Which tool should you use?

Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.
The domain contains a domain controller named DC1 that is configured as an enterprise root
certification authority (CA).
All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card.
A user named User1 resigned and started to work for a competing company.
You need to prevent User1 immediately from logging on to any computer in the domain. The
solution must not prevent other users from logging on to the domain.
Which tool should you use?


A. Active Directory Users and Computers
B. Certificate Templates
C. The Security Configuration Wizard
D. The Certificates snap-in





mina

In another place on this site there is the same question, but the answer was to revoke the certificate, as disabling the user account will take 15 minutes to be enforced all over the domain.

So it should be 'D'.

Guy

Hi Mina,
How would you disable a certificate issued by a CA in certmgr.msc? The Certificates snap-in only shows certificates in the certificate store of the local computer, not in the ones in the CA database. Looks to me like A is correct.

RHL

So the answer should be the same as in the other question that mina mentioned, which is (Active Directory Users and Computers)?

Akoachi

And revoking the certificate will prevent all other users from logging in too.

den

You could revoke the user's smart card certificate, but it's not an option here, so just delete or disable that account.

damemalov

There is a similar question to this one but in the answers you have an option to choose Certificate Authority. You should choose that instead of Active Directory Users and Computers. It’s a tricky question.

Flash

I failed the exam. This question came up too, but the option was (Active Directory Administrative Center) instead of (Active Directory Users and Computers).

JohnPP

There are indeed similar answers. I found 4 combinations with different answers. Didn't check if they are correct:

A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. The Certificates snap-in
D. Server Manager
Answer is A

A. Active Directory Sites and Services
B. Active Directory Administrative Center
C. Server Manager
D. Certificate Templates
Answer is B

A. Server Manager
B. The Certificates snap-in
C. Active Directory Users and Computers
D. The Certification Authority console
Answer is D

A. Active Directory Users and Computers
B. Certificate Templates
C. The Security Configuration Wizard
D. The Certificates snap-in
Answer is A

JohnPP

Probably the answer of the 3rd set from my last post must be C, not D. But I don't know for sure.

U

I have the premium file of 412 (10/1/15).
Here the answer is:
*A. Active Directory Users and Computers*

In the other Q the correct answer is:
*D. The Certification Authority console* (if that answer is shown, this is the right one…)

Liron

Today, 15/1, I failed 661, and one of the answers was "Active Directory Administrative Center".
This also looks like one of the answers.

ebrahimkali

Certificate Revocation:

Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.
http://technet.microsoft.com/en-us/library/cc778151(v=ws.10).aspx

By default, CAs publish CRLs weekly. You can change this setting through the Revoked Certificates Properties dialog box.
http://msdn.microsoft.com/en-us/library/bb727098.aspx#EDAA

Each CA is configured with a CRL publication setting. This setting defines when a CA will automatically publish an updated CRL known as the CRL publish period. When a CA is first installed, the publish period is set to one week, but can be manually configured.
A CRL is valid for a period that differs from this publish period. The validity period is the period of time that a CRL is considered authoritative for verifying an issued certificate. The validity period is extended to a length of time greater than the publication period to allow for Active Directory replication. By default, the validity period is defined to be 10% greater than the publication period, up to a maximum of 12 hours difference. For example, if your CRL publish period is set to 10 days, and then the validity period is set to 11 days. In addition, the validity period must be at least 1.5 times the skew value. Therefore, if the skew value is defined to be 10 minutes, then the validity period must be a minimum of at least 15 minutes.
You can alter the default settings by modifying the CRLOverlapPeriod and CRLOverlapUnits values located in the registry in the HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ hive. For example, to define the validity period to be extended by two days, you would set CRLOverlapPeriod to a value of "days" and CRLOverlapUnits to a value of "2".
Note: It is recommended to modify these registry values using certutil -setreg, rather than directly modifying the registry. The following command(s) are provided as examples:
certutil -setreg ca\CRLOverlapPeriod days
certutil -setreg ca\CRLOverlapUnits 2
Finally, there is a clock skew of an additional 10 minutes added to the validity period on either side of the publish period, so a CRL will be valid 10 minutes before the beginning of its publish period to account for variances in computer clock settings. You can modify this setting by changing the value of ClockSkewMinutes in the same registry location.
http://technet.microsoft.com/en-us/library/cc700843.aspx#XSLTsection126121120120

You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.
It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.
http://technet.microsoft.com/en-us/library/cc782162(v=ws.10).aspx

CryptoAPI uses the following two caches for CRLs and OCSP responses:
• A disk cache, which maintains copies of all CRLs and OCSP responses retrieved during the revocation checking process on the local file system. All items in the disk cache are maintained until their validity period expires.
• A memory cache, which contains revocation information used by a specific process. The memory cache is maintained within the memory used by the calling process. When the process terminates, the memory is released and the memory cache is flushed. If an object exists in the disk cache, the object is read into the memory cache for the calling process.
For Windows XP or Windows Server 2003, it is now supported to delete items from the disk cache. There are different commands available for flushing the cache:
• To delete all cache entries:
certutil -urlcache * delete
For Windows Vista and Windows 2008, it is preferable to invalidate the memory cache instead of deleting the disk cache. You can do so by invalidating the cached CRLs and OCSP responses before the time specified in the object.
To invalidate the cache, you must run the following commands from an Administrative command prompt:
• To immediately invalidate all items from the cache:
certutil -setreg chain\ChainCacheResyncFiletime @now
http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx

EXAM TIP
If you don’t want to wait for a CRL or delta CRL to be published according to the default
schedule, you can trigger CRL publication. It is important to note that in most cases a
client will check a certificate’s validity only periodically; a client will not check a certificate’s
validity each time the certificate is used. This period is based on the CRL publication
interval.
Exam Ref 70-412: Configuring Advanced Windows Server 2012 R2 Services (J.C. Mackin, Orin Thomas), Chapter 6, Configure access and information protection solutions, page 323

Enrolling for a smart card certificate:
The recommended method for enrolling users for smart card-based certificates and keys is through the smart card enrollment station that is integrated with Certificate Services in Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition.
When an enterprise certification authority (CA) is installed, the installation includes the Smart Card Enrollment station. This allows an administrator to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user’s smart card. Prior to using the Smart Card Enrollment station, the smart card issuer must have obtained a signing certificate based on the Enrollment Agent certificate template. The signing certificate signs the certificate request that is generated on behalf of the smart card recipient.
By default, only domain administrators are granted permission to request a certificate based on the Enrollment Agent template. A user other than a domain administrator can be granted permission to enroll for an Enrollment Agent certificate by means of Active Directory Sites and Services.
http://msdn.microsoft.com/en-us/library/cc775505(v=ws.10).aspx
Checklist: Deploying smart cards for logging on to Windows
http://msdn.microsoft.com/en-us/library/cc739063(v=ws.10).aspx

Smart Cards – Creating a Windows 2008 Certificate Authority & Enrolling Smart Card Users with a 2K8 CA
http://blogs.citrix.com/2011/07/15/smart-cards-creating-a-windows-2008-certificate-authority-enrolling-smart-card-users-with-a-2k8-ca

Events That Trigger Urgent Replication:
Urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site. When you have enabled change notification between sites, these triggering events also replicate immediately between sites.
Immediate replication between Windows 2000–based domain controllers in the same site is prompted by the following:
• Assigning an account lockout, which prohibits a user from logging on after a certain number of failed attempts.
• Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA.
• Change in the relative identifier (known as a “RID”) master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.
http://technet.microsoft.com/en-us/library/cc961787.aspx

According to the above information the correct answer is either Active Directory Users and Computers, or Active Directory Administrative Center.

So it is A. Active Directory Users and Computers

Nuvin

The answer must either be Active Directory Users and Computer or Active Directory Administrative Center. Certification Authority would take even longer to replicate in my opinion.

Suzie

I would have to agree with AD Users and Computers or AD Administrative Center. You would think that the purpose of the delta CRL would be to lock out accounts immediately; however, if computers are not set to look at the CRL at specific times, then even if you did a delta CRL, it would not prevent a lockout. The only way therefore, that I see, is to disable in AD, then do a forced replication by the options in Sites and Services. But really, I would think that it would defeat the purpose of smart cards if the delta CRL is only looked at during set times on the local machine.

JD

The question in the premium file has the correct answer as D, Active Directory Administrative Centre, but answer A is Active Directory Users and Computers, so surely both are correct answers?

I’m guessing it’d be one or the other in the exam.

Steven

JD, I have my exam this Wednesday at 1:30 instead of taking my final from class. This was just presented to us this past week due to our final being next Friday. I keep seeing/reading “premium file” being tossed around. I gather it’s a better test bank or study guide than here? I’m getting confused on some of these answers because some say correct and others say not correct.

Where do I find this “premium file” or may I respectfully get it from you? If I need to provide any funds in return please let me know.

Pro

Don't think about it too much. It is the right answer. The way to prevent User1 from logging in again is to disable the account or revoke the certificate. None of the above answers allows you to revoke a certificate, so the only choice is to disable the account. How do you disable the account? The answer allows you to.

Mike

I think the answer will always be the Active Directory Administrative Center for this question group. It is the new tool that incorporates the function of AD U&C, introduced in 2008, and MS likes to make sure you know to use the updated tools. CA just takes too long to replicate unless you go out of your way to force it.

If you really want a guy to absolutely not log in, have Joe the security guy manhandle him into an exit interview room for the 15 mins it takes ADAC changes to replicate.

Joe

Although ADUC would not necessarily IMMEDIATELY

Joe

The only 2 possibilities are A and D…
A: Although ADUC would not necessarily IMMEDIATELY stop the user from logging on, it is the quickest way. It can take the time it takes to replicate between DCs, or can prevent them logging in straight away if they happen to be authenticated by the DC that this change was done on. Either way it is the quickest way to stop them from logging on.
D: you can revoke the certificate but the user can still log on until the CRL they have cached expires so it could be up to a week, slower than through ADUC.

Note that if ADAC and ADUC are both possible answers you will more than likely need to select ADAC as this is newer than ADUC.

Answer is A though in my opinion.

Joe

Looking at it again it can’t be D as this just shows the certificates on the local computer.

Sami

The key word in the question is "immediately", and assuming that there is more than one domain controller, the only way to do that is to trigger an urgent/immediate replication between domain controllers. This can be done either in ADUC or ADAC by changing the password and disabling the account.

So the correct answer is A.

https://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx#w2k3tr_repup_how_huzs

Password changes are replicated differently than both normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user’s password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the domain, the PDC emulator.

In Active Directory, when a user password is changed at a domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules on site links. The updated password is propagated to other domain controllers by normal replication within a site.
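As an added example (not code from this thread or from Microsoft), here is a PowerShell offboarding script that combines what ebrahimkali's and Sami's posts describe: it disables the account and resets its password so the change reaches the PDC emulator at once, pushes replication with repadmin, then revokes the issued smart card certificates and publishes a fresh CRL as defence in depth. It assumes it runs as an enterprise administrator on DC1 (the DC that also hosts the CA), that the RSAT ActiveDirectory module is installed, and that the CA database records the certificate under the requester name CONTOSO\User1; the CA column name and the csv layout of certutil -view are assumptions as well.

```powershell
# Added example, not from the thread. Assumes: run as enterprise admin on DC1 (DC + CA),
# RSAT ActiveDirectory module present, CA database requester name CONTOSO\User1 (assumed).
param(
    [string]$SamAccountName = 'User1',
    [string]$RequesterName  = 'CONTOSO\User1'   # assumed CA database requester name
)
Import-Module ActiveDirectory

# 1. Disable the account. The KDC on this DC refuses the logon from now on, whatever the
#    smart card certificate says. With a single DC (as in the question) that covers the domain.
Disable-ADAccount -Identity $SamAccountName

# 2. Reset the password to a random value: password changes are forwarded to the PDC
#    emulator immediately, and repadmin pushes the disabled flag to every DC now instead
#    of waiting for the site link schedule (only matters when there is more than one DC).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
repadmin /syncall /AdeP | Out-Null

# 3. Defence in depth: revoke every issued (Disposition=20) certificate the CA holds for
#    this requester and publish a new CRL. Reason 3 = AffiliationChanged. Clients keep
#    using a cached CRL until it expires, so this step is not what makes the block
#    "immediate"; the disabled account is. The csv output is parsed by dropping the
#    header row and the surrounding quotes (assumed layout of certutil -view csv).
$serials = certutil -view -restrict "RequesterName=$RequesterName,Disposition=20" `
    -out "SerialNumber" csv |
    Select-Object -Skip 1 |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ }
foreach ($serial in $serials) {
    certutil -revoke $serial 3 | Out-Null
}
if ($serials) { certutil -CRL | Out-Null }

# 4. Verify on this DC before the script exits.
$user = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($user.Enabled) { throw "$SamAccountName is still enabled on $env:COMPUTERNAME" }
Write-Output "$SamAccountName disabled; $(@($serials).Count) certificate(s) revoked"
```

Afterwards, the revoked serials show under Revoked Certificates in the Certification Authority console, and the account shows as disabled in ADUC or ADAC on every DC once replication completes.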


Digixorcist

Who says anything about replicating? The question states that the domain has a domain controller (DC1) that also runs the CA. It doesn't mention anywhere that there are more domain controllers installed. Therefore, disabling the account in AD Lusers & Computers pretty much means instant lockout.

Mnoble

Agreed. This has zero to do with the encryption of the connection. If you disable/change his account PW this is pushed immediately.

The secure connection may still be made but the log on attempt will fail.


Chavi065

This question came in the exam today with the following options:

A. Active Directory Sites and Services
B. Active Directory Administrative Centre
C. Server Manager
D. Certificate Templates

Since "Active Directory Users and Computers" wasn't an option, I chose B.

Joebotics

The key here is "The domain contains ** a ** domain controller": just one domain controller, so disabling the account either via ADUC or Administrative Center should do the trick.

It has been mentioned that "changing the password" also does the trick, but specifically in a domain with multiple servers in multiple sites that is not the case. Let's say the password was changed on some remote domain controller: the new password gets immediately replicated to the PDC. Now, the "urgent replication" of passwords only occurs when this account tries to log in: the domain controller sees a wrong password and talks to the PDC, and since the PDC has the new password it "urgently replicates" the password to the requesting DC. But now let's say you changed the password on a remote DC to try to prevent the account from logging in, and the employee tries to log in to a DC that has the old password: the logon will succeed.
