PrepAway - Latest Free Exam Questions & Answers

What should you include in the design?

Your network contains an Active Directory domain named contoso.com. The domain
contains an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1
contains custom security settings.
You need to design a Group Policy strategy to meet the following requirements:
The security settings in GPO1 must be applied to all client computers.

Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers
in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.


A.
Enable the Block Inheritance option at the domain level. Enable the Enforced option on
GPO1.

B.
Enable the Block Inheritance option on OU1. Link GPO1 to OU1.

C.
Enable the Block Inheritance option on OU1. Enable the Enforced option on all of the
GPOs linked to OU1.

D.
Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.

9 Comments on “What should you include in the design?”

  1. theMSguy says:

    I don’t think D is the right answer. When inheritance is blocked, GPO1 is no longer linked to OU1. You need to link it to OU1 first, which is answer B. Enforcing is not an option because other GPO’s linked to OU1 must be applied as well.




    1. Tech1 says:

      The question states that GPO1 is linked to the domain and contains settings that must be applied to all client computers so you would block inheritance on OU1 to stop any other GPO’s being applied and enforce GPO1 so that only that policy is applied from above OU1, then only GPO1 and the other policies that are already linked to OU1 will be applied.

      D is correct.

      http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/15/understanding-the-structure-of-a-group-policy-object-part-2.aspx




      1. Chriss says:

        Yes, the correct answer is D

        * You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

        * GPO links that are enforced cannot be blocked from the parent container.




  2. Bill Gates says:

    In a lab, both B & D achieve the desired result…. for OU1, but the question says “More than one answer choice may achieve the goal. Select the BEST answer.”

    B) Enable the Block Inheritance option on OU1. Link GPO1 to OU1.
    > Whilst this works for OU1, it does not meet the requirement “The security settings in GPO1 must be applied to ALL client computers” for any other OU’s, etc…

    D) Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1
    > This blocks any other GPO’s above OU1. Allows any GPO’s linked to OU1 and the “Enforced option on GPO1” also makes sure that OU1 gets the required Security Settings… Likewise, as it is enforced ALL / Everything below the Domain will get GPO1…

    Answer D




  3. bbyipp says:

    C should be the answer – enforce all GPOs linked to OU1
    because the second requirement: “Only GPO1 AND OTHER GPOs that are linked to OU1 must be applied to the client computers in OU1”
    So,
    action 1 – block inheritance to prevent any GPOs from being applied
    action 2 – enforce all GPO directly linked to OU1 (including GPO1)

    Any comment?




    1. S says:

      Yes, answer is D.
      Block inheritance does not count for the GPO’s directly linked to the OU. Enforced option for all GPO’s does not accomplish anything besides more administrative effort




  4. RayOrbison says:

    B; Enable the Block Inheritance option on OU1. Link GPO1 to OU1.

    This answer isn’t popular here but it also works; however, we are asked to choose the “best” answer. These questions are simply bad form since “best” can be subjective and in this scenario, would likely boil down to the rest of the AD design.

    Answer B works best (IMO) because you can link a GPO to multiple separate OU’s – so you link GPO1 to OU1 as well as leaving it linked to the domain, and then block inheritance on OU1. This solution achieves the goal and the new settings only impact the target, OU1.

    D: Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.

    Whilst this answer is popular and certainly works, by enforcing GPO1 at the domain level you could be applying GPO1 to unintended targets, member servers for example. By enforcing GPO1 at this level you may be bypassing any additional ‘block inheritance’ settings within your AD setup.

    Therefore I prefer answer B since it is a very targeted approach, answer D is a scattershot and consideration of the rest of the AD structure would need to be made.




    1. bootywhiteteeth says:

      I agree with your answer. The question states that “The security settings in GPO1 must be applied to all CLIENT computers.”

      The key word here being CLIENT. If you enforce it at the domain level, these settings will be enforced on all computers (Server and client).

      B is my answer of choice.
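
The Block Inheritance / Enforced interaction debated in this thread, as an added example that is not part of the original page or any commenter's post: a simplified Python model that computes which GPOs reach each OU under options A to D and checks them against the two requirements. `DomainBaseline`, `OU2`, `OU1-Settings` and `OU2-Settings` are hypothetical names; sites, security and WMI filtering, link order and the client/server distinction are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    parent: "Container" = None
    block_inheritance: bool = False
    links: list = field(default_factory=list)  # (gpo_name, enforced) pairs

def applied_gpos(ou):
    """GPOs reaching computers in `ou`: its own links, plus links on parent
    containers that are Enforced or not cut off by Block Inheritance below."""
    result, blocked, node = set(), False, ou
    while node is not None:
        for gpo, enforced in node.links:
            if enforced or not blocked:
                result.add(gpo)
        blocked = blocked or node.block_inheritance
        node = node.parent
    return result

def build(option, ou2_blocks=False):
    # Constructed sample directory: GPO1 plus one other GPO linked at the domain.
    domain = Container("contoso.com", links=[("GPO1", False), ("DomainBaseline", False)])
    ou1 = Container("OU1", domain, links=[("OU1-Settings", False)])
    ou2 = Container("OU2", domain, ou2_blocks, [("OU2-Settings", False)])
    if option == "A":    # block at domain level, enforce GPO1
        domain.block_inheritance = True
        domain.links[0] = ("GPO1", True)
    elif option == "B":  # block on OU1, add a second GPO1 link on OU1
        ou1.block_inheritance = True
        ou1.links.append(("GPO1", False))
    elif option == "C":  # block on OU1, enforce the links already on OU1
        ou1.block_inheritance = True
        ou1.links = [(gpo, True) for gpo, _ in ou1.links]
    elif option == "D":  # block on OU1, enforce the domain link of GPO1
        ou1.block_inheritance = True
        domain.links[0] = ("GPO1", True)
    return ou1, ou2

def meets_requirements(option, ou2_blocks=False):
    ou1, ou2 = build(option, ou2_blocks)
    gpo1_everywhere = all("GPO1" in applied_gpos(ou) for ou in (ou1, ou2))
    ou1_only_expected = applied_gpos(ou1) == {"GPO1", "OU1-Settings"}
    return gpo1_everywhere and ou1_only_expected

if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, meets_requirements(opt), meets_requirements(opt, ou2_blocks=True))
```

In this model B and D both pass while no other OU blocks inheritance; once the hypothetical OU2 also has Block Inheritance set, only the enforced domain link in D still delivers GPO1 there.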



