Your network contains an Active Directory domain named contoso.com.
An organizational unit (OU) named OU1 contains user accounts and computer accounts.
A Group Policy object (GPO) named GP1 is linked to the domain.GP1 contains Computer
Configuration settings and User Configuration settings.
You need to prevent the User Configuration settings in GP1 from being applied to users. The
solution must ensure that the Computer Configuration settings in GP1 are applied to all client
computers.
What should you configure?
A.
The GPO Status
B.
The Block Inheritance feature
C.
The Group Policy loopback processing mode
D.
The Enforced setting
Explanation:
A loopback with merge option needs to be used.
Hi Folks!
No, answer is A.!
Loopback processing is something completely different and doesn´t prevent that User Configuration of a GPO is applied to users.
Loopback processing just lets the User Configuration of a GPO that is linked to an OU, where the Computer, on which the user logs on to, is located, being applied to the user. Here ist it possible to merge (so that the configuration is added to a GPO User Configuration that is linked to an OU, where the according User is in) or the replayce, so that only the GPO of the Computer OU is applied.
But the way to disable the User configuration is simply by changing the Status of a GPO, so that only the Computer Configuration Part ist enabled.
So C. is completelly wrong.
Cheers, Michael
Michael, I believe you might be wrong. The question doesn’t state clearly the Group Policy is being applied to a special-use computer but I believe this is implied. Microsoft is tricky in how they word the questions.
Group Policy Loopback Processing Mode:
Applies alternate user policies when a user logs on to a computer affected by this policy.
This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used.
By default, the user’s Group Policy objects determine which user policies apply. If this policy is enabled, then, when a user logs on to this computer, the computer’s Group Policy objects determine which set of Group Policy objects applies.
https://support.microsoft.com/kb/231287/en-us
(same page you copypasted text from)
The question is how to configure GP1 not to apply user settings and apply computer settings. So loopback is not the way to go. You’d use loopback processing if you wanted to apply GP1’s user settings instead of user settings defined somewhere else.
If you choose A you are disabling user settings of a policy linked to the DOMAIN.
You should consider loopback processing in Replace mode.
I stick to Michael and think A is correct.
Yes A is the correct answer simply disable users side of the GPO
After reading all the comments, reading other blogs and articles, the best answer seems to be
A. The GPO Status
Usually the 2003/2008 MS test questions say the computer is a kiosk computer which is the clue for the C. Loopback answer
A is the correct answer. I just used a 2012 R2 server and opened up a GPO. The 2nd tab on the GPO is “details”. On the details tab you see an option called GPO status with a drop down arrow. You can select the option on this drop down arrow.
A for sure
it’s A for sure. I have also test it in my envouriment.
If you choose A you are disabling user settings of a policy linked to the DOMAIN.
You should consider loopback processing in Replace mode.
The question is not to disable the GPO for the users in OU1 but for all users.
Definitely A.
A is correct GPO Status disables any unused part of a GPO.
https://technet.microsoft.com/en-us/magazine/dd673616.aspx
It is A, and definitely not C. Let’s look at it in the simplest terms possible:
GP1 is linked to the domain, thus, it will apply to OU1 (where there are users and computers). You need GP1’s computer settings to apply, but not its user settings.
A.
The GPO Status – You can disable the user settings, so that it is applying just computer settings. This meets the requirement of applying the computer settings still, but not applying the user settings of GP1 to users. Thus, A is correct.
B.
The Block Inheritance feature – If you block the inheritance of GP1, the user settings will not apply to the users, but it will also keep the computer settings from applying. Thus, B is incorrect.
C.
The Group Policy loopback processing mode – If you use group policy loopback processing you have two choices: merge and replace. If you use merge the user settings will still apply to users, but with merge with user settings from other GPOs. If you instead choose replace, the user settings of GP1 will replace any user settings from another GPO that applies to users. Either way, the user settings of GP1 are still applying to users. Thus, C is incorrect.
D.
The Enforced setting – This will enforce the group policy of GP1 and keep it from being overruled by another group policy. Thus, D is incorrect.
