Your network contains an Active Directory domain named contoso.com.
An organizational unit (OU) named OU1 contains useraccounts and computer accounts.
A Group Policy object (GPO) named GP1 is linked to the domain. GP1 contains Computer Configuration
settings and User Configuration settings.
You need to prevent the User Configuration settingsin GP1 from being App1ied to users. The solution must
ensure that the Computer Configuration settings in GP1 are App1ied to all client computers.
What should you configure?
A.
The Group Policy loopback processing mode
B.
The Enforced setting
C.
The Block Inheritance feature
D.
The GPO Status
Explanation:
A: Group Policy loopback with replace option needs to be used B: Blocking inheritance prevents Group Policy
objects (GPOs) that are linked to higher sites, domains, ororganizational units from being automatically
inherited by the child-level C: Enforced prevent blocking at lower level
D: The GPO Status. This indicates whether either the user configuration or computer configuration of the
GPOis enabled or disabled.
You can use the Group Policy loopback feature to App1y Group Policy Objects (GPOs) that depend only
onwhich computer the user logs on to.
User Group Policy loopback processing can be enabled in one of two modes: merge or replace. In mergemode,
both GPOs App1ying to the user account and GPOs App1ying to the computer account are processedwhen a
user logs in. GPOs that App1y to the computer account are processed second and therefore takeprecedence if
a setting is defined in both the GPO(s) App1ying tothe user account, and the GPO(s) App1yingto the computer
account, the setting in the GPO(s) App1ying to the computer account will be enforced. With thereplace mode,
GPOs App1ying to the user account are not processedonly the GPOs App1ying to thecomputer account are
App1ied.
Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set
toMerge or Replace. In either case the user only receives user-related policy settings.
Loopback with Replace–In the case of Loopback withReplace, the GPO list for the user is replaced in
itsentirety by the GPO list that is already obtained for the computer at computer startup (during step2 in
GroupPolicy processing and precedence). The User Configuration settings from this list are App1ied to the
user.
Loopback with Merge–In the case of Loopback with Merge, the Group Policy object list is a concatenation.
The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for thecomputer
(obtained during computer startup) is appended to this list. Because the computer’s GPOs are processed
afterthe user’s GPOs, they have precedence if any of the settings conflict.
This is a COMPUTER setting, which is found under Computer Configuration |
Administrative Templates |
System | Group Policy | User Group Policy Loopback Processing Mode You want to create a new OU in AD that
is dedicated to computer accounts that will have loopbackprocessing enabled.
Create a new GPO in your new OU to enable User Group Policy Loopback Processing and set theappropriate
mode (merge / replace).
You will define the user settings you want to App1yto the loopback-enabled PCs via GPOs in this same
newOU. You can define these settings either in the same GPO where you enabled the User Group
PolicyLoopback Processing setting, or you create another new GPO in the same OU for your user settings.
Remember that when using the REPLACE mode, none of your other user GPOs will be App1ied whena user
logs in to a machine that has loopback processing enabled. ONLY the user settings that aredefined in the
GPOs that App1y to that machine will be App1ied.
http://msmvps.com/blogs/cgross/archive/2009/10/12/group-policy-loopback- processing.aspx
http://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx http://technet.microsoft.com/en-us/library/
cc731076.aspx http://technet.microsoft.com/en-us/library/cc753909.aspx http://technet.microsoft.com/en-us/
library/cc778238%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/magazine/dd673616.aspx
This answer doesn’t make sense to me.
“When enabled, user settings from GPOs applied to the computer apply to the logged on user.”
– http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
If this is true, the users would get the settings from GP1 anyway as the GPO applies to the computer, so it will apply to the user?
In this case, I believe it to the the GPO status, (D).
– http://technet.microsoft.com/en-us/magazine/dd673616.aspx
correct is D beecoz An organizational unit (OU) named OU1 contains useraccounts and computer accounts.
Answer is A as it is, I think
There’s a nice article about GPO Loopback Mode, both Merge mode and Replace mode, explanation. Read it and you’ll choose Answer A;
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
In addition, Block inheritance blocks both user and computer configuration, the senario wants to keep computer settings still applied to the client computers.
Also, Enforce is used in upper GPO to force to apply its own GPO to child OUs. It also doesn’t distinguish user or computer settings.
This task is possible to achieve using GP Loopback Mode, and among the loopback, specifically ‘Replace mode’. There are two modes, merge and replace. Replace mode replaces all user configuration of upper GPO applied to itself. Actually the OU with loopback replace mode enabled, it skips any user configurations inherited from upper GPOs, but it applies the user configuration of its own GPO to all users whoever logs into the computer. It’s usually used for Kiosk , library type computers’ OUs. Confusing? Read the link.
Reading the question again, I think GPO Status is the correct answer.
Question says ‘You need to prevent the User Configuration settingsin GP1 from being App1ied to users’.
Both GPO Status and Lookback mode allows to prevent user settings being applied to users. However, the question seems it wants to achieve the result only working with the GP1, not creating a new GPO. So, changing GPO status property of GP1, it can accomplish the result.
If you want to use loopback with replace mode, you have to create a new GPO on OU1 to apply.
However GPO1 is linked to the domain. So, you can’t change status only for UO1. The answer is really C.
