1. Why should we use Group Policy?
- For deploying software
- We can apply security
- For controlling Users environment, settings, per computer settings
- To manage desktop environment (To standardize environment)
- To modify the registry
2. What is Group policy object?
The actual unit that we create, delete, manage and work with is called a Group Policy object. Group
Policy objects have two components:
- Group Policy container
- Group Policy template
3. What is Group policy container?
It is the container in the Active
Directory where the Group Policy can be applied. (i.e., either Organizational
unit or Domain or Site)
4. What is Group policy template?
When you create a Group Policy container, a template is automatically created on the hard drive, in the sysvol
folder of the Domain Controller. This is called the Group Policy template.
5. Where is Group policy template stored?
The Group Policy template is stored in the sysvol folder.
6. How to create a Group Policy?
Start -> Programs -> Administrative tools -> Active Directory Users and Computers -> Right click on the container on which you want to apply Group Policy -> Select Properties -> Click on Group Policy tab -> Click on New
7. What are the steps when we are creating Group Policy?
There are two steps: creating the Group Policy and linking it to the container. Generally we create the group policy
at the container itself, so when you click on New it creates the GPO and links it to that
container at the same time. If you want to link a group policy object that has already been created to a
container, click on Add and select the group policy.
8. What are the buttons available on
Group policy tab in properties of a container?
- New (Creates new GPO)
- Add (Links a GPO that has already been created to this container)
- Edit (Edits the existing GPO)
- Delete (Deletes the GPO)
- Options (here you get the following check boxes): (i) No override – Prevent other GPO from overriding policy set in this one; and (ii) Disabled – This GPO is not applicable to this container
- Properties
Note: When you are deleting a GPO it
asks two things:
- Remove the link from this list
- Remove the link and delete the GPO permanently
9. What is no override option in GPO?
Generally the policies set at one level will be overridden at another level, so if you don’t want this
policy to be overridden at the levels below this one you can set this option.
Ex: If you set No override at Domain level then that GPO will be applied throughout the Domain, even though you have the same policy set differently at OU level.
10. What is Block inheritance of GPO and where is it?
The Block inheritance option blocks the group policies inherited from the upper levels, so that only the
present GPO takes effect.
Right click on the container -> click on Group Policy -> go to Properties -> at the bottom of the General tab you will find the Block inheritance check box
Ex: If you select Block inheritance at OU level then no policy from the Domain level, Site level or local policy will be applied to this OU.
11. You have set the No override
option at Domain level and Block inheritance at OU level. Which policy will
take effect?
If you have set both then No
override wins over the Block inheritance. So No override will take effect.
12. What are the options that are
available when you click on option button on general tab?
- General
- Disable computer configuration settings (The settings that are set under Computer configuration of this GPO will not take effect.)
- Disable user configuration settings (The settings that are set under User configuration of this GPO will not take effect.)
- Links (Displays the containers which have links to this GPO)
- Security (With the Security option you can set the level of permissions and settings for individual users and groups. Ex: If you want to disable this GPO for a particular user on this container, on the Security tab select that user and select the Deny check box for Apply Group Policy. Then the GPO will not take effect for that user even though he is in that container.)
13. What will you see in the Group
Policy snap in?
You will see
two major portions, and under those you have sub portions, they are
- Computer Configuration
  - Software settings
  - Software installations
  - Windows settings
  - Administrative templates
- User configuration
  - Software settings
  - Software installations
  - Windows settings
  - Administrative templates
Note:
Administrative templates are for modifying the registry of windows 2000
clients.
14. What is
the hierarchy of Group Policy?
- Local policy
- Site Policy
- Domain Policy
- OU Policy
- Sub OU Policy (If any are there)
15. Who can
create site level Group Policy?
Enterprise Admin
16. Who can create Domain level Group Policy?
Domain Admin
17. Who can create Organizational Unit level Group Policy?
Domain Admin
18. Who can
create Local Group Policy?
Local
Administrator or Domain Administrator
19. What is
the Refresh interval for Group Policy?
Refresh
interval for Domain Controllers is 5 minutes, and the refresh interval for all
other computers in the network is 45 minutes (this one doubt).
20. Why do
we need to manage and control desktop environment?
- To decrease support time
- Eliminate potential for problems
- One standard environment to support
- Eliminate distractions
- To increase productivity
21. What is
Group policy loop back process? How to set it?
Start -> Programs -> Administrative tools -> Active Directory Users and Computers -> Right click on the container -> click on Group Policy tab -> Click on Edit -> click on Computer settings -> click on Administrative templates -> System -> Group Policy -> click on User Group Policy loopback processing mode -> click OK -> Select Enable
22. What are
the players that are involved in deploying software?
- Group Policy: Within GP we specify that this software application gets installed to this particular computer or to this particular user.
- Active Directory: Group Policy will be applied somewhere in Active Directory.
- Microsoft Installer service
- Windows installer packages: The type of package that can be used by Group Policy to deploy applications is .msi packages i.e., Microsoft Installer packages.
23. What is
the package that can be used to deploy software through Group Policy?
Windows
installer packages (.msi files)
24. What is
Microsoft installer service?
Microsoft
Installer Service runs on the client machines in the Windows 2000 domain. It
installs the minimum amount of an application, as you extend functionality it
installs the remaining part of application. It is responsible for installing
software in the client. It is also responsible for modifying, upgrading,
applying service packs.
25. What is
Local security policy, Domain security policy, and Domain controller security
policy in the administrative tools?
- Local Security policy: This is group policy applied to local machine
- Domain Security Policy: Group Policy applied at domain level
- Domain Controller Security Policy: Group Policy applied at domain controller level.
26. What are
the design considerations for Group policy?
The
following should be considered for designing group policies.
- Minimize linking: Because there may be a chance of deleting the original one without seeing who else is using this GPO. Minimize linking for simplicity.
- Minimum number of GPOs: Microsoft suggests that one GPO with 100 settings will process faster than 100 GPOs each with one setting. This is for performance.
- Delegate
- Minimize filtering: To keep your environment simple, try to minimize filtering.
If you have several GPOs for a container, whichever GPO is on top will be applied
first. If you want, you can move GPOs up and down.
If there is a conflict between two GPOs of the same container, the last applied GPO will be effective,
i.e., the bottom one will be effective.
What is group policy in active directory? What are Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.
The Group Policy container is an
Active Directory container that stores GPO properties, including information on
version, GPO status, and a list of components that have settings in the GPO.
The Group Policy template is a
folder structure within the file system that stores Administrative
Template-based policies, security settings, script files, and information
regarding applications that are available for Group Policy Software
Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the Policies subfolder for its domain.
What is the order in which GPOs are applied?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the
computer belongs to are processed next. Processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the
site in Group Policy Management Console (GPMC). The GPO with the lowest link
order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order
specified by the administrator, on the Linked Group Policy Objects tab for the
domain in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then GPOs that
are linked to its child organizational unit, and so on. Finally, the GPOs that are
linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational
unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If
several GPOs are linked to an organizational unit, their processing is in the
order that is specified by the administrator, on the Linked Group Policy
Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order
is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
How to backup/restore Group Policy objects?
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
When you do, the details pane should
display all of the group policy objects that are associated with the domain. In
Figure A there are only two group policy objects, but in a production
environment you may have many more. The Group Policy Objects container stores
all of the group policy objects for the domain.
Now, right-click on the Group Policy
Objects container, and choose the Back Up All command from the shortcut menu.
When you do, Windows will open the Back Up Group Policy Object dialog box.
As you can see in Figure B, this
dialog box requires you to provide the path to which you want to store the
backup files. You can either store the backups in a dedicated folder on a local
drive, or you can place them in a folder on a mapped network drive. The dialog
box also contains a Description field that you can use to provide a description
of the backup that you are creating.
You must provide the path to which
you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you’re all done.
When it comes to restoring a backup
of any Group Policy Object, you have two options. The first option is to
right-click on the Group Policy Object, and choose the Restore From Backup
command from the shortcut menu. When you do this, Windows will remove all of
the individual settings from the Group Policy Object, and then implement the
settings found in the backup.
Your other option is to right-click
on the Group Policy Object you want to restore, and choose the Import Settings
option. This option works more like a merge than a restore.
Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.
You want to standardize the desktop
environments (wallpaper, My Documents, Start menu, printers etc.) on the
computers in one department. How would you do that?
- Go to Start -> Programs -> Administrative tools -> Active Directory Users and Computers
- Right click on the Domain -> click on Properties
- In the new window click on Group Policy
- Select Default Policy -> click on Edit
- In the Group Policy console go to User Configuration -> Administrative Templates -> Start menu and Taskbar
- Select each property you want to modify and do the same
What’s the difference between software publishing and assigning?
Assign Users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Assign Computers: The software
application is advertised and installed when it is safe to do so, such as when
the computer is next restarted.
Publish to users: The software
application does not appear on the start menu or desktop. This means the user
may not know that the software is available. The software application is made
available via the Add/Remove Programs option in control panel, or by clicking
on a file that has been associated with the application. Published applications
do not reinstall themselves in the event of accidental deletion, and it is not
possible to publish to computers.
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a
specific syntax which describes both the interface and the registry values
which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group
Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM
files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are
merged into a unified “namespace” in GPEdit and presented to the administrator
under the Administrative Templates node (for both machine and user policy).
Can I deploy non-MSI software with GPO?
Create the file with a .zap extension.
Name some GPO settings in the computer and user parts?
Group Policy Object (GPO): computer = Computer Configuration, user = User Configuration.
A user claims he did not receive a
GPO, yet his user and computer accounts are in the right OU, and everyone else
there gets the GPO. What will you look for?
Make sure the user is not subject to a loopback policy, because with a loopback policy the user settings do not take effect and only the computer policy is applicable. Also check whether he is a member of a GPO filter group.
You may also want to check the computer’s event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
How can I override blocking of
inheritance ?
What can I do to prevent inheritance
from above?
Name a few benefits of using GPMC.
How frequently is the client policy refreshed?
90 minutes give or take.
Where is secedit?
It’s now gpupdate.
What can be restricted on Windows
Server 2003 that wasn’t there in previous products ?
Group Policy in Windows Server 2003 determines a user’s right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
You want to create a new group
policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
How does the Group Policy ‘No Override’ and ‘Block Inheritance’ work?
Group Policies can be applied at
multiple levels (sites, domains, organizational units), and there can be multiple GPOs at
each level. Some policy settings may conflict, hence the
application order of Site – Domain – Organizational Unit, and within each layer
you set the order for all defined policies. However, you may want to force some policies
to never be overridden (No Override), and you may want some containers to not
inherit settings from a parent container (Block Inheritance).
A good definition of each is as
follows:
No Override – This prevents child
containers from overriding policies set at higher levels
Block Inheritance –
Stops containers inheriting policies from parent containers
No Override takes precedence over
Block Inheritance so if a child container has Block Inheritance set but on the
parent a group policy has No Override set then it will get applied.
Also the highest No Override takes
precedence over lower No Override’s set.
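The processing order and the No Override / Block Inheritance rules described above can be traced with a small model. This is an added example, not part of the original page and not Microsoft code; it covers site, domain and OU links only, and the GPO names, setting names and values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int = 1             # link order in the container, 1 = highest precedence
    no_override: bool = False  # "No override" option on the link
    disabled: bool = False     # "Disabled" option on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_settings(chain, gpos):
    """chain: containers from the site down to the OU that holds the account.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # The deepest container with Block inheritance cuts off the levels above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, forced = [], []
    for depth, container in enumerate(chain):
        # Inside one container the lowest link order is processed last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if link.disabled:
                continue
            if link.no_override:
                forced.append((depth, link))   # not stopped by Block inheritance
            elif depth >= cutoff:
                normal.append((depth, link))
    # No override links are written after everything else, deepest container
    # first, so the No override set highest in the hierarchy is written last.
    forced.sort(key=lambda item: -item[0])
    result = {}
    for _, link in normal + forced:
        for setting, value in gpos[link.gpo].items():
            result[setting] = (value, link.gpo)  # later writes win conflicts
    return result

# Constructed sample data: GPO names, setting names and values are hypothetical.
GPOS = {
    "Site-Proxy":      {"proxy": "proxy.hq.example"},
    "Domain-Baseline": {"screen_lock_timeout": 600, "hide_run_menu": True},
    "Domain-Desktop":  {"wallpaper": "domain.bmp", "screensaver": "logo.scr"},
    "Labs-Desktop":    {"wallpaper": "labs.bmp", "screen_lock_timeout": 1800},
}

def sample_chain(block=True, ou_no_override=False):
    return [
        Container("Site HQ", [Link("Site-Proxy")]),
        Container("Domain corp.example", [
            Link("Domain-Baseline", order=1, no_override=True),
            Link("Domain-Desktop", order=2),
        ]),
        Container("OU Labs", [Link("Labs-Desktop", no_override=ou_no_override)],
                  block_inheritance=block),
    ]

if __name__ == "__main__":
    for setting, (value, gpo) in sorted(effective_settings(sample_chain(), GPOS).items()):
        print(f"{setting} = {value!r}  (from {gpo})")
```

With Block inheritance on the OU, the site and ordinary domain links disappear from the result while the No override baseline still sets the lock timeout, which is the case to look for when a hardening baseline must not be bypassed by an OU administrator.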
To block inheritance perform the
following:
- Start the Active Directory Users and Computer snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
- Right click on the container you wish to stop inheriting settings from its parent and select Properties
- Select the ‘Group Policy’ tab
- Check the ‘Block Policy inheritance’ option
- Click Apply then OK
To set a policy to never be
overridden perform the following:
- Start the Active Directory Users and Computer snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
- Right click on the container you wish to set a Group Policy to not be overridden and select Properties
- Select the ‘Group Policy’ tab
- Click Options
- Check the ‘No Override’ option
- Click OK
- Click Apply then OK