Backup Operators

Members of this group can back up and restore all files on domain controllers in the domain, regardless
of their own individual permissions on those files. Backup Operators can also log on to domain
controllers and shut them down. This group has no default members. Because this group has significant
power on domain controllers, add users with caution.

Account Operators

Members of this group can create, modify, and delete accounts for users, groups, and computers
located in the Users or Computers containers and organizational units in the domain, except the Domain
Controllers organizational unit. Members of this group do not have permission to modify the
Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for
members of those groups. Members of this group can log on locally to domain controllers in the domain
and shut them down. Because this group has significant power in the domain, add users with caution.

Print Operators

Members of this group can manage, create, share, and delete printers connected to domain controllers
in the domain. They can also manage Active Directory printer objects in the domain. Members of this
group can log on locally to domain controllers in the domain and shut them down. This group has no
default members. Because members of this group can load and unload device drivers on all domain
controllers in the domain, add users with caution.

Remote Desktop Users

Members of this group can remotely log on to domain controllers in the domain. This group has
no default members.

Server Operators

On domain controllers, members of this group can log on interactively, create and delete shared
resources, start and stop some services, back up and restore files, format the hard disk, and shut
down the computer. This group has no default members. Because this group has significant
power on domain controllers, add users with caution.

Users

Members of this group can perform most common tasks, such as running applications, using
local and network printers, and locking the server. By default, the Domain Users group,
Authenticated Users, and Interactive are members of this group. Therefore, any user account
created in the domain becomes a member of this group.

Replicator

This group supports directory replication functions and is used by the File Replication service on
domain controllers in the domain. This group has no default members. Do not add users to this
group.

Remote Desktop Users

Members of this group can remotely log on to domain controllers in the domain. This group has
no default members.

Group User/ Session Description Account Operators   A built-in group that exists only on domain controllers. By
default, the group has no members. By default, Account Operators have permission to create, modify, and delete
accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory
except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify
the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of
those groups.   Administrator A user account for the system administrator. This account is the first account created
during operating system installation. The account cannot be deleted or locked out. It is a member of the
Administrators group and cannot be removed from that group. Administrators   A built-in group . After the initial
installation of the operating system, the only member of the group is the Administrator account. When a computer
joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain
controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has
built-in capabilities that give its members full control over the system. The group is the default owner of any object
that is created by a member of the group.   Anonymous A user who has logged on anonymously. Authenticated
Users   A group that includes all users whose identities were authenticated when they logged on. Membership is
controlled by the operating system. Backup Operators   A built-in group. By default, the group has no members.
Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those
files. Backup Operators also can log on to the computer and shut it down. Batch   A group that implicitly includes
all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled
by the operating system. Cert Publishers   A global group that includes all computers that are running an enterprise
certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. Cert
Server Admins   Certificate Authority Administrators - authorized to administer certificates for User objects in
Active Directory. (Domain Local) Cert Requesters   Members can request certificates (Domain Local) Creator
Group   A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID
for the primary group of the object's current owner. The primary group is used only by the POSIX subsystem.  
Creator Owner A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system
replaces this SID with the SID for the object's current owner. Dialup   A group that implicitly includes all users who
are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
Domain Admins   A global group whose members are authorized to administer the domain. By default, the Domain
Admins group is a member of the Administrators group on all computers that have joined a domain, including the
domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active
Directory by any member of the group. If members of the group create other objects, such as files, the default owner
is the Administrators group. Domain Computers   A global group that includes all computers that have joined the
domain, excluding domain controllers. Domain Controllers   A global group that includes all domain controllers in
the domain. New domain controllers are added to this group automatically. Domain Guests   A global group that, by
default, has only one member, the domain's built-in Guest account. Domain Users   A global group that, by default,
includes all user accounts in a domain. When you create a user account in a domain, it is added to this group
automatically. Enterprise Admins   A group that exists only in the root domain of an Active Directory forest of
domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The
group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the
only member of the group is the Administrator account for the forest root domain. Enterprise Controllers   A group
that includes all domain controllers an Active Directory directory service forest of domains. Membership is
controlled by the operating system. Everyone   A group that includes all users, even anonymous users and guests.
Membership is controlled by the operating system. Group Policy Creators Owners   A global group that is
authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is
Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a
member of Administrators or Domain Admins, all objects that are created by the user are owned by the group.
Owners have full control of the objects they own.   Guest A user account for people who do not have individual
accounts. This user account does not require a password. By default, the Guest account is disabled. Guests   A built-
in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users
to log on with limited privileges to a computer's built-in Guest account. HelpServicesGroup   XP - Group for the
Help and Support Center Interactive   A group that includes all users who have logged on interactively. Membership
is controlled by the operating system.   KRBTGT A service account that is used by the Key Distribution Center
(KDC) service.   Local System A service account that is used by the operating system. Network   A group that
implicitly includes all users who are logged on through a network connection. Membership is controlled by the
operating system. Network Configuration Operators   XP - Some admin privileges to manage configuration of
networking features   Nobody No security principal. Power Users   A built-in group. By default, the group has no
members. This group does not exist on domain controllers. Power Users can create local users and groups; modify
and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups.
Power Users also can install most applications; create, manage, and delete local printers; and create and delete file
shares. Pre-Windows 2000 Compatible Access   A backward compatibility group which allows read access on all
users and groups in the domain Principal Self
or
Self Principal Self
or
Self A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions
to Principal Self, you grant them to the security principal represented by the object. During an access check, the
operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.
Print Operators   A built-in group that exists only on domain controllers. By default, the only member is the Domain
Users group. Print Operators can manage printers and document queues. RAS and IAS Servers   A domain local
group . By default, this group has no members. Computers that are running the Routing and Remote Access service
are added to the group automatically. Members of this group have access to certain properties of User objects, such
as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. Remote Desktop
Users   XP - Members in this group are granted the right to logon remotely Replicator   Windows NT domains, this
group is called Replicators and is used by the directory replication service. In 2K/XP the group is present but is not
used. Schema Admins   A group that exists only in the root domain of an Active Directory forest of domains. It is a
universal group if the domain is in native mode , a global group if the domain is in mixed mode . The group is
authorized to make schema  changes in Active Directory. By default, the only member of the group is the
Administrator account for the forest root domain. Server Operators   A built-in group that exists only on domain
controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and
delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and
shut down the computer. Service   A group that includes all security principals that have logged on as a service.
Membership is controlled by the operating system. Terminal Server Users   A group that includes all users who
have logged on to a Terminal Services server. Membership is controlled by the operating system. Users   A built-in
group. After the initial installation of the operating system, the only member is the Authenticated Users group.
When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can
perform tasks such as running applications, using local and network printers, shutting down the computer, and
locking the computer. Users can install applications that only they are allowed to use if the installation program of
the application supports per-user installation.

