Your network contains an

Active Directory domain named contoso.com.

All client computers run Windows 8.

You deploy a server named Server1 that runs Windows Server 2012 R2.

You install a new client-server application named App1 on Server1 and on the client computers. The client

computers must use TCP port 6444 to connect to App1 on Server1.Server1 publishes the information of App1 to an intranet server named Server2 by using TCP port 3080.

You need to ensure that all of the client computers can connect to App1. The solution must

ensure that the application can connect to Server2.

Which Windows Firewall rule should you create on Server1?

A. an inbound rule to allow a connection to TCP port 3080

B. an outbound rule to allow a connection to TCP port 3080

C. an outbound rule to all

ow a connection to TCP port 6444

D. an inbound rule to allow a connection to TCP port 6444

Explanation:

Server1 gets request from Client PC-s it needs an inbound rule for 6444.

By default, Windows Firewall with Advanced Security blocks all unso

licited inbound network traffic, and allows all outbound network traffic. For unsolicited inbound network traffic to reach your computer, you must create an allow rule to permit that type of network traffic. If a network program cannot get access, verify t

hat in the Windows Firewall with Advanced Security snap-in there is an active allow rule for the current profile. To verify that there is an active allow rule, double-click Monitoring and then click Firewall.

If there is no active allow rule for the progr

am, go to the Inbound Rules node and create a new rule for that program. Create either a program rule, or a service rule, or search for a group that applies to the feature and make sure all the rules in the group are enabled. To permit the traffic, you mus

t create a rule for the program that needs to listen for that traffic. If you know the TCP or UDP port numbers required by the program, you can additionally restrict the rule to only those ports, reducing the vulnerability of opening up all ports for the p

rogram.

Your network contains an Active Directory domain named contoso.com.

You have a DHCP server named Server1 that runs Windows Server 2008.

You install Windows Server

2012 R2 on a server named Server2. You install the DHCP Server server role on Server2.

You need to migrate the DHCP services from Server1 to Server2. The solution must meet the following requirements:

Ensure that existing leases are migrated.

Prevent leas

e conflicts.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. On Server1, run the

Export-DhcpServer

cmdlet.

B. On Server1, run the

Stop-Service

cmdlet.

C. On Server2, run the

Receive-SmigServer

Data

cmdlet.

D. On Server2, run the

Stop-Service

cmdlet.

E. On Server2, run the

Import-DhcpServer

cmdlet.

F. On Server1, run the

Send-SmigServerData

cmdlet.

Your network contains an Active Directory domain named contoso.com.

You create a software restriction policy to allow an application

named App1 by using a certificate rule.

You need to ensure that when users attempt to execute App1, the certificate for App1 is verified against a certificate revocation list (CRL).

What should you do?

A. Modify the rule for App1.

B. Modify the Trusted

Publishers Properties.

C. Create a new certificate rule for App1.

D. Modify the Enforcement Properties.

Your network contains an Active Directory domain named contoso.com.

All of the AppLocker policy settings for the member serve

rs are configured in a Group Policy object (GPO) named GPO1.

A member server named Server1 runs Windows Server 2012 R2.

On Server1, you test a new set of AppLocker policy settings by using a local computer policy.

You need to merge the local AppLocker

policy settings from Server1 into the AppLocker policy settings of GPO1.

What should you do?

A. From Local Group Policy Editor on Server1, export an .inf file. Import the .inf file by using Group Policy Management Editor.

B. From Server1, run the

Set-App

lockerPolicy

cmdlet.

C. From Local Group Policy Editor on Server1, export a .xml file. Import the .xml file by using Group Policy Management Editor.

D. From Server1, run the

New-ApplockerPolicy

cmdlet.

Explanation:

The Set-AppLockerPolicy cmdlet

sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.

When the Merge parameter is used, rules in the specified AppLocker polic

y will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If

the Merge parameter is not specified, then the new policy will overwrite the existing policy.

References:

http://technet.microsoft.com/en-us/library/ee791816(v=ws.10).aspx

Exam Ref 70-410: Installing and configuring Windows Server 2012 R2, Chapter 10: Im

plementing Group Policy, Lesson1: Planning, Implementing and managing Group Policy, p. 479

Your network contains an Active Directory domain named contoso.com.

