Home » Microsoft » 70-411 » Which two object types should you identify?
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. You plan to use finegrained password policies to customize the password policy settings ofcontoso.com.
You need to identify to which Active Directory object types you can directly apply the fine-grained password policies.
Which two object types should you identify? (Each correct answer presents part of the solution.
Choose two.)
A. Users
B. Global groups
C. computers
D. Universal groups
E. Domain local groups
Correct Answer: AB
Explanation/Reference:
Explanation:
First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained password policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local groups is ineffective. I know what you’re thinking, what about OU’s? Nope, Fine-grained password policy cannot be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of the Domain Admins group can set fine- grained password policies. However, you can delegate this ability to other users if needed.
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.
You can apply Password Settings objects (PSOs) to users or global security groups:
References:
http://technet.microsoft.com/en-us/library/cc731589%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc770848%28v=ws.10%29.aspx
http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/