Group Policy Flashcards

Create and Manage Group Policy

1
Q

In Group Policy, what is Folder Redirection?

A

Redirects the user’s common profile folders to a network share or other location

2
Q

In Group Policy, what are Security Templates?

A
  • Applies specific security settings to specific types of systems
  • Do not take effect until imported into GPO and linked
3
Q

What does this Security Template do?

Setup security.inf

A

The baseline security for all workstations or member servers out of the box

4
Q

What does this Security Template do?

Securews.inf

A

Best described as the middle-ground security template for workstations and member servers, before moving up to the hisecws.inf template

5
Q

What does this Security Template do?

DCsecurity.inf

A

The baseline security template for domain controllers out of the box

6
Q

What does this Security Template do?

Securedc.inf

A

Best described as the middle-ground security template for domain controllers, before moving up to the hisecdc.inf template

7
Q

What does this Security Template do?

Hisecws.inf

A

The highest level security template available for workstations/member servers.

8
Q

What does this Security Template do?

Hisecdc.inf

A

The highest level security template available for domain controllers

9
Q

What does this Security Template do?

Compatws.inf

A

Designed to resolve compatibility issues with legacy operating systems

10
Q

When can Scripts be run using Group Policy?

A

If added to Computer Configuration, they can run as either a Startup or Shutdown script.

If added to User Configuration, they can run either as a Logon or Logoff script.

11
Q

What can a GPO be linked to?

A

Any of the following:

  • an AD site
  • a domain
  • an OU
12
Q

When multiple GPOs apply to a given user or computer, what is the processing order for them?

A

Group Policies are processed in this order:

(LSDOU)

  • Local GPO
  • Site-linked GPOs
  • Domain-linked GPOs
  • OU-linked GPOs

In the case of conflicts, the GPO processed last will win. Thus, with the LSDOU ordering, the GPO linked closest to the user/computer account wins.

• Additionally, within each container, there may be multiple linked GPOs. So, those GPOs are assigned a “Link Order” that determines their precedence within that container.

13
Q

What is a GPC?

A

Group Policy Container

One of the two parts of a GPO.

It is an object in Active Directory; it is stored as an object with attributes and properties, just like any Active Directory object.

14
Q

What is a GPT?

A

Group Policy Template

One of the two parts of a GPO.

It is a set of files and folders within SYSVOL.

(Since it is in SYSVOL, that means it is replicated to all DCs.)

15
Q

When editing a GPO using GP Editor, which Domain Controller does it connect to by default?

A

The PDC Emulator. Changes are made against the PDC Emulator DC first, and then replicated to all other DCs.

This is the default, but it can be changed.

16
Q

Where are Group Policy Containers found in Active Directory?

A

You need to show Advanced Features, then they’re in System > Policies, and you’ll see a GPC for each GPO that exists.

The GPCs are named by the GUID of their GPO.

17
Q

What are Administrative Templates?

A

GPOs that contain registry settings.

  • Allow you to set registry values for either a user or computer.
  • Based on ADMX/ADML files which contain the registry values that can be controlled.
  • Admin Templates do NOT “tattoo” the registry; meaning, when a policy that contains a setting is removed, it will restore the registry back to how it was before the template was applied. (Though, it’s possible that custom ADMX/ADML files may tattoo the registry.)
18
Q

In Group Policy, what is IE Maintenance?

A

It was created to help you configure Internet Explorer settings, but has been deprecated since IE 10 was launched, and since Windows 8.

Any Windows 8 system, or system using IE 10, will not have or process these policies.

19
Q

In Group Policy, what is the difference between a Policy and a Preference?

A

There are exceptions, but in general:

  • Policies can’t be undone by the user. Policies change settings in applications and processes that are designed to look for these Group Policies.
  • Preferences can be undone or changed by the user, as long as they have the rights to do so. Preferences do not require the application to be aware of Group Policy; they just make changes to existing settings to change the default state.
20
Q

How can GPOs be configured to apply only to specific computers or users?

