Your network contains an Active Directory domain named contoso.com. The domain contains an
organizational unit (OU) named OU1.
You have a Group Policy object (GPO) named GPO1 that is linked to contoso.com. GPO1 contains custom
security settings.
You need to design a Group Policy strategy to meet the following requirements:
* The security settings in GPO1 must be applied to all client computers.
* Only GPO1 and other GPOs that are linked to OU1 must be applied to the client computers in OU1.
What should you include in the design?
More than one answer choice may achieve the goal. Select the BEST answer.
A. Enable the Block Inheritance option at the domain level. Enable the Enforced option on GPO1.
B. Enable the Block Inheritance option on OU1. Link GPO1 to OU1.
C. Enable the Block Inheritance option on OU1. Enable the Enforced option on all of the GPOs linked to OU1.
D. Enable the Block Inheritance option on OU1. Enable the Enforced option on GPO1.
Explanation:
* You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group
Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being
automatically inherited by the child-level.
* GPO links that are enforced cannot be blocked from the parent container.
I call bullshit on the given answer.
Yes, block inheritance at OU1. But you only need to link GPO1 to OU1 for it to take effect. There is no mention of having other blocked OUs in OU1, so there is no need to enforce GPO1.
Correct answer is ‘B.’
Both B and D would give the same end result for computers in OU1, but we need to think for the whole domain.
The first condition says “The security settings in GPO1 must be applied to all client computers”. This means that no matter what, this GPO needs to apply everywhere. The best way to do this for the whole domain would be to enforce the GPO.
The second condition can be satisfied two ways, and both require disabling inheritance for OU1. If we link GPO1 to OU1 instead of enforcing GPO1, then any other OU with blocked inheritance would also need GPO1 linked directly to it in order to get those settings. Since this is more complicated/time-consuming than it’s worth, it is not the BEST answer.
Since Enforced GPOs bypass blocked inheritance, it will fulfill the first requirement and allow you to block inheritance on OU1 while still fulfilling the second requirement.
B and D both seem correct.
However, D is the best answer because of the requirement “The security setting in GPO1 must be applied to all client computers”.
We don’t know what OU all the client computers are in, hence the need to link it to the domain, rather than OU1.
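
The two rules from the explanation (Block Inheritance stops non-enforced links from parent containers; Enforced links cannot be blocked) can be checked against each answer option with a small model. This is an added example, not part of the original question or comments: it tracks only which GPOs apply (not precedence), and `DomainOther`, `OU1-GPO` and `OU2` are constructed names, with `OU2` standing in for the "other OU with blocked inheritance" raised in the thread.

```python
# Simplified model of GPO link processing (added example; sets only, no precedence).
# Constructed names: "DomainOther" (a second domain-linked GPO), "OU1-GPO", "OU2".

def make_tree(option, other_blocked_ou=False):
    """Return {container: {"parent", "block", "links": {gpo: enforced}}} for one option."""
    tree = {
        "contoso.com": {"parent": None, "block": False,
                        "links": {"GPO1": False, "DomainOther": False}},
        "OU1": {"parent": "contoso.com", "block": False, "links": {"OU1-GPO": False}},
    }
    if other_blocked_ou:  # hypothetical sibling OU that already blocks inheritance
        tree["OU2"] = {"parent": "contoso.com", "block": True, "links": {}}
    if option == "A":     # block at the domain, enforce GPO1
        tree["contoso.com"]["block"] = True
        tree["contoso.com"]["links"]["GPO1"] = True
    else:                 # B, C and D all block inheritance on OU1
        tree["OU1"]["block"] = True
        if option == "B":    # additionally link GPO1 directly to OU1
            tree["OU1"]["links"]["GPO1"] = False
        elif option == "C":  # enforce every GPO linked to OU1
            tree["OU1"]["links"] = {g: True for g in tree["OU1"]["links"]}
        elif option == "D":  # enforce the domain-level GPO1 link
            tree["contoso.com"]["links"]["GPO1"] = True
    return tree

def applied_gpos(tree, container):
    """Walk up from the container; parent links apply if enforced or not blocked below."""
    applied, blocked, node = set(), False, container
    while node is not None:
        for gpo, enforced in tree[node]["links"].items():
            if enforced or not blocked:
                applied.add(gpo)
        blocked = blocked or tree[node]["block"]
        node = tree[node]["parent"]
    return applied

def meets_requirements(option, other_blocked_ou=False):
    """(req1, req2): GPO1 reaches every container; OU1 gets only GPO1 + its own links."""
    tree = make_tree(option, other_blocked_ou)
    req1 = all("GPO1" in applied_gpos(tree, c) for c in tree)  # assumes clients in each
    req2 = applied_gpos(tree, "OU1") == {"GPO1"} | set(tree["OU1"]["links"])
    return req1, req2

if __name__ == "__main__":
    for extra in (False, True):
        for opt in "ABCD":
            print(opt, "other blocked OU:", extra, meets_requirements(opt, extra))
```

In this model B and D behave identically for OU1; they differ only once another container blocks inheritance.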