Active directory interview questions, part 2 of 2

  • How does group policy resolve setting conflicts?
  1. By following the GPO processing order. More specifically, when settings conflict, the setting from the GPO that is applied last overwrites all the others.
  • Give three examples of where the PowerShell pipeline should be used, rather than storing the result in a variable
  1. This is also an interesting question in the Linux/bash environment.
  2. Allows data to be sent from one command to the next, without the need to define a variable
  3. Allows for easier ongoing refining of the function/script results
  4. Streaming/piping values allows working with continuous data of “infinite” length, while it is practically impossible to hold such data in a variable
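
Points 3 and 4 in practice, as an added example that is not part of the original answer. The event generator and its field names are constructed for illustration; no real log is read.

```powershell
# Constructed source: an endless stream of fake logon events.
function Get-ConstructedLogonEvent {
    $i = 0
    while ($true) {
        $i++
        [pscustomobject]@{
            Sequence = $i
            User     = "user$($i % 7)"
            Failed   = ($i % 5 -eq 0)
        }
    }
}

# Each object travels down the pipeline as soon as it is produced.
# Select-Object -First stops the upstream commands once it has enough,
# so the endless generator terminates cleanly.
function Get-FirstFailedLogon {
    param([int]$Count = 3)
    Get-ConstructedLogonEvent |
        Where-Object { $_.Failed } |
        Select-Object -First $Count
}

Get-FirstFailedLogon -Count 3

# Refining the result means appending another stage, not rewriting the script:
Get-ConstructedLogonEvent |
    Where-Object { $_.Failed } |
    Select-Object -First 20 |
    Group-Object -Property User |
    Sort-Object -Property Count -Descending

# The variable form never returns, because the assignment has to collect
# every object before the next statement can run:
# $all = Get-ConstructedLogonEvent
```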
  • How do you establish a remote PowerShell session? What are the prerequisites?
  1. [If working within a domain] Enable PowerShell Remoting: Enable-PSRemoting -Force
    1. Starts the WinRM service
    2. Sets the service to start automatically with the system
    3. Creates a firewall rule for incoming connections
  2. [If working within Workgroup]
    1. Configure the network as private
    2. Configure TrustedHosts on both machines.
  3. To execute a single remote cmdlet: Invoke-Command
  4. To initiate a remote session: Enter-PSSession
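
The steps above as one script, with a check of what Enable-PSRemoting actually changed. This is an added example, not part of the original answer; the host name, the interface alias and the helper function Get-RemotingPrereqState are placeholders chosen for illustration.

```powershell
# Placeholder target; replace with the real host name.
$target = 'srv01.example.test'

# --- Workgroup only, on both machines (elevated PowerShell) ---
# Enable-PSRemoting refuses to open the firewall on a Public network.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# --- On the machine that will accept sessions (elevated PowerShell) ---
Enable-PSRemoting -Force

# Hypothetical helper: report service state, start mode, firewall rules,
# network category and the current TrustedHosts value in one object.
function Get-RemotingPrereqState {
    $winrm = Get-Service -Name WinRM
    [pscustomobject]@{
        WinRMStatus    = $winrm.Status
        WinRMStartType = $winrm.StartType
        FirewallRules  = @(Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' |
                             Where-Object { $_.Enabled -eq 'True' }).Count
        NetworkProfile = (Get-NetConnectionProfile).NetworkCategory -join ','
        TrustedHosts   = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    }
}
Get-RemotingPrereqState

# --- Workgroup only, on both machines ---
# Name the peer explicitly. A value of '*' would let the client authenticate
# to any host without verifying that host's identity.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Force

# --- From the admin workstation ---
$cred = Get-Credential
Test-WSMan -ComputerName $target                      # is the listener reachable?
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock { hostname }
Enter-PSSession -ComputerName $target -Credential $cred
```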

 

Active directory interview questions, part 1 of 2

Some questions from a recent interview for an Active Directory specialist position:

 

  • What are some extended Active Directory attributes that are created when you install common enterprise Microsoft offerings?
    1. Depending on the MS product being deployed, there could be various changes to the schema. The good thing is that they are all well documented, with sufficient description, on TechNet.
    2. For example, when installing Exchange 2016, the attributes created are: ms-Exch-UG-Event-Subscription-Link and ms-Exch-UG-Event-Subscription-BL.
    3. When deploying Skype for Business: msExchUserHoldPolicies, msRTCSIP-UserRoutingGroupId, msRTCSIP-MirrorBackEndServer
    4. etc.

 

  • Name 3 use cases of AD delegation that would be useful in a company
    1. Delegate Microsoft BitLocker decryption rights to the Help Desk
    2. Delegate new user creation to the Identity and Access Management team [IAM]
    3. Delegate password reset to Global Service Desk users [GSD]

 

  • Solve for this scenario.
    ◦ User A needs access to
      ▪ \\company.share\Public
      ▪ \\company.share\Confidential
      ▪ \\company.share\Secret
    ◦ User B needs access to
      ▪ \\company.share\Public
      ▪ \\company.share\Confidential\Public
      ▪ Cannot have access to \\company.share\Confidential
    ◦ Solution needs to be scalable for the future


    1. Make 2 groups – user-a-category and user-b-category
    2. For the user-a-category group, assign appropriate NTFS access to the specified folders in \\company.share\.
    3. For the user-b-category group, assign NTFS access to the specified folders in \\company.share\.
    4. Set security permissions on the \\company.share\Confidential folder.
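
One way to carry out these four steps with icacls, run elevated on the file server. This is an added example, not part of the original answer. Assumptions: the three shares map to folders under D:\Shares\company.share, the domain is named COMPANY, both groups already exist, and read and execute is the "appropriate" access level. Test-GroupOnAcl is a hypothetical helper.

```powershell
$root   = 'D:\Shares\company.share'     # assumed local path behind the shares
$grpA   = 'COMPANY\user-a-category'     # assumed domain name
$grpB   = 'COMPANY\user-b-category'
$admins = '*S-1-5-32-544'               # BUILTIN\Administrators (well-known SID)
$system = '*S-1-5-18'                   # NT AUTHORITY\SYSTEM (well-known SID)
$rx     = '(OI)(CI)RX'                  # folder, subfolders and files: read and execute
$full   = '(OI)(CI)F'

# Public: both groups.
icacls "$root\Public" /grant "${grpA}:$rx" "${grpB}:$rx"

# Confidential and Secret: remove inherited ACEs so nothing leaks in from the
# parent folder, then grant only administrators, SYSTEM and group A.
foreach ($dir in 'Confidential', 'Secret') {
    icacls "$root\$dir" /inheritance:r /grant:r "${admins}:$full" "${system}:$full" "${grpA}:$rx"
}

# Confidential\Public inherits group A from Confidential; group B is added
# here and nowhere higher up.
icacls "$root\Confidential\Public" /grant "${grpB}:$rx"

# Hypothetical helper: is there any ACE (explicit or inherited) for the group?
function Test-GroupOnAcl {
    param([string]$Path, [string]$Group)
    [bool]((Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group })
}

# For the scenario, group B must be absent from Confidential and Secret
# and present on Public and Confidential\Public.
foreach ($dir in 'Public', 'Confidential', 'Confidential\Public', 'Secret') {
    [pscustomobject]@{
        Folder = $dir
        GroupA = Test-GroupOnAcl -Path "$root\$dir" -Group $grpA
        GroupB = Test-GroupOnAcl -Path "$root\$dir" -Group $grpB
    }
}
```

User B reaches \\company.share\Confidential\Public by its full path: the default "Bypass traverse checking" user right lets a user pass through a folder they cannot list. Share-level permissions on the Confidential share still have to admit group B; the NTFS ACL is what keeps group B out of the share root.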

 

  • If a user calls and tells you that a newly created distribution group is unable to accept email from clients, what is the problem?
    1. Analyze the error code generated by sending emails [if available]
    2. Check if the group scope is appropriate [Universal/Global/Domain local]
    3. Check if “Sender authentication” is enabled
    4. Check with Get-TransportServer | Get-MessageTrackingLog -Sender "address of sender" -Recipients "address of DL"
    5. Check that an anti-spam filter isn’t interfering [although this could depend on whether internal or external messages are being received]
    6. Remove the user from the group and add him again [some classical IT troubleshooting]

 

  • What is a loopback group policy?
    1. Allows user configuration settings to be applied based on the computer’s GPO. Thus the computer’s policies take precedence over the user’s policies/settings. Works in 2 modes:
    2. replace: the user policies defined in the computer’s GPO replace the user policies normally applied to the user
    3. merge: the user policies defined in the computer’s GPO and the user policies normally applied to the user are merged. If a conflict occurs, the user policies in the computer’s default GPO overwrite the user’s normal policies.
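
A small model of the "last applied wins" rule from part 2 and of the two loopback modes described above, as an added example that is not part of the original post. The GPO names and settings are constructed, and the model deliberately ignores Enforced links and Block Inheritance.

```powershell
# Constructed GPOs, user-configuration side only, listed in processing order.
$userSideGpos = @(
    @{ Name = 'Domain-Baseline'; Settings = @{ ScreenLockMinutes = 15; ControlPanel = 'Allowed' } }
    @{ Name = 'OU-Sales-Users';  Settings = @{ ScreenLockMinutes = 10; Wallpaper = 'sales.jpg' } }
)
# User settings defined in the GPO linked to the computer's OU.
$computerSideGpos = @(
    @{ Name = 'OU-Kiosk-Computers'; Settings = @{ ScreenLockMinutes = 2; ControlPanel = 'Blocked' } }
)

# Apply GPOs in order; a later GPO overwrites whatever an earlier one set.
function Resolve-Settings {
    param([object[]]$Gpos)
    $effective = @{}
    foreach ($gpo in $Gpos) {
        foreach ($name in $gpo.Settings.Keys) {
            $effective[$name] = [pscustomobject]@{
                Setting    = $name
                Value      = $gpo.Settings[$name]
                WinningGpo = $gpo.Name
            }
        }
    }
    $effective.Values | Sort-Object -Property Setting
}

function Get-EffectiveUserPolicy {
    param(
        [ValidateSet('Off', 'Merge', 'Replace')][string]$Loopback,
        [object[]]$UserGpos,
        [object[]]$ComputerGpos
    )
    switch ($Loopback) {
        'Off'     { Resolve-Settings -Gpos $UserGpos }                    # normal processing
        'Merge'   { Resolve-Settings -Gpos ($UserGpos + $ComputerGpos) }  # computer side applied last
        'Replace' { Resolve-Settings -Gpos $ComputerGpos }                # user side ignored
    }
}

foreach ($mode in 'Off', 'Merge', 'Replace') {
    "--- Loopback: $mode ---"
    Get-EffectiveUserPolicy -Loopback $mode -UserGpos $userSideGpos -ComputerGpos $computerSideGpos |
        Format-Table -AutoSize | Out-String
}
```

The WinningGpo column shows which GPO supplied each effective value, which is the same information you would look for in a Resultant Set of Policy report on a real machine.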

Part 2 will be online soon.

 

Making remote server management easier

After making sure the networking is done, the installation is complete, AD is created, and DNS/DHCP are properly configured, it is time to make life easier by enabling remote server management.

On the managed servers, you need Remote server

  • On the computer that you want to manage remotely, open a Windows PowerShell session with elevated user rights.
  • Type the following, and then press Enter to enable all required firewall rule exceptions.

    Configure-SMRemoting.exe -enable

On the management server

  • Navigate to Server Manager; in the upper right corner select Manage and then Add Servers
  • Fill the newly opened window with something like this:
[Image: Configure Remote Management in Server Manager]
  • Wait a few seconds for the view to refresh
  • Enjoy the improved functionality :).
[Image: Configure Remote Management in Server Manager]