A

There are four methods that work in different ways and for different situations:

  • Linking (linking the GPO to an AD Site, Domain, or OU)
  • Security Groups
  • WMI Filters
  • Item-Level Targeting
21
Q

In Group Policy, what is Security Filtering?

A
  • Security Filtering applies a GPO to selected AD Users, Computers, or Groups
  • By default, all GPOs have security filtering set for “Authenticated Users,” a group which includes all AD user and computer objects.
  • To filter, you must remove that default group, then add the objects or groups you want it to apply to.
  • You can add any number you want.
22
Q

In Group Policy, what is WMI Filtering?

A
  • Allow filtering based on WMI queries (hardware or software configurations)
  • If the query evaluates to “true,” then the GPO is applied.
  • A GPO can only have one WMI filter at a time.
  • Example filters could be OS version, processor type (ex., a mobile processor will filter for laptops)
  • WMI Filters are created and saved within the Domain. Once created, a GPO can select to be linked to a single WMI Filter.
23
Q

In Group Policy, what is Item-Level Targeting?

A
  • Only for GP Preferences settings.
  • Allows over 20 different possible criteria for filtering an individual GPP setting.
  • The GPO could apply widely, but have one particular GPP setting within that GPO which is targeted to a smaller group.
24
Q

In Group Policy, what is Block Inheritance?

A
  • This is set at a container level, usually a Domain or OU level.
  • If set on a container, it prevents any upstream GPOs from applying to the OUs underneath.
  • Example: if a Domain is set to Block Inheritance, then any GPOs linked at the site level which would normally apply, will not be applied anywhere in that domain.
  • Typically used on OUs that have computers or users to which you don’t want normal settings to apply.
25
Q

In Group Policy, what is an Enforced Link?

A
  • This is set on GPO links (not containers).
  • It has essentially the opposite effect of Block Inheritance.
  • When set on a GPO Link, it says, “No matter what is happening downstream, this GPO always wins.”
26
Q

If there is an OU with Block Inheritance set, which is inside a Domain that has an Enforced GPO linked to it, will the GPO be applied to that OU?

A

Yes.

Enforced Links trump Blocked Inheritance settings.

27
Q

In Group Policy, what is “Link Order”?

A
  • Each container in Group Policy may have multiple GPOs linked to it. So, those GPOs are given a “Link Order” that determines their precedence within that container.
  • GPOs are processed in reverse order of Link Order, so the lowest numbered GPOs are processed last. (Number 1, at the top of the list, is processed last.)
  • (GPO precedence is always determined by “last GPO processed wins.”)
28
Q

In Group Policy, what are CSEs?

A

Client Side Extensions

  • These are the agents of Group Policy, which run on each client machine.
  • They pull the GPOs and do the work of processing their settings.
  • Each policy area has its own CSE, which is implemented as a DLL file.
29
Q

What domains and forests can you manage with GPMC?

A

Besides managing your own domain and forest with it,

  • GPMC can manage multiple domains and forests, as long as they are trusting of the domain where you are running GPMC from.
  • Your user account needs read access to view those other domains’ GPOs, and write access to edit them.
30
Q

What is GPMC?

A

Group Policy Management Console

  • Installed on Desktop OSs by first installing RSAT (Remote Server Administration Tools), then turning it on through the “Turn Windows Features on or off” console.
  • Installed on Servers via Add Roles and Features.
31
Q

What is GPME?

A

Group Policy Management Editor

  • The main tool for editing GPOs.
  • It’s launched from the GPMC.
32
Q

What happens if you right-click and delete a GPO in GPMC?

A
  • If you delete it from the “Group Policy Objects” container, it will delete the GPO and all links to it in the current domain.
  • If you delete it from any other container, it only deletes that link to the GPO for that container.
  • If a GPO is deleted, it does not automatically delete links in other domains, so those links will be orphaned, and will need to be cleaned up.
33
Q

What qualifiers / filtering criteria are available for item-level targeting in Group Policy?

