You are working as the administrator at ABC.com. The network consists of a single Active
Directory domain named ABC.com with the domain functional level set at Windows Server 2003.
All network servers run Windows Server 2003 and all client computers run Windows XP
Professional.
The ABC.com domain is divided into organizational units (OUs). All the resource servers are
contained in an OU named ABC_SERVERS and the workstations are contained in an OU named
ABC_CLIENTS. All resource servers operate at near capacity during business hours. All
workstations have low resource usage during business hours.
You received instructions to configure baseline security templates for the resource servers and the
workstations. To this end you configured two baseline security templates named
ABC_SERVERS.inf and ABC_CLIENTS.inf respectively. The ABC_SERVERS.inf template
contains many configuration settings. Applying the ABC_SERVERS.inf template would have a
performance impact on the servers. The ABC_CLIENTS.inf contains just a few settings so
applying this template would not adversely affect the performance of the workstations.
How would you apply the security templates so that the settings will be periodically enforced whilst
ensuring that the solution reduces the impact on the resource servers? Choose three.
A. By setting up a GPO named SERVER-GPO and linking it to the ABC_SERVERS OU.
B. By having the ABC_SERVERS.inf template imported into SERVER-GPO.
C. By having the ABC_SERVERS.inf and the ABC_CLIENTS.inf templates imported into the
Default Domain Policy GPO.
D. By scheduling SECEDIT on each resource server to regularly apply the ABC_SERVERS.inf
settings during off-peak hours.
E. By having a GPO named CLIENT-GPO created and linked to the ABC_CLIENTS OU.
F. By having the ABC_CLIENTS.inf template imported into CLIENT-GPO.
G. By having SERVER-GPO and CLIENT-GPO linked to the domain.
Explanation:
The question states that you need to apply the baseline security templates so that
the settings will be periodically enforced. To accomplish this, you must create a scheduled task so
that the performance impact on resource servers is minimized. Furthermore, the question also
states that ABC_CLIENTS.inf is a baseline security template for client computers. Therefore, the
GPO has to be linked to the OU that contains the client computers, and the ABC_CLIENTS.inf
template must be imported into that GPO so that it can be applied.
Secedit.exe is a command line tool that performs the same functions as the Security Configuration
And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use
Secedit.exe in scripts and batch files to automate security template deployments.
You can create a baseline security configuration in a GPO directly, or import a security template
into a GPO. Link the baseline security GPO to the OUs that contain the member server computer
objects.
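Added example, not part of the original question or the cited books: a batch file for the
scheduled SECEDIT approach described above. The folder C:\SecBaseline, the task name, the
event IDs and the 02:00 start time are assumptions chosen for illustration.

```bat
@echo off
rem apply_baseline.cmd - added example; paths, task name, event IDs and the
rem 02:00 start time are assumptions, not values from the question.
rem Keep C:\SecBaseline writable by administrators only: the task runs as SYSTEM.
setlocal
set BASEDIR=C:\SecBaseline
set SCRIPT=%BASEDIR%\apply_baseline.cmd
set TEMPLATE=%BASEDIR%\ABC_SERVERS.inf
set DB=%BASEDIR%\ABC_SERVERS.sdb
set LOG=%BASEDIR%\ABC_SERVERS.log

if /i "%~1"=="/register" goto register
goto apply

:register
rem One-time setup: run this script every day at 02:00 (assumed off-peak) as SYSTEM.
schtasks /create /tn "ABC_SERVERS baseline" /tr "%SCRIPT%" /sc daily /st 02:00 /ru SYSTEM
goto end

:apply
rem Stop and raise an event if the template is missing, so the gap is noticed.
if not exist "%TEMPLATE%" (
    eventcreate /t ERROR /id 901 /l APPLICATION /so SecBaseline /d "Template %TEMPLATE% not found"
    exit /b 2
)

rem /overwrite empties the database before the import so stale settings do not linger.
rem /quiet suppresses prompts so the job can run unattended.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
if errorlevel 1 (
    eventcreate /t ERROR /id 902 /l APPLICATION /so SecBaseline /d "secedit failed, see %LOG%"
    exit /b 1
)
eventcreate /t INFORMATION /id 900 /l APPLICATION /so SecBaseline /d "ABC_SERVERS.inf applied"

:end
endlocal
```

Run it once with /register on each resource server; the Application log entries from source
SecBaseline then show whether each nightly run applied the template.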
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, Chapter 9