Your network contains an Active Directory domain named contoso.com. All user accounts are in an
organizational unit (OU) named Employees.
You create a Group Policy object (GPO) named GP1. You link GP1 to the Employees CU.
You need to ensure that GP1 does not App1y to the members of a group named Managers.
What should you configure?
A.
The Security settings of Employees
B.
The WMI filter for GP1
C.
The Block Inheritance option for Employees
D.
The Security settings of GP1
Explanation:
A: Wrong Group
B: Windows Management Instrumentation (WMI) filtersallow you to dynamically determine the scope of
GroupPolicy objects (GPOs) based on attributes of the target computer.
C: Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains,
ororganizational units from being automatically inherited by the child-level. D: Set Managers to – Members of
this security group are exempt from this Group Policy object.
Security settings.Youuse the Security Settings extension to set security options for computers and userswithin
the scope of a Group Policy object. You can define local computer, domain, and network securitysettings.
Figure belows shows an example of the security settings that allow everyone to be affected by this GPO
exceptthe members of the Management group, who wereexplicitly denied permission to the GPO by settingthe
App1yGroup Policy ACE to Deny. Note that if a
member of the Management group were also a member of a groupthat had an explicit Allow setting for the
App1y Group Policy ACE, the Deny would take precedence and theGPO would not affect the user.
http://technet.microsoft.com/en-us/library/bb742376.aspx http://technet.microsoft.com/en-us/library/cc786636
(WS.10).aspx http://technet.microsoft.com/en-us/library/cc731076.aspx http://technet.microsoft.com/en-us/
library/cc779036(v=ws.10).aspx
Excellent site you have here.. It’s difficult to find high-quality writing like yours
these days. I seriously appreciate people like you!
Take care!!
0
0
Confirmed, D is correct.
Open the GPMC
Select the GPO
Click on the delegation tab
Click on Advanced
Add the Managers group to be excluded and click on OK
Check the read “Deny” and Apply Group Polcy “Deny” and click on apply.
Now that GPO will be not applied on the Managers group.
0
0
d
0
0
D. The Security settings of a GPO is one step in a 3 step process of determining whether a GPO will apply to a given user/computer
Phases of GPO
1. Scope – Is the GPO linked to a domain/site/OU/group such that it will apply to a user/computer account?
2. Security filtering – GPOs have security settings that state whether a group/user has the permissions required to have the GPO applied. A user/computer must have at least ‘Read’ and ‘Apply group policy’ permissions.
3. WMI filtering – Write queries that target CIM (common information model) objects residing on the target computer. Those queries evaluate to true or false. WMI queries are bound to GPOs. Depending on whether a query evaluates to true will determine whether a given user/computer account has the GPO applied.
If the GPO passes all 3 phases, then the GPO is sent to the target computer, where Client-Side Extensions (CSE) performs the tasks of applying the GPO. This means making configuration changes to the registry, firewall, local group membership, etc.
0
0