Thu 70-217 Question of the Day
| wbafrank 2002-07-11, 9:56 am |
| Still don't know where Wednesday went but here is today's poser ....
Q10. In your company, you have a group of people who are working on a special high-security project. Because these user accounts have different requirements for passwords and account lockout than the rest of the organization, you create a new domain for them called projecty.companyxyz.com.
You have created a GPO called Lockdown which enforces strict restrictions on the desktop environment that a user receives. You have linked this GPO to the projecty.companyxyz.com domain.
However, you are concerned that this GPO will affect members of the Domain Admins group for this domain. You do not want these restrictions placed on the Domain Admins group. What is the easiest way to ensure that the Domain Admins group does not receive settings from this GPO?
A. Create a new organizational unit (OU) called Users. Move the Authenticated Users security group into this OU. Link the Lockdown GPO to the Users OU.
B. Remove the members of the Domain Admins security group from the Authenticated Users security group.
C. Create a new organizational unit (OU) called Domain Admins. Move the Domain Admins security group into this OU. Set the Block Inheritance option for the Domain Admins OU.
D. You do not need to perform any additional actions. The Domain Admins group does not have the Apply Group Policy permission to any GPOs and therefore will not be affected.
E. Check the box to Deny the Apply Group Policy permission for the Domain Admins group.
Good Luck .... see you tomorrow for the answer!! | |
| Slinky 2002-07-11, 10:02 am |
| The correct answer would be E. | |
| Zaraspook 2002-07-11, 10:42 am |
| How about E?  | |
| robertmillar 2002-07-11, 12:00 pm |
| E | |
| CyberDude 2002-07-12, 8:51 am |
| E.
You could also do this but it takes longer than a simple tick in a box:
Delete the authenticated users group, and only add the project group. Grant this group read and apply GPO. | |
| wbafrank 2002-07-13, 7:29 am |
| quote: Originally posted by wbafrank
Still don't know where Wednesday went but here is today's poser ....
Q10. In your company, you have a group of people who are working on a special high-security project. Because these user accounts have different requirements for passwords and account lockout than the rest of the organization, you create a new domain for them called projecty.companyxyz.com.
You have created a GPO called Lockdown which enforces strict restrictions on the desktop environment that a user receives. You have linked this GPO to the projecty.companyxyz.com domain.
However, you are concerned that this GPO will affect members of the Domain Admins group for this domain. You do not want these restrictions placed on the Domain Admins group. What is the easiest way to ensure that the Domain Admins group does not receive settings from this GPO?
A. Create a new organizational unit (OU) called Users. Move the Authenticated Users security group into this OU. Link the Lockdown GPO to the Users OU.
B. Remove the members of the Domain Admins security group from the Authenticated Users security group.
C. Create a new organizational unit (OU) called Domain Admins. Move the Domain Admins security group into this OU. Set the Block Inheritance option for the Domain Admins OU.
D. You do not need to perform any additional actions. The Domain Admins group does not have the Apply Group Policy permission to any GPOs and therefore will not be affected.
E. Check the box to Deny the Apply Group Policy permission for the Domain Admins group.
And the answer is ....
Correct Answer: E
By default, Domain Admins do not have the Apply Group Policy permission. However, Domain Admins are also Authenticated Users and by default Authenticated Users have Read and Apply Group Policy permissions. Therefore Domain Admins will have all GPOs applied to them by default. There are two options to prevent this default behavior:
1. Remove Authenticated Users from the list on the security tab of the GPO, and add a new security group with the Apply Group Policy and Read attributes set to Allow. This new group should contain all the users that this Group Policy is intended to affect.
2. Set the Apply Group Policy attribute to Deny for the Domain Admins. This will prevent the GPO from being applied to members of that group. Remember that an ACE set to Deny always takes precedence over Allow. Therefore, if a given user is a member of another group that is set to explicitly Allow the Apply Group Policy attribute for this GPO, it will still be denied. |
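Added example, not part of the thread: a simplified Python model of the security filtering described in the answer above, comparing the default GPO ACL with the two options for three kinds of account. The account names, the `ProjectY Users` group and the reduced ACLs are constructed for illustration; this is not a Windows API.

```python
# Simplified model of GPO security filtering (illustrative, not a Windows API).
# A GPO applies to a user only when the user's groups are allowed BOTH Read and
# Apply Group Policy on it, and an explicit Deny ACE overrides any Allow.
READ, APPLY = "Read", "Apply Group Policy"

# Constructed accounts with the groups carried in their tokens.
TOKENS = {
    "alice_admin": {"Authenticated Users", "Domain Admins"},
    "bob_project": {"Authenticated Users", "ProjectY Users"},  # hypothetical group
    "carol_both": {"Authenticated Users", "Domain Admins", "ProjectY Users"},
}

def effective(acl, groups, right):
    """Check one right against (kind, trustee, right) ACEs; Deny beats Allow."""
    kinds = [kind for kind, trustee, r in acl if trustee in groups and r == right]
    if "deny" in kinds:
        return False
    return "allow" in kinds

def gpo_applies(acl, user):
    """True when the user would receive the GPO's settings under this ACL."""
    groups = TOKENS[user]
    return effective(acl, groups, READ) and effective(acl, groups, APPLY)

# Default ACL, reduced to the ACEs the thread discusses (assumption).
DEFAULT_ACL = [
    ("allow", "Authenticated Users", READ),
    ("allow", "Authenticated Users", APPLY),
    ("allow", "Domain Admins", READ),  # admins can read, but have no Apply ACE
]
# Option 1: Authenticated Users removed, a dedicated group granted Read + Apply.
OPTION1_ACL = [
    ("allow", "ProjectY Users", READ),
    ("allow", "ProjectY Users", APPLY),
    ("allow", "Domain Admins", READ),
]
# Option 2 (answer E): default ACL plus Deny Apply Group Policy for Domain Admins.
OPTION2_ACL = DEFAULT_ACL + [("deny", "Domain Admins", APPLY)]

def report():
    """Map each ACL variant to {user: does the GPO apply?}."""
    variants = {"default": DEFAULT_ACL, "option1": OPTION1_ACL, "option2": OPTION2_ACL}
    return {name: {u: gpo_applies(acl, u) for u in TOKENS}
            for name, acl in variants.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In this model an admin who is also placed in the filtered group still receives the GPO under option 1, while the Deny ACE in option 2 excludes every Domain Admins member regardless of other memberships.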