多选题You need to design Group Policy object （GPO） settings to support the use of the Encrypting File System （EFS）. Your solution must meet business and security requirements. Which two actions should you perform？（）ADesignate a data recovery agent and issue 

第1题：

You need to design desktop and security settings for the client computers in the Seattle call center. Your solution must be implemented by using the minimum amount of administrative effort.Which two actions should you perform？（）

• A、On each client computer in the call center， configure a local policy that lists only authorized programs in the Allowed Windows Programs list
• B、Using NTFS permissions， assign the Deny – Read permission for all unauthorized executable files to the client computer domain accounts
• C、Design a Group Policy object （GPO） that enforces a software restriction policy on all client computers in the call center
• D、Design a Group Policy object （GPO） that implements an IPSec policy on all client computers in the call center. Ensure that the IPSec policy rejects connections to any Web servers that the company does not operate

第2题：

You are the network administrator for your company. Your network consists of a single Active   Directory domain. Three security groups named Accountants， Processors， and Management are located in an organizational unit （OU） named Accounting. All of the user accounts that belong to these three  groups are also in the Accounting OU. You create a Group Policy object （GPO） and link it to the  Accounting OU. You configure the GPO to disable the display options under the User Configuration  section of the GPO. You need to achieve the following goals： You need to ensure that the GPO applies to  all user accounts that are members of the Processors group. You need to prevent the GPO fromapplying  to any user account that is a member of the Accountants group. You need to prevent the GPO from  applying to any user account that is a member of the Management group， unless the user account is also  a member of the Processors group. What should you do？（）

• A、 Modify the discretionary access control list （DACL） settings of the GPO to assign the Accountants and Management security groups the Deny - Read and the Deny - Apply Group Policy permissions. Modify the DACL of the GPO to assign the users who are in both the Accountants and Management security groups the Allow - Read and the Allow - Apply Group Policy permissions.
• B、 Modify the discretionary access control list （DACL） settings of the GPO to assign the Accountants and Management security groups the Deny - Read and the Deny - Apply Group Policy permissions. Create a new security group named Mixed that contains all the user accounts from the Processors group and the specific user accounts from the Management group to which you want the GPO to apply. Modify the DACL of the GPO to assign the Mixed security group the Allow - Read and the Allow - Apply Group Policy permissions.
• C、 Modify the discretionary access control list （DACL） settings of the GPO to assign the Accountants security group the Deny - Read and the Deny - Apply Group Policy permissions. Modify the DACL settings of the GPO to remove the Authenticated Users special group. Modify the DACL settings of the GPO to add the Processors group and assign the Allow - Read and the Allow - Apply Group Policy permissions.
• D、 Modify the discretionary access control list （DACL） settings of the GPO to assign the Accountants security group the Deny - Read and the Allow - Apply Group Policy permissions. Modify the DACL settings of the GPO to assign the Management security group the Deny - Read and the Deny - Apply Group Policy permissions.

第3题：

第4题：

You need to configure the security settings for the new app servers. Which two actions should you perform?（）

• A、Create a Group policy object (GPO) for the web servers.
• B、Create a Group policy object (GPO) for the database servers.
• C、Modify the Default Domain Policy.
• D、Modify the Default Domain Controllers Policy.

第5题：

You have a single Active Directory directory service domain. You back up your domain controllers on a nightly basis. You perform Group Policy backups on a nightly basis. A Group Policy object （GPO） is accidentally deleted. You need to restore the GPO.  What should you do？（）

• A、 Perform a nonauthoritative restore of the Active Directory database.
• B、 Perform an authoritative restore of the Active Directory database.
• C、 Select the Import Policy option in the Group Policy Object Editor.
• D、 Restore the GPO by using the Group Policy Management Console.

第6题：

You configure and deploy a Group Policy object （GPO） that contains AppLocker settings.     You need to identify whether a specific application file is allowed to run on a computer.     Which Windows PowerShell cmdlet should you use（）

• A、Get-AppLockerFileInformation
• B、Get-GPOReport
• C、Get-GPPermissions
• D、Test-AppLockerPolicy

第7题：

You have a single Active Directory directory service domain. You use a Group Policy object （GPO） to apply security settings to your client computers. You configure the startup type for system services settings in a new GPO， and you link the GPO to an organizational unit （OU）.  You discover that the startup type for system services on one of the client computers has not been updated. You need to ensure that the Group Policy settings are applied to the client computer. What should you do？（）

• A、  Restart the client computer.
• B、 Instruct the user to log off and then log on to the client computer.
• C、 On the client computer， run the Gpupdate.exe command with the /Force parameter.
• D、 On the client computer， run the Gpupdate.exe command with the /Target：computer parameter.

第8题：

第9题：

You have Active Directory Certificate Services （AD CS） deployed.  You create a custom certificate template.   You need to ensure that all of the users in the domain automatically enroll for a certificate based on the  custom certificate template.   Which two actions should you perform（）

• A、In a Group Policy object （GPO）， configure the autoenrollment settings
• B、In a Group Policy object （GPO）， configure the Automatic Certificate Request Settings.
• C、On the certificate template， assign the Read and Autoenroll permission to the Authenticated Users  group.
• D、On the certificate template， assign the Read， Enroll， and Autoenroll permission to the Domain Users  group.

第10题：

Your company has deployed network access protection (NAP) enforcement for VPNs. You need to ensure that the health of all clients can be monitored and reported. What should you do?（）

• A、Create a group policy object (GPO) that enabled security center and link the policy to the domain.
• B、Create a group policy object (GPO) that enabled security center and link the policy to the domain controllers organizational unit (OU).
• C、Create a group policy object (GPO) and set the require trusted path for credential entry option to enabled. Link the policy to the domain.
• D、Create a group policy object (GPO) and set the require trusted path for credential entry option to Enabled. Link the policy to the domain controllers organizational unit (OU).