Exam 220-601, Best IT Certification Training

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

1. If you want to create a GPO for a site, what administrative tool should you use?

2. Why should you create an MMC for a GPO?

3.  Besides Read permission, what permission must you assign to allow a user or administrator to see the settings in a GPO?

4. Why should you disable unused Group Policy settings?

5-  How do you prevent a GPO from applying to a specific group?

6. What's the difference between removing a GPO link and deleting a GPO?

7. You want to deflect all Group Policy settings that reach the North OU from all of the OU's parent objects. To accomplish this, which of the following exceptions do you apply and where do you apply it?

a.      Block Policy Inheritance applied to the OU

b.      Block Policy Inheritance applied to the GPO

c.      Block Policy Inheritance applied to the GPO link

d.      No Override applied to the OU

e.      No Override applied to the GPO

f.       No Override applied to the GPO link

8. You want to ensure that none of the South OU Desktop settings applied to the South OU can he overridden. To accomplish this, which of the following exceptions do you apply and where do you apply it?

a.      Block Policy Inheritance applied to the OU

b.      Block Policy Inheritance applied to the GPO

c.      Block Policy Inheritance applied to the GPO link

d.      No Override applied to the OU

e.      No Override applied to the GPO

f.       No Override applied to the GPO link

Lesson Summary

You use the Active Directory Users And Computers console to create a GPO for a domain or an OU. You use the Active Directory Sites And Services console to create a GPO for a site.

You should create an MMC for a GPO, because you can open it whenever necessary from the Administrative Tools menu, making it easier to administer.

You should disable unused Group Policy settings to avoid the processing of those settings and expedite startup and logging on for the users and computers subject to the GPO.

For a GPO to apply to a specific group, that group must have the Read and Apply Group Policy permissions for the GPO set to Allow. To prevent a GPO from applying to a specific group, that group must have the Apply Group Policy permission for the GPO set to Deny.

When you remove a GPO link to a site, domain, or OU, the GPO still remains in Active Directory. When you delete a GPO, the GPO is removed from Active Directory, and any sites, domains, or OUs to which it is linked are no longer affected by it.

CompTIA A+ certified professionals who are encouraged or required by their employers to remain current on their certifications have two options:

1. Take the CompTIA A+ 2009 Edition (two exams).

2. Only those who are certified in the most recent version of CompTIA A+ (2006 objectives) by taking 220-601 and one of the following: 220-602, 220-603 and 220-604 exams are eligible to update their currency through taking the CompTIA A+ bridge exam (one exam), which covers the new objectives.

CompTIA has retired the English version of the 600 series of CompTIA A+ in the U.S., Canada, Puerto Rico and South Africa. The English version will retire in all other countries on August 31, 2010. The educational versions of these exams (JK0-601, JK0-602, JK0-603 and JK0-604), as well as the German, Korean, Arabic, Chinese and Japanese translations of the 220-601 and 220-602 CompTIA A+ exams, will remain in the market for use until August 31, 2010.

Why A New Exam?

The CompTIA A+ exam was last updated in 2006. Releasing a new version of the eam ensures that CompTIA A+ reflects changes in technologies and covers the latest skills needed by IT technicians. Additionally, CompTIA A+ is ISO 17024 accredited and must be reviewed and updated every three years to maintain accreditation.

The certification is recognized by several industry leaders, including Canon, Sharp and Xerox, as a benchmark certification for professionals that service and support document imaging devices.

CompTIA PDI+ covers a technician's understanding of basic electromechanical components and tools, print engine and scan processes and components, color theory, connectivity and networking. The exam also covers soft skills such as customer service, professionalism, safety and environment. While there are no prerequisites for the CompTIA PDI+ certification exam, it is recommended that entry-level candidates have foundation-level knowledge or hands-on experience working with printing and document imaging devices.

CompTIA Linux+, Powered by LPI, consists of two exams, LX0-101 and LX0-102. The exams cover system architecture; Linux installation and package management; GNU and Unix commands; devices, Linux filesystems, and the Filesystem Hierarchy Standard. Professionals who pass the CompTIA Linux+ exam can work at the Linux command line, perform maintenance tasks, assist users, and install and configure workstations.

After you create a GPO, you should create an MMC for it. When you create an MMC for a GPO, you can open it whenever necessary from the Administrative Tools menu.

To create an MMC for a GPO, complete the following steps:

1.      Click Start, and then click Run.

2.      In the Run dialog box, type mmc in the Open box, and then click OK.

3.      In the new MMC, on the File menu, click Add/Remove Snap-In.

4.      In the Add/Remove Snap-In dialog box, click Add.

5.      In the Add Standalone Snap-In dialog box, select Group Policy Object Editor, and

then click Add.

6.      In the Select Group Policy Object page, click Browse to find the GPO for which

you want to create an MMC.

7.      In the Browse For A Group Policy Object dialog box, click the All tab, click the

GPO name, and then click OK.

8.      In the Select Group Policy Object page, click Finish, and then in the Add Stand¬

alone Snap-In dialog box, click Close.

