HOTSPOT - You need to meet the technical requirements for the helpdesk users. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Incorrect Answer
The Get-GPOReport cmdlet generates a report in either XML or HTML format that describes properties and policy settings for a specified Group Policy Object (GPO) or for all GPOs in a domain. The information that is reported for each GPO includes: details, links, security filtering, Windows Management Instrumentation (WMI) filtering, delegation, and computer and user configurations.
GPResult
Troubleshooting tool to determine the outcome of the gpo’s on that particular machine.
GPUpdate
Applies the relevant gpo’s
Group Policy Object Editor
For the creation/editing and viewing of group policies
Must be GPResult and local admin access
So are you saying that the correct answers are as below?
First box - The Group Policy Creators Owners group in the domain group
Second Box : Get-GPOReport
No.I am going for local admin access and GPResult as the best answer. I only summarised the various options in the 2nd box, although can Get-GPO Result be an option for the 2nd box.
Ran in a domain environment with the following results:
Group Policy Creater Owners in the domain do not have administrative privileges on the domain computer and will not be able to run gpresult
To add the group policy editor to a blank mmc on the domain computer requires admin privileges
Gpresult by far is the best tool that the help desk users SHOULD be using.
Yes the question details for “least administrative privileges” but you still need enough privileges to deal with the problem at hand. It is a well-known trick for Microsoft to ask such a question to see if you know who has the necessary privileges to fix the issue and at times only an administrator can do this.
I'm not completely convinced.
The Group Policy Creators Owners group gives user the rights to view and create group policies in the Group Policy Editor, but they can't link them. They can still see what's linked though, so they can use the Group Policy Editor to view all GPO's that should be applied.
And that's where I'm in doubt, because they can see which policies SHOULD be applied, but not what's actually applied to a specific computer. However, Get-GPOReport also doesn't do this. The requirement states the following:
"Helpdesk users must be able to troubleshoot Group Policy object (GPO) processing on the Windows 10 computers. The helpdesk users must be able to identify which Group Policies are applied to the computers."
They'd need local administrator rights and GPResult to see what's actually applied. For the computer at least, since administrators are often excluded from user policies.
Tricky question... I think I'm gonna go with the given answer, because that way the users can view Machine and User policies with the least amount of privileges.
Everybody's right. In the real world, GPResult and local admin access is necessary to realistically troubleshoot.
But the question/requirement focuses on Group Policy only. The listed answers address Group Policy only.
I wouldn't want to design a test that way, but there it is.
The Group Policy Creator Owners group lets its members create new GPOs. However, those members can only edit or delete GPOs that they have created. The Group Policy Creator Owners group also has no permission to link GPOs to a container such as a domain or OU; that permission still must be manually given.
From what i understand they do not need to create gpo`s-
I agree with the answer because of this 2 links:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)?redirectedfrom=MSDN#delegating-creation-of-gpos
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/group-policy-object-editor
I'll go with local admin and gpresult. there is no mention of helpdesk users having access to the domain controller where they can access group policy settings
Completely overlooked this! This only makes since. My answer would be local admin with gpresult.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
GPResult /USER <username> /H <html file>
Get-GPOReport needs the powershell 'GroupPolicy' module loaded and creates a report for a specified GPO and not the result of an enduser.
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gporeport?view=windowsserver2019-ps
If there is a set of local Group policies applied on a computer accidentally and causing some issues, get-gporeport with Group Policy Creators Owners group permission will not let helpdesk users to view them. In addition, the question states that helpdesk users must be able to view the group policies processed on the computers. So I agree with @Anthony_2770 that local admin and GPresult are the best answers in this scenario.
Going with answers given as correct.
While it is true that GPResult and local admin would work, I think the trick is noted under the technical requirements stating “The principle of least privilege must be used whenever possible” and “Administrative effort must be minimized whenever possible”.
I think these push the best answers to be the answers given since those do not require the help desk to be local admins on all machines.
From Anthony's comment:
Yes the question details for “least administrative privileges” but you still need enough privileges to deal with the problem at hand. It is a well-known trick for Microsoft to ask such a question to see if you know who has the necessary privileges to fix the issue and at times only an administrator can do this.
I don't get this answer. It could be right but I'd be using GPResult, which requires that you run from an admin cmd prompt to get the computer settings. So I would think you would need to be local admin.
upvoted 4 times
...
This section is not available anymore. Please use the main Exam Page.MD-100 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Anthony_2770
Highly Voted 4 years, 6 months agoDuyons
4 years, 5 months agoAnthony_2770
4 years, 5 months agoRstilekar
4 years, 2 months agoAnthony_2770
4 years, 4 months agoRequi3m
3 years, 7 months agoAnoniMouse
Highly Voted 3 years, 11 months agoLobo_M
Most Recent 2 years, 7 months agoraduM
2 years, 10 months agoRodrigoT
3 years, 3 months agoMR_Eliot
3 years, 5 months agoPChi
3 years, 1 month agoGoofer
3 years, 6 months agokkstony
4 years, 4 months agohokieman91
4 years, 5 months agoad2531
4 years, 3 months agoNail
4 years, 7 months ago