Which three GPOs should you identify in sequence?

DRAG DROP

Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2.
The domain contains an organizational unit (OU) named OU1. OU1 contains an OU named
OU2. OU2 contains a user named user1.
User1 is a member of a group named Group1. Group1 is in the Users container.
You create five Group Policy objects (GPOs). The GPOs are configured as shown in the
following table.

The Authenticated Users group is assigned the default permissions to all of the GPOs.
There are no site-level GPOs.
You need to identify which three GPOs will be applied to User1 and in which order the GPOs
will be applied to User1.
Which three GPOs should you identify in sequence?
To answer, move the appropriate three GPOs from the list of GPOs to the answer area and
arrange them in the correct order.

Answer: See the explanation.

Explanation:
Box 1: GPO2
Box 2: GPO4
Box 3: GPO5

Note:
* First at the domain level (GPO2), then at the highest OU level (GPO4), and finally at the
level of the OU containing User1 (GPO5).
Incorrect:

* Read and Apply Group Policy are both needed in order for the user or computer to receive
and process the policy.
Not GPO1: Group1 has Deny Apply Group Policy permissions on GPO1.
Not GPO3: Group1 has Deny Read permissions on GPO3.
GPO2 and GPO4 are disabled.
* When a Group Policy object (GPO) is enforced, the settings in that GPO cannot be overruled
by a link-enabled GPO on an organizational unit below the organizational unit that has the
enforced GPO. (An organizational unit is shown as a folder within the Active Directory Users
and Computers MMC.)
* Group Policy settings are processed in the following order:
1. Local Group Policy object
2. Site
3. Domain
4. Organizational units
GPOs that are linked to the organizational unit that is highest in the Active Directory
hierarchy are processed first, then GPOs that are linked to its child organizational unit, and
so on. Finally, the GPOs that are linked to the organizational unit that contains the user or
computer are processed.
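
A small model of the rules above (security filtering first, then domain-to-OU ordering, with enforced links processed last), added here as an example; it is not part of the original answer and not Windows's own implementation. Link targets and the two Deny permissions come from the explanation and comments; the Enforced flags on GPO1 and GPO3 are assumptions because the question's table is not reproduced on this page, and link order within a single container is ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    linked_to: str                  # container the GPO link sits on
    enforced: bool = False          # assumption: the page's table is missing
    deny: dict = field(default_factory=dict)  # group -> rights explicitly denied

# Constructed model. Link targets and Deny ACEs follow the explanation and
# comments; the Enforced flags on GPO1 and GPO3 are assumptions.
GPOS = [
    Gpo("GPO1", "contoso.com", enforced=True, deny={"Group1": {"Apply"}}),
    Gpo("GPO2", "contoso.com"),
    Gpo("GPO3", "OU1", enforced=True, deny={"Group1": {"Read"}}),
    Gpo("GPO4", "OU1"),
    Gpo("GPO5", "OU2"),
]

# User1's own location decides which links are in scope. Where Group1 lives
# (the Users container) is irrelevant; membership only affects filtering.
USER1_PATH = ["contoso.com", "OU1", "OU2"]   # domain first, then OUs top-down

def passes_filter(gpo, groups):
    """Read AND Apply Group Policy are both required; an explicit Deny wins."""
    rights = {"Read", "Apply"}       # default grant to Authenticated Users
    for group in groups:
        rights -= gpo.deny.get(group, set())
    return rights == {"Read", "Apply"}

def processing_order(gpos, groups, path):
    """Names in processing order; on a conflict the later GPO's setting wins."""
    depth = {container: i for i, container in enumerate(path)}
    usable = [g for g in gpos if g.linked_to in depth and passes_filter(g, groups)]
    normal = sorted((g for g in usable if not g.enforced),
                    key=lambda g: depth[g.linked_to])
    # Enforced links are processed after all others, lowest container first,
    # so the enforced GPO linked highest in the hierarchy has the final say.
    forced = sorted((g for g in usable if g.enforced),
                    key=lambda g: -depth[g.linked_to])
    return [g.name for g in normal + forced]

def user1_order():
    return processing_order(GPOS, {"Authenticated Users", "Group1"}, USER1_PATH)

def non_member_order():
    # Hypothetical user in OU2 who is not in Group1: the Deny ACEs do not match.
    return processing_order(GPOS, {"Authenticated Users"}, USER1_PATH)
```

For User1 the model yields GPO2, GPO4, GPO5; for the hypothetical non-member the two enforced GPOs are appended after them, OU1's before the domain's.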





Robert

Can someone explain this to me? I thought using enforcement means that even sub-GPOs cannot overrule their upper/same level GPO.

I thought that GPO1 would overrule GPO2 on domain level. As for OU1, I would think that GPO3 would win over GPO4 as it overrules the “link enabled” GPO3.

For GPO5 I can understand it completely. I tried looking it up online, but it seems I am missing something?

Jason32

GPO1 and GPO3 are out of the equation due to the additional permissions for Group1:
-GPO1 – Group1 has Deny apply group policy permission
-GPO3 – Group1 has Deny Read permission

Order of Group Policy application:
Local
Site
Domain
OU

Based on the above:
GPO2 – Will apply first due to it being linked to the Domain contoso.com
GPO4 – Will apply next due to it being linked to OU1
GPO5 – Will apply last due to OU2 being a Sub-OU of OU1

Hope that helps

Firas

Perfect explanation. Thanks.

a.l.i

But group 1 is not inside OU1 and it is in Users default OU!?

Matt

This confused me also, I think it’s looking for in what order the policies get applied/processed which is always the same; not the priority order.

robber

enforced policies can’t be overridden by policies on lower levels. But the lower level policies are still “applied”, they just don’t override policies that are configured in enforced policies (but do override settings that are “not configured”).

robber

edit: they just don’t override SETTINGS that are configured in enforced policies

Dave

Indeed, GPOs are processed in LSDO. Enforced rules are added last in reverse order. Therefore.

LSDO then Enforced rules UDS.

Regardless of whether a rule is enforced, GPO permissions still apply; therefore deny read on an enforced rule blocks it from being applied.

Dave

Correction ^ UDS should read ODS

da

This is deny read for Group1; for example, it makes the user who is in Group1 unable to read the GPO. Why would it be prevented from being enforced??

da

Answer:

Security Filtering Under the Hood

Though we can certainly add and remove users, computers and groups from the security filtering window in the GPMC, it’s also helpful to know what’s actually happening under the hood when we do this.

In order for a GPO to apply to an object, that object must have two rights over that GPO. These are:

Read
Apply Group Policy