9- In the Acid/Remove Snap-In dialog box, click OK.

10.   In the MMC, on the File menu, click Save As.

11.   In the Save As dialog box, type the GPO name in the File Name box and click

Save. The GPO is now available on the Administrative Tools menu.

Delegating Control of a GPO

After you create a GPO, it is important to determine which groups of administrators have access permissions to the GPO. The default permissions on GPOs are shown in Table 10-3.

By default, only the Domain Administrators, Enterprise Administrators, and Group Policy Creator Owner groups, and the operating system can create new GPOs. Nonadministrative users or groups can be given the ability to create GPOs by adding the users or groups to the Group Policy Creator Owners security group. Membership in the Group Policy Creator Owners group gives a user full control of only the GPOs created by the user or explicitly delegated to the user. It does not give a nonadministrative user rights over any other GPOs. If an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the GPO.

By default, the Default Domain Policy GPO cannot be deleted by any administrator. This prevents the accidental deletion of this GPO, •which contains important required settings for the domain.

Exam Tip Know how group polices are inherited.

The default order for the application of Group Policy settings is subject to the following exceptions:

•       Workgroup members    A computer that is a member of a workgroup processes

only the local GPO.

•       No Override    Any GPO linked to a site, domain, or OU (not the local GPO) can

be set to No Override so that none of its policy settings can be overridden by any

other GPO during the processing of group policies. When more than one GPO has

been set to No Override, the one highest in the Active Directory hierarchy (or

higher in the hierarchy specified by the administrator at each fixed level in Active

Directory) takes precedence. No Override is applied to the GPO link. In Figure 10-7,

No Override has been applied to the GPO 4 link to the West OU. As a result, the

policy settings in GPO 4 cannot be overwritten by other GPOs.

•       Block Policy Inheritance    At any site, domain, or OU, Group Policy inheritance

can be selectively marked as Block Policy Inheritance. However, GPO links set to

No Override are always applied and cannot be blocked. Block Policy Inheritance

is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it

applied to GPO links. Thus, Block Policy Inheritance deflects all Group Policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from. In Figure 10-7, Block Policy Inheritance has been applied to the East OU. As a result, GPOs 1 and 2, which are applied to the site and the domain, are deflected and do not apply to the East OU. Therefore, in Figure 10-7, only GPOs 6 and 7 are processed for the Columbus OU.

Note Because No Override and Block Policy Inheritance have wide-ranging effects that can cause problems with other GPOs, you should use them sparingly.

Before attempting to implement Group Policy, you must be familiar with concepts that affect Group Policy operations. This lesson defines Group Policy, explains how GPOs work, and provides an overview of the settings in a GPO. It also shows you how Group Policy affects startup and logging on, how it is applied, and how security groups are used to filter Group Policy.

After this lesson, you will be able to

•       Explain the function of group policies

•       Explain the function of GPOs

•       Explain the function of the Group Policy Object Editor

•       Discuss Group Policy settings

•       Explain the function of administrative templates

•       Explain how Group Policy affects startup and logging on

•       Describe how Group Policy is applied

•       Explain how security groups can be used to filter Group Policy

Estimated lesson time: 40 minutes

Understanding Group Policies

Group policies are collections of user and computer configuration settings that specify how programs, network resources, and the operating system work for users and computers in an organization. Group Policy can be set up for computers, sites, domains, and OUs. For example, using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options. Although the name "Group Policy" suggests that you might set policies for global, domain local, or global groups, this is not the case. Instead, think of Group Policy as groupings of policy settings that are linked to computers, sites, domains, and OUs.

Verifying Delegated Permissions

You can verify permissions delegated for the container or objects in the container in the Security tab in the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container. Refer to the previous lesson for specific instruction on accessing these dialog boxes.

Removing Delegated Permissions

Although the Delegation Of Control Wizard can be used to grant administrative permissions to containers and the objects within them, it cannot be used to remove those privileges. If you need to remove permissions, you must do so manually in the Security tab in the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container. Refer to the previous lesson for specific instruction on accessing these dialog boxes.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

1. Why is it necessary to delegate administrative control of Active Directory objects?

2. What is the purpose of the Delegation Of Control Wizard?

3. How can you remove permissions you set by using the Delegation Of Control Wizard?

4. For which of the following Active Directory objects can you delegate administrative control by using the Delegation Of Control Wizard? (Choose all that apply.)

a.      Folder

b.      User

c.      Group

d.      Site

e.      OU

f.       Domain

g.      Shared folder

Lesson Summary

You delegate administrative control of domains and containers in order to provide other administrators, groups, or users with the ability to manage functions according to their needs.

The Delegation Of Control Wizard is provided to automate and simplify the process of setting administrative permissions for a domain, OU, or container.

Note Groups or users that have been granted Full Control permission for a folder can delete files and subfolders within that folder, regardless of the permissions protecting the files and subfolders.

