FrontBack

Chapter 1 . Overview of Active DirectoryAnswers to Review Questions

1. Which of the following is not a feature of Active Directory? A. The use LDAP for transferring information B. Reliance on DNS for name resolution C. A flat domain namespace D. The ability to extend the schema1. C. Active Directory uses a hierarchical namespace for managing objects.

2. Domains provide which of the following functions?A. Creating security boundaries to protect resources and ease of administrationB. Easing the administration of users, groups, computers, and other objectsC. Providing a central database of network objectsD. All of the above2. D. All of these options are features of domains and are reasons for their usefulness.

3. You are the administrator for a large organization with multiple remote sites. Your supervisor would like to have remote sites log in locally to their own site but he is nervous about security. What type of server can you implement to ease their concerns? A. Domain controller B. Global Catalog C. Read-only domain controller D. Universal Group Membership Caching Server3. C. Windows Server 2008 has a new type of domain controller called a read-only domain controller (RODC). This gives an organization the ability to install a domain controller in an area or location (on or offsite) where security is a concern.

4. Which of the following objects is used to create the logical structure within Active Directory domains? A. Users B. Sites C. Organizational units (OUs) D. Trees4. C. OUs are used for creating a hierarchical structure within a domain. Users are objects within the directory, sites are used for physical planning, and trees are relationships between domains.

5. Which of the following is false regarding the naming of Active Directory objects? A. Active Directory relies on DNS for name resolution. B. Two objects can have the same relative distinguished name. C. Two objects can have the same distinguished name. D. All objects within a domain are based on the name of the domain. 5. C. The distinguished name of each object in Active Directory must be unique, but the relative distinguished names may be the same. For example, we might have a User object named Jane Doe in two different containers.

6. Which of the following are true regarding Active Directory trust relationships? A. Trusts are transitive. B. By default, trusts are two-way relationships. C. Trusts are used to allow the authentication of users between domains. D. All of the above.6. D. Trusts are designed for facilitating the sharing of information and have all of these features.

7. Which of the following protocols is used to query Active Directory information? A. LDAP B. NetBEUI C. NetBIOS D. IPXISPX7. A. LDAP is the Internet Engineering Task Force (IETF) standard protocol for accessing information from directory services. It is also the standard used by Active Directory.

8. You are the administrator for a large organization. Your organization currently has a Windows Server 2003 domain. Your company has set up a domain-based password policy but the organization is unhappy with the requirement to have a single policy for all users. Your company is considering upgrading to Windows Server 2008. What feature will solve the problem of only one policy for all domain users? A. Microsoft Windows Server 2008 multi-password policy B. Fine-grained password policy C. Certificate server policy D. None of the above8. B. Fine-grained password policies allow an organization to have different password and account lockout policies for different sets of users in the same domain.

9. What Windows Server 2008 server role allows a user to have a single sign-on (SSO) to access multiple applications? A. Active Directory Domain Services B. Active Directory Federation Services C. Active Directory Lightweight Directory Services D. Active Directory Rights Management Services9. B. Active Directory Federation Services gives users the ability to do a SSO and access applications on other networks without a secondary password.

10. What are some of the advantages of using Windows Server 2008 Active Directory Certificate Services? A. Web enrollment B. Network Device Enrollment Service C. Online Responder D. All of the above10. D. Web enrollment, certification authorities (CAs), the Network Device Enrollment Service, and the Online Responder are four advantages of Active Directory Certificate Services.

11. What Windows Server 2008 server role allows a user to secure an email while using Microsoft Office 2007 Outlook? A. Active Directory Domain Services B. Active Directory Federation Services C. Active Directory Rights Management Services D. Active Directory Lightweight Directory Services11. C. Active Directory Rights Management Services (AD RMS) is included with Microsoft Windows Server 2008. This service allows administrators or users to determine what access (open, read, modify, etc.) they give to other users in an organization. This access can be used to secure email messages, internal websites, and documents. Organizations can use AD RMS for confidential or critical information.

12. Identity and access (IDA) has five distinct categories. What are they? A. Directory services, strong authentication, Federated Identities, informationprotection, and Identity Lifecycle Management B. Directory services, strong certificates, Federated Identities, data protection, and LDAP C. LDAP, strong authentication, Federated Identities, information protection, and Identity Lifecycle Management D. Directory services, basic authentication, Federated Identities, data protection, and Identity Lifecycle Management12. A. Directory services, strong authentication, Federated Identities, information protection, and Identity Lifecycle Management are the five categorizes forIDA.

13. You are the administrator for your company. Another administrator has changed a users group settings. What is the easiest way to get the original setting back for the user? A. Restore tapes. B. Perform auditing. C. Use a recovery disk. D. Enter safe mode and then restore from tape. 13. B. With the Microsoft Windows Server 2008 auditing feature, you have the ability to view the new and the old values of the object and its attributes. After viewing the old values, you can restore them.

14. Which of the following features of Active Directory allows information between domain controllers to remain synchronized? A. Replication B. The Global Catalog C. The schema D. None of the above14. A. Replication ensures that information remains synchronized between domain controllers

15. Jane is a system administrator for a large, multi-domain, geographically distributed network environment. The network consists of a large, central office and many smaller remote offices located throughout the world. Recently, Jane has received complaints about the performance of Active Directoryrelated operations from remote offices. Users complain that it takes a long time to perform searches for network resources (such as shared folders and printers). Jane wants to improve the performance of these operations. Which of the following components of Active Directory should she implement at remote sites to improve the performance of searches conducted for objects in all domains? A. Data store B. Global Catalog C. Schema D. None of the above15. B. The Global Catalog contains information about multiple domains and additional Global Catalog servers can greatly increase the performance of operations such as searches for shared folders and printers. The other options are features of Active Directory, but they are not designed for fast searching across multiple domains.

16. What is the name of the server that is a repository of Active Directory topology and schema information for Active Directory? A. Domain Partition B. Schema Master C. Global Catalog D. None of the above16. C. The Global Catalog is a repository of the Active Directory topology and schemainformation. The Global Catalog contains information about multiple domains. Adding more Global Catalog servers can greatly increase the performance of operations such as searches for shared folders and printers. The other options are features of Active Directory, but they are not designed for fast searching across multiple domains.

