Your network contains an Active Directory domain named contoso.com. The domain contains more than 100
Group Policy objects (GPOs). Currently, there are no enforced GPOs. The domain contains a top-level
organizational unit (OU) for each department. A group named Group1 contains members from each
department. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply
settings to Group1 only. What should you use?
A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Set-GPPermissions – Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.
http://technet.microsoft.com/en-us/library/ee461038.aspx
Add-ADGroupMember – Adds one or more members to an Active Directory group.
http://technet.microsoft.com/en-us/library/ee617210.aspx
Gpupdate
http://technet.microsoft.com/en-us/library/bb490983.aspx
dcgpofix – Recreates the default Group Policy Objects (GPOs) for a domain.
Get-GPOReport – Generates a report either in XML or HTML format for a specified GPO or for all GPOs in a domain.
Gpfixup – Fix domain name dependencies in Group Policy Objects and Group Policy links after a domain rename operation.
Gpresult – Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
Gptedit.msc – GPO Editor
Import-GPO – Imports the Group Policy settings from a backed-up GPO into a specified GPO.
Restore-GPO – Restores one GPO or all GPOs in a domain from one or more GPO backup files.
Set-GPInheritance – Blocks or unblocks inheritance for a specified domain or organizational unit (OU).
Set-GPLink – Sets the properties of the specified GPO link.
Set-GPPermission – Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.
Gpupdate – Refreshes local and Active Directory-based Group Policy settings, including security settings.
Add-ADGroupMember – Adds one or more members to an Active Directory group.
Isn’t the answer just “J”?
I believe the answer is E. Open GPO Editor, open GPO1, in the security section add Group1 and remove authenticated users and everyone, apply GPO1 to Group 1
Group 1 already exists so why answer L ?
Answer K works only on client side. Why the rush?
The simplest way is to use GPEDIT.exe and modify the security filter or use set-GPPermission cmdlet if you are a poser.
gpedit.msc is used for local group policy objects. J is the solution, it is used to configure the delegation settings of a GPO. This includes rights like applying group policy and read (the ability to actually read the gpo settings). Both are required for a group in order to apply a gpo.
but there’s a funny quirky way to get it done with gpedit.msc also:
https://technet.microsoft.com/en-us/library/cc736591%28v=ws.10%29.aspx
=> start it using switch /gpobject, and then open the properties and modify the security settings
Set-GPPermission can be used to add and remove users and groups from security filtering. The answer is J and only J, I think.
It is J, but you need to run it twice. Once to remove the permissions for Authenticated Users (i.e. Set-GPPermissions -Name "GPO1" -PermissionLevel none -TargetName "Authenticated Users" -TargetType Group -Replace), then set it for Group1.
-Replace
Specifies that the existing permission level for the group or user is removed before the new permission level is set. If a security principal is already granted a permission level that is higher than the specified permission level and you do not use the Replace parameter, no change is made.
I have a doubt. If it is asking about permissions to edit/read the GPO, my opinion is that it will be J (Set-GPPermissions), but I think it is asking about applying GPO settings to a group of users named Group 1, isn’t it? Should it be E gpedit in this last case?
Sounds like kind of a trick question, but I did find this technote that mentions “read and apply permissions are needed to apply GPOs to an object”. See item #7:
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
IMHO…
could the answer be H
“You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply
settings to Group1 only.”
GPO1 is linked to the domain, so GPO1 applies to everyone. But you need to configure it so that only Group1 can receive the settings.
Use Set-GPInheritance to block on everyone except Group1.
J
Isn’t this H. Set-GPInheritance for Group1 for GPO1 linked to the domain?
Also, this looks like a one answer for the question style-question.
I thought it was H. Set-GPInheritance, but that does not apply security filtering which is what I think we want here. Then I thought Set-GPPermission. At first this looked like applying permissions to read/modify/apply the GPOs. Then finally it looked like it was possible to apply security settings. Whew, then I realized we are talking easiest in Microsoft language. So, I think the answer is E.Gptedit.msc as Fausto remarked above: E. Open GPO Editor, open GPO1, in the security section add Group1 and remove authenticated users and everyone, apply GPO1 to Group 1. That seems a lot easier than trying to do Powershell command on that unless that’s what you are doing daily. In the end the question asks, What would you use? which is totally subjective anyway.
GPEDIT.EXE is not an option. GPTEDIT(E) does not work on a DC in PowerShell. Set-GPPermission -Guid "GPO1" -targetname "contoso\Group1" works just fine.
Answer: J
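The security filtering discussed in this thread, written out as an added PowerShell example (not from the original page or any commenter). The function name `Set-GpoSecurityFilter` is hypothetical, and the example assumes Authenticated Users is downgraded to GpoRead rather than None so that computer accounts can still read the GPO; it also shows the `-Replace` behaviour quoted above and checks the result.

```powershell
# Added example: restrict GPO1 (linked at the domain) to members of Group1.
# Requires the GroupPolicy module (GPMC/RSAT) and permission to modify the GPO.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Stop early if the GPO name is wrong instead of failing half-way through.
    $null = Get-GPO -Name $GpoName -ErrorAction Stop

    # 1. Give the target group Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # 2. Authenticated Users holds GpoApply by default. GpoRead is a lower
    #    level, so without -Replace this call would change nothing.
    #    Assumption of this example: GpoRead is kept (not None) so computer
    #    accounts can still read the GPO when user policy is processed.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # 3. Return every trustee that can still apply the GPO.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# GPO1 and Group1 are the names used in the question.
$appliers = @(Set-GpoSecurityFilter -GpoName 'GPO1' -GroupName 'Group1')

if ($appliers.Count -eq 1 -and $appliers[0] -eq 'Group1') {
    Write-Output 'GPO1 is security-filtered to Group1 only.'
} else {
    # Any extra trustee here would still receive the GPO's settings.
    Write-Warning ("Trustees with GpoApply: " + ($appliers -join ', '))
}
```

Running `Get-GPPermission -Name GPO1 -All` before and after the change gives a record of which trustees lost or gained the Apply right.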