
Lab 4.1 Review Questions

1. True or False? By default, new OUs are protected from accidental deletion.
TRUE
2. Which of the following is not a task set that you can delegate using the
Delegation of Control Wizard?
a. Create, delete, and manage groups
b. Create, delete, and manage OUs
c. Modify the membership of a group
d. Read all user information
3. When the Delegation of Control Wizard is used to delegate the Reset password
permission, which of the following is the default inheritance setting for the
permission?
a. Descendant User objects
b. This object only
c. All descendant objects
d. This object and all descendant objects
4. True or False? When a user has been delegated control to an object, he or she
automatically is made a member of the Server Operators group.
FALSE
5. The user attribute that pertains to the User must change password at next logon
account option is _______________________.
pwdLastSet

Lab 4.2 Review Questions


1. True or False? DSREVOKE.EXE comes standard with Windows Server 2008.
FALSE
2. What option should you supply DSACLS when you want to allow a specified
permission?
a. /G
b. /A
c. /P
d. /D

3. Which of the following commands would remove user sjohnson from the DACL of all
Active Directory objects in domain W2k8AD1XX?
a. dsrevoke /report W2k8AD1XX\sjohnson
b. dsacls /deny W2k8AD1XX\sjohnson
c. dsrevoke /remove W2k8AD1XX\sjohnson
d. dsacls /D W2k8AD1XX\sjohnson /all
4. True or False? The DSACLS command can be used only to change permissions,
not view them.
FALSE
5. Write the command that would deny all permissions to the Operations OU to a
user in the W2k8AD1XX.local domain named bsmith. ________________________.
dsacls ou=Operations,dc=W2K8ad1moss0067,dc=local /d W2K8ad1moss0067\bsmith:GA

Lab 4.3 Review Questions


1. Which of the following FSMO roles is a forest-wide role? (Choose all that apply.)
a. Schema master
b. RID master
c. Domain naming master
d. PDC emulator
e. Infrastructure master
2. Which of the following FSMO roles can you view using Active Directory Users and
Computers? (Choose all that apply.)
a. Schema master
b. RID master
c. Domain naming master
d. PDC emulator
e. Infrastructure master
3. Which of the following FSMO roles requires the registration of a DLL file to manage
it?
a. Schema master
b. RID master
c. Domain naming master
d. PDC emulator
e. Infrastructure master
4. True or False? The regsvr32 command is used to manage the Active Directory
database.
FALSE
5. You can change which attributes are copied to the Global Catalog by using the
_______________ snap-in.
Active Directory Schema Snap-in

Lab 4.4 Review Questions


1. Which of the following are considered physical components of the Active
Directory structure? (Choose all that apply.)
a. Domains
b. Sites
c. OUs
d. Domain Controllers
e. Forests
2. Which component of a site should you modify if you want to change the
replication schedule between sites?
a. Subnet
b. Connection
c. Site link
d. Server
3. Which of the following is a valid prefix value?
a. 150
b. 149.18:16
c. 192.168.110.0[20]
d. 150.11.0.0/16
4. True or False? You cannot change the name of the first site, which is created
automatically.
FALSE
5. The name of the IP site link that is automatically created is _________________.
Default-First-Site-Name

Lab 4
Dsacls is the command-line program included with Windows Server 2008 to do just
that. Like most of the ds command-line programs, batch files are probably the way
to go with dsacls. Dsrevoke is a simpler command-line program that you can
download from the Microsoft download site. Dsrevoke provides similar functionality
to Dsacls but is easier to use when you wish to remove permissions. This lab
introduces you to these two command-line programs so that you can set Active
Directory object permissions without the GUI.

The operations masters are domain controllers that perform key functions to ensure
proper operation of Active Directory. The functions provided are referred to as
flexible single master operations (FSMO) roles. There are five FSMO roles: schema
master, domain naming master, infrastructure master, PDC emulator, and RID
master. The schema master and domain naming master are forest-wide roles and
are found only on domain controllers in the forest root domain. The other three
FSMO roles are domain-wide functions and reside on one domain controller in each
domain. It is critical that an administrator know which domain controller holds each of
the FSMO roles. The schema holds a list of all object classes and attributes in
Active Directory. The Active Directory Schema snap-in lets you view and change the
properties of schema objects and attributes. You know that the Global Catalog holds
a partial replica of Active Directory attributes, which means that some attributes are
held in the Global Catalog and others are not. You can view and change which
attributes are copied to the Global Catalog using the Active Directory Schema snap-in.

Sites are one of the physical components of the Active Directory structure. Sites are
associated with one or more IP subnets and contain domain controllers whose IP
addresses reside in the associated subnet. You can create new subnets, associate
subnets to sites, create new sites, and change replication options between sites
using Active Directory Sites and Services. Other Active Directory objects you can
manage here include bridgehead servers, connection objects, and site links.

Lab 5.1 Review Questions


1. True or False? Windows PowerShell is a feature that is installed by default on
Windows Server 2008.
FALSE
2. The ________________ uses syntax such as ou=myou,dc=mydomain,dc=com.
a. UNC path
b. distinguished name
c. schema path
d. common name
3. The _____ operator (|) is used to send the output of one command as input to
another command.
a. pipe
b. forward
c. logical or
d. logical and
4. True or False? When a user account is created by PowerShell, the account is
automatically made a member of the Guests group.
FALSE
5. The _________ attribute on a user account is used to allow pre-Windows 2000
computers to log on to a domain.
samaccountname

Lab 5.2 Review Questions


1. True or False? The Department field is copied when you copy a user account.
TRUE
2. Which of the following is copied when you copy a user account? (Choose all that
apply.)
a. City
b. Company
c. Web page
d. Description
3. When duplicating a user, what do you need to edit to change which fields are
copied?
a. Schema classes
b. Schema common names
c. Schema attributes
d. Schema properties
4. True or False? You need not provide a password when creating a user account if
the account itself is disabled.
TRUE
5. The _____ snap-in is used to change the attributes that are copied when a user
account is duplicated.
Active Directory Schema

Lab 5.3 Review Questions


1. You can restrict user logon hours by which of the following criteria?
a. Days of the week only
b. Hours of the day only
c. Hours, days, and months
d. Days of the week and hours
2. To specify the station to which a user can log on, you must specify the _____.
a. computer name
b. distinguished name of the computer account
c. MAC address of the computer
d. domain\computer
3. Which of the following can be edited on multiple accounts at one time? (Choose
all that apply.)
a. Description
b. Logon hours
c. Password
d. Display name
e. Web page
4. True or False? By default, if a user is already logged on when the logon time
restriction becomes effective, he or she is immediately logged off the system.
FALSE
5. The command to log off a ServerCoreXX computer is _________________.
logoff

Lab 5.4 Review Questions


1. Which of the following is the default location for new computer accounts?
a. Domain Controllers OU
b. Member Computers OU
c. Computers Folder
d. Users Folder
2. By default, members of which of the following groups have the right to add
workstations to the domain?
a. Everyone
b. Authenticated Users
c. Administrators
d. Domain Users
3. When you right-click a computer account in Active Directory, which of the
following options will you see?
a. Connect to it using remote desktop protocol
b. View its IP address settings
c. Change the computer name
d. Connect to it using Computer Management
4. True or False? The default location for new computer accounts can have a GPO
linked to it.
FALSE
5. The _____ command can change the default container for new computer objects
to the NewClients OU in the mydomain.com domain.
redircmp ou=NewClients,dc=mydomain,dc=com

Lab 5
Windows PowerShell is a powerful new scripting language available in Windows.
PowerShell provides a command-line interface that gives you access to many
features and functions, including Active Directory management features. In most
cases, you will not use PowerShell interactively except to test and refine script
commands. Instead, you will create script files that can be run to execute a series of
PowerShell commands to perform a particular function; this process is similar to
using batch files for DSADD and other commands. Typically, once you have
perfected a series of commands, you would put them into a script file (a text file
you can create with Notepad) and either execute them from within the PowerShell
command or execute the PowerShell command followed by the script file name. For
example, if your script is named c:\scripts\CreateUsers.ps1 (ps1 is the standard file
extension name for a PowerShell version 1 script file), you could execute it by typing
PowerShell c:\scripts\CreateUsers.ps1.
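
An added example, not part of the lab manual, of what a CreateUsers.ps1 along these lines could contain: it validates each logon name before touching the directory, writes only when -Commit is given, and forces a password change at first logon through pwdLastSet. The OU distinguished name, the user list and the -Commit switch are assumptions made for illustration.

```powershell
# CreateUsers.ps1 -- added example, not part of the lab manual.
# Dry run by default; pass -Commit to write to the directory.
param(
    [string]$OuDn = 'ou=Operations,dc=example,dc=local',  # assumed placeholder DN
    [switch]$Commit                                        # assumed switch name
)

# Characters that Active Directory rejects in a sAMAccountName.
$InvalidChars = '"/\[]:;|=,+*?<>'.ToCharArray()

function Test-SamAccountName([string]$Name) {
    # Returns $null when the name is acceptable, otherwise the reason for rejection.
    if ($Name.Length -lt 1 -or $Name.Length -gt 20) {
        return 'length must be 1 to 20 characters'
    }
    if ($Name.IndexOfAny($InvalidChars) -ge 0) {
        return 'contains a reserved character'
    }
    return $null
}

# Constructed sample input; in practice this would come from a reviewed list.
$NewUsers = @(
    @{ First = 'Sam';  Last = 'Snead';   Sam = 'Sam*Snead' },  # rejected: asterisk
    @{ First = 'Beth'; Last = 'Smith';   Sam = 'bsmith'    },
    @{ First = 'Sara'; Last = 'Johnson'; Sam = 'sjohnson'  }
)

# Bind to the OU only when changes will actually be written.
$ou = $null
if ($Commit) { $ou = [ADSI]"LDAP://$OuDn" }

$created = 0
$skipped = 0

foreach ($u in $NewUsers) {
    $reason = Test-SamAccountName $u.Sam
    if ($reason) {
        Write-Warning "Skipping '$($u.Sam)': $reason"
        $skipped++
        continue
    }

    $cn = "$($u.First) $($u.Last)"
    if (-not $Commit) {
        Write-Host "Would create cn=$cn,$OuDn (sAMAccountName=$($u.Sam))"
        continue
    }

    # Create the object. No password is set and the account is not enabled here,
    # so an administrator still has to set a password and enable it.
    $user = $ou.Create('user', "cn=$cn")
    $user.Put('sAMAccountName', $u.Sam)
    $user.Put('givenName', $u.First)
    $user.Put('sn', $u.Last)
    $user.SetInfo()

    # pwdLastSet = 0 corresponds to "User must change password at next logon".
    $user.Put('pwdLastSet', 0)
    $user.SetInfo()

    Write-Host "Created $($user.distinguishedName)"
    $created++
}

Write-Host "Done. Created: $created  Skipped: $skipped  Commit: $Commit"
```

Run without -Commit, the script only reports what it would create; the constructed entry Sam*Snead is skipped because of the asterisk.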

The default settings on a domain controller allow the members of the Authenticated
Users group to add a workstation to the domain. Some administrators may wish to
control the process more by restricting the Add workstations to domain right to
administrators or perhaps to a group that has IT personnel as its members. An
administrator might also want to create the computer account first and then allow
users to join the domain. When a new computer account is created, by default it is
placed in the Computers folder in Active Directory. Note, however, that because the
Computers folder is not an OU, GPOs cannot be linked to it. To place computer
accounts in an OU where a GPO can be linked, you can change the default location
of newly created computer accounts using the redircmp command. You may wish to
do this so that all new computer accounts are immediately subject to the policies
you specify in GPOs linked to the new default location.

Lab 4 Manual
1. The protocol for accessing Active Directory objects and services is based on
which of the following standards?
a. DNS
b. LDAP
c. DHCP
d. ICMP
2. Which MMC do you use to create OUs?
a. Active Directory Sites and Services
b. Active Directory Domains and Trusts
c. Active Directory Users and Computers
d. Computer Management
3. Which wizard is used to assign users the authority to perform certain tasks on
Active Directory objects?
Delegation of Control Wizard
4. User, computer, and group accounts can be referred to as which of the following?
a. Discretionary access accounts
b. Security descriptors
c. Local objects
d. Security principals
5. Which of the following must you modify if you want to change an Active Directory
object's permissions?
a. DACL
b. SACL
c. Object attributes
d. Object schema
6. An object's owner automatically has Full control permission for the object. True or
False?
FALSE
7. JDoe is a member of a group that has Full control permission for an OU, which the
group inherited from a parent OU. What is the best way to stop JDoe from having
Write permission to this OU without affecting any other permissions?
a. Remove JDoe from the group.
b. Add a Deny ACE for JDoe to the parent OU.
c. Add an explicit Deny ACE for JDoe to the OU.
d. Add a Deny ACE for the group to the parent OU.
8. You're logged on as Administrator to a domain controller and are trying to
troubleshoot a problem with a user's access to Active Directory objects. You open
Active Directory Users and Computers to access an object's properties. However,
you can't view the object's permissions. What is the most likely problem?
a. You don't have sufficient permissions to view the object's permissions.
b. You need to open Active Directory Domains and Trusts.
c. You need to enable Advanced Features.
d. You need to run the View Object Permissions Wizard.
9. A user's permissions to an object that are a combination of inherited and explicit
permissions assigned to the user's account and groups the user belongs to are
referred to as which of the following?
a. Inherited permissions
b. Effective permissions
c. Explicit permissions
d. Access permissions
10. Inherited permissions always override explicit permissions. True or False?
FALSE
11. You're viewing the DACL for an OU and notice an inherited ACE for a user
account that gives the account permission to the OU that it shouldn't have. You
want to remove the ACE from the OU, but you get an error message when you
attempt to do so. What do you need to do?
a. Open Active Directory Users and Computers in administrative mode.
b. Use ADSI Edit to remove permissions.
c. Disable inheritance on the OU.
d. Add an explicit Deny ACE for the user account.
12. A user is having trouble accessing an OU, so you need to determine the user's
permissions to the OU. You log on to the domain controller as Administrator and
view the Security tab of the OU's Properties dialog box. What do you do next?
Click the Advanced button, click the Effective Permissions tab, click the Select button, type the user's
account name, and click OK.

13. Which of the following is a directory partition? (Choose all that apply.)
a. Domain directory partition
b. Group policy partition
c. Schema directory partition
d. Configuration partition
14. Which is responsible for management of adding, removing, and renaming
domains in a forest?
a. Schema master
b. Infrastructure master
c. Domain naming master
d. RID master
15. Which is responsible for determining the replication topology?
a. GPO
b. PDC
c. RID
d. KCC
16. Your company has merged with another company that also uses Windows Server
2008 and Active Directory. You want to give the other company's users access to
your company's domain resources and vice versa without duplicating account
information and with the least administrative effort. How can you accomplish this?
Create a Forest Trust
17. Which of the following do all domains in the same forest have in common?
(Choose all that apply.)
a. The same domain name
b. The same schema
c. The same user accounts
d. The same global catalog
18. Which of the following is not a function of the global catalog?
a. Facilitates forestwide searches
b. Keeps universal group memberships
c. Facilitates intersite replication
d. Facilitates forestwide logons
19. You have an Active Directory forest of two trees and eight domains. You haven't
changed any of the operations master domain controllers. On which domain
controller is the schema master?
a. All domain controllers
b. The last domain controller installed
c. The first domain controller in the forest root domain
d. The first domain controller in each tree
20. Which of the following is a valid reason for using multiple forests?
a. Centralized management
b. Need for different schemas
c. Easy access to all domain resources
d. Need for a single global catalog
21. What can you do to reduce the delay caused by authentication referral?
a. Create a forest trust.
b. Create an external trust.
c. Create a shortcut trust.
d. Create a transitive trust.
22. What can you do to integrate user authentication between Linux and Active
Directory?
a. Create a realm trust.
b. Create an external trust.
c. Create a one-way trust.
d. Create a transitive trust.
23. Trust relationships between all domains in a forest are two-way transitive trusts.
True or False?
TRUE
24. Which of the following is a reason to use multiple domains? (Choose all that
apply.)
a. Need for different name identities
b. Replication control
c. Need for differing account policies
d. Easier access to resources
25. Which of the following is a reason for establishing multiple sites? (Choose all
that apply.)
a. Improving authentication efficiency
b. Enabling more frequent replication
c. Reducing traffic on the WAN
d. Having only one IP subnet

Definitions
application directory partition A directory partition that applications and services
use to store information that benefits from automatic Active Directory replication
and security.
configuration partition A directory partition that stores configuration information
that can affect the entire forest, such as details on how domain controllers should
replicate with one another.

dedicated forest root domain The first domain in a forest; contains only the
forestwide administrative accounts and domain controllers needed to run the
forestwide operations master roles.
delegation of control The process of a user with higher security privileges assigning
authority to perform certain tasks to a user with lesser security privileges; usually
used to give a user administrative permission for an OU.
directory partition A section of an Active Directory database stored on a domain
controller's hard drive. These sections are managed by different processes and
replicated to other domain controllers in an Active Directory network.
domain directory partition A directory partition that contains all objects in a domain,
including users, groups, computers, OUs, and so forth.
effective permissions A combination of a user's assigned permissions through group
membership, an explicit user permission assignment, and inherited permissions.
external trust A one-way or two-way nontransitive trust between two domains that
aren't in the same forest.
Flexible Single Master Operation (FSMO) roles Specialized domain controller tasks
that handle operations that can affect the entire domain or forest. Only one domain
controller can be assigned a particular FSMO.
forest root domain The first domain created in a new forest.
forest trust A trust that provides a one-way or two-way transitive trust between
forests, which enables security principals in one forest to access resources in any
domain in another forest.
global catalog partition A directory partition that stores the global catalog, which is
a partial replica of all objects in the forest. It contains the most commonly accessed
object attributes to facilitate object searches and user logons across domains.
intersite replication Active Directory replication that occurs between two or more
sites.
intrasite replication Active Directory replication between domain controllers in the
same site.
Kerberos An open-standard security protocol used to secure authentication and
identification between parties in a network.
Knowledge Consistency Checker (KCC) A process that runs on every domain
controller to determine the replication topology.
Lightweight Directory Access Protocol (LDAP) A protocol that runs over TCP/IP and is
designed to facilitate access to directory services and directory objects. LDAP is
based on a suite of protocols called X.500, developed by the International
Telecommunications Union.

multimaster replication The process for replicating Active Directory objects in which
changes to the database can occur on any domain controller and are propagated, or
replicated, to all other domain controllers.
one-way trust A trust relationship in which one domain trusts another, but the
reverse is not true.
operations master A domain controller with sole responsibility for certain domain or
forestwide functions.
permission inheritance The process of transmitting permissions from a parent object
to a child object.
realm trust A trust used to integrate users of other OSs into a Windows Server 2008
domain or forest; requires the OS to be running Kerberos V5 authentication.
relative identifier (RID) The part of the SID that's unique for each Active Directory
object.
schema directory partition A directory partition containing the information needed
to define Active Directory objects and object attributes for all domains in the forest.
security identifier (SID) A numeric value assigned to each object in a domain that
uniquely identifies the object; composed of a domain identifier, which is the same
for all objects in a domain, and the RID.
security principals An Active Directory object that can be assigned permissions or
rights to Active Directory objects and network resources.
shortcut trust A manually configured trust between domains in the same forest for
the purpose of bypassing the normal referral process.
site link A logical connection between two sites that determines the replication
schedule and frequency between the sites.
transitive trust A trust relationship based on the transitive rule of mathematics;
therefore, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain
A trusts Domain C.
trust relationship An arrangement that defines whether and how security principals
from one domain can access network resources in another domain.
two-way trust A trust in which both domains in the relationship trust each other, so
users from both domains can access resources in the other domain.
user principal name (UPN) A user logon name that follows the format
username@domain. Users can use their UPNs to log on to their own domain from a
computer that's a member of a different domain.

Chapter 5 Manual
1. Which of the following is a user account category? (Choose all that apply.)
a. Local
b. Global
c. Domain
d. Universal
2. Which of the following is a built-in user account? (Choose all that apply.)
a. Administrator
b. Operator
c. Anonymous
d. Guest
3. Sam*Snead is a valid user account name. True or False?
FALSE
4. Which of the following is true about user accounts in a Windows Server 2008
domain? (Choose all that apply.)
a. The name can be from 1 to 20 characters.
b. The name is case sensitive.
c. The name can't be duplicated in the domain.
d. Using default settings, PASSWORD123 is a valid password.
5. Which of the following account options can't be set together? (Choose all that
apply.)
a. User must change password at next logon
b. Store password using reversible encryption
c. Password never expires
d. Account is disabled
6. Global groups can have domain local groups as members. True or False?
FALSE
7. Jane has left the company. Her user account is a member of several groups and
has permissions and rights to a number of forestwide resources. Jane's replacement
will arrive in a couple of weeks and need access to the same resources. In addition,
you want the new employee to have access to the files in Jane's profile. What is the
best course of action?
a. Find all groups Jane is a member of and make a note of them. Delete Jane's user
account and create a new account for the new employee. Add the new account to
all the groups Jane was a member of.
b. Copy Jane's user account and give the copy another name.
c. Disable Jane's account. When the new employee arrives, rename Jane's account,
assign it a new password, and enable it again.
d. Back up Jane's profile and restore it to a folder assigned to the new employee.
8. Over the past several months, Tom, who has access to sensitive company
information, has logged on to computers in other departments and left them
without logging off. You have discussed the matter with him, but the problem
continues to occur. You're concerned that someone could access these sensitive
resources easily. What's the best way to solve this problem?
a. Ensure that all computers Tom is logging on to have screen savers set to lock the
computer after 5 minutes of inactivity.
b. Specify which computers Tom can log on to in the domain by using the Log On To
option in his account's properties.
c. Move Tom's account and computer to another domain, thereby making it
impossible for him to log on to computers that are members of different domains.
d. Disable local logon for Tom's account on all computers except Tom's.
9. You have noticed inappropriate use of computers for gaming and Internet
downloads by some employees who come in after hours and on weekends. These
employees don't have valid work assignments during these times. You have been
asked to devise a solution for these employees that doesn't affect other employees
or these employees' computers during working hours. What's the best solution?
a. Install personal firewall software on their computers in an attempt to block the
gaming and Internet traffic.
b. Request that the Maintenance Department change the locks on their office doors
so that they can enter only during prescribed hours.
c. Set the Logon Hours options for their user accounts.
d. Before you leave each evening and before the weekend, disable these
employees' accounts and re-enable them the next working day.
10. The Users domain local group can be a member of the local Administrators
group on a Vista computer. True or False?
FALSE
11. Which of the following is considered a security principal? (Choose all that apply.)
a. Contacts
b. Computers
c. User accounts
d. Distribution lists
12. You're trying to troubleshoot a user's profile. When you open the folder
containing the profile, you notice that many files and folders you expect to see are
missing. The symptoms of the problem don't indicate so many files and folders
being missing. What's the likely problem, and how can you solve it?
The files are hidden and/or system files. In Windows Explorer, enable the options for
viewing hidden and system files.
13. What file do you see in the root of a user's mandatory profile?
a. Netlogon.dat
b. Netlogon.man
c. Ntuser.dat
d. Ntuser.man
14. You have just installed 50 new Vista computers. You want to be sure that all
users get an initial profile you have created when they first log on to a computer in
the domain; they can then customize the profile as needed. Which of the following
is a required step for this task?
a. Rename Ntuser.dat.
b. Copy the appropriate files to the Default folder on every computer in the domain.
c. Create a folder named Default User.V2.
d. Assign permissions to the NETLOGON share.
15. You want to prevent users from logging on to the domain if their mandatory
profiles are unavailable for some reason. Which of the following is a necessary step?
a. Configure the Log On To option in the user's account.
b. Add .man to the profile path in their account properties.
c. Add .V2 to the profile path in their account properties.
d. Click the Super Mandatory check box in their account properties.
16. You have configured roaming profiles throughout your company. However,
employees are now complaining that logging on and off sometimes takes a long
time. You have also noticed a spike in overall network traffic, particularly during the
beginning and end of shifts. What can you do to reduce the delays and reduce
network traffic while maintaining the convenience of roaming profiles?
Use folder redirection to redirect some folders in the profile, such as the Documents
folder, to a network location so that these folders aren't copied when the profile is
copied.
17. Which of the following is a valid group scope? (Choose all that apply.)
a. Global
b. Domain local
c. Forest
d. Domain global
18. What happens if a security group that's an ACE in a shared folder is converted
to a distribution group?
a. A security group can't be converted to a distribution group if it has already been
assigned permissions.
b. The group is removed from the DACL automatically.
c. The group remains in the DACL, but the ACE has no effect on members' access to
the resource.
d. The group remains in the DACL, and permissions assigned to the group affect
access to the resource as though it were still a security group.
19. Which of the following can be a member of a universal group? (Choose all that
apply.)
a. User accounts from the local domain only
b. Global groups from any domain in the forest
c. Other universal groups from any domain in the forest
d. Domain local groups from the local domain only
20. Which group conversion is allowed?
a. Domain local to universal, provided no domain local group is already a member
b. Global to domain local, without restriction
c. Domain local to global, provided no domain local group is already a member
d. Universal to global, without restriction
21. Which of the following is true about the Users domain local group?
a. It's in the Users folder.
b. It can be converted to a global group.
c. Domain Users is a member.
d. Its members can log on locally to a domain controller.
22. A domain user logging on to the domain becomes a member of which special
identity group?
a. Creator Owner
b. System
c. Authenticated Users
d. Anonymous Logon
23. Windows 98 computers can have a computer account in a Windows Server 2008
domain. True or False?
FALSE
24. A user is having trouble logging on to the domain from a computer that has
been out of service for several months. Nobody else can seem to log on from the
computer either. What should you try first to solve the problem?
a. Reinstall Windows on the workstation and create a new computer account in the
domain.
b. Rename the computer and create a new computer account with the new name.
c. Reset the computer account, remove the computer from the domain, and rejoin it
to the domain.
d. Disable the computer account, remove the computer from the domain, and rejoin
it to the domain.
25. Which commands can you use together to change attributes of several users at
once?
a. DSGET and DSADD
b. DSGET and DSMOD
c. DSQUERY and DSMOD
d. DSQUERY and DSGET

Definitions
contact An Active Directory object that usually represents a person for informational
purposes only, much like an address book entry.
distribution group A group type used when you want to group users together,
mainly for sending e-mails to several people at once with an Active Directory
integrated e-mail application, such as Microsoft Exchange.
distribution list An Active Directory object consisting of a list of users in a
distribution group, used for sending an e-mail to multiple people simultaneously.
domain local group A group scope that's the main security principal recommended
for assigning rights and permissions to domain resources.
global group A group scope used mainly to group users from the same domain who
have similar access and rights requirements. A global group's members can be user
accounts and other global groups from the same domain.

group scope A property of a group that determines the reach of a group's
application in a domain or a forest: which security principals in a forest can be
group members and to which forest resources a group can be assigned rights or
permissions.
local group A group created in the local SAM database on a member server or
workstation or a stand-alone computer.
local profile A user profile stored on the same system where the user logs on.
mandatory profile A user profile that can be changed during a user's logon session,
but the next time the user logs on, the changes aren't saved, and the profile reverts
to its original state.
piping Sending the output of one command as input to another command.
roaming profile A user profile that follows the user no matter which computer he or
she logs on to. It's stored on a network share so that when a user logs on to any
computer in the network, the profile is copied from the network share to the profile
folder on the local computer.
security groups A group type that's the main Active Directory object administrators
use to manage network resource access and grant rights to users.
super mandatory profile A user profile type that prevents a user from logging on to
the domain when the mandatory profile is unavailable.
universal group A group scope that can contain users from any domain in the forest
and be assigned permission to resources in any domain in the forest.
user profile A collection of a user's personal files and settings that define his or her
working environment.
user template A user account that's copied to create users with common attributes.
