Certifiable Q&A for October 5, 2001

Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.

This week's questions cover topics for Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Questions (October 5, 2001)

Question 1
You have created an Active Directory (AD) domain for testing purposes, and you want to populate it with several thousand user accounts. However, using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to add so many accounts would take more time than you have. Which Windows 2000 tools would let you automatically generate the user accounts from your existing user account information, which is stored in several different formats (e.g., .txt, .xls)? (Choose all that apply.)

  A. ClonePrincipal
  B. Csvde.exe
  C. Dsa.msc
  D. Ldifde.exe
  E. Movetree
  F. Netdom

Question 2
If you create a user account on a network that has an Active Directory (AD) forest with 10 domains in two domain trees, which of the following user account attributes must be unique across the entire forest? (Choose all that apply.)

  A. GUID
  B. LDAP Distinguished Name
  C. Pre-Windows 2000 user logon name
  D. UPN

Question 3
Several employees at your company are working on a special high-security project. These employees' user accounts have special password and account-lockout requirements, so you’ve created a new domain for them called projecty.companyxyz.com.

You’ve created a Group Policy Object (GPO) called Lockdown that enforces strict restrictions on the users’ desktop environments, and you’ve linked this GPO to the projecty.companyxyz.com domain. However, you're concerned that this GPO will affect members of the new domain's Domain Administrators group. How can you ensure that the GPO doesn't place restrictions on the Domain Administrators group?

  A. You don't need to perform any additional actions because the Domain Administrators group doesn't have Apply Group Policy settings for any GPOs.
  B. Select Deny for the Apply Group Policy setting for the Domain Administrators group.
  C. Create a new OU called Domain Administrators. Move the Domain Administrators security group into this OU. Select the Block Inheritance setting for the Domain Administrators OU.
  D. Create a new OU called Users. Move the Authenticated Users security group into this OU. Link the Lockdown GPO to the Users OU.
  E. Remove the members of the Domain Administrators security group from the Authenticated Users security group.

Answers (October 5, 2001)

Answer to Question 1
The correct answers are B—Csvde.exe; and D—Ldifde.exe. Csvde.exe is a tool that lets you import and export data from Comma Separated Value (CSV) files, which applications such as Microsoft Excel use. Ldifde.exe is another tool that lets you import and export data to and from AD.

Answer to Question 2
The correct answers are A—GUID; B—LDAP Distinguished Name; and D—UPN. The globally unique ID (GUID) is a 16-byte code that identifies an interface to an object across all computers and networks. No two objects have the same GUID.

The Lightweight Directory Access Protocol (LDAP) Distinguished Name is a name that uniquely identifies an object by using the relative distinguished name for the object and the names of container objects and domains that contain the object.

The user principal name (UPN) consists of a user account name (sometimes referred to as the user logon name) and a suffix that might identify the domain where the user account is located. The UPN must be unique in the forest.

The pre-Windows 2000 user logon name, which is used for backward-compatibility with Windows NT 4.0 BDCs, must be unique within the domain but doesn't need to be unique within the forest.

Answer to Question 3
The correct answer is B—Select Deny for the Apply Group Policy setting for the Domain Administrators group. By default, Domain Administrators don't have Apply Group Policy permission. However, Domain Administrators are also Authenticated Users, and Authenticated Users have Read and Apply Group Policy permissions by default. Therefore, by default, GPOs will apply to Domain Administrators. You can prevent this default behavior by taking one of the following steps:

  • Specify Deny for the Apply Group Policy setting for the Domain Administrators group. Remember, an access control entry (ACE) set to Deny always takes precedence over Allow. Therefore, even if a member of that group also belongs to another group that's explicitly set to Allow the Apply Group Policy attribute for this GPO, the permission is still denied for that user.
  • Go to the GPO's Security tab and remove Authenticated Users from the list. Next, add a new security group with the Apply Group Policy and Read attributes set to Allow. To this new group, add all users to whom the GPO should apply.
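
The filtering logic in the answer to Question 3, as an added example that is not part of the original column: a simplified Python model of how a GPO's ACL decides whether the GPO applies to an account. It assumes a Deny entry always wins, as the answer states; the group names "Project Leads" and "Lockdown Users" are hypothetical.

```python
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"
AUTH, ADMINS = "Authenticated Users", "Domain Administrators"

@dataclass(frozen=True)
class Ace:
    principal: str   # security group the entry names
    right: str       # READ or APPLY
    allow: bool      # True = Allow, False = Deny

def granted(acl, groups, right):
    """Simplified access check: any matching Deny wins, else one Allow is needed."""
    hits = [a for a in acl if a.right == right and a.principal in groups]
    return bool(hits) and all(a.allow for a in hits)

def gpo_applies(acl, groups):
    """A GPO is processed only for accounts granted both Read and Apply."""
    return granted(acl, groups, READ) and granted(acl, groups, APPLY)

# Default GPO permissions as the answer describes them (constructed model).
DEFAULT_ACL = [Ace(AUTH, READ, True), Ace(AUTH, APPLY, True),
               Ace(ADMINS, READ, True)]

def with_admin_deny(acl):
    """First step in the answer: Deny Apply Group Policy for the admins group."""
    return acl + [Ace(ADMINS, APPLY, False)]

def filtered_to(acl, group):
    """Second step: drop Authenticated Users, allow one dedicated group."""
    kept = [a for a in acl if a.principal != AUTH]
    return kept + [Ace(group, READ, True), Ace(group, APPLY, True)]

def report():
    admin, user = {AUTH, ADMINS}, {AUTH}
    deny_acl = with_admin_deny(DEFAULT_ACL)
    # "Project Leads" and "Lockdown Users" are hypothetical group names.
    deny_plus = deny_acl + [Ace("Project Leads", APPLY, True)]
    scoped = filtered_to(DEFAULT_ACL, "Lockdown Users")
    return {
        "default/admin": gpo_applies(DEFAULT_ACL, admin),
        "deny/admin": gpo_applies(deny_acl, admin),
        "deny/admin+allow-group": gpo_applies(deny_plus, admin | {"Project Leads"}),
        "deny/user": gpo_applies(deny_acl, user),
        "scoped/admin": gpo_applies(scoped, admin),
        "scoped/member": gpo_applies(scoped, user | {"Lockdown Users"}),
    }

if __name__ == "__main__":
    for case, applies in report().items():
        print(f"{case:24} GPO applies: {applies}")
```

With the second approach, an ordinary user who is not added to the dedicated group is also no longer covered by the GPO, so that group's membership has to be kept current.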