Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2.
You have a Group Policy object (GPO) named GPO1 that contains hundreds of settings.
GPO1 is linked to an organizational unit (OU) named OU1. OU1 contains 200 client
computers.
You plan to unlink GPO1 from OU1.
You need to identify which GPO settings will be removed from the computers after GPO1 is
unlinked from OU1.
Which two GPO settings should you identify? (Each correct answer presents part of the
solution. Choose two.)
A.
The managed Administrative Template settings
B.
The unmanaged Administrative Template settings
C.
The System Services security settings
D.
The Event Log security settings
E.
The Restricted Groups security settings
Explanation:
http: //technet. microsoft. com/en-us/library/cc778402(v=ws. 10). aspx
http: //technet. microsoft. com/en-us/library/bb964258. aspx
There are two kinds of Administrative Template policy settings: Managed and Unmanaged .
The Group Policy service governs Managed policy settings and removes a policy setting
when it is no longer within scope of the user or computer
I think its A & D
http://www.web-foro.com/wl/CompanionContent/course/crse6425b_00_06_04_02.htm
sorry I am wrong
Isn’t restricted group in Computer GPO
Configuration\Windows Settings\Security Settings\Restricted Groups
It’s not e
I was wrong
Policy
Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
Computer Configuration\Policies\Windows Settings\Security Settings\Event Logs
Maybe point of this question is which settings will be reversed to default values when you remove GPO and which will stay active after the removal of the GPO.
A&D
There are two kinds of Administrative Template policy settings: Managed and Unmanaged . The Group Policy service governs Managed policy settings and removes a policy setting when it is no longer within scope of the user or computer.
The Group Policy service does not govern unmanaged policy settings. These policy settings are persistent. The Group Policy service does not remove unmanaged policy settings, even if the policy setting is not within scope of the user or computer.
I tested this on a 2012 R2 Domain/DC with Windows 8.1 client PC. The policy I configured and used was the only one which was enabled.
Tested with the following gpo settings:
Computer: Administrative Templates: Control Panel: Personlization: Force a specific default lock screen image (set it to C:\Copy.jpg)
Computer: Administrative Templates: System: Kerberos: Set maxmimum Kerberos SSPI context token buffer size (set it to 58000)
This is the only setting that has the extra note in GP Management Editor that says: “Note: This registry setting is not stored in a policies key and thus considered a preference. Therefore if the Group Policy Object that implements this setting is ever removed, this setting will remain.”
Computer: Windows Settings: Security Settings: Event Log: Maxmimum application log size (set it to 1234560 bytes)
Computer: Windows Settings: Restricted Groups: Backup Operators (made a user a member of this group)
Computer: Windows Settings: System Services: App Readiness (modified the permissions to start the service)
My conclusion is that EVERY gpo setting will be removed except for Unmanaged Administrative Templates. So it’s B. Tested this twice. Whenever I disabled the gpo and did a gpupdate on the client, the settings were all restored to it’s original except for the Unmanaged Administrative Templates.
Your reasoning is sound but not answering the question, which was ‘You need to identify which GPO settings will be removed’. Your answer identifies the opposite, which ones will not.
It is certainly A over B, but I’m still not keen on the second bit.
I was so busy testing that I forgot the question. Indeed A over B. But when I would answer this question I would say that everything is true except B. So there is something wrong with the question/answer as it is copy/pasted over here.
After reading the comments i think its A and C.
A- “The Group Policy service governs Managed policy settings and removes a policy setting when it is no longer within scope of the user or computer.”
C- Since Restricted Groups and Event Log makes part of Security Settings.
Sorry, i misunderstood what was written in C. I agree with John…
The following article could help shed some light, but I find that it really just muddies the water even more…
https://technet.microsoft.com/en-us/library/cc736484(v=ws.10).aspx
A and D
A and B. Your asked to identify which settings will be removed after the GPO is removed. You need to use filtering on the Administrative Templates to see which these are. C, D or E won’t tell you anything.
so what is the right answer guys?
Some guys just want to be spoon-fed all their pathetic life. You see questions that everyone is researching & contributing their own ONE CENT, yet you can’t get on any of the referenced ‘technet’ or ‘msdn’ sites and do some read-up. You sit on your lazy ass, and keep asking “so what is the answer, guys?!” For real?! How pathetic?!
Maybe you should try to find a job instead of complaining!
I just tested this in a lab. I made a test GPO to add a user to the local Guests group and applied it to the GPO with my PC in, sure enough it replaced the membership with the Test Account. When I unlinked the GPO, it reverted back to its original state. So I’d say it’s A & E.
According to the posts here Restricted Groups settings will be removed when unlinked. Managed Template settings definitely are, so i agree with Kai.
That or the question is incorrect here.
https://social.technet.microsoft.com/forums/windowsserver/en-US/3de0d395-4d99-42f1-9d37-a2ce6c24e7d8/restricted-groups
A&E I think. Quick google:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/3de0d395-4d99-42f1-9d37-a2ce6c24e7d8/restricted-groups?forum=winserverGP
Tested in lab only unmanaged Administrative Template settings remain after unlinking a GPO, or if you have GPP configured those will also remain