Assignment # 8
![Page 1: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/1.jpg)
![Page 2: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/2.jpg)
Q1
Effective permissions of Esra Ali are:
-Deny read permission.
-Allow Create all child objects.
-Allow reset password.
-Deny modify owner.
-Allow Delete all child objects.
Because the Deny permission overrides the Allow permission, and an explicit Allow overrides an inherited Deny.
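The rule stated above, as an added example that is not part of the original slides: a small evaluator that tries entries in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow. The ACL entries and the group name "Sales" are constructed for illustration, and only one level of inheritance is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group named in the entry
    right: str       # permission the entry controls
    allow: bool      # True = Allow entry, False = Deny entry
    inherited: bool  # True = came from a parent container, False = explicit

def effective_permissions(acl, principals):
    """Resolve each right for a user whose token carries `principals`.

    Entries are tried in the order explicit Deny, explicit Allow,
    inherited Deny, inherited Allow; the first matching entry decides.
    """
    ordered = sorted(acl, key=lambda a: (a.inherited, a.allow))
    decided = {}
    for ace in ordered:
        if ace.trustee in principals and ace.right not in decided:
            decided[ace.right] = "Allow" if ace.allow else "Deny"
    return decided  # a right with no matching entry is not granted

# Constructed entries; "Sales" is a hypothetical group Esra Ali belongs to.
SAMPLE_ACL = [
    Ace("Esra Ali", "Read", True, False),
    Ace("Sales", "Read", False, False),                     # explicit Deny beats explicit Allow
    Ace("Esra Ali", "Create all child objects", True, False),
    Ace("Sales", "Create all child objects", False, True),  # inherited Deny loses to explicit Allow
    Ace("Sales", "Reset password", True, True),
    Ace("Esra Ali", "Modify owner", True, True),
    Ace("Sales", "Modify owner", False, True),              # inherited Deny beats inherited Allow
    Ace("Esra Ali", "Delete all child objects", True, False),
    Ace("Sales", "Delete all child objects", False, True),
]

if __name__ == "__main__":
    result = effective_permissions(SAMPLE_ACL, {"Esra Ali", "Sales"})
    for right, verdict in result.items():
        print(f"{verdict:5}  {right}")
```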
![Page 3: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/3.jpg)
Q2
IT department properties, Security tab
![Page 4: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/4.jpg)
Click the Advanced button, select the Auditing tab, then click the Add button.
![Page 5: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/5.jpg)
Select the Success check box for "Create User objects". Click OK.
![Page 6: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/6.jpg)
Finally..
![Page 7: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/7.jpg)
Log event after creating a new user:
![Page 8: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/8.jpg)
What type of change was made? Create object
Who made the change? Administrator
What member was added? Ahmad
When was the change made? 2:54 PM
![Page 9: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/9.jpg)
Q3
![Page 10: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/10.jpg)
![Page 11: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/11.jpg)
Follow the steps in the wizard to add the data for both PSOs
![Page 12: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/12.jpg)
![Page 13: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/13.jpg)
A snapshot of the Password Settings container, where the two PSOs should appear
![Page 14: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/14.jpg)
![Page 15: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/15.jpg)
Apply HR PSO to: HR OU & Domain Admins
Note: you should make a shadow copy of the HR OU using a group named HR
![Page 16: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/16.jpg)
Apply Domain Admins PSO to Domain Admins
![Page 17: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/17.jpg)
A snapshot of Administrator properties (member of Domain Admins group)
![Page 18: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/18.jpg)
Question
HR member will have HR PSO
What is the resultant PSO of Domain Admins? Why was it chosen?
Domain Admins PSO
Because it has higher precedence.
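How the resultant PSO is picked, as an added example that is not part of the original slides: a PSO linked directly to the user wins; otherwise the group-linked PSO with the lowest msDS-PasswordSettingsPrecedence value (the highest precedence) wins. The precedence numbers and the accounts "hr.user" and "guest.user" are constructed, and ties between equal precedence values are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pso:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence: lower value = higher precedence
    applies_to: frozenset  # users and global security groups only, never an OU

def resultant_pso(user, groups, psos):
    """Return the PSO in effect for `user`, or None when the domain policy applies."""
    direct = [p for p in psos if user in p.applies_to]
    if direct:  # a PSO linked to the user object itself beats any group link
        return min(direct, key=lambda p: p.precedence)
    via_group = [p for p in psos if p.applies_to & groups]
    if via_group:
        return min(via_group, key=lambda p: p.precedence)
    return None  # no PSO applies: Default Domain Policy password settings

# Constructed precedence values; the page does not state the ones used.
# The HR OU cannot be a PSO target, hence the shadow group named HR.
HR_PSO = Pso("HR PSO", 20, frozenset({"HR", "Domain Admins"}))
DA_PSO = Pso("Domain Admins PSO", 10, frozenset({"Domain Admins"}))
PSOS = [HR_PSO, DA_PSO]

def name_of(pso):
    return pso.name if pso else "Default Domain Policy"

if __name__ == "__main__":
    # "hr.user" and "guest.user" are hypothetical accounts.
    cases = [
        ("Administrator", frozenset({"Domain Admins"})),
        ("hr.user", frozenset({"HR"})),
        ("guest.user", frozenset({"Domain Users"})),
    ]
    for user, groups in cases:
        print(user, "->", name_of(resultant_pso(user, groups, PSOS)))
```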
![Page 19: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/19.jpg)
Q4
Modify the Default Domain Controllers Policy GPO to enable auditing of both successful and failed account logon events.
![Page 20: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/20.jpg)
Q4 (cont.)
Modify the Client Computers Policy to enable auditing of both successful and failed logon events.
![Page 21: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/21.jpg)
On the server side (failed logon attempt, account logon event)
![Page 22: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/22.jpg)
On the server side (successful logon attempt, account logon event)
![Page 23: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/23.jpg)
Questions
How many log entries? Where?
-2: one on the DC and the other on the client computer
-Account logon events are created on the DC
-Logon events are created on the client computer
![Page 24: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/24.jpg)
Q5
A. What does an RODC do?
An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. Also, an RODC provides a more secure mechanism for deploying a domain controller. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat.
B. Are there any special considerations?
To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.
![Page 25: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/25.jpg)
C. What new functionality does RODC provide?
RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:
-Read-only AD DS database
-Unidirectional replication
-Credential caching
-Administrator role separation
-Read-only Domain Name System (DNS)
D. What are the prerequisites for RODC?
-Ensure that the forest functional level is Windows Server 2003 or higher.
-Run Adprep.exe commands to prepare your existing forest and domains for domain controllers.
-Install Active Directory Domain Services (AD DS).
-Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
![Page 26: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/26.jpg)
E. What does the following print screen show? What do the Advanced, Add and Remove buttons provide?
-The Password Replication Policy tab. You can control how credential caching for users, groups or computers will take place. It allows passwords for the accounts to be replicated to this RODC.
-The Advanced button provides more options: resultant policy, prepopulate passwords, and viewing the accounts whose passwords are stored on the RODC and the accounts that have been authenticated to the RODC.
-The Add and Remove buttons add and remove accounts.
![Page 27: Assignment # 8](https://reader036.vdocuments.site/reader036/viewer/2022081519/56814394550346895db00f9e/html5/thumbnails/27.jpg)
F. What does the above print screen provide?
The Advanced window provides more options: resultant policy, prepopulate passwords, and viewing the accounts whose passwords are stored on the RODC and the accounts that have been authenticated to the RODC.
G. What does each of the following mean?
Accounts whose passwords are stored on this Read-only Domain Controller: current credentials that are cached on an RODC
Accounts that have been authenticated to this Read-only Domain Controller: accounts that have tried to authenticate to an RODC
Prepopulate passwords button: prepopulates the password cache for an RODC with the passwords of user and computer accounts before the accounts try to log on in the branch office.