070-290 Actualtests.com - The Power of Knowing Answer: 070-290 Actualtests.com - The Power of Knowing QUESTION 29 You are the network administrator for Certkiller.com. Your network consists of a single Active Directory domain Certkiller.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. Disk drive D on a server named CertkillerA is formatted with default NTFS file permissions. You create a folder named D:\CertkillerData on CertkillerA. You share D:\CertkillerData as CertkillerData with default share permissions. Then you create a subfolder named Sales in D:\CertkillerData A user named Lisa works in the sales department. Her user account is a member of 34 security groups. Lisa reports that she cannot add files to \\CertkillerA\CertkillerData\Sales. You review Lisa's effective permissions for Sales, which are shown in the exhibit: You need to ensure that Lisa can add files to \\CertkillerA\CertkillerData\Sales. What should you do? A. Modify the NTFS permissions so Lisa inherits permissions on Sales from \\CertkillerA\CertkillerData. B. Remove Lisa from the Users group. C. Assign the Allow - Modify NTFS permissions to the Creator Owner group. D. Modify the share permissions for \\CertkillerA\CertkillerData to assign the Allow - Change permissions to the Everyone group. Answer: D Explanation: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. The default share permission is Everyone - Allow Read. This needs to be changed to Everyone - Allow Change. 070-290 Actualtests.com - The Power of Knowing Incorrect Answers: A: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. B: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. C: The exhibit shows that Lisa has enough permissions to be able to write to the directory. The problem must therefore be with the share permissions. QUESTION 29 You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain Certkiller.com. The functional level of the domain is Windows 2000 native. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. The network includes a shared folder named CertkillerInfo. Your boss Dr. King reports that he is often unable to access this folder. You discover that the problem occurs whenever more than 10 users try to connect to the folder. You need to ensure that all appropriate users can access CertkillerInfo. What should you do? A. Decrease the default user quota limit. B. Raise the functional level of the domain to Windows Server 2003. C. Purchase additional client access licenses. D. Move CertkillerInfo to one of the servers. Answer: D Explanation: It is most likely that the share exists on a Windows XP client. A Windows XP client computer only allows up to 10 connections at the same time. Moving the shared folder to a server computer will allow more concurrent connections. Incorrect Answers: 070-290 Actualtests.com - The Power of Knowing A: The quota limit is irrelevant to network connections. B: The functional level of the domain is not the cause of the problem. C: This is not a CAL problem. QUESTION 30 You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain Certkiller.com. All network servers run Windows Server 2003, and all client computers run Windows XP Professional. All users in the sales department are members of a group names Sales. jack a member of Sales, creates a custom document named Salescustom.doc. She is responsible for making all required changes to this file. Jack places the file in a shared folder named jackDocs on a member server named CertkillerA. Then she goes on vacation. When users from the sales department try to open Salescustom.doc, they receive the following error message: 'Access is denied'. You log on to the console of CertkillerA and try to open Salescustom.doc. You receive the same error message. You need to ensure that members of Sales have read-only access to Salescustom.doc. You must not affect jack permissions on Salescustom.doc or on any other files in jackDocs. You must not grant access to Salescustom.doc to any other users. First, you log on to CertkillerA as an administrator. What should you do next? A. Take ownership of jackDocs and select the Replace owner on sub containers and objects check box. Configure the NTFS permissions to assign the Allow - Modify permissions on the folder to Sales. B. Take ownership of Salescustom.doc. Configure the NTFS permissions to assign the Allow - Create Files/Write Data permissions on the file to Sales. C. Take ownership of Salescustom.doc. Configure the NTFS permissions to assign the Allow - Read permissions on the file to Sales. D. Take ownership of jackDocs and select the Replace owner on sub containers and Object check box. Configure the NTFS permissions to assign the Allow - Read permissions on the folder to Sales. Answer: C Explanation: We must change the permissions on the Salescustom.doc file only. Ownership Every object has an owner, whether in an NTFS volume or Active Directory. The owner controls how permissions are set on the object and to whom permissions are granted. Ownership can be transferred in the following ways: The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. An administrator can take ownership. A user who has the Restore files and directories privilege can double-click Other users and groups and choose any user or group to assign ownership to. We must change the permissions on the Salescustom.doc file only. Incorrect Answers: A: This will give Sales modify access to every file in the jackDocs folder. B: We must only assign Read access. D: This will give Sales read access to every file in the jackDocs folder. QUESTION 31 You are the network administrator for Certkiller. The network consists of several domains in a single Active Directory forest Certkiller.com. The functional level for all child domains is Windows 2000 mixed. A server named CertkillerA.litwareinc.com runs Windows Server 2003. You share a folder named SalesDocs on this 070-290 Actualtests.com - The Power of Knowing server. In the properties for SalesDocs, you assign the Allow - Full Control permissions to a universal group named U_Sales in Certkiller.com. Effective permissions for U_Sales are shown in the U_Sales exhibit. In each domain in the forest, you create a global group named G_Sales, whose membership consists of users in that domain's department. You add every G_Sales group to the U_Sales group. Ben Smith is a member of G_Sales in child1.Certkiller.com. He reports that he cannot access SalesDocs. On CertkillerA, you verify the effective permissions for Ben Smith, as shown in the Ben Smith exhibit. You need to ensure that Ben Smith can access SalesDocs. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two) A. Add Ben Smith's user account to U_Sales in litwareinc.com B. Change the group scope of U_Sales to domain local. C. Change the group type of U_Sales to distribution. D. Assign the Allow - Full Control permissions to G_Sales in child1.litwareinc.com. E. Instruct Ben Smith to log on by using his user principal name. Answer: B, D 070-290 Actualtests.com - The Power of Knowing Explanation Ben Smith can not access because the child domains are in mixed mode so the child domains can not use the Universal group. Only Certkiller.com is in native mode because Universal group U_sales was created there. We need to change the scope For U_Sales Universal to domain local. This will give Ben the required permissions because the Global Group G_Sales is a member of U_Sales. Alternatively, we could assign the permission directly to the G_Sales group in child1.Certkiller.com. When to use global groups Because global groups have a forest-wide visibility, do not create them for domain-specific resource access. Use a global group to organize users who share the same job tasks and need similar network access requirements. A different group type is more appropriate for controlling access to resources within a domain. When to use universal groups Use universal groups to nest global groups so that you can assign permissions to related resources in multiple domains. A Windows Server 2003 domain must be in Windows 2000 native mode or higher to use universal groups. When to use domain local groups Use a domain local group to assign permissions to resources that are located in the same domain as the domain local group. You can place all global groups that need to share the same resources into the appropriate domain local group. MS THUMB RULES Grant permissions to groups instead of users. • A G P • A DL P • A G DL P • A G U DL P • A G L P A (Account) G (Global Group) U (Universal Group) DL (Domain Local Group) P (Permissions) 070-290 Actualtests.com - The Power of Knowing Changing group scope When creating a new group, by default, the new group is configured as a security group with global scope regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level set to Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: Global to universal. 070-290 Actualtests.com - The Power of Knowing This is only allowed if the group you want to change is not a member of another global scope group. Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member. Universal to global. This is only allowed if the group you want to change does not have another universal group as a member. Universal to domain local. No restrictions for this operation. QUESTION 32 You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain Certkiller.com. The functional level of the domain is Windows Server 2003. You install Terminal Services on all domain controllers. However, your technical support specialists report that they cannot use Terminal Services to access any domain controllers. Which action or actions should you perform to solve this problem? (Choose all that apply) A. Install Remote Desktop for Administration. B. Require the support specialists to use a console session to connect to the terminal servers. C. Add the Remote Administrators group to the Account Operators group. D. Add the support specialists to the Remote Desktop group. E. Modify the Default Domain Controller Group Policy object (GPO) to grant the Log on locally user right to the support specialists. Answer: D Explanation: The Remote Desktop group has the necessary permissions to connect to the domain controllers using Terminal Services. We simply need to add the support specialists to the Remote Desktop group. Terminal Server mode Allows multiple remote clients to simultaneously access Windows-based applications that run on the server. This is the traditional Terminal Server deployment. Remote Desktop for Administration Is used to remotely manage Windows Server 2003 servers. This mode is designed to provide operators and administrators with remote access to typical back-end servers and domain controllers. The administrator has access to the graphical user interface-based tools that are available in the Windows environment, even if he or she is not using a Windows-based computer to administer the server. Incorrect Answers: A: Remote Desktop for Administration is installed by default in Windows Server 2003. For security reasons it is disabled by default. It can be enabled through the System control panel. B: They do not require a console session. C: The Account Operators do not have permission to connect using Terminal Services. E: Although this is required, this is not enough to allow the support specialists to connect using Terminal Services. The Remote Desktop group have the right to log on locally, but only via Terminal Services. QUESTION 33 You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain Certkiller.com. All network servers run Windows Server 2003. Your network includes a shared folder named CertkillerDocs. This folder must not be visible in a browse list. However, users report that they can see CertkillerDocs when they browse for shared folders. How should you solve this problem? A. Modify the share permissions to remove the All - Read permission on CertkillerDocs from the Users group. B. Modify the NTFS permissions to remove the Allow - Read permissions on CertkillerDocs from the Users 070-290 Actualtests.com - The Power of Knowing group. C. Change the share name to CertkillerDocs #. D. Change the share name to CertkillerDocs $. Answer: D Explanation: Appending a dollar sign ($) to a share name hides the share. Server Help: To share a folder or drive You can hide the shared resource from users by typing $ as the last character of the shared resource name (the $ then becomes part of the resource name). Users can map a drive to this shared resource, but they cannot see the shared resource when they browse to it in Windows Explorer, or