Practice Exam


All the review questions for this chapter are based on the following scenario:

Case Study: Allrisks Insurance

Allrisks Insurance is a large insurance company with offices throughout the United States. Allrisks is deploying Windows 2000 on servers and workstations in all its offices, starting with the home office in Chicago. Aside from the home office in Chicago, Allrisks has regional offices in San Francisco, Dallas, Orlando, and Boston. Agents for each of the major lines are located in each regional office as well as the home office.

Current LAN/Network Structure

Allrisks has a deployment plan in place to migrate from Windows NT 4.0 Server and Workstation to Windows 2000 Server and Professional. The deployment is approximately 50% complete.

Allrisks has implemented Active Directory in a single forest, with a root domain of allrisks.com and child domains for each of its major lines of insurance, namely, propcas.allrisks.com, health.allrisks.com, and life.allrisks.com.

Ethernet and Fast Ethernet connections are used throughout the company.

Proposed LAN/Network Structure

The migration is scheduled to be completed in 12 months. No further changes are planned at this time.

Current WAN Connectivity

The regional offices are connected to the home office via full 1.5Mbps T1 circuits. Sites have been created for each of the regional offices as well as the home office. No changes are planned at this time.

Directory Design Commentary

Director, Corporate Information Services: We are concerned with the high cost of supporting PCs with different configurations in each office. The Allrisks help desk staff is constantly troubleshooting problems that occur when new software is deployed and conflicts arise between the new programs and the existing software on the computer. An excessive amount of time is spent researching problems because there is no way of enforcing software standards and many computers have configurations with minor, but troublesome, differences.

Vice President, Large Group Insurance: Allrisks has instituted a new program of installing kiosk computers at certain corporate clients. These kiosks are linked to Allrisks's data center by dial-up connections. The kiosk computers run a single application that helps employees of the corporate clients select insurance coverage. The kiosk computers should run only this application and not be available for Web browsing or any other applications.

Current Internet Positioning

Allrisks has a Web site (www.allrisks.com) that is primarily used for public relations. All Allrisks employees have email with an allrisks.com domain.

No changes to the Internet positioning are planned for the next 12 months.

Question 1

Allrisks wants to use Group Policy to distribute certain small applications specific to a given line of insurance. In particular, it has developed a life insurance underwriting program that should be available to all Allrisks life insurance agents. The IT department has created a GPO to distribute this life insurance software. To which container should this GPO be linked?

  • a. The domain allrisks.com

  • b. The domain life.allrisks.com

  • c. The Chicago site

  • d. The Agents OU in the domain life.allrisks.com

A1:

The correct answer is d. The GPO to distribute software should be linked to the Agents OU in the life insurance division's domain. Answer a is incorrect because agents are located in regional offices, not in the home office. Answer b is incorrect because distributing software at the domain level means that all employees of the life insurance division would get a copy of the software. Answer c is incorrect because it would give the software to all employees in Chicago, including agents based in the home office, but not to agents located in the regional offices.

Question 2

A small group of life insurance agents-in-training should not receive the life underwriting software until their training program is completed. How can Allrisks's IT staff ensure that these agents do not have the software installed prematurely?

  • a. Move the agents-in-training to the home office domain allrisks.com

  • b. Create a security group for agents-in-training and configure a filter for the GPO to deny the Apply Group Policy permission for this security group

  • c. Create a child OU off the Agents OU called In Training, move all agents-in-training into this new OU, and block policy inheritance for the In Training OU

  • d. Place the accounts for the agents-in-training in the Users container

A2:

The correct answer is b. The filter will prevent application of the GPO that distributes software but will not affect any other Group Policies that might be in force. Answer a is incorrect because moving users between domains is impossible without special migration utilities, unless the user account is deleted in the old domain and re-created in the new domain and all security settings are reestablished for the new domain user account. Answer c is incorrect because blocking policy inheritance can prevent application of other GPOs that are required. Likewise, answer d can also affect more policies than necessary. Therefore, answer d is incorrect as well.

Question 3

In what order is Group Policy applied? Select all appropriate answers from the following list and arrange them in the proper order.

Site

Organizational unit

Domain

Local computer

Container

Forest

A3:

The correct answer is as follows:

Local computer

Site

Domain

Organizational unit

Note that neither containers (such as Users or Computers) nor forests can have GPOs linked to them.

Question 4

A consultant retained by Allrisks has recommended creating a single GPO with generic corporate settings and linking this GPO to the root domain. He says that the Group Policy will be enforced for the root domain and any child domains off the root. Is the consultant's recommendation valid?

  • a. Yes

  • b. No

A4:

The correct answer is b. Domain Group Policy settings do not affect child domains. Domains are security boundaries, and no permissions or GPO settings can cross between domains.

Question 5

The CEO of Allrisks has mandated that the Run command should not appear on the Start menu for any personal computers. How can the IT manager ensure that this policy is always enforced? [Select all that apply.]

  • a. Create a GPO that removes the Run command, and link it to the root domain. Then, check the No Override option.

  • b. Create a GPO in each domain that removes the Run command, and link it to all the top-level OUs in the domain. Then, check the No Override option.

  • c. Create a GPO that removes the Run command, and link it to all domains. Then, check the No Override option.

  • d. Create a GPO in each domain that removes the Run command, and link it to the domain. Then, check the No Override option.

  • e. Create a GPO in the root domain that removes the Run command, and link it to every site. Then, check the Block Policy Inheritance option.

A5:

Answers b and d are correct. A GPO must be created in each domain, unless a site-level policy is to be applied. Answers a and c are incorrect because domain-level GPOs cannot be referenced in other domains. Answer e is incorrect because the Block Policy Inheritance option is inappropriate here.

Question 6

The vice president of the Life Insurance division wants to distribute additional applications using Group Policy. She has asked you to describe the differences between application publishing and application assignment. Which of the following statements is true regarding application assignment and publishing? [Select all that apply.]

  • a. Assigning an application to a user means that the application is automatically installed the next time the user restarts his computer.

  • b. Published applications are available from the Add/Remove Programs Control Panel applet.

  • c. Published or assigned applications can be installed through document invocation by clicking a file that has been associated to the application.

  • d. Applications that are assigned to a computer cannot be uninstalled by the user.

  • e. Assigned applications cannot be upgraded without uninstalling them first.

A6:

Answers b, c, and d are correct. Published applications are typically installed from the Add/Remove Programs applet or through document invocation. Applications that are assigned to a computer can be uninstalled only by administrators, not ordinary users. Answer a is incorrect because applications assigned to a computer are installed at startup, not applications assigned to a user. Answer e is incorrect because upgrades can be configured to uninstall the older version, or not.

Question 7

An OU has three GPOs linked to it, as shown in Figure 6.11. In what order will the GPOs be processed?

  • a. Software Distribution, Base Agent Desktop, Standard Corporate Desktop.

  • b. Standard Corporate Desktop, Base Agent Desktop, Software Distribution.

  • c. All settings will be merged into one policy and processed together, with conflicts discarded.

  • d. To determine the proper order, you must look at the property sheets for each policy and compare the values in the Policy Weight field.

Figure 6.11. GPOs linked to the Agents OU.

A7:

Answer b is correct. Policies listed on the Group Policy tab are processed from bottom to top. The last policy processed (Software Distribution in this case) overrides any conflicting settings from previously processed policies. Answer a is incorrect because it lists the policies in the order shown, not processed. Answer c is incorrect because GPOs are never merged and conflicts are resolved in favor of the last policy processed. Answer d is incorrect because there is no such field as Policy Weight for GPOs.

Question 8

The network services manager at Allrisks needs to determine the best way to ensure that the kiosk computers installed at large corporate customer sites have the latest version of the coverage selection application installed. He also wants to ensure that restrictions applied to the kiosk computers do not affect other computers installed at Allrisks and that the standard Allrisks Group Policy is not applied to the kiosk computers. Which of the following steps can he take to meet these objectives? [Select all that apply.]

  • a. Publish the insurance coverage selection application to the kiosk computers.

  • b. Assign the insurance coverage selection application to the kiosk computers.

  • c. Create an OU for the kiosk computers and link the appropriate Group Policy to this OU. Then, set the No Override option on each GPO linked to the kiosk computer OU.

  • d. Create an OU for the kiosk computer user accounts and link the appropriate Group Policy to this OU. Then, set the Block Policy Inheritance option on the kiosk user OU.

  • e. Create a security group for the kiosk computer user accounts, and use this account to filter the Group Policy set at the domain level as necessary.

A8:

Answers b, d, and e are correct. Assigning the special application to the kiosk computers can ensure that the latest version of the application is always installed. Creating an OU for the kiosk users and blocking policy inheritance for that OU will prevent the normal Allrisks Group Policy from affecting the kiosk users. Also, should any domain-level GPO have the No Override option selected, that GPO will need to be filtered out for the kiosk users. Setting the permissions on the GPO to Deny for the kiosk users will prevent the standard domain policy from executing at the kiosk computers. Answer a is incorrect because you cannot publish software to a computer. Answer c is incorrect because it would not be appropriate to use the No Override option in this case.

Question 9

The CIO is concerned that someone can set the No Override option on a GPO linked to an OU, thus overriding a No Override option set at the domain level. Which of the following statements correctly describes the processing of No Override?

  • a. No Override set at the site or domain level takes precedence over No Override set at a lower level.

  • b. Only one No Override can be handled in GPO processing. If a second No Override is encountered, the GPO is not processed.

  • c. Because OU GPOs are processed after domain GPOs, there is nothing that can be done to prevent the domain GPO from being overridden.

  • d. A Registry key can be set to ignore No Override at the OU level.

A9:

Answer a is correct. Although normal GPO processing will have OU policy overriding domain or site policy, the No Override option is handled differently. The highest No Override will take precedence over a lower No Override. Answer b is incorrect because multiple No Override options can be processed successfully, although they are very difficult to troubleshoot. Answer c is incorrect because the No Override order is different from the normal GPO processing order. Answer d is incorrect because there is no such Registry key.
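The processing rules from the answers to Questions 2, 3, 7, 8, and 9 can be combined into one small resolver. This is an added example, not code from the book or from Windows: it is a simplified model with a single OU level, and the `Link` class, the `effective_policy` function, the setting names, and the "Remove Run" GPO name are hypothetical.

```python
from dataclasses import dataclass

LEVELS = ["local", "site", "domain", "ou"]  # processing order from Question 3

@dataclass
class Link:
    gpo: str
    level: str                      # one of LEVELS
    settings: dict                  # setting names here are hypothetical
    no_override: bool = False
    deny_apply: frozenset = frozenset()  # groups denied Apply Group Policy

def effective_policy(links, groups, block_at=None):
    """Return {setting: (value, winning GPO)}.

    links: {level: [Link, ...]} in Group Policy tab order (top entry first).
    groups: security groups of the user or computer.
    block_at: level that has Block Policy Inheritance set, or None.
    """
    applied = []
    for level in LEVELS:
        blocked = (block_at is not None and level != "local"
                   and LEVELS.index(level) < LEVELS.index(block_at))
        for link in reversed(links.get(level, [])):   # bottom of the list first
            if link.deny_apply & set(groups):
                continue                              # security filtering
            if blocked and not link.no_override:
                continue                              # Block Policy Inheritance
            applied.append(link)
    # Ordinary links: later processing wins. No Override links are written
    # afterwards, lowest container first, so the highest container wins.
    normal = [l for l in applied if not l.no_override]
    forced = sorted((l for l in applied if l.no_override),
                    key=lambda l: -LEVELS.index(l.level))
    result = {}
    for link in normal + forced:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

# Constructed sample data based on the Allrisks scenario.
AGENTS_OU = [
    Link("Software Distribution", "ou", {"wallpaper": "sd"}),
    Link("Base Agent Desktop", "ou", {"wallpaper": "agent"}),
    Link("Standard Corporate Desktop", "ou", {"wallpaper": "corp"}),
]
DOMAIN = [
    Link("Remove Run", "domain", {"no_run": True}, no_override=True),
    Link("Standard Corp Desk", "domain", {"screensaver": "corp"},
         deny_apply=frozenset({"Kiosk Users"})),
]
```

Calling `effective_policy({"domain": DOMAIN, "ou": AGENTS_OU}, {"Agents"})` shows which GPO supplied each winning setting, which is the question an administrator asks when auditing why a restriction did or did not reach a machine.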

Question 10

Here are two lists, one of container objects where Group Policy can be linked and a second of GPOs and their functions. Based on the requirements stated for Allrisks, link the GPO and function to the appropriate site, domain, or OU. Not all GPOs may be used, and some might be used more than once.

Container objects to which Group Policy can be linked:

The Chicago site

The life insurance domain

The Agents OU

The Kiosk Computers OU

Group Policy objects and functions:

Agent Software GPO: Distributes software to agents only

Standard Corp Desk GPO: Sets the standard corporate desktop for all users

Large Application GPO: Distributes large applications that should not cross WANs

Special Life Desk GPO: Modifies the corporate desktop for the Life Insurance division

Kiosk Application GPO: Installs applications at kiosk computers

Security Settings GPO: Sets security rules

Agent Desk GPO: Adds special options to desktops for agents

HR Applications GPO: Publishes applications for HR users

A10:

The correct answer is as follows:

The Chicago site:

Large Application GPO

The life insurance domain:

Standard Corp Desk GPO

Special Life Desk GPO

Security Settings GPO

Agents OU:

Agent Software GPO

Agent Desk GPO

Kiosk Computers OU:

Kiosk Application GPO

The Large Application GPO is most appropriate at the site level because the installation of these applications should not run across WAN links. Remember that Allrisks domains are structured by line of business, not geography, so this GPO should not be linked to a geographically dispersed domain. The Standard Corp Desk GPO is most appropriate at the domain level because each domain should have a copy of this GPO. The Special Life Desk GPO is intended for all life insurance division employees, so it is also best linked to the domain. Because security policy must be set at the domain level, the Security Settings GPO should also be linked to the domain.

The Agent Software and Agent Desk GPOs are intended for insurance agents, so they should be linked to the Agents OU. The Kiosk Computers OU is the logical place to link the Kiosk Application GPO.

There is no appropriate place to link the HR Applications GPO in this example.



MCSE Active Directory Services Design. Exam Cram 2 (Exam Cram 70-219)
MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
EAN: 2147483647
Year: 2003
Pages: 148
