simplified


7.1 How is an organizational unit different from a container?

OUs organize stuff; containers do too, but have some limits.


What are the advantages of placing computer accounts in organizational units rather than the Computers container?

OUs make managing rights, permissions, and delegation easier, and reduce admin work through group policies.


How does inheritance affect child organizational units?

Inheritance passes settings from parent OUs or the domain to child OUs and objects inside them.


How can you protect objects from accidental deletion?

Enable "Protect object from accidental deletion" in object properties to prevent accidental deletions.


What is contained in each default container?

Don’t Bust Cum My Uterus

Containers hold domains, built-in accounts, computers, managed service accounts, and users.


Who is responsible for administrative tasks for an OU?

Tasks for an OU are usually delegated to specific users or groups.


Is there a way to have new computers automatically added to an admin-specified OU rather than to the default computers container?

Yes, by using default Domain Controller OUs and Group Policy settings.


Can an owner of one OU always see the contents of another OU in the forest?

No, visibility depends on permissions granted to users or groups.


7.2 When is it best to pre-stage a computer account?

Before joining a computer to the domain, to control its location in Active Directory.


What is the benefit of computer account redirection?

It puts computer accounts into a specified OU instead of the default location.


How do you reset a computer account?

Use commands like netdom reset, or the Reset Account option in Active Directory Users and Computers.


How can you join a computer to a domain if it does not have a network connection?

Use the offline domain join feature.


Is it possible to join a computer to a domain from the computer's System Properties?

Yes, using Manual join in the system properties.


7.3 How is a domain user account different from a local user account?

Local accounts are stored on one system; domain accounts are centrally managed through Active Directory.


What is the difference between a disabled, locked-out, or expired user account?

Disabled accounts can't be used; locked-out accounts are temporarily blocked; expired accounts can't log in.


What is the best way to handle a user's account when an employee quits and will be quickly replaced by a new employee?

Disable the old account, then enable and rename it for the new employee.


Which permissions are granted to a user account created from a template?

New accounts retain group memberships but not direct permissions.


How should you re-create a user account that was accidentally deleted?

Restore it from backup rather than creating a new one.


7.4 What are the advantages of using groups when setting permissions?

Groups simplify network maintenance and administration.


What is the difference between a security group and a distribution group?

Security groups manage rights and permissions; distribution groups are for sending emails.


What type of objects can you make members of a universal group? A domain local group?

Universal groups can contain objects from any domain; domain local groups have fewer restrictions.


What happens to user accounts when the group they're in is deleted?

Accounts are not deleted but are no longer associated with the group.


Which PowerShell commands can you use to manage groups?

Commands like Get-ADGroupMember help manage groups.


7.6 When would you choose the CSVDE command over the LDIFDE command when managing objects?

For bulk additions, CSVDE is useful.


Which tools add a user password to a user account?

Tools like ADUC, PowerShell, and net user.


Which tools can you use to create objects in Active Directory?

ADUC, PowerShell, ADAC, CSVDE, and LDIFDE.


What is the benefit of piping multiple commands?

It allows chaining commands for efficiency and flexibility.


What utilities would you use to view the properties of multiple Active Directory objects?

Tools like ADUC, PowerShell, ADAC, CSVDE, and LDIFDE.


What is the default action for the CSVDE command?

Exporting data.


8.1 What is a Group Policy?

A Windows feature to implement specific configurations for users and computers.


What is the difference between a local policy and a domain policy?

Local policies apply to standalone computers; domain policies apply to domain-joined computers.


How does the acronym LSDOU apply to Group Policy precedence?

It shows the order of precedence: Local, Site, Domain, OU.


8.2 What is a Group Policy template?

Files containing settings stored on each domain controller.


Where are the administrative templates stored?

In the Central Store or locally as ADMX files.


8.3 How can you set up a password policy?

By enforcing rules like history, age, length, complexity, encryption, lockout duration, threshold, and reset.


What strategies can you implement to protect against password attacks?

Educate users, enforce complex passwords, and implement two-factor authentication.


What object types can be associated with a granular password policy?

User accounts, not computer accounts.


8.4 What is an audit policy?

Policies to control the recording of system events and changes.


What does Object Access auditing track?

Access to files, folders, printers, registry settings, or IIS settings.


Why is it important to limit the number of audits being run?

To conserve system resources and storage space.


8.5 What is the difference between permissions and rights?

Permissions govern access; rights determine actions a user can perform.


What tool do you use to configure rights policy settings?

Local or domain policies using tools like Local Group Policy Editor or Group Policy Management.


8.6 Where are security options configured?

In Group Policy under Security Options.


Which Group Policy settings are available under Interactive Logon?

Settings like user display, last user name, password requirement, and smart card use.


What is the difference between prompting for credentials and prompting for consent?

Prompting for credentials requires admin login; prompting for consent requires admin approval.


8.7 When is it a good idea to create a Restricted Group Policy?

For high-security groups like administrators.


What is the preferred method for defining a Restricted Group?

Using Members and Members of.


Why is it a good strategy to test before activating a GPO using a Restricted Group Policy?

To avoid unintended consequences on all computers in the domain.




8.8 What are the benefits of using AppLocker?

Controls which programs users can run based on path, publisher, or hash, improving security.


Which file extensions can you apply an AppLocker script rule to?

Extensions like .ps1, .bat, .cmd, .vbs, and .js.


8.9 What is the main difference between Group Policy preferences and Group Policy settings?

Preferences are applied but not enforced; users can change them.


Which types of applications and operating system features do Group Policy preferences support?

Applications that aren't Group Policy-aware.


How do you configure Group Policy preferences?

Using cmdlets like Set-GPPrefRegistryValue in PowerShell.