Ensurepass.com : Ensure you pass the IT Exams
2018 Aug Microsoft Official New Released 70-646
Pro: Windows Server 2008, Server Administrator

Question No: 91 DRAG DROP – (Topic 1)

A company has client computers that run Windows 7 and Windows Vista. The company has a single domain Active Directory Domain Services (AD DS) forest with domain controllers that run Windows Server 2008 R2.

An application must be installed on the Windows 7 client computers when users log on to the computers.

You need to design an application deployment solution. Which actions should you perform in sequence?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. (Use only actions that apply.)

Answer:

Explanation:

http://support.microsoft.com/kb/816102

Assigning Software

You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is finalized.

Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.

Question No: 92 – (Topic 1)

You plan to deploy a distributed database application that runs on Windows Server 2008 R2.

You need to design a storage strategy that meets the following requirements:

->Allocates storage to servers as required

->Isolates storage traffic from the existing network

->Ensures that data is available if a single disk fails

->Ensures that data is available if a single storage controller fails

What should you include in your design?

  A. An iSCSI disk storage subsystem that uses Microsoft Multipath I/O. Configure a RAID 0 array.

  B. An iSCSI disk storage subsystem that uses Virtual Disk Service (VDS). Configure a RAID 5 array.

  C. A Fibre Channel (FC) disk storage subsystem that uses Microsoft Multipath I/O. Configure a RAID 5 array.

  D. A Fibre Channel (FC) disk storage subsystem that uses Virtual Disk Service (VDS). Configure a RAID 0 array.

Answer: C

Explanation:

MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration: Fibre Channel will isolate the network.

Multipath I/O

Multipath I/O (MPIO) is a feature of Windows Server 2008 that allows a server to use multiple data paths to a storage device. This increases the availability of storage resources because it provides alternate paths from a server or cluster to a storage subsystem in the event of path failure. MPIO uses redundant physical path components (adapters, switches, cabling) to create separate paths between the server or cluster and the storage device. If one of the devices in these separate paths fails, an alternate path to the SAN device will be used, ensuring that the server is still able to access critical data. You configure failover times through the Microsoft iSCSI Software initiator driver or by modifying the Fibre Channel HBA driver parameter settings, depending on the SAN technology deployed in your environment.

If the server will access a LUN through multiple Fibre Channel ports or multiple iSCSI initiator adapters, you must install MPIO on servers. You should verify that a server supports MPIO prior to enabling multiple iSCSI initiator adapters or multiple Fibre Channel ports for LUN access. If you do not do this, data loss is likely to occur. In the event that you are unsure whether a server supports MPIO, only enable a single iSCSI initiator adapter or Fibre Channel port on the server.

Windows Server 2008 MPIO supports iSCSI, Fibre Channel, and Serially Attached Storage (SAS) SAN connectivity by establishing multiple connections or sessions to the storage device. The Windows Server 2008 MPIO implementation includes a Device Specific Module (DSM) that works with storage devices that support the asymmetric logical unit access (ALUA) controller model as well as storage devices that use the Active/Active controller model. MPIO also supports the following load-balancing policies:

Failover: When this policy is implemented, no load balancing is performed. The application specifies a primary path and a group of standby paths. The primary path is used for all device requests. The standby paths are only used in the event that the primary path fails. Standby paths are listed from most preferred path to least preferred path.

Failback: When this policy is configured, I/O is limited to a preferred path while that path is functioning. If the preferred path fails, I/O is directed to an alternate path. I/O will automatically switch back to the preferred path when that path returns to full functionality.

Round-robin: All available paths are used for I/O in a balanced fashion. If a path fails, I/O is redistributed among the remaining paths.

Round-robin with a subset of paths: When this policy is configured, a set of preferred paths is specified for I/O and a set of standby paths is specified for failover. The set of preferred paths will be used until all paths fail, at which point failover will occur to the standby path set. The preferred paths are used in a round-robin fashion.

Dynamic least queue depth: I/O is directed to the path with the least number of outstanding requests.

Weighted path: Each path is assigned a weight. The path with the least weight is chosen for I/O.

Load-balancing policies are dependent on the controller model (ALUA or true Active/Active) of the storage array attached to the Windows Server 2008 computer. MPIO is added to a Windows Server 2008 computer by using the Add Features item in the Features area of Server Manager.
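The six load-balancing policies above, modelled as an added example (not code from the training kit and not Microsoft's DSM): a toy path selector in Python that issues I/O, fails path A, then restores it, so the difference between the policies shows up in which path carries each request. The class, path names, weights and queue depths are constructed for illustration, and the failover policy staying on the standby after the primary recovers is an assumption drawn from the contrast with failback.

```python
class Path:
    def __init__(self, name, preferred=False, weight=0, queue=0):
        self.name = name
        self.preferred = preferred  # member of the preferred set (failback, rr_subset)
        self.weight = weight        # weighted path: lowest weight wins
        self.queue = queue          # outstanding requests (least queue depth)
        self.up = True


class MpioModel:
    """Toy selector; names and behaviour details are assumptions, not the DSM."""

    POLICIES = ("failover", "failback", "round_robin", "rr_subset",
                "least_queue_depth", "weighted")

    def __init__(self, policy, paths):
        if policy not in self.POLICIES:
            raise ValueError("unknown policy: " + policy)
        self.policy = policy
        self.paths = list(paths)    # ordered most preferred to least preferred
        self.current = None         # failover: path currently carrying I/O
        self.cursor = 0             # round-robin position

    def _rotate(self, candidates):
        path = candidates[self.cursor % len(candidates)]
        self.cursor += 1
        return path

    def select(self):
        live = [p for p in self.paths if p.up]
        if not live:
            raise RuntimeError("all paths to the LUN are down")
        preferred = [p for p in live if p.preferred]
        if self.policy == "failover":
            # Assumption: I/O stays on the standby after the primary recovers.
            if self.current is None or not self.current.up:
                self.current = live[0]
            return self.current
        if self.policy == "failback":
            # Returns to the preferred path as soon as it is up again.
            return (preferred or live)[0]
        if self.policy == "round_robin":
            return self._rotate(live)
        if self.policy == "rr_subset":
            # Standby paths are used only when every preferred path is down.
            return self._rotate(preferred or live)
        if self.policy == "least_queue_depth":
            return min(live, key=lambda p: p.queue)
        return min(live, key=lambda p: p.weight)

    def submit(self):
        """Send one request down the selected path and leave it outstanding."""
        path = self.select()
        path.queue += 1
        return path.name


def sample_paths():
    # Constructed sample: A and B are preferred, C is a standby path.
    return [Path("A", preferred=True, weight=10, queue=4),
            Path("B", preferred=True, weight=20, queue=1),
            Path("C", weight=30, queue=2)]


def trace(policy):
    """Two requests with A healthy, two with A down, two with A restored."""
    paths = sample_paths()
    model = MpioModel(policy, paths)
    phases = []
    for a_is_up in (True, False, True):
        paths[0].up = a_is_up
        phases.append([model.submit() for _ in range(2)])
    return phases


if __name__ == "__main__":
    for policy in MpioModel.POLICIES:
        print(f"{policy:18}", trace(policy))
```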

MORE INFO More on MPIO

To learn more about Multipath I/O, consult the following TechCenter article: http://www.microsoft.com/WindowsServer2003/technologies/storage/mpio/default.mspx.

Striped with Parity This LUN type, also known as RAID-5, offers fault tolerance and improved read performance, although write performance is hampered by parity calculation. This type requires a minimum of three disks and the equivalent of one disk’s worth of storage is lost to the storage of parity information across the disk set. This LUN type will retain data if one disk is lost, but all data will be lost if two disks in the array fail at the same time. In the event that one disk fails, it should be replaced as quickly as possible.
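Why a striped-with-parity LUN survives one disk failure but not two, as an added example (not from the training kit): a minimal Python model of RAID-5 with rotating XOR parity that rebuilds a lost disk's blocks from the survivors. The 4-byte block size, function names and sample data are constructed for illustration.

```python
from functools import reduce

BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect
SAMPLE = b"ledger-records-0001-0002"  # constructed sample data, 24 bytes


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(stripe, disks):
    """Rotate parity across the set so no single disk holds all of it."""
    return (disks - 1 - stripe) % disks


def write_raid5(data, disks):
    """Return one list of blocks per disk; each stripe carries one parity block."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    stripe_bytes = (disks - 1) * BLOCK
    stripes = -(-len(data) // stripe_bytes)          # ceiling division
    data = data.ljust(stripes * stripe_bytes, b"\0")  # pad the last stripe
    array = [[] for _ in range(disks)]
    for s in range(stripes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i:i + BLOCK] for i in range(0, stripe_bytes, BLOCK)]
        remaining = iter(blocks)
        for d in range(disks):
            if d == parity_disk(s, disks):
                array[d].append(xor_blocks(blocks))
            else:
                array[d].append(next(remaining))
    return array


def read_raid5(array, failed=()):
    """Read the data back, rebuilding the blocks of at most one failed disk."""
    disks = len(array)
    failed = set(failed)
    if len(failed) > 1:
        raise IOError("two or more disks lost: array data is unrecoverable")
    data = b""
    for s in range(len(array[0])):
        row = [None if d in failed else array[d][s] for d in range(disks)]
        for d in failed:
            # XOR of every surviving block (data and parity) is the lost block.
            row[d] = xor_blocks([b for b in row if b is not None])
        data += b"".join(b for d, b in enumerate(row)
                         if d != parity_disk(s, disks))
    return data


def usable_fraction(disks):
    """One disk's worth of capacity goes to parity."""
    return (disks - 1) / disks


if __name__ == "__main__":
    array = write_raid5(SAMPLE, 4)
    for lost in range(4):
        print("disk", lost, "lost ->", read_raid5(array, [lost]))
    print("usable capacity:", usable_fraction(4))
```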

Question No: 93 – (Topic 1)

Your network consists of a single Active Directory domain. The domain contains three organizational units (OUs) named Test, Application, and Database.

You need to redesign the layout of the OUs to support the following requirements:

  • Prevent Group Policy objects (GPOs) that are linked to the domain from applying to computers located in the Application OU

  • Minimize the number of GPOs

  • Minimize the number of OUs

What should you include in your design?

  A. Create a Starter GPO.

  B. Create a Windows Management Instrumentation (WMI) filter.

  C. Delegate permissions on the Application OU.

  D. Configure block inheritance on the Application OU.

Answer: D

Explanation:

Understanding Group Policy

You already know that Group Policy settings contained in Group Policy objects (GPOs) can be linked to OUs, and that OUs can either inherit settings from parent OUs or block inheritance and obtain their specific settings from their own linked GPOs. You also know that some policies (specifically, security policies) can be set to “no override” so that they cannot be blocked or overwritten and force child OUs to inherit the settings from their parents.

Question No: 94 – (Topic 1)

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to implement a Certificate Services solution that meets the following requirements:

->Automates the distribution of certificates for internal users

->Ensures that the network's certificate infrastructure is as secure as possible

->Gives external users access to resources that use certificate-based authentication

What should you do?

  A. Deploy an online standalone root certification authority (CA). Deploy an offline standalone root CA.

  B. Deploy an offline enterprise root certification authority (CA). Deploy an offline enterprise subordinate CA.

  C. Deploy an offline standalone root certification authority (CA). Deploy an online enterprise subordinate CA. Deploy an online standalone subordinate CA.

  D. Deploy an online standalone root certification authority (CA). Deploy an online enterprise subordinate CA. Deploy an online standalone subordinate CA.

Answer: C

Explanation:

Certification authority hierarchies

The Microsoft public key infrastructure (PKI) supports a hierarchical certification authority (CA) model. A certification hierarchy provides scalability, ease of administration, and consistency with a growing number of commercial and other CA products.

In its simplest form, a certification hierarchy consists of a single CA. However, in general, a hierarchy will contain multiple CAs with clearly defined parent-child relationships. In this model, the child subordinate certification authorities are certified by their parent CA-issued certificates, which bind a certification authority's public key to its identity. The CA at the top of a hierarchy is referred to as the root authority, or root CA. The child CAs of the root CAs are called subordinate certification authorities (CAs).

A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.

http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx

Authentication and Authorization

Stand-alone CAs use local authentication for certificate requests, mainly through the Web enrollment interface.

Stand-alone CAs provide an ideal service provider or commercial PKI provider platform for issuing certificates to users outside of an Active Directory environment where the user identity is separately verified and examined before the request is submitted to the CA.

Offline and Online CAs

Traditionally, the decision of whether to use online or offline CAs involves a compromise between availability and usability versus security. The more sensitive that the key material is and the higher the security requirements are, the less accessible the CA should be to users.

Specifying CA Roles

An ideal PKI hierarchy design divides the responsibility of the CAs. A topology that is designed with requirements that have been carefully considered provides the most flexible and scalable enterprise configuration. In general, CAs are organized in hierarchies. Single tier hierarchies might not provide adequate security compartmentalization, extensibility and flexibility. Hierarchies with more than three tiers might not provide additional value regarding security, extensibility and flexibility.

The most important consideration is protecting the highest instance of trust as much as possible. Single-tier hierarchies are based on the need to compartmentalize risk and reduce the attack surface that is available to users who have malicious intent. A larger hierarchy is much more difficult to administer, with little security benefit.

Depending on the organization's necessities, a PKI should consist of two or three logical levels that link several CAs in a hierarchy. Administrators who understand the design requirements for a three-level topology may also be able to build a two-level topology.

A three-tier CA hierarchy consists of the following components:

A root CA that is configured as a stand-alone CA without a network connection

One or more intermediate CAs that are configured as stand-alone CAs without a network connection

One or more issuing CAs that are configured as enterprise CAs that are connected to the network

Also worth a look, though it refers to Windows 2003: http://technet.microsoft.com/en-us/library/cc779714(WS.10).aspx

Question No: 95 – (Topic 1)

As part of a Windows Server 2008 R2 Active Directory deployment, you are designing a Group Policy object (GPO) hierarchy. Client computers run Windows 7 and Windows XP. All client computers are in an organizational unit (OU) named Client Computers.

Additional Windows 7 and Windows XP client computers will be joined to the domain over the next six months.

You have the following requirements:

->Install the antivirus application on all Windows XP computers.

->Do not install the antivirus application on the Windows 7 computers.

->Do not make changes to the existing Active Directory logical structure.

You need to design a Group Policy strategy that meets the requirements.

Which GPO configuration should you recommend? (More than one answer choice may achieve the goal. Select the BEST answer.)

  A. Publish the antivirus application to client computers. Link the GPO to the domain. Use security filtering to prevent the Windows 7 client computers from receiving the GPO.

  B. Assign the antivirus application to client computers. Link the GPO to the Client Computers OU. Create a WMI Filter that queries whether the client computer's Win32_OperatingSystem caption contains "Windows 7". Associate the WMI filter with the GPO.

  C. Assign the antivirus application to client computers. Link the GPO to the domain. Place all the Windows 7 computers in a security group. Use security filtering to prevent the Windows 7 client computers from receiving the GPO.

  D. Assign the antivirus application to client computers. Link the GPO to the Client Computers OU. Create a WMI Filter that queries whether the client computer's Win32_OperatingSystem caption contains "Windows XP". Associate the WMI Filter with the GPO.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc947846(v=ws.10).aspx & http://technet.microsoft.com/enus/library/cc947846(v=ws.10).aspx#bkmk_1

Depending on which OS you're asked to install the AV app on, your answer could change. There are reports that you're now being asked to install the AV on the Win7 clients. If that is the case, then you would select the Windows 7 option.

Question No: 96 – (Topic 1)

Your network consists of a single Active Directory forest that contains a root domain and two child domains.

All servers run Windows Server 2008 R2. A corporate policy has the following requirements:

->All local guest accounts must be renamed and disabled.

->All local administrator accounts must be renamed.

You need to recommend a solution that meets the requirements of the corporate policy.

What should you recommend?

  A. Implement a Group Policy object (GPO) for each domain.

  B. Implement a Group Policy object (GPO) for the root domain.

  C. Deploy Network Policy and Access Services (NPAS) on all domain controllers in each domain.

  D. Deploy Active Directory Rights Management Services (AD RMS) on the root domain controllers.

Answer: A

Explanation:

http://www.windowsecurity.com/articles/protecting-administrator-account.html

http://www.pctips3000.com/enable-or-disable-group-policy-object-in-windows-server-2008/

http://blogs.technet.com/b/chenley/archive/2006/07/13/441642.aspx

Question No: 97 – (Topic 1)

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client computers run Windows 7. Some users have laptop computers and work remotely from home.

You need to plan a data provisioning infrastructure to secure sensitive files. Your plan must meet the following requirements:

->Files must be stored in an encrypted format.

->Files must be accessible by remote users over the Internet.

->Files must be encrypted while they are transmitted over the Internet.

What should you include in your plan?

  A. Deploy one Microsoft SharePoint Foundation 2010 site. Require users to access the SharePoint site by using a Secure Socket Transmission Protocol (SSTP) connection.

  B. Deploy two Microsoft SharePoint Foundation 2010 sites. Configure one site for internal users. Configure the other site for remote users. Publish the SharePoint sites by using HTTPS.

  C. Configure a Network Policy and Access Services (NPAS) server to act as a VPN server. Require remote users to access the files by using an IPsec connection to the VPN server.

  D. Store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require remote users to access the files by using Secure Socket Transmission Protocol (SSTP).

Answer: D

Explanation:

MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Encrypting File System

Encrypting File System (EFS) is another method through which you can ensure the integrity of data. Unlike BitLocker, which encrypts all data on a volume using a single encryption key that is tied to the computer, EFS allows for the encryption of individual files and folders using a public encryption key tied to a specific user account. The encrypted file can only be decrypted using a private encryption key that is accessible only to the user. It is also possible to encrypt documents to other users’ public EFS certificates. A document encrypted to another user’s public EFS certificate can only be decrypted by that user’s private certificate.

Security Groups cannot hold encryption certificates, so the number of users that can access an encrypted document is always limited to the individual EFS certificates that have been assigned to the document. Only a user that originally encrypts the file or a user whose certificate is already assigned to the file can add another user’s certificate to that file. With EFS there is no chance that an encrypted file on a departmental shared folder might be accessed by someone who should not have access because of incorrectly configured NTFS or Shared Folder permissions. As many administrators know, teaching regular staff to configure NTFS permissions can be challenging. The situation gets even more complicated when you take into account Shared Folder permissions. Teaching staff to use EFS to limit access to documents is significantly simpler than explaining NTFS ACLs.

If you are considering deployment of EFS throughout your organization, you should remember that the default configuration of EFS uses self-signed certificates. These are certificates generated by the user’s computer rather than a Certificate Authority and can cause problems with sharing documents because they are not necessarily accessible from other computers where the user has not encrypted documents. A more robust solution is to modify the default EFS Certificate Template that is provided with a Windows Server 2008 Enterprise Certificate Authority to enable autoenrollment. EFS certificates automatically issued by an Enterprise CA can be stored in Active Directory and applied to files that need to be shared between multiple users.

Another EFS deployment option involves smart cards. In organizations where users authenticate using smart cards, their private EFS certificates can be stored on a smart card and their public certificates stored within Active Directory. You can learn more about configuring templates for autoenrollment in Chapter 10, “Certificate Services and Storage Area Networks.”

MORE INFO More on EFS

For more information on Encrypting File System in Windows Server 2008, consult the following TechNet article: http://technet2.microsoft.com/windowsserver2008/en/library/f843023b-bedd-40dd9e5b-f1619eebf7821033.mspx?mfr=true.

Quick Check

  1. From a normal user’s perspective, in terms of encryption functionality, how does EFS differ from BitLocker?

  2. What type of auditing policy should you implement to track access to sensitive files?

Quick Check Answers

  1. BitLocker works on entire volumes and is transparent to the user. EFS works on individual files and folders and can be configured by the user.

  2. Auditing Object Access.

Windows Server 2008 VPN Protocols

Windows Server 2008 supports three different VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol over IPsec (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). The factors that will influence the protocol you choose to deploy in your own network environment include client operating system, certificate infrastructure, and how your organization’s firewall is deployed.

Windows XP remote access clients, because these clients cannot use SSTP

SSTP

Secure Socket Tunneling Protocol (SSTP) is a VPN technology that makes its debut with Windows Server 2008. SSTP VPN tunnels allow traffic to pass across firewalls that block traditional PPTP or L2TP/IPsec VPN traffic. SSTP works by encapsulating Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of the Secure Hypertext Transfer Protocol (HTTPS) protocol. Expressed more directly, SSTP piggybacks PPP over HTTPS. This means that SSTP traffic passes across TCP port 443, which is almost certain to be open on any firewall between the Internet and a public-facing Web server on an organization’s screened subnet.

When planning for the deployment of SSTP, you need to take into account the following considerations:

SSTP is only supported with Windows Server 2008 and Windows Vista with Service Pack 1.

SSTP requires that the client trust the CA that issues the VPN server’s SSL certificate. The SSL certificate must be installed on the server that will function as the VPN server prior to the installation of Routing and Remote Access; otherwise, SSTP will not be available.

The SSL certificate subject name and the host name that external clients use to connect to the VPN server must match, and the client Windows Vista SP1 computer must trust the issuing CA.

SSTP does not support tunneling through Web proxies that require authentication.

SSTP does not support site-to-site tunnels. (PPTP and L2TP do.)

MORE INFO More on SSTP

To learn more about SSTP, see the following SSTP deployment walkthrough document at http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/ Deploying SSTP Remote Access Step by Step Guide.doc.

Question No: 98 – (Topic 1)

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. A server named Server1 has the Remote Desktop Services server role installed. You notice that several users consume more than 30 percent of the CPU resources throughout the day. You need to prevent users from consuming more than 15 percent of the CPU resources. Administrators must not be limited by the amount of CPU resources that they can consume.

What should you do?

  A. Implement Windows System Resource Manager (WSRM), and configure user policies.

  B. Implement Windows System Resource Manager (WSRM), and configure session policies.

  C. Configure Performance Monitor, and create a user-defined Data Collector Set.

  D. Configure Performance Monitor, and create an Event Trace Session Data Collector Set.

Answer: A

Explanation:

You can use tools such as the Windows System Resource Manager and Performance Monitor to determine memory and processor usage of Terminal Services clients. Once you understand how the Terminal Server’s resources are used, you can determine the necessary hardware resources and make a good estimate as to the Terminal Server’s overall client capacity. Terminal Server capacity directly influences your deployment plans: A server that has a capacity of 100 clients is not going to perform well when more than 250 clients attempt to connect. Monitoring tools are covered in more detail in “Monitoring Terminal Services” later in this lesson.

Windows System Resource Manager

Windows System Resource Manager (WSRM) is a feature that you can install on a Windows Server 2008 computer that controls how resources are allocated. The WSRM console, shown in Figure 5-9, allows an administrator to apply WSRM policies. WSRM includes four default policies and also allows administrators to create their own. The two policies that will most interest you as someone responsible for planning and deploying Terminal Services infrastructure are Equal_Per_User and Equal_Per_Session.

The Equal_Per_User WSRM policy ensures that each user is allocated resources equally, even when one user has more sessions connected to the Terminal Server than other users. Apply this policy when you allow users to have multiple sessions to the Terminal Server; it stops any one user from monopolizing hardware resources by opening multiple sessions. The Equal_Per_Session policy ensures that each session is allocated resources equally. If applied on a Terminal Server where users are allowed to connect with multiple sessions, this policy can allow those users to gain access to a disproportionate amount of system resources in comparison to users with single sessions.

Question No: 99 DRAG DROP – (Topic 1)

A company has servers that run Windows Server 2008 R2 and client computers that run 32-bit Windows 7 Enterprise. The environment includes Microsoft Application Virtualization (App-V).

You plan to deploy a 64-bit only application.

You need to ensure that users can run the application. The application must be automatically available on the client computers.

Which actions should you perform in sequence?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. (Use only actions that apply.)

Answer:

Explanation:

You have a 64-bit application to be installed on 32-bit client PCs; the app is incompatible with these clients for this reason. So you create a remote desktop server (formerly terminal server) and install the 64-bit version on this (step 1 of the answer), you then create a RemoteApp that is compatible with the 32-bit clients (step 2), and finally you assign that using GPO to those clients that need it (step 3).

What are RemoteApp programs?

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. Instead of being presented to the user in the desktop of the remote terminal server, the RemoteApp program is integrated with the client's desktop, running in its own resizable window with its own entry in the taskbar. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.

In Windows Server 2008, users can access RemoteApp programs in several ways, depending on the deployment method that you choose. They can:

Access a link to the program on a Web site by using TS Web Access.

Double-click a Remote Desktop Protocol (.rdp) file that has been created and distributed by their administrator.

Double-click a program icon on their desktop or Start menu that has been created and distributed by their administrator with a Windows Installer (.msi) package.

Double-click a file where the file name extension is associated with a RemoteApp program. This can be configured by their administrator with a Windows Installer package.

The .rdp files and Windows Installer packages contain the settings that are needed to run RemoteApp programs. After opening a RemoteApp program on their local computer, the user can interact with the program that is running on the terminal server as if it were running locally.

How should I deploy RemoteApp programs?

Before you configure TS RemoteApp, you should decide how you want to distribute RemoteApp programs to users. You can use either of the following deployment methods:

You can make RemoteApp programs available on a Web site by distributing the RemoteApp programs through TS Web Access.

You can distribute RemoteApp programs as .rdp files or Windows Installer packages through a file share, or through other distribution mechanisms such as Microsoft Systems Management Server or Active Directory software distribution.

Deploying RemoteApp programs through a file share or other distribution mechanism

      You can also deploy RemoteApp programs through .rdp files or Windows Installer packages that are made available through file sharing, or through other distribution mechanisms such as Microsoft Systems Management Server or Active Directory software distribution. These methods enable you to distribute RemoteApp programs to users without

      using TS Web Access.

      1. Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.

      2. Use TS RemoteApp Manager to add RemoteApp programs and to configure global deployment settings.

      3. Use TS RemoteApp Manager to create .rdp files or Windows Installer packages from RemoteApp programs.

        Group Policy settings to control client behavior when opening a digitally signed .rdp file You can use Group Policy to configure clients to always recognize RemoteApp programs from a particular publisher as trusted. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.

        The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in both the Computer Configuration and in the User Configuration node: Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

        The available policy settings are:

        Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

        This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list will be considered trusted.

        Allow .rdp files from valid publishers and user’s default .rdp settings

        This policy setting allows you to specify whether users can run .rdp files from a publisher that signed the file with a valid certificate. This policy setting also controls whether the user can start an RDP session by using default .rdp settings, such as when a user directly opens the RDC client without specifying an .rdp file.

        Allow .rdp files from unknown publishers

        This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer.
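An added example, not part of the original explanation or of Microsoft's documentation: a Python sketch that cleans a trusted-publisher thumbprint list before it goes into the policy and evaluates a simplified model of the three settings above. The comma-separated list format, the function names, the outcome labels and the sample data are assumptions made for illustration.

```python
import hashlib
import re
import unicodedata

def thumbprint(der_bytes):
    """SHA1 thumbprint: SHA-1 over the DER-encoded certificate, upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def normalize(entry):
    """Canonical 40-hex-digit form, or None when the entry is not a thumbprint."""
    kept = "".join(c for c in entry
                   if not c.isspace() and c != ":" and unicodedata.category(c) != "Cf")
    kept = kept.upper()
    return kept if re.fullmatch(r"[0-9A-F]{40}", kept) else None

def parse_trusted_list(raw):
    """Split a comma-separated policy value (assumed format) into valid and rejected entries."""
    trusted, rejected = set(), []
    for entry in raw.split(","):
        if not entry.strip():
            continue
        canon = normalize(entry)
        if canon:
            trusted.add(canon)
        else:
            rejected.append(entry.strip())
    return trusted, rejected

def decide(signer, signature_valid, trusted, allow_valid, allow_unknown):
    """Simplified model of the three settings; signer is None for an unsigned file."""
    if signer is None or not signature_valid:
        return "allowed" if allow_unknown else "blocked"
    if normalize(signer) in trusted:
        return "trusted"
    return "allowed" if allow_valid else "blocked"

# Constructed sample data: stand-in bytes instead of a real DER certificate.
SAMPLE_DER = b"constructed stand-in for a publisher certificate"
SAMPLE_TP = thumbprint(SAMPLE_DER)
# The list entry as it might be pasted from a certificate dialog: leading
# U+200E mark, lower case, spaced byte pairs; plus one malformed entry.
PASTED = "\u200e" + " ".join(re.findall("..", SAMPLE_TP.lower()))
SAMPLE_POLICY = PASTED + ", not-a-thumbprint"

if __name__ == "__main__":
    trusted, rejected = parse_trusted_list(SAMPLE_POLICY)
    print("rejected entries:", rejected)
    print(decide(SAMPLE_TP, True, trusted, allow_valid=False, allow_unknown=False))
    print(decide(None, False, trusted, allow_valid=False, allow_unknown=False))
```

Entries reported as rejected are worth fixing before the list is deployed, since a malformed thumbprint cannot match any publisher certificate.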

        Question No: 100 – (Topic 1)

        A company has 10,000 client computers that run Windows 7. The company has a single domain Active Directory Domain Services (AD DS) forest with domain controllers that run Windows Server 2008 R2. Users have local administrative rights on client computers.

        You need to design a Group Policy solution that deploys a printer and enforces printer settings.

        What should you recommend? (More than one answer choice may achieve the goal. Select the BEST answer.)

        A. Use the Local Security Policy.

        B. Use Group Policy preferences (GPPs).

        C. Use a Group Policy object (GPO) Windows setting.

        D. Use Starter Group Policy objects (GPOs).

Answer: B

Explanation:

Group Policy preferences, new for the Windows Server 2008 operating system, include more than 20 new Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). These new extensions are included in the Group Policy Management Editor window of the Group Policy Management Console (GPMC), under the new Preferences item. Examples of the new Group Policy preference extensions include folder options, mapped drives, printers, scheduled tasks, services, and Start menu settings.

In addition to providing significantly more coverage, better targeting, and easier management, Group Policy preferences enable you to deploy settings to client computers without restricting the users from changing the settings. This capability provides you with the flexibility to decide which settings to enforce and which settings to not enforce. You can deploy settings that you do not want to enforce by using Group Policy preferences.

System requirements and installation steps

To use Group Policy preferences, complete the following steps:

Install the set of client-side extensions (CSEs) on client computers.

Supported operating systems: Windows Vista RTM or later, Windows XP with Service Pack 2 or later, Windows Server 2003 with Service Pack 1 or later

Download locations:

Windows Vista (x86): http://go.microsoft.com/fwlink/?LinkId=111859

Windows Vista (x64): http://go.microsoft.com/fwlink/?LinkID=111857

Windows XP (x86): http://go.microsoft.com/fwlink/?LinkId=111851

Windows XP (x64): http://go.microsoft.com/fwlink/?LinkId=111862

Windows Server 2003 (x86): http://go.microsoft.com/fwlink/?LinkId=111852

Windows Server 2003 (x64): http://go.microsoft.com/fwlink/?LinkId=111863

For more information, see Article 943729 in the Microsoft Knowledge Base.

Install the XmlLite low-level XML parser on client computers that are not running Windows Vista.

Supported operating systems: Windows XP SP2 or later, Windows Server 2003 SP1 or later

Download location: http://go.microsoft.com/fwlink/?LinkId=111843

Worth looking at:

GP Policy vs. Preference vs. GP preferences http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
