HOTSPOT
Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Click the Exhibit button.)
The membership of Group1 is shown in the Group1 exhibit.(Click the Exhibit button.)
You configure GPO1 to prohibit access to Control Panel.GPO1 is linked to OU1 as shown in
the GPO1 exhibit. (Click the Exhibit button.)
Select Yes if the statement can be shown to be true based on the available information;
otherwise select No. Each correct selection is worth one point.
Answer: 
Explanation:
Since user4 is not in organizational unit, the filtering the GPO does not apply to him.
References:
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
I disagree from this answer. In fact, user4 belongs to the OU, so GPO1 will be applied to him. I also disagree with the answers for user1 and user3, because the don’t be in OU1, so the policy will not apply to them even if the are included in a group which is part of OU1 (as user1) or if the are included in the Security Filtering panel (as user3). So IMHO, the answer must be YNYN.
0
0
It’s NNYY.
User1 and user2 are in group1. And group1 is in ou1 AND is listed in security filtering.
User3 is not in ou1.
User4 is not included in security filtering.
1
0
You are right : the answer is NNYY.
1-GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
2-Granting Read and AGP is not sufficient to ensure that the GPO is processed for a user or computer. The GPO also has to be linked to a site, domain or organizational unit containing the user or computer, directly or through inheritance.
3-A GPO with security filtering set to Read and AGP doesn’t necessarily apply to all security principals that have security filtering. It only applies to them if those user or computer objects are in the container or child container that is linked to the GPO.
4-The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.
https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
0
0
I agree with you Klaus, NNYY.
GPO1:
This GPO is ONLY linked to OU1.
The Security Filtering has REMOVED Authenticated Users (everyone), and has added Group1 and User3.
OU1 has:
Group1:
User1
User2
User4
User1: NO-User1 is Within OU1 AND is a part of (Group1). The GPO is linked to OU1, but applies to Group1/User3 EXCLUSIVELY.
I would also note that due to the group properties having User1 listed under contoso.com and not contoso.com/OU1, some may be confused. However, that just shows where the user is located. Regardless of User1’s location, it is still within Group1.
User2: NO-User2 is Within OU1 AND is a part of (Group1).
User3: YES-User3 IS listed under the Security Filtering of GPO1. HOWEVER, GPO1’s only active link is to OU1. Because User3 is not a member of OU1, the GPO is not applied.
User4: Yes-User4 is not in Group1, and is therefore not listed under the Security Filtering of GPO1.
Hope this helps!
0
0
I am going to take this exam in a few days, and I asked an expert GPO in our company and the answer is YNYN as User2 and User4 are in the OU1 folder which is linked to the GPO. While user1 is not and only in a group. And User3 is just in the WMI filter and not in the OU1 Folder.
This is how he explained it to me.
0
0
Oppps… I was wrong!!! it is YNYY!
He was right, I misunderstood!
1
0
I do in my lab , is YNYY
2
0
I Tested this one, ONLY user2 is affected!
WHY?:
Because there are 2 user accounts where GPO1 possibly can have an effect. Only User2 is member of Group1 so this leaves User4 of the hook!
User3 as stated by Manuel is NOT affected because it is not within OU1. The same goes for User3. If there was a User3 within OU1 it would be affected, but NOT in THIS case.
1
0
Klaus you are right!
User3 is not a member of OU1, so the policy does not apply to him
User4 is not in the security filtering
Only users 1 and 2 are in the OU and in the security filtering
answer is NNYY
0
0
The policy will apply to user3. User3 is not in OU1 but the security filtering of the GPO includes user3, which means user3 will be denied access. NNNY.
0
0
User3 will not get the GPO appied, since GPO’s only apply to Sites, Domains, or OU’s. User3 is not in the targeted OU1. So User3 is unaffected by the GPO and should be able to access Control Panel.
Additionally, User1 appears to have been created directly under the domain, contoso.com, and not within the OU1. So I do not see the GPO applying to User1, either.
So it looks to me that only User2 is prevented from accessing Control Panel.
YNYY
1
0
wow dude are you ever way off.
Navin is correct.
0
0
Dude…Navin is wrong..look below, I have posted detailed explanation
0
0
yeeees
filtriiiiing
0
0
The policy is not enforced which must means it not applied thus all users should be able to access?
0
0
Enforced means it will override blocked GPO inheritance.
0
0
The answer is N Y N N, just tested this on my lab. GP can only be linked to domain, site and OU. It doesn’t matter if user 1 is part of group1 as long as he isnt part of OU1, same goes for user 3. User 4 isnt part of the security filtering. So the GPO only applies to user 2.
