Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows
Server 2012. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All
domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.
You need to identify whether the members of the Protected Users group will be prevented from authenticating
by using NTLM.
Which cmdlet should you use?
A.
Get-ADGroupMember
B.
Get-ADDomainControllerPasswordReplicationPolicy
C.
Get-ADDomainControllerPasswordReplicationPolicyUsage
D.
Get-ADDomain
E.
Get-ADOptionalFeature
F.
Get-ADAccountAuthorizationGroup
G.
Get-ADAuthenticationPolicySilo
H.
Get-ADAuthenticationPolicy
Explanation:
https://technet.microsoft.com/en-us/library/dn466518.aspx
I’m thinking G (Get-ADAuthenticationPolicySilo) on this one.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813%28v%3dws.11%29
By pulling the Authentication Policy applied to the protected users group, you should be able to “identify whether the members of the Protected Users group will be prevented from authenticating
by using NTLM” which the policy is per-configured to do.
0
5
C foo https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addomaincontrollerpasswordreplicationpolicyusage?view=win10-ps
0
4
Its definitely D.
read below old discussion by Junckyard Dawg:
I was previously in agreement with Macky and Josef about the answer being H Get-ADAuthenticationPolicy, but I have changed my mind now. I believe the answer is D Get-ADDomain. The below Microsoft Technet article discusses how to configure Protected Accounts.
https://technet.microsoft.com/en-us/library/Dn518179.aspx
Let’s first break this down simple and start with the question at hand. The forest functional level is Windows Server 2012, according to the question. This does NOT mean the domain functional level is also Windows Server 2012. It would have to be Windows Server 2012 or higher, but the question does not specify the domain functional level.
The question goes on to state that all servers, including the host are running Windows Server 2012 R2. Again, it does not state the domain functional level. We can’t just assume this if the question did not state it explicitly.
Finally, the question states, “You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM.” After reading the below Microsoft Technet article, I noticed this quote, “To provide domain controller-side restrictions for Protected Users, that is to restrict usage of NTLM authentication, and other restrictions, the domain functional level must be Windows Server 2012 R2.” To me, this article is stating that if an administrator wants to restrict NTLM authentication or any of the other restrictions, the DOMAIN functional level must be raised.
To recap, the question asked us to identify whether Protected Users will be prevented from authenticating using NTLM. The easiest way to confirm this is to review the domain functional level.
9
0