Question
Tailspin Toys is running a single Windows Server 2012 Active Directory domain with multiple OUs configured for each of its 12 locations. An administrator at each location is responsible for managing GPOs and user accounts. You are the enterprise administrator responsible for planning the infrastructure. For each of the following challenges, document your options and be prepared to share them with other students.
1. Administrators located at each location should be able to create new GPOs and edit any that they have created. They should not be able to change or delete GPOs that they have not created. What are your options for providing this functionality?
Add the location administrators to the Group Policy Creator Owners group.
2. All users in each location are currently in one OU. Certain group policies should only apply to users in some departments and not others. What options should you consider that will allow group policies to be applied to only the necessary users?
Use Security Group Filtering to apply Group Policies only to specific groups of users.
3. Although you have created a domain-wide policy that enforces restrictions on administrative tools, you do not want those settings to apply to users for which you have delegated administrative permissions on each location's OU. What are your options to solve this?
Create a security group for each OU containing the delegated administrative accounts. Deny the Apply Group Policy permission to this group on the appropriate GPOs.
Explanation / Answer
delegate the following Group Policy tasks:
deciding whether to delegate authority at the site, domain, or OU level, remember the following points:
GPO Permission Option: Low-Level Permissions
Read: Allow Read access on the GPO.
Read (from Security Filtering): This setting cannot be set directly, but appears if the user has Read and Apply Group Policy permissions on the GPO, which are set using Security Filtering on the Scope tab of the GPO.
Edit settings: Allow Read, Write, Create Child Objects, Delete Child Objects.
Edit, delete, and modify security: Allow Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. This essentially grants full control on the GPO, except that the "Apply Group Policy" permission is not set.
Custom: Any other combination of rights, such as denying permissions, appears as Custom permissions. You cannot set custom rights by clicking Add; they can only be set by using the ACL editor directly, which is started by clicking the Advanced button.
You can click Add to grant users permissions on a GPO. This starts the object picker so you can find the desired user or group to set the permission level. You then set the permission level by selecting Read; Edit settings; or Edit, delete, and modify security.
Note that the Apply Group Policy permission, which is used for Security Filtering, cannot be set using the Delegation tab. Because setting Apply Group Policy is used for scoping the GPO, this permission is managed on the Scope tab of the GPMC user interface. When you grant a user Security Filtering on the Scope tab, you are actually setting both the Read and Apply Group Policy permissions.
Security Group: Permissions
Authenticated Users: Read (from Security Filtering)
Enterprise Domain Controllers: Read
Domain Administrators
Enterprise Administrators
Creator Owner
SYSTEM
You can manage three Group Policy tasks on a per-container basis in Active Directory:
Delegating permissions on individual WMI filters
GPMC allows you to delegate permissions on individual WMI filters. There are two levels of permissions that can be granted to a user or group on an individual WMI filter:
These permissions are managed by using the Delegation tab of a WMI filter.
The Delegation tab shows the users and groups that have permissions on the WMI filter, their permission levels, and whether the permission is inherited from a parent container. Buttons on this tab let you add users and groups to the delegation list for the WMI filter, or remove them from this list.
Note that all users have Read access to all WMI filters. GPMC does not allow this permission to be removed, because removing the Read permission could cause Group Policy processing on the destination computer to fail.
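An added example that is not part of the original question or answer: a PowerShell script that implements the three answers above for one location using the GroupPolicy and ActiveDirectory modules. Every group, GPO and domain name in it is an assumed placeholder.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumed placeholder names for one location; replace with the real objects.
$LocationAdmins  = 'Seattle-GPO-Admins'          # admins who may create their own GPOs
$DeptGroup       = 'Seattle-Finance-Users'       # department that should receive $DeptGpo
$DeptGpo         = 'Seattle Finance Desktop'     # GPO linked to the location OU
$DelegatedAdmins = 'Seattle-OU-Admins'           # accounts delegated on the location OU
$RestrictGpo     = 'Domain Admin Tool Lockdown'  # domain-wide restriction GPO

# 1. Create-and-edit-own-GPOs: membership in Group Policy Creator Owners grants the
#    right to create GPOs; the creator becomes owner of each GPO it creates and so
#    can edit those, while GPOs created by others remain read-only to it.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $LocationAdmins

# 2. Security group filtering: drop the default Authenticated Users apply right and
#    grant Read + Apply Group Policy only to the department group. Domain Computers
#    keep Read so computers can still retrieve user policy (required after MS16-072).
Set-GPPermission -Name $DeptGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace
Set-GPPermission -Name $DeptGpo -TargetName $DeptGroup -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $DeptGpo -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# 3. Exempt delegated admins from the domain-wide restriction with a Deny ACE for the
#    Apply-Group-Policy extended right on the GPO's AD object. Set-GPPermission only
#    grants allow levels, so the ACE is written through the AD: provider; GPMC lists
#    it as "Custom" (the Delegation tab's Advanced button sets the same ACE).
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpo       = Get-GPO -Name $RestrictGpo
$gpoAdPath = "AD:\$($gpo.Path)"               # cn={GUID},cn=Policies,cn=System,DC=...
$sid       = (Get-ADGroup -Identity $DelegatedAdmins).SID
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)
$acl = Get-Acl -Path $gpoAdPath
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Verify what GPMC's Delegation tab would show: expect a Denied=True row for
# $DelegatedAdmins on $RestrictGpo and an Apply row only for $DeptGroup on $DeptGpo.
foreach ($name in @($DeptGpo, $RestrictGpo)) {
    Get-GPPermission -Name $name -All |
        Select-Object @{ n = 'GPO'; e = { $name } }, Trustee, Permission, Inherited, Denied |
        Format-Table -AutoSize
}
```

Step 3 writes the AD object ACL only; doing the same through GPMC also keeps the SYSVOL folder ACL consistent, so run the script with an account that holds Edit, delete, and modify security on the GPO and check GPMC for an AD/SYSVOL permission mismatch afterwards.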