A
  • Battery Present
  • Computer Name
  • CPU Speed
  • Date Match
  • Disk Space
  • Domain
  • Environmental Variable
  • File Match
  • IP Address Range
  • Language
  • LDAP Query
  • MAC Address Range
  • MSI Query
  • Network Connection
  • Operating System
  • OU
  • PCMCIA Present
  • Portable Computer
  • Processing Mode
  • RAM
  • Registry Match
  • Security Group
  • Site
  • Terminal Session
  • Time Range (based on target computer time)
  • User
  • WMI Query
34
Q

What are the two types of Group Policy Processing?

A

Foreground

• Runs at computer startup for computer objects, and at user logon for user objects

Background

• Runs every 90 minutes (plus up to a 30 minute random offset) for workstations, and every 5 minutes for servers, checking for changes in the GP since startup/logon.

35
Q

What policy areas of Group Policy can only be processed in the foreground?

A
  • Folder redirection
  • Software installation
  • And up until Windows 8.1, GP Preferences Drive Maps
36
Q

What are the two modes of Group Policy Processing, and how do they work?

A

Synchronous

• GP Processing completes before the user can login (for computer objects) or the user can use their desktop (for user objects).

Asynchronous

• GP Processing runs while the user is logging in and working on their desktop.

Notes:

  • Servers always run synchronous GP processing, and this cannot be changed.
  • On Workstations, asynchronous processing has been the default mode since Windows XP, but synchronous can be forced.
  • Background processing always runs asynchronously, by definition.
37
Q

Why might you want to force workstations to use synchronous GP Processing?

A

Since some areas of GP policy can be processed in the foreground (before logon), asynchronous processing could result in these policies not completing in time to be applied.

If that happens, then a flag will be set telling Windows that the next GP Processing cycle needs to run synchronously, so that they can be applied.

This results in sometimes needing a user to log in twice, before all their policies get applied.

Forcing synchronous processing would prevent this.

38
Q

In Group Policy, what is a “Slow Link,” and what effect does it have?

A

If a slow link between the client and the DC is detected, some GP Policy areas will not run.

By default, a slow link is defined as under 500 Kb/s, but this can be modified within Group Policy.

(500 Kb/s is, by today’s standard, very slow.)

39
Q

What GP Policy areas will not run if a slow link is detected?

A

By default:

  • Disk Quota
  • Scripts
  • Folder Redirection
  • Software Installation
  • Wireless Network Policies
  • Internet Explorer Maintenance
  • Internet Protocol Security

Administrative Templates will still run, as well as (most) Security policies.

These behaviors can be changed by modifying Group Policy. So, whatever policies you want to run, or not run, can be set as desired.

40
Q

How does Group Policy operate over VPN?

A

VPN connections can be problematic for Group Policy.

  • Foreground computer GP processing (i.e. machine startup) won’t work unless a DC is available at boot time, which is unlikely with VPN client connections.
  • Foreground user GP processing (i.e. user logon) won’t work unless a DC is available at logon time (which is possible if you have the option to connect VPN at logon).
41
Q

How can you trigger manual GP Processing?

A

Three possible ways:

• Using the GPupdate.exe command-line utility
- this can only be run locally, no remote option

• Using the Invoke-GPUpdate PowerShell cmdlet

• Using the Group Policy Update option in GPMC (on Server 2012 R2 & newer, or Windows 8 and newer.)
- this has the same effect as running a gpupdate /force on all computers in a selected OU

42
Q

What does the /Force parameter do with the GPupdate command?

A

It causes all policies to be processed and reapplied, even if no changes to the GPO have been made since the last time they were processed.

(By default, whenever Group Policy is processed, whether manually or according to normal automatic methods, policies that have not changed since the last processing will not be re-processed or re-applied.)

43
Q

How can you, or third party software providers, create new Administrative Template settings?

