Your network contains an Active Directory forest named contoso.com. The functional level of
the forest is Windows Server 2008 R2.
All of the user accounts in the marketing department are members of a group named
Contoso\MarketingUsers. All of the computer accounts in the marketing department are
members of a group named Contoso\MarketingComputers.
A domain user named User1 is a member of the Contoso\MarketingUsers group. A
computer named Computer1 is a member of the Contoso\MarketingComputers group.
You have five Password Settings objects (PSOs). The PSOs are defined as shown in the
following table.
When User1 logs on to Computer1 and attempts to change her password, she receives an
error message indicating that her password is too short.
You need to tell User1 what her minimum password length is.
What should you tell User1?
A.
10
B.
11
C.
12
D.
14
Explanation:
One PSO has a precedence value of 2 and the other PSO has a precedence value of 4. In
this case, the PSO that has the precedence value of 2 has a higher rank and, hence, is
applied to the object.
Actually the explanation is wrong. PSOs linked to users override ones linked to groups, regardless of precedence.
http://web-foro.com/wl/CompanionContent/course/crse6425b_00_09_01_08.htm
Answer is D
Explain why you think it is D?
No It’s A. Tested it myself with the exact situation as described.
If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored, regardless of their precedence. The user-linked PSO with highest precedence wins.
Tested its A for 100%
A is the answer, let’s read this example.
Let’s take the G_ITAdmins group and apply two PSOs, one with precedence of 10 and one with precedence of 5. The PSO with precedence of 5 will win, because a lower precedence value is a higher precedence.
This makes sense if you are just using groups and apply the PSO to the group level. But what happens if you apply a PSO to the group G_ITAdmins (Sally Smith is still a member) and you apply a PSO directly to Sally Smith?
Let’s take the G_ITAdmins group again, where Sally Smith is a member, and apply a PSO with a precedence of 10. Create another PSO with a precedence of 15 and apply this PSO directly to the user Sally Smith. The PSO directly applied to Sally will win, although the precedence value is higher.
The way that the PSO applied is determined is as follows:
A PSO that is linked directly to the user object is the resultant PSO. If no PSO is linked to the
user object, the global security group memberships of the user—and all PSOs that are applicable to the user based on those global group memberships—are compared. The PSO with the lowest precedence value is the resultant PSO.
This makes totally sense, because in the reasoning logic of an Administrator who’s in charge of password policies, he may define different password policies to different groups: A,B,C,etc.
Then, he may get a call from someone who belonged to A and B groups, and had a certain password policy, but he is now a member of C group, and as a result, he has a longer password requirement.
The easiest way to fix this issue and give back the user his password policy is to apply a PSO to the user. And this is the way it is applied.
Ans.- A
https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx
How did you get A, when the article you link to confirms it is D?
If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to a user object.)
If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.
Answer is D – 14 characters.
Straight from Microsoft (https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx), here is the relevant section:
“If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to a user object.)
If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.”
It says “Multiple PSOs SHOULD not be directly linked to a user object” it did not say COULD not… in this case a PSO5 has been directly applied to USER1, which makes it the winning PSO… hence answer is A
even if the user linked pso didn’t go first, the precedence is the lowest as well. so it’s not even a trick question! D.
I think i made the same mistake as many others. The last policy wins, but that’s answer A. so maybe it’s a trick question after all 🙂
soz 2 b the bearer of bad news jjj but i think u might b dum.
A
http://sourcedaddy.com/windows-7/creating-password-settings-objects-and-applying-secondary-settings.html
Read carefully where it starts “If Multiple policies……”
If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to a user object.)
If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.
If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.