Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2.
You need to recommend a Group Policy deployment strategy. Your strategy must support the
following requirements:
• Domainlevel Group Policy objects (GPOs) must not be overwritten by organizational unit
(OU) level GPOs.
• OUlevel GPOs must not Apply to members of the Server Operators group.
What should you recommend?
A.
Enable Block Inheritance for the domain, and then modify the permissions of all GPOs linked to
OUs.
B.
Enable Block Inheritance for the domain, and then enable Loopback Processing policy mode. Add
the Server Operators group to the Restricted Groups list.
C.
Set all domain level GPOs to Enforced, and then modify the permissions of the GPOs that are
linked to OUs.
D.
Set all domain level GPOs to Enforced, and then enable Loopback Processing policy mode. Add the
Server Operators group to the Restricted Groups list.
Explanation:
http ://www.petri.co.il/working_with_group_policy.htm
http ://technet.microsoft.com/en-us/library/bb742376.aspxLinking a GPO to Multiple Sites, Domains, and OUs
This section demonstrates how you can link a GPO to more than one container (site, domain, or OU)
in the Active Directory. Depending on the exact OU configuration, you can use other methods to
achieve similar Group Policy effects; for example, you can use security group filtering or you can
block inheritance. In some cases, however, those methods do not have the desired affects.
Whenever you need to explicitly state which sites, domains, or OUs need the same set of policies,
use the method outlined below:
To link a GPO to multiple sites, domains, and OUs
1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory User
and Computers node.
2. Double-click the reskit.com domain, and double-click the Accounts OU.
3. Right-click the Headquarters OU, select Properties from the context menu, and then click the
Group Policy tab.
4. In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO
named Linked Policies.
5. Select the Linked Policies GPO, and click the Edit button.
6. In the Group Policy snap-in, in the User Configuration node, under Administrative Templates
node, click
Control Panel, and then click Display.
7. On the details pane, click the Disable Changing Wallpaper policy, and then click Enabled in the
Disable Changing Wallpaper dialog box and click OK.
8. Click Close to exit the Group Policy snap-in.
9. In the Headquarters Properties page, click Close.
Next you will link the Linked Policies GPO to another OU.1. In the GPWalkthrough console, double-click the Active Directory User and Computers node,
double-click the reskit.com domain, and then double-click the Accounts OU.
2. Right-click the Production OU, click Properties on the context menu, and then click the Group
Policy tab on the Production Properties dialog box.
3. Click the Add button, or right-click the blank area of the Group Policy objects links list, and select
Add on the context menu.
4. In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and
select the Accounts.reskit.com OU.
5. Double-click the Headquarters.Accounts.reskit.com OU from the Domains, OUs, and linked Group
Policy objects list.
6. Click the Linked Policies GPO, and then click OK.
You have now linked a single GPO to two OUs. Changes made to the GPO in either location result in
a change for both OUs. You can test this by changing some policies in the Linked Policies GPO, and
then logging onto a client in each of the affected OUs, Headquarters and Production.