HOTSPOT
Your network contains an Active Directory domain named contoso.com.
The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Refer to the Exhibit.)
The membership of Group1 is shown in the Group1 exhibit. (Refer to the Exhibit.)
You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown in the GPO1 exhibit.
(Refer to the Exhibit.)
Select Yes if the statement can be shown to be truebased on the available information; otherwise select No.
Each correct selection is worth one point.
Answer: 
Explanation:
This is incorrect. User1 is not in the container and GPOs do not apply to groups by default. User 3 is also not in the OU so the security filter has no relevance. Both will have access to the control panel in this case. Verified by GPO Modeling in lab.
http://technet.microsoft.com/en-us/library/cc779291(v=ws.10).aspx
The settings in a GPO will apply only to users and computers that are contained in the domain, organizational unit, or organizational units where the GPO is linked, and that are specified in, or are members of a group that are specified in Security Filtering. You can specify multiple groups, users or computers in the security filter for a single GPO.
Since User1 is not in the OU the fact that they are a member of the security group in that OU is irrelevant.
If a user or computer is not contained in a site, domain, or organizational unit that is subject to a Group Policy object, either directly through a link or indirectly through inheritance, there is no combination of permissions on any security group that can cause those Group Policy settings to affect that user or computer.
https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true
so only user2 will have access goodjob
*and user 4
only user 2 will not have access
Can someone propose a final solution?
user1 Yes, user2 No, user3 yes, user4 yes, This is because GPO’s only apply to User/Computer Objects (Computer Config/User Config, right) so it can only apply User 2 and User 4, since User 4 is not setup in the security Filtering then it will not apply to them.
Grant,
You said user 4 is not in security filter. Then user 2 is also not in a security filter.Then user 2 can acess control panel ??.
correct. Grant is right
You forget that group1 is listed in security filtering so group1 do get hit by GPO.
I would wote NNNY
Linked GPO only applied to Computer/User objects IN the OU1.
A Security Group in an OU is NOT enough it’s not a computer/user object. A member or computer object in the Security Group ALSO has to be in the OU1.
User 1 will have CP Access. They aren’t in the OU1.
User 2 will not have CP Access. They are in the OU1 and the Security Filter affects User 2 since they are in Group1.
User 3 will have CP Access. They are not in the OU1. Doesn’t matter what objects are in the security filter. If they aren’t in the OU1 it doesn’t matter.
User 4 will have CP Access. While that account is in the OU1 the security filter only applies to Group1 and User 3.
NOW if User 3 is moved to the OU1 then the CP will be restricted.
NOW if User 4 is added to the security filter then the CP will be restricted.
NOW if User 1 is added to the OU1 then the CP will be restricted.
Matt you are spot on with this answer. Anyone else who may view this post should totally disregard any other answer that differs from his in the slightest. This is a clear and concise explanation of why the answer should be YNYY. This is factual info here. Everyone else with a different answer from this seems to be building theoretical answers based on relative knowledge. If you actually replicate this scenario in a lab, you’ll see that this is the one.
YNYY!!!!
Spot on
The GPO only applies to Group1 (user1, user2) and User3, as it’s specifies in the Security Filtering. Only user4 will be able to access Control Panel. NNNY.
User\Computer and Group Account Members (User2) must be in OU to have GPO Applied.
OU Members
Group1 – User1/Acct NOT in OU
User2/Acct IN OU
User2 – Acct in OU. Also Member of Group1
User4 – Acct in OU.
User3 – Acct NOT in OU.
GPO: Security Filtering Settings
Group1 – User1 Acct NOT in OU – Will NOT receive GPO
– User2 Acct IN OU – WILL receive GPO
Note: Groups may have 100’s of Members, GPO will only apply to Members IN the OU Structure. Those Members not in OU will not have GPO applied.
User3 – Acct NOT in OU. – Will NOT receive GPO
User4 – NOT referenced in Security Settings
Will NOT receive GPO.
Excellent Analysis Lostineurope.
This question is really a trap.. I see Microsoft Keep focusing on “real world” Scenario..and then they wonder why People are using Dumps 😀
No Admin on earth would even think of such configuration.
So, in Synthesis:
User 1 -> CAN Access control panel, not in OU (GPO is applied only to OU1 and the members of it – User1 is in the Group1 on security filter but NOT in this OU)
User 2 -> CANNOT Access control Panel (Member is in this OU and Group1 in security filter contains User2)
User 3 -> CAN Access control Panel, not in OU, security filter won’t apply the GPO
User 4 -> CAN Access control Panel, Security filter not applied on him.
User1 is a member of Group1 and therefore a member of the OU, so the GPO will apply to him/her right?
The Way I see it
Answer is
No – in OU
No – in OU
Yes – Not in OU
Yes – Security Filter not applied
yostah, Grant, Lostineurope, Hellwind well done.