Group Types
You can create two types of groups in Active Directory. Each group type is used for a different
purpose. Security groups are the group type which is created for security purposes, while
distribution groups is the group type created for purposes other than security purposes. Security
groups are typically created for assigning permissions, while distribution groups are usually
created for distributing bulk e-mail to users. As you can see, the main difference between the two
groups is the manner in which each group type is used. Active Directory does however allow you
to convert a security group to a distribution group, and to convert a distribution group to a
security group if the domain functional level is raised to Windows 2000 Native or above.

 Security groups: A security group is a collection of users who have the same permissions
to resources, and the same rights to perform certain system tasks. These are the groups to
which you assign permissions so that its members can access resources. Security groups
therefore remove the need for an Administrator to individually assign permissions to
users. Users that need to perform certain tasks can be grouped in a security group, and
then assigned the necessary permissions to perform these tasks. Each user that is a
member of the group would have the same permissions. In addition to this, any e-mail
sent to a security group is received by each member of that particular group. When a
security group is first created, it receives a SID. It is this SID that enables permissions to
be assigned to security groups - the SID can be included in the DACL of a resource. An
access token is created when a user logs on to the system. The access token contains the
SID of the user, and the SID of those groups to which the user is a member of. This
access token is referenced when the user attempts to access a resource - the access token
is compared with the DACL of the resource to determine which permissions the user
should receive for the resource.
 Distribution groups: Distribution groups are created to share information with a group of
users through e-mail messages. Thus, a distribution group is not created for security
purposes. A distribution does not obtain a SID when it is created. Distribution groups
enable the same messag to be simultaneously sent to its group members - messages do
not need to be individually sent to each user. Applications such as Microsoft Exchange
 that work with Active Directory can use distribution groups to send bulk e-mail to groups
of users.

Group Scopes
The different group scopes make it possible for groups to be used differently to assign
permissions for accessing resources. The scope of a group defines the place in the network where
the group will be used or is valid. This is the degree to which the group will be able to reach
across a domain, domain tree, or forest. The group scope also determines what users can be
included as group members.

