Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote Desktop Session
Host role service installed. The computer account of Server1 resides in an organizational unit (OU)
named OU1.
You create and link a Group Policy object (GPO) named GPO1 to OU1.
You need to prevent GPO1 from applying to your user account when you log on to Server1. GPO1
must apply to every other user who logs on to Server1.
What should you configure?
A.
Security Filtering.
B.
WMI Filtering.
C.
Block Inheritance.
D.
Item-level targeting.
Explanation:
You can use item-level targeting to change the scope of individual preference items, so they apply
only to selected users or computers. Within a single Group Policy object (GPO), you can include
multiple preference items, each customized for selected users or computers and each targeted to
apply settings only to the relevant users or computers.https://technet.microsoft.com/en-us/library/cc733022.aspx
A absolutely A
(..)You create and link a Group Policy object (GPO) named GPO1 to OU1. GPO1 is configured as shown in the exhibit. (Click the Exhibit button.)
http://www.pass-exams.com/wp-content/uploads/2015/11/clip_image0253.jpg
You need to prevent GPO1 from applying to your user account when you log on to Server1. GPO1 must apply to every other user who logs on to Server1.
What should you configure?
A. Item-level targeting
B. Security Filtering <<=== correct
C. Block Inheritance
D. WMI Filtering
If you try to set a filter with item-level filtering you will get (among others) LDAP query. So you can configure (!(CN=that_guy)). That’s impossible with Security Filtering. The given answer is right.
Item-level filtering is the correct one.
i rethinked my own answer… i’m right but Security Filtering is simpler so it must be right
A is wrong because you can only provide access TO the gpo using security filtering.
You can’t exclude users or groups with security filtering. For this to work you’d have to remove the user from the group.
The actual correct answer is delegation via the delegation tab, and you would deny apply/read permissions.
It’s a trick question really. classic ms.
Security Filtrering
Delegation->Advanced->User->Deny Read or Deny Apply
D is correct because the question is “You need to prevent GPO1 from applying to your user account”. If the question was to not give you access to read the GPO “A” would be correct. So, it really is “you can read the GPO but it should not apply to your user”.
Item-level T. is correct.
Deny read access to a GPO keeps the GPO from applying to you, but with Security filtering, you can also deny apply to a specific user or group of users. A is the right answer. TBH, I am not even sure this could be accomplished via ILT
A is correct in my opinion.Well from those 4 options.
Delegation should be the correct answer but it’s missing. And
I really see no way of setting Item level tageting for a GPO
that would contain 100 policy/preference settings.it would only
work on preferences and those would have to be edited 1 by 1
and policies would still apply.
So the answer is E: Delegation 🙂
or A from the ones we have
Correct answer is DELEGATION, otherwise you need to add one-by-one all the users to Security Filtering except your user account, which is practically impossible and stupid in a big environments.
https://blog.brankovucinec.com/2015/07/17/how-to-exclude-a-group-policy-object-gpo-to-users-or-a-security-group/
Incorrect. By default, security filtering has “Authenticated Users” set to allow and that is it. You can add a specific user or a group to the filtering and set so Deny. Doing this will block the GPO from applying to anyone with the “Deny” applied, and it will apply to everyone else. Read the following link for in depth explanation.
https://msdn.microsoft.com/en-us/library/aa373513(v=vs.85).aspx
A is the answer.
Item level targeting is only used for preferences.