Managing User and Service Accounts Flashcards Preview

MCSA 70-411 - Global Knowledge > Managing User and Service Accounts > Flashcards

Flashcards in Managing User and Service Accounts Deck (26):
1

What are the Kerberos Policies? (domain-wide; set in the Default Domain Policy)

  1. Enforce User Logon Restrictions

  2. Maximum Lifetime For Service Ticket

  3. Maximum Lifetime For User Ticket

  4. Maximum Lifetime For User Ticket Renewal

  5. Maximum Tolerance For Computer Clock Synchronization

2

What are the Password Policies?

  1. Enforce password history
  2. Maximum password age
  3. Minimum password age
  4. Minimum password length
  5. Password must meet complexity requirements
  6. Store passwords using reversible encryption (leave disabled: it keeps passwords in a recoverable form)

3

What are the Account Lockout Policies?

  1. Account lockout duration 
  2. Account lockout threshold
  3. Reset account lockout counter after 

4

What is the order in which Group Policy is applied?

L   - Local

S   - Site

D   - Domain

OU  - Organizational Unit

Later-applied settings override earlier ones, so on a conflict the OU-linked GPO wins. Exception: password, lockout and Kerberos policy for domain accounts are read only from GPOs linked at the domain level.

5

Where do Password Settings Objects live?

Where can they be viewed?

In the Password Settings Container under the System container of the domain: CN=Password Settings Container,CN=System,<domain DN>

They can be viewed in:

ADSI Edit

ADUC (Users and Computers, with Advanced Features enabled)

ADAC (Administrative Center)

6

What can Password Settings Objects be applied to?

Users and global security groups

Note: Not Organizational Units

7

New-ADFineGrainedPasswordPolicy

Please provide an example

Creates a new Active Directory Password Settings Object

ex. New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

8

Get-ADFineGrainedPasswordPolicy

Gets one or more Active Directory Password Settings Objects

9

Remove-ADFineGrainedPasswordPolicy

Removes an Active Directory Password Settings Object

10

Set-ADFineGrainedPasswordPolicy

Modifies an Active Directory Password Settings Object

11

Add-ADFineGrainedPasswordPolicySubject

Please provide an example

The Add-ADFineGrainedPasswordPolicySubject cmdlet applies a fine-grained password policy object to one or more global security groups and users.

Ex. Add-ADFineGrainedPasswordPolicySubject -Identity DomainUsersPSO -Subjects 'Domain Users'

12

How do PSOs determine which one wins?

What is the exception to this rule?

Precedence. The PSO with the lowest precedence value wins (if two PSOs tie, the one with the lowest objectGUID wins). Any PSO beats the domain password policy.

Exception: if a user has PSOs both through group membership and assigned directly, the directly assigned PSO wins regardless of precedence. The effective policy for a user can be checked with Get-ADUserResultantPasswordPolicy.
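The PSO cards above (create, apply, resolve precedence), worked through as one added example. This is not code from the course deck; the PSO names, the group "Tier0-Admins" and the user "alice" are assumed, and the lab must already have that group and user.

```powershell
# Added example (not from the course deck). Assumed names: Tier0-PSO,
# Alice-Exception-PSO, group "Tier0-Admins", user "alice".
Import-Module ActiveDirectory

# PSO applied through group membership. A lower Precedence value normally wins.
New-ADFineGrainedPasswordPolicy -Name "Tier0-PSO" -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutObservationWindow "0.00:30:00" -LockoutDuration "0.00:30:00" `
    -PasswordHistoryCount 24 -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" `
    -ReversibleEncryptionEnabled $false

# PSO with a worse precedence value (higher number) but linked directly to the user.
New-ADFineGrainedPasswordPolicy -Name "Alice-Exception-PSO" -Precedence 500 `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutObservationWindow "0.00:15:00" -LockoutDuration "0.12:00:00" `
    -PasswordHistoryCount 24 -MaxPasswordAge "180.00:00:00" -MinPasswordAge "1.00:00:00" `
    -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity "Tier0-PSO" -Subjects "Tier0-Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "Alice-Exception-PSO" -Subjects "alice"
Add-ADGroupMember -Identity "Tier0-Admins" -Members "alice"

# Let the directory resolve the winner instead of reasoning from Precedence alone.
# Expected result: Alice-Exception-PSO, because a PSO linked directly to the user
# beats any PSO inherited through group membership, whatever the precedence values.
Get-ADUserResultantPasswordPolicy -Identity "alice" | Select-Object Name, Precedence

# Inventory: every PSO and whom it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, AppliesTo
```

Note that PSOs only apply to users and global security groups; a user placed in the OU the group is "for" but not in the group gets the domain policy.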

13

When were Managed Service Accounts introduced?

When were Group Managed Service Accounts introduced?

  1. Managed Service Accounts: Windows Server 2008 R2
  2. Group Managed Service Accounts: Windows Server 2012

14

What is the difference between a Managed Service Account and a Group Managed Service Account?

Managed Service Account: 1 account bound to 1 computer; the computer manages the password

Group Managed Service Account: 1 object created in AD whose password is generated by the KDS and can be retrieved only by the computers (or group of computers) listed in PrincipalsAllowedToRetrieveManagedPassword, so it can be used on several hosts (farms, clusters)

15

What are the requirements for a Group Managed Service Account?

  • Windows Server 2012 forest schema
  • At least one Windows Server 2012 DC
  • KDS Root Key created for the forest
  • Hosts running Windows Server 2012 / Windows 8 or later

16

PowerShell steps to create a gMSA

Service Account Name: Service01

Server: Server01

Domain: contoso

PowerShell steps to create a Group Managed Service Account

  • Add-KdsRootKey
    • (Just a note, not needed for the answer) Effective immediately (Add-KdsRootKey -EffectiveImmediately, which still waits about 10 hours for replication) or at a specified time (Add-KdsRootKey -EffectiveTime "03/06/2013")
  • New-ADServiceAccount -Name "Service01" -DNSHostName "Service01.contoso.com" -Enabled $True
    • The host (or a group containing it) must be listed in -PrincipalsAllowedToRetrieveManagedPassword or Install-ADServiceAccount on that host fails
  • Add-ADComputerServiceAccount -Computer Server01 -ServiceAccount Service01
  • Get-ADServiceAccount -Identity service01

ON THE SERVER WHERE IT WILL BE USED

  • Install-ADServiceAccount -Identity 'service01'
  • Test-ADServiceAccount -Identity 'service01' (returns True when the host can retrieve the password)
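The gMSA procedure above as one complete, added example (not code from the course deck). It uses the card's names Service01, Server01 and contoso.com; the security group "Service01-Hosts" and the 30-day password interval are assumptions.

```powershell
# Added example (not from the course deck). Assumed: group "Service01-Hosts",
# 30-day password rotation. Run the first part on a DC or admin host with RSAT.
Import-Module ActiveDirectory

# 1. KDS root key: one per forest. Backdating EffectiveTime by 10 hours skips the
#    replication wait and is acceptable only in a single-DC lab; in production use
#    -EffectiveImmediately and wait ~10 hours before creating gMSAs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Authorize hosts through a group rather than by naming the computer directly,
#    so adding a farm node later means a group-membership change, not a gMSA edit.
New-ADGroup -Name "Service01-Hosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "Service01-Hosts" -Members (Get-ADComputer -Identity "Server01")

# 3. Create the gMSA. Limiting Kerberos encryption to AES avoids RC4 service tickets.
New-ADServiceAccount -Name "Service01" `
    -DNSHostName "Service01.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "Service01-Hosts" `
    -KerberosEncryptionType "AES128, AES256" `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# 4. Verify who is allowed to read the managed password.
Get-ADServiceAccount -Identity "Service01" -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# --- On Server01 (reboot it first so its Kerberos ticket carries the new group
#     membership; otherwise Install-ADServiceAccount is denied). ---
Install-ADServiceAccount -Identity "Service01"
Test-ADServiceAccount -Identity "Service01"   # True when the host can retrieve the password
```

When configuring the Windows service, enter the account as contoso\Service01$ and leave the password blank; the host fetches it from the KDS.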

17

What is a Virtual Account?

How do you use one for a service?

Virtual accounts are another type of service account (available since Windows Server 2008 R2). A virtual account is a local account whose password Windows manages automatically; it needs no object in AD, and when it accesses network resources it presents the computer account's identity (DOMAIN\ComputerName$).

To use a virtual account for a service, simply enter
NT SERVICE\<ServiceName> for the account name, and leave the password blank

18

How do you create a Managed Service Account?

  1. New-ADServiceAccount -Name <Name> -RestrictToSingleComputer -Enabled:$True
  2. Add-ADComputerServiceAccount -Identity <ComputerName> -ServiceAccount <Name>

ON THE COMPUTER ON WHICH IT WILL BE USED

  1. Install-ADServiceAccount -Identity <Name>

19

How do you get a list of SPNs (Service Principal Names) registered to an account?

setspn -l <HostName>

20

 

If you see incorrect names for SPNs listed for a server, what should you do?

How would you do this?

Reset them (this restores only the default HOST/ SPNs for the computer account; any extra SPNs you had registered must be added again)

setspn -r <HostName>

21

 

When might you need to add an SPN?

How would you add an SPN?

setspn -s <Service>/<FQDN> <AccountName>

*FQDN = Fully Qualified Domain Name (i.e. server1.google.com)

*-s checks that the SPN is not already registered to another account before adding it (unlike -a). A duplicate SPN breaks Kerberos authentication to that service.

22

 

How would you remove an SPN?

setspn -d <Service>/<FQDN> <AccountName>
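The SPN cards above, with the duplicate check a practitioner wants before registering anything, as an added example (not code from the course deck). The host "Server01", the service account "svc-web" and the SPN HTTP/web01.contoso.com are assumptions.

```powershell
# Added example (not from the course deck). Assumed names: Server01, svc-web,
# HTTP/web01.contoso.com, domain contoso.com.
Import-Module ActiveDirectory

# Same information as "setspn -l Server01": read the attribute directly.
(Get-ADComputer -Identity "Server01" -Properties servicePrincipalName).servicePrincipalName

# Register an SPN with the duplicate check (-S refuses if another account holds it).
setspn -S HTTP/web01.contoso.com contoso\svc-web

# The AD module equivalent; several SPNs can be added in one write.
Set-ADUser -Identity "svc-web" -ServicePrincipalNames @{ Add = "HTTP/web01" }

# Domain-wide duplicate hunt (what "setspn -X" does). Two accounts holding the same
# SPN is the classic cause of KRB_AP_ERR_MODIFIED and silent fallback to NTLM.
$spnMap = @{}
Get-ADObject -LDAPFilter "(servicePrincipalName=*)" -Properties servicePrincipalName |
    ForEach-Object {
        $owner = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()   # SPN comparison is case-insensitive
            if (-not $spnMap.ContainsKey($key)) {
                $spnMap[$key] = New-Object System.Collections.Generic.List[string]
            }
            $spnMap[$key].Add($owner)
        }
    }
$duplicates = $spnMap.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($d in $duplicates) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $d.Key, ($d.Value -join "; "))
}
```

Run the duplicate hunt before a reset (setspn -r) as well: a reset only fixes the computer account's own HOST SPNs, not a copy of the same SPN sitting on a stale service account.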

23

How do you configure Kerberos Delegation?

  • Open ADUC (Active Directory Users and Computers)
  • Select the computer object, open the properties
  • Select the Delegation tab
  • Select the level of delegation

  • * Note: delegation levels on the tab
  • Do not trust this computer for delegation (default)
  • Unconstrained = Trust this computer for delegation to any service (Kerberos only)
  • Constrained = Trust this computer for delegation to specified services only (either "Use Kerberos only" or "Use any authentication protocol", the latter being protocol transition)
  • A host with unconstrained delegation receives a copy of the TGT of every user who authenticates to it, so a compromised host can impersonate those users anywhere; prefer constrained delegation

24

 

  1. What is Unconstrained delegation? 
  2. What is constrained delegation?

 

  1. Unconstrained delegation allows a server
    to act on behalf of a user for any services.
  2. Constrained delegation restricts a server
    to act on behalf of a user for only specific services.
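Auditing which computers hold each level of delegation, as an added example (not code from the course deck). The host "WEB01" and the target SPN MSSQLSvc/sql01.contoso.com:1433 in the last step are assumptions.

```powershell
# Added example (not from the course deck). Assumed names: WEB01, sql01.contoso.com.
Import-Module ActiveDirectory

# Unconstrained delegation: every user who authenticates to such a host hands it a
# usable TGT. Domain controllers have this by design; anything else needs a review.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike "*OU=Domain Controllers,*" } |
    Select-Object Name, DNSHostName

# Constrained delegation: the services each account may delegate to, and whether
# "Use any authentication protocol" (protocol transition, UAC bit 0x1000000) is set.
Get-ADObject -LDAPFilter "(msDS-AllowedToDelegateTo=*)" `
        -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name,
        @{ n = "AllowedToDelegateTo"; e = { $_."msDS-AllowedToDelegateTo" -join ", " } },
        @{ n = "ProtocolTransition";  e = { ($_.userAccountControl -band 0x1000000) -ne 0 } }

# Move a host from unconstrained to constrained (Kerberos only) delegation limited to
# one SQL service. This is what the Delegation tab writes behind the scenes.
Set-ADComputer -Identity "WEB01" -TrustedForDelegation $false
Set-ADComputer -Identity "WEB01" -Add @{ "msDS-AllowedToDelegateTo" = @("MSSQLSvc/sql01.contoso.com:1433") }
```

The first query is the one to schedule: a new entry in it is almost always someone choosing the top radio button on the Delegation tab to make an application "just work".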

25

What are the different ways you can delegate password settings management?

(Not Processes, just resource wise)

  • Modify permissions at an OU level 
  • Modify permission on a PSO 

26

  1. What are the different ways you can configure a lockout policy?
    • (Not processes, just resources)
  2. What options can you set for all of them?
  3. Is this enabled by default?

1.

  • Group Policy - Default Domain Policy
  • PSO - Password Settings Object

2. Options

  • Number of failed logon attempts (lockout threshold)
  • Reset failed logon attempt count after (minutes)
  • Account will be locked out
    • for a duration of minutes
    • or until an administrator manually unlocks the account (a duration of 0 in Group Policy; on a PSO this is a selectable option)

3. No. The Default Domain Policy ships with a lockout threshold of 0, meaning accounts are never locked out.