Term
What does a group policy allow you to do? |
|
Definition
-Configure standard desktop settings -Automatically install, distribute, update or delete software on network computers -Configure logon/logoff and startup/shutdown scripts -Configure security settings such as: account policies (account lockout, password settings), set local policies (user rights and auditing), restrict registry and Event log access, set public key access, etc. -Redirect Folders |
|
|
Term
Which Windows OS computers have a local GPO configured for it? |
|
Definition
-Every Windows 2000, XP, 2003 and 2008 computer has a local GPO configured for it. |
|
|
Term
Non-local GPOs can be applied at what 3 levels? |
|
Definition
-Non-local Active directory GPOs be applied/linked at the domain, OU and/or site levels. |
|
|
Term
What console is used to configure GPOs? |
|
Definition
Group Policy Management Console (GPMC) |
|
|
Term
What would you do to create a new GPO or link an existing GPO to a AD container? |
|
Definition
-To create a new GPO using the GPMC, right-click on the container and select: Create a GPO in this domain and Link it here, or if you want to link an existing GPO, select Link an Existing GPO. |
|
|
Term
What is a Source Starter GPO? Why are they created? |
|
Definition
-A Source Starter GPO is created by you so that it can be used like a template that is copied to automatically populate the new GPO with its common settings. |
|
|
Term
How do you edit a GPO using the GPMC? |
|
Definition
-If you want to edit a GPO after it is created or linked, right-click the GPO and select Edit to open the Group Policy Management Editor. |
|
|
Term
When you link a GPO to an AD container, by default, its settings are applied to all ____ in that container. |
|
Definition
|
|
Term
How do you know if a GPO setting is going to be applied to a user or computer? |
|
Definition
If the setting is configured within the Computer Configuration folder (in the GP Editor) it will apply to computers, if it was configured within the User Configuration folder it will apply to users. |
|
|
Term
When are computer settings applied? |
|
Definition
Computer Configuration policies apply when the OS starts |
|
|
Term
When are user settings applied? |
|
Definition
-User Configuration settings apply when the user logs on to any computer |
|
|
Term
What is the difference between Policies and Preferences? |
|
Definition
-Policies are enforced and cannot be changed by the user -Preferences can be changed by the user. -Preferences usually contain configuration options that are not configured within a policy, for example login script and user profile actions, like mapping drives, scheduled tasks, etc. |
|
|
Term
What two default GPOs are created when AD is installed? |
|
Definition
-There are two GPOs installed automatically when the domain is created: the Default Domain Policy (applied at the domain level) and the Default Domain Controllers Policy (applied to the Domain Controllers OU). |
|
|
Term
What section of a GPO contains settings that can help standardize desktop settings? |
|
Definition
-The Administrative Templates section of a GPO for the most part, contains registry settings that can be configured to manage computers and user desktop settings. |
|
|
Term
Give some examples of desktop settings that can be configured. |
|
Definition
-There are seven main categories of User Configuration Administrative Templates: Control Panel, Desktop Network, Shared Folders, Start Menu and Taskbar, System, Windows Components, and All Settings. You could take the Games menu off the Start Menu, the Run menu, take icons off the Desktop, not allow access to the Control Panel, etc. |
|
|
Term
What are the two types of security policies? |
|
Definition
-There are two types of security policies defined in S2008: Computer security policy (also known as local policy) and a Domain security policy. -A standalone/workgroup computer is affected only by the local policy. -A computer that is a member of a domain has the local policy applied first, followed by the domain security policy. |
|
|
Term
Give some examples of security settings that can be set using a group policy. |
|
Definition
-Account Policies: Security settings for password policy, lockout policy and Kerberos policy for a domain. -Note, Account Policies must be applied at the domain level (if you are not in Server 2008 domain functional level). -Local Policies: Security settings for audit policy, user rights assignments, and security options -Restricted Groups: Gives an Administrator the ability to control who is a member of any security group. -These settings allow administrators to enforce security policies regarding sensitive groups, such as Enterprise Admins or Payroll. -Ex. Only Joe and Mary should be members of the Enterprise Admins group. Restricted groups can be used to enforce this policy. If a 3rd user is added to the group, the next time the policy is enforced, the third user is automatically removed from the group. -Also, Event Log, System Services, Registry, File System, Public Keys, Software Restrictions, etc. |