17. You need to install the Active Directory Federation Services. What application do you use to do the install? A. Server Set-Up B. Role Manager C. Server Manager D. Add/Remove ProgramsServices17. C. Server Manager is a Microsoft Management Console (MMC) snap-in that allows an administratorto view information about server configuration, status of roles that are installed, and links for adding and removing features and roles.

18. What term is used to refer to the actual structure that contains the information stored within Active Directory? A. Schema B. Data store C. Global Catalog D. NTS Storage group18. B. The termdata storeis used to refer to the actual structure that contains the information stored within Active Directory.

19. You are the administrator for your companys domain. You need to subdivide groups in your organization within Active Directory. i you wanted to separate Sales from Marketing, for example, what could you do to create a system of organizing this subdivision and any others that you need to divide? A. Create OUs. B. Use Users and Groups. C. Create a Sites and Services subnet grouping. D. Build a container in LM Manager. 19. A. An OU is an organizational Unit and is a container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other OUs. You can use OUs to help build organization into your directory so that you can roll out software updates to groupings of users and computers. OUs enable the delegation of administration to very distinct sub trees of the directory. OUs can be departments or groups. They are used to structure and manage your network in a way that reflects a company's business organization.

20. You are the network administrator for a 200-node network. You are currently looking at creating software packages to roll out to your network users. When the users log in, they will automatically install needed updates. You need to roll out a specific set of updates to 30 of those nodes. What could you create so that you can separate those 30 from the 200 and roll out updates only to that group? A. A policy that deploys only to those 30 members B. A group assignment through Administrative Tools C. An organizational unit (OU) for those 30 users D. None of the above20. C. An OU is a container object that s used for administering an Active Directory database. OUs contain Active Directory objects. You can use OUs to help build organization into your directory so that you can roll out software updates to groupings of users computers. OUs enable the delegation of administration to very distinct subtrees of the directory. OUs can be departments or groups. They are used to structure and manage your network in a way that reflects a companys business organization.

DNS1.You are the network administrator for a Windows Server 2008 network. You have multipleremote locations connected to your main office by slow satellite links. You want to install DNSinto these offices so that clients can locate authoritative DNS servers in the main location.What type of DNS servers should be installed in the remote locations?

A. Primary DNS zonesB. Secondary DNS zonesC. Active Directory Integrated zonesD. Stub zones

2.The organization you work for has five Windows Server 2008 servers all running as domaincontrollers. Your DNS servers are all currently running as primary DNS zones. You need to setup a DNS strategy that allows all DNS servers to hold the same database and your companyrequires that you use secure DNS dynamic updates for all clients. What type of DNS strategydo you need to implement?

A. Upgrade 1 server as a primary master and the rest as stub zones.B. Upgrade 1 server as a primary master and the rest as secondary servers.C. Upgrade all servers to Active Directory Integrated servers.D. Keep all servers primary servers and set up replication.

3.The company you work for has six locations around the country. You are part of the administrativeteam based in the central office, and you have finished upgrading the workstations andservers to Vista and Server 2008. Your team is now in the process of deploying DNS in orderto support your managers planned implementation of a single Active Directory tree so thatyou can support the network from your central location. Because you must support name resolutionfor six offices, you want to provide an efficient and responsive service for the users.Which of the following is the best approach to support your plans for a single Active Directorytree and provide efficiency and responsiveness for the users in this situation?A. Create a single second-level name and maintain all the DNS servers at your central officeto ease administration.B. Create a single second-level name and deploy a DNS server at each location in the network.C. Create a second-level name for each city and maintain all the DNS servers at your centraloffice to ease administration.D. Create a second-level name for each city and deploy a DNS server at each location in thenetwork.

4.Acme Bowling Pin Company, with offices in 4 states, has been acquired by Roadrunner Enterprises,which has offices in 14 states and is a highly diversified organization. Although the variouscompanies are managed independently, the parent company is very interested in minimizingcosts by taking advantage of any shared corporate resources; it also wants to have overall centralcontrol. This means that you, the network administrator for Acme Bowling Pin Company,will manage your own DNS namespace but will still be under the umbrella of the parentorganization. Which of the following will best accomplish these goals?A. Have each location, including yours, register its own namespace and manage its DNSsystem independently.B. Register a single domain name for Roadrunner Enterprises and use delegated subdomainson a single DNS server at corporate headquarters to provide name resolution across theenterprise.C. Register a single domain name for Roadrunner Enterprises and use delegated subdomainson DNS servers installed at each location to provide name resolution across the enterprise.D. Have each location, including yours, register its own namespace and add it on a single DNSserver at corporate headquarters to provide name resolution across the enterprise.

5.A DNS client sends a recursive query to its local DNS server, asking for the IP address ofwww.bigbrother.gov. The DNS server finds no local zones corresponding to the requesteddomain name, so it sends a request to a root name server. What does the root name serverreply with?A. The IP address of the name server for the bigbrother.gov domainB. The DNS name of the .gov top-level domainC. The IP address of www.bigbrother.govD. The IP address of the name server for the .gov top-level domain

6.You have a private network that contains several DNS zones and servers, including a coupleof root name servers. You never need to change any of your DNS data. You find that the loadon one of your name servers is inordinately high. What can you do to reduce this load?

A. Increase the TTL on the affected name server.B. Decrease the TTL on the affected name server.C. Add a service record to the affected name server.D. Edit the directory command in the DNS boot file.

7.You are charged with upgrading your Windows NT network to Windows Server 2008. Youplan on installing Active Directory and upgrading all your client machines to Vista. Your companydoes not allow Internet access because the company president still views it, as well asemail, as a time-wasting toy that distracts the employees. Despite what you feel is a shortsightedview by management, you begin to design the upgrade process. You realize that DNSis an important component of Windows Server 2008, even though you wont be using it tolocate resources on the Internet. What DNS records must you include in the configuration ofthe Windows Server 2008 DNS service in this environment? (Choose all that apply.)

A. Host recordB. Pointer recordC. Alias recordD. Name server recordsE. Start of authority recordF. Mail exchanger recordG. Service record

8.A spammer is attempting to send junk mail through an unsuspecting mail server. The spammeruses a fake DNS name from which they think the mail server will accept mail, but the mail isrejected anyway. How does the mail server know to reject the spammers mail?

A. The spammers DNS name is not in the cache file of the primary DNS server that serves themail servers domain, so it gets rejected.B. A fake DNS name is automatically detected if the IP address isnt recognized by the mailserver.C. The mail server employs a reverse lookup zone to verify that DNS names are not fake.D. The spammer does not have an MX record in the database of the DNS server that servesthe mail servers domain.

