Your network contains an Active Directory domain named contoso.com. You have a Group Policy object (GPO)
named GP1 that is linked to the domain. GP1 contains a software restriction policy that blocks an Application
named App1.
You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on Computer1
contains an Application control policy that allows App1.
You join Computer1 to the domain.
You need to prevent App1 from running on Computer1.
What should you do?
A.
From Group Policy Management, add an Application control policy to GP1.
B.
From Group Policy Management, enable the Enforcedoption on GP1.
C.
In the local Group Policy of Computer1, configurea software restriction policy.
D.
From Computer1, run gpupdate /force.
I’m not so good with applocker. Can anyone confirm it’s not gpupdate? I’m not sure if this application control policy will force the ex-workgroup computer to use the app control policy.
0
0
I think it’s C. The precedence is local -> site -> domain -> OU.
So if there are conflict settings, the local GPO will win
0
2
The precedence is correct:
1. Local
2. Site
3. Domain
4. OU
But, the last policy wins.
So, the Policy in the OU always rewrites the previously configurations (Doamin, Site and Local).
For this reason the answer is D.
http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/15/understanding-the-structure-of-a-group-policy-object-part-2.aspx
1
0
The answer should be D, because GP1 will be applied at last and will win if there is a conflict!
1
0
Excuse me! I made a mistake!
The correct answer is A. Because AppLocker (Application Control Policy ACP) is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
http://technet.microsoft.com/en-us/library/hh994614.aspx
3
0
thanks
u r good
0
0
I agree. The answer should be A, although this is a horribly worded question.
GPO’s are applied at computer startup and user logon. The question states that the computer is joined to the domain, which implies that it is rebooted. The reboot would apply the computer-based GPO settings for GP1. When a user logs on, then the GP1 user-based settings would be applied.
Therefore, there is no need to use GPupdate /force and by process of elimination we are left with A.
0
0
It´s D
0
1
http://technet.microsoft.com/en-us/library/ee791851.aspx
Answer is A
AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker
AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.
0
0
I’m not sure of the answer but want to point out that in your link is states:
“they should not be implemented in the same GPO”
Therefore: shouldn’t add an Application control to GP1 because it contains a software restriction policy.
Or according to the link, are they just trying to saying “you can but you shouldn’t”
If possible, please can somebody supply some clarity?
Like my name states, i’m just…
0
0
Once it joins the domain the local policies are negated and the domain policies are picked up (after gpupdate)Answer should be D (also found in other dumps)
0
0
Answer is A
0
0
Please justify your response,
0
0
“Local AppLocker policies supersede any SRP policies applied through the GPO.”
So you have to have GPO applocker superseding local applocker and it’s the only way.
So, you create an entry in GPO application control policies.
http://technet.microsoft.com/en-us/library/ee791851%28v=ws.10%29.aspx
So,the answer is;
A.
From Group Policy Management, add an Application control policy to GP1.
0
0
In this case, gpupdate doesn’t do any because applocker(no matter local or gpo) always supercedes Software restriction policy. This makes sense. Applocker is pretty new and is independent from previous software restriction mechanism. So, old SRP can not supersede applocker no matter it’s by gpo or local.
0
0
Another important thing about applocker.
As Hasan said above,
when applocker is used, ALL SRP entries are negated(ignored). This is because when you create any entry in Applocker, by default it blocks all apps and only certain common windows related apps.
0
0
Surely the answer is C as GPO1 is applied is linked to the domain, and Computer 1 is a workgroup computer not linked to the domain?
0
0
A
0
0
It’s A. The Applocker policy applied at the Windows 8 Local Policy is still going to apply since there is no Site/Domain/OU to overwrite the AppLocker policy. Remember last GPO to write wins.
Remember it’s a SRP (Software Restriction Policy)on the domain. Two different things and the AppLocker Policy will take precedence.
You ARE NOT going to apply gpupdate /force. Group Policy will run when the Win8 machine logs into the domain.
0
0
Ok. If the answer is “A” what about the statement “GP1 contains a software restriction policy that blocks an Application named App1.”
Answer A says: From Group Policy Management, add an Application control policy to GP1.
So, we are going to have 2 (two) Applocker policies in the same OU?
0
0
See Grant’s comment.
Application control policy’s take precedence over software restriction regardless of GPO processing order.
0
0
I tried to recreate the question.
It shows that its D. gpupdate /force
after i joined the Computer1 to the domain , its no longer allowing the application control policy that i made in the Computer1.
I did not create any applocker in the AD
0
0
or is it From Group Policy Management, add an Application control policy to GP1 because this is the best practice?
0
0