HOTSPOT
Your network contains an Active Directory domain named contoso.com.
Computer accounts for the marketing department are in an organizational unit (OU) named
Departments\Marketing\Computers. User accounts for the marketing department are in an
OU named Departments\Marketing\Users.
Marketing users can only log on to the client computers in the
Departments\Marketing\Computers OU.
You need to apply an application control policy to all of the marketing users.
Which Group Policy Object (GPO) should you configure?
To answer, select the appropriate GPO in the answer area.
Answer: 
Explanation:
References:
http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/hh967461 .aspx
http://technet.microsoft.com/en-us/library/ee461050.aspx
http://technet.microsoft.com/en-us/library/ee461044.aspx
GPO 3 is the answer. Application control is used for machines settings, so we must change the GPO over machine OU
0
0
How about this, Hernan?
“Can AppLocker rules be applied to specific users or groups?
Yes, rules can be created for specific users or groups. However, a rule can only apply to one user or one group. You can also create AppLocker rules to apply to all users (the Everyone group) and then apply that GPO to a specific computer group.”
https://technet.microsoft.com/library/ee619725%28v=WS.10%29.aspx
0
0
You cannot apply a “computer configuraton” policy to a user group. It has to be a workstation group.
0
0
I agree with the “you can’t apply computer config to a user group, but is “application control” computer configuration?
For “software restriction policies” this is definitely true > only computers.
For AppLocker this is not true > you can assign those policies to users.
https://technet.microsoft.com/en-us/library/ee449491.aspx
No clue what is the right answer as GPO3 is for SRP and GPO4 can be used with applocker. Even GPO2 is possible as that includes both marketing users and computers.
0
0
nvm, applocker policies still are in the “machine settings” branch, so you still need to apply the policies itself at the computer level. > GPO3.
0
0
see https://technet.microsoft.com/en-us/library/hh125923(v=ws.10).aspx
0
0
Hi floks
The secret why GPO3 is correct is this line:
“Marketing users can only log on to the client computers in the Departments\Marketing\Computers OU.”
This means that marketing users use only marketing computers
Marketing users cannot log into other department’s computers
So this is a question in where we have to consider efficiency, so why bother using GPO4 or GPO2 if we can simply use GPO3 on marketing computers and which make our work simple and clean
Regards
0
0
But then the sentence “You need to apply an application control policy to all of the marketing users” is misleading, because you apply it to the marketing computers. You have to remember that AppLocker configuration only applies to computer objects in a OU, but is targetted to a given group or user.
0
0
Welcome to Microsoft certs. It’s a fucking mindgame.
0
0
The answer is GP04.
The sentence “Marketing users can only log on to the client computers in the Departments\Marketing\Computers OU.” is a DISTRACTION, a tricky information.
0
1