9.Your web servers hostname within the LAN is chaos.stellacon.com. However, you need toadd a DNS entry so that it can be found with the name www.stellacon.com. What type ofrecord should you add to the DNS zone for stellacon.com in order for this to be configuredproperly?

A. An Alias/CNAME recordB. An A recordC. An SRV recordD. A PTR record

10.You have two master servers operating in your environment, a primary master and a secondarymaster. These DNS servers are authoritative for the zone example.com. When the secondary mastertransfers the domain, what part of the DNS zone does it use to determine if the zone datahas changed?A. The TTL, or time to liveB. The NS recordC. The serial numberD. The database record tombstone

Installing Active Directory

1.You are the system administrator of a large organization that has recently implementedWindows Server 2008. You have a few remote sites that do not have very tight security. Youhave decided to implement read-only domain controllers (RODC). What forest and functionlevels does the network need for you to do the install? (Choose all that apply.)

A. Windows 2000 MixedB. Windows 2000 NativeC. Windows 2003D. Windows 2008

2.What is the maximum number of domains that a Windows 2008 Server computer, configuredas a domain controller, may participate in at one time?

A. 0B. 1C. 2D. Any number of domains

3.In order to support Windows Server 2000, 2003, and 2008 domain controllers in an ActiveDirectory domain, which of the following modes must you use?

A. Windows 2000 Native modeB. Windows Server 2003 modeC. Low-security modeD. Windows Server 2008 mode

4.You are the systems administrator for the XYZ Products, Inc. Windows Server 2008basednetwork. You are upgrading a Windows Server 2008 computer to an Active Directory domaincontroller and need to decide the initial domain name. Your business has the followingrequirements:. The domain name must be accessible from the Internet.. The domain name must reflect your companys proper name.Which of the following domain names meet these requirements? (Choose two.)

A. XYZProducts.comB. XYZProducts.domainC. Server1.XYZProducts.orgD. XYZProductsServer2008

5.Recently, you have received several alerts that Server1 is running low on disk space. Server1primarily stores users home directories. This problem has occurred several times in the past,and you want to restrict the amount of space that users can use on one of the volumes on theserver. Which NTFS feature can you implement to limit the amount of disk space occupied byusers?

A. QuotasB. EncryptionC. Dynamic disksD. Remote storageE. Shared Folder Policy Objects

6.You are attempting to join various machines on your network to an Active Directory domain.Which of the following scenarios describe machines that can be added to the domain? Chooseall that apply.

A. The machine is running Windows XP Professional.B. The machine is a member of another domain.C. The machine is running Windows Server 2008.D. The machine is a member of a workgroup.

7.Windows Server 2008 requires the use of which of the following protocols or services in orderto support Active Directory? (Choose two.)

A. DHCPB. TCP/IPC. NetBEUID. IPX/SPXE. DNS

8.You are promoting a Windows Server 2008 computer to an Active Directory domain controllerfor test purposes. This server will act alone on the network and does not need to be accessiblefrom other machines. Which of the following domain names is a valid choice for the initialActive Directory domain? (Choose all that apply.)

A. mycompany.comB. test.mycompany.comC. mycompany.orgD. mycompany.net

9.You are promoting a Windows Server 2008 computer to an Active Directory domain controllerfor test purposes. The new domain controller will be added to an existing domain. Whileyou are using Active Directory Installation Wizard, you receive an error message that preventsthe server from being promoted. Which of the following might be the cause of the problem?(Choose all that apply.)

A. The system does not contain an NTFS partition on which the Sysvol directory can becreated.B. You do not have a Windows Server 2008 DNS server on the network.C. The TCP/IP configuration on the new server is incorrect.D. The domain has reached its maximum number of domain controllers.

10.You are the systems administrator responsible for your companys infrastructure. You thinkyou have an issue with name resolution and you need to verify that you are using the correcthostname. You want to test DNS on the local system and need to see if the hostname server-1resolves to the IP address 10.1.1.1. Which of the following actions provides a solution to theproblem?

A. Add a DNS server to your local subnet.B. Add the mapping for the hostname server-1 to the IP address 10.1.1.1 in the localsystems HOSTS file.C. Add an A record to your local WINS server.D. Add an MX record to your local DNS server.

11.You are the network administrator for your company, which consists of 3 new WindowsServer 2008 servers and 40 workstations running Windows XP Professional. You design a newname for your domain while deploying Active Directory. You consider DNS and how your clientswill use it. Because you dont own your DNS name publicly, only privately, what is your nextstep if you want to ensure that you are the owner of that domain for the future?

A. Make a lease offer and hold the domain.B. Make a list of similar domain names to use.C. Register the name with a registration authority.D. Use a reverse lookup zone to configure this functionality.

12.You are the systems administrator for 123 Inc. You are in charge of your companys DNSinfrastructure, and you want to ensure that naming remains accurate in a distributed networkenvironment. Choose the proper way to ensure that DNS will stay accurate across theenterprise.

A. You must designate one DNS server as the primary master database for a specific set ofaddresses.B. You need to implement round robin ordering.C. You need to implement a secondary transfer zone server to ensure accuracy.D. You must open Port 52 on all firewalls and access control lists enterprise-wide.

Configuring Sites and Replication

1. Daniel is responsible for managing Active Directory replication traffic for a medium-sizedorganization that has deployed a single Active Directory domain. Currently, the environment isconfigured with two sites and the default settings for replication. Each site consists of 15 domaincontrollers. Recently, network administrators have complained that Active Directory traffic isusing a large amount of available network bandwidth between the two sites. Daniel has beenasked to meet the following requirements:. Reduce the amount of network traffic between domain controllers in the two sites.. Minimize the amount of change to the current site topology.. Require no changes to the existing physical network infrastructure.Daniel decides that it would be most efficient to configure specific domain controllers in eachsite that will receive the majority of replication traffic from the other site. Which of the followingsolutions meets the requirements?

A. Create additional sites that are designed only for replication traffic and move the existingdomain controllers to these sites.

B. Create multiple site links between the two sites.C. Create a site link bridge between the two sites.D. Configure one server at each site to act as a preferred bridgehead server.

2. Which of the following does not need to be manually created when you are setting up a replicationscenario involving three domains and three sites?