0
0
When testing it out in our schools lab environment, the only user that can not access the control panel is User2. You can apply GPO’s to Site, Domain and OU. And in this case the GPO1 is applied to contoso.com/OU1 where User2 is placed in. As is User1 but user1 is added to the ‘root’ contoso.com, eventhough user1 is a member of Group1 it does not do effect anything. User3 does not specify if it is part of domainroot or users in the domain, but it is not part of the OU1, therefore the GPO1 does not seem to apply even if added to the Security filtering. User4 is added to the OU1, but has not been added to the Security filtering – therefore it does not effect this user either. When changing settings and adding all users to OU1, only User4 had access to the Control Panel.
So it is YNYY
2
0
YNYY
GPOs Don’t Apply to Groups Although you may wish it were so, a GPO cannot apply to an Active Directory security group object. The only two objects that a GPO setting can configure are computers and users. GPOs can’t configure objects via group membership. For example, if there is a GPO linked to the Finance OU, as shown in Figure 2 the only objects that will be affected by the setting are Derek and Frank. The settings in the GPO will not affect the members of the Marketing group, no matter who has membership in that group.
Target Object Must Be in the Path of the GPO When you notice that a GPO setting is not affecting an object as it should, there is one more important setting-the object must be in the Scope of Management (SOM) of the GPO. This means that the object must be located under the node where the GPO is linked (even a child node will be sufficient). For example, none of the objects in the Marketing OU will be affected by a GPO that is linked to the Finance OU, as shown in Figure 3. The SOM of a GPO is from the node where it is linked, down through the Active Directory structure.
https://technet.microsoft.com/en-us/magazine/2007.02.troubleshooting.aspx
0
0
step 1 : exhibit 1, GPO just link domain, site and ou
=> user2, user4.
step 2 : exhibit 3, security filtering
=> group1, user3.
exhibit 2, group1 contain user1 and user2
=>user1, user2, user3.
step3 : step 1 & step 2
=>(user2,user4) & (user1,user2,user3)
=>user2
=>YNYY
0
0
User 1 – Can access Control Panel
User 2 – Can not access Control Panel
User 3 – Can access Control Panel
User 4 – Can access Control Panel
Answer YNYY
Tested on home lab
0
0
What’s the actual answer here? There is very mixed answers…
0
0
ok, im gonna explain this for everyone…
a gpo applies to all the users in the ou it is linked to, UNLESS you remove the authenticated users group and add specific security groups in the Security Filter section in gpmc. then a user must be in the linked ou AND in the security filter.
sooo, the correct answer is no, no, yes, yes – as only group1 will have the gpo applied.
0
0
wups… meant to say – Yes, NO, Yes, Yes – as only User 2 is in the OU and in security filter
0
0
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
“…the user and/or computer must be in the group listed on the security filtering list, plus be in the OU (if the GPO is linked to the OU), in order to get the setting defined in the GPO.”
0
0
Answer: YNYY
Please read from Notes posted on https://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
“<>”
0
0
I literally just took this test about 90 minutes ago and this question was on there…
An important detail that’s missing is that User 3 is a member of Group 1.
I don’t believe that changes the YNYY scenario that everyone is mentioning.
0
0
I agree with YNYY
This is a good question, it tests your understanding Group Policy processing.
GPO1 is linked to OU1 = Only users in OU1 can be targeted
So, potentially User2 and User4 might get settings from the GPO, no-one else can be considered.
However security filtering on GPO1 limits who can get settings from it, if you’re not in Group1 or not User3, you cannot get settings from this policy.
User3 is not in the OU, and is already excluded form settings from GPO1.
So, are there any accounts in the OU that are a member of Group1?
Yes, User2 has an account in the OU, and is a member of the group that has the necessary permissions.
So, User2 alone will be prohibited from using control panel
0
0
OK…last word…thanks Hernan for good link…so
User1 -N
because: -User1 belongs to Group1
0
0
sorry…previous was accidental comment…please, read below
User1-N
——–
because: -User1 belongs to Group1
-Group1 belongs to OU1
-Group1 is mentioned in the security filter
From the notes from Herman:
“GPO… only applies to them if those user or computer objects are in the container or child container that is linked to the GPO.”
“Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO.”
