Which cmdlet should you use?

Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in the series. Information and details provided in a question apply only to that question.
Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.
You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM.
Which cmdlet should you use?

A. Get-ADGroupMember

B. Get-ADDomainControllerPasswordReplicationPolicy

C. Get-ADDomainControllerPasswordReplicationPolicyUsage

D. Get-ADDomain

E. Get-ADOptionalFeature

F. Get-ADAccountAuthorizationGroup

G. Get-ADAuthenticationPolicySilo

H. Get-ADAuthenticationPolicy





dkaro

I guess it is H, but I'm very unsure.

jeff

It's D, you must first verify the domain functional level.

Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows

https://technet.microsoft.com/en-us/library/dn466518.aspx

shlok_007

The correct answer is D, Get-ADDomain, because we need to check the functional level, as NTLM is not supported in Windows Server 2012 R2.

David

Another vote for "D. Get-ADDomain". Here is another TechNet article that confirms it:

https://technet.microsoft.com/en-us/library/Dn518179.aspx

If the domain functional level is Windows Server 2012 R2, members of the (Protected Users) group can no longer:
- Authenticate by using NTLM authentication

Josef

Guys, please read the question properly! The domain level is, quote: "The forest functional level is Windows Server 2012." So we already know the functional level! So Macky is right, we have to check the restrictions. So we should check the policy! H!

Junkyard Dawg

I agree. The domain functional level was not mentioned in this question, and that will ultimately determine if this type of authentication will be valid.

Junkyard Dawg

Left reply on wrong comment. Please ignore.

YR

Forest level and domain level are different. Protected Users groups in a Windows 2012 R2 domain no longer use NTLM; Protected Users groups in a Windows 2012 or older domain still use NTLM, so you need to see which domain the Protected Users groups are in, which requires you to check the domain level.
If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

- Authenticate by using NTLM authentication
- Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication
- Be delegated by using unconstrained or constrained delegation
- Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Junkyard Dawg

I agree. The domain functional level was not mentioned in this question, and that will ultimately determine if this type of authentication will be valid.

Junkyard Dawg

Left reply on wrong comment. Please ignore.

Junkyard Dawg

I was previously in agreement with Macky and Josef about the answer being H, Get-ADAuthenticationPolicy, but I have changed my mind now. I believe the answer is D, Get-ADDomain. The Microsoft TechNet article below discusses how to configure Protected Accounts.

https://technet.microsoft.com/en-us/library/Dn518179.aspx

Let's first break this down simply and start with the question at hand. The forest functional level is Windows Server 2012, according to the question. This does NOT mean the domain functional level is also Windows Server 2012. It would have to be Windows Server 2012 or higher, but the question does not specify the domain functional level.

The question goes on to state that all servers, including the host are running Windows Server 2012 R2. Again, it does not state the domain functional level. We can’t just assume this if the question did not state it explicitly.

Finally, the question states, "You need to identify whether the members of the Protected Users group will be prevented from authenticating by using NTLM." After reading the Microsoft TechNet article below, I noticed this quote: "To provide domain controller-side restrictions for Protected Users, that is to restrict usage of NTLM authentication, and other restrictions, the domain functional level must be Windows Server 2012 R2." To me, this article is stating that if an administrator wants to restrict NTLM authentication or any of the other restrictions, the DOMAIN functional level must be raised.

To recap, the question asked us to identify whether Protected Users will be prevented from authenticating using NTLM. The easiest way to confirm this is to review the domain functional level.
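Checking this from PowerShell, as an added example that is not from the thread or from Microsoft, assuming the RSAT ActiveDirectory module on a domain-joined machine: it reads DomainMode with Get-ADDomain, which the forest level alone (Windows Server 2012 here) cannot settle, and lists the members that the DC-side restrictions would apply to.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and a reachable domain controller for contoso.com, the question's domain.
Import-Module ActiveDirectory

function Test-ProtectedUsersNtlmRestriction {
    param([string]$Domain = 'contoso.com')

    # Get-ADDomain exposes the domain functional level as DomainMode.
    # The forest level (Get-ADForest's ForestMode) is only a lower bound
    # for it, so it cannot answer the NTLM question by itself.
    $d = Get-ADDomain -Identity $Domain
    $r2 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain

    # DC-side protections (NTLM refused, no DES/RC4 pre-auth, no delegation,
    # 4-hour TGT) apply only at Windows2012R2Domain or higher.
    $dcSideProtections = ([int]$d.DomainMode) -ge $r2

    # Membership of the built-in Protected Users group (RID 525) is what
    # applies the protections; there is no per-account policy to query.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Server $d.PDCEmulator -Recursive |
        Where-Object ObjectClass -eq 'user'

    [pscustomobject]@{
        Domain             = $d.DNSRoot
        DomainMode         = $d.DomainMode
        NtlmBlockedByDCs   = $dcSideProtections
        ProtectedUserCount = @($members).Count
        ProtectedUsers     = @($members | Select-Object -ExpandProperty SamAccountName)
    }
}

$result = Test-ProtectedUsersNtlmRestriction
$result | Format-List

if (-not $result.NtlmBlockedByDCs) {
    $msg = 'Domain mode {0}: DCs still accept NTLM from Protected Users; only the ' +
           'client-side protections on Windows 8.1 / 2012 R2 devices apply.'
    Write-Warning ($msg -f $result.DomainMode)
}
```

Raising DomainMode to Windows2012R2Domain is what turns on the DC-side refusal; nothing in the authentication policy cmdlets changes that for this group.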

Junkyard Dawg

I decided to make a separate comment for ease of reading. This comment deals with the Protected Users security group. Please refer to the Microsoft TechNet article below.

https://technet.microsoft.com/en-us/library/dn466518.aspx

The article states, "The only method to modify these protections for an account is to remove the account from the security group." This means that using a PowerShell cmdlet like Set-ADAuthenticationPolicy would be useless in modifying the authentication of a Protected User account. And since the Set verb can't be used, what use would the Get verb be if we could never modify the authentication policy in the first place?

The Microsoft TechNet article goes on to state, "Depending on the account's domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows." And one of these "behavior changes" is Windows Server 2012 R2's restriction of NTLM authentication.

I hope I have supplied enough information to put potential test-takers at ease. If anyone else has supportive, or even contradictory information, please feel free to present this. We all have the same goal: to get our MCSA.

kristofina vatileni

Q5: You plan to decommission a domain controller that holds several operations master roles. From the table below, select:
1. Which tool to use to transfer the domain naming master: we use Active Directory Domains and Trusts
2. Which tool to use to transfer the infrastructure master: we use Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Schema
- Active Directory Sites and Services
- Active Directory Users and Computers
- Security Configuration Wizard (SCW)

Who

D. Because you need to know the domain functional level (forest is not enough) to see if NTLM could even run. It doesn't run on 2012 R2.

MS

No guys, we DO know the domain functional level, because we know the forest functional level, as mentioned in the post: "The forest functional level is Windows Server 2012".

Please read this to understand functional levels:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Quote from link:
– You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server that the new functional level supports.
– You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.

MS

Oops, missed the R2 part. The domain is 2012 at a minimum, based on the forest, but the domain could be 2012 R2, which is why you need to check with Get-ADDomain. D.

R

It's G, you fucking idiots.

Aberdeen Angus

lol, I like it when people speak their mind.

I'm joining the "fucking idiot" gang and going for D. The forest is at 2012 level, so the domain is at either 2012 or 2012 R2 level. If the domain is at 2012 level then members of Protected Users can use NTLM; if the domain is at 2012 R2 they can't.

https://technet.microsoft.com/en-us/library/dn466518.aspx says: "When the Protected Users' group account is upgraded to the Windows Server 2012 R2 domain functional level, domain controller-based protections are automatically applied. Members of the Protected Users group who authenticate to a Windows Server 2012 R2 domain can no longer authenticate by using:
- Default credential delegation (CredSSP)...
- Windows Digest...
- NTLM..."

Fucking idiots of the world unite!