Term
| What does a group policy allow you to do? |
|
Definition
-Configure standard desktop settings
-Automatically install, distribute, update or delete software on network computers
-Configure logon/logoff and startup/shutdown scripts
-Configure security settings such as: account policies (account lockout, password settings), set local policies (user rights and auditing), restrict registry and Event log access, set public key access, etc.
-Redirect Folders |
|
|
Term
| Which Windows OS computers have a local GPO configured for them? |
|
Definition
| -Every Windows 2000, XP, 2003 and 2008 computer has a local GPO configured for it. |
|
|
Term
| Non-local GPOs can be applied at what 3 levels? |
|
Definition
| -Non-local Active Directory GPOs can be applied/linked at the domain, OU and/or site levels. |
|
|
Term
| What console is used to configure GPOs? |
|
Definition
| Group Policy Management Console (GPMC) |
|
|
Term
| What would you do to create a new GPO or link an existing GPO to an AD container? |
|
Definition
| -To create a new GPO using the GPMC, right-click on the container and select: Create a GPO in this domain and Link it here, or if you want to link an existing GPO, select Link an Existing GPO. |
|
|
Term
| What is a Source Starter GPO? Why are they created? |
|
Definition
| -A Source Starter GPO is created by you so that it can be used like a template that is copied to automatically populate the new GPO with its common settings. |
|
|
Term
| How do you edit a GPO using the GPMC? |
|
Definition
| -If you want to edit a GPO after it is created or linked, right-click the GPO and select Edit to open the Group Policy Management Editor. |
|
|
Term
| When you link a GPO to an AD container, by default, its settings are applied to all ____ in that container. |
|
Definition
|
|
Term
| How do you know if a GPO setting is going to be applied to a user or computer? |
|
Definition
| If the setting is configured within the Computer Configuration folder (in the GP Editor), it will apply to computers; if it was configured within the User Configuration folder, it will apply to users. |
|
|
Term
| When are computer settings applied? |
|
Definition
| Computer Configuration policies apply when the OS starts |
|
|
Term
| When are user settings applied? |
|
Definition
| -User Configuration settings apply when the user logs on to any computer |
|
|
Term
| What is the difference between Policies and Preferences? |
|
Definition
-Policies are enforced and cannot be changed by the user.
-Preferences can be changed by the user.
-Preferences usually contain configuration options that are not configured within a policy, for example login script and user profile actions, like mapping drives, scheduled tasks, etc. |
|
|
Term
| What two default GPOs are created when AD is installed? |
|
Definition
| -There are two GPOs installed automatically when the domain is created: the Default Domain Policy (applied at the domain level) and the Default Domain Controllers Policy (applied to the Domain Controllers OU). |
|
|
Term
| What section of a GPO contains settings that can help standardize desktop settings? |
|
Definition
| -The Administrative Templates section of a GPO, for the most part, contains registry settings that can be configured to manage computers and user desktop settings. |
|
|
Term
| Give some examples of desktop settings that can be configured. |
|
Definition
-There are seven main categories of User Configuration Administrative Templates: Control Panel, Desktop Network, Shared Folders, Start Menu and Taskbar, System, Windows Components, and All Settings. You could take the Games menu or the Run menu off the Start Menu, take icons off the Desktop, not allow access to the Control Panel, etc. |
|
|
Term
| What are the two types of security policies? |
|
Definition
-There are two types of security policies defined in Server 2008: Computer security policy (also known as local policy) and a Domain security policy.
-A standalone/workgroup computer is affected only by the local policy.
-A computer that is a member of a domain has the local policy applied first, followed by the domain security policy. |
|
|
Term
| Give some examples of security settings that can be set using a group policy. |
|
Definition
-Account Policies: Security settings for password policy, lockout policy and Kerberos policy for a domain.
-Note, Account Policies must be applied at the domain level (if you are not in Server 2008 domain functional level).
-Local Policies: Security settings for audit policy, user rights assignments, and security options.
