What should you include in the design?

Your network contains an Active Directory domain named contoso.com. The domain
contains an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1
contains custom security settings.
You need to design a Group Policy strategy to meet the following requirements:
The security settings in GPO1 must be applied to all client computers.

Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers
in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.

Your network contains an Active Directory domain named contoso.com. The domain
contains an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1
contains custom security settings.
You need to design a Group Policy strategy to meet the following requirements:
The security settings in GPO1 must be applied to all client computers.

Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers
in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.

A.
Enable the Block Inheritance option at the domain level. Enable the Enforced option on
GPO1.

B.
Enable the Block Inheritance option on OU1. Link GPO1 to OU1.

C.
Enable the Block Inheritance option on OU1. Enable the Enforced option on all of the
GPOs linked to OU1.

D.
Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.



Leave a Reply 8

Your email address will not be published. Required fields are marked *


theMSguy

theMSguy

I don’t think D is the right answer. When inhertance is blocked, GPO1 is no longer linked to OU1. You need to link it to OU1 first, which is answer B. Enforcing is not an option because other GPO’s linked to OU1 must be applied as well.

Tech1

Tech1

The question states that GPO1 is linked to the domain and contains settings that must be applied to all client computers so you would block inheritance on OU1 to stop any other GPO’s being applied and enforce GPO1 so that only that policy is applied from above OU1, then only GPO1 and the other policies that are already linked to OU1 will be applied.

D is correct.

http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/15/understanding-the-structure-of-a-group-policy-object-part-2.aspx

Chriss

Chriss

Yes, the correct answer is D

* You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

* GPO links that are enforced cannot be blocked from the parent container.

Bill Gates

Bill Gates

In a lab, both B & D achieve the desired result…. for OU1, but The question says “More than one answer choice may achieve the goal. Select the BEST answer.”

B) Enable the Block Inheritance option on OU1. Link GPO1 to OU1.
> Whilst this works for OU1, it does not meet the requirement “The security settings in GPO1 must be applied to ALL client computers” for any other OU’s, etc…

D) Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1
> This blocks any other GPO’s above OU1. Allows any GPO’s linked to OU1 and the “Enforced option on GPO1” also makes sure that OU1 gets the required Security Settings… Likewise, as it is enforced ALL / Everything below the Domain with get GPO1…

Answer D

bbyipp

bbyipp

C should be the answer – enforce all GPOs linked to OU1
because the second requirement: “Only GPO1 AND OTHER GPOs that are linked to OU1 must be applied to the client computers in OU1”
So,
action 1 – block inheritance to prevent any GPOs from being applied
action 2 – enforce all GPO directly linked to OU1 (including GPO1)

Any comment?

S

S

Yes, answer is D.
Block inheritance does not count for the GPO’s directly linked to the OU. Enforced option for all GPO’s does not accomplish anything besides more administrative effort

RayOrbison

RayOrbison

B; Enable the Block Inheritance option on OU1. Link GPO1 to OU1.

this answer isn’t popular here but it also works however we are asked to chose the “best” answer. These questions are simply bad form since “best” can be subjective and in this scenario, would likely boil down to the rest of the AD design.

Answer B works best (IMO) because you can link a GPO to multiple separate OU’s – so you link GPO1 to OU1 as well as leaving it linked to the domain, and then block inheritance on OU1. this solution achieves the goal and the new settings only impact the target, OU1.

D: Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.

whilst this answer is popular and certainly works, by enforcing GPO1 at the domain level you could be applying GPO1 to unintended targets, member servers for example. By enforcing this GPO1 at this level may be bypassing and additional ‘block inheritance’ settings within your AD setup.

Therefor I prefer answer B since it is a very targeted approach, answer D is a scattershot and consideration of the rest of the AD structure would need to be made.

https://quayphimchuphinh.net

https://quayphimchuphinh.net

Liên hệ ngay với chúng tôi để nhận giá ưu đãi hấp dẫn.