User1 Yes
User2 No
User3 Yes
User4 Yes
Mvilar is correct:
“Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO.”
– http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
Group Policy is not enforced on OU1.
Security Filtering shows that it only applies to the specified Groups, Users and Computers.
There for the answer would be
User1: No
User2: No
User3: No
User4: Yes
Hellwind is correct
NNYY
Group 1 gets applied and is in security filtering and is in OU1.
User1 can not access
User 2 can not access
user3 isn’t in OU1 in anyway, therefore can access
user4 is not in security filtering, so it does not apply
NNYY
Please, everyone who does not know exactly, STOP CONFUSING PEOPLE.
The correct answer is:
Yes
No
Yes
Yes
It doesnt matter if the GPO applies to a group, as long as the members in this group are NOT part of the actual OU to which the GPO applies.
Image it like this:
If a user logs on to a system, AD checks in which OU the user account is placed and thus processes the attached GPOs.
How is Active Directory supposed to know, that there is a GPO attached to any other OU than were the user is placed.
This is why User1 will still have access.
He is not part of OU1. So why should AD process the GPOs which are attached to OU1?
So please again, if you havent worked with Active Directory yet and dont know exactly, please dont confuse people who are trying to get correct answers!
De Duitser stuitte echter op het probleem dat WhatsApp maar op
één apparaat tegelijk gebruikt kan worden.
GPO is linked to OU1
OU1 has 3 members
1. user1
2. user4
3. Group1
Group1 has a member which is user2
so the gpo will apply on user1,user4,user2
The gpo will only apply to the container and its member objects it was linked.
user3 is not part of the container (OU1). Thus, it will not apply to it.
the answer would be NNYN
User1 is located not in OU1, so the group policy will not apply on him/her despite his/her membership in Group1.
User4 is filtered out by security filter (screenshot 3), so the group policy will not apply on him/her as well.
You are correct regarding User2 and User3 though.
So the answer is YNYY
I have also tested this in a lab environment. Like the others have said, this GPO will not apply to users that are not in OU1. Doesn’t matter if they’re in Group1, which is in OU1.
Answer:
User1 – Yes
User2 – No
User3 – Yes
User4 – Yes
Also, it doesn’t apply to those not specified in the Security Filtering.
So if they’re in the security filter AND they’re in OU1, then the GPO WILL apply to them.
And if you look at the second screenshot, it shows that User2 is in contoso.com/OU1, while User1 is just in contoso.com (no OU or container).
i didn’t get the right answer ?
please i want to ask some question ?
1-why we said that the rule in GPO is accessing control panel ?
2- it needed to enforced to apply the GPO ?
3-WAHT IS THE THE FINAL CORRECT ANSWER?
Final correct answer:
User1 – yes
User2 – no
User3 – yes
User4 – yes
This answer was officially confirmed by Microsoft: I answered this way on the actual exam and passed with 100% sub-score on “Create and Manage Group Policy”
I agree with y/n/y/y, recreated the question in my testlab
Y,N,Y,Y
User1 : not present in OU1 , is not present in the security filterings ( although he is a member of Group1 that is inserted in the SFs, must also be present inside the OU in which the policy is linked to be subject ) ACCESS ALLOWED
User2 : is present in OU , is present in Group1 that is inserted in the SFs – ACCESS DENIED
User3 : not present in OU1 , is inserted in SFs but is not subject to the policy because absent from OU1 – ACCESS ALLOWED
User4 : is present in OU1 , is absent in SFs so he’s not subject to the policy – ACCESS ALLOWED
Y Y N Y
User1 is located in OU1, referenced via a Security Principle, Group1, which references User1 and 2. Hence, User 1 and 2 receive the GPO policies as Group1 is in the filter and GPO1 is attached to OU1.
User 3 is in the filter however, is not located in the container where the OU applies.
User 4 is located in OU1 however, is not part of the filter.
So,
User 1 = N
User 2 = N
User 3 = Y
User 4 = Y
I agree with you, user3 doesn´t exist in the context!
Mistake in first sentence: User1 is not in OU1, it is directly in contoso.com. Right answer: Y, N, Y, Y. I confirmed it in test lab. This is third confirmation in test lab and all results are the same.
Yes
No
Yes
Yes
You are wrong!!!
Where is the user3?
I was able to reproduce it on my lab. The answer is YNYY
How is the GPO not applied to use1, when he is in Group1?
The user1 is not in the ou, it needs to be in the ou, it’s the tricky part of the question, they try to confuse you
I have used Security Filtering before (in a live environment) in order to target only specific security groups or users. This gave me the power and flexibility of GPO but without the collateral damage of affecting everyone in the OU and avoided creating overly complicated OU structures to hit my targets. The GPOs did get a little complicated though, as security filtering seems rarely used and many Admins are unfamiliar. I had to do a fair amount of explaining for my fellow AD admins.
