HOTSPOT
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com.
AppLocker policies are enforced on all member servers.
You view the AppLocker policy applied to the member servers as shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point.
Please explain it
In the exhibit, we can see that iexplore is allowed for the Domain Admins group and denied for server admins, hence the first answer will be only the members of Domain Admins.
For the second answer, in the exhibit everyone is allowed to run all files in the Program Files folder, hence the second answer.
Thank you!
The first answer is wrong.
Only Local Users can run Internet Explorer is the correct answer.
AppLocker Deny rules always take precedence. There are two deny rules for IE, one for Server Operators and the other for Domain Users. By default Domain Admins are members of Domain Users, therefore the Domain Users deny rule would prevent Domain Admins from running IE.
The only option that is not affected by a deny rule is “Local Users”.
I can’t verify your reply. In my situation the domain admins aren’t members of the domain users. A new user is by default a member of the domain users. When you add the domain admins to that user, set it to primary and remove the domain users group, you only have the domain admins as a group. When I open the domain admins I only see the user accounts that are members of the domain admins. No groups like domain users. Domain admins are members of Administrators and the Denied RODC Password Replication Group. In my opinion the correct answer is:
– Only Domain admins
– Everyone
Correct me if I am wrong.
Technet article: http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
Why would you ever take a user out of Domain Users? This group should always contain every user in the domain, as the name implies.
Dave’s explanation is correct.
Perfect explanation by dave, I agree. Answer is
– only local users
– everyone
only domain admins
everyone
Saad is wrong on one! Noooooo! My IT world is crumbling!
Which answer is correct?
From Mark van Dijk or from Dave, Klaus?
only domain admin
everyone
that is it
Only Domain Admins
Everyone
agree with Dave’s explanation
option “Only” Domain Admins rules out local users. And local users have no limitation.
– local users
– everyone
Which answer is definitively correct?
– local users
– everyone
or
– only Domain admins
– everyone
It’s gonna be
– local users
– everyone
Try it in a lab environment. Open Active Directory Users and Computers on a DC. When you create a new user, they are automatically added to the Domain Users group. You would have to add that new user to the Domain Admin group manually and now this new user belongs to both groups. The question doesn’t state if a specific user belongs to only the Domain Admins folder or both. You should just assume the default values without user intervention.
As stated here http://ss64.com/nt/syntax-security_groups.html the domain users group is a global group that by default includes all user accounts created in your domain and all user accounts are automatically added to the group .. so as Dave stated domain users are denied then so are the Domain Admins…
Thanks for pointing this out Dave….
– local users
– everyone
Does a Domain User have the same permissions as a Domain Admin? If so, does a Standard User have the same permissions as a Local Admin?
When a domain user has local admin rights, it’s still a domain user > denied.
The correct answer is:
– local users
– everyone
Domain Admin users will be denied… all users on the domain are Domain Users, and a Deny overrides an allow.
http://community.spiceworks.com/topic/911560-denying-permissions-to-domain-users-also-denies-permissions-for-domain-admins
Also:
https://technet.microsoft.com/en-us/library/ee460955(v=ws.10).aspx
“If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action”
Tested in Lab:
The group Domain Admins is not part of the Domain Users. I think Mark van Dijk is right.
Tobi,
It’s not the group that counts, but the MEMBERS in the Domain Admins group. It’s true the Domain Admins group is not a member of the Domain Users group, BUT the users in the Domain Admins group are members of the Domain Users group.
Remember that the deny rule always counts.
– local users
– everyone
is the right answer
In Domain Admins group you have the Administrator user. If you look at the Administrator account properties, you’ll see he’s a member of Domain Users.
Correct, if you unmount the disk you can change the OU.
What is the right answer 🙂 To-be-or-not-be 🙂
WakaFlakaSeagulls is right
– local users
– everyone
1: “everyone” does not include local users
ans=4,2
Dave is right, the correct answer is:
1. Local Users
2. Everyone
Just ask yourself this question. If Bob is a domain user, then he gets added to the Domain Admins group, he is still a domain user right? The word “DOMAIN” means he’s still a member of that domain. Why would him being promoted to a Domain Admin suddenly make him a non Domain User?
In fact, you don’t need AD to test this. Run netplwiz on your machine, then go into Advanced User Management. There, you can see your account under “Users”. You can add your account to the local Administrators group (probably already part of it), but it doesn’t take away the fact that your account is still part of the Users container. Same thing in a domain environment.
Local users is the correct answer -tested it myself.
Tested in lab, results are:
– only local users
– everyone
In the choices it stated “Only members of the Domain Admins”, meaning these users are created, and once you create a user in AD the user is by default a member of Domain Users.
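
Added example, not part of any comment above and not code from the exam or from Microsoft: a small Python model of how AppLocker chooses between matching rules, which is the point the thread argues over. The exhibit is not reproduced on this page, so the rule set is constructed from the commenters' description of it, and the accounts and their group lists are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

IE = r"%PROGRAMFILES%\Internet Explorer\iexplore.exe"

@dataclass(frozen=True)
class Rule:
    action: str   # "Allow" or "Deny"
    group: str    # group the rule is scoped to
    path: str     # path condition, * wildcard

# Constructed rule set: the exhibit is not on the page, so these follow
# the commenters' description of it.
RULES = [
    Rule("Allow", "Everyone", r"%PROGRAMFILES%\*"),
    Rule("Allow", "Domain Admins", IE),
    Rule("Deny", "Server Operators", IE),
    Rule("Deny", "Domain Users", IE),
]

# Group nesting (group -> groups it belongs to). Domain Admins is nested in
# Administrators, not in Domain Users; accounts get Domain Users directly.
NESTED_IN = {"Domain Admins": {"Administrators"}}

def token_groups(direct):
    """Expand direct memberships into the groups carried in the logon token."""
    seen, todo = {"Everyone"}, list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(NESTED_IN.get(g, ()))
    return seen

def evaluate(direct_groups, path):
    """Deny beats Allow; with no matching rule the file is blocked."""
    token = token_groups(direct_groups)
    hits = [r for r in RULES if r.group in token
            and fnmatchcase(path.lower(), r.path.lower())]
    if any(r.action == "Deny" for r in hits):
        return "Deny"
    return "Allow" if hits else "Deny (no rule)"

if __name__ == "__main__":
    for name, groups in [("default domain admin", {"Domain Users", "Domain Admins"}),
                         ("admin removed from Domain Users", {"Domain Admins"}),
                         ("local user", {"Users"})]:
        print(f"{name:32} {evaluate(groups, IE)}")
```

On a real member server the same question can be put to `Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path <file> -User <account>`.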