Review Questions


1. After assigning an application in a GPO that is linked to an organizational unit, you instruct the users to look for the application in their Start menu. They do not see the application. What do you need to do in order for the application to show up?

  a. From a command prompt, issue the command gpedit /refreshpolicy machine_policy
  b. Change the rights for the user in question, giving them the Apply Group Policy right.
  c. Instruct the user to reboot their computer.
  d. Instruct the user to log off and log on again.


2. To which of the following locations can GPOs be linked? (Choose all that apply.)

  a. Sites
  b. Domains
  c. Forests
  d. OUs


3. A member of your administration team has edited the Default Domain Policy and the edit had an adverse effect. How can you restore the Default Domain Policy to its original settings?

  a. Use the dcgpofix utility.
  b. Restore the Default Domain Policy from the system state of the latest good backup.
  c. Restore the Default Domain Policy by using the Group Policy Management Console.
  d. Restore the Default Domain Policy by using Automated System Recovery.


4. If you want to delegate authority to link GPOs at the domain level but do not want to add the user to the Domain Admins group, which of the following permissions should you give them?

  a. Group Policy Administrator permission
  b. Group Policy Owner permission
  c. Manage Group Policy Links permission
  d. Group Policy Edit permission


5. You have edited the Default Domain Policy and decide that you should make a backup of your changes in case something happens so that you can easily restore it. Which utility should you use to back up and restore the Default Domain Policy?

  a. Automated System Recovery (ASR)
  b. dcgpofix
  c. Windows 2003 Backup
  d. GPMC


6. You decide to set account lockout restrictions via Group Policy. Where will you link the GPO?

  a. At the site level
  b. At the domain level
  c. At the OU level
  d. At the forest level


7. You have all of your users separated into OUs based on job function and department. You decide to create a GPO and configure it to publish an application to everyone in the Accounting group so that when they click on a file that is associated with the application, the application will automatically load onto their system. Your accounting staff has ten employees in the main office, and one each in two other branches. Both branches are connected via a fast WAN connection that is not overconsumed. The application is only 2.5 MB and you have determined that it will not adversely affect the WAN link. Where is the best place to link the GPO?

  a. Link it to the main office site at the site level, and have the other two users in accounting install the software via a network share.
  b. Link it to the Accounting OU and do nothing more.
  c. Link it to the domain and instruct the accounting users to install the software. You should tell them to let you know when it is installed so that you can remove the link from the GPO.
  d. Link it at the forest level and set security on the install directory to only allow the Accounting group.


8. You have a network that consists of ten locations. All locations have sites defined. All users are grouped into OUs by job function and department. You have three domains in your forest. Your Atlanta, Detroit, and Cleveland offices have their own domains. Each of the ten offices holds users from every department in the company. You decide to implement IPSec settings for the Atlanta office, and you create a GPO with those settings. Where can you link the GPO? (Choose all that apply.)

  a. At the site level
  b. At the OU level
  c. At the domain level
  d. At the forest level


9. Software can be installed automatically by Group Policy as long as which of the following requirements is met?

  a. The software is in a compressed format to reduce bandwidth across a WAN link.
  b. The software was written to take advantage of IntelliMirror.
  c. The forest is at Windows 2003 forest functional level.
  d. The user installing the software has the Group Policy installation right.


10. You are the administrator of a Windows Server 2003 forest that has three domains. You would like the members of the Domain Admins global group from the other domains to create GPOs for their own domains, but you would like final approval before they are implemented on the live network. The domain admins at the forest level should be the only users who have the ability to apply GPOs. What would be the best choice for this situation?

  a. Remove the users in question from the Domain Admins group of their respective domains.
  b. Add the Domain Admins group from the remote domain to the Forest Admins group of the forest and take away the Link Group Policy Object right.
  c. Remove the Link Group Policy Object right from the users in the Domain Admins group for each child domain.
  d. Create a new group called Group Policy Test. Add all Domain Admins groups from all domains to that group. Remove the Link Group Policy Object right from the group.


Answers

1. D. Application assignment takes effect at logon only, so the user will need to log on and log off their computer for the changes to apply.

2. A, B, D. GPOs can only be applied to sites, domains, and OUs.

3. A. The command line utility dcgpofix.exe is a new utility that is included with Windows Server 2003. It allows an administrator to restore the Default Domain Policy.

4. C. In order to link GPOs at the domain level, a user will need to be a member of the Domain Admins global group, or have the Manage Group Policy Links permission delegated to them.

5. D. The GPMC allows you the ability to back up and restore GPOs. This utility lets you back up and restore custom GPOs, as well as the built-in Default Domain Policy and Default Domain Controllers Policy. If you have modified the Default Domain Policy or the Default Domain Controllers Policy, the GPMC's backup and restore policy can recover the changed policies so that you do not lose your changes. This is a better solution than dcgpofix, because dcgpofix will only let you restore the Default Domain Policy and Default Domain Controllers Policy back to their default settings. Windows 2003 Backup will back up and restore the system state of the server, but not individual GPOs, and ASR will back up and restore the operating system in case of a disaster, but just like Backup, it will not back up the individual GPOs.

6. B. Although there are guidelines when it comes to linking GPOs, there are also times when linking at certain levels is required. Some settings, such as account lockout settings, can only be set at the domain level. You will not be able to set any of the account policy, lockout policy or Kerberos policy settings anywhere but the Default Domain Policy.

7. B. Based on the criteria listed in the question, it would make the most sense to link the GPO at the Accounting OU. The majority of users are located in one office, and only two users are located at remote branches. Both of those branches have fast connections, so installation is not going to overconsume bandwidth on the WAN links.

8. A, C. Because the Atlanta office has its own domain and its own site, either of these locations would suffice.

9. B. IntelliMirror is a Microsoft technology that Group Policy takes advantage of to push out software packages. In order for Group Policy to automate application installation, the software must be written with IntelliMirror in mind.

10. C. The Domain Admins group will have rights to edit GPOs for their own domain. If you remove the Link Group Policy Object right from the users in the Domain Admins group, they will be able to edit existing GPOs and create new GPOs, but they will not be able to implement new GPOs. (However, smart administrators will be able to change their permissions back!)




MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297)
ISBN: 0782143210
EAN: 2147483647
Year: 2004
Pages: 159
Authors: Brad Price, Sybex