User2-N
———-
because: -the same case as with User1 (see above, member of the Group1)
User3-Y
——–
because: -User3 does not belong to OU1
-User3 does not belong to Group1
– User3 is in the security filter, but it means nothing here
From the notes from Herman:
“GPO.. ONLY applies to them if those user or computer objects are in the container or child container that is linked to the GPO.”
“GPOs CANNOT be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units”
User4 -Y
———-
because: -User4 does belongs to OU1… BUT
-not mentioned in the security filter
From the notes from Herman:
“Using security filtering, you can specify that ONLY CERTAIN security principals WITHIN a container where the GPO is linked apply the GPO.”
0
0
Very mixed answers, What’s the actual answer here? as in what would the exam accept as the answer?
0
0
Definitely YNYY
0
0
That is wrong. The answer is NYNN
0
0
GPOs cannot be assigned to groups. Thus only users 2 & 4 can be targeted with GPO in OU1.
Even though groups cannot have GPOs assigned to them, they can be used in security filter. This means that security filter now defines users 1 & 2 & 3.
It is important to note that filter is applied to the OU1, not the whole domain. This means that filter is used to define to which user GPO will be applied among those users given in OU1 (user 2 & 4).
Thus, when we use these information (2 & 4) and (1 & 2 & 3), we can see that GPO will be applied only to User 2!
0
0
I am taking this exam on friday, I would like to know what the real answer is. Some people tested this and their answer doesnt match with the web site´s answer, nor the other replies from everybody. I am starting to think that this site can confuse people other than help us, is there anybody from this site that can grant the answer so we can pass the exam?
Thanks
0
0
Ok, tested and Randy’s reply helped me understand. The answer is YNYY
The only user that is in the OU where the GPO is applied AND is in the Security filter at the same time is User2. Which leads to the result: the only one not able to see Control Panel is user2
0
0
At first i thought the answer was NNNY, but just like you, after reading Randy’s reply i now understand this better. As the “Authenticated Users” link was removed from the security filtering, and only “Group 1” and “User 3” were added to that filter, the security filter is what prevails here. So, “user3” doesn’t belong to “OU1”, so he can access control panel. User 4 belongs to the OU1, but he is not included on the security filter (which is what prevails), so he can access control panel. As GPOs can’t be applied to groups, even though User 1 is included in Group1 and Group 1 is included in the security filtering, in this case isn’t considered, because GPOs are not applied to groups, so User1 can access control panel. The only user that is included in in both OU1 and the security filtering is User2, so he’s the only one who is denied access to control panel.
Correct answer is: YNYY
https://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
0
0
YNYY, Jesus Christ you lot should stop cheating and lean something!
0
0
I will stick with NNNY
0
0
YNYY. Home Lab!. Confirmed
0
0
Tested in Home Lab and results are Y N Y Y as per randy,yhawx,mslover and a couple more.
If you are not sure of a answere that is why you get 90 day trial of software, install it and
test it.
then you will get to know your product. dont build your hopes on passing from dumps, as helpfull as they are try installing the product.
This is a great site by the way just discovered it. 🙂
0
0
Before someone corrects my spelling it should be answer not answere
0
0
NYNN
Tested in my labo.
0
0
The correct answer is NNNY.
Explanation:
Since the GPO is security filtered, filtering only applies to {(Group 1 = User 1 and User 2) and User 3 is also security filtered}, leaving User 4 which is in the OU but because User 4 is not explicitly in the security filtering, it makes the GPO not apply to him.
0
0
YNYY.
GPO applies to OU1, which only contains user2 and 4. This already means user 1 and 3 do not get the policy (a gpo doesn’t apply to a group either, so user1 doesn’t get the GPO either).
However there’s also security filter. The security filtering applies to user 1, 2 and 3. Since user 1 and 3 didn’t get the GPO in the first place, only user2 gets the policy effectively.
As the policies prohibits accessing the control panel only user2 can’t access it.
0
0
YNYY. Tested this after all the confusion on this page.
The GPO is applying to the OU, so it will effect people inside it.
User1 is inside the group inside the OU, but will not apply to them as the user themself is not in the OU.
User2 is in the group, and inside the OU, so the policy applies to him.
User3 is not in the OU, so will not apply.
User4 is in the OU, but is not listed in the Filtering.
Remembering that GPOs take effect to computers/users lower in the chain from where it is applied, and as a result, User1/User3 are above the OU it is being applied to, so it does not effect them even though they are listed in the filtering.
Out of the 4 Users, User2 is the only one it applies to, as he is in the OU it is applied to, and his group is included in the filtering.