Sorry, answer is A.
I´ve beein wondering, how it could ever be Answer A. “The loopback processing mode” and I am absolutelly sure it is NOT correct. The correct answer definitelly is D. The GPO Status.
First of all, the goal is, that Computer configuration IS applied, while User confuguration shall NOT be applied, so the very easiest way to achive that is simply by deactivating the User configuration in the GPO Status.
I tried to find out, why so many people insist, that answer A. is correct and I think I´ve found out the reason. Specially in response to “han”, who posted the follwing article about the loopback processing mode, I can tell the the cause for the misunderstanding.
Here is the link to the article again:
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
The Thing is, that it is mentioned there, that the user configuration is not applied, if the loopback processing mode is used, but this is ment to be the User configuration of the GPO set on the GPO, were the user account is in. Instead the Computer configuration would be applied. Yes, but the User Configuration of the GPO used for the Computer configuration is applied in this case.
To state this more clearly, let´s say we have a GPO with both, a Computer configuration as well as a User configuration as stated in the question. This GPO is linked to the Domain, so it will be applied to all Users and all Computers in the Domain, no matter where these accounts are, in OU1 or in any other OU. In the exam question it is asked, that Computer configuration is applied to all Computers, but User configuration must not be applied to any Users. The only way to achive this, is to Change the GPO Status, so that the User configuration is deactivated. That´s it.
The loopback processing mode is only relevant, if User Accounts and Computer Accounts are in different OUs and further more, if there are different OUs for different Computers, where one User may log on.
So let´s say we have the following Scenario:
There is one OU called USERS for all Users in a Domain.
There are two OUs for different types of Computers, called SERVERS and LAPTOPS in this Domain, where Servers and Laptops are located.
We have one GPO called UserGPO, this GPO has some user configurations set and is linked to the OU called USERS.
Further on we have another GPO called LaptopGPO with only some Computer configurations, which is linked to the OU LAPTOPS.
In addition there is one more GPO called ServerGPO with both, Computer and User configuration.
Normally when a User from the OU USERS log on to a Laptop from the OU LAPTOPS, the User configuration is applied (while the Computer configuration of the LaptopGPO was applied to the Laptop when it was started).
Now when the same User logs on to a Terminal Server from the OU ServerOU, the same thing happens, the User configuration from the UserGPO is applied, while the Computer configuration from ServerGPO was applied to the Terminal Server, during the last restart or GPO update procedure.
The loopback processing mode, set in a seperate GPO links to the OU ServerOU, will now make the following happen:
In Replace mode:
If the same User logs on on the Terminal Server now, the User configuration from the UserGPO is now NOT applied, but replaced with the user configuration of the ServerGPO.
In Merge mode:
The user configuration of the UserGPO is applied first and the the user configuration of the ServerGPO is applied afterwards, in case of conflicting Settings, the ServerGPO wins.
So as a conclusion, the loopback processing mode only makes sure, that Users get the User configurations applied from a GPO linked to an OU, where the Computer account is in.
In the question it is stated, that Users and Computers Accounts are both in the OU1, so the loopback mode would not make any sense at all.
SO THE ANSWER IS DEFINITELLY D.
I can´t see any Explanation, why it should be A.
Cheers, Michael
Why it should be A!
If you use GPO Status – User Configuration Disable you will disable it for all other OUs as the policy object is linked to the domain.
There is no point to have a dead policy. User or Computer disabling is used only for troubleshooting.
The Group Policy loopback processing can be created and linked to OU1 only. Users from OU1 will not be affected by GP1 policy and all client computers will get there settings form GP1.
(sorry for my poor English grammar)
The answer is D because it tell you in the question that GP1 is linked to the DOMAIN. Nothing is mentioned anywhere in the question about it being linked to OU1.
A policy with loopback enabled linked to the domain will effect every user and computer account. So you will wipe user settings for every log on.
Only D will disable the user settings for GP1 only.
I agree – answer D because we should only switch off user config
that is all – simply question simply answer
D
You have a option there to tell if you want to apply to user or computer.
A resposta é D!
A
Sorry D is correct
Answer is A
Key here is the GPO is linked at the Domain…NOT at the OU. If you choose to “D” to deactivate the user configuration you disable the GPO for all users in the domain. Configuring Loop-Back can allow you to isolate the users in the specified OU.
The answer should be D but its showing up as not D.
The user and computer accounts are inside the OU.
The group policy is linked to the DOMAIN.
The policy contains Computer & User Configuration settings.
You need to prevent the User Configuration settings IN THE POLICY from being applied to USERS. (it doesn’t say the users in the OU)
You need to ensure that the Computer Configuration settings IN THE POLICY apply to ALL CLIENT COMPUTERS (again, not saying the computers in the OU).
So to do that, you would just disable user configuration in the GPO Status setting.
Answer SHOULD be D….
i believe the answer is Gpo status (just disable the user configuration), looback processing
involve any other user out of this ou to get the computer configuration from this Gpo
D-D-D – Why are you say another answer – SIMPLY & DEFINITELY D
guys please open your gp mmc and click on any gp and click on details and right in front of gp status you will see otions:
1: all settings disabled
2: computer config disbaled
3: enabled
4: user config settings disabled….simple…