70-640 windows server 2008 active directory configuration pdf [Apr 2016]

Exam Code: 70-640 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: TS: Windows Server 2008 Active Directory. Configuring
Certification Provider: Microsoft

2016 Apr 70-640 Study Guide Questions:

Q121. Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. 

You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1. 

What should you do? 

A. Remove the Request Certificates permission from the Domain Users group. 

B. Remove the Request Certificates permission from the Authenticated Users group. 

C. Assign the Allow - Manage CA permission to only the Security Manager user Account. 

D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc732590.aspx 

Implement Role-Based Administration 

You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. 

You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform. 

The following table describes the roles, users, and groups that can be used to implement role-based administration. 

Roles and groups    | Security permission           | Description 
Certificate manager | Issue and Manage Certificates | Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in. 


Q122. Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table. 


All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. 

You need to minimize the number of client authentication requests sent to DC2. 

What should you do? 

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1. 

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1. 

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1. 

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1. 

Answer: C 

Explanation: 

Creating a new site and assigning it a subnet of 10.1.1.2 with a subnet mask of 255.255.255.255 means that only ONE IP address (the DC2 IP) falls inside the Site1 subnet coverage. Therefore all client requests will be processed by DC1 in the Default-First-Site, and DC2 will authenticate only itself. 


Q123. Your network contains an Active Directory domain named contoso.com. 

You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. 

When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. 

You need to ensure that you can resolve names by using the GlobalNames zone. 

What should you do? 

A. From the command prompt, use the netsh tool. 

B. From the command prompt, use the dnscmd tool. 

C. From DNS Manager, modify the properties of the GlobalNames zone. 

D. From DNS Manager, modify the advanced settings of the DNS server. 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc731744.aspx 

Enable GlobalNames zone support 

The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest: 

dnscmd <ServerName> /config /enableglobalnamessupport 1 


Q124. You want users to log on to Active Directory by using a new user principal name (UPN). 

You need to modify the UPN suffix for all user accounts. 

Which tool should you use? 

A. Dsmod 

B. Netdom 

C. Redirusr 

D. Active Directory Domains and Trusts 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx 

Dsmod user 

dsmod user -upn <UPN> 

Specifies the user principal names (UPNs) of the users that you want to modify, for example, Linda@widgets.contoso.com. 


Q125. Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers. 

You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices. 

At which level should you deactivate UGMC? 

A. Server 

B. Connection object 

C. Domain 

D. Site 

Answer: D 

Explanation: 

http://www.ntweekly.com/?p=788 

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91 

Script to Disable Universal Group Membership Caching in all Sites 

How to Disable Universal Group Membership Caching in all Sites using a Script 

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on the domain controllers authenticating the user. This feature allows a domain controller to have knowledge of the Universal Groups a user is a member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account to the authenticating domain controller at the time the user logs on to the domain. 

UGMC is generally a good idea for multiple-domain forests when: 

1. Universal Group membership does not change frequently. 

2. There is low WAN bandwidth between Domain Controllers in different sites. 

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs. 



Q126. HOTSPOT 

Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table. 


The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest. 

You need to configure DC2 as a global catalog server. 

Which object's properties should you modify? To answer, select the appropriate object in the answer area. 


Answer: 



Q127. Your network contains an Active Directory domain. All domain controllers run Windows Server 2003. 

You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2. 

You need to minimize the amount of SYSVOL replication traffic on the network. 

What should you do? 

A. Raise the functional level of the forest to Windows Server 2008 R2. 

B. Modify the path of the SYSVOL folder on all of the domain controllers. 

C. On a global catalog server, run repadmin.exe and specify the KCC parameter. 

D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe. 

Answer: D 

Explanation: 

Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role. 

Explanation 1: 

http://technet.microsoft.com/en-us/library/cc794837.aspx 

Using DFS Replication for replicating SYSVOL in Windows Server 2008 

DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. 

When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. 

Explanation 2: 

http://technet.microsoft.com/en-us/library/dd639809.aspx 

Migrating to the Prepared State 

The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication). 

This migration phase includes the tasks in the following list. 

Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state. 


Q128. Your network contains an Active Directory forest. The forest contains multiple sites. 

You need to enable universal group membership caching for a site. 

What should you do? 

A. From Active Directory Sites and Services, modify the NTDS Settings. 

B. From Active Directory Sites and Services, modify the NTDS Site Settings. 

C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site. 

D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site. 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx 

Enabling Universal Group Membership Caching in a Site 

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. 

Only global catalog servers store the memberships of all universal groups in the forest. If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can potentially be unable to log on to the domain if a global catalog server is not available. 

You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user's initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server. 

To complete this task, perform the following procedure: 

http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx 

Enable Universal Group Membership Caching in a Site 

1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 

2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching. 

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. 

4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching. 

5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK. 


Q129. Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1. 

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers. 

What should you do? 

A. Run ntdsutil.exe and use the Roles option. 

B. Run dsmgmt.exe and use the Local Roles option. 

C. From Active Directory Sites and Services, modify the NTDS Site Settings. 

D. From Active Directory Users and Computers, add the user to the Server Operators group. 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc732301.aspx 

Administrator Role Separation Configuration 

This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. 

To configure Administrator Role Separation for an RODC 

1. Click Start, click Run, type cmd, and then press ENTER. 

2. At the command prompt, type dsmgmt.exe, and then press ENTER. 

3. At the DSMGMT prompt, type local roles, and then press ENTER. 


Q130. Your network contains an Active Directory forest. The forest contains a single domain. 

You want to access resources in a domain that is located in another forest. 

You need to configure a trust between the domain in your forest and the domain in the other forest. 

What should you create? 

A. an incoming external trust 

B. an incoming realm trust 

C. an outgoing external trust 

D. an outgoing realm trust 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc816877.aspx 

A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest). 



Q131. Your company has a main office and a branch office. 

You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office. 

You need to ensure that IPv6-only computers authenticate to domain controllers in the same site. 

What should you do? 

A. Configure the NTDS Site Settings object. 

B. Create Active Directory subnet objects. 

C. Create Active Directory Domain Services connection objects. 

D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router. 

Answer: B 


Q132. Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. 

You disable an account that has administrative rights. 

You need to immediately replicate the disabled account information to all sites. 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) 

A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. 

B. From the Active Directory Sites and Services console, select the existing connection objects and force replication. 

C. Use Repadmin.exe to force replication between the site connection objects. 

D. Use Dsmod.exe to configure all domain controllers as global catalog servers. 

Answer: B,C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx 

Repadmin /syncall 

Synchronizes a specified domain controller with all of its replication partners. 

http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ 

How to force replication of Domain Controllers 

From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs. 

Repadmin /syncall DC_name /Aped 

By running repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don't even have to specify the server name. 

http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx 

Force replication over a connection 

To force replication over a connection 

1. Open Active Directory Sites and Services. 




Q133. You have a domain controller named Server1 that runs Windows Server 2008 R2. 

You need to determine the size of the Active Directory database on Server1. 

What should you do? 

A. Run the Active Directory Sizer tool. 

B. Run the Active Directory Diagnostics data collector set. 

C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file. 

D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc961761.aspx 

Directory Data Store 

Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller: 

%SystemRoot%\NTDS\Ntds.dit 

This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data). 

%SystemRoot%\System32\Ntds.dit 

This file is the distribution copy of the default directory that is used when you promote a Windows 2000-based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers. 


Q134. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. 

You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. 

What should you do? 

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU. 

B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes. 

C. Enable the Audit account management policy in the Default Domain Controller Policy. 

D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx AD DS Auditing Step-by-Step Guide In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes. 

The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS: 

When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. 

If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged. 

If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain. 

If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged. 

In Windows Server 2008, you implement the new auditing feature by using the following controls: 

Global audit policy 

System access control list (SACL) 

Schema 

Global audit policy 

Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default. You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories. 

Further information: 

http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx 

Auditpol 

Displays information about and performs functions to manipulate audit policies. 

http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/ 

AD Scenario – Auditing Directory Services 

Auditing of Directory Services depends on several controls; these are: 

1. Global Audit Policy (at category level, using the gpmc.msc tool) 

2. Individual Audit Policy (at subcategory level, using the auditpol.exe tool) 

3. System ACLs – to specify which operations are to be audited for a security principal. 

4. Schema (optional) – this is an additional control in the schema that you can use to create exceptions to what is audited. 

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool. 

Command to check which audit policies are active on your machine: 

auditpol /get /category:* 


Command to view the audit policy categories and subcategories: 



How to enable the global audit policy using the Windows interface, i.e. the gpmc tool 

Click Start, point to Administrative Tools, and then click Group Policy Management, or run the gpmc.msc command. 

In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit. 



Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy. 



In the details pane, right-click Audit directory service access, and then click Properties. 

Select the Define these policy settings check box. 

Under Audit these attempts, select the Success check box, and then click OK. 



How to enable the change auditing policy using a command line 

Click Start, right-click Command Prompt, and then click Run as administrator. 

Type the following command, and then press ENTER: 

auditpol /set /subcategory:"Directory Service Changes" /success:enable 

To verify whether auditing is enabled for "Directory Service Changes", you can run the command below: 

auditpol /get /category:"DS Access" 



How to set up auditing in object SACLs 

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties. 

Click the Security tab, click Advanced, and then click the Auditing tab. 



Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK. 



In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties. Click OK. 



Click OK until you exit the property sheet for the OU or other object. 

To test whether auditing is working, try creating or modifying objects in the Finance OU and check the Security event logs. 

I just created a new user account in Finance OU named f4. 



If you check the Security event logs you will find event ID 5137 (Create). 

Note: 

Once auditing is enabled, these event IDs will appear in the Security event logs: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move). 
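As an added example (not part of the exam page or of the TechNet and blog text quoted above), the following PowerShell enables the Directory Service Changes subcategory with the same auditpol call the page uses and then summarises the 5136-5139 events the note above lists, pairing the deleted and added values that a 5136 modify produces. It assumes it runs elevated on a domain controller; the event-data field names (SubjectUserName, ObjectDN, OldObjectDN/NewObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType with %%14674 = value added and %%14675 = value deleted) are taken from the 5136/5137/5138/5139 event schemas, and the watch list of attributes is my own choice.

```powershell
# Added example, not from the page: enable Directory Service Changes auditing on
# this DC and report the resulting object-change events from the Security log.
# Assumes an elevated prompt on a Windows Server 2008 R2 or later domain controller.

# 1. Enable success auditing for the subcategory (same command the page shows).
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Confirm that the setting took effect before relying on the log.
auditpol /get /subcategory:"Directory Service Changes"

# 3. Collect the change events from the last 24 hours.
#    5136 Modify, 5137 Create, 5138 Undelete, 5139 Move (as listed on the page).
$labels = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4. Flatten each event's EventData into a row. Field names are assumed from the
#    event schemas: Create/Modify carry ObjectDN; Move/Undelete carry OldObjectDN
#    and NewObjectDN (the "previous and new location" the page describes).
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $object = if ($d.ObjectDN) { $d.ObjectDN } else { "$($d.OldObjectDN) -> $($d.NewObjectDN)" }

    # A 5136 modify is logged as two events sharing OpCorrelationID: one with the
    # old value (%%14675, value deleted) and one with the new value (%%14674, value added).
    $change = switch ($d.OperationType) {
        '%%14674' { 'added' }
        '%%14675' { 'deleted' }
        default   { '' }
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Operation   = $labels[$e.Id]
        Actor       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object      = $object
        Class       = $d.ObjectClass
        Attribute   = $d.AttributeLDAPDisplayName
        Change      = $change
        Value       = $d.AttributeValue
        Correlation = $d.OpCorrelationID
    }
}

# 5. Show modifies grouped by correlation ID so the old and new value sit together.
$rows | Sort-Object Time, Correlation, Change |
    Format-Table Time, Operation, Actor, Object, Attribute, Change, Value -AutoSize

# 6. Defender's view: surface changes to attributes that alter group membership,
#    account state or delegation. The list is an assumption, extend it as needed.
$watch = 'member', 'userAccountControl', 'servicePrincipalName', 'msDS-AllowedToDelegateTo'
$rows | Where-Object { $watch -contains $_.Attribute } |
    Format-Table Time, Actor, Object, Attribute, Change, Value -AutoSize
```

Nothing is reported until the SACL step on the page (auditing Write all properties on the OU) has also been done, because the subcategory alone only makes the events possible.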




Q135. Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. 

You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. 

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group. 

C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units. 

D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators. 

Answer: A,B 

Explanation: 

Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. 

Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group. 

http://technet.microsoft.com/en-us/library/cc732524.aspx 

Delegate Control of an Organizational Unit 

1. To delegate control of an organizational unit 

2. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools and then double-click Active Directory Users and Computers. 

3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control. 

Where? Active Directory Users and Computers\domain node\organizational unit 

4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard. 

http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx 

Delegating Administration of Group Policy 

Your Group Policy design will probably call for delegating certain Group Policy administrative tasks. 

Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group. 

You can delegate the following Group Policy tasks: 

Creating GPOs 

Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc. 

Delegating Creation of GPOs 

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. 

When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create. 

Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain. 

The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate. 

Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission: 

Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC. 

Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC. 

You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups. 

Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions. Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions. 


