
Author Especially for ruscorp
Tech Ranger

2002-09-03, 8:52 pm

Ruscorp is the administrator of a Windows 2000 network consisting of multiple domains and OU's. He creates a special GPO for the Advertising OU. Ruscorp wants to offload some of the admin headaches by delegating control of this OU to his son, ruscorp, jr. Ruscorp does not want his new GPO to apply to little ruscorp so he makes the little IT tyke a member of the built-in global domain admins security group. Ruscorp knows that by default GPO's do not apply to administrators. After things get under way, little ruscorp calls his daddy to complain that the GPO is indeed being applied to him. What does daddy do to correct this?

A) He changes the kid's membership to the Enterprise administrator's group.
B) He sets up a "Block Policy Inheritance" configuration.
C) He goes to the dacl of the GPO and removes the "allow read" and "allow apply" settings of the authenticated users group. He then applies these same settings to the other security groups in the OU.
D) He types the command "secedit/ %GPO guid% -admin"
E) He removes little ruscorp from the Administrative Template of the GPO.
Sexy Lexy

2002-09-04, 9:51 am

Very funny!

Any particular reason?

ruscorp

2002-09-04, 10:15 am

Uhm, that is a tough one.

In all honesty I have to guess that is either 'B' or 'C'.
NetChild1985

2002-09-04, 10:26 am

I'm going with "B"!
Tech Ranger

2002-09-04, 7:32 pm

quote:
Ruscorp is the administrator of a Windows 2000 network consisting of multiple domains and OU's. He creates a special GPO for the Advertising OU. Ruscorp wants to offload some of the admin headaches by delegating control of this OU to his son, ruscorp, jr. Ruscorp does not want his new GPO to apply to little ruscorp so he makes the little IT tyke a member of the built-in global domain admins security group. Ruscorp knows that by default GPO's do not apply to administrators. After things get under way, little ruscorp calls his daddy to complain that the GPO is indeed being applied to him. What does daddy do to correct this?

A) He changes the kid's membership to the Enterprise administrator's group.
B) He sets up a "Block Policy Inheritance" configuration.
C) He goes to the dacl of the GPO and removes the "allow read" and "allow apply" settings of the authenticated users group. He then applies these same settings to the other security groups in the OU.
D) He types the command "secedit/ %GPO guid% -admin"
E) He removes little ruscorp from the Administrative Template of the GPO.


The answer is "C".
Although GPO's do not explicitly apply to any administrators groups, GPO's apply to administrators by virtue of their membership in the authenticated users group. By default the authenticated users group has the allow-read and allow-apply permissions to a GPO. Ruscorp can modify this setting or remove the authenticated users group from the ACL entirely. He can then filter the GPO to apply to any and all groups in the OU he decides.
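
The filtering described in the answer above, as an added example that is not part of the original thread: a simplified Python model of how a GPO's ACL decides whether the GPO applies to a user. The group `Advertising Staff`, the helper names and the sample ACL and tokens are assumptions constructed for illustration, and Deny handling is reduced to "a matching Deny always wins".

```python
from dataclasses import dataclass

READ, APPLY, WRITE = "Read", "Apply Group Policy", "Write"

@dataclass(frozen=True)
class Ace:
    trustee: str          # security group named on the GPO's ACL
    allow: bool           # True = Allow ACE, False = Deny ACE
    rights: frozenset

def gpo_applies(dacl, token_groups):
    """True if the token is granted both Read and Apply Group Policy.

    Simplification: any matching Deny wins over any Allow, whatever the ACE order.
    """
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.trustee in token_groups:
            (allowed if ace.allow else denied).update(ace.rights)
    return {READ, APPLY} <= (allowed - denied)

def filter_to_groups(dacl, groups):
    """Option C: drop the Authenticated Users ACE, grant Read + Apply to chosen groups."""
    kept = [a for a in dacl if a.trustee != "Authenticated Users"]
    return kept + [Ace(g, True, frozenset({READ, APPLY})) for g in groups]

# Constructed ACL modelled on a new GPO's defaults: the admin groups can read
# and edit the GPO but are not granted Apply Group Policy.
DEFAULT_DACL = [
    Ace("Authenticated Users", True, frozenset({READ, APPLY})),
    Ace("Domain Admins", True, frozenset({READ, WRITE})),
    Ace("Enterprise Admins", True, frozenset({READ, WRITE})),
]

# Constructed tokens; "Advertising Staff" is a hypothetical group.
JUNIOR = {"Authenticated Users", "Domain Users", "Domain Admins"}
JUNIOR_AS_EA = {"Authenticated Users", "Domain Users", "Enterprise Admins"}  # option A
STAFF = {"Authenticated Users", "Domain Users", "Advertising Staff"}

FILTERED_DACL = filter_to_groups(DEFAULT_DACL, ["Advertising Staff"])

if __name__ == "__main__":
    for label, dacl in (("default", DEFAULT_DACL), ("filtered", FILTERED_DACL)):
        for name, token in (("junior", JUNIOR), ("junior as EA", JUNIOR_AS_EA), ("staff", STAFF)):
            print(f"{label:8} {name:12} applies={gpo_applies(dacl, token)}")
```
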
NetChild1985

2002-09-05, 6:08 am

What? I'm wrong? Maybe I must take 218 again! Hehe...
Copyright 2003 - 2008 examnotes.net