A. SitesB. Site linksC. Connection objectsD. Subnets

3. Which of the following services of Active Directory is responsible for maintaining the replicationtopology?

A. File Replication ServiceB. Knowledge Consistency CheckerC. Windows Internet Name ServiceD. Domain Name System

4. Will, a systems administrator for an Active Directory environment that consists of three sites,wants to configure site links to be transitive. Which of the following Active Directory objectsis responsible for representing a transitive relationship between sites?A. Additional sitesB. Additional site linksC. Bridgehead serversD. Site link bridges

5. You have configured your Active Directory environment with multiple sites and have placedthe appropriate resources in each of the sites. You are now trying to choose a protocol for thetransfer of replication information between two sites. The connection between the two siteshas the following characteristics:. The link is generally unavailable during certain parts of the day due to an unreliable networkprovider.. The replication transmission must be attempted whether the link is available or not. If thelink was unavailable during a scheduled replication, the information should automaticallybe received after the link becomes available again.. Replication traffic must be able to travel over a standard Internet connection.Which of the following protocols meets these requirements?A. IPB. SMTPC. RPCD. DHCP

6. A network administrator has decided that it will be necessary to implement multiple sites inorder to efficiently manage your companys large Active Directory environment. Based on herrecommendations, you make the following decisions:. You will create four sites to make the best configuration.. You will connect the sites with site links and site link bridges.. Two small offices must only receive replication traffic during non-business hours.. The organization will own a single DNS name: supercompany.com.. You want to keep administration as simple as possible, and you want to use the smallestpossible number of domains.Based on this information, you must plan the Active Directory domain architecture. What isthe minimum number of domains that you must create to support this configuration?A. 0B. 1C. 4D. 8

7. Andrew is troubleshooting a problem with Active Directory. One systems administrator hastold him that she made an update to a User object and that another system administratorreported that he had not seen the changes appear on another domain controller. It has beenover a week since the change was made. Andrew further verifies the problem by making achange to another Active Directory object. Within a few hours, the change appears on a fewdomain controllers, but not on all of them.Which of the following are possible causes for this problem? Choose all that apply.A. Network connectivity is unavailable.B. Connection objects are not properly configured.C. Sites are not properly configured.D. Site links are not properly configured.E. A WAN connection has failed.

F. Andrew has configured one of the domain controllers for manual replication updates.8. A systems administrator suspects that there is an error in the replication configuration. Howcan he look for specific error messages related to replication?A. By using the Active Directory Sites And Services administrative toolB. By using the Computer Management toolC. By going to Event Viewer . System logD. By going to Event Viewer . Directory Service log

9. Christina is responsible for managing Active Directory replication traffic for a medium-sizedorganization. Currently, the environment is configured with a single site and the default settingsfor replication. The site contains over 50 domain controllers and the system administrators areoften making changes to the Active Directory database. Recently, network administrators havecomplained that Active Directory traffic is consuming a large amount of network bandwidthbetween portions of the network that are connected by slow links. Ordinarily, the amount ofreplication traffic is reasonable, but recently users have complained about slow network performanceduring certain hours of the day.Christina has been asked to alleviate the problem while meeting the following requirements:. Be able to control exactly when replication occurs.. Be able to base Active Directory replication on the physical network infrastructure.. Perform the changes without creating or removing any domain controllers.Which two of the following steps can Christina take to meet these requirements?A. Create and define Connection objects that specify the hours during which replication willoccur.B. Create multiple site links.C. Create a site link bridge.D. Create new Active Directory sites that reflect the physical network topology.E. Configure one server at each of the new sites to act as a bridgehead server

10. James, a systems administrator, suspects that Active Directory replication traffic is consuminga large amount of network bandwidth. James is attempting to determine the amount of networktraffic that is generated through replication. He wants to do the following:. Determine replication data transfer statistics.. Collect information about multiple Active Directory domain controllers at the same time.. Measure other performance statistics, such as server CPU utilization.Which of the following administrative tools is most useful for meeting these requirements?A. Active Directory Users And ComputersB. Active Directory Domains And TrustsC. Active Directory Sites And ServicesD. Event ViewerE. Performance

11. You are the administrator of a large, distributed network environment. Recently, your ITdepartment has decided to add various routers to the environment to limit the amount of trafficgoing to and from various areas of the network. You need to reconfigure Active Directoryreplication to reflect the physical network changes. Which of the following Active Directoryobjects should you modify to define the network boundaries for Active Directory sites?A. Site linksB. Site link bridgesC. Bridgehead serversD. Subnets

12. You have recently created a new Active Directory domain by promoting several WindowsServer 2008 computers to domain controllers. You then use the Active Directory Sites And Servicestool to configure sites for the environment. You soon find that changes that are made onone domain controller may not appear in the Active Directory database on another domaincontroller. By checking the Directory Services log using the Event Viewer application, you findthat one of the domain controllers at a specific site is not receiving Active Directory updates.Which of the following are possible reasons for this? (Choose all that apply.)A. Network connectivity has not been established for this server.B. A firewall is preventing replication information from being transmitted.C. There are not enough domain controllers in the environment.D. There are too many domain controllers in the environment.E. You chose to disable Active Directory replication during the promotion of the machine toa domain controller.

13. You administer a network with locations at two different sites. Both a T1 line and a dial-up lineused for redundancy connect the sites. You want to ensure that replication normally occurs onthe T1 line and that the dial-up line is only there as backup in case the T1 goes down. Whatshould you do to meet these requirements? Choose all that apply.A. Lower the cost of the T1 line.B. Lower the cost of the dial-up line.C. Raise the cost of the T1 line.D. Raise the cost of the dial-up line.

14. You are the administrator for a network with locations at three different sites. You would liketo specify the placement of the Global Catalog (GC) server. You have a central site located inNew York, and two remote sites located in New Jersey and Connecticut. There are 100 userslocated in New York and 20 at each of the smaller locations. You have two full T1s connectingNew Jersey and Connecticut to New York. What state would it make sense to put your GC inif you are only going to use one Global Catalog?A. ConnecticutB. New JerseyC. New YorkD. All of the above

15. As the network administrator for RJS LLC, you are interested in specifying a bridgehead serverat a location due to a recent merger. Your company just bought ABC Inc., and a large ActiveDirectory domain comes from this acquisition. You need to bring up a new domain controllerbut you need to specify the intrasite replication. How do you specify this server as a bridgeheadserver?A. In the Active Directory Sites And Services administrative tool, right-click a domaincontroller and select Properties. Select one or both replication transports from the left andclick Add.B. In the system Registry, change the enum_bridgehead value in HKEY_LOCAL_MACHINE to 1.Reboot the server.C. In the Active Directory Sites and Services tool, right-click a domain controller and selectProperties. Choose Add from the bridgehead server tab.D. In the Control Panel, click the Active Directory Management applet, and in the Sites tab,select the Make This Server A Bridgehead Server option.

