Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012
R2.
An organizational unit (OU) named ResearchServers contains the computer accounts of all research servers.
All domain users are configured to have a minimum password length of eight characters.
You need to ensure that the minimum password length of the local user accounts on the research servers in
the ResearchServers OU is 10 characters.
What should you do?
A.
Configure a local Group Policy object (GPO) on each research server.
B.
Create and link a Group Policy object (GPO) to the ResearchServers OU.
C.
Create a universal group that contains the research servers. Create a Password Settings object (PSO) and
assign the PSO to the group.
D.
Create a global group that contains the research servers. Create a Password Settings object (PSO) and assign
the PSO to the group.
Explanation:
For a domain, and you are on a member server or a workstation that is joined to the domain
1. Open Microsoft Management Console (MMC).
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Click Group Policy Object Editor, and then click Add.
4. In Select Group Policy Object, click Browse.
5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or
organizational unit–or create a new one, click OK, and then click Finish.
6. Click Close, and then click OK.
7. In the console tree, click Password Policy.
Where?
Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy
8. In the details pane, right-click the policy setting that you want, and then click Properties.
9. If you are defining this policy setting for the first time, select the Define this policy setting check box.
10. Select the options that you want, and then click OK.
Just in case anyone’s interested: http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
This answer doesn’t seem right to me. Fine-grained password policies are only applicable to users and global security groups. Therefore, answer B is incorrect. It would be correct if there wasn’t a domain password requirement–the fact that there is, leads me to believe that we’re now creating a fine-grained password policy.
I believe it to be either A or D. A is a waste of time as you don’t want to create a local policy on each workstation, even if you do use a template for the sequential servers. Fine-grained password policies also cannot be assigned to universal groups.
D seems to make the most sense in this case. Anybody else??
Or does it make a difference that they are LOCAL user accounts on the servers?
Refer to http://www.aiotestking.com/microsoft/which-two-object-types-should-you-identify-2/
You can’t assign PSOs to computer objects. Only to user and global group objects. The GPO only contains computer objects. Since these are local accounts, you have to set the Local User account settings via a GPO.
The question refers that computer local accounts of the Researchers OU should have the specific requirements. So I think the answer is correct:B
I think it is D, it the only one that makes sense.
PSO cannot apply in this case. This is for LOCAL accounts. PSO can only be set for domain users. Also note: the question does not ask for minimum amount of effort because there is only one effort that can be used……. setting the LOCAL GROUP POLICY on each server.
Canusa what is the answer?
It’s B, the provided answer is correct.
http://technet.microsoft.com/pt-pt/library/cc757692(v=ws.10).aspx
“Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers”
Answer correct
1. GPO applied at ou affect local accounts only http://www.windows-support.co.uk/press/?p=1094
2. PSO can not be applied to universal or local groups as they can only affect domain accounts (local are not domain, universal span domains) https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/-Fine-Grained-Password-and-Lockout-Policy
PSO can not apply to non domain accounts: local, universal (cross domain)
Local GPO would be overwritten by default domain GPO
GPO linked to comouter OU would apply to local accounts only