The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
are configured with Windows Server 2003 and all client computers with Windows XP Professional.
At present there are 100 servers in an organizational unit named Terminal Servers, configured to
run Terminal Services.
The Terminal Servers host in-house applications. Only ABC.com users with Power Users group
membership can run these in-house applications.
A new ABC.com security policy states that the Power Users Group must be empty on all servers.
How would you ensure that the in-house applications will be available to users on the servers
when the new security requirement is enabled? Choose two.
A.
Set up a GPO in link it to the Terminal Servers OU.
B.
Set up the Compatws.inf security template to allow the Local Users group to run the legacy
applications. Import the Compatws.inf template into the GPO.
C.
Change the legacy application executable file permissions to allow the Local Users group Full
Control permission.
D.
Place the Domain Users group on the Local Administrators group on the Terminal Servers.
E.
Set up the Terminal Servers to run in Application Mode.
F.
Set up the Terminal Servers to run in Remote Administration Mode.
Explanation:
The default Windows 2003 security configuration gives members of the local Users
group strict security settings, while members of the local Power Users group have security settings
that are compatible with Windows NT 4.0 user assignments. This default configuration enables
certified Windows 2003 applications to run in the standard Windows environment for Users, while
still allowing applications that are not certified for Windows 2003 to run successfully under the less
secure Power Users configuration. However, if Windows 2003 users are members of the Power
Users group in order to run applications not certified for Windows 2003, this may be too insecure
for some environments. Some organizations may find it preferable to assign users, by default, only
as members of the Users group and then decrease the security privileges for the Users group to
the level where applications not certified for Windows 2003 run successfully. The compatible
template (compatws.inf) is designed for such organizations. By lowering the security levels on
specific files, folders, and registry keys that are commonly accessed by applications, the
compatible template allows most applications to run successfully under a User context. In addition,
since it is assumed that the administrator applying the compatible template does not want users to
be Power Users, all members of the Power Users group are removed.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5