16. You are the administrator for your companys Active Directory infrastructure. The companyhas three domain controllers, each of which has Knowledge Consistency Checker (KCC) errorsconsistently popping up in the directory services Event Viewer log. What does this indicate?A. Replication problemsB. DNS problemsC. Name resolution problemsD. Problems associated with Global Catalog placement

17. You need to keep track of licensing with the licensing server. Where can you configure thelicensing server so that as the system administrator you can ensure you are compliant?A. Configure licensing in the Control Panel under the Licensing Applet.B. Configure licensing in the Registry under the HKEY_ClASSES_ROOT key.C. Configure licensing in the Computer Management MMC.D. Configure licensing in the Active Directory Sites And Services tool.

18. You are the network administrator responsible for deploying sites and subnets within yourorganization. You want to make sure you have set up your subnet objects correctly. From thefollowing list, choose which subnet object cannot be used.A. 10.1.1.0B. 192.168.256.0C. 11.1.1.0D. 172.16.1.0

Administrimi i OU

1. Gabriel is responsible for administering a small Active Directory domain. Recently, the Engineeringdepartment within his organization has been divided into two departments. He wantsto reflect this organizational change within Active Directory and plans to rename variousgroups and resources. Which of the following operations can he perform using the ActiveDirectory Users And Computers tool? (Choose all that apply.)A. Renaming an organizational unitB. Querying for resourcesC. Renaming a groupD. Creating a computer account

2. You are a domain administrator for a large domain. Recently, you have been asked to makechanges to some of the permissions related to OUs within the domain. In order to furtherrestrict security for the Texas OU, you remove some permissions at that level. Later, a juniorsystems administrator mentions that she is no longer able to make changes to objects withinthe Austin OU (which is located within the Texas OU). Assuming no other changes have beenmade to Active Directory permissions, which of the following characteristics of OUs mighthave caused the change in permissions?A. InheritanceB. Group PolicyC. DelegationD. Object properties

3. You are a consultant hired to evaluate an organizations Active Directory domain. The domaincontains over 200,000 objects and hundreds of OUs. You begin examining the objects withinthe domain, but you find that the loading of the contents of specific OUs takes a very long time.Furthermore, the list of objects can be very large. You want to do the following:. Use the built-in Active Directory administrative tools, and avoid the use of third-party toolsor utilities.. Limit the list of objects within an OU to only the type of objects that youre examining (forexample, only Computer objects).. Prevent any changes to the Active Directory domain or any of the objects within it.Which one of the following actions meets the above requirements?

A. Use the Filter option in the Active Directory Users And Computers tool to restrict the displayof objects.B. Use the Delegation of Control Wizard to give yourself permissions over only a certain typeof object.C. Implement a new naming convention for objects within an OU and then sort the resultsusing this new naming convention.D. Use the Active Directory Domains And Trusts tool to view information from only selecteddomain controllers.E. Edit the domain Group Policy settings to allow yourself to view only the objects of interest.

4. Your organization is currently planning a migration from a Windows NT 4 environment thatconsists of several domains to an Active Directory environment. Your staff consists of 25 systemadministrators who are responsible for managing one or more domains. The organizationis finalizing a merger with another company.John, a technical planner, has recently provided you with a preliminary plan to migrate yourenvironment to several Active Directory domains. He has cited security and administration asmajor justifications for this plan. Jane, a consultant, has recommended that the Windows NT4 domains be consolidated into a single Active Directory domain. Which of the following statementsprovide a valid justification to support Janes proposal? (Choose all that apply.)A. In general, OU structure is more flexible than domain structure.B. In general, domain structure is more flexible than OU structure.C. It is possible to create a distributed system administration structure for OUs by using delegation.D. The use of OUs within a single domain can greatly increase the security of the overall environment.

5. Miguel is a junior-level systems administrator and he has basic knowledge about working withActive Directory. As his supervisor, you have asked Miguel to make several security-relatedchanges to OUs within the companys Active Directory domain. You instruct Miguel to use thebasic functionality provided in the Delegation of Control Wizard. Which of the followingoperations are represented as common tasks within the Delegation of Control Wizard?(Choose all that apply.)A. Reset passwords on user accounts.B. Manage Group Policy links.C. Modify the membership of a group.D. Create, delete, and manage groups.

6. You are the primary systems administrator for a large Active Directory domain. Recently, youhave hired another systems administrator to offload some of your responsibilities. This systemsadministrator will be responsible for handling help desk calls and for basic user account management.You want to allow the new employee to have permissions to reset passwords for allusers within a specific OU. However, for security, reasons, its important that the user not beable to make permissions changes for objects within other OUs in the domain. Which of thefollowing is the best way to do this?A. Create a special administration account within the OU and grant it full permissions for allobjects within Active Directory.B. Move the users login account into the OU that he or she is to administer.C. Move the users login account to an OU that contains the OU (that is, the parent OU of theone that he or she is to administer).D. Use the Delegation of Control Wizard to assign the necessary permissions on the OU thathe or she is to administer.

7. You have been hired as a consultant to assist in the design of an organizations Active Directoryenvironment. Specifically, you are instructed to focus on the OU structure (others will be planningfor technical issues). You begin by preparing a list of information that you need to createthe OU structure for a single domain. Which of the following pieces of information is not vitalto your OU design?A. Physical network topologyB. Business organizational requirementsC. System administration requirementsD. Security requirements

8. A systems administrator is using the Active Directory Users And Computers tool to view theobjects within an OU. He has previously created many users, groups, and computers withinthis OU, but now only the users are showing. What is a possible explanation for this?A. Groups and computers are not normally shown in the Active Directory Users AndComputers tool.B. Another systems administrator may have locked the groups, preventing others fromaccessing them.C. Filtering options have been set that specify that only User objects should be shown.D. The Group and Computer accounts have never been used and are, therefore, not shown.