A is the correct answer. Loopback processing only comes into play when you have Users and Computers in separate OU’s. Nothing is implied in this question it clearly states that User policies are not to be applied but Computer policies are. BEST way to achieve this is via GPO Status.
Also there is only one GPO, GP1 – hence nothing to replace or merge via loopback processing.
I have a doubt.
What is the difference between computers’ and users’ group policy object. If they are Computer and user configuration part of GPO then this line doesn’t make sense.
“replace indicates that the user settings defined in the Computer’s group policy objects replace the user settings normally applied to the user.” This is a part in loopback processing GPO’s explanation.
i find this article and understand more…
Windows Server: Understand “User Group Policy Loopback Processing Mode”
Group Policy Objects (GPO) is a set of rules for Users and Computers, thus the policies for computers will be applied to computers and the policies for users will be applied to users. This article applies to Windows Server scenarios.
Let’s assume that you have two organizational units in your domain:
OU-TSSERVERS
OU-SUPPORT
In OU-TSSERVERS units, there are computer accounts, and in the OU-SUPPORT units there are users accounts.
In OU-TSSERVER, you created and configured a new GPO. So, there are policies for:
Computer Configuration
User Configuration
In OU-SUPPORT, you created and configured a new GPO. So, there are policies for:
Computer Configuration
User Configuration
When a user belonging to OU-SUPPORT logs on a server that belongs to the OU-TSSERVER, what happens?
Applies:
Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
User Configuration -> The configuration created in GPO linked to OU-SUPPORT.
This is the default setting.
Now we are finally going to learn about User Group Policy Loopback Processing Mode.
When configuring the policy Loopback Processing Mode, you can choose two different options, Replace and Merge.
Replace Mode
When you define the “User Group Loopback processing Mode”, to “Replace” on the GPO linked to the OU-TSSERVER.
Applies:
Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
User Configuration -> The configuration created in GPO linked to OU-TSSERVER. (This is the difference in Replace Mode.)
Merge Mode
When you define the “User Group Loopback processing Mode”, to “Merge” on the GPO linked to the OU-TSSERVER.
Applies:
Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
User Configuration -> The configuration created in GPO linked to OU-TSSERVER.
And
User Configuration -> The configuration created in GPO linked to OU-SUPPORT. (This is the difference in Merge Mode.)
NOTE: In case of conflict, the users policies from OU-TSSERVERS have precedence. Because the computer’s GPOs are processed after the user’s GPOs, they have precedence if any of the settings conflict.
i think when in the question says “applied to users..” means users but they are not necessary to be in the OU…
hi yor i read that link also but i am still not sure of the answer i think it is a gpo status what do you think the answer is if you dont mind me asking
The answer is A.
Loopback processing is used in the event that a GPO you have linked to an OU containing computers also contains user settings. In replace mode, any user settings here apply, and any user settings linked to the user’s OU are discarded.
In merge mode, the user settings in the GPO linked to the computers OU are applied LAST, so any conflicts are won by the User settings in the Computers OU.
Never used it in a production environment myself, and it seems like it’s fixing a problem that doesn’t exist! If anyone has any real-life scenarios where this would be useful, please share 🙂
we use loopback in an environment where our users live in one OU, and can use these logons to access their desktop/laptops in another OU, or alternatively a set of terminal servers in a third OU.
One team manages the policy for the workstations and user accounts. My team are responsible for the terminal servers.
We enforce configure user side and computer side policices on our server OU, with loopback processing, so we can control exactly how the users experience our machines, rather than getting more liberal settings allowed in their user OU.
Thought I would post something useful for once in my life and say that I believe the answer is A.
Please read this article: https://powershell.org/2013/02/13/set-gpo-status-with-powershell/
Then re read the question. The second sentence is the most important part “The solution must ensure that the Computer Configuration settings in GP1 are applied to all client computers.
”
IF the status of the GPO was disabled, it would affect all users and all computers. Therefore if we enabled the GPO Status to be enabled, it will apply to however the GPO was configured to work therefore apply to all client computers.
Group Policy Lookback is associated to legacy anyways. I do not believe it is relevant to Server 2012.