Design Core Identity and Access Management Components

These questions are based on 70-647: PRO: Windows Server 2008, Enterprise Administrator
Microsoft
Self Test Software Practice Test


Objective: Design core identity and access management components.
Sub-objective: Design the enterprise-level group policy strategy.


Single answer, multiple-choice


You are the administrator for an artist’s management agency. The company has offices in Los Angeles, New York and Atlanta. Each office is configured as a domain named after the location.


A new security policy dictates that the run box must be removed from all computers except the domain administrator in each domain. This should be accomplished with the least effect on computer start-ups and user log-ons. What will be the best approach?




    1. Apply a single GPO to the root domain and deny the Apply Group Policy permission for each administrator.
    2. Apply a single GPO to the root domain and block inheritance.
    3. Apply a single GPO to each domain and deny the Apply Group Policy permission for each administrator.
    4. Use the Preferences node to create the setting, filter out the domain administrator accounts and then apply the GPO to all domains.

Answer:
C. Apply a single GPO to each domain and deny the Apply Group Policy permission for each administrator.


Tutorial:
You should apply a single GPO to each domain and then set the Apply Group Policy permission for each administrator to Deny. GPOs are not inherited from one domain to the next, so the GPO must be applied or linked to all domains. By denying each administrator the Apply Group Policy permission, you effectively exempt them from the policy.


You should not apply a single GPO to the root domain and then set the Apply Group Policy permission for each administrator to Deny. GPOs are not inherited from one domain to the next, so the GPO must be applied or linked to all domains to become effective across the network. For the same reason, you should not apply a single GPO to the root domain and block inheritance.


You should not use the Preferences node to create the setting, filter out the domain administrator accounts, and then apply the GPO to all domains. Preferences are a new feature of Group Policy in Windows Server 2008 and allow you to create more than 20 Group Policy extensions that expand the range of configurable settings.


Group Policy preferences allow you to customize settings that the users have the ability to change. For all the functionality it provides, however, Preferences cannot be used to exempt a group of users such as the domain administrators from the effects of a group policy.


Reference:
Windows Vista Technical Library > Windows Vista: Management and Operations> Step-by-Step Guide to Managing Multiple Local Group Policy Objects


Microsoft TechNet > Windows Server 2008 Technical Library > Featured Resources > Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 > Other Features > Group Policy

Like what you see? Share it.Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone
cmadmin

ABOUT THE AUTHOR

Posted in Archive|

Comment:

Leave a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>