How to pass 70-411 exam easily? GreatExam is now here to help you with your 70-411 exam certification problems. Because we are the best 70-411 exam questions training material providing vendor, all of our candidates get through 70-411 exam without any problem.
QUESTION 41
Hotspot Question
You have a file server named Server1 that runs Windows Server 2012 R2.
A user named User1 is assigned the modify NTFS permission to a folder named C:\shares and all of the subfolders of C:\shares.
On Server1, you open File Server Resource Manager as shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit.
Each correct selection is worth one point.
Answer:
Explanation:
You can create file screens to prevent files that belong to particular file groups are saved on a volume or in a folder structure. A file screen affects all folders in the specified path. For example, you can create a file screen to prevent users from storing audio and video files in their personal folders on the server. You can also Resource Manager File Server configure that it sends e-mail or other notifications when a certain file screening event occurs.
A file screen can be active or passive:
Active checks prevent users from saving unauthorized file types on the server.
In passive checks users are monitored, save certain file types, and configured notifications
generated, users are not prevented from saving the files.
A file screen prevents users and applications not from accessing files that were saved in a directory before the file screen was created – regardless of whether the files belong to the blocked file groups or not. In the folder C: \ Data1 can no audio and video files and any image files are stored. Because except for image files to the directory C: \ Data1 \ Folder1 image files any audio and video files can be stored in this folder while but.
QUESTION 42
Your network contains an Active Directory domain named contoso.com. The domain contains 30 user accounts that are used for network administration. The user accounts are members of a domain global group named Group1.
You identify the security requirements for the 30 user accounts as shown in the following table.
You need to identify which settings must be implemented by using a Password Settings object (PSO) and which settings must be implemented by modifying the properties of the user accounts.
What should you identify?
Answer:
Explanation:
With the settings Account is sensitive and can not be delegated, and users can not change password is account options on the Register account can be activated in the properties of user accounts. In the settings Minimum password length and enforce password history is it to password policies that can be configured as part of a PSO object.
QUESTION 43
Your network contains an Active Directory domain named contoso.com. The domain contains a virtual machine named Server1 that runs Windows Server 2012 R2.
Server1 has a dynamically expanding virtual hard disk that is mounted to drive E.
You need to ensure that you can enable BitLocker Drive Encryption (BitLocker) on drive E.
Which command should you run?
A. manage-bde -protectors -add c: -startup e:
B. manage-bde -lock e:
C. manage-bde -protectors -add e: -startupkey c:
D. manage-bde -on e:
Answer: D
Explanation:
Manage-bde: on
Encrypts the drive and turns on BitLocker.
Example:
The following example illustrates using the -on command to turn on BitLocker for drive C and add a recovery password to the drive.
manage-bde -on C: -recoverypassword
QUESTION 44
Hotspot Question
Your network contains 25 Web servers that run Windows Server 2012 R2.
You need to configure auditing policies that meet the following requirements:
– Generate an event each time a new process is created.
– Generate an event each time a user attempts to access a file share.
Which two auditing policies should you configure?
To answer, select the appropriate two auditing policies in the answer area.
Answer:
Explanation:
* Audit Object Access
Determines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system access control list (SACL) specified.
* Audit Process Tracking
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Reference: Audit object access
https://technet.microsoft.com/en-us/library/cc976403.aspx
Reference: Audit Process Tracking
https://technet.microsoft.com/en-us/library/cc976411.aspx
QUESTION 45
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
You have a Group Policy object (GPO) named GPO1 that contains hundreds of settings. GPO1 is linked to an organizational unit (OU) named OU1. OU1 contains 200 client computers.
You plan to unlink GPO1 from OU1.
You need to identify which GPO settings will be removed from the computers after GPO1 is unlinked from OU1.
Which two GPO settings should you identify?
(Each correct answer presents part of the solution. Choose two.)
A. The managed Administrative Template settings
B. The unmanaged Administrative Template settings
C. The System Services security settings
D. The Event Log security settings
E. The Restricted Groups security settings
Answer: AE
Explanation:
http://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx http://technet.microsoft.com/en-us/library/bb964258.aspx
There are two kinds of Administrative Template policy settings: Managed and Unmanaged .
The Group Policy service governs Managed policy settings and removes a policy setting when it is no longer within scope of the user or computer.
QUESTION 46
Your network contains an Active Directory domain named contoso.com. The domain contains an organizational unit (OU) named IT and a CU named Sales. All of the help desk user accounts are located in the IT CU. All of the sales user accounts are located in the Sales CU. The Sales CU contains a global security group named G_Sales. The IT CU contains a global security group named G_HelpDesk.