A

By providing / creating custom ADMX/ADML files, which are the XML files that Administrative Templates get their available registry setting options from.

44
Q

In Group Policy, what is the Central Store?

A

By default, every system that opens GP Editor will look in their own c:\windows\policydefinitions for their list of available ADMX/ADML files.

The Central Store is a location for ADMX/ADML files, stored in SYSVOL so it is replicated to all domain controllers. When you create it, you would typically copy all local ADMX/ADML files into it.

Once the Central Store exists in a domain, all users of GPMC and GP Editor will refer to it instead of any local files.

45
Q

How do you create the Central Store for Group Policy?

A
  1. On the domain controller that’s sharing out the SYSVOL, simply navigate to SYSVOL\[domainname]\Policies
  2. Create a new folder named PolicyDefinitions
  3. Save any desired ADMX/ADML files in this location. Typically, you would copy all local ADMX/ADML files into it.

That’s it. All computers in the domain will now look here, exclusively, for Admin Templates when using GP Editor.

46
Q

Typically, will Security Policies set in Group Policy tattoo, or not tattoo, a system?

A

Generally, most security policy WILL tattoo a system.

So, once applied, if you remove the GPO, the settings will still be set on that system.

This is because, unlike Admin Templates where they just need to remove their own registry key, there is no record kept of what security settings were in place before applying the GPO.

47
Q

How can you manage Internet Explorer settings with Group Policy, and how does that work?

A

Using either Admin Templates, or GP Preferences.

Admin Templates:

  • Admin Templates doesn’t cover all IE settings.
  • It prevents users from changing settings.
  • Can be set either per user or per computer.

GP Preferences:

  • Covers more IE configuration options
  • Doesn’t enforce configuration; user can change
  • Can only be set per user; not per computer
  • Easy to use; mimics the IE interface

On pre-Windows 8 systems that are running IE versions older than IE 10, you may be able to use the older “IE Maintenance” Group Policy area, but only if you’re editing group policy on an older server OS.

48
Q

What are the “hotkeys” for enabling and disabling properties on a GP editor tab?

A

These are especially useful for GP Preferences IE Settings, but can be used elsewhere as well:

F5: enables all settings on the tab

F6: Enables the currently selected setting

F7: Disable the currently selected setting

F8: Disable all settings on the tab

49
Q

In GP Preferences IE Settings, what does a colored line or circle next to a setting mean?

A
  • A green circle, or underline, means the setting is Enabled, and will be applied to clients.
  • A red circle, or dashed underline, means the setting is Disabled, and won’t be applied to clients.
50
Q

How can you manage Internet Explorer Version 11 settings using Group Policy?

A

Even if Group Policy might only show IE 10 as the latest version, the settings configured for IE 10 will apply to IE 11.

51
Q

How does “Assigning” an application in Group Policy work?

A
  • If you assign an application to a computer, it is automatically installed without user intervention, and only an admin can uninstall it. It becomes available after the next reboot.
  • If you assign an application to a user, it becomes available at the next login. A shortcut can be placed on either the desktop or the Start menu, but it is not installed until a user clicks the shortcut, or opens a file that requires the application. If the user uninstalls it, it becomes available again on the next login.
52
Q

How does “Publishing” an application in Group Policy work?

A
  • Publishing apps can only target users, not computers.
  • The application becomes available at the next login, and will be listed in the Add/Remove Programs menu where a user can opt to install it.
  • It will also be automatically installed if a user opens a file that requires it.
53
Q

How do files on a user’s local hard drive work, in the default behavior of Group Policy Folder Redirection?

A
  • Once set, the current files in the user’s local hard drive directories will be pushed up to the server location.
  • Redirected folders are locally cached for offline use, and changes are automatically synced
54
Q

For GPOs that contain password information, such as local user creation or “Connect as” for Drive Mappings, how does that work?

A

Microsoft has deprecated the use of storing passwords in Group Policy, and the method by which they are stored should not be considered secure. So, they should be used cautiously.

