###BeginCaseStudy###
Case Study: 18
Tailspin Toys
Scenario
General Background
You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office
and a manufacturing office. Tailspin Toys recently acquired Wingtip Toys and is in the
beginning stages of merging the IT environments. Wingtip Toys has a main office and a sales
office.
Technical Background
The companies use the network subnets indicated in the following table.

The Tailspin Toys network and the Wingtip Toys network are connected by a point-to-point
dedicated 45 Mbps circuit that terminates in the main offices.
Tailspin toys
The current Tailspin Toys server topology is shown in the following table.

The Tailspin Toys environment has the following characteristics:
• All servers are joined to the tailspintoys.com domain.
• In the Default Domain Policy, the Retain old events Group Policy setting is enabled.
• An Active Directory security group named “Windows system administrators” is
used to control all files and folders on TT-PRINT01.
• A Tailspin Toys administrator named Marc has been delegated rights to multiple
organizational units (OUs) and object in the tailspintoys.com domain.
• Tailspin Toys developers use Hyper-V virtual machines (VMs) for development.
There are 20 development VMs named TT-DEV01 through TT-DEV20.
Wingtip Toys
The current Wingtip Toys server topology is shown in the following table.

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain.
Infrastructure Services
You must ensure that the following infrastructure services requirements are met:
• All domain zones must be stored as Active Directory-integrated zones.
• Only DNS servers located in the Tailspin Toys main office may communicate with
DNS servers at Wingtip Toys.
• Only DNS servers located in the Wingtip Toys main office may communicate with
DNS servers at Tailspin Toys.
• All tailspintoys.com resources must be resolved from the Wingtip Toys offices.
• All wingtiptoys.com resources must be resolved from the Tailspin Toys offices.
• Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys
computers.
Delegated Administration
You must ensure that the following delegated administration requirements are met:
• Tailspin Toys IT security administrators must be able to create, modify, and delete
user objects in the wingtiptoys.com domain.
• Members of the Domain Admins group in the tailspintoys.com domain must have full
access to the wingtiptoys.com Active Directory environment.
• A delegation policy must grant minimum access rights and simplify the process of
delegating rights.
• Minimum permissions must always be delegated to ensure that the least privilege is
granted for a job or task.
• Members of the TAILSPINTOYS\HeIpdesk group must be able to update drivers and
add printer ports on TT-PRINT01.
• Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print
job on TT-PRINT01.
• Tailspin Toys developers must be able to start, stop, and Apply snapshots to their
development VMs.
IT Security
You must ensure that the following IT security requirements are met:
• Server security must be automated to ensure that newly deployed servers
automatically have the same security configuration as existing servers.
• Auditing must be configured to ensure that the deletion of user objects and OUs is
logged.
• Microsoft Word and Microsoft Excel files must be automatically encrypted when
uploaded to the Confidential document library on the Tailspin Toys Microsoft SharePoint
site.
• Multifactor authentication must control access to Tailspin Toys domain controllers.
• All file and folder auditing must capture the reason for access.
• All folder auditing must capture all delete actions for all existing folders and newly
created folders.
• New events must be written to the Security event log in the tailspintoys.com domain
and retained indefinitely.
• Drive X:\ on TT-FILE01 must be encrypted by using Windows BitLocker Drive
Encryption and must automatically unlock.
###EndCaseStudy###

You need to remove Marc’s delegated rights. What would you recommend?

A.
Use the Delegation of Control Wizard.

B.
Run the Resultant Set of Policy (RSoP) tool.

C.
Run the dsacls command-line utility.

D.
Run the xcalcs command-line utility.

Explanation:

http ://support.microsoft.com/kb/281146
DSACLS is used to View or Edit ACLs (access control entries) for objects in Active Directory.
Overview of Dsacls.exe
DsAcls uses the following syntax:
dsacls object [/a] [/d {user | group}:permissions […]] [/g {user | group}:permissions […]] [/i:{p | s |
t}] [/n] [/p:{y | n}]
[/r {user | group} […]] [/s [/t]]
You can use the following parameters with Dsacls.exe:
object: This is the path to the directory services object on which to display or change the ACLs. This
path must be a distinguished name (also known as RFC 1779 or x.500 format). For example:
CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
To specify a server, add \\Servername\ before the object. For example:
\\MyServer\CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
When you run the dsacls command with only the object parameter (dsacls object), the security
information about the object is displayed.
/a : Use this parameter to display the ownership and auditing information with the permissions. /d
{user | group}:permissions: Use this parameter to deny specified permissions to a user or group.
User must use either user@domain or domain\user format, and group must use either
group@domain or domain\group format. You can specify more than one user or group in a
command. For more information about the correct syntax to use for permissions, see the
<Permissions> Syntax section later in this article.

/g {user | group}:permissions: Use this parameter to grant specified permissions to a user or group.
User must use either user@domain or domain\user format, and group must use either
group@domain or domain \group format. You can specify more than one user or group in a
command. For more information about the correct syntax to use for permissions, see the
<Permissions> Syntax section later in this article.
/i:{p | s | t} : Use this parameter to specify one of the following inheritance flags:
p: Use this option to propagate inheritable permissions one level only.
s: Use this option to propagate inheritable permissions to subobjects only.
t: Use this option to propagate inheritable permissions to this object and subobjects.
/n : Use this parameter to replace the current access on the object, instead of editing it.
/p:{y | n}: This parameter determines whether the object can inherit permissions from its parent
objects. If you omit this parameter, the inheritance properties of the object are not changed. Use
this parameter to mark the object as protected (y = yes) or not protected (n = no).
Note This parameter changes a property of the object, not of an Access Control Entry (ACE). To
determine whether an ACE is inheritable, use the /I parameter.
/r {user | group}: Use this parameter to remove all permissions for the specified user or group. You
can specify more than one user or group in a command. User must use either user@domain or
domain\user format, and group must use either group@domain or domain\group format.
/s: Use this parameter to restore the security on the object to the default security for that object
class, as defined in the Active Directory schema.
/t : Use this parameter to restore the security on the tree of objects to the default for each object
class. This switch is valid only when you also use the /s parameter.