PrepAway - Latest Free Exam Questions & Answers

Which cmdlet should you use?

Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in the series. Information and details provided in a question apply only to that question.
Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.
You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM.
Which cmdlet should you use?

A.
Get-ADGroupMember

B.
Get-ADDomainControllerPasswordReplicationPolicy

C.
Get-ADDomainControllerPasswordReplicationPolicyUsage

D.
Get-ADDomain

E.
Get-ADOptionalFeature

F.
Get-ADAccountAuthorizationGroup

G.
Get-ADAuthenticationPolicySilo

H.
Get-ADAuthenticationPolicy

23 Comments on “Which cmdlet should you use?”

  1. Josef says:

    Guys, please read the question properly! The domain level is: QUOTE-“The forest functional level is Windows Server 2012.” So we already know the functional level! So Macky is right, we have to check the restrictions. So we should check the Policy! H!




    0



    1
  2. YR says:

    Forest level and domain level are different. Protected Users groups using Windows 2012 R2 are no longer using NTLM; Protected Users groups using Windows 2012 and older use NTLM, so you need to see where the Protected Users groups are in the domain, which requires you to check the domain level.
    If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

    Authenticate by using NTLM authentication

    Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication

    Be delegated by using unconstrained or constrained delegation

    Renew user tickets (TGTs) beyond the initial 4-hour lifetime




    1



    0
  3. Junkyard Dawg says:

    I was previously in agreement with Macky and Josef about the answer being H Get-ADAuthenticationPolicy, but I have changed my mind now. I believe the answer is D Get-ADDomain. The below Microsoft Technet article discusses how to configure Protected Accounts.

    https://technet.microsoft.com/en-us/library/Dn518179.aspx

    Let’s first break this down simply and start with the question at hand. The forest functional level is Windows Server 2012, according to the question. This does NOT mean the domain functional level is also Windows Server 2012. It would have to be Windows Server 2012 or higher, but the question does not specify the domain functional level.

    The question goes on to state that all servers, including the host are running Windows Server 2012 R2. Again, it does not state the domain functional level. We can’t just assume this if the question did not state it explicitly.

    Finally, the question states, “You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM.” After reading the below Microsoft Technet article, I noticed this quote, “To provide domain controller-side restrictions for Protected Users, that is to restrict usage of NTLM authentication, and other restrictions, the domain functional level must be Windows Server 2012 R2.” To me, this article is stating that if an administrator wants to restrict NTLM authentication or any of the other restrictions, the DOMAIN functional level must be raised.

    To recap, the question asked us to identify whether Protected Users will be prevented from authenticating using NTLM. The easiest way to confirm this is to review the domain functional level.




    5



    0
  4. Junkyard Dawg says:

    I decided to make a separate comment for ease of reading. This comment deals with the Protected Users Security Group. Please refer to the Microsoft Technet article below.

    https://technet.microsoft.com/en-us/library/dn466518.aspx

    The article states, “The only method to modify these protections for an account is to remove the account from the security group.” This means that using a PowerShell cmdlet like Set-ADAuthenticationPolicy would be useless in modifying the authentication of a Protected User account. And since the Set verb can’t be used, what use would the Get verb be if we could never modify the authentication policy in the first place?

    The Microsoft Technet article goes on to state, “Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.” And one of these “behavior changes” is Windows Server 2012 R2’s restriction of NTLM authentication.

    I hope I have supplied enough information to put potential test-takers at ease. If anyone else has supportive, or even contradictory information, please feel free to present this. We all have the same goal: to get our MCSA.




    0



    0
  5. kristofina vatileni says:

    Q5: You plan to decommission a domain controller that holds several operations master roles. In the table below, select:
    1- Which tool to use to transfer the domain naming master: we use Active Directory Domains and Trusts
    2- Which tool to use to transfer the infrastructure master: we use Active Directory Users and Computers
    - Active Directory Domains and Trusts
    - Active Directory Schema
    - Active Directory Sites and Services
    - Active Directory Users and Computers
    - Security Configuration Wizard (SCW)




    0



    0
  6. MS says:

    No guys, we DO know the domain functional level because we know the forest functional level, as mentioned in the post, “The forest functional level is Windows Server 2012”

    Please read this to understand functional levels:
    https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
    Quote from link:
    – You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server that the new functional level supports.
    – You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.




    0



    1
    1. Aberdeen Angus says:

      lol, I like it when people speak their mind.

      I’m joining the “fucking idiot” gang and going for D. The forest is at 2012 level so the domain is at either 2012 or 2012R2 level. If the domain is at 2012 level then members of Protected Users can use NTLM, if the domain is at 2012R2 they can’t.

      https://technet.microsoft.com/en-us/library/dn466518.aspx says: When the Protected Users’ group account is upgraded to the Windows Server 2012 R2 domain functional level, domain controller-based protections are automatically applied. Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:
      Default credential delegation (CredSSP)…
      Windows Digest…
      NTLM…

      Fucking idiots of the world unite!




      6



      0
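The check debated in the comments above, written out as an added example (not part of the original page or of any commenter's post): it reads the domain functional level with Get-ADDomain, compares it with the Windows Server 2012 R2 threshold quoted from TechNet, and lists the Protected Users members the result applies to. The function name `Get-ProtectedUsersNtlmStatus` and its output property names are hypothetical; `contoso.com` is the domain named in the question.

```powershell
Import-Module ActiveDirectory   # ships with RSAT / the AD DS role

function Get-ProtectedUsersNtlmStatus {        # hypothetical helper name
    param([string]$Server = 'contoso.com')     # domain named in the question

    $domain = Get-ADDomain -Server $Server
    $mode   = $domain.DomainMode.ToString()

    # Domain functional levels below Windows Server 2012 R2: per the quoted
    # TechNet text, no domain controller-side restrictions apply at these levels.
    $older = 'Windows2000Domain','Windows2003InterimDomain','Windows2003Domain',
             'Windows2008Domain','Windows2008R2Domain','Windows2012Domain'

    # $null means the level could not be determined, so no verdict is given.
    $ntlmBlocked = if ($mode -eq 'UnknownDomain') { $null }
                   else { $mode -notin $older }

    # Protected Users has the well-known RID 525 under the domain SID, so the
    # lookup does not depend on the group's display name.
    $members = @()
    try {
        $group   = Get-ADGroup -Identity "$($domain.DomainSID)-525" `
                       -Server $Server -ErrorAction Stop
        $members = @(Get-ADGroupMember -Identity $group -Recursive `
                         -Server $Server -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName)
    } catch {
        Write-Warning "Could not read Protected Users: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        ForestMode            = (Get-ADForest -Server $Server).ForestMode
        DomainMode            = $mode
        NtlmBlockedByDC       = $ntlmBlocked
        ProtectedUsersMembers = $members
    }
}

Get-ProtectedUsersNtlmStatus | Format-List
```

The output shows ForestMode next to DomainMode because the two can differ, which is the point the thread disagrees on.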
