Managing and Maintaining a Microsoft-based Server Infrastructure

The 70-414 exam looks to stretch your understanding of planning, implementation, and management of an advanced Microsoft-based infrastructure. The tools and products included in the exam are used in enterprise-level networks and emphasize automation, high availability, and self-service. The first chapter of this book discusses objectives surrounding server infrastructure management. Within this chapter and indeed the entire book, you’ll find hands-on examples that directly tie to the exam objectives, and you’ll find numerous links to more information on TechNet.

Objectives in this chapter:

• Objective 1.1: Design an administrative model
• Objective 1.2: Design a monitoring strategy
• Objective 1.3: Plan and implement automated remediation

Objective 1.1: Design an administrative model

Designing an administrative model for an enterprise network involves a large amount of planning, especially in complex or highly structured enterprises. A good administrative model will enable delegation of authority while also enforcing the principle of least privilege. Many organizations have unique needs, but the overall administrative model can follow a common pattern. For example, an organization that’s geographically dispersed may allow personnel at remote locations to change passwords for users at that remote site.

Understanding administrative model design considerations

Typical enterprise administrative and privilege models use groups to assign and delegate permissions. Groups save time and administration overhead by combining similar users and computers into one entity that can then be assigned permissions.

Groups can have users and computers and are created as a security group or a distribution group. The security group type is covered in this chapter; distribution groups are typically used to create email distribution lists and aren’t covered in this book. Groups are also scoped, which means that they can apply locally to a computer, to a domain, or to an entire forest. Table 1-1 describes the three types of group scopes available in AD DS.

TABLE 1-1 Active Directory Domain Services group scope

Group Scope	Description
Domain Local	Members in a Domain Local scoped group can have permissions within the same domain where the Domain Local group is located and can contain any combination of groups with domain local, global, or universal scope.
Global	Members of groups with a Global scope can have permissions in any domain within a forest, but members can come from only the domain within which the group is defined.
Universal	Members of groups with Universal scope can have permissions in any domain or forest and can originate from any domain or forest.

User rights

Before looking at user rights, it’s important to agree on the definition of a user right. You can find a definition all the way back to Windows NT Server 4.0 in the “NT Server 4.0 Concepts and Planning Manual” on TechNet, where a right is defined as something that “authorized a user to perform certain actions on a computer system.” See http://technet.microsoft.com/en-us/library/cc751446.aspx for more discussion on the definition.

What’s important to realize is the distinction between a right and a permission. A right defines what a user can do on a computer system, whereas permissions apply to objects. Rights can override permissions in certain instances. For example, if a user is a member of a group that has the right to back up a computer or has the Back Up Files and Directories right, that user inherently has read access to the files on the computer, even if permissions would normally deny such access. More specifically, the Back Up Files and Directories right has the following permissions:

• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Read Permissions

The Back Up Files and Directories right is just one example of this concept. Table 1-2 shows several other security-related user rights available with Windows Server 2012. An abbreviated constant name applies to each of the rights described in Table 1-2. The constant names are used for logging and can also be used for Windows PowerShell, as discussed later in this section.

TABLE 1-2 Additional security-related user rights

User Right	Description	Constant Name
Access Credential Manager as a trusted caller	Applies to Credential Manager during backup-related processes. This privilege is assigned to the Winlogon service only and should not be assigned to the account.	SeTrustedCredManAccessPrivilege
Access this computer from the network	Determines whether a user can utilize protocols related to accessing a given computer, such as Service Message Block (SMB), NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).	SeNetworkLogonRight
Act as part of the operating system	Applies to processes to determine whether they can use a user’s identity to gain access to the privileges granted to that user.	SeTcbPrivilege
Add workstations to domain	Enables a user to add a computer to a domain.	SeMachineAccountPrivilege
Adjust memory quotas for a process	Enables a user to change the memory used by a process.	SeIncreaseQuotaPrivilege
Allow logon locally	Enables a user to start an interactive session.	SeInteractiveLogonRight
Allow logon through Remote Desktop Services	Enables a user to log on using Remote Desktop Services.	SeRemoteInteractiveLogonRight
Back up files and directories	Enables an account to bypass permissions for backup purposes.	SeBackupPrivilege
Bypass traverse checking	Enables an account to traverse an NTFS file system without needing to check the Traverse Folder permission.	SeChangeNotifyPrivilege
Change the system time	Enables a user to change the time on the local computer.	SeSystemtimePrivilege
Change the time zone	Enables a user to change the time zone on the local computer.	SeTimeZonePrivilege
Create a pagefile	Enables a user to change settings around the pagefile, including its size.	SeCreatePagefilePrivilege
Create a token object	Enables a process to create a token using the privileged account.	SeCreateTokenPrivilege
Create global objects	Enables creation of global objects.	SeCreateGlobalPrivilege
Create permanent shared objects	Enables creation of directory objects.	SeCreatePermanentPrivilege
Create symbolic links	Enables an account to create a file system symbolic link.	SeCreateSymbolicLinkPrivilege
Debug programs	Enables a user to attach to a process for debugging.	SeDebugPrivilege
Deny access to this computer from the network	Prevents users from accessing the computer.	SeDenyNetworkLogonRight
Deny logon as a batch job	Prevents an account from logging on using batch-related methods.	SeDenyBatchLogonRight
Deny logon as a service	Prevents an account from logging on as a service.	SeDenyServiceLogonRight
Deny logon locally	Prevents an account from logging on locally at a computer console.	SeDenyInteractiveLogonRight
Deny logon through Remote Desktop Services	Prevents users from logging on to a computer using Remote Desktop Services.	SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation	Enables a user to set the Trusted for Delegation setting.	SeEnableDelegationPrivilege
Force shutdown from a remote system	Allows a user to shut down a computer when connected remotely.	SeRemoteShutdownPrivilege
Generate security audits	Enables an account to generate audit records in the security log.	SeAuditPrivilege
Impersonate a client after authentication	Enables a program to impersonate a user or account and act on behalf of that user or account.	SeImpersonatePrivilege
Increase a process working set	Enables a user to increase the size of a working set of a process.	SeIncreaseWorkingSetPrivilege
Increase scheduling priority	Enables a user to increase the base priority of a process.	SeIncreaseBasePriorityPrivilege
Load and unload device drivers	Enables a user to dynamically load or unload device drivers.	SeLoadDriverPackage
Lock pages in memory	Enables an account to keep data from a process in physical memory.	SeLockMemoryPrivilege
Log on as a batch job	Enables an account to log on using batch-related methods, including Task Scheduler.	SeBatchLogonRight
Log on as a service	Enables a service account to register a process.	SeServiceLogonRight
Manage auditing and security log	Enables a user to work with auditing and security log.	SeSecurityPrivilege
Modify an object label	Enables an account to modify integrity labels used by Windows Integrity Controls (WIC).	SeRelabelPrivilege
Modify firmware environment values	Enables a user to modify non-volatile RAM (NVRAM) settings.	SeSystemEnvironmentPrivilege
Perform volume maintenance tasks	Enables a user to do volume- and disk management–related tasks.	SeManageVolumePrivilege
Profile single process	Enables a user to view performance aspects of a process.	SeProfileSingleProcessPrivilege
Profile system performance	Enables a user to use the Windows Performance Monitor tools.	SeSystemProfilePrivilege
Remove computer from docking station	Enables a user to undock a computer without logging on.	SeUndockPrivilege
Replace a process level token	Enables a process to replace an access token of a child process.	SeAssignPrimaryTokenPrivilege
Restore files and directories	Enables a user to bypass the normal permission checks when restoring.	SeRestorePrivilege
Shut down the system	Enables a local user to shut down the system.	SeShutdownPrivilege
Synchronize directory service data	Enables a user to synchronize service data, such as LDAP directory synchronization.	SeSyncAgentPrivilege
Take ownership of files or other objects	Enables an account to take ownership of objects in the computer.	SeTakeOwnershipPrivilege

The constant name described in Table 1-2 can be used with Windows PowerShell cmdlets related to privileges:

• Get-Privilege
• Grant-Privilege
• Revoke-Privilege
• Test-Privilege

As described in Table 1-2, user rights generally shouldn’t be applied to accounts directly, but rather should be granted through the use of groups.

Built-in groups

Built-in groups, also called default groups, are added with the operating system. Many of the default groups have user rights assigned already. Certain rights also apply depending on the type of computer on which the right is being exercised. For example, the Allow Logon Locally right is granted to the following groups for logging on to workstations and servers:

• Administrators
• Backup Operators
• Users

By contrast, the following groups have the Allow Logon Locally right for domain controllers:

• Account Operators
• Administrators
• Backup Operators
• Print Operators
• Server Operators

Table 1-3 shows the local groups for a computer and the user rights granted to them by default.