55
Q

What is the default timeout for a startup or logon script to execute and complete?

A

Ten minutes.

So, if a script hangs, it could take ten minutes, during which the user will be waiting for startup or logon.

This setting can be changed.

56
Q

What language(s) can be used to write GPO Scripts?

A

Almost any language can be supported.

57
Q

What context does a startup or shutdown script run in?

A

The computer’s Local System identity.

This allows you to do pretty much anything to the system.

58
Q

What are the two modes that Loopback Processing can use, and how do they work?

A

Loopback Merge Mode:

• The user’s regular policy settings are processed first, then the user settings that apply to the loopback computer are processed second.

Loopback Replace Mode:

• The user settings that apply to the loopback computer are processed first, and the user’s regular settings are ignored.

59
Q

What is Group Policy Loopback Processing?

A

Loopback processing allows you to specify a different user policy for users logging into specific machines.

It is set on a per-computer basis, within Group Policy itself.

60
Q

What are “Common Options” in Group Policy Preferences?

A

Many Group Policy Preference items share these “Common options”, which are displayed on the Common tab:

  • Stop processing items in this extension if an error occurs on this item
  • Run in logged-on user’s security context (user policy option)
  • Remove this item when it is no longer applied
  • Apply once and do not reapply
  • Item-level targeting
61
Q

In Group Policy, what are Migration Tables?

A

A tool for converting references when importing GPOs from another domain or forest.

It allows you to convert / remap several characteristics as you are importing, such as:

  • User names
  • Computer names
  • Domain Groups
  • UNC Paths
  • “Free Text of SIDs”

It only supports Policy settings, not Preferences.

62
Q

How can you recover a deleted GPO?

A

If a backup was taken of it in GPMC before deletion, you can do an import on that GPO from the backup.

Note that a “restore” function can only be performed to the same GPO that was backed up, hence a deleted GPO cannot be restored in this way.

Using the import to recreate the GPO will not restore any links that GPO had. It will need to be re-linked to any domains, OUs, etc.

63
Q

What is a Starter GPO?

A

Like a template for creating GPOs. Whenever you create a new GPO, it offers you a drop-down of Starter GPOs to pick from if desired. If one is selected, it will create the new GPO with all of the settings that were in the Starter GPO.

Starter GPOs can only contain Administrative Template configurations. No Policies or Preferences.

Microsoft also offers several Starter GPOs pre-built in, that become available as soon as you create the Starter GPOs folder in GPMC.

64
Q

What can this PowerShell command be used for?

Dcgpofix

A

This command is used to reset the Default Domain Policy GPO and Default Domain Controllers GPO to their default settings.

You can choose to reset either, or both.

65
Q

What is RSoP?

A

Resultant Set of Policy

• A set of tools for troubleshooting Group Policy.

Has two tools:

  • RSOP Modeling, which tells you what should happen
  • RSOP Logging, which tells you what actually happened on a system
66
Q

What is RSOP Logging?

A

Also called “Group Policy Results”

  • Runs against a target system. You run a query against a system, for a specific user that has previously logged onto it.
  • Tells you what happened on the last GP processing cycle for that user on that computer
  • Shows what worked and what didn’t
  • Only shows “Winning” settings
67
Q

What is RSOP Modeling?

A

Also called “Group Policy Modeling”

  • Runs against a DC in your environment
  • Tells you what the results should be with Group Policy processing, when you provide conditions
  • Select a computer and a user, or containers with users / computers, and view simulated policy results.
  • Can add simulation options for slow-link, loopback, Site, WMI filters, etc. without changing the GPOs themselves.
  • Only shows “Winning” settings
68
Q

What can you configure under Control Panel Settings?

A

Preferences > Control Panel Settings:

  • Data sources
  • Devices
  • Folder Options
  • Local users and groups
  • Network options
  • Power Options
  • Printers
  • Scheduled tasks
  • Services