Your network consists of four Active directory domains named East, West, North, and South. The
North domain is the forest root domain. All domain controllers run Windows Server 2008 R2.
Department managers use a sales reporting application on a server named SalesServer1 in the East
domain. A domain local group named SalesAppEast in the East domain has access to the application.
Each domain has a global group named LocalManagers that contains all managers from the
corresponding domain. All global groups are added to the SalesAppEast domain local group. You
need to ensure that any unauthorized member added to SalesAppEast is automatically removed.
What should you do?
A.
Deny the Modify permission for the SalesAppEast domain local group.
B.
Create a Group Policy object (GPO). Configure the GPO to restrict group membership to the
SalesAppEast group and link the GPO to the East domain.
C.
Create a Group Policy object (GPO). Configure the GPO to restrict group membership to the
LocalManagers group and link the GPO to the North domain.
D.
Create a Group Policy object (GPO). Configure the GPO to restrict group membership to the
LocalManagers group and link the GPO to the North, South, and West domains.
Explanation:
To ensure that any unauthorized member added to LocEastGr is automatically removed, you need to
create and configure the GPO to restrict group membership to the LocEastGr group and link the GPO
to the East domain. A restricted group’s membership is enforced by group policy. It allows you to
clearly specify which accounts must not considered members of a client’s local group, and which
accounts must always be considered members of a local group. This way you can enforce rights and
privileges for who gets to log onto a local client and who does not. You should not create and
configure the GPO to restrict group membership to the global domain group because you want to
configure LocEastGr for unauthorized access and not global domain groups.
Using Group Policy to Restrict Group Membership
http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=68