TABLE 1-3 User rights for local groups

Group	User Rights
Administrators	Access this computer from the network Adjust memory quotas for a process Allow logon locally Allow logon through Remote Desktop Services Back up files and directories Bypass traverse checking Change the system time Change the time zone Create a page file Create global objects Create symbolic links Debug programs Force shutdown from a remote system Impersonate a client after authentication Increase scheduling priority Load and unload device drivers Log on as a batch job Manage auditing and security log Modify firmware environment variables Perform volume maintenance tasks Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects
Backup Operators	Access this computer from the network Allow logon locally Back up files and directories Bypass traverse checking Log on as a batch job Restore file and directories Shut down the system
Cryptographic Operators	No user rights granted by default
Distributed COM Users	No user rights granted by default
Guests	No user rights granted by default
IIS_IUSRS	No user rights granted by default
Network Configuration Operators	No user rights granted by default
Performance Log Users	No user rights granted by default
Performance Monitor Users	No user rights granted by default
Power Users	No user rights granted by default
Remote Desktop Users	Allow logon through Remote Desktop Services
Replicators	No user rights granted by default
Users	Access this computer from the network Allow logon locally Bypass traverse checking Change the time zone Increase a process working set Remove the computer from a docking station Shut down the system
Offer Remote Assistance Helpers	No user rights granted by default

AD DS also contains default groups. These groups are placed into either the Builtin or Users container.

Table 1-4 describes the groups in the Builtin container.

TABLE 1-4 Groups in the Builtin container

Group	User Rights
Account Operators	Allow logon locally Shut down the system
Administrator	Access this computer from the network Adjust memory quotas for a process Back up files and directories Bypass traverse checking Change the system time Create a pagefile Debug programs Enable computer and user accounts to be trusted for delegation Force a shutdown from a remote system Increase scheduling priority Load and unload device drivers Allow logon locally Manage auditing and security log Modify firmware environment values Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects
Backup Operators	Back up files and directories Allow logon locally Restore files and directories Shut down the system
Guests	No user rights granted by default
Incoming Forest Trust Builders	No user rights granted by default; applicable to forest root domain only
Network Configuration Operators	No user rights granted by default
Performance Monitor Users	No user rights granted by default
Performance Log Users	No user rights granted by default
Pre-Windows 2000 Compatible Access	Access this computer from the network Bypass traverse checking
Print Operators	Allow logon locally Shut down the system
Remote Desktop Users	No user rights granted by default
Replicator	No user rights granted by default
Server Operators	Back up files and directories Change the system time Force shutdown from a remote system Allow logon locally Restore files and directories Shut down the system
Users	No user rights granted by default

Table 1-5 describes the groups in the Users container.

TABLE 1-5 Groups in the Users container

Group	User Rights
Cert Publishers	No user rights granted by default
DnsAdmins	No user rights granted by default; installed as part of DNS
DnsUpdateProxy	No user rights granted by default; installed as part of DNS
Domain Admins	Access this computer from the network Adjust memory quotas for a process Back up files and directories Bypass traverse checking Change the system time Create a pagefile Debug programs Enable computer and user accounts to be trusted for delegation Force a shutdown from a remote system Increase scheduling priority Load and unload device drivers Allow logon locally Manage auditing and security log Modify firmware environment values Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects
Domain Computers	No user rights granted by default
Domain Controllers	No user rights granted by default
Domain Guests	No user rights granted by default
Domain Users	No user rights granted by default
Enterprise Admins	Note: Permissions are applicable to forest root domain only Access this computer from the network Adjust memory quotas for a process Back up files and directories Bypass traverse checking Change the system time Create a pagefile Debug programs Enable computer and user accounts to be trusted for delegation Force a shutdown from a remote system Increase scheduling priority Load and unload device drivers Allow logon locally Manage auditing and security log Modify firmware environment values Profile single process Profile system performance Remove computer from docking station Restore files and directories Shut down the system Take ownership of files or other objects
Group Policy Creator Owners	No user rights granted by default
IIS_WPG	No user rights granted by default; installed with IIS
RAS and IAS Servers	No user rights granted by default
Schema Admins	No user rights granted by default; applicable to forest root domain only

Built-in groups are different from special identities. A special identity is a group for which membership cannot be modified, such as the Everyone group. Special identities include those in Table 1-6.

