PrepAway - Latest Free Exam Questions & Answers

You need to configure GPO1 to apply to all of the users in OU1

Your network contains an Active Directory domain named contoso.com.
You have a Group Policy object (GPO) named GPO1 that contains several user settings. GPO1 is
linked to an organizational unit (OU) named OU1.
The help desk reports that GPO1 applies to only some of the users in OU1.
You open Group Policy Management as shown in the exhibit. (Click the Exhibit button.)

You need to configure GPO1 to apply to all of the users in OU1.
What should you do?


A. Modify the Security settings of GPO1.

B. Disable Block Inheritance on OU1.

C. Modify the GPO status of GPO1.

D. Enforce GPO1.

Explanation:
Inheritance is blocked, but that affects only policies applied ABOVE the given OU, not one linked
directly to it (as is the case with GPO1). Enforcing a policy only causes it to be applied even when
inheritance is blocked (which, as mentioned, makes no difference for policies that are linked
directly to the OU). That means there must be something in the security settings (such as a
security group that does not have the “Read” or “Apply group policy” permission) preventing the
policy from being applied to ALL of the users in OU1. (GPO status is the status of its replication
within the forest, so it is not relevant here.)
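
The check described in the explanation, as an added example that is not part of the original page: a read-only PowerShell audit that lists GPO1's security filtering and reports which users in OU1 hold the “Apply group policy” permission through their group memberships. It assumes the RSAT GroupPolicy and ActiveDirectory modules and that OU1 sits directly under the domain root (the distinguished name is an assumption).

```powershell
# Added example: read-only audit of why GPO1 reaches only some users in OU1.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'GPO1'
$ouDn    = 'OU=OU1,DC=contoso,DC=com'   # assumed DN for OU1

# Link state and Block Inheritance on the OU (neither filters a directly linked GPO per user).
$inh = Get-GPInheritance -Target $ouDn
$inh.GpoLinks | Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, Enabled, Enforced
"Block Inheritance on OU1: $($inh.GpoInheritanceBlocked)"

# Security filtering: every trustee on the GPO and the permission it holds.
$perms = Get-GPPermission -Name $gpoName -All
$perms | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied

# Only trustees with an allowed GpoApply entry receive the user settings.
$applySids = @($perms |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    ForEach-Object { $_.Trustee.Sid.Value })

# For each user in OU1, compare the SIDs in the logon token with those trustees.
$report = foreach ($u in Get-ADUser -Filter * -SearchBase $ouDn) {
    $tg   = (Get-ADUser -Identity $u.DistinguishedName -Properties tokenGroups).tokenGroups
    $sids = @($tg | ForEach-Object { $_.Value }) + $u.SID.Value + 'S-1-5-11'  # S-1-5-11 = Authenticated Users
    [pscustomobject]@{
        User    = $u.SamAccountName
        Applies = [bool]($sids | Where-Object { $applySids -contains $_ })
    }
}
$report | Sort-Object Applies, User | Format-Table -AutoSize

# Remediation matching answer A (left commented so the audit changes nothing):
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
```

Users listed with Applies = False are the ones the security filtering excludes; trustees shown with a custom permission set need a manual look at the GPO's Delegation tab.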

11 Comments on “You need to configure GPO1 to apply to all of the users in OU1”

  1. ITNavigator says:

    It is D.

    “A blue exclamation point that’s displayed next to an OU container in GPMC indicates that the container has Block Inheritance enabled, which means that settings made to parent containers aren’t applied to the OU”.




  2. a.l.i says:

    @ITNavigator, as you said “Setting made to parent containers aren’t applied” but this setting is applied directly to OU1 container so it has nothing to do with enforce. The answer is A and this is a silly question!




  3. John says:

    I verified with other dumps and preps and it seems to be A; however, in this case a word is missing. Option A should be “modify security FILTERING settings”,
    in which you can adjust from the authenticated users to apply only to a specific set of users.




  4. Jacky says:

    The answer is A.

    ======================

    Very detailed explanation from nick JD is here.

    http://www.aiotestking.com/microsoft/you-need-to-configure-gpo1-to-apply-to-all-of-the-users-in-ou1/#comment-1348384

    JD
    August 23, 2015 at 7:36 pm

    First thing is the Blue Exclamation = Organizational unit with inheritance blocked.

    Then you need to know what Enforcement is (the ability to specify that a GPO should take precedence over any GPOs that are linked to CHILD containers)

    Lastly Link Enabled means the settings in the Group Policy Object will be applied to the object to which it has a link

    A. would equal settings forced to containers below the OU1, so this does not apply here, all the users are in OU1

    D. would allow any settings from GPOs above to be applied to OU1, so settings from the default domain policy would get pushed down, we don't want that

    B. Here are the different status of a GPO (The status of a GPO is Enabled by default)
    — (Enabled)
    Allows processing of the policy object and all its settings.

    — (All Settings Disabled)
    Disallows processing of the policy object and all its settings

    — (Computer Configuration Settings Disabled)
    Disables processing of Computer Configuration settings. This means that only User Configuration settings are processed.

    — (User Configuration Settings Disabled)
    Disables processing of User Configuration settings. This means that only Computer Configuration settings are processed.

    None of those seems to fit, that leaves only one thing

    Correct Answer
    C. Modify the Security settings of GPO1
    https://technet.microsoft.com/en-us/library/Cc960657.aspx

    Under that you would find Restricted Groups Policies

    You can define Restricted groups policies to manage and enforce the membership of built-in or user-defined groups that have special rights and permissions. Restricted Groups policies contain a list of members of specific groups whose membership are defined centrally as part of the security policy. Enforcement of Restricted Groups automatically sets any computer local group membership to match the membership list settings defined in the policy. Changes to group membership by the local computer administrator are overwritten by the Restricted Groups policy defined in Active Directory.

    Restricted Groups can be used to manage membership in the built-in groups. Built-in groups include local groups such as Administrators, Power Users, Print Operators, and Server Operators, as well as global groups such as Domain Administrators. You can add groups that you consider sensitive or privileged to the Restricted Groups list, along with their membership information. This allows you to enforce the membership of these groups by policy and not allow local variations on each computer.