in My Computer on the remote computer, or when they use the net view command on the remote computer. Incorrect Answers: A: This will not hide the share. B: This will not hide the share. Users will see the share, but get an "Access Denied" message. C: The share will be visible with the name CertkillerDocs#. QUESTION 34 You are the network administrator for Certkiller.com. Your network consists of a single Active Directory domain Certkiller.com. All network servers run Windows Server 2003. Certkiller has offices in Chicago, New York and Los Angeles. Each office has one domain controller. Each office also has its own organization unit (OU), which contains all user accounts and computer accounts in that office. The Chicago OU is accidentally deleted from Active Directory. You perform an authoritative restoration of that OU. Some users in Chicago now report that they receive the following error message when they try to log on to the domain. "The session setup from the computer DOMAIN MEMBER failed to authenticate. The name of the account referenced is the security database in DOMAIN MEMBER$. The following error occurred: Access is denied". How should you solve this problem? A. Reset the computer accounts of the computers that receive the error message. Instruct the affected users to restart their computers. B. Perform a nonauthoritative restoration of Active Directory. Force directory replication on all domain controllers. C. Restart the Kerberos Key Distribution Center service on each domain controller. D. Run Nltest.exe on the computers that receive the error message. Restart the Net Logon service on the domain controller on Chicago. Answer: A Explanation: You restored the computer accounts. The result of this is that the restored computer accounts have a different password to the password that the computers are using. When a member server joins a domain, a computer account is created (you can use Server Manager to see the computer account). A default password is given to the computer account, and the member stores the password in the Local Security Authority (LSA) secret storage $MACHINE.ACC. By default, the password is changed every seven days. QUESTION 35 You are the network administrator for Certkiller.com. The network consists of a single Active Directory domain Certkiller.com. All network servers run Windows Server 2003. Most client computers run Windows XP Professional, and the rest run Windows 2000 Professional. You create and share a folder named ProjectDocs on a member server. The current state of permissions for the folder is shown in the dialog box. Users report that they receive an 'Access is denied' error message when they try to add or create files and folders in ProjectDocs. You need to configure the permissions on ProjectsDocs to fulfill the following requirements: 070-290 Actualtests.com - The Power of Knowing • Domain users must be able to create or add files and folder. • Domain users must not be able to change NTFS permissions on the files or folders that they create or add. • Domain users must receive the minimum level of required permissions. What should you do? To answer, configure the appropriate option or options in the dialog box. Answer: [...]... to select the groups, then selecting Domain users - Change would be a better option QUESTION 36 You are the network administrator for Certkiller.com The network consists of a single Active Directory domain Certkiller.com You manage a Windows Server 20 03 computer named Certkiller3 This server hosts all file and print services for the network on NTFS volumes Certkiller is a technical support specialist... account Actualtests. com - The Power of Knowing 070- 290 Answer: B Explanation: Full Control NTFS permission is the only permission listed that will enable Jack The change the file permissions This answer will however, prevent Jack from reading the files over the network because of the Deny - Read Share permission QUESTION 37 You are the network administrator for Certkiller All network servers run Windows... times on their applications You open System Monitor on CertkillerSrv and see the information shown in the following table Counter Minimum Maximum Average Memory - Pages/sec 0.00 31 .97 1.22 Logical Disk - Avg Disk Queue Length 69 20.61 9. 73 Processor - % Processor Time 3. 00 100.00 5.15 Network Interface - Bytes/sec 189.72 2927.84 37 9.46 You need to improve the performance of Server 1 What should you... a folder named Data on Certkiller3 You share Data and configure the folder permissions shown in the following table Jack logs on to Certkiller3, but she cannot change permissions for any files in Data How should you solve this problem? A Remove the Allow - Read NTFS permissions from jack user account Add jack user account to Group 1 B Add jack user account to Group 3 C Assign the Allow - Full Control... QUESTION 37 You are the network administrator for Certkiller All network servers run Windows Server 20 03 A server named CertkillerSrv hosts applications for network users CertkillerSrv contains a motherboard that can support two CPUs One CPU is currently installed CertkillerSrv has 512 MB of RAM and a single 36 - GB integrated device electronics (IDE) hard disk It has a 10 MB Ethernet card connected to.. .070- 290 The default share permission is Everyone - Read To be able to write to the shared folder, the users require "Change" permission The Change permission allows users to Read, Write, Execute and Delete files in the shared folder Note: the exhibit shows the everyone group In the exam, if you have the option to select the groups, then selecting... 10-Mb Ethernet card with a 100-Mb Ethernet card Answer: C Explanation: The average disk queue length should not be more than two All the other counters are within an acceptable range Actualtests. com - The Power of Knowing . to Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 20 03: Global to universal. 070- 290 Actualtests. com. domains is Windows 2000 mixed. A server named CertkillerA.litwareinc.com runs Windows Server 20 03. You share a folder named SalesDocs on this 070- 290 Actualtests. com - The Power of Knowing server 070- 290 Actualtests. com - The Power of Knowing Answer: 070- 290 Actualtests. com - The Power of Knowing QUESTION 29 You are the network administrator