-Restricted Groups: Gives an Administrator the ability to control who is a member of any security group.
-These settings allow administrators to enforce security policies regarding sensitive groups, such as Enterprise Admins or Payroll.
-Ex. Only Joe and Mary should be members of the Enterprise Admins group. Restricted groups can be used to enforce this policy. If a 3rd user is added to the group, the next time the policy is enforced, the third user is automatically removed from the group.
-Also, Event Log, System Services, Registry, File System, Public Keys, Software Restrictions, etc. |
|
|
Term
| Describe Restricted Groups. |
|
Definition
-Restricted Groups: Gives an Administrator the ability to control who is a member of any security group.
-These settings allow administrators to enforce security policies regarding sensitive groups, such as Enterprise Admins or Payroll.
-Ex. Only Joe and Mary should be members of the Enterprise Admins group. Restricted groups can be used to enforce this policy. If a 3rd user is added to the group, the next time the policy is enforced, the third user is automatically removed from the group. |
|
|
Term
| What command line utility and switch can be used to immediately refresh all group policy settings? |
|
Definition
|
|
Term
| By default, how often are policies automatically reapplied on domain controllers? …on other Windows systems? |
|
Definition
| -Policies are reapplied/refreshed every 5 minutes by default on domain controllers; every 90 minutes (for most policy settings) on all other Windows systems. |
|
|
Term
| What 4 types of scripts can be applied using GPOs? |
|
Definition
| -Group policies allow considerable flexibility when assigning scripts: you can assign startup and shutdown scripts to computers, and logon and logoff scripts to users. |
|
|
Term
| Describe folder redirection. |
|
Definition
| -The Folder Redirection extension allows you to transparently redirect the following folders from a user profile to an alternate location on the network server's shared folder: Application Data, Desktop, Start Menu, Documents, Pictures, etc. |
|
|
Term
| What are the advantages over using roaming profiles? |
|
Definition
| -User logon time is reduced with Folder Redirection because the contents of these folders do not need to be copied between workstation and server each time the user logs on or off, which is what does occur when using a roaming profile. |
|
|
Term
| What can you do with software applications using a GPO? |
|
Definition
| You can use a GPO to automatically install, update, repair, and remove software applications for users and computers. |
|
|
Term
Can you assign apps to users and computers? Publish apps to users and computers? |
|
Definition
|
|
Term
In order to publish or assign applications, what must you acquire for that software? How can you acquire it? What 2 extensions can they have? |
|
Definition
-Before using a GPO for software distribution, a Microsoft Windows Installer (.msi) or (.zap) package must be acquired for the application.
-Packages can be acquired in 2 ways: either the software vendor will supply the package or an administrator can create his own .msi or .zap package file using a third-party utility.
(.msi) or (.zap) |
|
|
Term
What is the default method of installation when you assign an app to a user? What additional option can be selected? What is the difference between the two methods? |
|
Definition
advertised
• Install this application at logon
-An app will be activated by: selecting the app advertisement on the Start Menu, or by attempting to open a file with an associated extension, for example, trying to open a .XLS spreadsheet when Excel has been advertised.
-If you select the optional Install this application at logon checkbox when assigning the app to users, the app will be automatically installed when the user logs in. |
|
|
Term
| What happens when you assign an app to a computer? |
|
Definition
| -If you assign an app to a computer, the application is advertised and the installation is performed when it is safe to do so; typically when the computer starts up and there are no competing processes on the computer. |
|
|
Term
| What is the advantage of assigning apps? |
|
Definition
| -An advantage to assigning apps is that the apps become resilient: if any application file becomes corrupted, it will automatically repair itself. |
|
|
Term
What happens when you publish an app to a user? What applet/folder in Control Panel can be used to install a published app? |
|
Definition
-When you publish an app to users, the app does not appear installed on the users’ computers and no shortcuts are visible on the desktop or Start Menu.