Users 1 and 2 are referenced in the OU either by account or security group and they will be affected. User 3 is MIA and if he ever shows up in OU1 he will be restricted, but for now he escapes justice! User 4 is not listed as a target in the Filtering and so will not be affected.
User 1 = N
User 2 = N
User 3 = Y
User 4 = Y
TECH NET SECURITY FILTERING USING GPMC — https://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO
I hope my answer lends some clarity. Please refer to Tech net and experiment in a lab.
User 1 and 3 are the same mate, only you see User1 in a Group and User3 is mention in the GPO.
The got both the same AD Domain Services Folder.
But both are not in this OU ( but in de root of the forrest?)
So, you are not right.
also.. this technet article is for:
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows 2012 is not mention
Note: The default group “Authenticated Users” has been removed from Security Filtering. This means that users in the OU will not be targeted simply by being in the OU. Targets are limited to only those specifically listed in the Security Filtering area.
That’s right
The settings in a GPO will apply only to users and computers that are contained in the domain, organizational unit, or organizational units where the GPO is linked, and that are specified in, or are members of a group that are specified in Security Filtering. You can specify multiple groups, users or computers in the security filter for a single GPO.
Lets break down this ‘rule’
So, the users must be in the OU where the GPO is linked to.
But then Technet says ‘..or are members of a group that are specified in Security Filtering.’
The ‘or’ is the keyword. In this cause User1 will not get the GPO but User3 does, because is in mention in the Security Filitering.
Does I got it wrong when I think that a GPO does not need to linked to a OU as technet stated that Users or OU are mention in the filtering the GPO will apply to them.
A Computer or User Object has to be included in the OU – on which the GPO is linked – only mentioning it at the security filter isn’t enough to get the GPO assigned.
Reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/17984613-02d5-49e9-81d2-19a2976e7534/security-filter-for-gpo-to-a-group-of-computers
==========================
The same thing as for User groups is for Computer groups. But, it has to have the computer objects in the OU where you link the GPO ! (as it is needed for User groups).
So, if you want to use GPO and Computer groups, you might think about linking the GPO at domain level (if computers are spread on multiple OU) and use the Security filtering : Computer Groups.
=========================
This should address this tricky question 😉
Answer is Y,N,Y,Y Tested in my lab
Since User 1 is in the Users Container GPO not applied
User2 is in the OU and in Group 1 so Control Panel will be blocked
User 3 is like user 1 as it is not in the OU the policy will never apply
User 4 was not added to the Filtering so it was not applied
I understand why the answer would be Y,N,Y,Y if the GPO was enforced, but since it is not, why would the GPO apply at all?
Nvrmind, I was thinking enabled, not enforced.
and to make the confusion even greater, here’s my 50 cents on the matter. Screenshot Nr.3 shows clearly that the Security filtering includes 2 items:
1) Group1 (consisting of User1 and User2)
2) User3
The explanation inside the Security filter area itself says it pretty straight forward: “The Settings in this GPO can only apply to the following groups, users and computers”
there’s nothing more to think about… GPO applies only to the above mentioned User1, User2 and User3, since they’re the ones listed in the Security filter.
User4 is the only one who can access Control Panel.
or if you want – i can put it this way – the answer is NNNY, everything else is bullshit…
Be that as it may, you may have missed a small detail in your answer as well. Though the SF states that the GPO only applies to Group1 and User3, the GPO is linked to OU1, and User3 is not in OU1. The GPO cannot apply to something that is not there, regardless of what the SF may state. Just saying…
Final correct answer:
User1 – yes
User2 – no
User3 – yes
User4 – yes
Matt and Lostineurope are both right.
Most of you should go back and touch up on GPOs.
The short summary is this:
– GPO applies to users ONLY if they are also part of that OU. User1 and User3 are not under OU1, so why would it make sense for that GPO to apply to them?
– User4 is not added to Security Filtering, therefore the GPO has no effect on him.
Therefore, the ONLY user that will be prohibited from Control Panel access is User2. Easy.
Yes, no, yes, yes
GP applies only to user and computer objects in OU to which GPO is linked to. Users and computers that are member of a group in the OU are not affected as they are located in a different OU.
You can target specific users and computers by using groups (containing user and computers from the linked OU) in security filtering.
YNYY confirmed in lab and if one applies the rules of GPO’s it makes sense.
Only User2 and User4 is physically in the OU1 where the GPO is linked, so this already excludes User1 (in an OU one level up) and User3 (not to be seen on any screen shots).
From User2 and User4 only User2 is in Group1, and the GPO will only apply to Group1 and User3. We already know that it won’t apply on User3 as he is not in OU1, this leaves us with only User2 that will be affected and won’t be able to access Control Panel.