.
8. When the analysis is complete, expand Local Policies and click Security Options.
What are the Database and Computer settings for Renaming the administrator account?
Answer: The computer setting is XPAdmin. The Database setting is Not Analyzed because
the setting was not configured in the database.
Do the Database and Computer settings for Interactive logon: Do not display last user name
agree?
Answer: A green check mark indicates that the Database and Computer settings agree.
9. Click File System, C:\.
What are the Database and Computer settings for the Program Files directory?

Answer: This setting was not analyzed because it was not configured in the template.
10. Close all open windows and log off of DEN-CL1.
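
The comparison that Security Configuration and Analysis performs in the steps above can be reproduced offline on two security template (.inf) texts. This is an added example, not part of the courseware: both INF texts are constructed, the function names are assumptions, and the second text stands in for the computer's own configuration exported to a file.

```python
import configparser
from typing import Dict, List, Tuple

Setting = Tuple[str, str]  # (section, key), both lower-cased
SKIP_SECTIONS = {"unicode", "version"}  # file metadata, not policy

# Constructed baseline: defines an audit setting and a security option,
# but says nothing about the administrator account name.
TEMPLATE_INF = r'''
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'''

# Constructed stand-in for the computer's current settings
# (for example, the file written by "secedit /export /cfg").
COMPUTER_INF = r'''
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "XPAdmin"
[Event Audit]
AuditObjectAccess = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'''

ADMIN_NAME: Setting = ("system access", "newadministratorname")
AUDIT_OBJECT: Setting = ("event audit", "auditobjectaccess")
DONT_DISPLAY: Setting = (
    "registry values",
    r"machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername",
)


def normalize(value: str) -> str:
    # Drop quotes and stray spaces so '"XPAdmin"' and 'XPAdmin' compare equal.
    return ",".join(part.strip().strip('"') for part in value.split(","))


def parse_template(text: str) -> Dict[Setting, str]:
    """Parse security template text into {(section, key): value}."""
    parser = configparser.ConfigParser(
        delimiters=("=",),        # registry paths may contain ':'
        comment_prefixes=(";",),
        interpolation=None,       # '%' is literal in these files
        strict=False,
    )
    parser.read_string(text)
    settings: Dict[Setting, str] = {}
    for section in parser.sections():
        if section.lower() in SKIP_SECTIONS:
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            settings[(section.lower(), key)] = normalize(value)
    return settings


def analyze(template: Dict[Setting, str], computer: Dict[Setting, str]) -> Dict[Setting, str]:
    """Classify every setting the way the analysis results are read."""
    report: Dict[Setting, str] = {}
    for setting in sorted(set(template) | set(computer)):
        if setting not in template:
            report[setting] = "not analyzed"  # baseline does not define it
        elif template[setting] == computer.get(setting):
            report[setting] = "match"
        else:
            report[setting] = "mismatch"
    return report


def deviations(report: Dict[Setting, str]) -> List[Setting]:
    return [s for s, status in report.items() if status == "mismatch"]


def run_analysis() -> Dict[Setting, str]:
    return analyze(parse_template(TEMPLATE_INF), parse_template(COMPUTER_INF))


if __name__ == "__main__":
    for (section, key), status in run_analysis().items():
        print(f"[{section}] {key}: {status}")
```

A setting reported as "not analyzed" is unmanaged by the baseline rather than compliant, which is why the renamed administrator account shows up that way in step 8.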

Lesson: Configuring Auditing


Question: As a systems administrator for a large distributed financial organization, you are
responsible for managing access to resources on servers. You are notified that user access to files in
a shared folder on one of the file servers has been failing intermittently over the past few days. You
have verified that the shared folder and file permissions are correctly configured, so you decide to use
auditing to isolate the issue. Which events do you audit? Choose all that apply.
a. Account Logon, Success
b. Account Logon, Failure
c. Directory Service Access, Success
d. Directory Service Access, Failure
e. Object Access, Failure
f. Object Access, Success
g. Logon, Success
h. Logon, Failure

Answer: Answers b, e, and f are correct.

Auditing the events in answers b, e, and f tells you when a logon to the server fails and when a
user's attempt to access a folder fails.

Question: You are notified that users are having difficulty accessing shared resources on two of the
organization's file servers. You decide to review the audit logs for these servers to determine the
cause of the issues. When you review the event logs, you discover that the log only contains data
from the previous 12 hours. What may be responsible for the lack of data? Choose all that apply.
a. The maximum size of the event log is too small.
b. Too many events are being audited.
c. The Overwrite events older than [x] days setting is set to 1 day.
d. Another administrator manually cleared the event logs.
e. All the relevant events are logged to domain controllers, not member servers.

Answer: Answers a, c, and d are correct.

Answer a is correct, because if the maximum size of the event log is too small, events that help
you determine the problem may be overwritten.

Answer b is incorrect. Although this may be a factor if you are auditing things you do not
need to, it is not correct for this scenario.

Answer c is correct, because this would cause events to be overwritten every 24 hours.

Answer d is correct, because it is possible that the events were cleared while another
administrator was trying to isolate a different issue.

Answer e is incorrect, because events are logged to the servers that are performing the
actions.

Lesson: Managing Security Logs


Question: You are the systems administrator responsible for creating, configuring, and managing
server security for your organization. You are notified that files in a shared folder on a file server are
being deleted, although users still need them. The last deletion occurred yesterday. You must
determine who has been accessing and deleting files on that shared folder. When you look at the file
server's security log, you do not notice any events for files being deleted. What may be the cause?
Choose all that apply.
a. The log is configured to only keep data for two days.
b. The log is being overwritten before the event can be viewed.
c. Auditing is not enabled on that NTFS folder.
d. You must view the domain controllers' security logs for alerts.

Answer: Answers b and c are correct.


Lab Answer Keys


Lab: Managing Security Settings Answer Key
Objectives: After completing this lab, you will be able to:
Create a custom security template.
Import and deploy the custom template.

Note: This lab focuses on the concepts in this module and as a result may not comply with
Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1

Exercise 1: Creating a Custom Security Template


In this exercise, you will create a custom security template.

Task 1 Create a new custom security template based on the securews template
1. Log on to DEN-DC1 as Administrator.
2. Click Start, All Programs, and Administrative Tools, and
then open the Security Templates MMC.
3. In the Security Templates snap-in, right-click the
securews template, and then click Save As.
4. In the Save As dialog box, type Graphics Security Policy
in the File name field, and then click Save.

Task 2 Enable audit, security policies, and event log properties
1. Right-click the Graphics Security template, and then click
Edit.
2. Expand Local Policies and Audit Policy. Notice that some
auditing policies are enabled because this template was
copied from the securews template.
3. Double-click Audit object Access, select Success and
Failure, and then click OK.
4. Click Security Options. Notice that many security policies
are enabled because this template was copied from the
securews template.
5. Double-click the Accounts: Rename administrator
account policy.
6. In the Accounts: Rename administrator account dialog
box, select the Define this policy setting in the template
check box, type Graphics Admin in the field, and then click
OK.
7. Double-click the Interactive logon: Do not display last
user name policy, select the Enabled setting, and then click
OK.
8. In the Security Templates tree, click Event Log.
9. Double-click Maximum security log size, type 99840 in
the Maximum Log Size field, and then click OK.
10. Double-click Retain security log, select the Define this
policy setting in the template check box, type 7 in the
Overwrite events older than field, and then click OK.
11. Read the message, and then click OK in the Suggested
Value Change dialog box to accept the suggested change.

Task 3 Save the Graphics Security Policy template


1. Right-click the Graphics Security Policy template, and
then click Save.
2. Close the Security Templates MMC.
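
An added example, not part of the courseware: a Python check that reads a saved security template (.inf) and reports the causes of missing security events named in this module's questions (object access not audited, a security log that is too small, a retention period that is too short). Both sample templates are constructed, the function names are hypothetical, and the thresholds are assumptions taken from the values typed in Task 2.

```python
"""Check a security template (.inf) for settings that lose security events."""

# Constructed sample: the settings chosen in Exercise 1, Task 2.
LAB_TEMPLATE = r'''
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "Graphics Admin"
[Event Audit]
AuditObjectAccess = 3
[Security Log]
MaximumLogSize = 99840
AuditLogRetentionPeriod = 1
RetentionDays = 7
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'''

# Constructed sample: success-only auditing, a small log, one-day retention.
WEAK_TEMPLATE = r'''
[Event Audit]
AuditObjectAccess = 1
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 1
'''


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections


def _int(section, key):
    """Integer value of a setting, or None when it is absent or not numeric."""
    try:
        return int(section.get(key, ""))
    except ValueError:
        return None


def audit_findings(text, min_log_kb=99840, min_retention_days=7):
    """List the weaknesses found; an empty list means none of them apply."""
    parsed = parse_inf(text)
    audit = parsed.get("event audit", {})
    seclog = parsed.get("security log", {})
    findings = []

    # AuditObjectAccess: 0 = none, 1 = success, 2 = failure, 3 = both.
    # The folder still needs its own auditing entries; this file does not show them.
    access = _int(audit, "auditobjectaccess")
    if access is None or access == 0:
        findings.append("object-access-not-audited")
    elif access != 3:
        findings.append("object-access-partial")

    # MaximumLogSize is in kilobytes.
    size = _int(seclog, "maximumlogsize")
    if size is None or size < min_log_kb:
        findings.append("security-log-too-small")

    # AuditLogRetentionPeriod: 0 = overwrite as needed, 1 = by days, 2 = never.
    mode = _int(seclog, "auditlogretentionperiod")
    days = _int(seclog, "retentiondays")
    if mode is None:
        findings.append("retention-not-defined")
    elif mode == 0:
        findings.append("overwrite-as-needed")
    elif mode == 1 and (days is None or days < min_retention_days):
        findings.append("retention-too-short")
    return findings


if __name__ == "__main__":
    print("lab template :", audit_findings(LAB_TEMPLATE))
    print("weak template:", audit_findings(WEAK_TEMPLATE))
```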

Exercise 2: Importing and Deploying the Custom Template


In this exercise, you will import the Graphics Security Policy
template to a GPO that is linked to the Graphics organizational
unit.

Task 1 Import the Graphics Security Policy template into a GPO
1. Log on to DEN-DC1 as Administrator.
2. Open Group Policy Management, and create and link a
GPO named Graphics Security to the Graphics
organizational unit.
3. Right-click the Graphics Security Policy template, and then
click Edit.
4. Right-click Security Settings, and then click Import to
import the Graphics Security Policy template.
5. Close the Group Policy Object Editor and Group Policy
Management.
6. Open Active Directory Users and Computers, and move
the DEN-SRV1 computer account into the Graphics
organizational unit.

Task 2 Test the settings


1. Log on to DEN-SRV1 as Administrator.
2. At the Run command prompt, type gpupdate /force.
3. In Computer Management, under Local Users and
Groups, open the Users folder.
What is the name of the built-in administrators account?
Graphics Admin.
4. Close all open windows, and then log off.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
Module 9
Preparing to Administer a Server
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Administering a Server
Question: You are working at the Los Angeles office of your organization and must access a folder
that is located on a remote file server in the London office. This folder is not currently shared. The
time in London is eight hours ahead of the time in Los Angeles, and there is no one at the London
office to share the folder locally. The link speed between these two locations is either slow or
intermittent. Choose the best way to administer this folder.
a. Remote Desktop, Account Operators group
b. Manage Your Server, local Administrators group
c. Computer Management tool, Server Operators group
d. Active Directory Users and Computers snap-in, domain Administrator group

Answer: c

Lesson: Configuring Remote Desktop to Administer a Server


Question: You are the administrator for three print servers, but a new print server was recently
installed. You cannot connect to the new print server by using Remote Desktop. You need to gain
access to the new print server by using Remote Desktop. You also want to retrieve usage information
by running a custom application every time Remote Desktop is used to gain access to the server.

Which of the following tasks can you use to accomplish these tasks? Choose all that apply.
a. Connect to one of the other print servers as an administrator, and then enable the new server
for remote administration.
b. Log on locally to the new print server as a server operator, and then configure the new server
for remote administration.
c. Log on locally to the new print server as an administrator, and then configure the new server
for remote administration.
d. On the new print server, in the Properties dialog box for Remote Desktop, enable the Redirect
local drives when logged on to the Remote computer option.
e. On the new print server, in the Properties dialog box for Remote Desktop, enable the Start
the following program on connection option.

Answer: b, c, e.

The minimum group membership that has the rights to configure a server for remote
administration is a server operator. You cannot accomplish the task by using answers a and d
because you must be logged on locally to the server to enable remote administration. Also,
the Redirect local drives when logged on to the Remote computer option is not used to
configure starting a program on connection.

Lesson: Managing Remote Desktop Connections


Question: You are the administrator for three existing database servers. These servers are configured
to allow only two Remote Desktop connections at a time, and these connections are used for
administration of the server and its databases. You are informed by the database administrators that
they are denied access when they attempt to connect to the server by using Remote Desktop.

Which of the following situations is a potential cause of this condition? Choose all that apply.
a. Other administrators are already logged on to and are actively using the server.
b. The other administrators are closing the Remote Desktop window rather than logging off the
remote desktop.
c. The other administrators are logging off the remote desktop rather than closing the Remote
Desktop window.
d. The other administrators are using computers running Microsoft Windows XP rather than
Microsoft Windows Server 2003 for remote administration.

Answer: a, b

The cause of this issue is that there are already two concurrent connections using remote
administration. The administrators are not logging off to disconnect their sessions. Instead,
they are closing the Remote Desktop window.

Answer c is incorrect because logging off would be the correct action, and the administrator
would be able to connect.

Answer d is incorrect because Remote Desktop works the same in both Windows XP and
Windows Server 2003.

Lab Answer Keys


Lab: Preparing to Administer a Server Answer Key
Objectives: After completing this lab, you will be able to:
Enable remote desktop.
Create a shared folder on a remote computer.
Connect to a remote console session.
Create runas shortcuts for administrative tools.

Note: This lab focuses on the concepts in this module and as a result may not comply with
Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1
DEN-SRV1

Exercise 1: Enabling Remote Desktop


You will enable Remote Desktop on DEN-SRV1 for remote
administration.

Task 1 Log on to DEN-SRV1 as domain Administrator


1. Start the DEN-SRV1 virtual machine.
2. Press <RIGHT>ALT+DELETE and log on as Administrator
with a password of Pa$$w0rd.

Task 2 Enable Remote Desktop


1. Click Start, right-click My Computer, and then click
Properties.
2. Click the Remote tab.
3. Check the Enable Remote Desktop on this Computer check
box, click OK in the Remote Session dialog box, and then click
OK to close System Properties.
4. Log off.

Exercise 2: Creating a Shared Folder on a Remote Computer


In this exercise, you will create a shared folder on a remote
computer by using Computer Management and Remote Desktop
Connection.

Task 1 Log on to DEN-CL1 as Paul


Press <RIGHT>ALT+DELETE and log on to DEN-CL1 as Paul
with a password of Pa$$w0rd.

Task 2 Create a shared folder on DEN-DC1 using MMC1


1. Right-click MMC1 and then click Run as.
2. Click the The following user button.
3. In the User name box, type Contoso\Administrator, and, in
the Password box, type Pa$$w0rd, and then click OK.
4. Expand Computer Management (DEN-DC1), expand
System Tools, expand Shared Folders, and then click Shares.
5. Right-click Shares and then click New Share.
6. Click Next.
7. In the Folder Path box, type C:\Data1, and then click Next.
8. Click Yes to create the folder.
9. Click Next to accept the default share name, and then click
Finish to accept the default permissions.
10. Click Close.
11. Close MMC1.

Task 3 Create a shared folder on DEN-DC1 using Remote Desktop Connection
1. Click Start, point to All Programs, point to Accessories, point
to Communications, and then click Remote Desktop
Connection.
2. In the Computer box, type DEN-DC1, and then click
Connect.
3. Log on as Administrator with a password of Pa$$w0rd.
4. Click Start, point to Administrative Tools, and then click
Computer Management.
5. Expand Computer Management (Local), expand System
Tools, expand Shared Folders, and then click Shares.
6. Right-click Shares and click New Share.
7. Click Next.

8. In the Folder Path box, type C:\Data2, and then click Next.
9. Click Yes to create the folder.
10. Click Next to accept the default share name, and then click
Finish to accept the default permissions.
11. Click Close.
12. Close Computer Management.

Task 4 Log off from the remote connection


Log off DEN-DC1.

Exercise 3: Connecting to a Remote Console Session


In this exercise, you will connect to a remote console session by
using Remote Desktop Connection.

Task 1 Open Task Manager on DEN-SRV1


On DEN-SRV1, click Start, click Run, type taskmgr, and then
click OK.

Task 2 Use Remote Desktop Connection on DEN-CL1 to view the console on the DEN-SRV1 computer
1. On DEN-CL1, click Start, click Run, type mstsc /v:DEN-SRV1
/console, and then click OK.
2. Log on as Administrator with a password of Pa$$w0rd.
Notice that when you connect, Task Manager is already
running and that the console on DEN-SRV1 is now blank.

Task 3 Close Task Manager through Remote Desktop Connection
1. Close Task Manager.
2. Log off DEN-SRV1.

Exercise 4: Creating runas Shortcuts to Administration Tools


In this exercise, you will create shortcuts to commonly used
administrative tools.

Task 1 On DEN-SRV1, create a shortcut to Computer Management
1. Ensure that DEN-SRV1 is the Active window.
2. Right-click on the Desktop, point to New, and then click
Shortcut.
3. In the Type the location of the item box, type
runas /user:contoso\administrator "mmc %windir%\system32\compmgmt.msc"
and then click Next.
4. In the Type a name for this shortcut box, type Computer
Management, and then click Finish.

Create a shortcut to Active Directory Users and Computers
1. Right-click on the Desktop, point to New, and then click
Shortcut.
2. In the Type the location of the item box, type
runas /user:contoso\administrator "mmc %windir%\system32\dsa.msc"
and then click Next.
3. In the Type a name for this shortcut box, type Active
Directory Users and Computers, and then click Finish.

Test each shortcut


Test each shortcut by double-clicking it and typing the
password of Pa$$w0rd.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save
changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-CL1
virtual computers.

Module 10
Preparing to Monitor Server Performance
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Introduction to Monitoring Server Performance
Question: As a new systems administrator for a large bank, you must create a performance baseline
for the file servers in your group. Because your group primarily uses these servers to access archived
information, you decide to create the performance baseline for only the memory subsystem. After
you create the performance baseline and monitor the log results, a user notifies you that the
performance of one of the file servers has degraded over the past two days. You review your historical
logs, compare them to the baseline, and find no problem.

What is the most likely cause of the performance degradation?

a. The processor subsystem is causing the performance bottleneck.
b. The network subsystem is causing the performance bottleneck.
c. The disk subsystem is causing the performance bottleneck.
d. It is impossible to determine where the bottleneck is because the baseline is incomplete.

Answer: d

Answers a, b, and c are incorrect, because the data gathered would not allow you to make that
determination. You need to gather data about all primary subsystems to isolate potential
performance issues.

Lesson: Performing Real-Time and Logged Monitoring


Question: A file server is not responding to client requests in a timely manner. You must quickly
diagnose and fix the problem and then return the server to duty. By viewing management
information on the network switches you have determined that network throughput is not the
problem.

What performance tools should you use to diagnose the problem quickly and to ensure that the tools
are not affecting the performance data?
a. Task Manager, on the server with the problem
b. System Monitor, using only the appropriate counters on the local computer.
c. System Monitor, using the default counters from a remote computer
d. System Monitor, using only the appropriate counters from a remote computer

Answer: d

Answer d is correct, because System Monitor runs from a remote computer, which prevents further
degradation of the server's performance, and it does not use unnecessary counters.

Answers a, b, and c are incorrect, either because they are running on the affected computer or
are using unnecessary counters.

Lesson: Configuring and Managing Counter Logs


Question: You are responsible for maintaining four file servers in the Sales group. You must view
performance data daily for all four servers and compare performance data of each file server with the
performance data of the other file servers in the Sales group.

What is the best process for accomplishing this task with the least administrative burden?
a. Create one counter log that captures relevant counter data from all four servers.
b. Create four counter logs that capture relevant counter data, one for each server.
c. Use a screen capture utility to capture performance data every 30 minutes during the entire
day.
d. Create one counter log that captures all available counter data on all the servers.

Answer: a

Answer a is correct, because it uses one log to hold all the data from the servers, so it can be
easily compared.

Answers b, c, and d would require more administrative overhead to compare and analyze the
performance data from the servers.

Lesson: Configuring Alerts


Question: You are responsible for maintaining an application server in your group. This application
server is running an application that was built in-house. The latest revision of the application is having
a performance problem where it begins to use 100 percent of available CPU time and stops
responding to users. Corporate policy states that all servers in this group are required to maintain a
95 percent or higher uptime. You must determine the appropriate performance monitoring strategy
to ensure that this goal is met.

How do you configure performance monitoring so that you can keep up-to-date on potential
failures? Choose the best answer.
a. Create an alert for %Processor Time and log an entry to the application log.
b. Create an alert for %Processor Time and send a network message to yourself.
c. Create an alert for %Processor Time and start a performance data log.
d. Create an alert for %Processor Time and run the shutdown command to restart the server.

Answer: d

This will restart the server and make the application available to users.

Answer a is incorrect, because you may not be monitoring the application log at all times.

Answer b is incorrect, because you will not be notified if you are not logged in to the network.

Answer c is incorrect, because starting a log does not fix the problem or notify you.

Multimedia
Media Type    Title
Animation     Creating a Performance Baseline

Lab Answer Keys


Lab: Preparing to Monitor Server Performance Answer Key
Objectives: After completing this lab, you will be able to:
Examine various scenarios and select the appropriate monitoring technique.

Prerequisites: To complete this lab, you must have the following virtual machines:
None required.

Exercise 1: Selecting the Appropriate Monitoring Technique


In this exercise, you will select the appropriate monitoring technique
based on the following scenarios. R=Real Time, L=Logging, A=Alerts. If
more than one technique will work, put your selections in order of
preference.

Scenario | Monitoring technique(s)
1. Determine when the hard disk is running out of free space. | A,R
2. Provide management with information that can be used for budgeting purposes. | L
3. Determine the number of users that a specific server configuration should support. | L,R
4. Analyze a trend. | L
5. Monitor multiple servers. | L,R
6. Determine when to increase capacity. | L,R
7. Find intermittent performance problems. | L
8. Investigate why a computer application is slow or inefficient. | R,L
9. Determine when to add additional system resources. | L,R
10. Determine when to upgrade the system. | L,R
11. Determine how a server should be used. | L,R
12. Determine expected response times for specific numbers of users and system use. | R
13. Analyze data to find and resolve abnormalities in the system use. | L
14. Monitor use over time. | L
15. Determine a preventive maintenance schedule for your servers. | L
16. Create a baseline for a server. | L
17. Monitor the effects of replication. | L,R
18. Troubleshoot a server. | R,L,A
19. Plan for growth. | L
20. Find a slow memory leak. | L
21. Find a fast memory leak. | R
22. Monitor intermittent disk thrashing. | L
23. Monitor continuous disk thrashing. | R
24. Monitor a remote computer. | L,R,A
25. Respond to user complaints that a server seems to be running slowly. | R,L
26. Monitor a computer 24 hours a day, seven days a week. | L

Module 11
Managing Data Storage
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Managing File Compression
Question: As the systems administrator responsible for data access for the file servers of the sales
group, you must determine what, if anything, you need to communicate to your users about moving
compressed files and folders between the NTFS volumes on the file servers.

Which of the following conditions describes the effect of moving a file or folder between NTFS
volumes?
a. The file or folder is uncompressed, regardless of the compression state of the target folder.
b. The file or folder remains compressed, regardless of the compression state of the target folder.
c. The file or folder inherits the compression state of the target folder.
d. The file or folder retains its compression state no matter where you move it.

Answer: c

Answer c is correct, because the file or folder inherits the compression state of the target
folder.

Lesson: Configuring File Encryption


Question: You are responsible for configuring a series of laptops that will be used by four sales
people for demonstrations at client sites. Due to security concerns that confidential information may
be exposed if the laptops are lost or stolen, you have decided to use Encrypting File System (EFS) to
encrypt the data on the demonstration laptops. You configure the first 32 laptops with EFS and allow
all four users access to the encrypted data. On two of the laptops, however, either the encryption
option is unavailable or, when selected, changes the data size for the data in that folder.

Which of the following options are probable causes of these problems? Choose all that apply.
a. Volume is formatted as FAT32.
b. Volume is formatted with NTFS.
c. Folder is not compressed.
d. Folder is compressed.

Answer: a, d

Answer a is correct, because file encryption requires NTFS.

Answer b is incorrect, because NTFS is required for encryption.

Answer c is incorrect, because uncompressed folders can be encrypted.

Answer d is correct, because compressed files and folders cannot be encrypted.



Lesson: Configuring an EFS Recovery Agent


Question: Some of the salespeople in your organization have been using EFS encryption on their
laptops to protect files in case the laptop is stolen. All laptops are part of the corporate domain, and
users log on with their domain accounts. Recently one of the salespeople was fired, and now his
manager wants access to the files on the former salesperson's laptop.

How can you recover these files? Choose all that apply.
a. Reset the password of the salesperson and log on as the salesperson and decrypt the files.
b. Log on as any user that is a member of Domain Admins and decrypt the files.
c. Log on to the laptop as the domain administrator and decrypt the files.
d. Log on to the laptop as the local administrator and decrypt the files.

Answer: a, c

Answer a is correct, because after a domain account password is reset, the files are still
available to the user.

Answer c is correct, because the domain administrator is the default recovery agent in a
domain.

Answer b is incorrect, because the Domain Admins group has no special privileges to decrypt
files.

Answer d is incorrect, because the local administrator does not have any special privileges to
decrypt files if the laptop is a member of the domain.

Lesson: Implementing Disk Quotas


Question: You are responsible for data access for your group. You need to determine what effect
disk quotas and related administrative actions will have.

Which of the following characteristics apply to disk quotas? Choose all that apply.
a. When a user takes ownership of a file, the file size is charged against the disk quota limit for
that user.
b. Although a file is compressed, disk usage is calculated based on the size of the uncompressed
file.
c. Disk quotas can be used on FAT, FAT32, and NTFS.
d. Disk quotas can be spanned across multiple volumes.

Answer: a, b

Answer a is correct, because when a user takes ownership of a file, the file is added to the
user's quota.

Answer b is correct, because disk quotas are always based on the size of the uncompressed
file.

Answer c is incorrect, because disk quotas require the NTFS file system.

Answer d is incorrect, because disk quotas are volume-based and can be set only at the
volume level.

Multimedia
Media Type    Title
Animation     What Are the Differences Between the FAT, FAT32 and NTFS File Systems?
Animation     What Are Disk Quotas?

Lab Answer Keys


Lab: Managing Data Storage Answer Key
Objectives: After completing this lab, you will be able to:
Troubleshoot disk-quota entries.
Recover an encrypted file.

Note: This lab focuses on the concepts in this module and as a result may not comply with
Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-CL1

Exercise 1: Troubleshooting Disk-Quota Entries


You need to configure a disk quota entry for Paul West.

Task 1 Configure a disk-quota entry for Paul West


1. On DEN-DC1, log on as Administrator with a password of
Pa$$w0rd.
2. Click Start and then click My Computer.
3. Right-click Allfiles (D:) and then click Properties.
4. Click the Quota tab and then click Quota Entries.
5. Click the Quota menu and then click New Quota Entry.
6. Type Paul West, click Check Names, and then click OK.
7. In the Limit disk space to box, type 10.
8. In the Set warning level to box, type 5, and then click OK.
9. Close the Quota Entries for Allfiles (D:) window.
10. Click OK.

Task 2 Test the disk space as Paul West


1. On DEN-CL1, log on as Paul with a password of
Pa$$w0rd.
2. Open Windows Explorer and browse to
\\DEN-DC1\Data\Quota.
3. Copy File1, File2, and File3 into the Project1 folder.

Task 3 On DEN-DC1, view the quota status


1. On DEN-DC1, click Start, point to Administrative Tools,
and then click Computer Management.
2. Expand Event Viewer and then click System.
3. Double-click the event with source ntfs and event id 36.

4. Click OK to close the event, and close Computer
Management.
5. On DEN-CL1, copy File4 and File5 into the Project1
folder. You will get an error indicating that one of the files
could not be copied because there was not enough free
disk space.
6. Click OK to clear the error.

Task 4 Allow Paul West unlimited disk space


1. On DEN-DC1, right-click Allfiles (D:) and then click
Properties.
2. Click the Quota tab and click Quota Entries.
3. Double-click the Paul West quota entry.
4. Click Do not limit disk usage and then click OK.
5. Close the Quota Entries for Allfiles (D:) window.
6. Click OK and close My Computer.
7. On DEN-CL1, copy File1, File2, File3, File4, and File5 into
the Project1 folder. Replace existing files. Notice that now
all the files can be copied.

Exercise 2: Recovering an Encrypted File


In this exercise, you recover an encrypted file.

Task 1 Create an encrypted file logged on as Paul West
1. On DEN-CL1, open Windows Explorer and browse to
\\DEN-DC1\Data\Encrypted.
2. Create a text file named Recover.
3. Double-click Recover, enter your name, save Recover,
and close Notepad.
4. Log off of DEN-CL1.

On DEN-DC1, log on as Administrator and delete the Paul West profile
1. On DEN-DC1, if necessary, log on as Administrator with
a password of Pa$$w0rd.
2. Click Start, point to Control Panel, and then click
System.
3. Click the Advanced tab and, in the User Profiles area,
click Settings.
4. Click the CONTOSO\Paul profile and then click Delete.
5. Click Yes to confirm and then click OK.
6. Close System Properties.
7. Restart DEN-DC1. This is necessary to clear the private
key for Paul West from memory on the server.

On DEN-CL1, open Recover.txt


1. On DEN-CL1, log on as Paul with a password of
Pa$$w0rd.
2. Open Windows Explorer and browse to
\\DEN-DC1\Data\Encrypted.
3. Open Recover.txt. You will receive an access denied
error message.
4. Close Notepad.

On DEN-DC1, decrypt the file


1. On DEN-DC1, open Windows Explorer and browse to
D:\2275\Practices\Mod06\Data\Encrypted.
2. Right-click Recover and click Properties.
3. Click Advanced, clear the Encrypt contents to secure
data check box, and then click OK.
4. Click OK. Notice that the file name is no longer green.
5. Close Windows Explorer.

On DEN-CL1, open Recover.txt


On DEN-CL1, open Recover. This is now possible.

Encrypt Recover.txt
1. Right-click Recover and click Properties.
2. Click Advanced, check the Encrypt contents to secure
data check box, and then click OK.
3. Click OK. Notice that the file name is green again.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
2. To prepare for the next module, start the DEN-DC1 virtual
computer.

Module 12
Managing Disaster Recovery
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Preparing for Disaster Recovery
Question: As the systems administrator responsible for data access and availability, you must
determine which disaster prevention method to use as the primary element to recover from a massive
hardware failure caused by water damage or fire.

Which method applies to this scenario?


a. Data RAID (either mirrored or RAID-5)
b. Uninterruptible power supply (UPS)
c. Backups with offsite data storage
d. Concise documentation on server configuration

Answer: c

Answer c is correct, because it is the only way to prevent this type of damage to data.

Answer a is incorrect, because RAID does not work if the entire system is damaged.

Answer b is incorrect, because UPS does not work for water or fire damage.

Answer d is incorrect, although it is a good idea, because it would not recover the data itself.

Lesson: Backing Up Data


Question: You are responsible for ensuring that all data in your organization is protected against loss
or damage. You must determine how the various backup types affect what is backed up the next time
the backup is run.

Which of the following backup types do not clear the archive attribute? Choose all that apply.
a. Normal
b. Copy
c. Differential
d. Incremental
e. Daily

Answer: b, c, e

Answers b, c, and e are correct, because they do not clear the archive attribute.

Answers a and d are incorrect, because they do clear the archive attribute.
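
An added example, not part of the courseware: a small Python model of the archive attribute that runs each backup type after a Monday normal backup and shows which files each job copies and which files are still flagged afterwards. The file names, the date, and the class and function names are constructed for illustration.

```python
from datetime import date, timedelta

# Backup type -> (which files are selected, whether the archive attribute is cleared)
BACKUP_TYPES = {
    "normal":       ("all", True),
    "copy":         ("all", False),
    "incremental":  ("archive_set", True),
    "differential": ("archive_set", False),
    "daily":        ("modified_today", False),
}


class Volume:
    """Toy model of a volume: each file has an archive attribute and a modified date."""

    def __init__(self, names, day):
        self.files = {}
        for name in names:
            self.write(name, day)

    def write(self, name, day):
        # Creating or changing a file sets its archive attribute.
        self.files[name] = {"archive": True, "modified": day}

    def backup(self, kind, day):
        """Run one backup job and return the sorted list of files it copied."""
        selector, clears = BACKUP_TYPES[kind]
        picked = sorted(
            name for name, f in self.files.items()
            if selector == "all"
            or (selector == "archive_set" and f["archive"])
            or (selector == "modified_today" and f["modified"] == day)
        )
        if clears:
            for name in picked:
                self.files[name]["archive"] = False
        return picked

    def flagged(self):
        """Files whose archive attribute is currently set."""
        return sorted(n for n, f in self.files.items() if f["archive"])


def run_week(kind):
    """Normal backup on Monday; then one file changes and one `kind` job runs per day.

    Returns (files copied by each daily job, files still flagged at the end).
    """
    monday = date(2024, 1, 1)  # constructed date
    names = ["a.doc", "b.doc", "c.doc"]
    vol = Volume(names, monday - timedelta(days=3))
    vol.backup("normal", monday)
    copied = []
    for offset, name in enumerate(names, start=1):
        day = monday + timedelta(days=offset)
        vol.write(name, day)
        copied.append(vol.backup(kind, day))
    return copied, vol.flagged()


if __name__ == "__main__":
    for kind in BACKUP_TYPES:
        copied, flagged = run_week(kind)
        print(f"{kind:<13} copied={copied} still flagged={flagged}")
```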

Lesson: Scheduling Backup Jobs


Question: You recently started working at an organization with 100 users and three servers. You and
one other administrator are responsible for all server and desktop support. The other administrator
has been performing system backups each day in the morning, and he finishes at about noon. When
employed at other organizations, you always scheduled backup jobs to occur at night.

Which of the following is a valid reason why backup jobs should be scheduled rather than started
manually? Choose all that apply.
a. It reduces the workload on administrative staff.
b. Backups are less likely to be forgotten.
c. It reduces load on the server to perform backups outside of regular business hours.
d. Problems with open files are eliminated.

Answer: a, b, c

All are valid reasons to schedule backup jobs.

Answer d is incorrect, because with volume shadow copy, open files are no longer a concern.

Lesson: Restoring Data


Question: You are documenting restore procedures for your servers. Which of the following are
required to perform an Automated System Restore (ASR)? Choose all that apply.
a. The ASR backup set
b. A Microsoft Windows startup disk
c. A floppy disk with disk configuration information
d. The Microsoft Windows Server 2003 installation CD-ROM

Answer: a, c, d

The backup set holds the data that is restored. A floppy disk is used to store disk
configuration information. The Windows Server 2003 installation CD-ROM is required to start
the ASR restore.

Answer b is incorrect. A Windows startup disk is not used as part of an ASR restore.

Lesson: Configuring Shadow Copies


Question: You are considering implementing shadow copies for your servers. As part of the
evaluation process, you have been asked to give some of the other administrative staff examples of
situations where shadow copies will not help and a backup must be used. In which of the following
situations will shadow copies not be able to recover the files?
a. A file is accidentally deleted.
b. A file is modified with incorrect data.

c. A volume becomes corrupted.


d. A file is copied over.

Answer: c

Shadow copies track changes to files. If a volume is corrupted, then shadow copies are lost as
well.

Answers a, b, and d are incorrect, because shadow copies could recover the file at the point
when the last shadow copy was taken.

Lesson: Recovering from Server Failure


Question: Your company has decided to enhance security by installing fingerprint readers on all of
the servers. On a test server, the fingerprint reader and associated driver installed with no problem.
However, when you install a fingerprint reader on the first production server, you cannot log on.

Which of the following are valid ways that you can use to restore logon capabilities to this server?
Choose all that apply.
a. Use a Windows startup disk to disable the driver for the fingerprint reader.
b. Use Last Known Good Configuration to restore the registry to the last successful logon.
c. Use the Recovery Console to install a newer driver version for the fingerprint reader.

d. Use Safe Mode to remove the driver for the fingerprint reader.

Answer: b, d

Last Known Good Configuration will restore the registry to the state before the fingerprint
reader driver was installed. Safe Mode will still function because it loads only essential
components and would not load the driver for the fingerprint reader.

Answer a is incorrect, because a Windows startup disk will start Windows with the existing
configuration, including the driver for the fingerprint reader.

Answer c is incorrect, because the Recovery Console cannot be used to install drivers.

Lab Answer Keys


Lab: Managing Disaster Recovery Answer Key
Objectives After completing this lab, you will be able to:
Back up System State data.
Recover from a corrupt registry by using Last Known Good
Configuration.
Recover from a corrupt registry by restoring System State data.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.
Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1

Exercise 1: Backing Up the System State Data


In this exercise, you will use the Backup Wizard to back up the System
State data for your computer.

Task 1 Back up the System State data


1. On DEN-DC1, log on as Administrator with a password of
Pa$$w0rd.
2. Click Start, point to All Programs, point to Accessories, point to
System Tools, and then click Backup.
3. Click Advanced Mode and then click the Backup tab.
4. Check the System State check box, type D:\SysState.bkf in the
Backup media or file name box, and click Start Backup.
5. Click Replace the data on the media with this backup and then
click Start Backup.
6. Click Close and close the Backup Utility.

Exercise 2: Recovering from a Corrupt Registry by Using Last Known Good Configuration
In this exercise, you will recover from a nonresponsive computer. The
cause of this problem was the installation of a software package that
modified the registry. (The source for this exercise is Microsoft
Knowledge Base article 317246.)

Task 1 Install the software


1. Log on to DEN-SRV1 as Administrator with a password of
Pa$$w0rd.
2. Click Start, click Run, type
C:\MOC\2275\LabFiles\Lab07\inst_01.bat and click OK.
3. When the computer restarts, the mouse and keyboard are disabled.
4. You must use Last Known Good Configuration to recover.

Task 2 Repair the system


1. In the virtual machines, click the Action menu and click Reset.
2. When the computer restarts, press F8 to access the Windows
Advanced Options Menu.
3. Select Last Known Good Configuration and press ENTER.

Task 3 Log on as Administrator


When the computer restarts, log on as Administrator with a
password of Pa$$w0rd.

Exercise 3: Recovering from a Corrupt Registry by Restoring System State Data
In this exercise, you will recover from a nonresponsive mouse. The cause of
this problem was the installation of a software package that modified the
registry. (The source for this exercise is Microsoft Knowledge Base article
317246.)

Task 1 Install the software


1. Click Start, click Run, type D:\2275\Labfiles\Lab07\inst_04.bat and
click OK.
2. Log on as Administrator with a password of Pa$$w0rd.

Recover from a corrupt registry using Last Known Good Configuration
1. Press CTRL+ESC, use the arrows to select Shut Down, and then press
ENTER.
2. Use the arrows to select Restart, use Tab to select the Comment box,
type a letter, use Tab to select OK, and then press ENTER.

Recover from a corrupt registry by restoring System State data using the keyboard
1. When the computer restarts, press F8 to access the Windows Advanced
Options Menu.
2. Select Last Known Good Configuration and press ENTER.
3. When the computer restarts, log on as Administrator with a password
of Pa$$w0rd. The problem is not fixed.
4. Use the arrows to select Restart, use Tab to select the Comment box,
type a letter, use Tab to select OK, and press ENTER.
5. When the computer restarts, press F8 to access the Windows Advanced
Options Menu.

6. Select Directory Services Restore Mode, press ENTER, and press
ENTER.
7. When the computer restarts, log on as Administrator with a password
of Pa$$w0rd.
8. Press ENTER to close the Safe Mode dialog box.
9. Press CTRL+ESC, use the arrows to select All Programs, press right
arrow, select Accessories, press right arrow, select System Tools, press
right arrow, select Backup, and then press ENTER.
10. Use Tab to select Advanced Mode and press ENTER.
11. Press the right arrow twice to select the Restore and Manage Media
tab.

12. Press Tab to select File, press the right arrow four times to select System
State, and then press the SPACEBAR.
13. Use Tab to select Start Restore and press ENTER.
14. Press ENTER to close the Warning dialog box.
15. Press ENTER to confirm the restore.
16. Click Yes to restart your computer.

Confirm the problem is fixed


When the computer restarts, log on as Administrator with a password
of Pa$$w0rd.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 virtual computer.
Software Maintenance Using Windows Server Update Services 13-1

Module 13
Software Maintenance Using Windows Server Update
Services
Contents:
Question and Answers 2
Multimedia 4
Lab Answer Keys 5

Question and Answers


Lesson: Introduction to Windows Server Update Services
Question: Your company has experienced several high-profile virus infections recently. To ensure that
this does not happen again, you are evaluating options for client security upgrades. Internally you
have decided to implement Windows Server Update Services (WSUS). However, you have many
roaming clients who do not have access to the WSUS server and are not part of the domain.

Which is the best solution for ensuring that the operating systems of roaming clients are properly
updated?
a. Use a Group Policy object to configure automatic updates to install updates automatically as
they are available.
b. Provide users with instructions on how to download updates from the Microsoft Windows
Update Web site.
c. Provide users with instructions about how to configure automatic updates to automatically
install updates as they are available.
d. Provide users with instructions on how to install and configure their own WSUS server.

Answer: c

Configuring automatic updates to install updates automatically as they are available is the
most reliable way to ensure that workstations are updated.

Answer a is incorrect, because Group Policy is only applicable if the workstations are members
of the Active Directory directory service forest.

Answer b is incorrect, because requiring users to remember to go to Windows Update will be
unreliable.

Answer d is incorrect, because configuring a WSUS server for each remote user will require too
many resources. WSUS requires a server.

Lesson: Installing and Configuring Windows Server Update Services


Question: Your organization consists of four physical locations connected by a wide-area network
(WAN). Each site has its own independent Internet connection. If the primary concern about installing
WSUS is the impact on WAN links, what is the best way to configure the WSUS servers?

a. All clients download updates from a single WSUS server at the head office.
b. Each location has an independent WSUS server that serves local clients.
c. Each remote location has replica WSUS servers that copy their configuration from the head
office WSUS server.
d. Each remote location has a disconnected WSUS server and updates are imported on those
servers from DVD.

Answer: b

With independent servers at each location, the WSUS servers and clients will not generate any
WAN traffic.

Answer a is incorrect, because Automatic Updates for clients will generate a high volume of
WAN traffic as updates are downloaded.

Answer c is incorrect, because WAN traffic will be generated when updates and configuration
information are downloaded from the head office WSUS server to the replica WSUS servers.

Answer d is incorrect, because disconnected WSUS servers require a large amount of
administrative effort to update.

Lesson: Managing Windows Server Update Services


Question: A hard drive in your WSUS server has failed and the WSUS database has been lost.
Unfortunately, there is no backup of the WSUS database. Which of the following is required to restore
your WSUS server to full functionality after replacing the failed hard drive? Choose all that apply.
a. Synchronize the database and approve all previously approved updates.
b. Recreate any previously existing computer groups that are used for testing or update
deployment.
c. Reinstall WSUS to recreate the database.
d. Recreate the All Computers computer group.
e. Create a Group Policy object to configure Automatic Updates on the client computers.

Answer: a, b, c

The database contains the list of approvals and computer groups. These were lost when the
database was lost.

Answer d is incorrect, because the All Computers computer group is created by default.

Answer e is incorrect, because the Group Policy object was not lost when the database was
lost.

Multimedia
Media Type    Title
Animation     Microsoft Windows Server Update Services



Lab Answer Keys


Lab: Maintaining Software by Using Windows Server Update Services
Answer Key
Objectives After completing this lab, you will be able to:
Create a test computer group.
View status of updates and computers.
Back up WSUS.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1
DEN-CL1

Exercise 1: Create a Test Computer Group


In this exercise, you will create a test computer group and place DEN-
SRV1 in it.

Task 1 Add DEN-SRV1 as a computer in WSUS


1. Log on to DEN-SRV1 as Administrator with a password of Pa$$w0rd.
2. Click Start, click Run, type gpupdate.exe /force, and then click OK.
3. Click Start, click Run, type wuauclt.exe /detectnow and click OK.

Task 2 Open the WSUS Administration Web site


1. Log on to DEN-DC1 as Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, and click Internet Explorer.
3. In the Address Bar, type http://DEN-DC1/WSUSadmin and then
press ENTER.
4. In the User name box, type administrator, and, in the Password box,
type Pa$$w0rd, and then click OK.
5. Click Computers. Notice that DEN-SRV1 is in the list of computers.

Task 3 Create a Test computer group


1. Click Create a computer group.
2. In the Group name box, type Test and then click OK.
3. Click den-srv1 and then click Move the selected computer.
4. In the Computer group box, click Test, and then click OK.
5. In the Groups area, click Test. Notice that DEN-SRV1 is now in this
computer group.

Task 4 Approve an update for the Test group


1. Click Updates.
2. Change the filter to show all updates that have been
synchronized at any time.
3. Scroll down and select Microsoft Windows Installer 3.1.
4. Click Change approval.
5. In the Test computer group row, click Same as All Computers
group, select Install, and then click OK.

Exercise 2: View the Status of Updates and Computers


In this exercise, you will view the status of updates and computers.

Task 1 View update status


1. On DEN-DC1 in the WSUS Administration Web Site, click Reports.
2. Click Status of Updates.
3. In the Computer group box, click Test.

4. Select the Unknown check box and the Needed check box, and then
click Apply.

Task 2 View computer status


1. Click Reports.
2. Click Status of Computers.
3. In the Computer group box, click Test.

4. Select the Unknown check box and the Needed check box, and then
click Apply.
5. Expand den-srv1.contoso.msft.
6. Close Internet Explorer.

Exercise 3: Back up WSUS


In this exercise, you will back up the WSUS database and updates.

Task 1 Stop the database service


On DEN-DC1, click Start, click Run, type net stop mssql$wsus, and
then click OK.

Task 2 Back up the updates and database


1. Click Start, point to All Programs, point to Accessories, point to
System Tools, and click Backup.
2. Click Advanced Mode and click the Backup tab.
3. Expand Allfiles (D:), expand WSUS, and then expand
MSSQL$WSUS.
4. Select the Data check box and the WsusContent check box.
5. In the Backup media or file name box, type D:\WSUS.bkf, and click
Start Backup.
6. Click Start Backup.
7. When the backup is complete, click Close.
8. Close Backup.

Task 3 Start the database service



Click Start, click Run, type net start mssql$wsus, and then click OK.

Task 4 Complete the lab exercise


1. Close all programs and shut down all computers. Do not save
changes.
2. To prepare for the next module, start the DEN-DC1 virtual computer.
Securing Windows Server 2003 14-1

Module 14
Securing Windows Server 2003
Contents:
Question and Answers 2
Lab Answer Keys 4

Question and Answers


Lesson: Introduction to Securing Servers
Question: You work as an administrator for a large multinational company and are a member of a
local computing professional user group. You have been assigned as a mentor to an administrator
working for a small local company. While discussing security implementation with the administrator,
you realize that he is subject to very different restraints in his work environment than you are.

Which of the following are security challenges that are more common in smaller companies? Choose
all that apply.
a. Servers are performing multiple roles.

b. A high percentage of threats are external.


c. Security expertise is lacking.
d. Physical access to servers negates many security measures.
e. There are legal consequences for security breaches.

Answer: a, c, d

Servers performing multiple roles are more often found in smaller organizations. Smaller
organizations typically cannot afford to devote staff to specialized tasks such as security.
Smaller organizations are more likely not to restrict physical access to servers.

Answer b is incorrect, because a high percentage of security threats are internal for large and
small businesses.

Answer e is incorrect, because legal consequences for security breaches apply to large and
small businesses.

Lesson: Implementing Core Server Security


Question: You have just applied Service Pack 1 to all computers running Microsoft Windows
Server 2003 in your organization. A magazine article you read indicates that the Security
Configuration Wizard can be used to secure Windows Server 2003 SP 1 computers.

Which of the following are features of the Security Configuration Wizard? Choose all that apply.
a. Services are enabled and disabled based on server role.
b. Firewall rules are configured based on server role.

c. Security Configuration Wizard settings can be imported into a Group Policy object.
d. Changes can be rolled back if there are problems.

Answer: a, b, c, d

Lesson: Hardening Servers


Question: As part of planning a security policy for your organization, you are analyzing the risks to
your computers. Your current task is analyzing risks to domain controllers.

Which of the following threats are specific to domain controllers? Choose all that apply.
a. Unauthorized changes to Active Directory directory service objects
b. Denial-of-service attacks
c. Exploitation of known security issues
d. Password attacks

Answer: a, d

Only domain controllers hold a copy of Active Directory objects, including passwords.

Answer b is incorrect, because any server or service can be vulnerable to a denial-of-service
attack.

Answer c is incorrect, because any server that is missing updates is vulnerable to known
security issues.

Lesson: Microsoft Baseline Security Analyzer


Question: Your organization has already implemented WSUS for update management. However, you
would like to use the Microsoft Baseline Security Analyzer (MBSA) tool in addition to WSUS.

What features or benefits does MBSA provide that WSUS does not? Choose all that apply.
a. Scans for missing Microsoft Office updates
b. Scans for missing Microsoft BizTalk Server updates
c. Scans for configuration errors in addition to missing updates

d. Scans for missing Microsoft Windows updates


e. Scans for weak passwords

Answer: b, c, e

These features are unique to MBSA and are not found in WSUS.

Answer a is incorrect, because WSUS scans for missing Microsoft Office updates.

Answer d is incorrect, because WSUS scans for missing Windows updates.



Lab Answer Keys


Lab: Securing Windows Server 2003
Answer Key
Objectives After completing this lab, you will be able to:
Use the Security Configuration Wizard.
Configure a Group Policy object for member servers.
Scan a range of computers by using MBSA.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1
DEN-CL1

Exercise 1: Using the Security Configuration Wizard


In this exercise, you will install and run the Security Configuration Wizard.

Task 1 Install the Security Configuration Wizard


1. Log on to DEN-DC1 as Administrator with a password of Pa$$w0rd.
2. Click Start, point to Control Panel, and then click Add or Remove
Programs.
3. Click Add/Remove Windows Components.
4. Scroll down in the Components box, select the Security Configuration
Wizard check box, and then click Next.
5. If prompted for the location of the Service Pack 1 CD-ROM, use
C:\win2k3\I386.
6. Click Finish.
7. Close Add or Remove Programs.

Task 2 Run the Security Configuration Wizard


1. Click Start, point to Administrative Tools, and then click Security
Configuration Wizard.
2. Click Next to begin the Security Configuration Wizard.
3. Ensure that Create a new security policy is selected and click Next.
4. Ensure that DEN-SRV1 is the server to be used as a baseline for the
policy and click Next three times.
5. Click Next again to accept the installed roles.
6. Click Next to accept the installed client features.
7. Click Next to accept the installed administration and other options.
8. Click Next to accept the additional services.
9. Ensure that Do not change the startup mode of the service is selected
and then click Next.
10. Scroll through the list of changed services and note which ones are being
disabled. Notice that Windows Firewall is being enabled.
11. Click Next.
12. Click Next again to start configuring network security.
13. Scroll through the list of ports that will be opened, and then click Next.

14. Click Next again to accept the list of ports that will be opened.
15. Check the Skip this section check box, and then click Next to skip
configuring registry settings.
16. Check the Skip this section check box, and then click Next to skip
configuring audit policies.


17. Check the Skip this section check box, and then click Next to skip
configuring Internet Information Services.
18. Click Next to begin saving the security policy.
19. In the Security policy file name box, type
C:\WINDOWS\security\msscw\Policies\NewMember.xml and then
click Next.
20. Click OK to acknowledge the warning.
21. Click Apply now, and then click Next.
22. When the application of the security policy is complete, click Next.
23. Click Finish.
24. Restart DEN-SRV1.

Exercise 2: Configuring a Group Policy Object for Member Servers


In this exercise, you will configure a group policy object for member
servers.

Task 1 Create an OU for member servers


1. On DEN-DC1, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. Expand Contoso.msft, right-click Contoso.msft, point to New, and
click Organizational Unit.
3. In the Name box, type MemberServers, and then click OK.
4. Click Computers, right-click DEN-SRV1, and click Move.
5. Click MemberServers, and then click OK.

6. Close Active Directory Users and Computers.

Task 2 Create a Group Policy object for member servers


1. Click Start, point to Administrative Tools, and then click Group
Policy Management.
2. Expand Forest: Contoso.msft, expand Domains, expand
Contoso.msft, and then expand MemberServers.
3. Right-click MemberServers, and click Create and Link a GPO Here.
4. In the Name box, type Member Security and then click OK.
5. Click Member Security and click OK to clear the dialog box.

Task 3 Import a security template into the Group Policy object for member servers
1. Right-click Member Security, and then click Edit.
2. Under Computer Configuration, expand Windows Settings, right-
click Security Settings, and then click Import Policy.
3. Select D:\2275\Practices\Mod09\Security Templates\Enterprise
Client .Member Server Baseline.inf, and then click Open.
4. Close the Group Policy Object Editor.

5. Close Group Policy Management.

Exercise 3: Scanning a Range of Computers by Using MBSA


In this exercise, you will scan all computers on a subnet by using MBSA.

Task 1 Scan a range of computers from DEN-DC1


1. On the DEN-DC1 desktop, double-click Microsoft Baseline Security
Analyzer 1.2.1.
2. Click Scan more than one computer.
3. In the IP address range boxes, type 10.10.0.1 to 10.10.0.20.
4. Click Start scan.

Task 2 View the reports for all computers


1. Click Pick a security report to view.
2. Click CONTOSO\DEN-DC1.
3. Review the report and then click Next security report.
4. Review the report and then click Next security report.
5. Close Microsoft Baseline Security Analyzer.

Task 3 Complete the lab exercise


Close all programs and shut down all computers. Do not save changes.
Implementing Printing A-1

Module A
Implementing Printing
Contents:
Question and Answers 2
Multimedia 5
Lab Answer Keys 6

Question and Answers


Lesson: Installing and Managing Access to Printers
Question: You are responsible for managing and configuring print resources. Over the past six
months, color print devices have been added to all the printer rooms under your control. It is brought
to your attention that, in the last few weeks, users have been using the color print devices much more
than the black-and-white print devices.

Because a color print device carries a higher cost per use than a black-and-white print device, you are
asked to limit this resource to groups that require color print jobs. Which of the following best fulfills
this requirement? Choose the best answer.

a. Create a local group that contains all the authorized users and set the permissions on the
color printers to:
Everyone = Deny Print
New local group = Allow Print
b. Create a global group that contains all the authorized users, and set permissions on the color
printer to:
Everyone = Allow Print
New global group = Allow Print

c. Create a local group that contains all the authorized users and set the permissions on the
color printer to:
New local group = Allow Print
d. Create a global group that contains all the authorized users and set the permissions on the
color printer to:
New global group = Deny Print

Answer: Answer c is correct.

Answer a is incorrect, because if everyone is denied Print permission, then no one can access
the printer.

Answer b is incorrect, because if everyone is granted Print permission, then the goal is not
met.

Answer c is correct, because the Everyone group has been removed. As a result, the Everyone
group is implicitly denied access.

Answer d is incorrect, because denying the new group the Print permission does not allow
anyone to print to the printer.
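The following added example (not part of the original course material) models the four permission sets from the question with a simplified access check: an explicit Deny wins, otherwise any matching Allow grants access, otherwise access is implicitly denied. The group name ColorUsers and the two users are hypothetical, and the model assumes every user is a member of Everyone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str   # group the entry applies to
    kind: str      # "allow" or "deny"
    right: str     # permission name, e.g. "print"


def check_access(groups, acl, right="print"):
    """Return (granted, reason) for a user who belongs to `groups`.

    Simplified model of a canonically ordered ACL: explicit Deny entries
    are evaluated before Allow entries, and no matching entry means no
    access (implicit deny).
    """
    matching = [a for a in acl if a.right == right and a.trustee in groups]
    if any(a.kind == "deny" for a in matching):
        return False, "explicit deny"
    if any(a.kind == "allow" for a in matching):
        return True, "allow"
    return False, "implicit deny"


# Hypothetical users. Everyone appears in every user's group list.
USERS = {
    "authorized":   {"Everyone", "ColorUsers"},
    "unauthorized": {"Everyone"},
}

# The four permission sets from the question. ColorUsers stands in for the
# "new local group" / "new global group"; group scope plays no part in
# this model.
OPTIONS = {
    "a": [Ace("Everyone", "deny", "print"), Ace("ColorUsers", "allow", "print")],
    "b": [Ace("Everyone", "allow", "print"), Ace("ColorUsers", "allow", "print")],
    "c": [Ace("ColorUsers", "allow", "print")],
    "d": [Ace("ColorUsers", "deny", "print")],
}


def evaluate(acl):
    """Access decision and reason for each hypothetical user."""
    return {user: check_access(groups, acl) for user, groups in USERS.items()}


def options_meeting_goal():
    """Goal: authorized users can print and everyone else cannot."""
    good = []
    for name, acl in OPTIONS.items():
        result = evaluate(acl)
        if result["authorized"][0] and not result["unauthorized"][0]:
            good.append(name)
    return good


if __name__ == "__main__":
    for name, acl in OPTIONS.items():
        print(name, evaluate(acl))
    print("meets goal:", options_meeting_goal())
```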

Lesson: Managing Printer Drivers


Question: Your organization uses more than 100 different types of print devices. Your existing
corporate desktop computers are running Microsoft Windows XP Professional. Your organization is
acquiring a new company that uses desktop computers running Microsoft Windows NT 4.0. The new
company's desktop computers will be incorporated into your company without any changes.

What must you do to ensure that the clients running Windows NT 4.0 can print to your print devices?
Choose the answer that requires the least amount of administrative effort.
a. Install the printer driver for Windows XP on each computer running Windows NT 4.0.

b. Install the printer driver for Windows NT on each computer running Windows XP.
c. Nothing; the computers running Windows NT can print by default.
d. Add the printer driver for Windows NT to the existing printers.

Answer: Answer d is correct.

Answer a is incorrect, because you cannot install a printer driver for Windows XP on
computers running Windows NT.

Answer b is incorrect, because you would not install a driver for an older operating system on
a computer.

Answer c is incorrect, because computers running Windows NT cannot print by default.

Answer d is the best answer and requires the least amount of administrative effort.

Lesson: Implementing Printer Locations


Question: For which of the following do you use the location-tracking feature?
a. Printer

b. Print device

Answer: Answer b is correct.

Locations are always for the print device. The location of the printer is irrelevant to the users.

Question: Which of the following are requirements for printer-location tracking? Choose all that
apply.
a. Client computers that can search Active Directory directory service

b. Print devices that support location tracking


c. At least one Active Directory site and two or more Internet Protocol (IP) subnets
d. A subnet object for each Active Directory site

Answers a, c, and d are correct.

The print device does not need to understand anything about Active Directory.

Examine the subnet objects in Active Directory


1. Log on to DEN-DC1 as Administrator with the password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
3. Expand the Sites container, and then expand the Subnets container.

4. Right-click the 10.10.0.0/16 subnet object, and then click Properties.


5. Click the Location tab.
What location is associated with this subnet?

Answer: Denver/Downtown.
6. Click Cancel.
7. Open the Properties dialog box for the 10.15.0.0/16 subnet, and then click the Location tab.
What location is associated with this subnet?
Answer: Denver/Warehouse.
8. Click Cancel and then close Active Directory Sites and Services.

9. Click Start, point to Administrative Tools, and then click Group Policy Management.
10. Expand Forest:contoso.msft/Domains/contoso.msft.
11. Click the Group Policy Objects folder.
12. In the details pane, right-click the Default Domain Policy and then click Edit.
13. In the Group Policy Object Editor window, expand Computer Configuration, Administrative
Templates, and then click Printers.
14. In the details pane, double-click Pre-populate printer search location text.
15. On the Setting tab, click Enable and then click OK.
16. Close all open windows.
17. Open a command prompt and refresh group policy by typing Gpupdate /force.
18. Close all windows and log off of DEN-DC1.

Perform a test search for printers


1. Double-click the Add Printer icon.
2. On the Welcome page, click Next.
3. On the Local or Network Printer page, click A network printer, or a printer attached to
another computer and then click Next.
4. On the Specify a Printer page, leave the default selection of Find a printer in the directory, and
then click Next.
5. In the Find Printers dialog box, what is the value in the Location field?
Answer: Denver/Downtown/
6. Click Find Now.
Both the Sales printer and the Finance printer should be returned in the results.
7. Close all windows and log off of DEN-SRV1.

Multimedia
Media Type    Title
Animation     Printing Terminology
Animation     Defining Location Names



Lab Answer Keys


Lab: Implementing Printing Answer Key
Objectives After completing this lab, you will be able to:
Install printers, set printer locations and permissions.
Search for printers and test permissions.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.
Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1
DEN-CL1

Exercise 1: Installing Printers and Setting Printer Locations and Permissions


In this exercise, you will install printers and set the location
attribute.

Task 1 Add the Shipping printer and set the location


1. Log on to DEN-SRV1 as Administrator with the password of
Pa$$w0rd.
2. Click Start, and then click Printers and Faxes.
3. Double-click the Add Printer icon.
4. In the Add Printer Wizard, on the Welcome page, click
Next.
5. On the Local or Network Printer page, click Local printer
attached to this computer, clear the Automatically detect
and install my Plug and Play printer check box, and then
click Next.
6. On the Select a Printer Port page, leave the default LPT1
selected, and then click Next.
7. On the Install Printer Software page, under Manufacturer,
select HP. Under Printers, select HP LaserJet 5Si, and then
click Next.
8. On the Name Your Printer page, type Shipping in the
Name field, and then click Next.
9. On the Printer Sharing page, leave the default share name
of Shipping, and then click Next.
10. On the Location and Comment page, type
Denver/Warehouse in the Location field.
11. On the Print Test Page page, select No, and then click Next.
12. Select Finish. (If prompted to insert the Windows Server 2003
compact disc, browse to C:\Win2k3\I386, and then click OK.)

Task 2 Set permissions on the Shipping printer


1. In Printers and Faxes, right-click the Shipping printer, and
then click Properties.
2. Click the Security tab, and then remove the Everyone and
Power Users groups.
3. Click Add.
4. Find the G Sales group, and then assign Print permission.
5. Find the G Sales Managers group, and then assign Manage
Documents and Manage Printers permissions.
6. Click OK and close the Printers and Faxes window.

Exercise 2: Searching for Printers and Testing Permissions



In this exercise, you will search Active Directory and test access
to the Shipping printer.

Task 1 Search Active Directory for the Shipping printer, and then connect as a Sales department user

1. Log on to DEN-CL1 as Jeff with a password of
Pa$$w0rd.
2. Click Start, and then click Printers and Faxes.
3. Click the Add a printer icon, and then click Next.
4. On the Local or Network Printer page, click Next.
5. On the Specify a Printer page, ensure that Find a
printer in the directory is selected, and then click Next.
6. In the Printers tab, click Browse.
7. In the Browse for Location box, click Warehouse.
8. Click OK.
9. Click Find Now.
10. Right-click the Shipping printer, and then click Connect.
11. Click OK.

12. Click Finish. The Shipping printer should appear as a
network printer in Printers and Faxes.
13. Log off DEN-CL1.

Task 2 Search Active Directory as a user without permissions to the Shipping printer

1. Log on to DEN-CL1 as Judy with the password of
Pa$$w0rd.
2. Repeat Task 1 to connect to the Shipping printer. When
this user attempts to connect, a message box asking for
credentials will appear because this user has no authority
to connect to this printer.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
2. To prepare for the next module, start the DEN-DC1 and
DEN-SRV1 virtual computers.

Module B
Managing Printing
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Changing the Location of the Print Spooler
Question: You are responsible for managing and configuring printers and print servers for your
organization. You must determine what you can do to increase the performance of your print servers
responding to client print requests. Which of the following options are likely to improve print server
performance? Choose all that apply.
a. Schedule the print spooler service to restart two to three times a day to clear out the spooler
b. Place the spool folder on a dedicated disk drive
c. Use a multiprocessor server with a minimum of two processors
d. Add RAM to the print server
e. Move the spool folder to a larger or faster disk
f. Place the spool folder on the same disk drive as the operating system binary files

Answer: Answers b, d, and e are correct.

Answer a is incorrect, because restarting the print spooler service does not affect
performance.

Answer b is correct, because using a dedicated disk increases printer performance by giving
the service exclusive access to the disk.

Answer c is incorrect, because doing this is not as likely to increase performance.

Answer d is correct, because adding RAM increases the overall performance of the print
server.

Answer e is correct, because using a faster or larger disk increases printer performance by
giving the service more disk space.

Answer f is incorrect, because doing this adversely affects the performance of the print server.

Move the spool folder


1. Open Printers and Faxes, click the File menu, and then click Server Properties.
2. In the Print Server Properties dialog box, click the Advanced tab.
What is the current location of the spool folder?
Answer: C:\WINDOWS\System32\spool\PRINTERS

3. Switch to Windows Explorer, and then browse to C:\WINDOWS\System32\spool\PRINTERS.
The test job you sent should be in the folder.
4. Return to the Print Server Properties Advanced tab, and then change the location of the spool
folder to C:\Spool and click OK.
5. Read the Print Server Properties warning message, and then click Yes.

Lesson: Setting Printer Priorities


Question: You discover that users who print financial reports are preventing other users from
receiving their print jobs in a timely manner. What can you do to solve this problem? Choose the best
answer.
a. Set high priority for the Everyone group
b. Set high priority for the group that prints the financial documents and low priority for groups
that also use this printer
c. Set low priority for the group that prints the financial documents and high priority for other
groups that also use this printer
d. Set low priority for the Everyone group

Answer: Answer c is correct.

Setting the group that prints the low-priority documents to low priority is the best solution to
this problem.

Lesson: Scheduling Printer Availability


Question: Your organization uses printer scheduling to defer printing of large financial reports and
Accounts Receivable documents to only after regular office hours. It is brought to your attention that
some users' print jobs did not print overnight. What may be the problem? Choose the best answer.
a. Scheduling is incorrectly configured
b. The print server is running out of disk space
c. The print server is running its scheduled backup during the scheduled printer availability time

Answer: Answer b is correct.

Answer a is incorrect, because if the schedule were incorrect, then no documents from this
group would print.

Answer b is correct, because if the print server is running low on disk space, only some of the
documents would print.

Answer c is incorrect, because backups do not affect print jobs.

Lesson: Configuring a Printing Pool


Question: You are responsible for managing printing resources for your department. Each floor of
your building has eight printers located in two different rooms. The printer rooms on each floor have
two printers that are identical and two other printers of varied hardware types. Is this scenario a
candidate for the use of printing pools?
a. Yes, but for only the varied printer hardware types
b. No, because all the printers are not centrally located
c. Yes, but for only the identical printers that are located in the same room.
d. No, because users will not know to which printer room their job printed

Answer: Answer c is correct.

Printing pools must contain print devices that use the same print drivers.

Lesson: Redirecting the Print Queue


Question: The Finance department has two print devices in close proximity, and both devices use the
same print driver. They are controlled by two different print servers. If one of the print devices fails,
how could the current jobs in the print queue be transferred to the other print device?
a. Create a new standard TCP/IP port that points to the other print device
b. Create a new standard TCP/IP port that points to the other print server
c. Create a new local port that uses the UNC path of the other printer
d. The current jobs could only be transferred to another printer on the same print server

Answer: Answer c is correct.

A new local port can point to the UNC path of another printer. The current jobs in the queue
will automatically transfer over as long as the new port is used.

Multimedia
Media Type Title

Animation How Printing Pools Work



Lab Answer Keys


Lab: Managing Printing Answer Key
Objectives After completing this lab, you will be able to:
Install printers and create a printing pool.
Set printer priority and schedule availability.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.
Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV1

Exercise 1: Installing Printers and Creating a Printing Pool


In this exercise, you will install printers and create a printing pool.

Task 1 Create a new sales printer


1. Log on to DEN-SRV1 as the Administrator with the
password of Pa$$w0rd.
2. Click Start and then click Printers and Faxes.
3. Double-click Add Printer. Click Next.
4. Ensure that Local printer attached to this computer is
selected, and then clear the Automatically detect and
install my Plug and Play printer check box.
5. On the Select a Printer Port page, click Create a New Port.
6. In the Type of port drop-down list, select Standard TCP/IP
Port.
7. On the Add Standard TCP/IP Printer Port Wizard page,
click Next.
8. On the Add Port page, enter 10.10.0.50 into the Printer
Name or IP Address field and then click Next.
9. On the Additional Port Information Required page, click
Next.
10. Click Finish.
11. On the Install Printer Software page, select HP LaserJet 4
printer, and then click Next.
12. On the Use Existing Driver page, ensure that Keep existing
driver is selected, and then click Next.
13. On the Name Your Printer page, type SalesPool, and then
click Next.
14. On the Printer Sharing page, ensure that the share name is
SalesPool.
15. On the Location and Comment page, type
Denver/Downtown in the Location field and click Next.

16. On the Print Test Page page, select No and click Next.
17. Click Finish to complete the installation.

Task 2 Create a printing pool


1. Right-click the SalesPool printer, click Properties, and then
click the Ports tab.
2. Click Add Port.
3. Select Standard TCP/IP Port, and then click New Port.
4. On the Welcome page of the Add Standard TCP/IP Printer
Port Wizard, click Next.
5. On the Add Port page, enter 10.10.0.60 into the Printer
Name or IP Address field and then click Next.
6. On the Additional Port Information Required page, select
Generic Network Card, and then click Next.
7. Click Finish.
8. Click Close.
9. On the Ports tab, select Enable printer pooling.
10. Select both the 10.10.0.50 port and the 10.10.0.60 port.
11. Click Close.

Exercise 2: Setting Printer Priorities and Scheduling Availability


In this exercise, you will set printer priorities and schedule
printer availability.

Task 1 Create a new sales printer


1. On DEN-SRV1, ensure that the Printers and Faxes
window is open.
2. Double-click the Add Printer icon.
3. On the Welcome page of the Add Printer Wizard, click
Next.
4. Ensure that Local printer attached to this computer is
selected, and then clear the Automatically detect and
install my Plug and Play printer check box.
5. On the Select a Printer Port page, ensure that LPT1 is
selected as the port, and then click Next.
6. On the Install Printer Software page, select HP LaserJet
4 printer, and then click Next.
7. On the Use Existing Driver page, ensure that Keep
existing driver is selected, and then click Next.
8. On the Name Your Printer page, type SalesManager,
and then click Next.
9. On the Printer Sharing page, type the share name
SalesManager, and then click Next.
10. On the Location and Comment page, click Next.
11. On the Print Test Page page, select No and then click
Next.
12. Click Finish to complete the installation.

Task 2 Set the priority to high


1. Right-click the SalesManager printer, and then click
Properties.
2. Click the Advanced tab.
3. Set the Priority to 90.

Task 3 Set permissions on the SalesManager printer


1. Click the Security tab.
2. Remove Everyone.
3. Add the G Sales Managers global group, and then assign
Print permission.

Task 4 Create a printer to be available after hours


1. Create another local HP LaserJet 4 printer configured to
use LPT1 and named Overnight, and then share it as
Overnight.
2. Right-click the Overnight printer, and then click
Properties.
3. Click the Advanced tab.
4. Schedule the printer to be available from 12:00AM to
6:00AM.
5. Click OK.
6. Close all open windows.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
2. To prepare for the next module, start the DEN-DC1 and
DEN-CL1 virtual computers.

Module C
Monitoring Server Performance
Contents:
Question and Answers
Multimedia
Lab Answer Keys

Question and Answers


Lesson: Monitoring Server Memory
Question: You are responsible for maintaining four application servers that provide sales forecasting
data to the front-line sales managers in your organization. It has been reported that the performance
level of one of the servers is much lower than normal. Before any action is taken, you must determine
whether the memory subsystem, which currently has 512 megabytes (MB) of physical RAM, is causing
the performance problem.

Given the following counters and results for the Memory performance object, which of the following
options indicate that the memory subsystem is the cause of the performance problem? Choose all
that apply.
a. Pool Nonpaged Bytes = Rising; Committed Bytes = 500 MB
b. Pool Nonpaged Bytes = Steady; Committed Bytes = 212 MB
c. Pages/sec = 17; Available Bytes = 20 MB
d. Pages/sec = 4; Available Bytes = 284 MB

Answer: a, c

Answers a and c are correct, based on the recommended performance thresholds for the
memory subsystem.

Lesson: Monitoring Processor Usage


Question: You are responsible for maintaining four application servers that provide sales forecasting
data to the front-line sales managers in your organization. It has been reported that one of the
servers is returning errors and its performance level is much lower than normal. Before any action is
taken, you must determine whether the CPU in the server itself is causing the problem.

Given the following counters and results for the CPU objects, which of the following options indicates
that the CPU is the cause of the performance problem?
a. Processor\% Processor Time = 40% to 90%
b. System\Processor Queue Length = 4 to 5
c. Server Work Queues\Queue Length = 2 or less
d. Processor\% Processor Time = steady at 80%

Answer: b

Answers a, c, and d all fall within normal operating ranges.

Configure System Monitor to monitor selected processor counters


1. On DEN-DC1, click Start, point to Administrative Tools, and then click Performance.
2. Click the graph and press CTRL+E to clear the existing counters.
3. Click System Monitor, and then add the Processor\% Processor Time counter and the
System\Processor Queue Length counter.
4. Record the information for the following counters:
a. Processor\% Processor Time
b. System\Processor Queue Length
5. Open D:\2275\Practices\Mod03, and then start the cpustres.exe application.
6. Set the Activity level for Thread 1 to Maximum.
7. Record the information for the following counters:
a. Processor\% Processor Time
b. System\Processor Queue Length
8. Is the cpustres.exe command causing a bottleneck? How can you tell?
Answer: System\Processor Queue Length is 2 or above.
9. Close all windows.

Important Do not shut down the virtual machines.

Lesson: Monitoring Disks


Question: You are responsible for maintaining four application servers that provide sales forecasting
data to the front-line sales managers in your organization. It has been reported that the performance
level of one of the servers is much lower than normal. Before any action is taken, you must determine
whether the disk subsystem is causing the performance loss.

Given the following counters and results for the Physical Disk performance object, which of the
following options indicate that the physical disks may be the cause of the performance problem?
Choose all that apply.
a. % Disk Time = 22%; Current Disk Queue Length = 0
b. % Disk Time = 94%; Current Disk Queue Length = 1
c. Avg. Disk Bytes/Transfer = 30% lower than baseline; Disk Bytes/sec = 22% lower than baseline
d. Avg. Disk Bytes/Transfer = 26% higher than baseline; Disk Bytes/sec = 33% higher than baseline

Answer: b, c

Answers b and c are correct, based on the recommended performance thresholds for the disk
subsystem.

Configure System Monitor to monitor selected disk counters


1. On DEN-DC1, click Start, and click Help and Support. Record how long it takes to start Help and
Support.
2. Close Help and Support Center.
3. Click Start, point to Administrative Tools, and then click Performance.
4. Click the graph and press CTRL+E to clear the existing counters.
5. Click System Monitor, and then add the following counters:
a. Memory\Pages/sec
b. PhysicalDisk\% Disk Time
c. PhysicalDisk\Current Disk Queue Length
d. Processor\% Processor Time
6. Record the information for the following counters:
a. Memory\Pages/sec
b. PhysicalDisk\% Disk Time
c. PhysicalDisk\Current Disk Queue Length
d. Processor\% Processor Time
7. Open D:\2275\Practices\Mod03 and start the disk.bat application.
8. Switch to report view, and then record the information for the following counters:
a. Memory\Pages/sec
b. PhysicalDisk\% Disk Time
c. PhysicalDisk\Current Disk Queue Length
d. Processor\% Processor Time
9. On the Start menu, click Help and Support and record how long it takes to start Help.
10. Is disk.bat causing a disk bottleneck? How can you tell?
Answer: Yes, the Current Disk Queue Length is above 2.
11. Close all windows.

Lesson: Monitoring Network Usage


Question: You are responsible for maintaining four application servers that provide sales forecasting
data to the front-line sales managers in your organization. It has been reported that the performance
level of one of the servers is much lower than normal. Before any action is taken, you must determine
whether the network is causing the performance loss.

Given the following counters and results for the Network Interface performance object, which of the
following options indicate that the network is the cause of the performance issue? Choose all that
apply.
a. Bytes Total/sec = 15000.220; Network Utilization = 78%
b. Bytes Total/sec = 210.254; Network Utilization = 22%
c. Bytes Sent/sec = 300.452; Network Utilization = 85%
d. Bytes Sent/sec = 14025.321; Network Utilization = 21%

Answer: a, c

Answers b and d are within the recommended performance threshold for the network
subsystem.

Multimedia
Media Type Title

Animation What Are the Primary Server Subsystems?



Lab Answer Keys


Lab: Monitoring Server Performance Answer Key
Objectives After completing this lab, you will be able to:
Create and configure alerts.
Configure the messaging service.
Find and eliminate a high CPU usage process.
Find and eliminate a high memory usage process.

Note This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.
Prerequisites To complete this lab, you must have the following virtual machines:
DEN-DC1

Exercise 1: Create and Configure Alerts


In this exercise, you will create an alert that sends a network
message when CPU utilization is too high.

Task 1 Log on to your computer


Log on to DEN-DC1 as Administrator with a password of
Pa$$w0rd.

Task 2 Create a performance console


1. Click Start, point to Administrative Tools, and then click
Performance.
2. Click the graph and press CTRL+E to clear the existing
counters.
3. Click System Monitor, and then add the following counters:
Processor\% Processor Time
Memory\Available MBytes

Task 3 Create a high CPU Utilization alert for over 80% processor time

1. Expand Performance Logs and Alerts, and click Alerts.
2. Right-click Alerts, and then click New Alert Settings.
3. In the Name box, type HighCPU, and then click OK.
4. Click Add, and select the Processor\% Processor Time
counter, click Add, and then click Close.
5. In the Limit box, type 80.

Task 4 Configure HighCPU to send a network message


1. Click the Action tab.
2. Check the Send a network message to check box, and, in
the Send a network message to box, type Administrator,
and then click OK.

Task 5 Create a low memory alert for less than 100 MB free

1. Right-click Alerts, and then click New Alert Settings.
2. In the Name box, type LowMem, and click OK.
3. Click Add, and select the Memory\Available MBytes
counter, click Add, and then click Close.
4. In the Alert when the value is box, click Under.
5. In the Limit box, type 100.

Task 6 Configure LowMem to send a network message


1. Click the Action tab.
2. Check the Send a network message to check box, and, in
the Send a network message to box, type Administrator,
and then click OK.
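
The HighCPU and LowMem alerts from Tasks 3 through 6, written as data and replayed over a recorded counter log so the limits can be checked against real samples. This is an added example, not part of the courseware; the sample log, the (_Total) instance, the strict Over/Under comparison and all function names are assumptions.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    name: str        # alert name as typed in the Name box
    counter: str     # object\counter path, without the \\machine prefix
    direction: str   # "over" or "under" (the "Alert when the value is" choice)
    limit: float     # value typed in the Limit box


# The two alerts from Tasks 3-6. The (_Total) instance is an assumption;
# the lab only names the Processor\% Processor Time counter.
LAB_ALERTS = [
    Alert("HighCPU", r"Processor(_Total)\% Processor Time", "over", 80.0),
    Alert("LowMem", r"Memory\Available MBytes", "under", 100.0),
]

# Constructed sample in the PDH-CSV layout used by counter logs.
# A blank " " field marks a sample the collector could not take.
SAMPLE_LOG = r'''
"(PDH-CSV 4.0) (Mountain Standard Time)(420)","\\DEN-DC1\Processor(_Total)\% Processor Time","\\DEN-DC1\Memory\Available MBytes"
"03/01/2006 10:00:00.000","12.5","310"
"03/01/2006 10:00:05.000","97.3","305"
"03/01/2006 10:00:10.000"," ","120"
"03/01/2006 10:00:15.000","80","99"
"03/01/2006 10:00:20.000","45.1","100"
'''


def _counter_key(path):
    # \\HOST\Object(Instance)\Counter -> object(instance)\counter
    if path.startswith("\\\\"):
        parts = path[2:].split("\\", 1)
        path = parts[1] if len(parts) == 2 else ""
    return path.lower()


def _parse(log_text):
    rows = list(csv.reader(io.StringIO(log_text.strip())))
    if not rows:
        raise ValueError("empty counter log")
    header, samples = rows[0], rows[1:]
    # Column 0 is the timestamp; every other column is one counter.
    columns = {_counter_key(h): i for i, h in enumerate(header) if i > 0}
    return columns, samples


def unmonitored(log_text, alerts=LAB_ALERTS):
    """Names of alerts whose counter does not appear in the log at all."""
    columns, _ = _parse(log_text)
    return [a.name for a in alerts if a.counter.lower() not in columns]


def evaluate(log_text, alerts=LAB_ALERTS):
    """Return (timestamp, alert name, value) for each sample that trips an alert."""
    columns, samples = _parse(log_text)
    hits = []
    for row in samples:
        for alert in alerts:
            idx = columns.get(alert.counter.lower())
            if idx is None or idx >= len(row):
                continue
            try:
                value = float(row[idx])
            except ValueError:
                continue  # blank sample: nothing to compare
            # Assumption: Over/Under are strict, so a value equal to the
            # limit does not fire.
            if alert.direction == "over":
                fired = value > alert.limit
            else:
                fired = value < alert.limit
            if fired:
                hits.append((row[0], alert.name, value))
    return hits


if __name__ == "__main__":
    for when, name, value in evaluate(SAMPLE_LOG):
        print(f"{when}  {name}  value={value}")
    print("not evaluated:", unmonitored(SAMPLE_LOG))
```

An alert whose counter is missing from the log never fires, so check `unmonitored()` before reading an empty result as a healthy server.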

Exercise 2: Configure the Messaging Service


In this exercise, you will enable the messenger service.

Task 1 Open Computer Management


Click Start, point to Administrative Tools, and then click
Computer Management.

Task 2 Enable the messenger service


1. Expand Services and Applications, and click Services.
2. In the right pane, right-click Messenger, and then click
Properties.
3. In the Startup type box, click Automatic.
4. Click Start, and then click OK.
5. Close Computer Management.

Exercise 3: Finding a High CPU Usage Process


In this exercise, you will find the high CPU usage process and
stop it.

Task 1 Test the high CPU usage alert


1. Start D:\2275\Practices\Mod03\cpustres.exe.
2. Under Thread 1, select the Active check box, and, in the
Activity box, click Maximum.

3. Look in the Performance console to see the % Processor
Time.
4. Click OK to close any messages.
5. In Performance, click Alerts, right-click HighCPU, and
then click Stop.
6. Find the high CPU usage process.

Open Task Manager


1. Click the Processes tab, and click the CPU column header
twice. Notice that cpustres.exe is at the top of the list.
2. Click cpustres.exe, and then click End Process.
3. Click Yes to confirm.
4. Close Task Manager.

Exercise 4: Finding a High Memory Usage Process


In this exercise, you will find the high memory usage process
and stop it.

Task 1 Test the high CPU usage alert


1. Start D:\2275\Practices\Mod03\leakyapp.exe.
2. Click Start Leaking.
3. Look in the Performance console to see the Available
MBytes.
4. Wait until a dialog box appears indicating that the
Available MBytes is less than 100. This will take a minute
or two.
5. Click OK to close any messages.
6. In Performance, click Alerts, right-click LowMem, and
then click Stop.

Find the high CPU usage process


1. Open Task Manager.

2. Click the Processes tab, and click the Mem Usage
column header twice. Notice that leakyapp.exe is at the
top of the list.
3. Click leakyapp.exe, and then click End Process.
4. Click Yes to confirm.
5. Close Task Manager.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not
save changes.
2. To prepare for the next module, start the DEN-DC1 and
DEN-CL1 virtual computers.

Module D
Maintaining Device Drivers
Contents:
Question and Answers

Question and Answers


Lesson: Configuring Device-Driver Signing Options
Question: Users must upgrade the device driver for a smart card reader so that they can use new
features. The device driver is unsigned. You need to allow users to perform their own upgrades
because not all computers are on the corporate network. You need to ensure that the users can install
the drivers and are not prompted with any driver signing messages. Choose the correct answer.
a. Configure driver signing options for Block.
b. Configure driver signing options for Ignore.
c. Configure driver signing options for Warn.
d. Configure driver signing by clearing the Administrator option.

Answer: b

Answer b is correct, because Ignore allows the driver to be installed without user intervention.

Answer a is incorrect, because blocking the driver signing forces the driver not to be installed.

Answer c is incorrect, because a warning will confuse many users.

Answer d is incorrect, because removing this option means it must be configured separately
for each user on a computer.

Lesson: Using Device Driver Roll Back


Question: A previously installed smart card driver is causing problems with remote client
connectivity. Until a permanent solution can be tested and implemented, you must correct the
problem by providing the fastest way for each client to restore its connection to the corporate
network.

Which of the following actions provides the best solution?


a. Remove the existing driver, and then reinstall the earlier device driver
b. Reinstall the earlier driver on top of the new driver
c. Use Driver Roll Back to revert to the previously installed driver
d. Remove the existing driver, and then reconfigure Remote Access to not require a smart card

Answer: c

Answer c is correct, because this solution requires the least amount of administrative effort
and has the lowest risk of failure.

Answer a is incorrect, because this solution, although it would work, requires more
administrative effort.

Answer b is incorrect, because this solution may cause some issues, and it is not a best practice
because some vendors may have the wrong dates on the files.

Answer d is incorrect, because this action would lower security for this environment.

Module E
Managing Disks
Contents:
Question and Answers
Lab Answer Keys

Question and Answers


Lesson: Preparing Disks
Question: You are responsible for managing the file and print servers for the marketing group. Your
responsibilities include maintaining and upgrading server hardware as needed. You find that one of
the servers is running low on available disk space. You acquire a new 100-gigabyte (GB) hard disk to
add to the file server. Your goal is to make all the space on the hard disk available to users for
compressed or encrypted files.

How many partitions should you create? With which file system should you format the partition or
partitions? Choose the correct answer.

a. 4 partitions, FAT32
b. 5 partitions, FAT
c. 1 partition, NTFS
d. 1 partition, FAT32
e. 2 partitions, NTFS

Answer: c

NTFS is the only file system that can be used to format a volume of this size. The maximum
volume that FAT32 can format in Microsoft Windows Server 2003 is 40 GB. If the volume is
formatted using Microsoft Windows 2000, however, Windows Server 2003 can use the
volume.

Lesson: Converting Disks


Question: As the administrator for the file servers that your sales group uses, you must determine
whether converting the three existing basic disks to dynamic disks is an appropriate solution.

From the following options, select the one that requires conversion to dynamic disks to accomplish all
stated goals. Choose all that apply.
a. One drive letter for all three disks, NTFS file system, dual boot to run a proprietary backup
application
b. NTFS file system, use RAID-5 for all three disks
c. Striped volume for all three disks, NTFS file system
d. Three volumes, FAT32 file system, no dual boot

Answer: b, c

Answer b is correct, because software-based RAID-5 requires dynamic disks.

Answer c is correct, because software-based striped volumes require dynamic disks.

Answer a is incorrect, because dual boot is not supported while using dynamic disks.

Answer d is incorrect, because FAT32 does not require dynamic disks.

Lesson: Managing Disk Properties


Question: In your role as systems administrator for the corporate office of a retail organization, you
manage and configure disks on many servers. You want to document and update the disk
configuration in your servers once per week with the least amount of effort. Select the best method
to do this.
a. Schedule an fdisk script to run on each server once per week and log the output to file.
b. Once per week, use Computer Management to connect each server and write the information
into a Microsoft Office Word document
c. Once per week, use Device Manager to connect to each server and write the information into
a Word document.
d. Schedule a diskpart script to run on each server once per week and log the output to file.

Answer: d

Answer d is correct, because this option requires the least amount of administrative effort.

Answer a is incorrect, because fdisk is not part of Windows Server 2003.

Answer b is incorrect, because this is a very manual process that requires much effort.

Answer c is incorrect, because Device Manager would not work for this task.

Lesson: Managing Mounted Drives


Question: You are the administrator for a file server. The file server has one disk drive that contains
four volumes. Volumes E and F are less than 20 percent full, and volumes C and D are almost full. The
server hosts a database application that stores its data only on volume D. However, volume D is
almost full. You must create additional space on volume D before the database application runs out
of space.

How can you create additional space on volume D with the least amount of administrative effort?
a. Back up all four volumes, remove the hard disk, install a larger hard disk, create four
partitions on the new hard disk, and make D the largest partition.
b. Delete all mount points from drive D, because mount points consume an excessive amount of
disk space.
c. Move some of the data from drive D to drive F and create a mount point that recreates the
original file structure.
d. Tell users to delete files from drive D until there is 20 percent space free.

Answer: c

Answer a is incorrect, because although it would work, it requires too much administrative
effort.

Answer b is incorrect, because the statement is not true.

Answer d is incorrect because users might delete incorrect files and the management of this
process would be a lot of work.

Lesson: Creating Volumes


Question: One of the file servers in your office is running out of space on the D: volume. There is
unallocated space available on the same disk as the D: volume, as well as on other disks.

Which option should you choose to reduce administrative effort and minimize the chance of volume
failure? Choose the best answer.
a. Extend the D: volume using space on the same physical disk.
b. Create a spanned volume using space on a different physical disk.
c. Create a new larger volume, copy the contents of D: to it, then reconfigure drive letters so
that the new volume is D.
d. Create a new striped volume, copy the contents of D: to it, then reconfigure the drive letters
so that the new volume is D.

Answer: a

Answer b is incorrect, because a volume spanning two disks is twice as likely to fail.

Answer c is incorrect, because copying the contents of D: is a significant effort.

Answer d is incorrect, because a striped set has a higher risk of failure than a single disk.

Lesson: Creating Fault-Tolerant Volumes


Question: A new file server has arrived in your office, and you are responsible for designing the disk
configuration. To reduce cost on the server you decided to use software RAID instead of hardware.
The server has six disks.

Which option should you choose to maximize available disk space and ensure that all data is stored
on a fault-tolerant volume? Choose the best answer.
a. Create a single RAID-5 volume from the space on all six disks.
b. Create three mirrored volumes of two disks each.
c. Create a mirrored volume for the boot and system partitions and a four-disk RAID-5 volume
for data.
d. Create a four-disk RAID-5 volume for the boot and system partitions and mirrored volume for
the data.

Answer: c

Answer a is incorrect, because Windows Server 2003 cannot boot from a software-based
RAID-5 volume.

Answer b is incorrect, because mirrored volumes are not an effective use of disk space.

Answer d is incorrect, because Windows Server 2003 cannot boot from a software-based
RAID-5 volume.

Lesson: Importing a Disk


Question: You are responsible for configuring and managing the hardware for the 18 file and print
servers in your group. You notice that disk space for two of your file servers is running low. You
requisition the additional hard disks, but you are notified that no additional hardware requests are
being filled for several months. You must determine what you can do for these servers until then. You
obtain a hard disk that was used in another server. When you install the hard disk, it appears in Disk
Management but its status is Offline.

What are possible reasons that the disk status is Offline? Choose all that apply.
a. The disk was already configured as a dynamic disk.
b. The disk was already formatted with the NTFS file system.
c. The disk was part of a spanned or striped volume.
d. The disk was formatted with the FAT32 file system.

Answer: a, c

Answer a is correct, because if you install a dynamic disk to a different system, the disk must
be imported before it can be accessed.

Answer c is correct, because conditions require that the disk be imported before it can be
accessed.

Answers b and d are incorrect because they would have no effect.



Lab Answer Keys


Lab: Managing Disks Answer Key
Objectives: After completing this lab, you will be able to:
Recover from a failed mirrored drive.

Note: This lab focuses on the concepts in this module and as a result
may not comply with Microsoft security recommendations.

Prerequisites: To complete this lab, you must have the following virtual machines:
DEN-DC1
DEN-SRV2

Exercise 1: Recovering from a Failed Mirrored Drive


In this exercise, you will recover from a failed mirrored drive.

Task 1 Replace the failed disk


1. Shut down DEN-SRV2. Choose to Save the Undo Disk Changes. (Do not
choose Commit Changes to the Virtual Hard Disk.)
2. In the Virtual PC Console, select DEN-SRV2, and click Settings.
3. Click Hard Disk 2.
4. In the Virtual hard disk file box, type
C:\Program Files\Microsoft Learning\2275\DEN-SRV2-Disk2-New.vhd, and click OK.
5. Start the DEN-SRV2 virtual machine.

Task 2 Log on to the server


On DEN-SRV2, log on as Administrator with a password of Pa$$w0rd.

Task 3 Import the new disk


1. Click Start, point to Administrative Tools and then click Computer
Management.
2. Click Disk Management.
3. Click Next to start initializing the new disk.
4. Click Next to accept Disk 1 to be initialized.
5. Select the Disk 1 check box to select it for conversion to a dynamic disk,
and then click Next.
6. Click Finish.

Task 4 Break the Mirror for Mirrored (H:)


1. Right-click Mirrored (H:) and then click Remove Mirror.
2. Click Missing and then click Remove Mirror.

3. Click Yes.

Task 5 Add a new mirror disk


1. Right-click Mirrored (H:) and then click Add Mirror.
2. Click Disk 1 and then click Add Mirror.

Complete the lab exercise


1. Close all programs and shut down all computers. Do not save changes.
2. To prepare for the next module, start the DEN-DC1 and DEN-CL1 virtual
computers.

Resources
Contents:
Additional Reading
Internet Links

Additional Reading
To open an Additional Reading file, click one of the links below.
Self-Study Module A, Implementing Printing
Self-Study Module B, Managing Printing
Self-Study Module C, Monitoring Server Performance
Self-Study Module D, Maintaining Device Drivers
Self-Study Module E, Managing Disks
Best Practices for Delegating Active Directory Administration Appendices
Deploying Windows Server Update Services
EFS
Plug and Play
Security Guide for Small Business
Technical Overview of Terminal Services
Windows Server 2003 Security Guide
Windows XP Security Guide v2

Internet Links
The Web sites listed below provide additional resources.
Microsoft Corporation
Microsoft Internet Explorer
Microsoft Learning

Microsoft Product Support Services


Microsoft Security
Microsoft Windows
Microsoft Windows Security
How to raise domain and forest functional levels in Windows Server 2003
How to disable the requirement that a global catalog server be available to validate user logons

Well-known security identifiers in Windows operating systems


Access Control Components
Operating Characteristics and Restrictions of Named Pipes
NTFS Technical Reference
Choosing between NTFS, FAT, and FAT32
Securing Offline Files
Offline Files Overview
Best practices for assigning permissions on Active Directory objects
Order of processing settings
Introduction to IntelliMirror Configuration Management Technologies
Group Policy settings overview
Advanced methods of extending Group Policy
Customizing the Desktop
TechNet Script Center
Best practices for Folder Redirection
Required User Rights for the Upgrade from Windows 2000 to Windows Server 2003
HOW TO: Grant Users Rights to Manage Services in Windows Server 2003
How To Reset User Rights in the Default Domain Group Policy in Windows Server 2003

HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting
Secedit
Best practices for Security Templates
Auditing Overview

Auditing Policy
Auditing Security Events Best Practices
HOW TO: Set Up and Manage Operation-Based Auditing for Windows Server 2003, Enterprise Edition
Windows 2000 Security Event Descriptions (Part 1 of 2)
Windows 2000 Security Event Descriptions (Part 2 of 2)
Windows Server 2003 Security Guide
Windows XP Security Guide v2
Security Configuration Manager

Best practices for Security Configuration and Analysis


Tracerpt page of the Microsoft Windows XP Professional Product Documentation Web site
Windows Server 2003 Resource Kit Tools
Volume Shadow Copy Service (Presentation)
Microsoft Knowledge Base article 814583
Microsoft Knowledge Base article 812547
Security Management: The Fundamental Tradeoffs on the Microsoft TechNet Web site
Windows Server 2003 Security Guide on the Microsoft TechNet Web site
Changes to Functionality in Microsoft Windows Server 2003 SP1 on the Microsoft Web site
MSSecure.cab file from the Microsoft Download Web site
Threats and Countermeasures Guide
Default Access Control Settings in Windows Server 2003
Security Innovations in Windows Server 2003
Technical Overview of Windows Server 2003 Security Services
HOW TO: Configure Internet Printing in Windows Server 2003
Printing Overview
Printing and print servers
Print Services
Server Performance Advisor V1.0 page on the Microsoft Download Center Web site
Products Designed for Microsoft Windows: Windows Catalog and HCL
Windows Storage Server 2003 Web site

Send Us Your Feedback


You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before
submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article. If that is the case, please ask your
instructor whether or not there are existing error log entries.

Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.

Reporting Errors
When providing feedback, include the training product name and number in the subject line of your
e-mail. When you provide comments or report bugs, please include the following:
Document or CD part number
Page number or location
Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.
