You work as a Network Administrator at AIOTestking.com. AIOTestking.com has an Active Directory
Domain Services (AD DS) domain named AIOTestking.com. The AIOTestking.com network has several
Group Policy objects (GPOs).
You must allow a junior technician named Rory Allen to create GPOs in the domain but he must
not be able to link GPOs to any container.
Which of the following actions should you take?
A. You should run the Gpupdate cmdlet.
B. You should run the Set-GPPermission cmdlet.
C. You should run the Set-GPLink cmdlet.
D. You should run the Add-ADGroupMember cmdlet.
E. You should run the Remove-GPLink cmdlet.
F. You should run the Gpresult cmdlet.
B. Set-GPPermission
Yes, you are correct.
nope. Set-GPPermissions changes the permissions on an already existing GPO. You need to change the privileges of a user. This is controlled through adding them to various groups.
correct
answer is B.
Here’s a quick and easy way to delegate the management of existing Group Policy Objects in your domain.
Set-GPPermission -All -Domain "halo.net" -TargetType Group -TargetName "Domain Local - Halo GPO Edit 1" -PermissionLevel GpoEdit
http://windowswideopen.com/category/set-gppermission/
“EXISTING GPO”… we are talking about creating new GPOs.
Is D.
Answer is D, you need to add the user to the Group Policy Creator Owners group
https://technet.microsoft.com/en-us/library/cc781991(v=ws.10).aspx
Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.
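The delegation described in the TechNet excerpt above, followed by a check that the account holds no link rights, as an added example that is not part of the original thread. It assumes `rallen` is the technician's sAMAccountName (hypothetical) and that the ActiveDirectory module is available; it audits the domain root and OUs only, not sites.

```powershell
# Added example: delegate GPO creation, then verify the account cannot link GPOs.
# Assumption: 'rallen' is a hypothetical sAMAccountName for Rory Allen.
Import-Module ActiveDirectory

$sam = 'rallen'

# Membership in this group grants the right to create GPOs, nothing more.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $sam

# SIDs the account resolves to: the user plus its (nested) security groups.
$user = Get-ADUser -Identity $sam -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })

# Linking a GPO means writing the gPLink attribute on a container.
# Read the attribute's GUID from the schema instead of hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$gpLinkAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID
$gpLinkGuid = [guid]$gpLinkAttr.schemaIDGUID
$allProps   = [guid]::Empty   # an ACE with no ObjectType covers every attribute

# Containers a GPO can be linked to (sites are not covered here).
$targets = @((Get-ADDomain).DistinguishedName) +
           @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$findings = foreach ($dn in $targets) {
    $acl   = Get-Acl -Path "AD:\$dn"
    # Ask for SIDs so ACE trustees compare directly against $sids.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band $writeProp) -and
            $ace.ObjectType -in $gpLinkGuid, $allProps -and
            $ace.IdentityReference.Value -in $sids) {
            [pscustomobject]@{
                Container = $dn
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No gPLink write access found for $sam on the domain root or any OU." }
```

Any row in the output is a container where the account, or a group it belongs to, can already link GPOs and where that delegation would need to be removed to meet the requirement.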