Which of the following actions should you take?

You work as an administrator at ABC.com. The ABC.com network consists of a single domain named ABC.com. All servers in the ABC.com domain, including domain controllers, have Windows Server 2012 installed.
ABC.com’s user accounts are located in an organizational unit (OU), named ABCStaff. ABC.com’s managers belong to a group, named ABCManagers.
You have been instructed to create a new Group Policy object (GPO) that should be linked to the ABCStaff OU, but not affect ABC.com’s managers.
Which of the following actions should you take?

A.
You should consider removing the user accounts of the managers from the ABCStaff OU.

B.
You should consider configuring the new GPO’s WMI filter.

C.
You should consider adding the user accounts of ABC.com’s managers to the Admins group.

D.
You should consider adding the user accounts of ABC.com’s managers to the local Administrators group.

Explanation:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Deny a specific group both “Read” and “Apply Group Policy” permission to prevent them from applying the GPO.
http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-itemleveltargeting-in-group-policy-preferences.aspx
http://technet.microsoft.com/pt-pt/library/cc758471%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc779036%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc904317%28v=ws.10%29.aspx
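
The security-filtering approach from the explanation, as an added PowerShell example that is not part of the original page: it creates the GPO, links it to the ABCStaff OU, and adds Deny entries for Read and Apply Group Policy for ABCManagers. The GPO name and the distinguished name DC=ABC,DC=com are assumptions derived from the scenario; the GroupPolicy and ActiveDirectory modules must be available.

```powershell
# Added example: link a GPO to the ABCStaff OU and exclude ABCManagers
# with Deny ACEs on the GPO object (security filtering).
Import-Module GroupPolicy, ActiveDirectory

# Assumptions: GPO name is hypothetical; the OU path is built from the
# scenario's domain name (ABC.com) and OU name (ABCStaff).
$gpoName = 'ABCStaff Settings'
$ouPath  = 'OU=ABCStaff,DC=ABC,DC=com'

$gpo = New-GPO -Name $gpoName
New-GPLink -Guid $gpo.Id -Target $ouPath | Out-Null

# Resolve the group to exclude; .SID is already a SecurityIdentifier.
$managers = Get-ADGroup -Identity 'ABCManagers'

# Well-known GUID of the "Apply Group Policy" extended right.
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Deny "Apply Group Policy" (extended right) and "Read" for the group.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $managers.SID, 'ExtendedRight', 'Deny', $applyGroupPolicy)
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $managers.SID, 'GenericRead', 'Deny')

# The GPO's directory object lives under CN=Policies,CN=System;
# $gpo.Path holds its distinguished name.
$adPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($denyApply)
$acl.AddAccessRule($denyRead)
Set-Acl -Path $adPath -AclObject $acl

# Review the resulting permissions; Deny entries take precedence over the
# default "Authenticated Users: Apply Group Policy" allow entry.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

Set-GPPermission is not used for the exclusion because its permission levels only grant access; the Deny entries have to be written to the GPO object's ACL directly, which is what the Delegation tab's Advanced dialog does.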





Eugene

Security Filtering, not WMI…

Michael

exactly, WMI filters consider other attributes …

Michael

But since security filtering is not an option, the answer would be (A)?

sne

WMI Filter is, of course, bullshit.

“Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target COMPUTER.”
http://technet.microsoft.com/en-us/library/cc779036%28v=ws.10%29.aspx

The explanation describes Security Filtering and not WMI Filters.

Since you don't want to give the managers any sort of admin rights (you should actually give managers no rights at all) you should definitely consider putting them in their own OU.

jason

A sounds good to me!

Matt

Probably a typo… Should be security filtering.

Franco

I agree A is the right one.

Bob

Given the options here I would choose A. Another way, not listed, would be to go to the Delegation tab in the policy, click the Advanced button, add the managers group and click Deny under the Read permission. Then all members of the managers group won’t get the policy.

Peter

Answers don’t make sense – only logical choice from them is A

But everyone knows we need to use security filtering

Bolo

Select * From Win32_Group where Name = "ABCManagers"? Maybe with some win32_group params like domain etc.