(Sample) MCSE 2003 Security Template Exam Questions and Answers
70-291 level questions
Q:
Which setting can you manage by using a GPO but not by using the Local Security
Policy?
A:
You can control the membership of the Power Users group in a GPO but not in
the Local Security Policy. You manage the membership of the Power Users group
by using the Restricted Groups policy. You can configure this policy by using
the Security Settings extension in a GPO. You should add user accounts to the
Power Users group for employees who need to manage shared resources and local
user and group accounts, but who should not have full administrative privileges
for a computer. The Power Users group is a local group that is created by default
on computers that are running Windows 2000 Server or Windows Server 2003 that
are not configured as domain controllers. The Power Users group is also created
by default on computers running Windows XP Professional and Windows 2000 Professional.
You can configure the minimum length of a password in the Account Policies node
in either the Local Security Policy or in a GPO. However, Account Policies are
enforced only at the domain level for user accounts defined in Active Directory.
If you define Account Policies in the Local Security Policy, these policies
govern user accounts defined in the Security Accounts Manager (SAM) database
of the computer. If you define Account Policies in a GPO linked to an organizational
unit (OU), these policies govern user accounts defined in the SAM database of
any computer that is a member of the OU. When you are working in an Active Directory
domain, the recommended procedure is to define all user accounts in Active Directory
rather than in the SAM database, but there may be situations that require the
use of SAM accounts.
You can configure the right to log on locally in the Local Policies node in
either the Local Security Policy or in a GPO. The right to log on locally is
also referred to as the interactive logon right.
You can configure the default behavior for unsigned driver installation in the
Local Policies node in either the Local Security Policy or in a GPO.