Manage Users, Computers and Groups
These questions are based on 70-290 – Managing and Maintaining a Microsoft Windows Server 2003 Environment
Self Test Software Practice Test
Objective: Manage users, computers and groups.
Sub-objective: Create and manage user accounts.
Single answer, multiple-choice
You are a network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. As a security measure, you want your assistant, John, to periodically review security logs on all servers on the network. You must assign John the minimum level of authority that is necessary to enable him to view security logs in Event Viewer on all servers in the domain. What should you do?
A. Assign the Allow – Full Control permission for the security log file on each server to John.
B. Assign the Manage auditing and security logs user right on all servers to John.
C. Add John’s domain user account to the Power Users group on each server.
D. Add John’s domain user account to the Server Operators group on each server.
Answer: B. Assign the Manage auditing and security logs user right on all servers to John.
To be able to view the security log on a Windows Server 2003 computer, John must be assigned the Manage auditing and security logs user right on that computer. By default, only the local Administrators group has this right. With this right, John can view the security log regardless of his NTFS permissions for the security log files. You can assign this right to John in a domain-level Group Policy object (GPO), so that John can view the security log on any computer in the domain. If you want to restrict John to being able to view the security log only on servers, you can place all client computers into an organizational unit (OU) and block policy inheritance on that OU. If there are only a few servers on the network, then you can assign the Manage auditing and security logs right to John’s domain user account in the local security policy on each server.
If you assigned John the Allow – Full Control permission for the security log files, he would be able to open them by using Notepad or another similar program. However, event log files are not text-based; to be presented in a readable form, they should be viewed by using Event Viewer.
Power Users is a local group that exists only on member servers. Server Operators is a built-in domain local group: It exists only on domain controllers. Membership in either of these groups is not sufficient to enable John to view security logs.
Reference: Windows Server 2003 Online Help, Contents, “Security,” “Security Configuration Manager,” “Concepts,” “Using Security Configuration Manager,” “Security Setting Descriptions,” “Local Policies,” “User Rights Assignment,” “Manage auditing and security log.”
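To confirm that the user right from the explanation landed where intended, and only there, you can export each server's user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check who is listed for `SeSecurityPrivilege`, the privilege constant behind "Manage auditing and security log". The script below is an added example, not part of the practice test. The sample export, the SID used for John's account and the function names are constructed for illustration.

```python
ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed SID standing in for John's domain user account (assumption).
JOHN_SID = "*S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed sample of a secedit export. Real exports are UTF-16 files,
# so read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-547
[Version]
signature="$CHICAGO$"
Revision=1
"""

def privilege_holders(inf_text, privilege="SeSecurityPrivilege"):
    """Return the SIDs/accounts listed for one privilege in [Privilege Rights]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            return [h.strip() for h in value.split(",") if h.strip()]
    return []  # privilege not defined in this export

def audit_security_log_right(inf_text, reviewer):
    """Check that the reviewer holds the right and nobody unexpected does."""
    holders = privilege_holders(inf_text)
    expected = {ADMINISTRATORS.lower(), reviewer.lower()}
    return {
        "reviewer_has_right": reviewer.lower() in (h.lower() for h in holders),
        "unexpected_holders": [h for h in holders if h.lower() not in expected],
    }

if __name__ == "__main__":
    # In the constructed sample, Power Users (*S-1-5-32-547) is the extra holder.
    print(audit_security_log_right(SAMPLE_INF, JOHN_SID))
```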