###BeginCaseStudy###
Case Study: 14
School of Fine Art
Scenario
COMPANY OVERVIEW
School of Fine Art is an educational institution that has a main campus and two satellite
campuses. The main campus is located in New York. The satellite campuses are located in
Los Angeles and Chicago. The main campus has approximately 4,000 users made up of
students, faculty, and employees. Each satellite campus has approximately 1,000 users made
up of students, faculty, and employees.
EXISTING ENVIRONMENT
The network contains a single Active Directory domain named fineartschool.net. All servers
run Windows Server 2008 R2. All client computers run either Windows XP or Windows 7.
The network contains Microsoft Application Virtualization (App-V) and Microsoft Enterprise
Desktop Virtualization (MED-V).
Existing Network Infrastructure
The main campus has the following servers:
• A file server that contains confidential files
• A print server that has several printers installed
• A server that has the Windows Server Update Services (WSUS) server role installed
All client computers are updated by using the WSUS server. The main campus has a
computer lab. The lab has 50 client computers that run Windows 7 Enterprise. The computer
accounts for the lab computers are located in an organizational unit (OU) named LabOU. The
user accounts and computer accounts for all of the students are located in an OU named
StudentsOU. Both OUs are child objects in the fineartschool.net domain. The relevant Group
Policy objects (GPOs) are configured as shown in the following table.
REQUIREMENTS
Technical Requirements
The computer lab must meet the following requirements:
• Ensure that the user settings in all domain-level GPOs are applied to each student.
• Prevent the settings in all domain-level GPOs from being applied to the client computers
in the computer lab.
The update management infrastructure must meet the following requirements:
• Each campus must control the updates for its respective campus.
• Update status reports must be sent weekly to the Enterprise Administrator on the main
campus.
Application Requirements
All client computers will be upgraded to Windows 7 Enterprise. An application named App1
runs on every client computer. App1 is only compatible with Windows XP. App1 must
remain available after all of the operating system upgrades are complete.
App1 must meet the following requirements:
• App1 must be available from the Start menu.
• The management of App1 must be centralized.
• Each user must have a unique instance of App1.
Security Requirements
Security for the file server on the main campus must meet the following requirements:
• Unauthorized users must be prevented from printing sensitive files stored on the server.
• The contents of the server's hard disks must remain secure if the physical security of the
server is compromised.
Problem Statements
Users report that they receive a different desktop environment every time they log on to a
client computer in the computer lab. The print server on the main campus has reliability
issues. A malfunction on a single printer often causes other printers to malfunction.
###EndCaseStudy###
You need to recommend a strategy for the computer lab that meets the company’s technical
requirements. What should you recommend?
A. Enable the loopback setting in GPO2. Enable the Enforced option in GPO1.
B. Enable the Block Inheritance option on Lab OU. Enable the Enforced option in GPO1.
C. Enable the loopback setting in GPO2. Disable the user configuration settings in GPO3.
D. Enable the Block Inheritance option on Lab OU. Disable the user configuration settings in GPO3.
Explanation:
To apply the settings of a Group Policy object (GPO) to the users and computers of a domain, site, or
organizational unit, you can link that domain, site, or organizational unit to that GPO. You can add one
or more GPO links to each domain, site, and organizational unit in Group Policy Management
Console. The settings deployed by GPOs linked to higher containers (parent container) in Active
Directory are inherited by default to child containers and combine with any settings deployed in
GPOs linked to child containers. If multiple GPOs attempt to set a setting to conflicting values, the
GPO with the highest precedence sets the setting. GPO processing is based on a last writer wins
model, and GPOs that are processed later have precedence over GPOs that are processed sooner.
Group Policy objects are processed according to the following order:
• The local Group Policy object (LGPO) is applied.
• GPOs linked to sites.
• GPOs linked to domains.
• GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with
parent organizational units are processed prior to GPOs associated with child organizational units.
Changing the link order
Within each domain, site, and organizational unit, the link order controls when links are applied. To
change the precedence of a link, you can change the link order, moving each link up or down in the
list to the appropriate location. The link with the higher order (with 1 being the highest order) has
the higher precedence for a given site, domain, or organizational unit. For example, if you add six
GPO links and later decide that you want the last one that you added to have highest precedence,
you can move the GPO link to the top of the list.
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance
prevents GPOs linked to higher sites, domains, or organizational units from being automatically
inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes
useful to block inheritance. For example, if you want to apply a single set of policies to an entire
domain except for one organizational unit, you can link the required GPOs at the domain level (from
which all organizational units inherit policies by default), and then block inheritance only on the
organizational unit to which the policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child
object by setting that link to Enforced. GPO links that are enforced cannot be blocked from the
parent container. Without enforcement from above, the settings of the GPO links at the higher level
(parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain
conflicting settings. With enforcement, the parent
GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC,
“enforced” was known as “No override.”
Disabling a GPO link
By default, processing is enabled for all GPO links. You can completely block the application of a GPO
for a given site, domain, or organizational unit by disabling the GPO link for that domain, site, or
organizational unit.
Note that this does not disable the GPO itself, and if the GPO is linked to other sites, domains or
organizational units, they will continue to process the GPO, if their links are enabled.
GPO links set to Enforced (No Override) cannot be blocked.
The enforce and block inheritance options should be used sparingly. Casual use of these advanced
features complicates troubleshooting.
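
The precedence rules in the explanation (link order, child over parent, Block Inheritance, Enforced, disabled links) can be modelled in a few lines. The following is an added example, not part of the original material; the domain, OU and GPO names and the settings are constructed, and sites, the local GPO, security filtering, WMI filters and loopback processing are assumed out of scope.

```python
# Added example: models the precedence rules described in the explanation.
# Names are constructed; sites, the local GPO, security filtering, WMI
# filters and loopback processing are not modelled.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Link:
    gpo: str
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # index 0 = link order 1
    block_inheritance: bool = False

def precedence(target):
    """GPO names that apply to target, highest precedence first."""
    normal, enforced, blocked = [], [], False
    node = target
    while node is not None:
        active = [l for l in node.links if l.enabled]  # disabled links are skipped
        # Enforced links cannot be blocked, and a parent's enforced link
        # outranks a child's, so prepend while walking upward.
        enforced = [l.gpo for l in active if l.enforced] + enforced
        if not blocked:
            normal += [l.gpo for l in active if not l.enforced]
        # Block Inheritance stops inheritance from the containers above;
        # the blocking container's own links still apply.
        blocked = blocked or node.block_inheritance
        node = node.parent
    return enforced + normal

def resolve(target, gpo_settings):
    """Effective settings: replay GPOs lowest precedence first, last writer wins."""
    result = {}
    for gpo in reversed(precedence(target)):
        result.update(gpo_settings.get(gpo, {}))
    return result

# Constructed sample hierarchy and settings.
domain = Container("example.test", links=[Link("Baseline", enforced=True), Link("Wallpaper")])
staff = Container("Staff", domain, [Link("StaffDesktop")])
kiosks = Container("Kiosks", domain, [Link("KioskShell"), Link("KioskOld", enabled=False)], True)
SETTINGS = {"Baseline": {"lock_timeout": 300}, "Wallpaper": {"wallpaper": "corp.bmp", "lock_timeout": 900},
            "StaffDesktop": {"wallpaper": "staff.bmp"}, "KioskShell": {"lock_timeout": 60}}
```

In this sample the Kiosks OU blocks inheritance, so the domain's Wallpaper GPO never reaches it, while the enforced Baseline GPO still applies and overrides the conflicting value in KioskShell.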