0
0
Tested…Results were:
User 1 Y
User 2 N
User 3 Y
User 4 Y
My explanation is the same as Brodie
0
0
PLEASE ATTENTION???????????????????????????????????????????????????
hey guys,
the answer is YNYY
Reasons:
1> Policy will be apply only on those objects which is specified in Security filter.
2> now see that we can just specify the objects which is also in that OU,
so in our case.
in security filter there is group1=(user1,user2) & user4 but the policy will be applied to onlu user2. why? because from user1,user2 and user4 only user2 is the member of OU1. others are outside of the OU1
CONCLUSION:
the policy will be apply to only those objects which are “COMMON” to (security filter list) & (the objects containing in OU1)
0
0
Hi
All you need to be sure is to test this in lab
All you need is an active directory with 4 user account and one group et voila !
0
0
YNYY – Tested in LAB.
GPO only applies to the objects specified in the Security filter and only to the members of the OU the GPO is attached to. Imagine User1 is part of another OU with another GPO attached to it, he would have multiple GPOs affecting his profile…
Who can access Control Panel?
– User1 Yes (not a member of OU1)
– User2 No (member of OU1 and in the Security Filtering list via Group1)
– User3 Yes (not a member of OU1)
– User4 Yes (not in the Security Filtering list)
0
0
I think the real question should be….
Should the I.T. admin that created the horrible mess and followed no organizational standards be fired?
A. Yes
B. Without a doubt
Real answer is YNYY
Will only apply to users in the ou.
Also tested on home lab.
0
0
Just went through this thread to verify my answer and you guys are confusing the hell out of me will all these different answers.
I would go with NNYY:
User1 is in Group1, Group1 is in OU1 & Security filtering. GP applies.
User2 is in OU1. GP applies.
User3 is not in OU1. GP does not apply.
User4 is in OU1 but not in Security filtering. GP does not apply.
Am I mistaking mistaking this in any way?
Thanks,
0
0
Bogdan, because User1 is connected to the OU through being nested in the group and GPOs do not apply to groups, User1 is not restricted by the GPO. User 2 is part of the security filtering and is located in the OU. User 3 is not in the OU, User 4 is in the OU, but is not targeted by the security filtering. After reading through these comments, it is apparent that some individuals are confusing what the GPO is doing, the GPO is removing access to the control panel.
Therefore, the answer of who has access to control panel is:
User 1: Yes
User 2: No
User 3: Yes
User 4: Yes
0
0
It seems that in my environment, authenticated users still needs read rights. Otherwise the policy will not apply to any of the users.
0
0
Holy hell People… YNYY
User 1: YES.
– The user resides in the domain OU, not OU1. GPO will not apply to it so they CAN access it.
User 2: NO.
– Is in OU1 and Group1. Even though Security filtering does not have User2 directly in it, it is a part of Group1 so the AD account will get the policy.
User 3: YES.
– Is not in the OU. Just because User3 is part of the security filtering, doesnt mean he is passed the policy. He has to be in the OU that the GPO resides in to get it.
User 4: YES.
– Even though User4 is in the OU, the security filtering bypasses the user.
Remember everyone, Security Filtering just ALLOWS the user to RECEIVE the policy BUT O-N-L-Y IF THE USER IS IN THE OU THE GPO RESIDES IN.
Users HAVE to be in the OU where the GPO is. GPOs are NOT passed through AD Groups.
Do not confuse Security Filtering and GPO Linking.
0
0
All 4 users have access to the control panel. security groups r not affected by GPO
0
0
It does when it’s in the OU and use security filtering.
0
0
After seeing so many different answers, I tested on my lab and it’s YNYY.
When you apply security filtering for specific user or group, it looks users that mentioned in the OU and security filtering. User1 and user3 aren’t in the OU1. User4 is in the OU1, but hasn’t been mentioned in the security filtering. Therefore, the policy is only applied user2 because it’s in the OU1 and also mentioned in the security filtering (group1)
0
0
Group Policy does NOT APPLY TO SECURITY GROUPS, only users, and computers IN an OU. Consequently, the only users in the OU are User2 and User4. Since the Security Filtering specifies that the policy will only apply to users/computers in the OU who are members of Group1 or User3, User4 will not have the policy applied. Since User2 is, in fact, a member of Group1, the policy will be applied to user 2. Thus, the only user who will not be able to access the control panel is User2. Same with User 3, he is not a member in any OU and as long as this group policy does NOT apply to users, so User 3 will have access to control panel as well. So the correct answer is YNYY
0
0