Which tool should you use?

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012.
The domain contains a domain controller named DC1 that is configured as an Enterprise Root Certification
Authority (CA).
All users in the domain are issued a smart card and are required to log on to their domain-joined client
computer by using their smart card.
A user named User1 resigned and started to work for a competing company.
You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not
prevent other users from logging on to the domain.
Which tool should you use?

A. Active Directory Sites and Services
B. Active Directory Administrative Center
C. Server Manager
D. Certificate Templates


ebrahimkali

Certificate Revocation:

Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.
http://technet.microsoft.com/en-us/library/cc778151(v=ws.10).aspx

By default, CAs publish CRLs weekly. You can change this setting through the Revoked Certificates Properties dialog box.
http://msdn.microsoft.com/en-us/library/bb727098.aspx#EDAA

Each CA is configured with a CRL publication setting. This setting defines when a CA will automatically publish an updated CRL known as the CRL publish period. When a CA is first installed, the publish period is set to one week, but can be manually configured.
A CRL is valid for a period that differs from this publish period. The validity period is the period of time that a CRL is considered authoritative for verifying an issued certificate. The validity period is extended to a length of time greater than the publication period to allow for Active Directory replication. By default, the validity period is defined to be 10% greater than the publication period, up to a maximum of 12 hours difference. For example, if your CRL publish period is set to 10 days, and then the validity period is set to 11 days. In addition, the validity period must be at least 1.5 times the skew value. Therefore, if the skew value is defined to be 10 minutes, then the validity period must be a minimum of at least 15 minutes.
You can alter the default settings by modifying the CRLOverlapPeriod and CRLOverlapUnits values located in the registry in the HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ hive. For example, to define the validity period to be extended by two days, you would set CRLOverlapPeriod to a value of "days" and CRLOverlapUnits to a value of "2".
Note: It is recommended to modify these registry values using certutil -setreg, rather than directly modifying the registry. The following commands are provided as examples:
certutil -setreg ca\CRLOverlapPeriod days
certutil -setreg ca\CRLOverlapUnits 2
Finally, there is a clock skew of an additional 10 minutes added to the validity period on either side of the publish period, so a CRL will be valid 10 minutes before the beginning of its publish period to account for variances in computer clock settings. You can modify this setting by changing the value of ClockSkewMinutes in the same registry location.
http://technet.microsoft.com/en-us/library/cc700843.aspx#XSLTsection126121120120

You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.
It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.
http://technet.microsoft.com/en-us/library/cc782162(v=ws.10).aspx

CryptoAPI uses the following two caches for CRLs and OCSP responses:
• A disk cache, which maintains copies of all CRLs and OCSP responses retrieved during the revocation checking process on the local file system. All items in the disk cache are maintained until their validity period expires.
• A memory cache, which contains revocation information used by a specific process. The memory cache is maintained within the memory used by the calling process. When the process terminates, the memory is released and the memory cache is flushed. If an object exists in the disk cache, the object is read into the memory cache for the calling process.
For Windows XP or Windows Server 2003, it is now supported to delete items from the disk cache. There are different commands available for flushing the cache:
• To delete all cache entries:
certutil -urlcache * delete
For Windows Vista and Windows 2008, it is preferable to invalidate the memory cache instead of deleting the disk cache. You can do so by invalidating the cached CRLs and OCSP responses before the time specified in the object.
To invalidate the cache, you must run the following commands from an Administrative command prompt:
• To immediately invalidate all items from the cache:
certutil -setreg chain\ChainCacheResyncFiletime @now
http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx

EXAM TIP
If you don’t want to wait for a CRL or delta CRL to be published according to the default
schedule, you can trigger CRL publication. It is important to note that in most cases a
client will check a certificate’s validity only periodically; a client will not check a certificate’s
validity each time the certificate is used. This period is based on the CRL publication
interval.
Exam Ref 70-412: Configuring Advanced Windows Server 2012 R2 Services (J.C. Mackin, Orin Thomas), Chapter 6: Configure access and information protection solutions, page 323

Enrolling for a smart card certificate:
The recommended method for enrolling users for smart card-based certificates and keys is through the smart card enrollment station that is integrated with Certificate Services in Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition.
When an enterprise certification authority (CA) is installed, the installation includes the Smart Card Enrollment station. This allows an administrator to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user’s smart card. Prior to using the Smart Card Enrollment station, the smart card issuer must have obtained a signing certificate based on the Enrollment Agent certificate template. The signing certificate signs the certificate request that is generated on behalf of the smart card recipient.
By default, only domain administrators are granted permission to request a certificate based on the Enrollment Agent template. A user other than a domain administrator can be granted permission to enroll for an Enrollment Agent certificate by means of Active Directory Sites and Services.
http://msdn.microsoft.com/en-us/library/cc775505(v=ws.10).aspx
Checklist: Deploying smart cards for logging on to Windows
http://msdn.microsoft.com/en-us/library/cc739063(v=ws.10).aspx

Smart Cards – Creating a Windows 2008 Certificate Authority & Enrolling Smart Card Users with a 2K8 CA
http://blogs.citrix.com/2011/07/15/smart-cards-creating-a-windows-2008-certificate-authority-enrolling-smart-card-users-with-a-2k8-ca

Events That Trigger Urgent Replication:
Urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site. When you have enabled change notification between sites, these triggering events also replicate immediately between sites.
Immediate replication between Windows 2000–based domain controllers in the same site is prompted by the following:
• Assigning an account lockout, which prohibits a user from logging on after a certain number of failed attempts.
• Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA.
• Change in the relative identifier (known as a “RID”) master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.
http://technet.microsoft.com/en-us/library/cc961787.aspx

According to the above information the correct answer is either Active Directory Users and Computers, or Active Directory Administrative Center.

So it is B. Active Directory Administrative Center.
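The procedure the comment above arrives at, written out in PowerShell as an added example (not from this thread or from Microsoft's documentation): the account disable is the immediate control, replicated to every DC at once, while revoking the smart-card certificate and publishing a CRL is only defence in depth because clients keep a cached CRL until it expires. It assumes the RSAT ActiveDirectory module; the CA configuration string and the certificate serial numbers are placeholders you supply.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# RSAT module; DC1 and User1 come from the question, the CA config string is a
# placeholder.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SourceDC = 'DC1.contoso.com'
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $SourceDC

    # 1. Disable the account on DC1. This is what actually stops the logon:
    #    the KDC will not issue a TGT for a disabled account, no matter how
    #    long the smart-card certificate remains valid.
    Disable-ADAccount -Identity $user -Server $SourceDC

    # 2. Disabling an account is not an urgent-replication trigger, so push
    #    the change to every other DC instead of waiting for the schedule.
    Get-ADDomainController -Filter * |
        Where-Object { $_.HostName -ne $SourceDC } |
        ForEach-Object {
            Sync-ADObject -Object $user.DistinguishedName `
                          -Source $SourceDC -Destination $_.HostName
        }
}

function Revoke-LeaverSmartCardCert {
    param(
        # Serial numbers of User1's issued certificates, taken from the CA
        # console or 'certutil -view'.
        [Parameter(Mandatory)] [string[]] $SerialNumber,
        # Placeholder: "<CAHost>\<CAName>" for the enterprise root CA on DC1.
        [string] $CAConfig = 'DC1.contoso.com\PLACEHOLDER-CA-NAME'
    )
    foreach ($sn in $SerialNumber) {
        # Reason code 5 = CessationOfOperation (the user has left).
        certutil -config $CAConfig -revoke $sn 5
    }
    # Publish a new base CRL now rather than waiting for the weekly schedule.
    # Clients holding a still-valid cached CRL will not see it until that
    # CRL's validity period ends, which is why this step alone is not enough.
    certutil -config $CAConfig -CRL
}

Disable-LeaverAccount -SamAccountName 'User1'
```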


PeterN

Answer is B, all the stuff in the question about certificates is just a red herring. All we want to do is stop the user logging on, so the easiest and quickest way is just to disable the user account in AD Administrative Centre.