In Active Directory, there are three different group scopes.

 Global groups: Global groups are containers for user accounts and computers accounts in
the domain, and are used to assign permissions to objects that reside in any domain in a
tree or forest. You can include a global group in the access control list (ACL) of objects
in any domain in the tree/forest. A global group can however only have members from
the domain in which it is created. What this means is that a global group cannot include
user accounts, computer accounts, and global groups from other domains.

The domain functional level set for the domain determines which members can be
included in the global group.

o Windows 2000 Mixed: Only user accounts and computer accounts from the
domain in which the group was created, can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, and other global groups from the domain in which the group was
created, can be added as group members
 Domain Local groups: Domain local groups can have user accounts, computer accounts,
global groups, and universal groups from any domain as group members. However, you
can only use domain local groups for assigning permissions to local resources, or to
resources that reside in the domain in which the domain local group was created. This
means that you can only include domain local groups in the ACL of objects that are
located in the local domain.

The domain functional level set for the domain determines which members can be
included in the domain local group.

o Windows 2000 Mixed: User accounts, computer accounts, and global groups from
any domain can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, global groups, and universal groups from any domain can be added as
group members. You can also add other domain local groups from the same
domain as group members.
  Universal groups: Universal groups can have user accounts, computer accounts, global
groups, and other universal groups, from any domain in the tree or forest as members.
This basically means that you can add members from any domain in the forest to a
universal group. You can use universal groups to assign permissions to access resources
that are located in any domain in the forest. Universal groups are only available when the
domain functional level for the domain is Windows 2000 Native or Windows Server
2003. Universal groups are not available when domains are functioning in the Windows
2000 Mixed domain functional level. You can convert a universal group to a global group
or to a domain local group if the particular universal group has no other universal group
as a group member. When adding members to universal groups, it is recommended to add
global groups as members and not individual users.

When groups contain other groups as members, group nesting occurs. Group nesting occurs
when you add groups to other groups. Group nesting assists in reducing the number of instances
that you need to assign permissions, and in reducing replication traffic. As mentioned previously,
the domain functional level set for the domain determines what group nesting can be
implemented, as summarized below:

 Windows 2000 Mixe:

o Global groups: User accounts and computers accounts in the same domain.
o Domain local groups: User accounts, computers accounts, and global groups from
any domain.
 Windows 2000 native or Windows Server 2003:
o Global groups: User accounts, computer accounts, and other global groups in the
same domain.
o Domain local groups: User accounts, computers accounts, global groups and
universal groups from any domain; and other domain local groups in the same
domain.
o Universal groups: User accounts, computers accounts, global groups, and
universal groups from any domain.

The scope of a group can be changed as well. You can use the Active Directory Users And
Computers (ADUC) console to view and modify the scope of an existing group. The command-
line can also be used - dsget and dsmod. The rules that govern this capability are summarized
below:

 You can convert domain local groups and global groups to universal groups
 You can convert universal groups to domain local groups or to global groups.
 You cannot convert domain local groups to global groups.
 You cannot convert global groups to domain local groups.

If you are using Windows Server 2003 Active Directory, Windows Server 2003 creates a few
default security groups that are used to assign administrative permissions to users. The default
security groups are created in the Users folder in Active Directory Users And Computers
(ADUC).
  The default domain local groups that are created are listed below:
o Cert Publishers: Members of this group are able to publish certificates to Active
Directory
o DnsAdmins: Group members have administrative access to the DNS server
service.
o HelpServicesGroup: Group members are able to assign rights to support
applications.
o RAS and IAS Servers: Servers assigned to this default group can access a user's
remote access properties.
o TelnetClients: Group members have administrative access to Telnet Server.
 The default global groups that are created are listed below:
o Domain Admins: Members of the Domain Admins group have permissions to
perform administrative functions on computers in the domain.
o Domain Users: Group members are user accounts that are created in the domain.
o Domain Computers: Group members are computer accounts that are created in the
domain. This includes all workstations and servers that are part of the domain.
o Domain Controllers: Group members are domain controllers of the domain.
o Domain Guests: Group members are guest accounts in the domain.
o Group Policy Creator: Group members are able to change the domain's group
policy.
o DnsUpdateProxy: Group members are DNS clients. Members are able to perform
dynamic updates for clients such as DHCP servers.
 The default universal groups that are created are listed below:
o Enterprise Admins: Members of this group are able to perform administrative
functions for the whole network.
o Schema Admins: Members of this group can perform administrative tasks on the
schema.