You need to ensure that members of G_HelpDesk can perform the following tasks:
– Reset the passwords of the sales users.
– Force the sales users to change their password at their next logon.
What should you do?
A. Run the Set-ADFinecrainedPasswordPolicy cmdlet and specify the -identity parameter.
B. Right-click the IT OU and select Delegate Control.
C. Right-click the Sales OU and select Delegate Control.
D. Run the Set-ADAccountPassword cmdlet and specify the -identity parameter.
Answer: C
Explanation:
B. Wrong OU. Question asks for G_HelpDesk member to be able to delegate control of sales users/force reset
C. G_HelpDesk members need to be allowed to delegate control on the Sales OU as it contains the sales users (G_Sales)
http://technet.microsoft.com/en-us/library/cc732524.aspx
QUESTION 47
Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.
All desktop computers in contoso.com run Windows 8 and are configured to use BitLocker Drive Encryption (BitLocker) on all local disk drives.
You need to deploy the Network Unlock feature.
The solution must minimize the number of features and server roles installed on the network.
To which server should you deploy the feature?
A. Server1
B. Server2
C. Server3
D. Server4
E. Server5
Answer: E
Explanation:
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the Windows Deployment Services role in Server Manager.
QUESTION 48
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
You create an organizational unit (OU) named OU1 and a Group Policy object (GPO) named GPO1. You link GPO1 to OU1.
You move several file servers that store sensitive company documents to OU1.
Each file server contains more than 40 shared folders.
You need to audit all of the failed attempts to access the files on the file servers in OU1.
The solution must minimize administrative effort.
Which two audit policies should you configure in GPO1?
To answer, select the appropriate two objects in the answer area.
Answer:
Explanation:
The figure shows the categories of Advanced Audit Policy Configuration. The basic settings for the Safeguards Policies under Security Settings \ Local Policies \ Audit Policy and the advanced settings for the Safeguards Policies under Security Settings \ Advanced Audit Policy Configuration \ System Audit Policies appear to overlap, but they are recorded and applied differently . Under Security Settings \ Local Policies \ Audit Policy, there are nine basic audit policy settings under Advanced Audit Policy Configuration 53 Settings.
The settings under Security Settings \ Advanced Audit Policy Configuration \ System Audit Policies are available, refer to similar areas as the basic nine settings \ Local Policies Audit Policy, however, administrators have more choices when it comes to the number and types of the monitored events. Where the basic audit policy e. g. provides a single setting for account registration, are available in the extended audit policy four.
The activation of the single basic account logon setting is equivalent to the activation of all four advanced account logon settings. In comparison, no audit events for activities when you specify a single set advanced audit policy, created in which you are not interested. If you success auditing for the basic setting Audit account logon activate, also just a sense of achievement for all account logon-related behaviors are logged. For an extended account logon setting, you can however configure success auditing for a second advanced account logon setting, fault monitoring and for a third advanced account logon settings success and failure – or no monitoring, depending on the requirements of the organization.
The nine basic settings under Security Settings \ Local Policies \ Audit Policy were introduced in Windows 2000 and are therefore available for all versions of Windows since published. The advanced audit policy settings were introduced in Windows Vista and Windows Server of 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2 or Windows Server 2008 is running.
QUESTION 49
Your network contains an Active Directory domain named contoso.com.
All domain controllers run Windows Server 2012 R2.
The domain contains 500 client computers that run Windows 8 Enterprise.
You implement a Group Policy central store.
You have an application named App1. App1 requires that a custom registry setting be deployed to all of the computers.
You need to deploy the custom registry setting. The solution must minimize administrator effort.
What should you configure in a Group Policy object (GPO)?
A. The Software Installation settings
B. The Administrative Templates
C. An application control policy
D. The Group Policy preferences
Answer: D
Explanation:
Group Policy preferences provide the means to simplify deployment and standardize configurations. They add to Group Policy a centralized system for deploying preferences (that is, settings that users can change later).
You can also use Group Policy preferences to configure applications that are not Group Policy-aware. By using Group Policy preferences, you can change or delete almost any registry setting, file or folder, shortcut, and more.
You are not limited by the contents of Administrative Template files.
The Group Policy Management Editor (GPME) includes Group Policy preferences.
http://technet.microsoft.com/en-us/library/gg699429.aspx
http://www.unidesk.com/blog/gpos-set-custom-registry-entries-virtual-desktops-disabling-machine-password
QUESTION 50
You have a file server that has the File Server Resource Manager role service installed.
