PrepAway - Latest Free Exam Questions & Answers

You need to apply desktop restrictions to the Sales Executives group

Your company has an Active Directory domainthat has an organizational unit namedSales.
The Sales organizational unit contains two global security groupsnamed Sales Managersand Sales
Executives.
You need to apply desktop restrictions to the Sales Executives group.
You must not apply these desktop restrictions to the Sales Managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?

PrepAway - Latest Free Exam Questions & Answers

A.
Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

B.
Configure the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO.

C.
Configure the Allow Apply Group Policy permissionfor Authenticated Users on the DesktopLockdown GPO.

D.
Configure the Deny Apply Group Policy permission for the Sales Managers on the DesktopLockdown GPO.

Explanation:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computeraccounts,
or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational
unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although
you may not want those policy settings to also apply to administrator accounts or to other specific users or
groups.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common question I see on the forums fromtime to time is how to exclude a user and/or a computer
from having a Group Policy Object (GPO) applied. This is a relatively straight forward process howeverI should
stress this should be used sparingly and should always be done via group membership to avoid the
administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation”
tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having
this policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in
the “Group or user names” list and then scroll downthe permission and tick the “Deny” option against the
“Apply Group Policy” permission.

Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied.
Having a security group to control this exception makes it much easier to control as someone only needs to
modify the group membership of the group to makes changes to who (or what) get the policy applied. This
makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant
them permission to the Group Policy Objects.


Leave a Reply