-The published application can be installed by going to the advertisement in Control Panel > Add/Remove Programs > Add Programs or when attempting to open an associated file. |
|
|
Term
| To be able to remove an app using a GPO, what must be true? |
|
Definition
| -Note, in order to remove software using a GPO, the software must have been originally installed using a Windows Installer package. |
|
|
Term
| In what order are GPOs applied for a computer/user that is a member of a domain? |
|
Definition
-GPOs are applied hierarchically, in the order:
1 > local GPO
2 > site GPO(s)
3 > domain GPO(s)
4 > OU GPO(s) (through the OU hierarchy from parent > child OUs) |
|
|
Term
When multiple policies are applied, describe the default GPO inheritance rules when:
-There is no conflict between settings:
-There is a conflict between settings: |
|
Definition
If there is no conflict, then both policies are applied; they are cumulative.
If there is a conflict, later settings overwrite earlier settings. |
|
|
Term
| Most GPO settings can be configured with what 3 setting values? |
|
Definition
| -Most GPO settings can be configured as: Not configured, Enabled or Disabled. |
|
|
Term
| Can a single GPO be applied/linked to more than one container? |
|
Definition
|
|
Term
| Can a single container have more than one GPO applied/linked to it? |
|
Definition
|
|
Term
| In general, group policy settings are passed down from ______ to ___ containers. |
|
Definition
|
|
Term
| What should you do if a GPO only has computer configuration settings configured? |
|
Definition
| -If a GPO configures only Computer or User Configuration settings, performance will be improved if you disable the unused portion: within Group Policy Management Editor, right-click the GPO name, select Properties, and check the option to disable the unused portion. |
|
|
Term
| What option, if selected for a container, will block all group policy settings from being inherited from its parent containers? |
|
Definition
Block Inheritance
-A container (a site, domain or OU) can be configured to block all policy settings that are coming from above in the AD hierarchy by right-clicking on the container and selecting Block Inheritance. |
|
|
Term
| What option, if selected for a GPO/Link, will force all child objects to inherit that GPO’s settings? |
|
Definition
Enforced/No Override
-A non-local GPO (linked to a site, domain or OU) can be configured with the Enforced/No Override option, so that none of its policy settings will be overwritten by conflicting GPO settings applied after it or blocked by the container option Block Inheritance. |
|
|
Term
| Block Inheritance is a _______ option. |
|
Definition
|
|
Term
| Enforced/No Override is a ____ option. |
|
Definition
|
|
Term
| If the Loopback option is configured, the ____ GPO is reapplied after the non-local GPOs. |
|
Definition
|
|
Term
Selecting the Loopback option makes the local GPO the ____ powerful, when it is by default the _____ powerful. |
|
Definition
|
|
Term
| What option can be de-selected (usually temporarily) to turn off a GPO on a container? |
|
Definition
| -You should temporarily disable the Link Enabled option for a GPO when you are making setting changes, since changes take effect immediately and there is no way to “Exit without Saving Changes” once made. |
|
|
Term
| Are individual GPO setting changes saved immediately as they are made in the Group Policy Management Editor? |
|
Definition
|
|
Term
| How can a GPO be further filtered to apply to only certain users/computers in a container? |
|
Definition
| -If you want only some users/computers in a container to have the GPO applied to them, you can filter the application of a GPO by modifying its GPO permissions. |
|
|
Term
| What 2 GPO permissions are necessary for a user/computer to receive a GPO's settings? |
|
Definition
| Read & Apply Group Policy |
|
|
Term
| In what order should you design OUs? |
|
Definition
1 - Delegate administration
2 - Apply GPOs (Add OUs without altering the design of Step 1) |
|
|
Term
| What two utilities can be used to help troubleshoot GPO settings? |
|
Definition
| -If you are receiving unexpected results for a group policy setting for a user or computer, you can use the command line GPResult.EXE utility or the Resultant Set of Policy (RSoP) MMC snap-in (also called Group Policy Result). |
|
|