You open the File Server Resource Manager console as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all of the folders in Folder1 have a 100-MB quota limit.
What should you do?
A. Run the Update FsrmQuotacmdlet.
B. Run the Update-FsrmAutoQuotacmdlet.
C. Create a new quota for Folder1.
D. Modify the quota properties of Folder1.
Answer: C
Explanation:
By using auto apply quotas, you can assign a quota template to a parent volume or folder. Then File Server Resource Manager automatically generates quotas that are based on that template. Quotas are generated for each of the existing subfolders and for subfolders that you create in the future.
http://technet.microsoft.com/en-us/library/cc731577.aspx
QUESTION 51
You have a server named Server 1.
You enable BitLocker Drive Encryption (BitLocker) on Server 1.
You need to change the password for the Trusted Platform Module (TPM) chip.
What should you run on Server1?
A. Manage-bde.exe
B. Set-TpmOwnerAuth
C. bdehdcfg.exe
D. tpmvscmgr.exe
Answer: B
Explanation:
The Set-TpmOwnerAuthcmdlet changes the current owner authorization value of the Trusted Platform Module (TPM) to a new value.
You can specify the current owner authorization value or specify a file that contains the current owner authorization value. If you do not specify an owner authorization value, the cmdlet attempts to read the value from the registry.
Use the ConvertTo-TpmOwnerAuthcmdlet to create an owner authorization value.
You can specify a new owner authorization value or specify a file that contains the new value.
QUESTION 52
Your company has a main office and two branch offices. The main office is located in Seattle.
The two branch offices are located in Montreal and Miami.
Each office is configured as an Active Directory site.
The network contains an Active Directory domain named contoso.com.
Network traffic is not routed between the Montreal office and the Miami office.
You implement a Distributed File System (DFS) namespace named \\contoso.com\public.
The namespace contains a folder named Folder1. Folder1 has a folder target in each office.
You need to configure DFS to ensure that users in the branch offices only receive referrals to the target in their respective office or to the target in the main office.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Set the Ordering method of \\contoso.com\public to Random order.
B. Set the Advanced properties of the folder target in the Seattle office to Last among all targets.
C. Set the Advanced properties of the folder target in the Seattle office to First among targets of equal cost.
D. Set the Ordering method of \\contoso.com\public to Exclude targets outside of the client’s site.
E. Set the Advanced properties of the folder target in the Seattle office to Last among targets of equal cost.
F. Set the Ordering method of \\contoso.com\public to Lowest cost.
Answer: CD
Explanation:
Exclude targets outside of the client’s site In this method, the referral contains only the targets that are in the same site as the client. These same-site targets are listed in random order. If no same-site targets exist, the client does not receive a referral and cannot access that portion of the namespace. Note: Targets that have target priority set to “First among all targets” or “Last among all targets” are still listed in the referral, even if the ordering method is set to Exclude targets outside of the client’s site .
Note 2: Set the Ordering Method for Targets in Referrals A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.
QUESTION 53
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has the Network Policy Server server role installed. The domain contains a server named Server2 that is configured for RADIUS accounting.
Server1 is configured as a VPN server and is configured to forward authentication requests to Server2.
You need to ensure that only Server2 contains event information about authentication requests from connections to Server1.
Which two nodes should you configure from the Network Policy Server console?
To answer, select the appropriate two nodes in the answer area.
Answer:
Explanation:
In the properties of the Network Policy Server logging of rejected and successful authentication requests can be disabled: Using connection request policies can be defined, whether connection requests are processed locally or forwarded to a remote RADIUS server.
QUESTION 54
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1.
You make a change to GPO1.
You need to force all of the computers in OU1 to refresh their Group Policy settings immediately.
The solution must minimize administrative effort.
Which tool should you use?
A. Group Policy Object Editor
B. The Secedit command
C. Group Policy Management Console (GPMC)
D. Active Directory Users and Computers
Answer: C
Explanation:
In the previous versions of Windows, this was accomplished by having the user run GPUpdate.exe on their computer.
Starting with Windows Server?2012 and Windows?8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate cmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container.
Note: Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.
Incorrect:
Not B: Secedit configures and analyzes system security by comparing your current configuration to at least one template.
Reference: Force a Remote Group Policy Refresh (GPUpdate)
QUESTION 55
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the following BitLocker Drive Encryption (BitLocker) settings:
You need to ensure that drive D will unlock automatically when Server1 restarts. What command should you run?
To answer, select the appropriate options in the answer area.
Answer:
Explanation:
If BitLocker is enabled on the operating system drive, you can admit when you turn on BitLocker for an integrated data drive that the drive is automatically unlocked when the operating system drive is unlocked.
The available parameters are part of the cmdlet Add-BitLockerKeyProtector.
The parameter -ADAccountOrGroupProtector the encryption key can be added to a domain account as a protector.
QUESTION 56
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. All servers run Windows Server 2012 R2.
You need to collect the error events from all of the servers on Server1. The solution must ensure that when new servers are added to the domain, their error events are collected automatically on Server1.
Which two actions should you perform?
(Each correct answer presents part of the solution.
Choose two.)
A. On Server1, create a collector initiated subscription.
B. On Server1, create a source computer initiated subscription.
C. From a Group Policy object (GPO), configure the Configure target Subscription Manager setting.
D. From a Group Policy object (GPO), configure the Configure forwarder resource usage setting.
Answer: BC
Explanation:
To set up a Source-Initiated Subscription with Windows Server 2003/2008 so that events of interest from the Security event log of several domain controllers can be forwarded to an administrative workstation
* Group Policy
The forwarding computer needs to be configured with the address of the server to which the events are forwarded. This can be done with the following group policy setting:
Computer configuration-Administrative templates-Windows components-Event forwarding-
Configure the server address, refresh interval, and issue certificate authority of a target subscription manager.
* Edit the GPO and browse to Computer Configuration | Policies | Administrative Templates
| Windows Components | Event Forwarding – Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager
QUESTION 57
Hotspot Question
Your company has two offices. The offices are located in Montreal and Seattle.
The network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2. Server1 is located in the Seattle office. Server2 is located in the Montreal office. Both servers run Windows Server 2012 R2 and have the Windows Server Update Services (WSUS) server role installed.
You need to configure Server2 to download updates that are approved on Server1 only.
What cmdlet should you run?
To answer, select the appropriate options in the answer area.
Answer:
Explanation:
With the cmdlet Set-WsusServerSynchronization can be determined whether a Windows Server Update Services (WSUS) server updates synchronized from Microsoft Update or from an upstream server.
The parameter -UssServerName server name indicates that you want to synchronize from the specified upstream server.
The Parameter -Replica configures the Windows Server Update Services (WSUS) for the replica mode.
QUESTION 58
You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has the File Server Resource Manager role service installed.
Each time a user receives an access-denied message after attempting to access a folder on Server1, an email notification is sent to a distribution list named DL1.
You create a folder named Folder1 on Server1, and then you configure custom NTFS permissions for Folder 1.
You need to ensure that when a user receives an access-denied message while attempting to access Folder1, an email notification is sent to a distribution list named DL2.
The solution must not prevent DL1 from receiving notifications about other access-denied messages.
What should you do?
A. From File Explorer, modify the Classification tab of Folder1.
B. From the File Server Resource Manager console, modify the Email Notifications settings.
C. From the File Server Resource Manager console, set a folder management property.
D. From File Explorer, modify the Customize tab of Folder1.
Answer: B
Explanation:
When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.
The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager.
http://technet.microsoft.com/en-us/library/jj574182.aspx#BKMK_12
QUESTION 59
Drag and Drop Question
You have a WIM file that contains an image of Windows Server 2012 R2.
Recently, a technician applied a Microsoft Standalone Update Package (MSU) to the image.
You need to remove the MSU package from the image.
Which three actions should you perform in sequence?
To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
QUESTION 60
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. A domain controller named DC1 has the ADMX Migrator tool installed.
You have a custom Administrative Template file on DC1 named Template1.adm.
You need to add a custom registry entry to Template1.adm by using the ADMX Migrator tool.
Which action should you run first?
A. New Category
B. Load Template
C. New Policy Setting
D. Generate ADMX from ADM
Answer: D
Explanation:
A. Done after ADMX is created, adds categories of policy settings
B. Done after ADMX is created, Loads ADMX template to be edited
C. Done after ADMX is created, defines new registry-based policy settings
D. Coverts ADM files into ADMX (XML Format)
http://technet.microsoft.com/en-us/magazine/2008.02.utilityspotlight.aspx
If you want to get more 70-411 exam study guide, you can download the free 70-411 braindumps in PDF files on GreatExam. It would be great help for your exam. As a professional IT exam study material provider, GreatExam.com gives you more than just exam questions and answers. We provide our customers with the most accurate study guide about the exam and the guarantee of pass. You can easily find 70-411 exam Q&As on our site. All the study guide provided by us are selected by experts in this field. The questions and answers are very easy to understand, and they’re especially great for professionals who have really little time to focus on exam preparations for certifications, due to their work and other private commitments.