Which three GPOs should you identify in sequence?

DRAG DROP
Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012.
The domain contains an organizational unit (OU) named OU1. OU1 contains an OU named
OU2. OU2 contains a user named User1.
User1 is a member of a group named Group1. Group1 is in the Users container.
You create five Group Policy objects (GPO). The GPOs are configured as shown in the following table.

The Authenticated Users group is assigned the default permissions to all of the GPOs.
There are no site-level GPOs.
You need to identify which three GPOs will be applied to User1 and in which order the GPOs
will be applied to User1.
Which three GPOs should you identify in sequence?
To answer, move the appropriate three GPOs from the list of GPOs to the answer area and
arrange them in the correct order.

Answer: See the explanation.

Explanation:
Box 1: GPO1
Box 2: GPO3
Box 3: GPO5

Note:
* Box 1: Domain GPOs are applied before OU GPOs.
* Incorrect:
* Not GPO2: GPO2 has Deny Apply Group Policy for Group1.
* Not GPO4: Group1 has Deny Read for this GPO.
* When a Group Policy Object (GPO) linked to an organizational unit is enforced, its
settings cannot be overruled by a GPO that is link enabled on an organizational unit below
the one with the enforced GPO. In the Active Directory Users and Computers MMC, an
organizational unit is shown as a folder, and ‘below’ means it is a subfolder.
* Group Policy Objects are processed in the following order (from top to bottom):
1. Local: Any settings in the computer’s local policy. Prior to Windows Vista, there was only
one local group policy stored per computer. Windows Vista and later Windows versions
allow individual group policies per user account.
2. Site: Any Group Policies associated with the Active Directory site in which the computer
resides. (An Active Directory site is a logical grouping of computers that is meant to facilitate
management of computers based on their physical proximity.) If multiple policies are linked
to a site, they are processed in the order set by the administrator.
3. Domain: Any Group Policies associated with the Windows domain in which the computer
resides. If multiple policies are linked to a domain, they are processed in the order set by the
administrator.
4. Organizational Unit: Group policies assigned to the Active Directory organizational unit
(OU) in which the computer or user is placed. (OUs are logical units that help organize
and manage a group of users, computers or other Active Directory objects.) If multiple
policies are linked to an OU, they are processed in the order set by the administrator.
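
The selection logic described in the explanation, as an added example that is not part of the original page: it walks the domain and OU links in processing order and drops any GPO for which the user's groups are denied Read or Apply. The link targets and ACEs are constructed assumptions chosen to match the explanation, since the question's table is missing; local and site policy, Enforced and Block Inheritance are not modelled.

```python
# Model of GPO selection for one user: domain/OU link order plus security filtering.
# Link targets and ACEs below are constructed; the page's table is missing.
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    allow: dict = field(default_factory=dict)  # trustee -> set of allowed rights
    deny: dict = field(default_factory=dict)   # trustee -> set of denied rights

# Default permissions on a new GPO for the Authenticated Users group.
DEFAULT = {"Authenticated Users": {"Read", "Apply"}}

def passes_filter(gpo, principals):
    """A GPO applies only if the user holds Read AND Apply and neither is denied."""
    denied = set().union(*(gpo.deny.get(p, set()) for p in principals))
    allowed = set().union(*(gpo.allow.get(p, set()) for p in principals))
    return {"Read", "Apply"} <= allowed - denied  # an explicit deny beats any allow

def applied_in_order(containers, links, gpos, principals):
    """Walk containers from the domain down to the user's OU (parent before child)."""
    order = []
    for container in containers:
        for name in links.get(container, []):  # list order = admin-defined link order
            if passes_filter(gpos[name], principals):
                order.append(name)
    return order  # later entries win when settings conflict

GPOS = {
    "GPO1": Gpo("GPO1", dict(DEFAULT)),
    "GPO2": Gpo("GPO2", dict(DEFAULT), {"Group1": {"Apply"}}),  # Deny Apply Group Policy
    "GPO3": Gpo("GPO3", dict(DEFAULT)),
    "GPO4": Gpo("GPO4", dict(DEFAULT), {"Group1": {"Read"}}),   # Deny Read
    "GPO5": Gpo("GPO5", {**DEFAULT, "Group1": {"Read", "Apply"}}),
}
# Assumed link placement (hypothetical): two GPOs on the domain, two on OU1, one on OU2.
LINKS = {"contoso.com": ["GPO1", "GPO2"], "OU1": ["GPO3", "GPO4"], "OU2": ["GPO5"]}
USER1_PATH = ["contoso.com", "OU1", "OU2"]
USER1_TOKEN = {"User1", "Authenticated Users", "Group1"}

def user1_result():
    return applied_in_order(USER1_PATH, LINKS, GPOS, USER1_TOKEN)

if __name__ == "__main__":
    print(user1_result())
```
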




noname

GPO5; GPO4; GPO2

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated

https://technet.microsoft.com/en-us/library/cc785665%28v=ws.10%29.aspx

Wombat

GPO2, GPO4, GPO5
First at the domain level (GPO2), then at the highest OU level GPO4, and finally at the OU level containing user1 GPO5

lucasdrums

GPO2 will never even apply, since the Deny apply group policy is selected. Answer is GPO1, GPO3 and GPO5 in that order. Following the rule LSDOU (local, site, domain, OU), that is the correct order and how precedence takes place when there is conflict.

xfeeca

GPO1, GPO3, GPO5
Local, Site, Domain, OU (Parent before child)
GPO2 and GPO4 are Security filtered by deny apply and read

Glenn

GPO1 is Disabled, so you have GPO 2 (Site)
GPO3 is Disabled, so you have GPO 4

MalotJean

Please stop. GPOs are not disabled, only enforcement is disabled. Enforcement only relates to settings taking precedence over later GPOs, not to the GPO being applied. You are only confusing people.

Glenn

GPO1 is Disabled, so you have GPO 2
GPO3 is Disabled, so you have GPO 4
GPO5 is Disabled and in OU2, GPO 5

feight

Enforced is disabled, not the policy… This only allows the GPO to bypass any “block inheritance” settings that might be enabled. Since there are none mentioned we are to assume none are configured (as is the default state), therefore “enforced” is irrelevant here.

GPO1 = applies by default to authenticated users

GPO2 = Deny “Apply” explicitly excludes group 1, so it won’t apply.

GPO3 = applies by default to authenticated users

GPO4 = Deny “Read” overrides the “authenticated users” ACE which is “read”, and thus won’t apply to group 1.

GPO5 explicitly applies to Group 1.

thus 1, 3, 5 are the only GPOs applicable.

LOCAL > SITE > DOMAIN > OU is the order of APPLICATION

which means order of PRECEDENCE is: OU (parent > child) > DOMAIN > SITE > LOCAL

Thus, order of PRECEDENCE is 1, 3, 5