You are the network administrator for your company. The network consists of a single Active Directory domain. The domain includes an organizational unit （OU） named Processing. There are 100 computer accounts in the Processing OU. You create a Group Policy object （GPO） named NetworkSecurity and link it to the domain. You configure NetworkSecurity to enable security settings through the Computer Configuration section of the Group Policy settings. You need to ensure that NetworkSecurity will apply only to the computers in the Processing OU. You need to minimize the number of GPO links. 
What should you do？（）

多项选择题You are the network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. All client computer accounts are located in an organizational unit （OU） named Workstation. A written company policy states that the Windows 2000 Professional computers must not use offline folders. You create a Group Policy object （GPO） to enforce this requirement. The settings in the GPO exist for both Windows 2000 Professional computers and Windows XP Professional computers. You need to configure the GPO to apply only to Windows 2000 Professional computers.  What are two possible ways to achieve this goal？（）

A. Create a WMI filter that will apply the GPO to computers that are running Windows 2000 Professional. 
B. Create a WMI filter that will apply the GPO to computers that are not running Windows XP Professional.
C. Create two OUs under the Workstation OU. Place the computer accounts for the Windows XP Professional computers in one OU， and place the computer accounts for the Windows 2000 Professional computers in the other OU. Link the GPO to the Workstation OU.
D. Create a group that includes the Windows XP Professional computers. Assign the group the Deny - Generate Resultant Set of Policy（Logging） permission.
E. Create a group that includes the Windows 2000 Professional computers. Assign the group the Deny - Apply Group Policy permission.

单项选择题You have a single Active Directory directory service domain. All servers run Windows Server 2003. You need to specify the list of applications that users are permitted to run. You create a new Group Policy object （GPO） and link it to the domain.  What should you do next？（）

A. Configure Software Restriction Policies Group Policy settings.
B. Configure the Enable user control over installs Group Policy setting.
C. Assign all approved applications.
D. Publish all approved applications.

多项选择题You have two Active Directory directory service forests named contoso.com and fabrikam.com. All users log on to the contoso.com domain. All servers run Windows Server 2003 and are members of the fabrikam.com domain. You create a one-way forest trust in which fabrikam.com is trusting contoso.com. Forest-wide authentication is enabled. You need to provide only selected users with access to a server in the fabrikam.com domain. Which two actions should you perform？（）

A. Grant the users the Allowed to Authenticate permission on the computer object representing the server.
B. Grant the users the Modify permission on the computer object representing the server.
C. Change the one-way forest trust to a two-way forest trust.
D. Change the properties of the forest trust from Forest-wide authentication to Selective authentication.

单项选择题You are the network administrator for your company. Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2003. You add eight servers for a new application. You create an organizational unit （OU） named Application to hold the servers and other resources for the application. Users and groups in the domain will need varied permissions on the application servers. The members of a global group named Server Access Team need to be able to grant access to the servers. The Server Access Team group does not need to be able to perform any other tasks on the servers. You need to allow the Server Access Team group to grant permissions for the application servers without granting the Server Access Team group unnecessary permissions.  What should you do？（）

A. Create a Group Policy object （GPO） for restricted groups. Configure the GPO to make the Server Access Team group a member of the Power Users group on each application server. Link the GPO to the Application OU.
B. Grant the Server Access Team group permissions to modify computer objects in the Application OU.
C. Move the Server Access Team group object into the Application OU.
D. Create domain local groups that grant access to the application servers. Grant the Server Access Team group permissions to modify the membership of the domain local groups.

多项选择题You are the network administrator for your company. The network consists of a single Active Directory domain with three sites named Site1， Site2， and Site3. The sites and site links are configured to use Site2 to connect Site1 and Site3. Each site contains three Windows Server 2003 domain controllers. A domaincontroller in each site is configured as a preferred bridgehead server. All user and group accounts are created in Site1. Several new users start work in Site2. When they attempt to log on to the network， the logon fails. You confirm that the user accounts are created and are visible in Site1 and Site2. You discover that the preferred IP bridgehead server in Site2 failed. You repair the server and confirm that replication is successful to Site2. You need to ensure that the failure of a single domain controller in any site will not interfere with Active Directory replication between sites.  What are two possible ways to achieve this goal？（）

A. Configure an IP site link between Site1 and Site3.
B. Configure two domain controllers in each site as preferred IP bridgehead servers.
C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.
D. Configure each site to have no preferred bridgehead servers.
E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.