DRAG DROP
Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2.
The domain contains an organizational unit (OU) named OU1. OU1 contains an OU named
OU2. OU2 contains a user named user1.
User1 is the member of a group named Group1. Group1 is in the Users container.
You create five Group Policy objects (GPO). The GPOs are configured as shown in the
following table.
The Authenticated Users group is assigned the default permissions to all of the GPOs.
There are no site-level GPOs.
You need to identify which three GPOs will be applied to User1 and in which order the GPOs
will be applied to User1.
Which three GPOs should you identify in sequence?
To answer, move the appropriate three GPOs from the list of GPOs to the answer area and
arrange them in the correct order.
Answer: See the explanation.
Explanation:
Box 1: GPO2
Box 2: GPO4
Box 3: GPO5Note:
* First at the domain level (GPO2), then at the highest OU level GPO4, and finally at the OU
level containing user1 GPO5.
Incorrect:* Read and Apply group policy are both needed in order for the user or computer to receive
and process the policy
Not GPO1: Group1 has Deny Apply Group Policy permissions on GPO1.
Not GPO3: Group1 has Deny Read permissions on GPO3.
GPO2 and GPO4 are disabled.
* When a Group Policy Object (GPO) is enforced it means the settings in the Group Policy
Object on an Organization Unit (which is shown as a folder within the Active Directory Users
and Computers MMC) cannot be overruled by a Group Policy Object (GPO) which is link
enabled on an Organizational Unit below the Organizational Unit with the enforced Group
Policy Object (GPO).
* Group Policy settings are processed in the following order:
1 Local Group Policy object
2 Site.
3 Domain
4 Organizational units
GPOs that are linked to the organizational unit that is highest in the Active Directory
hierarchy are processed first, then GPOs that are linked to its child organizational unit, and
so on. Finally, the GPOs that are linked to the organizational unit that contains the user or
computer are processed.
test
0
0
Can someone explain this to me? I thought using enforcement means that even sub-GPO’s cannot overrule their upper/same level GPO.
I thought that GPO1 would overrule GPO2 on domain level. As for OU1, I would think that GPO3 would win over GPO4 as it overrules the “link enabled” GPO3.
For GPO5 I can understand it completely. I tried looking it up online, but it seems I am missing something?
0
0
GPO1 and GPO3 are out of the equation due to the additional permissions for Group1:
-GPO1 – Group1 has Deny apply group policy permission
-GPO3 – Group1 has Deny Read permission
Order of Group Policy application:
Local
Site
Domain
OU
Based on the above:
GPO2 – Will apply first due to it being linked to the Domain contoso.com
GPO4 – Will apply next due to it being linked to OU1
GPO5 – Will apply last due to OU2 being a Sub-OU of OU1
Hope that helps
11
0
perfect explanation. thanks
0
0
Thanks
0
0
But group 1 is not inside OU1 and it is in Users default OU!?
0
0
This confused me also, I think it’s looking for in what order the policies get applied/processed which is always the same; not the priority order.
0
0
enforced policies can’t be overridden by policies on lower levels. But the lower level policies are still “applied”, they just don’t override policies that are configured in enforced policies (but do override settings that are “not configured”).
0
0
edit: they just don’t override SETTINGS that are configured in enforced policies
0
0
Indeed GPO are processed in LSDO. Enforced rules are added last in reverse order. Therefore.
LSDO then Enforced rules UDS.
Regardless if a rule is enforced GPO permissions still apply therefore deny read on an enforced rule blocks it from being applied.
0
0
Correction ^ UDS should read ODS
0
0
This is deny read for group1, for example it make the user who is in group1 unable to read gpo, why would it be prevented from being enforced??
0
0
Answer:
Security Filtering Under the Hood
Though we can certainly add and remove users, computers and groups from the securtiy filtering window in the GPMC, it’s also helpful to know what’s actually happening under the hood when we do this.
In order for a GPO to apply to an object, that object must have two rights over that GPO. These are:
Read
Apply Group Policy
0
0
Answer correct.
For explanation please read article:
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/15/understanding-the-structure-of-a-group-policy-object-part-2.aspx
0
0
Thanks
0
0