TABLE 1-6 Special identities

Identity	Description
Anonymous Logon	Used for anonymous access to services and resources
Everyone	All network users, with the exception of the Anonymous Logon group
Interactive	Users who are logged on locally to the computer
Network	Users who are accessing a computer’s resources over the network

Understanding delegation in System Center 2012 R2

Microsoft System Center 2012 R2 consists of several products, including Configuration Manager, Operations Manager, Data Protection Manager, Service Manager, AppController, and Virtual Machine Manager (VMM). The products used in the organization determine the delegation structure. For example, certain roles are only applicable for Virtual Machine Manager and others are applicable for Configuration Manager. If the organization doesn’t use VMM, then those roles wouldn’t be used. However, the concepts of delegated authority and role-based administration are applicable no matter what products are being used. This section examines delegation for Configuration Manager and Operations Manager. Other products such as Virtual Machine Manager and Data Protection Manager are covered in other objectives in this chapter.

Role-based administration

System Center 2012 R2 uses role-based administration to facilitate the structure needed in many organizations. Using role-based administration you can limit the authority and scope of permissions to the least amount necessary in order to complete a task. For example, an organization may grant the ability to change passwords for normal users to help desk staff. This scenario can be accomplished by granting the limited privileges to the help desk personnel. An important concept surrounding role-based administration in System Center is administrative scope. Administrative scope defines the permissions that a given user has on objects within the scope’s control. Administrative scopes consist of:

• Security roles
• Collections
• Security scopes

Security Roles

Security roles, which you might think of like a group in Active Directory, are used to grant sets of permissions to users based on their role. For example, the Asset Analyst role is granted certain permissions to view Asset Intelligence and inventory information. Users can then be given the Asset Analyst role to do their job.

Each security role is granted specific permissions, such as Approve, Create, Delete, Modify, and so on. The permissions apply to specific object types within System Center. There are several built-in security roles that come with Configuration Manager and with other System Center products. The permissions granted to these roles can’t be changed. However, the roles can be copied, and a new role can be built and modified as needed.

The general steps for planning security roles are:

1. Identify tasks. Examine the responsibilities for administrators. For example, you might have administrators that are responsible for client security while others are responsible for software updates.
2. Map tasks to roles. Determine how the responsibilities connect to built-in security roles.
3. Assign roles. Assign roles to users. If a user has responsibilities across multiple roles, assign that user to multiple roles.
4. Create new roles (optional). Create new roles if the responsibilities don’t map to one or more of the built-in roles.

Collections

Computers and users are grouped into collections in Configuration Manager. Collections are important in the hierarchical delegation of administration for Configuration Manager. Collections can be created to meet the needs of the organization. For example, you might create a collection for each physical location in an organization, or you might create a functional collection that includes all servers or all client computers. Like security roles, there are several built-in collections that can’t be modified. Collections become very useful when you want to distribute software, provide reporting, or ensure configuration changes are consistent across the devices within the collection.

Security Scopes

Security scopes can be used to grant access to securable objects by type. Security scopes provide granular access control. However, security scopes can’t be nested or used in a hierarchical manner. Security scopes are useful for segregating objects of the same type so that different levels of access can be granted to them. For instance, if a set of administrators should be granted full access only to non-production servers, the servers can be scoped to separate production from development servers.

There are two built-in security scopes:

• All Includes all scopes. Objects cannot be added to this scope.
• Default Installed with Configuration Manager, the default scope also includes all objects.

Certain objects can’t be secured by security scopes. Instead, access to these objects is granted using security roles. Objects that can’t be included in security scopes are:

• Active Directory forests
• Administrative users
• Alerts
• Boundaries
• Computer associations
• Default client settings
• Deployment templates
• Device drivers
• Exchange server connectors
• Migration site-to-site mappings
• Mobile device enrollment profiles
• Security roles
• Security scopes
• Site addresses
• Site system roles
• Software titles
• Software updates
• Status messages
• User device affinities

Delegation design

Hierarchical structure is important for designing a delegated administration for System Center. When it is properly structured, you can delegate responsibilities merely by using scopes and security roles. However, as the organization’s needs change, so too will the needs for delegated administration. For example, if a merger takes place, the newly merged company may need to manage its own site.

