Your network contains an Active Directory domain named contoso.com. You have a Group
Policy object (GPO) named GP1 that is linked to the domain.GP1 contains a software
restriction policy that blocks an application named App1.
You have a workgroup computer named Computer1 that runs Windows 8.A local Group
Policy on Computer1 contains an application control policy that allows App1.
You join Computer1 to the domain.
You need to prevent App1 from running on Computer1.
What should you do?
A.
FromComputer1, run gpupdate /force.
B.
From Group Policy Management, add an application control policy to GP1.
C.
From Group Policy Management, enable the Enforced option on GP1.
D.
In the local Group Policy of Computer1, configure a software restriction policy.
I think the correct answer should be D.
Local policies come first, so adding an application control policy to GP1 will just add the application rule you define in the policy, it will not replace the local policy so the allow rule will remain in the local policy.
B could be the correct answer if they give you the option to remove the local policy first, local policies remain on the client even when you joing them to a domain for so far I know.
I could be wrong tho, so if anyone know’s the correct answer please tell me.
LSDOU applies here and the domain policy will win.
A should be the correct answer as a wherever there is conflict between local and domain policy, domain policy will win when the computer is joined to the domain.
If the machine is just joined to an AD Domain it will not apply the machine-settings GPO. You will have to reapply them so A. is the correct answer. (Deny prevails above Allow)
Chris +1
Presented answer is correct.
From the question, GP1 does not include an appication control policy. Group policy will only overwrite the local computer’s policy if the policy exists in GP1.
See the yourtube video for instructions on how to create a sw restriction policy:
https://www.youtube.com/watch?v=AxwcLC05YPs
https://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
the correct answer is D, as it says in the article the local gpo comes before all the others.
From that article it also states “This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)” Which would make the Domain group policy overwrite the local group policy.
No.
I would agree with answer B here. The GPO GP1 does not have an APPLICATION CONTROL POLICY (AppLocker – computer configuration setting in GPO) GP1 has a Software restriction setting (User settings under GPO). So to counter a Local policy for AppLocker you would have to have a GPO configured for Domain or OU where this account is because of the LSDOU processing order
B is correct I believe.
Application Control Policies trump Software Restriction Policies and domain GPOs trump local GPOs.
Remember, Application Control Policies (AppLocker) were designed as a replacement for Software Restriction Policies.
agree.
And I take a little time to do a lab for this question,
the “B” is the correct answer.
B is correct
B is the right answer
OK. I think the point is that Computer1 is running Windows 8 while the Software Restriction Policies on domain GPO is only supported on the system Windows Vista and earlier. It is AppLocker(application control policy) that is supported on systems running Windows 7 and above.
https://technet.microsoft.com/en-us/library/hh994614.aspx
When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
I agree Kaye.
In this instance processing order does not matter, nor does ACP trumps SRP.
Simple explanation is that SRP is only supported on Vista and earlier, so these policies would NOT be applied on a Windows 8 computer.
You would therefore have to add ACP to the GPO. Answer is B.
I test SRP to restrict “mspaint.exe” in my win8.1,and it work.
so I think SRP can support win8, you can try.
And did you try while you have a ACP on the local gpo of ur machine?
A is wrong: because the policy will apply at the logon when joining the domain.
C and D does not make any sense, because they don’t answer what we are looking for.
The right answer is B.
Explanation:
On the computers that support AppLocker: AppLocker policies take precedence over policies generated by software restriction policy.
AppLocker policies in the GPO overwrite any other policies.
Hi man!
Local AppLocker policies supersede policies generated by SRP that are applied through the GPO
https://technet.microsoft.com/en-us/library/ee791851.aspx
Answer B
Just beneath, are a lot of entirely not connected web sites to ours, however, they may be certainly really worth going over.
AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker