DRAG DROP
Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012 R2.
The domain contains an organizational unit (OU) named OU1. OU1 contains an OU named OU2. OU2
contains a user named user1.
User1 is the member of a group named Group1. Group1 is in the Users container.
You create five Group Policy objects (GPO). The GPOs are configured as shown in the following table.
The Authenticated Users group is assigned the default permissions to all of the GPOs.
There are no site-level GPOs.
You need to identify which three GPOs will be applied to User1 and in which order the GPOs will be
applied to User1.
Which three GPOs should you identify in sequence? To answer, move the appropriate three GPOs
from the list of GPOs to the answer area and arrange them in the correct order.
Answer: See the explanation
Explanation:
Box 1: GPO2
Box 2: GPO4
Box 3: GPO5
Note:
* First at the domain level (GPO2), then at the highest OU level GPO4, and finally at the OU level
containing user1 GPO5.
Incorrect:
* Read and Apply group policy are both needed in order for the user or computer to receive and
process the policy
Not GPO1: Group1 has Deny Apply Group Policy permissions on GPO1.
Not GPO3: Group1 has Deny Read permissions on GPO3.
GPO2 and GPO4 are disabled.
* When a Group Policy Object (GPO) is enforced it means the settings in the Group Policy Object on
an Organization Unit (which is shown as a folder within the Active Directory Users and Computers
MMC) cannot be overruled by a Group Policy Object (GPO) which is link enabled on an
Organizational Unit below the Organizational Unit with the enforced Group Policy Object (GPO).
* Group Policy settings are processed in the following order:
1 Local Group Policy object
2 Site.
3 Domain4 Organizational units
GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are
processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs
that are linked to the organizational unit that contains the user or computer are processed.
Shouldn’t it be in opposite order, 5 -> 4 -> 2 where 5 applies with highest weight?
it ask for sequence, which goes first. not which is being weighted more and take over
Default –> L S D OU, no site and no local policy.
So the answer is , D(1,2) OU(3,4,5) ??? WRONG !!!!!!!!!!!!!
However, we have enforced setting enabled for (5,3,1) what mean GPO(5,3,1) move at the end.
The only answer is D(2) –> OU(4) –> ((Enforced Enabled and GPO begin with the opposite direction)) OU(5,3) –> D(1).
2,4,5,3,1.
É preciso prestar atenção as permissões adicionais para chegar na resposta correta.
Correct Answer is GPO1,GPO3,GPO5.
No, thats incorrect. 2, 4, 5 is correct.
No, Xain is correct. 1,3,5 will be applied due to Enforcement and in that order due to Local, Site, Domain, OU (Higher OU first).
GPOs 1 and 3 can’t be applied because Group1 is denied being able to apply GPO1, and is denied being able to even read GPO3. You can’t apply settings you can’t see.
No, it is 2, 4, 5.
1 is not applied because of Deny Apply GPO on Group1 (which user1 is a member of).
3 is not applied because of deny read on Group1. If it can not read the GPO, then it can not apply it.
hint: Look in additional permissions. The excluded 2 are denied to be read. There is now only 3 left, the 3 correct ones.
GPO1 and GPO3 are out of the equation due to the additional permissions for Group1:
-GPO1 – Group1 has Deny apply group policy permission
-GPO3 – Group1 has Deny Read permission
Order of Group Policy application:
Local
Site
Domain
OU
Based on the above:
GPO2 – Will apply first due to it being linked to the Domain contoso.com
GPO4 – Will apply next due to it being linked to OU1
GPO5 – Will apply last due to OU2 being a Sub-OU of OU1
Hope that helps
remember gpo order local site domain ou