Designing delegation involves determining the following:

• Who Who is responsible for managing a given client computer or server? Determine the various tasks involved in administration, whether that’s software updates, security, or anything else that System Center can do. These tasks will map to security roles.
• Which and Where Which computers, servers, or other objects will those people manage, based on their roles? Where are those objects located, both physically and logically? For instance, there may be different responsibilities based on physical location or logical location (production versus test). Collections are used to group the objects together in Configuration Manager, and security scopes can be used to provide more granular control over the objects.
• What What permissions do administrators need on a given object? Permissions can be changed within the security roles, and their scope can be limited through security scopes.

Configuration Manager

System Center 2012 R2 Configuration Manager is an important piece of enterprise IT management. Configuration Manager provides a unified solution for management of operating systems, devices, software updates, asset inventory, and more. Using Configuration Manager, an enterprise can deliver software to devices within the organization and ensure consistency of updates and configurations. Configuration Manager also integrates with other System Center products and with other services like Windows Intune.

Configuration Manager can be configured as a standalone set of services or in a hierarchy, known as primary site and central administration site, respectively. The primary site-only scenario is useful for small implementations or small networks, whereas the central administration site scenario is useful for larger enterprises, especially those that need hierarchical or delegated management.

Site system roles

Within Configuration Manager, site system roles are used to define what tasks the various servers perform within a site. Site system roles shouldn’t be confused with role-based administration, which is also covered in this section. Table 1-7 describes some of the typical site system roles.

TABLE 1-7 Core site system roles

Role	Description
Component server	A basic service that is responsible for running Configuration Manager services. This role is automatically installed for all roles except the distribution point role.
Site database server	The server that runs the SQL Server database and is used to store information and data related to the Configuration Manager deployment.
Site server	The server from which the core functionality of Configuration Manager is provided.
Site system	The site system role is a basic role installed on any computer hosting a site system.
SMS Provider	Provides the interface between the Configuration Manager console and the site database. Note that the SMS Provider role can be used only on computers that are in the same domain as the site server.

Multiple site system roles typically run on a single server, especially in new or small implementations of Configuration Manager. Additional servers can be deployed as distribution points to ensure availability of software packages and related files or to provide those files at strategic locations. For example, you might place a distribution point close to a large number of client computers.

Aside from the core site system roles, other site system roles may be used. Table 1-8 describes some other site system roles.

TABLE 1-8 Additional site system roles

Role	Description
Application Catalog web service point	Responsible for providing information from the Software Library to the Application Catalog website.
Application Catalog website point	A website that displays available software from the Application Catalog.
Asset Intelligence synchronization point	Exchanges Asset Intelligence information with Microsoft.
Certificate registration point	New for System Center 2012 R2, this role provides for communication for devices using Simple Certificate Enrollment Protocol (SCEP) with Network Device Enrollment Service. This role cannot exist on the same server as the computer running Network Device Enrollment Service.
Distribution point	A role that holds software packages, updates, system images, and other files for clients to download.
Endpoint Protection point	Accepts Endpoint Protection license terms and configures default membership for Microsoft Active Protection Service.
Enrollment point	Enrolls mobile devices and Mac computers using public key infrastructure and also provisions Intel Active Management Technology computers.
Enrollment point proxy	Manages enrollment requests for mobile devices and Mac computers.
Fallback status point	Monitors client installation and identifies clients that can’t communicate with their management point.
Management point	A role that interacts with client computers to receive configuration data and send policy and service location information.
Out of band service point	Configures Intel AMT computers for out of band management.
Reporting services point	A role that creates and manages Configuration Manager reports. This role works with SQL Server Reporting Services.
Software update point	Together with Windows Software Update Services (WSUS), this role provides software updates to clients.
State migration point	Holds client user state data during migration to a new operating system.
System Health Validator point	Validates Network Access Protection (NAP) policies. The role must be installed on a NAP health policy server.
Windows Intune connector	Manages mobile devices with Windows Intune through the Configuration Manager console. This role is available with Service Pack 1 (SP1).

Operations Manager

System Center 2012 R2 Operations Manager provides monitoring capabilities to computers across an enterprise. The roles necessary within Operations Manager include those to create monitoring configurations, view and edit reports, and provide overall administration, among others.

