MCSE Windows Server 2003 document - P13 pdf


Objective 2.7 Troubleshoot User Authentication

Without proper authentication, a user will be unable to access network resources, and, in some cases, will not be able to log on to his or her local computer. At the root of authentication is the combination of username and password which comprise the user’s credentials. If there is a mismatch between what the user believes his or her credentials to be and what the authenticating system expects, the user will not be able to connect to that resource. If that resource is the local computer, the user will not be able to log on at all.

Chapter 15 Managing Users, Computers, and Groups (2.0)

Objective 2.7 Questions

1. A traveling user has been away from the office for several months. The laptop computer with which the user travels is not configured for dial-in access to the corporate network because it is used mostly for presentations and client documentation. Upon returning to the office and connecting to the corporate network, the user is unable to log on to his or her computer using a local account, and is presented with the “Log on Failed” dialog box. What should you do?

A. Reset the user’s password in Active Directory.
B. Reset the user’s computer account in Active Directory.
C. Use the password reset disk for that user to reset the password on the local computer.
D. Disconnect the computer from the network, and then restart the computer.

2. A user has returned from an extended business trip, and reconnects his or her computer to the network. The user is able to log on, but is not able to connect to any network resources. You examine the accounts associated with the user in Active Directory Users And Computers, and note that the computer account for the user’s laptop is marked with a red “X” icon. What should you do to solve the problem?

A. Reset the user’s password in Active Directory.
B. Reset the laptop computer account in Active Directory.
C. Delete the laptop computer account from the domain, join the laptop to a workgroup, then rejoin the laptop to the domain.
D. Delete and recreate the laptop computer account.

3. You are the systems administrator for a medium-sized organization that runs a single Windows Server 2003 domain. The Default Domain Group Policy object has the following password policy settings:

10 Passwords Remembered.
Maximum Password Age 10 days
Minimum Password Age 2 days
Minimum Password Length 10 characters

A group of 40 developers who work in a department in your organization has lobbied management for a separate set of password policies specific to its members. The developers want the minimum password age set to 0 days and the maximum password age set to 28 days. Which of the following methods will allow you to alter the password policy for this group of developers?

A. Create a child domain of the current domain and move the developers’ accounts to this domain. Edit the Default Domain GPO of the child domain and implement the separate password policy requested by the developers.
B. Create a separate OU and move the 40 developers’ user accounts into this OU. Create and edit a new GPO, implementing the separate password policy requested by the developers via this GPO. Apply the GPO to the newly created OU hosting the developers’ accounts.
C. Resubnet the network and create a new site within Active Directory. Place all the 40 developers’ workstations onto this new subnet. Create and edit a new GPO, implementing the separate password policy requested by the developers via this GPO. Apply the GPO to the newly created site hosting the developers’ computer accounts.
D. Edit the Local GPO on each of the developer’s workstations, implementing the separate password policy requested by the developers via this GPO.

Objective 2.7 Answers

1. Correct Answers: C

A. Incorrect: The “Logon Failed” dialog box appears only if a password reset disk has been created for an account on the local computer. The domain user account is not involved in this problem.
B. Incorrect: The “Logon Failed” dialog box only appears if a password reset disk has been created for an account on the local computer. The domain computer account is not involved in this problem.
C. Correct: The password reset disk is created for local user accounts, and can be used when a user is trying to access a local computer account with the incorrect credentials, as in this case.
D. Incorrect: The computer’s connection to the network or any network interaction does not cause the “Logon Failed” dialog box to appear.

2. Correct Answers: B

A. Incorrect: The user’s password would not affect the computer account, as the icon indicates, in Active Directory.
B. Correct: The password between the laptop and the domain computer account has become unsynchronized and must be reset.
C. Incorrect: This would solve the problem, but might cause other problems if there are permissions set on resources for this laptop computer. Also, this process would take much more time than a computer password reset.
D. Incorrect: This would compound the problem by not only having unsynchronized passwords, but mismatched SIDs as well.

3. Correct Answers: A

A. Correct: Password policies apply domain-wide. The only method by which users can have separate password policies is if their user accounts reside in different domains. A child domain does not inherit the password policy of its parent domain.
B. Incorrect: Password policies apply domain-wide. Password policies applied at the OU level do not override the password policies set at the domain level. If this set of steps is taken, the password policies will remain as they did before at the domain level.
C. Incorrect: Password policies apply domain-wide. Password policies applied at the site level do not override the password policies set at the domain level. If this set of steps is taken, the password policies will remain as they did before at the domain level.
D. Incorrect: Password policies apply domain-wide. Password policies applied at the local level do not override the password policies set at the domain level. If this set of steps is taken, the password policies will remain as they did before at the domain level.

16 Managing and Maintaining Access to Resources (3.0)

Access to resources requires proper identification and proper permissions. There is no additional configuration to be done to access files across a network than to make sure that the resource is accessible (shared) and that the user has appropriate permissions to accomplish the desired action (read, write, delete, and so on). This transactional process of analyzing the user’s access token involves reading the entries on the access control list (ACL) of the resource, and comparing the list with the security identifiers (SIDs) on the token. If the security services governing the resource access process determine that the combination of SIDs and their permissions is sufficient to perform the requested task, permission and access is granted; if not, access to the resource is denied.
Such permission-based access is accomplished by the operating system based upon the file system that is installed on the storage device where the resource resides. On a FAT32 file system, for example, even if the operating system version is Windows Server 2003, permissions cannot be set at the file system level: NTFS permissions are required for this type of permission assignment. Share permissions, however, can be set regardless of the file system on which the resources are stored. The operating system alone controls the share permissions, which are valid for any entity attempting to access the resource from across the network.

Terminal Services provides a different type of access to resources, in that it presents a local environment to the user over the network. The creation and use of this virtual local environment requires additional permissions and configuration, but the resource access to files and folders is still governed by network (share) and file system (NTFS) permissions. The understanding of these additional configuration needs and possibilities is key to the proper use of Terminal Services.

Testing Skills and Suggested Practices

The skills that you need to master the Managing and Maintaining Access to Resources objective domain on Exam 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment include

■ Configure access to shared folders.
  ❑ Practice 1: Set permissions for individual users and groups. Create increasingly complex sets of group memberships and permission assignments so as to make a 2–3 layer set of permissions using multiple group memberships for a user account, and nested memberships for groups.
  ❑ Practice 2: Configure sets of permissions on network share points. Configure NTFS permissions for the same resource, and analyze the effective resulting permissions for a user.
■ Troubleshoot terminal services.
  ❑ Practice 1: Configure Terminal Services in Remote Desktop for Administration mode such that various users are allowed or denied permissions. Set properties for allowed users to control their profile paths, home directories, and whether their sessions can be controlled remotely through another Terminal Services session.
  ❑ Practice 2: Configure Group Policy for Terminal Services users to redirect local printer and drive output to the Terminal Services session. Know the purposes and functionalities for each of these settings.
■ Configure file system permissions.
  ❑ Practice 1: Set permissions for individual users and groups. Create increasingly complex sets of group memberships and permission assignments so as to make a 2–3 layer set of permissions using multiple group memberships for a user account, and nested memberships for groups.
  ❑ Practice 2: Configure sets of NTFS permissions on file system objects. Configure share permissions for the same resource, and analyze the effective resulting permissions for a user.
■ Troubleshoot access to shared files and folders.
  ❑ Practice 1: Access the properties of a file for which you have set complex NTFS permissions for several groups of users. Select a user that is a member of more than one of the groups that you have assigned the permissions to for the file. Use the Advanced button on the Security tab to access the “Effective Permissions” tab. Enter the user’s name to discover his or her effective permissions to that file.
  ❑ Practice 2: Access the properties of a folder for which multiple groups have been given different NTFS permissions. Use the Advanced button on the Security tab to access the “Effective Permissions” tab. Enter a group name to view the effective group permissions for that folder.
Further Reading

This section contains a list of supplemental readings divided by objective. Study these sources thoroughly before taking the exam.

Objective 3.1
Review Chapter 6, “Files and Folders.” This chapter examines share permissions, NTFS permissions, and auditing of resource access.
Microsoft Corporation. Frequently Asked Questions: Security Technologies. This Web-based resource is free and can be accessed at the URL: http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.asp.

Objective 3.2
Review Chapter 2, Lesson 3, “Remote Administration with Terminal Services.” This lesson discusses configuration and permission issues involved with Terminal Services, Remote Desktop, and Remote Assistance.
Microsoft Corporation. Windows Server 2003, Help and Support Center: Remote Assistance.

Objective 3.3
Review Chapter 6, “Files and Folders.” This chapter explores share permissions, NTFS permissions, and auditing of resource access.
Microsoft Corporation. Technet; Script Center: Disks and File Systems. This Web-based resource is free, and can be accessed at the following URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/dfs/default.asp.

Objective 3.4
Review Chapter 6, “Files and Folders.” Examine the material on troubleshooting permissions, including how to view effective permissions.
Review the following article on Microsoft Technet: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/acl_view_effective_permissions.asp.
Objective 3.1 Configure Access to Shared Folders

Share permissions are set within the Windows Server 2003 operating system on network access points—shares—within the file system. These share permissions are assigned in the folder properties interface (Sharing tab) in Windows Explorer. Individual files cannot be shared. For multiple user entities, permissions are analyzed for each SID presented in the user’s access token, and the most liberal permission is granted. The exception to this liberal permission assignment is when one (or more) of the SIDs presented in the token has a deny permission assigned in the resource’s ACL; in that case, the deny permission takes precedence.

If NTFS permissions are in use on the file system, the effective share permission is compared to the effective NTFS permission, and the most restrictive permission is then assigned as the final, effective permission for the user on that resource.

[...]

... access several applications through a single Terminal Server, Server01, located on the same Local Area Network segment. You are running a Windows Server 2003 Active Directory and DNS, and the Terminal Server is a Windows Server 2003 server. At the end of business on the previous day, you renamed the Terminal Server to App1. You verified that the server was reachable using its new name through Terminal...

... to Per User/Per Device.
  ❑ Practice 2: Install the License Logging Server on a Windows Server 2003 system.
■ Manage servers remotely
  ❑ Practice 1: Install the Hypertext Markup Language (HTML) remote administration tools on a Windows Server 2003 member server and use the tools to change the server name.
  ❑ Practice 2: Log on to a remote Windows Server 2003 system using Terminal Services Remote Desktop for...
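The permission rules stated under Objective 3.1 (most liberal across the token's SIDs, deny takes precedence, then the most restrictive of share and NTFS) can be traced with a small model. This is an added example, not code from the book; the account names, group names and rights sets are constructed, and the model ignores ACE ordering and inheritance.

```python
from dataclasses import dataclass

# Constructed permission levels, modeled as sets of rights for illustration.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

@dataclass(frozen=True)
class Ace:
    sid: str           # constructed label standing in for a real SID
    allow: bool        # True = allow entry, False = deny entry
    rights: frozenset

def effective(acl, token_sids):
    """Most liberal rights across the token's SIDs; any deny takes precedence."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.sid in token_sids:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)

def network_access(share_acl, ntfs_acl, token_sids):
    """Final rights over the network: the most restrictive of share and NTFS."""
    share = effective(share_acl, token_sids)
    if ntfs_acl is None:      # FAT32 volume: no file system permissions exist
        return share
    return share & effective(ntfs_acl, token_sids)

# Constructed sample ACLs for one shared folder.
SHARE_ACL = [Ace("Everyone", True, READ), Ace("Sales", True, CHANGE)]
NTFS_ACL = [Ace("Sales", True, FULL),
            Ace("Contractors", False, frozenset({"write"}))]

# Constructed access tokens: the user's own SID plus group SIDs.
ALICE = {"alice", "Everyone", "Sales"}
BOB = {"bob", "Everyone", "Sales", "Contractors"}
GUEST = {"guest", "Everyone"}

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB), ("guest", GUEST)):
        print(name, sorted(network_access(SHARE_ACL, NTFS_ACL, token)))
```

Bob's case shows why the Effective Permissions tab alone does not answer a network access question: his NTFS result still includes change_permissions, but the share's Change level removes it when he connects through the share.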
... Microsoft Windows Server 2003,” which includes a lesson about using Event Viewer. Microsoft Corporation. Windows Server 2003 Help And Support Center. Review “Event Viewer.”

Objective 4.7
Review Chapter 12, “Monitoring Microsoft Windows Server 2003,” which includes a lesson about using System Monitor. Microsoft Corporation. Windows Server 2003 Help And Support Center. Review “Performance.”

... Administration client to Server02, Server03, and Server04, which are member servers in the same domain. You have administrator privileges on each of these servers. Server01 is not physically accessible to you, as it is in a remote location. What steps should you take to resolve the problem? (Select all that apply.)

A. Connect to Server02 with the Remote Desktop for Administration client.
B. Connect to Server01 from... reconfigure Server01 to allow Terminal Services connections.
E. Connect to Server01 from the Terminal Services session on Server02 with the Remote Desktop for Administration client. Open the System properties page for Server01 and configure Server01 to deny Remote Desktop Connections, and then reconfigure Server01 to allow Remote Desktop Connections.

... licensing. Microsoft Corporation. Windows Server 2003 Help And Support Center. Review “Licensing.”

Objective 4.4
Review Chapter 2, “Administering Microsoft Windows Server 2003,” which provides information about managing servers remotely with the MMC, Remote Administration with Remote Desktop for Administration, and using Remote Assistance. Microsoft Corporation. Windows Server 2003 Help And Support Center...

... the Documents folder.

17 Managing and Maintaining a Server Environment (4.0)

Managing a Microsoft Windows Server 2003 system requires an awareness of what is occurring on the system. The best place to find this information is in the event logs. The three main event logs that are on a Windows Server 2003 system are the System, Security,... not have been vulnerable to such worms as Code Red and Slammer. Software Update Services (SUS) runs on Windows Server 2003 and allows an organization to use a Windows Server running on their network as the update server from which to download patches from Microsoft, rather than using Microsoft’s Update servers located on the Internet.

Licensing is another area that requires attention. If the company is... and print servers as well as monitor file and print server performance to determine if anything must be done to improve that performance.

Testing Skills and Suggested Practices

The skills that you need to master the Managing and Maintaining A Server Environment... updates to the SUS server. Use Group Policy to configure a Windows XP Professional system to use the SUS server as its Automatic Updates server.
  ❑ Practice 2: Deploy a service pack using Group Policy to a Windows XP Professional system.
■ Manage software site licensing
  ❑ Practice 1: Run the Licensing console located in Control Panel and read the help menu about switching from Per Server to Per User/Per...

Date posted: 15/12/2013, 02:16