9. The company you work for has a multilevel administrative team that is segmented by departmentsand locations. There are four major locations and you are in the Northeast group. Youhave been assigned to the administrative group that is responsible for creating and maintainingnetwork shares for files and printers in your region. The last place you worked was a largeWindows NT 4 network, where you had a much wider range of responsibilities. You areexcited about the chance to learn more about Windows Server 2008.For your first task, you have been given a list of file and printer shares that need to be createdfor the users in your region. You ask how to create them in Windows Server 2008, and you aretold that the process of creating a share is the same as with Windows NT. You create the sharesand use NET USE to test them. Everything appears to work fine, so you send out a message thatthe shares are available. The next day, you start receiving calls from users who say that theycannot see any of resources that you created. What is the most likely reason for the calls fromthe users?A. You forgot to enable NetBIOS for the shares.B. You need to force replication for the shares to appear in the directory.C. You need to publish the shares in the directory.D. The shares will appear within the normal replication period.

10. Wilford Products has over 1,000 users in 5 locations across the country. The network consistsof 4 servers and around 250 workstations in each location. One of the 4 servers in each locationis a domain controller. As the new network administrator, you are now responsible for allaspects of the OUs within the directory. After meeting with the HR department, you have beeninformed that the vice president of sales has left the organization, and you are to remove hisaccess to all resources on the network. You return to your office and remove his account fromthe directory. After you remove the account, you are immediately notified that you have beenmisinformed and the vice president of sales is not leaving the company. You quickly re-add himwithin the window of replication between the other domain controllers. What else must youdo to reinstate his account and all his associated permissions?A. Nothing. Since you re-created the account before the replication window opened, theaccount will remain in the directory.B. Open the Tombstone folder and remove the object that is pending in order to remove theaccount before the replication window opens.C. After replication occurs, you need to manually synchronize his account in the domaincontrollers.D. You must re-establish every permission and setting manually.

11. You have inherited the administrator position of a network that has already completed itsmigration from Windows NT to Windows Server 2008. The network consists of a singledomain that serves two locations with five servers at each site. The replication topology hasproven to be solid, and the monitoring tasks that were in place when you arrived show noerrors. Each site has two domain controllers for redundancy, each of which has a DNS serverto support name resolution. Your first tasks are to learn how the directory has been designedand how the structure of the OUs is providing management capabilities to the domain. As youbegin to settle in, you add some new users to the domain, but some of them complain that theycannot do what you have told them they could do. As you investigate the problem, you determinethat Group Policy is not being applied when the users with the problems log on to thenetwork. What are the possible reasons for this problem? (Choose all that apply.)A. The policy has been blocked for the OU of which the users are members.B. The users are not members of the OU that is subject to the Group Policy object.C. The users are members of a security group whose Apply Group Policy ACE is set to Deny.D. Policies must be applied to the specific OU that contains the users before they take effect.

12. As the network administrator for your company, you find that you need a plan for how tostructure your OUs. You also need to accommodate the delegation of a few OUs to otheradministrators. Your current layout is as follows: you have a Sales department, a Marketingdepartment, and an HR department. You need to plan and create OUs. You want to delegatecontrol of each OU to each department supervisor. Which of the following solutions will helpsatisfy your plan?A. Build an OU called ADMIN, and then create three OUs below it called SALES, MARKET,and HR. Delegate control of each OU to each respective department head.B. Build an OU called SITEA, and then create two OUs below it called SALES and MARKET.Create a third OU under MARKET called HR. Delegate control of each OU to each respectivedepartment head.C. Build an OU called ADMIN, and then create three OUs below it called SALES, MARKET,and HR. Create Administrator accounts for each OU and then allow each to control theirrespective OUs.D. Build an OU called SITEA, and then create four OUs below it called SALES, ADMIN,MARKET, and HR. Delegate control of each OU to each respective department head andmake sure that ADMIN keeps Executive Administrative privileges.

13. You are the Lead Administrator and Designer for your company. You have just installed thefirst of many Windows Server 2008 systems. You are building your infrastructure and nowneed to design the OU layout and implement it. You have to design an OU structure thatincludes the following departments: IT, HR, SALES, MARKETING, ENGINEERING, andCORPORATE. You also need to make sure that the supervisor within each department is ableto manage each OU you create. You will need to delegate permissions. What is the best wayto design your OU structure?A. Create an OU at the top level and call it DELEGATION. Create second-level OUs underDELEGATION and assign administrative rights to each. Create a policy that will alloweach supervisor the right to manage the DELEGATION OU.B. Create an OU at the top level. Call it ADMIN1. Create IT, HR, SALES, MARKETING,ENGINEERING, and CORPORATE under ADMIN1. Set up delegation to the properusers for each OU.C. Design a top-level OU and create it with administrative rights. Name it US. Make an OUcalled COMP1 under US and then create SALES and MARKETING under it. Create a secondOU called UK and create all the rest of the needed OUs under it. Rights will beassigned by default.D. Create an OU at the top level. Call it TOP1. Create a Regional OU called US. Create IT1,HR1, SALES1, MARKETING1, ENGINEERING1, and CORPORATE1 under US1. Setup delegation to the proper users for each OU.

Ou:Administrimi i OU

1. Gabriel is responsible for administering a small Active Directory domain. Recently, the Engineeringdepartment within his organization has been divided into two departments. He wantsto reflect this organizational change within Active Directory and plans to rename variousgroups and resources. Which of the following operations can he perform using the ActiveDirectory Users And Computers tool? (Choose all that apply.)A. Renaming an organizational unitB. Querying for resourcesC. Renaming a groupD. Creating a computer account

2. You are a domain administrator for a large domain. Recently, you have been asked to makechanges to some of the permissions related to OUs within the domain. In order to furtherrestrict security for the Texas OU, you remove some permissions at that level. Later, a juniorsystems administrator mentions that she is no longer able to make changes to objects withinthe Austin OU (which is located within the Texas OU). Assuming no other changes have beenmade to Active Directory permissions, which of the following characteristics of OUs mighthave caused the change in permissions?A. InheritanceB. Group PolicyC. DelegationD. Object properties

3. You are a consultant hired to evaluate an organizations Active Directory domain. The domaincontains over 200,000 objects and hundreds of OUs. You begin examining the objects withinthe domain, but you find that the loading of the contents of specific OUs takes a very long time.Furthermore, the list of objects can be very large. You want to do the following:. Use the built-in Active Directory administrative tools, and avoid the use of third-party toolsor utilities.. Limit the list of objects within an OU to only the type of objects that youre examining (forexample, only Computer objects).. Prevent any changes to the Active Directory domain or any of the objects within it.Which one of the following actions meets the above requirements?

