You work as an administrator at ABC.com. The ABC.com network consists of a single domain
named ABC.com. All servers in the ABC.com domain, including domain controllers, have Windows
Server 2012 R2 installed.
ABC.com’s user accounts are located in an organizational unit (OU), named ABCStaff. ABC.com’s
managers belong to a group, named ABCManagers.
You have been instructed to create a new Group Policy object (GPO) that should be linked to the
ABCStaff OU, but not affect ABC.com’s managers.
Which of the following actions should you take?
A.
You should consider removing the user accounts of the managers from the ABCStaff OU.
B.
You should consider configuring the new GPO’s WMI filter.
C.
You should consider adding the user accounts of ABC.com’s managers to the Admins group.
D.
You should consider adding the user accounts of ABC.com’s managers to the
localAdministrators group.
Explanation:
Security Filter.
WMI filter can’t be correct !! WMI filters only apply for computer settings not for user settings.
C & D = not correct answers , will not change anything.
Only A remaining.
I say A.
Because WMI filtering is for computer settings not for user settings!
Remove users from OU or set a security filter for group. SO it is A.
Its a super tricky question. B is correct, ONLY because it doe NOT do anything to affect ABCs managers (READ it carefully). It has nothing to do with WMI actually working or not. Its about affecting managers of ABC. It caught me too, but after reading repeatedly for an hour, I saw the trick. Don’t you just love microsoft ?
jx WMI filter could affect managers, because WMI is based on COMPUTERS and you don’t know what computers they are using
and one more…I hate microsoft…
Oh my word!
What an absolutely ridiculous question.
Definitely caught me off guard too!
Not looking forward to the exam..
I will go for A:
WMI is use to queries your local WMI repository on your computer.
WMI is only for computer objects. User objects would use security settings. Thus answer is A.
Question is GPO should not be applied to ABC managers group.
B.Incorrect .WMI filter applies only to computer. It applies to only computer based attributes like hardware ,Operating system configuration specification.
C. Incorrect .GPO is unique rule for all unless you mention a security filter. Security filter tells to whom the rule should apply. But here there is no option given of security filter
D.Incorrect . Reason is same as above given for option “C”.
SO A is the last option left .SO remove the mangers from that OU. (Organizational unit).
The only acceptable answer is A.
Already mention above, WMI is for computer, such as query if the machine got a battery.. then it is a laptop etc…
C & D are totally off.
What I don’t like with A is the wording “remove” user, I would had prefer just “move” (move to another OU). You cannot have a user in 2 or more OU so remove user object from an OU to me sounds like “delete” user. But even if it is so strange that is is remove/delete at least the users wont get the GPO 🙂
It’s gotta be A but the question is weird.
Great looking website. Assume you did a lot of your very ownyour very own html coding
NBA http://www.rushancun.com/comment/html/index.php?page=1&id=33999
I have considered this question and at first went for B, however I switched to A because of the following reasons.
First read the question carefully.
1 users accounts are all in one single ou.
2 a gpo is added to the ou
3 the gpo should not affect a specific group of users.
4 it is nowhere specified what the gpo does and where it is applied.
There are three basic ways to handle this.
1 Security filtering can be used, but it can only be used to apply to a certain group, users or computer, it can not be used to not affect them.
Since non of the options state to collect all non admin users in one group and add that to security filtering, security filtering cannot be used in any of the scenarios.
2 WMI filtering.
Wmi filtering is used to filter or apply a policy based on wmi queries that run against a computer, but since the separation has to be done on the basis of user accounts or a group this cannot be queried for with wmi by default(google: WMI-Filter Group Membership). It can be queried for in wmi(we use it for sccm), but not in the case of a gpo.
Hence WMI filtering doesn’t solve the issue.
3 The third option would be to use the Delegation tab which you could change by removing the authenticated users and only add the users that you want to apply the gpo to. Basically it runs into the same problem as option 1.
Of the 4 answers C&D are no options. Remains A or B. Because B is option 2 and cannot be used, 1 is left as the only valid answer.
How do I know? I tested it by making a gpo on a domain.
Well, only possible answer is A. Because GPO is linked to the OU, and affecting only OU which is linked to. GPO does not affect Groups in OU, however let’s remember that all users are in the same OU, so only possible solution: remove managers to separate OU. As we know WMI has nothing to do with user accounts and computer accounts are not mentioned.
A. is the answer.
http://www.certifychat.com/threads/microsoft-70-410-sacriestory-exam-d-question-10.613/
The policy is linked to the ABCStafff OU. In the OU are all the users (including the managers). For the policy to stay on the ABCStaff OU and not affect the managers, you move the managers accounts out of the ABCStaff OU.
The group named ABCManagers is just there for distraction. You also don’t know where the ABCManagers group is placed in the AD.
The only Vaild option is A. Or maybe using security Filter.
Could it be they are looking for you to apply a WMI filter for the ABCStaff and that is why they dont want you to remove the ABCManagers from the OU? Could the answer be saying, create a WMI filter based off of the ABCStaff’s machines?
Just a thought? I guessed A but all the practice exams I did said B. So I really dont know.