An organizational unit (OU) named OU1 contains the computer accounts for laptops and desktop computers.

A Group Policy object (GPO) named GP1

is linked to OU1.

You need to ensure that the configuration settings in GP1 are applied only to a user named User1.

What should you do?

A. Modify the security settings of OU1.

B. Modify the GPO Status of GP1.

C. Modify the security settings of GP1.

D. C

onfigure the WMI Filter of GP1.

References:

Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 10: Implementing Group Policy, p. 470, 482

http://technet.microsoft.com/en-us/library/jj134176

WMI filtering using GPMC

QUE

Your network contains an Active Directory domain named contoso.com.

The password policy for the domain is set to require a minimum password length of 10 characters.

A user named User1 and a user named User2 work for the sa

les department.

User1is forced to create a domain password that has a minimum of 12 characters. User2 is forced to create a domain password that has a minimum of eight characters.

You need to identify what forces the two users to have different password

lengths.

Which tool should you use?

A. Credential Manager

B. Security Configuration Wizard (SCW)

C. Group Policy Management

D. Active Directory Administrative Center

Explanation:

In Windows Server 2008, you can use fine-grained password polici

es to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings

to the privileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, you may want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

This is found in the

Active Directory Administrative Center. You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:

Create new user accounts or manage existing user accounts

Create new groups or manage existing groups

Create new computer accounts or manage existing computer accounts

Create new organizational units (OUs) and containers or manage existing OUs

Connect to one or several domains or domain controllers in the same instance of Active Directory Administrative C

enter, and view or manage the directory information for those domains or domain controllers

Filter Active Directory data by using query-building search

Your network contains an Active Directory domain named contoso.com.

Your company hires 500 temporary employees for the summer.

The human resources department gives you a Microsoft

Excel document that contains a list of the temporary employees.

You need to automate the creation of user accounts for the 500 temporary employees.

Which tool should you use?

A. ADSI Edit

B. The

csvde.exe

command

C. Active Directory Users and Computers

D. The

Add-Member

cmdlet

Explanation:

Csvde.exe is the best option to add multiple users. As you just need to export the excel spreadsheet as a csv file and make sure the parameters are correct.

You can use Csvde to import and export Active Dire

ctory data that uses the comma-separated value format.

Use a spreadsheet program such as Microsoft Excel to open this .csv file and view the header and value information.

The CSVDE is a command-line utility that can create new AD DS objects by importing i

nformation from a comma-separated value (.csv) file. This would be the least amount of administrative effort in this case especially considering that these would be temporary employees.

Your network contains an Active Directory domain named contoso.com.

The domain contains 20 computer accounts in an organizational unit (OU) named OU1. A user account named User1 is in an OU named OU2.

You are

configuring a Group Policy object (GPO) named GPO1.

You need to assign User1 the Backup files and directories user right to all of the computer accounts in OU1.

Which two actions should you perform? (Each correct answer presents part of the solution. Cho

ose two.)

A. From User Configuration in GPO1, modify the security settings.

B. Link GPO1 to OU1.

C. From Computer Configuration in GPO1, modify the security settings.

D. Modify the Delegation settings of GPO1.

E. Link GPO1 to OU2.

QUESTION

Your network con

tains an Active Directory domain named contoso.com.

You have a starter Group Policy object (GPO) named GPO1 that contains more than 100 settings.

You need to create a new starter GPO based on the settings in GPO1.

You must achieve this goal by using the

minimum amount of administrative effort.

What should you do?

A. Run the

New-GPStarterGPO

cmdlet and the

Copy-GPO

cmdlet.

B. Create a new starter GPO and manually configure the policy settings of the starter GPO.

C. Right-click GPO1, and then click Back

Up. Create a new starter GPO. Right-click the new GPO, and then click Restore from Backup.

D. Right-click GPO1, and then click Copy. Right-click Starter GPOs, and then click Paste.

Explanation:

Although GPOs and Starter GPO scan both be copied,

and a Starter GPO can be used to create a new GPO (as that is their purpose), an existing GPO cannot be copied to a new StarterGPO (unfortunately).

Your network contains an Active Directory domain named contoso.com.