A. Use the Filter option in the Active Directory Users And Computers tool to restrict the displayof objects.B. Use the Delegation of Control Wizard to give yourself permissions over only a certain typeof object.C. Implement a new naming convention for objects within an OU and then sort the resultsusing this new naming convention.D. Use the Active Directory Domains And Trusts tool to view information from only selecteddomain controllers.E. Edit the domain Group Policy settings to allow yourself to view only the objects of interest.

4. Your organization is currently planning a migration from a Windows NT 4 environment thatconsists of several domains to an Active Directory environment. Your staff consists of 25 systemadministrators who are responsible for managing one or more domains. The organizationis finalizing a merger with another company.John, a technical planner, has recently provided you with a preliminary plan to migrate yourenvironment to several Active Directory domains. He has cited security and administration asmajor justifications for this plan. Jane, a consultant, has recommended that the Windows NT4 domains be consolidated into a single Active Directory domain. Which of the following statementsprovide a valid justification to support Janes proposal? (Choose all that apply.)A. In general, OU structure is more flexible than domain structure.B. In general, domain structure is more flexible than OU structure.C. It is possible to create a distributed system administration structure for OUs by using delegation.D. The use of OUs within a single domain can greatly increase the security of the overall environment.

5. Miguel is a junior-level systems administrator and he has basic knowledge about working withActive Directory. As his supervisor, you have asked Miguel to make several security-relatedchanges to OUs within the companys Active Directory domain. You instruct Miguel to use thebasic functionality provided in the Delegation of Control Wizard. Which of the followingoperations are represented as common tasks within the Delegation of Control Wizard?(Choose all that apply.)A. Reset passwords on user accounts.B. Manage Group Policy links.C. Modify the membership of a group.D. Create, delete, and manage groups.

6. You are the primary systems administrator for a large Active Directory domain. Recently, youhave hired another systems administrator to offload some of your responsibilities. This systemsadministrator will be responsible for handling help desk calls and for basic user account management.You want to allow the new employee to have permissions to reset passwords for allusers within a specific OU. However, for security, reasons, its important that the user not beable to make permissions changes for objects within other OUs in the domain. Which of thefollowing is the best way to do this?A. Create a special administration account within the OU and grant it full permissions for allobjects within Active Directory.B. Move the users login account into the OU that he or she is to administer.C. Move the users login account to an OU that contains the OU (that is, the parent OU of theone that he or she is to administer).D. Use the Delegation of Control Wizard to assign the necessary permissions on the OU thathe or she is to administer.

7. You have been hired as a consultant to assist in the design of an organizations Active Directoryenvironment. Specifically, you are instructed to focus on the OU structure (others will be planningfor technical issues). You begin by preparing a list of information that you need to createthe OU structure for a single domain. Which of the following pieces of information is not vitalto your OU design?A. Physical network topologyB. Business organizational requirementsC. System administration requirementsD. Security requirements

8. A systems administrator is using the Active Directory Users And Computers tool to view theobjects within an OU. He has previously created many users, groups, and computers withinthis OU, but now only the users are showing. What is a possible explanation for this?A. Groups and computers are not normally shown in the Active Directory Users AndComputers tool.B. Another systems administrator may have locked the groups, preventing others fromaccessing them.C. Filtering options have been set that specify that only User objects should be shown.D. The Group and Computer accounts have never been used and are, therefore, not shown.

9. The company you work for has a multilevel administrative team that is segmented by departmentsand locations. There are four major locations and you are in the Northeast group. Youhave been assigned to the administrative group that is responsible for creating and maintainingnetwork shares for files and printers in your region. The last place you worked was a largeWindows NT 4 network, where you had a much wider range of responsibilities. You areexcited about the chance to learn more about Windows Server 2008.For your first task, you have been given a list of file and printer shares that need to be createdfor the users in your region. You ask how to create them in Windows Server 2008, and you aretold that the process of creating a share is the same as with Windows NT. You create the sharesand use NET USE to test them. Everything appears to work fine, so you send out a message thatthe shares are available. The next day, you start receiving calls from users who say that theycannot see any of resources that you created. What is the most likely reason for the calls fromthe users?A. You forgot to enable NetBIOS for the shares.B. You need to force replication for the shares to appear in the directory.C. You need to publish the shares in the directory.D. The shares will appear within the normal replication period.

10. Wilford Products has over 1,000 users in 5 locations across the country. The network consistsof 4 servers and around 250 workstations in each location. One of the 4 servers in each locationis a domain controller. As the new network administrator, you are now responsible for allaspects of the OUs within the directory. After meeting with the HR department, you have beeninformed that the vice president of sales has left the organization, and you are to remove hisaccess to all resources on the network. You return to your office and remove his account fromthe directory. After you remove the account, you are immediately notified that you have beenmisinformed and the vice president of sales is not leaving the company. You quickly re-add himwithin the window of replication between the other domain controllers. What else must youdo to reinstate his account and all his associated permissions?A. Nothing. Since you re-created the account before the replication window opened, theaccount will remain in the directory.B. Open the Tombstone folder and remove the object that is pending in order to remove theaccount before the replication window opens.C. After replication occurs, you need to manually synchronize his account in the domaincontrollers.D. You must re-establish every permission and setting manually.

11. You have inherited the administrator position of a network that has already completed itsmigration from Windows NT to Windows Server 2008. The network consists of a singledomain that serves two locations with five servers at each site. The replication topology hasproven to be solid, and the monitoring tasks that were in place when you arrived show noerrors. Each site has two domain controllers for redundancy, each of which has a DNS serverto support name resolution. Your first tasks are to learn how the directory has been designedand how the structure of the OUs is providing management capabilities to the domain. As youbegin to settle in, you add some new users to the domain, but some of them complain that theycannot do what you have told them they could do. As you investigate the problem, you determinethat Group Policy is not being applied when the users with the problems log on to thenetwork. What are the possible reasons for this problem? (Choose all that apply.)A. The policy has been blocked for the OU of which the users are members.B. The users are not members of the OU that is subject to the Group Policy object.C. The users are members of a security group whose Apply Group Policy ACE is set to Deny.D. Policies must be applied to the specific OU that contains the users before they take effect.