If you choose to prevent a specific object from inheriting permissions by clearing the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here check box, you are shown a message box that allows you to

•       Copy previously inherited permissions to the object. The new explicit permissions

for the object are a copy of the permissions that it previously inherited from its

parent object. Then, according to your needs, you can make any necessary

changes to the permissions.

•       Remove previously inherited permissions from the object. Windows Server 2003

removes any previously inherited permissions. No permissions exist for the object.

Then, according to your needs, you can assign any permissions for the object.

Note To set inheritance for a standard or special permission, you must be the owner of the object or have been granted permission to do so by the owner.

To set inheritance for a standard or special permission, complete the following steps:

1.      In the Advanced Security Settings dialog box for the object, do one of the following:

Q If you want this object to inherit permissions from its parent object, proceed to the next step.

Q If you don't "want this object to inherit any permissions from its parent object, clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here check box. Then select Copy to copy the permissions or Remove to remove the permissions.

2.      Select the permission in the Permission Entries box, then click Edit.

3.      In the Permission Entry dialog box for the object, do one of the following:

Q If you don't want child objects to inherit this permission, ensure that the Apply Onto list is set to This Object Only. Click OK.

Q If you want only child objects to inherit this permission, ensure that the Apply Onto list is set to This Object And All Child Objects. At this point, you have two options.

If you want permissions inheritance to flow past the immediate child objects of this object to other containers within the parent, click OK.

If you want only the immediate child objects of this object to inherit this permission, select the Apply These Permissions To Objects And/Or Containers Within This Container Only check box. Click OK.

4.      In the Advanced Security Settings dialog box for the object, click OK.

5.      In the Properties dialog box for the object, click OK.

Windows Server 2003 uses an object-based security model to implement access control for all Active Directory objects. This security model is similar to the one used to implement NTFS file system security. Every Active Directory object has a security descriptor that defines who has permission to gain access to the object and what type of access is allowed. Windows Server 2003 uses these security descriptors to control access to objects. This lesson explains how to set permissions for Active Directory objects.

After this lesson, you will be able to

•       View and assign standard permissions for an object

•       View, assign, and edit special permissions for an object

•       View effective permissions for an object

•       Set inheritance for a standard or a special permission

•       Remove a security principal and its permission

•       Remove special permissions for an object

•       Transfer ownership of an object

Estimated lesson time: 35 minutes

Understanding Access Control

To control access to Active Directory objects, you grant or deny permissions to security principals. A permission is the authority to perform an operation or a set of operations on an object and is granted or denied by the object's owner. A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID). A SID uniquely identifies the user, group, computer, or service in the enterprise and is used to manage security principals. As an administrator, it is your responsibility to manage permissions for security principals. Recall from the discussion in Chapter 8 that OUs are not security principals; therefore, you cannot assign access permissions to OUs. You can set access permissions only on drives formatted to use NTFS.

Off the Record    In the real world, many domain controllers might exist. The change taught above can be automated by writing a script and applying it to all domain controllers that require it. Creating a script and applying it to all domain controllers eliminates the possibility of configuration error. The change could also be incorporated if a separate image has been created for the automated production of new domain controllers. If changes are made to production systems, be sure to verify that replication is occurring.

The Split DNS Method

In the split DNS method, the namespace is divided and a subdomain is used for internal addressing. The internal DNS namespace is a subdomain of the external DNS namespace. For example, if the fictitious company Humongous Insurance uses this structure, then humongousinsurance.com is the external domain and local.humongousinsurance.com is used as the internal DNS subdomain.

•       Encrypt replication traffic. Replication traffic can be encrypted by either

setting up a gateway-to-gateway VPN tunnel between the server locations and

routing DNS zone transfer traffic over the tunnel, or by creating an IPSec trans¬

port mode policy that is triggered by communications between the primary and

secondary servers. Using an IPSec tunnel has the advantage of authenticating the

traffic. Each server must authenticate to the other before any transfer of data

occurs. The tunnel also does not have the additional overhead of creating the

VPN gateway.

• Use secure dynamic registration. An attack on a DNS server might attempt to

change the IP address for a registered server, service, or client. If successful, connections would then be redirected to a spoofed server or client and additional

harm might be done. By using secure dynamic registration, the modification of an

IP address is restricted and the address cannot be arbitrarily changed.

•       Secure DNS clients. All computers that are joined to a domain are DNS clients

and should be secured. Best practices indicate that static IP addresses should be

specified in the DNS configuration for the DNS client. The addresses for preferred

and alternate DNS servers should be entered. If they are not, clients can be con¬

figured to obtain DNS server information by using Dynamic Host Configuration

Protocol (DHCP); however, this means that the security of DNS services for these

clients is dependent on the security of the DHCP server. If the DHCP server were

to be compromised, incorrect information on DNS services could be provided to

clients and thus either cause DoS or direct the clients to spoofed servers. In addition, you should limit clients that can access the DNS server by configuring the

DNS server to listen only on specific IP addresses. Then only clients configured to

use the DNS server will do so.