ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam 70-742 All Questions

View all questions & answers for the 70-742 exam
Go to Exam

Exam 70-742 topic 1 question 193 discussion

Actual exam question from Microsoft's 70-742
Question #: 193
Topic #: 1
[All 70-742 Questions]

Your network contains an Active Directory forest named contoso.com. The forest contains three domains named contoso.com, corp.contoso.com, and ext.contoso.com. The forest contains three Active Directory sites named Site1, Site2, and Site3.
You have the three administrators as described in the following table.

You create a Group Policy object (GPO) named GPO1.
Which administrator or administrators can link GPO1 to Site2?

  • A. Admin1 and Admin2 only
  • B. Admin1, Admin2, and Admin3
  • C. Admin3 only
  • D. Admin1 and Admin3 only
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
To link an existing GPO to a site, domain, or OU, you must have Link GPOs permission on that site, domain, or OU. By default, only domain administrators and enterprise administrators have this privilege for domains and OUs. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites.
References:
https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx
by coleman at Dec. 9, 2019, 1:24 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
culcal
4 years, 3 months ago
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)?redirectedfrom=MSDN
upvoted 1 times
...
lofzee
4 years, 3 months ago
Aye, answer is correct. Domain and Enterprise admins have the right permission to link GPOs. As they're both admins of the root domain, they pretty much have full control. Admin2, is only a domain admin of the child domain, meaning he will not have the access to link GPOs
upvoted 1 times
...
Kamikazekiller
4 years, 9 months ago
Answer is: D. Admin1 and Admin3 only
upvoted 4 times
...
BrownHornet
5 years, 2 months ago
D. I think the given answer is correct. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites. Admin 2 is domain admin on a sub domain so that user would not have the privilege to link GPO's on that site.
upvoted 3 times
lbs
4 years, 10 months ago
Admin2 only have priviledge for corp.contoso.com domain and it's OUs
upvoted 2 times
Cheema269
4 years, 4 months ago
Yes, well spotted. Only Admin 1 and Admin 3 can link GPO1 to site 2.
upvoted 2 times
...
...
...
coleman
5 years, 5 months ago
the answer should be C :: admin3 only. By default, only Enterprise Admins group have full control permission on an Active Directory Site, this is inherited from the "CN=Sites" portion of the Configuration directory partition. Default permission for Domain Admins, they don't have Full Control permission, While Enterprise Admins has full control permission. Moreover, the "Enterprise Admins" group contains only Admin3 as stated by this question, therefore, only Admin3 can link GPO to a newly created site "Site2". This is a very tricky question that "Admin1" is a separate account, he/she is not the built-in "Administrator"! When Admin1 belongs to the "Domain Admins" group only, he/she don't have full control permission over forest-level objects and configurations like "CN=Sites, CN=Configuration ......" partition. This question was designed to emphasize the super-dominating power of the "Enterprise Admins" universal group at the forest-level of your entire directory.
upvoted 2 times
gagol14
5 years, 4 months ago
You are wrong. "To link an existing GPO to a site, domain, or OU, you must have Link GPOs permission on that site, domain, or OU. By default, only domain administrators and enterprise administrators have this privilege for domains and OUs. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites." https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)?redirectedfrom=MSDN
upvoted 18 times
...
JustM0
4 years, 4 months ago
I also disagree. I do this several times a week in a live production environment with over 10 sites. I use an account that only has Domain Admin privileges.
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago