Your network contains an Active Directory domain named contoso.com. The domain
contains an organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1
contains custom security settings.
You need to design a Group Policy strategy to meet the following requirements:
- The security settings in GPO1 must be applied to all client computers.
- Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.
A. Enable the Block Inheritance option at the domain level. Enable the Enforced option on GPO1.
B. Enable the Block Inheritance option on OU1. Link GPO1 to OU1.
C. Enable the Block Inheritance option on OU1. Enable the Enforced option on all of the GPOs linked to OU1.
D. Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.
Correct -> Enforced overrides block inheritance
But that will also block the other GPO (“and other GPO”), so I think it is C
Those “other GPOs” in the question are linked to OU1, so they won’t be blocked.
“C” doesn’t meet the requirement. What about GPO1?
“B” and “D” meet the requirement. “D” is the best answer, because we don’t know if all client computers are in OU1.
Think about it:
You most likely have computer accounts in other OUs.
GPO1 has to be applied to all computers. Also, there are other domain-linked GPO objects besides GPO1.
The only GPOs that are to be applied to OU1 are the domain-linked GPO1 policy and the OU1-linked policies.
1. You don’t need to enforce directly linked GPOs on OU1. Enforcement and blocking deal with INHERITED / upstream policies.
2. When you block inheritance at OU1 you are making sure the domain-linked GPOs get processed first (and subsequently overwritten by downstream OUs).
3. When you enforce GPO1, OU1 is ignoring all the other domain-linked GPOs except GPO1.
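
The inheritance rules argued over above can be checked with a small model. This is an added example, not part of the original question or of any comment: it models only link scope, Block Inheritance and Enforced (no sites, security filtering or precedence), and GPO2, OU1-GPO and OU2 are assumed names for another domain-linked GPO, an OU1-linked GPO and an OU holding other client computers.

```python
# Simplified model of GPO scope: which GPOs reach a computer in a container.
# Constructed for illustration; GPO2, OU1-GPO and OU2 are assumed names.
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    parent: "Container | None" = None
    block_inheritance: bool = False
    links: list = field(default_factory=list)  # (gpo_name, enforced)


def applied_gpos(container):
    """Return the set of GPO names that apply to computers in `container`."""
    applied, blocked, node = set(), False, container
    while node is not None:
        for gpo, enforced in node.links:
            # A link above a blocking container survives only if it is Enforced.
            if not blocked or enforced:
                applied.add(gpo)
        # Block Inheritance here cuts off non-enforced links from ancestors.
        blocked = blocked or node.block_inheritance
        node = node.parent
    return applied


def build(option):
    """Build contoso.com as configured by answer option 'A'..'D'."""
    domain = Container("contoso.com", block_inheritance=(option == "A"),
                       links=[("GPO1", option in ("A", "D")), ("GPO2", False)])
    ou1 = Container("OU1", parent=domain, block_inheritance=(option != "A"),
                    links=[("OU1-GPO", option == "C")])
    if option == "B":
        ou1.links.append(("GPO1", False))  # option B adds a direct link
    ou2 = Container("OU2", parent=domain)  # client computers outside OU1
    return ou1, ou2


def meets_requirements(option):
    ou1, ou2 = build(option)
    on_ou1, on_ou2 = applied_gpos(ou1), applied_gpos(ou2)
    req1 = "GPO1" in on_ou1 and "GPO1" in on_ou2   # GPO1 on all clients
    req2 = on_ou1 == {"GPO1", "OU1-GPO"}           # nothing else in OU1
    return req1 and req2


RESULTS = {opt: meets_requirements(opt) for opt in "ABCD"}

if __name__ == "__main__":
    for opt, ok in RESULTS.items():
        print(opt, sorted(applied_gpos(build(opt)[0])), "meets" if ok else "fails")
```

In this model options B and D both satisfy the two stated requirements; A leaves the other domain-linked GPO applying in OU1, and C keeps GPO1 out of OU1.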