You implement Just Enough Administration (JEA) on several file servers that run Windows Server 2016.
The Role Capability file from a server named Server5 contains the following code.

Which action can be performed by a user who connects to Server5?

Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows
Server 2012.
The forest contains 20 member servers that are configured as file servers. All domain controllers run Windows
Server 2016.
You create a new forest named contosoadmin.com.
You need to use the Enhanced Security Administrative Environment (ESAE) approach for the administration of
the resources in contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.

Your network contains an Active Directory domain named contoso.com.
The domain contains 10 servers that run Windows Server 2016 and 800 client computers that run Windows 10.
You need to configure the domain to meet the following requirements:
-Users must be locked out from their computer if they enter an incorrect password twice.
-Users must only be able to unlock a locked account by using a one-time password that is sent to their mobile
phone.
You deploy all the components of Microsoft Identity Manager (MIM) 2016.
Which three actions should you perform before you deploy the MIM add-ins and extensions? Each correct
answer presents part of the solution.

Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password of the local
Administrator accounts on the servers in an
organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators’ passwords on
the servers in FinanceServers.
Which permission should you remove from FinanceAdministrators?

Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 is configured as a domain controller.
You configure Server1 as a Just Enough Administration (JEA) endpoint. You configure the required JEA rights
for a user named User1.
You need to tell User1 how to manage Active Directory objects from Server2.
What should you tell User1 to do first on Server2?

The network contains an Active Directory domain named contoso.com. The domain contains the servers
configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to create a Role Capability file on Server3. Which file should you create?

The network contains an Active Directory domain named contoso.com. The domain contains the servers
configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that AppLocker rules will apply to the marketing department computers. What should you
do?

The network contains an Active Directory domain named contoso.com. The domain contains the servers
configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to ensure that you can view Windows PowerShell code that was generated dynamically and executed
on the computers in OU1.
What would you configure in GP1?

The network contains an Active Directory domain named contoso.com. The domain contains the servers
configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to implement BitLocker Network Unlock for all of the laptops.
Which server role should you deploy to the network?

The network contains an Active Directory domain named contoso.com. The domain contains the servers
configured as shown in the following table.

All servers run Windows Server 2016. All client computers run Windows 10 and are domain members.
All laptops are protected by using BitLocker Drive Encryption (BitLocker).
You have an organizational unit (OU) named OU1 that contains the computer accounts of application servers.
An OU named OU2 contains the computer accounts of the computers in the marketing department.
A Group Policy object (GPO) named GP1 is linked to OU1.
A GPO named GP2 is linked to OU2.
All computers receive updates from Server1.
You create an update rule named Update1.
You need to create an Encrypting File System (EFS) data recovery certificate and then add the certificate as an
EFS data recovery agent on Server5.
What should you use on Server5? To answer, select the appropriate options in the answer area.