12. As the network administrator for your company, you find that you need a plan for how tostructure your OUs. You also need to accommodate the delegation of a few OUs to otheradministrators. Your current layout is as follows: you have a Sales department, a Marketingdepartment, and an HR department. You need to plan and create OUs. You want to delegatecontrol of each OU to each department supervisor. Which of the following solutions will helpsatisfy your plan?A. Build an OU called ADMIN, and then create three OUs below it called SALES, MARKET,and HR. Delegate control of each OU to each respective department head.B. Build an OU called SITEA, and then create two OUs below it called SALES and MARKET.Create a third OU under MARKET called HR. Delegate control of each OU to each respectivedepartment head.C. Build an OU called ADMIN, and then create three OUs below it called SALES, MARKET,and HR. Create Administrator accounts for each OU and then allow each to control theirrespective OUs.D. Build an OU called SITEA, and then create four OUs below it called SALES, ADMIN,MARKET, and HR. Delegate control of each OU to each respective department head andmake sure that ADMIN keeps Executive Administrative privileges.

13. You are the Lead Administrator and Designer for your company. You have just installed thefirst of many Windows Server 2008 systems. You are building your infrastructure and nowneed to design the OU layout and implement it. You have to design an OU structure thatincludes the following departments: IT, HR, SALES, MARKETING, ENGINEERING, andCORPORATE. You also need to make sure that the supervisor within each department is ableto manage each OU you create. You will need to delegate permissions. What is the best wayto design your OU structure?A. Create an OU at the top level and call it DELEGATION. Create second-level OUs underDELEGATION and assign administrative rights to each. Create a policy that will alloweach supervisor the right to manage the DELEGATION OU.B. Create an OU at the top level. Call it ADMIN1. Create IT, HR, SALES, MARKETING,ENGINEERING, and CORPORATE under ADMIN1. Set up delegation to the properusers for each OU.C. Design a top-level OU and create it with administrative rights. Name it US. Make an OUcalled COMP1 under US and then create SALES and MARKETING under it. Create a secondOU called UK and create all the rest of the needed OUs under it. Rights will beassigned by default.D. Create an OU at the top level. Call it TOP1. Create a Regional OU called US. Create IT1,HR1, SALES1, MARKETING1, ENGINEERING1, and CORPORATE1 under US1. Setup delegation to the proper users for each OU.

You are the administrator of an organization with a single Active Directory Domain A user who left the company returns after 16 weeks. The user tries to log onto their old computer and receives an error stating that the authentication has failed. The users account has been enabled. You need to ensure that the user is able to log onto the domain using that computer What do you do?Reset the computer account in Active Directory. Dis-join the computer from the domain and then rejoin the computer to the domain.You are the administrator of an organization with a single Active Directory domain. One of your senior executives tries to log onto a machine and receives the error "This user account has expired. Ask your administrator to reactivate your account." You need to make sure this doesn't happen to this user again. What do you do?Modify the user's properties to set the "Account Never Expires" setting.You need to create a new user account using the command prompt. Which command would you use?dsaddMaria is a user who belongs to the new Sales distribution global group. Maria has been trying to access the laser printer that is shared on the network. The Sales global group has full access to the laser printer. How do you fix the problem?Change the group type to a security group.You are a domain administrator for a large domain. Recently, you have been asked to make changes to some of the permissions related to OUs within the domain. In order to further restrict security for the Texas OU, you remove some of the permissions at that level. Later, a junior systems administrator mentions that she is no longer able to make changes to objects within the Austin OU ( which is located within the Texas OU). Assuming no other changes have been made to the Active Directory permissions, which of the followign characteristics of OUs might have caused the change in permissions?InheritanceIsabel, a systems administrator, has created a new Active Directory domain in an environment that already contains two trees. During the promotion of the domain controller, she chose to create a new Active director forest. Isabel is a member of the Enterprise Administrators group and has full permissions over all domains. During the organization's migration to Active Directory, many updates have been made to the information stored within the domains. Recently, user and other systems administrators have complained about not being able to find specific Active Directory objects in one or more domains (although the objects exist in others). In order to investigate the problem, Isabel wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. Which two of the following actions should she perform to be able to view the relevant information?Select the Advance Features item in the View Menu (and) Examine the contents of the LostAndFound folder using the Active Directory Users and Computers tool.You are a consultant hired to evaluate an organizations Active Directory Domain. The domain contaions over 200,000 objects and hundreds of OUs. You begin examining the objects within the domain, but you find that the loading of the contents of specific OUs takes a very long time. Furthermore the list of objects can be very large. You want to do the following, Use the built-in Active Directory administrative tools, and avoid the use of third-party tools or utilities, Limit the list of objects within an OU to only the type of objects that you're examining (for example, only Computer objects), Prevent any changes to the Active Directory domain or any of the objects within it. Which of the following actions meets these requirements?A. Use the Filter option in the Active Directory and Computers tool to restrict the display of objects.Your organization is currently planning a migration from a Windows NT 4 environment that consists of several domains to an Active Directory environment. Your staff consists of 25 systems administrators who are responsible for managing one or more domains. The organization is finalizing a merger with another company. Will, a technical planner, has recently provided you with a preliminary plan to migrate your environment to several Active Directory domains. He has cited security and administration as major specifications to this plan. Crystal, a consultant, has recommended that the Windows NT 4 domains be consolidated into a single Active Directory domain. Which of the following statements provide a valid justification to support Crystals's proposal?A. In general, OU structure is more flexible than domain structure, and C. It is possible to create a distributed system administration structure for OUs by using delegation.Miguel is a junior-level systems administrator, and he has basic knowledge about working with Active Directory. As his supervisor, you have asked Miguel to make several security related changes to OUs within the company's Active Directory domain. you instruct Miguel to use the basic functionality provided in the Delegation of Control Wizard. Which of the following operations are represented as common tasks within the Delegation of Control Wizard? Choose all that apply.A. Reset Passwords on user accounts B. Manage Group Policy links C. Modify the membership of a group D. Create, delete, and manage groupsYou are the primary systems administrator for a large Active Directory domain. Recently, you have hired another systems administrator to whom you will offload some of your responsibilities. This systems administrator will be responsible for handling help desk calls and for basic user passwords for all handling help desk calls and for basic user account management. You want to allow the new employee to have permissions to reset passwords for all users within a specific OU. However, for security reasons, its important that the user not be able to make permissions changes for objects within other OUs in the domain. Which of the following is the best way to do this?: