AZ-801 Question #61: Real Exam Question with Answer & Explanation

Question

The Default Domain Policy Group Policy Object (GPO) is shown in the GPO exhibit. (Click the GPO tab.) The members of a group named Service Accounts are shown in the Group exhibit. (Click the Group tab.) An organizational unit (OU) named ServiceAccounts is shown in the OU exhibit. (Click the OU tab.) You create a Password Settings Object (PSO) as shown in the PSO exhibit. (Click the PSO tab.) For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Explanation

This question tests understanding of Fine-Grained Password Policies (FGPP) using Password Settings Objects (PSOs) in Active Directory, specifically how PSOs interact with the Default Domain Policy and how they are applied to users and groups versus OUs.

Approach. A PSO overrides the Default Domain Policy password settings ONLY for the users or global security groups it is directly applied to - NOT for OUs. To determine if a user is governed by the PSO, check whether that user is a member of the group the PSO targets (the 'Service Accounts' group in this case). If a user belongs to multiple groups each with a different PSO, the PSO with the lowest 'Precedence' value wins (lower number = higher priority). A PSO linked directly to an OU has no effect - PSOs must be applied to user objects or global security group objects, so placing accounts in the 'ServiceAccounts' OU alone does not cause the PSO to apply; the user must be in the 'Service Accounts' group.

Concept tested. Fine-Grained Password Policies (FGPP) - Password Settings Objects (PSOs): precedence rules, valid application targets (users/global security groups, NOT OUs), and precedence resolution when multiple PSOs apply to the same user.

Reference. Microsoft Learn - Fine-Grained Password and Account Lockout Policy (Windows Server Active Directory DS)

No community discussion yet for this question.