Operations Manager uses many of the same concepts as other System Center products for rights delegation. Operations Manager uses user roles and role profiles which are then combined with a scope to produce the user role. For example, Operations Manager has several built-in user roles, called profiles in Operations Manager:

• Administrator
• Advanced Operator
• Application Monitoring Operator
• Author
• Operator
• Read-only Operator
• Report Operator
• Report Security Administrator

Each of these built-in user roles can be changed through its properties settings. The scopes can be changed, as can the tasks and dashboards and views available to the user role. This is illustrated in Figure 1-1.

Each of the built-in user roles can contain one or more local or Active Directory–based groups or users. For example, the Operations Manager Administrators user role (shown in Figure 1-1) contains the BUILTIN\Administrators group.

You can also create user roles within Operations Manager by using the Create User Role Wizard. When creating a new user role you first choose the type of user role on which the new user role will be based from among these choices:

• Operator
• Read-Only Operator
• Author
• Advanced Operator

Each of these profiles provides certain privileges that are connected to that profile. For example, the Author profile contains privileges specific to creating monitoring configurations.

Understanding self-service portal design using Service Manager

Maintaining an enterprise server infrastructure can be accomplished in a number of ways, but when considering management solutions that scale to large environments, the System Center 2012 R2 family of products comes to the forefront. For example, with Service Manager, you can create a self-service portal for end users, among other things. Service Manager provides incident and configuration management while enabling visibility into current issues. Service Manager uses a Configuration Management Database (CMDB) to provide a master location for all changes, issues, and requests for an infrastructure. Service Manager integrates with other System Center 2012 R2 products to provide an end-to-end solution.

At a minimum, there are three components to a Service Manager implementation: a management server, a configuration management database server, and the management console. Additional components can be added for things like data warehousing, which then facilitates reporting.

Using the self-service portal, users can find answers to common support questions, change their passwords, create help-desk tickets, and request software. When designing a management structure, you should consider deployment of the self-service portal to ease the burden on IT and the help desk for common requests. The end-user self-service portal requires a Silverlight component to run on the client computer and thus is applicable only to those platforms that can run Silverlight through the browser.

Delegating rights for the private cloud

System Center 2012 Virtual Machine Manager provides a centralized management console for virtual machines, such as those managed by Hyper-V. VMM manages virtual machines, networks, and storage as resources, which are then configured within the organization. A VMM deployment consists of a management server, database, library (and library server), and console.

Another component of managing the private cloud is App Controller. App Controller looks at service provision from a service-oriented view rather than from a server or software view. In other words, using App Controller you can connect the components that make up a service to facilitate management.

User roles can be created to manage various aspects of private cloud-based virtualization infrastructure. Virtual Machine Manager can be used to create such a delegation, and then App Controller can be used to manage the private cloud.

Rights are managed within the User Roles area of the Security section in the Settings area of Virtual Machine Manager. User roles can be created using individual user accounts or using Active Directory groups. The scope of the user role can then be assigned to the private cloud, as shown in Figure 1-2.

Members that have been assigned to the new user role will be able to log on to App Controller and manage private clouds within the user role scope.

An alternate method to assign access is by clicking Assign Cloud from the VMs and Services section in Virtual Machine Manager. Doing so enables you to select the user role to be assigned privileges for a given cloud or to create a new user role for the private cloud, as shown in Figure 1-3.

Objective summary

• User rights and built-in groups can be used to provide a robust administrative model.
• Certain user rights shouldn’t be assigned to users or groups but are instead used by system processes and functions.
• Built-in groups have certain user rights inherently assigned to them.
• System Center 2012 R2 can utilize a delegated administration structure that enables separation of responsibilities within an infrastructure.
• Security roles, security scopes, and collections are all used to facilitate the delegated administration structure necessary.
• Determining who, which and where, and what can be helpful for designing a delegation of role structure.
• Service Manager is used to provide end-user self service.
• Service Manager requires at least three servers to run including a management server, configuration management database server, and console.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which of the following permissions allows the currently logged on user to shut the computer down?

   1. SeShutdownComputer
   2. SeShutdownPrivilege
   3. SePrivilegeShutdown
   4. En_ShutdownComputerPermission

2. Which of the following is not a privilege of the built-in Backup Operators group?

   1. Shut down the system
   2. Create symbolic links
   3. Back up files and directories
   4. Allow logon locally

3. Which of the following roles provides the core functionality for System Center?

   1. Site server
   2. Component server
   3. Core server
   4. Site Core server

4. Which of the following are not built-in security scopes in Configuration Manager?

   1. All
   2. System
   3. Administrator
   4. Default