When formulating a strategy for setting up domain local groups and global groups, follow the
guidelines listed below:

 You should add users that perform the same function in the organization to a global
group.
 Domain local groups should be created for a resource(s) that needs to be shared by
multiple users.
 You should then add any global groups that have to access a resource(s) to the
appropriate domain local group.
 The domain local group should be assigned with the proper permissions to the resource.

In addition to the above mentioned group scopes, another group called a local group, can be
created. A local group is basically used on the local computer to assign permissions to resources
that are located on the computer on which the particular local group is created. Local groups are
created in the local security database and are not present in Active Directory. This means that
you cannot create local groups on domain controllers.
How to create a group
You can use the Active Directory Users And Computers console to create a new group. After the
group is created, you can set additional properties for the group, and add members to the group.

To create a new group,

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Right-click the particular domain, organizational unit, or container in which you want to
place the new group, and select New, and then Group from the shortcut menu.
3. The New Object-Group dialog box opens next.
4. In the Group Name box, enter a name for the new group. You can specify a name as long
as 64 characters.
5. The Group Name (Pre-Windows 2000) box is automatically populated with the first 20
characters of the group name that you specified.
6. In the Group Scope box, select one of the following options as the group scope: Domain
Local, Global, or Universal.
7. In the Group Type box, select one of the following options as the group type: Security or
Distribution.
8. Click OK.

How to add multiple members to a group

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Expand the particular domain, organizational unit, or container that contains the group
that you want to add members to.
3. Locate and right-click the group, and then select Properties from the shortcut menu.
4. When the Properties dialog box opens, click on the Members tab.
5. Click Add.
6. When the Select Users, Contacts, Computers, Or Groups dialog box opens, click the
Advanced button.
7. Click the Find Now button and select the user accounts, group accounts, or computer
accounts that should be added to the particular group. If you want to select multiple users,
groups, or computers, simply hold down the Shift or Ctrl key.
8. Click OK.
9. Each account that you have selected now appears in the Enter The Object Names To
Select box.
10. Click OK to add the members to the group.
11. Click OK in the Properties dialog box for the group.

How to manage group membership individually

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Double-click the user, group, or computer account that you want to work with.
3. When the Properties dialog box opens, click the Members Of tab.
 4. If you want to add this particular account as a member of a group, click Add.
5. When the Select Groups dialog box opens, select the groups that this account should be
member of.
6. If you want to remove the account from a group, simply click Remove
7. Click OK.

How to delete a group

When it comes to deleting a group, you should remember the following points:

 When a security group is created, it receives a unique SID. When you delete a group, the
SID of that particular group is never used again, even if you create a group with the same
name at a later stage.
 When a group is deleted, the following are deleted:
o The actual group being deleted
o All permissions/rights associated with the particular group being deleted
 When a group is deleted, the following are not deleted:
o Any user accounts and computer accounts that are members of the particular
group.

Use the steps listed below to delete a group,

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Expand the particular domain, organizational unit, or container that contains the group
that you want to delete.
3. Locate and right-click the group, and then select Delete from the shortcut menu.
4. Click Ys to verify that you want to delete the particular group.

How to change the group scope of an existing group

You can change the group scope of existing groups when the domain functional level is set to
Windows 2000 native or Windows Server 2003.

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Expand the particular domain, organizational unit, or container that contains the group
that you want to change the group scope for.
3. Locate and right-click the group, and then select Properties from the shortcut menu.
4. When the Properties dialog box opens, on the General tab, change the group scope in the
Group Scope box to either Domain Local, Global, or Universal.
5. Click OK.

How to change the group type of an existing group

You can convert a group's type from being a security group to a distribution group, or from being
a distribution group to a security group

1. Click Start, Administrative Tools, and then Active Directory Users And Computers.
2. Expand the particular domain, organizational unit, or container that contains the group
that you want to change the group type for.
3. Locate and right-click the group, and then select Properties from the shortcut menu.
4. When the Properties dialog box opens, on the General tab, change the group type in
Group Type box to either Security or Distribution.
5. Click OK

How to manage group scope, group type, and group

membership using the command-line
You can use dsget group to determine and view the properties of groups in Active Directory.

