Your network contains an Active Directory domain named contoso.com. You have a Group Policy
object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that
blocks an application named App1.
You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on
Computer1 contains an application control policy that allows App1.
You join Computer1 to the domain.
You need to prevent App1 from running on Computer1.
What should you do?

A. From Computer1, run gpupdate /force.
B. From Group Policy Management, add an application control policy to GP1.
C. From Group Policy Management, enable the Enforced option on GP1.
D. In the local Group Policy of Computer1, configure a software restriction policy.
Explanation:
AppLocker policies take precedence over policies generated by SRP on computers that are running
an operating system that supports AppLocker.
AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the
GPO and local AppLocker policies or policies generated by SRP.
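The precedence described above can be checked on the client itself. The following PowerShell is an added example, not part of the original question or its explanation; the App1 path is a hypothetical placeholder because the page does not say where App1 is installed.

```powershell
# Added example: run in an elevated PowerShell session on the client (Computer1).
# $App1Path is a hypothetical location; the page does not give one.
$App1Path = 'C:\Program Files\App1\App1.exe'

# 1. Which GPOs did the computer receive? GP1 should be listed after the domain join.
gpresult /r /scope computer

# 2. AppLocker rules are only enforced while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 3. List local AppLocker rules next to the effective (local + GPO merged) rules.
$rules = foreach ($scope in 'Local', 'Effective') {
    if ($scope -eq 'Local') { $policy = Get-AppLockerPolicy -Local }
    else { $policy = Get-AppLockerPolicy -Effective }
    foreach ($collection in $policy.RuleCollections) {
        foreach ($rule in $collection) {
            [pscustomobject]@{
                Scope       = $scope
                Collection  = $collection.RuleCollectionType
                Enforcement = $collection.EnforcementMode
                Action      = $rule.Action
                Rule        = $rule.Name
            }
        }
    }
}
$rules | Format-Table -AutoSize

# 4. Ask AppLocker what it would decide for App1 under the effective policy.
if (Test-Path -LiteralPath $App1Path) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $App1Path -User Everyone |
        Format-List FilePath, PolicyDecision, MatchingRule
} else {
    Write-Warning "App1 not found at $App1Path; adjust the placeholder path."
}

# 5. Show SRP path rules delivered by policy (level 0 = Disallowed, 262144 = Unrestricted).
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srpKey) {
    Get-ChildItem -Path $srpKey -Recurse |
        Where-Object { $_.Name -match 'CodeIdentifiers\\(\d+)\\Paths\\' } |
        ForEach-Object {
            [pscustomobject]@{ Level = $Matches[1]; Path = $_.GetValue('ItemData') }
        } | Format-Table -AutoSize
} else {
    Write-Output 'No SRP policy key present on this computer.'
}
```

If step 3 shows AppLocker rules in the effective policy and step 4 returns an Allowed decision for App1, any SRP path rule listed in step 5 is not the one being evaluated on this computer.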
What is SRP?
0
0
software restriction policy
0
0
B
0
0
Why not A? The policy is already there and we need to apply it to the new machine that has been added to the domain.
0
0
never mind
0
0
Hhhmmm… AppLocker policies do take precedence over SRPs, but I would have said “A” because:
Group Policy Precedence (Last Writer Always Wins):
* Local Policy
* Site Policy
* Domain Policy
* OU Policy
Since Computer1 was joined to the Domain and GPO1 is already linked to the Domain then the OU Policy will override the Local GPO (which was allowing the app).
0
0
Marc, you are contradicting yourself.
Since Computer1 was joined to the Domain and GPO1 is already linked to the Domain then the OU Policy will override the Local GPO, is equal to:
Since Computer1 was joined to the Domain and “software restriction policy that blocks an application named App1” is already linked to the Domain then “software restriction policy that blocks an application named App1” will override the “application control policy that allows App1”.
So: You need to create an “application control policy that allows App1” because this has been overwritten by “software restriction policy that blocks an application named App1”.
0
0
Marc, everyone, SORRY, I am contradicting myself; I had not read the question well.
I agree with you Marc, the correct answer seems to be A.
0
0
Why not C?
0
0
C is wrong because:
If you enforce a GPO then it does not allow any configurations which you have explicitly set to be overridden by any other policies that may be applied – e.g. if you create a setting in a GPO and link it to the domain and enforce it, that setting cannot be changed by another policy applied to the OU.
Enforced settings cannot be blocked with the “block policy inheritance” option either.
So: as GP1 is linked at the domain level and there is no other GPO that can overrule it, it is not necessary to enforce it.
0
0
So then,
the answer should be A and C.
As the computer is newly joined to the domain, for A: gpupdate /force is like retrieving the policy from the domain forcefully; the policy has already been configured.
To inherit that policy from the domain from time to time, you need to “C: enable the Enforced option on GP1.”
0
0
Guys – I found this…
https://technet.microsoft.com/en-us/library/ee791851.aspx
I think the answer is correct (B).
Look at the table, top row, 2nd column.
The question specifically says that the workgroup computer is a WINDOWS 8 machine with an application policy. It is then joined to the domain. That link I posted above, says that on a Windows 8 machine, LOCAL application policies supersede Software Restriction Policies (SRP) _even if they are applied through GPO_.
With that in mind, it means the Group Policy applied to the domain WILL NOT OVERRULE the local policy set on the WINDOWS 8 computer. So the answer given for this question is correct – to stop App1, you need to add an Application Control Policy to GPO1.
0
0
YOU ARE A GOD!!!!
0
0
The big question is:
when you add a computer to a domain, does the computer keep all its local policies, or are they all replaced by domain GPO?
I think they are all replaced.
If the question was something like “You have GP1 software restriction policy. Then you add Windows 8 computer to domain. Then you create local policy on the Windows 8 computer….” I’d answer B.
In this case I think the correct answer is A.
0
0
I’m on A as well, if someone cares 😉
0
0