You discover that when you join client computers to the domain manually, the

computer accounts are created in the Computers container.

You need to ensure that new computer accounts are created automatically in an organizational unit (OU) named Corp.

Which tool should you use?

A. net.exe

B. redircmp.exe

C. regedit.exe

D. dsadd.ex

e

Explanation:

Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.

You must run the

redircmp command from an elevated command prompt.

Redircmp.exe is located in the C:\Windows\System32 folder.

You must be a member of the Domain Admins group or the Enterprise Admins group to use this tool.

Your network contains an Active Directory domain named contoso.com.

All servers run Windows Server 2012 R2.

An application named Appl.exe is installed on all client computers. Multiple versions of Appl.exe are installed

on different client computers. Appl.exe is digitally signed.

You need to ensure that only the latest version of Appl.exe can run on the client computers.

What should you create?

A. An application control policy packaged app rule

B. A software restrictio

n policy certificate rule

C. An application control policy Windows Installer rule

D. An application control policy executable rule

Explanation:

Executable Rules, for .exe and can be based on Publisher, Product name, filename and version. Use Cer

tificate Rules on Windows Executables for Software Restriction Policies This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security setting is used t

o enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital cert

ificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting. When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sur

e the software-s certificate and signature are valid. This may decrease performance when start signed programs. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestamp check boxes.

Your network contains an Active Directory domain named contoso.com.

You need to prevent users from installing a

Windows Store app named App1.

What should you create?

A. An application control policy executable rule

B. An application control policy packaged app rule

C. A software restriction policy certificate rule

D. An application control policy Windows Installer

rule

Explanation:

Windows 8 is coming REALLY SOON and of course one of the big new things to computer with that is the new Packaged Apps that run in the start screen. However, these apps are very different and do not install like traditional ap

ps to a path or have a true -executable- file to launch the program. Of course enterprises need a way to control these packaged apps and therefore Microsoft has added a new feature Packaged Apps option to the App1ocker feature.

Packaged apps (also known a

s Windows 8 apps) are new to Windows Server 2012 R2 and Windows 8. They are based on the new app model that ensures that all the files within an app package share the same identity.

Therefore, it is possible to control the entire Application using a single

App1ocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. App1ocker supports only publisher rules for Pac

kaged apps. A publisher rule for a packaged app is based on the following information:

Publisher of the package

Package name

Package version

Therefore, an App1ocker rule for a Packaged app controls both the installation as well as the running of the app. O

therwise, the publisher rules for Packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups.

Your network contains an Active Directory domain named contoso.com.

An organizational unit (OU) named OU1 contains the user accounts a

nd the computer accounts for laptops and desktop computers. A Group Policy object (GPO) named GP1 is linked to OU1.

You need to ensure that the configuration settings in GP1 are applied only to the laptops in OU1. The solution must ensure that GP1 is app

lied automatically to new laptops that are added to OU1.

What should you do?

A. Modify the GPO Status of GP1.

B. Configure the WMI Filter of GP1.

C. Modify the security settings of GP1.

D. Modify the security settings of OU1.

Your network contains an Active Directory domain named contoso.com.

You create a software restriction policy to allow an application named App1 by using a certificate

rule.

You need to prevent the software restriction policy from applying to users that are members of the local Administrators group.

What should you do?

A. Modify the rule for App1

B. Modify the Enforcement Properties

C. Modify the Security Levels.

D.

Modify the Trusted Publishers Properties

Your network contains an Active Directory domain named contoso.com.

All client devices run Windows 8.1. You deploy a server named Server1 that runs Windows Server 2012 R2.

You install a new

client-server application named App1 on Server1 and on the client devices.

The client devices must use TCP port 6444 to connect to App1. Server1 must publish information from App1 to an intranet server named Server2 by using TCP port 3080.

You need to en

sure that all of the client devices can connect to App1.

On Server1, which Windows Firewall rule should you create?

A. an outbound rule to allow a connection to TCP port 6444

B. an outbound rule to allow a connection to TCP port 3080

C. an inbound rule

to allow a connection to TCP port 3080

D. an inbound rule to allow a connection to TCP port 6444

References: https://technet.microsoft.com/en-us/library/ee806447(v=ocs.14).aspx