 To determine the scope of a group, use the syntax listed below:

o dsget group -scope
 To determine the group type of a group, use the syntax listed below:
o dsget group -secgrp
 To determine the members of a particular group, use the syntax listed below:
o dsget group -members
 To determine a group's membership, use the syntax listed below:
o dsget group -memberof

You can use dsmod group to change the properties of groups in Active Directory.

 To change a group's type, use the syntax listed below:

o dsmod group GroupDN [-secgrp {yes | no}]
 To change a add new members to a group, use the syntax listed below:
o dsmod group GroupDN -addmbr UserDN
 To remove existing members from a group, use the syntax listed below:
o dsmod group GroupDN -rmmbr UserDN

MS Active Directory (AD) Interview Questions and Answers

What�s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups
grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can�t I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native
mode requires that all domain controllers be promoted to Windows Server 2003 Active
Directory.

What is LSDOU?
It�s group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.

Why doesn�t LSDOU work under Windows NT?

If the NTConfig.pol file exist, it has the highest priority among the numerous policies.

Where are group policies stored?

%SystemRoot%System32\GroupPolicy

What is GPT and GPC?

Group policy template and group policy container.

Where is GPT stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict.
Which one has the highest priority?
The computer settings take priority.

You want to set up remote installation procedure, but do not want the user to gain access
over it. What do you do?
gponame-> User Configuration-> Windows Settings-> Remote Installation Services-> Choice
Options is your friend.

What�s contained in administrative template conf.adm?

Microsoft NetMeeting policies

How can you restrict running certain applications on a machine?

Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the
Windows Installer.

What�s the difference between Software Installer and Windows Installer?

The former has fewer privileges and will probably require user intervention. Plus, it uses .zap
files.

What can be restricted on Windows Server 2003 that wasn�t there in previous products?
Group Policy in Windows Server 2003 determines a users right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and other
network configuration parameters.

How frequently is the client policy refreshed?

90 minutes give or take.

Where is secedit?
It�s now gpupdate.

You want to create a new group policy but do not wish to inherit How Do I?.
Make sure you check Block inheritance among the options when creating the policy.

What is "tattooing" the Registry?

The user can view and modify user preferences that are not stored in maintained portions of the
Registry. If the group policy is removed or changed, the user preference will persist in the
Registry.

How do you fight tattooing in NT/2000 installations?

You can't.

How do you fight tattooing in 2003 installations?

User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show
Policies Only.

What does IntelliMirror do?

It helps to reconcile desktop settings, applications, and stored files for users, particularly those
who move between workstations or those who must periodically work offline.

What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares?

They don�t, both have support for sharing.

Explan the List Folder Contents permission on the folder in NTFS.

Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.

I have a file to which the user has access, but he has no folder permission to read it. Can he
access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can�t drill down the
file/folder tree using My Computer, he can still gain access to the file using the Universal
Naming Convention (UNC). The best way to start would be to type the full path of a file into
Run� window.
For a user in several groups, are Allow permissions restrictive or permissive?
Permissive, if at least one group has Allow permission for the file/folder, user will have the same
permission. For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user will be denied
access, regardless of other group permissions.

What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
More about hidden share here

What�s the difference between standalone and fault-tolerant DFS (Distributed File
System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared
folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is
replicated to other domain controllers. Thus, redundant root nodes may include multiple
connections to the same data residing in different shared folders.

We�re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant
shares.

Where exactly do fault-tolerant DFS shares store information in Active Directory?

In Partition Knowledge Table, which is then replicated to other domain controllers.

Can you use Start->Search with DFS shares?

Yes.

What problems can you have with DFS installed?

Two users opening the redundant copies of the file at the same time, with no file-locking
involved in DFS, changing the contents and then saving. Only one file will be propagated
through DFS.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS.

Yeah, you can�t. Install a standalone one.

Is Kerberos encryption symmetric or asymmetric?

Symmetric.

How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.

What hashing algorithms are used in Windows 2003 Server?

RSA Data Security�s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash
Algorithm 1 (SHA-1), produces a 160-bit hash.
What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7
certificate response to exchange CA certificates with third-party certificate authorities.

What�s the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it�s the Administrator account, not any account that�s part
of the Administrators group.

If hashing is one-way function and Windows Server uses hashing for storing passwords,
how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for password
and then compare the hashes.

What�s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check "Enforce Password
History Remembered"?
User�s last 6 passwords.

Read more: http://www.technohub.in/active-directory-interview-questions-and-answers.html#idc-

container#ixzz13TZhCokT
Under Creative Commons License: Attribution Share Alike