|
|
Term
Describe Restricted Groups. |
|
Definition
-Restricted Groups: Gives an Administrator the ability to control who is a member of any security group. -These settings allow administrators to enforce security policies regarding sensitive groups, such as Enterprise Admins or Payroll. -Ex. Only Joe and Mary should be members of the Enterprise Admins group. Restricted groups can be used to enforce this policy. If a 3rd user is added to the group, the next time the policy is enforced, the third user is automatically removed from the group. |
|
|
Term
What command line utility and switch can be used to immediately refresh all group policy settings? |
|
Definition
|
|
Term
By default, how often are policies automatically reapplied on domain controllers? …on other Windows systems? |
|
Definition
-Policies are reapplied/refreshed every 5 minutes by default on domain controllers; every 90 minutes (for most policy settings) on all other Windows systems. |
|
|
Term
What 4 types of scripts can be applied using GPOs? |
|
Definition
-Group policies allow considerable flexibility when assigning scripts, you can assign startup and shutdown scripts to computers, and logon and logoff scripts to users. |
|
|
Term
Describe folder redirection. |
|
Definition
-The Folder Redirection extension allows you to transparently redirect the following folders from a user profile to an alternate location on the network server's shared folder: Application Data, Desktop, Start Menu, Documents, Pictures, etc. |
|
|
Term
What are the advantages over using roaming profiles? |
|
Definition
-User log on time is reduced with Folder Redirection because the contents of these folders do not need to be copied between workstation and server each time the users logs on or off, which is what does occur when using a roaming profile. |
|
|
Term
What can you do with software applications using a GPO? |
|
Definition
You can use a GPO to automatically install, update, repair, and remove software applications for users and computers. |
|
|
Term
Can you assign apps to users and computers? Publish apps to users and computers? |
|
Definition
|
|
Term
In order to publish or assign applications, what must you acquire for that software? How can you acquire it? What 2 extensions can they have? |
|
Definition
-Before using a GPO for software distribution, a Microsoft Windows Installer (.msi ) or (.zap) package must be acquired for the application.
-Packages can be acquired in 2 ways: either the software vendor will supply the package or an administrator can create his own .msi or .zap package file using a third-party utility.
(.msi ) or (.zap) |
|
|
Term
What is the default method of installation when you assign an app to a user? What additional option can be selected? What is the difference between the two methods? |
|
Definition
advertised
• Install this application at logon
-An app will be activated by: selecting the app advertisement on the Start Menu, or by attempting to open a file with an associated extension, for ex. Trying to open a .XLS spreadsheet when Excel has been advertised. -If you select the optional Install this application at logon checkbox when assigning the app to users, the app will be automatically installed when the user logs in. |
|
|
Term
What happens when you assign an app to a computer? |
|
Definition
-If you assign an app to a computer, the application is advertised and the installation is performed when it is safe to do so; typically when the computer starts up and there are no competing processes on the computer. |
|
|
Term
What is the advantage of assigning apps? |
|
Definition
-An advantage to assigning apps is that the apps become resilient, if any application file becomes corrupted, it will automatically repair itself. |
|
|
Term
What happens when you publish an app to a user? What applet/folder in Control Panel can be used to install a published app? |
|
Definition
-When you publish an app to users, the app does not appear installed on the users’ computers and no shortcuts are visible on the desktop or Start Menu. -The published application can be installed by going to the advertisement in Control Panel > Add/Remove Programs > Add Programs or when attempting to open an associated file. |
|
|
Term
To be able to remove an app using a GPO, what must be true? |
|
Definition
-Note, in order to remove software using a GPO, the software must have been originally installed using a Windows Installer package. |
|
|
Term
In what order are GPOs applied for a computer/user that is a member of a domain? |
|
Definition
-GPOs are applied hierarchically, in the order: 1 > local GPO 2 > site GPO(s) 3 > domain GPO(s) 4 > OU GPO(s) (thru the OU hierarchy from parent > child OUs) |
|
|
Term
When multiple policies are applied, describe the default GPO inheritance rules when: -There is no conflict between settings:
-There is a conflict between settings: |
|
Definition
If there is no conflict, then both policies are applied, they are cumulative
If there is a conflict, later settings overwrite earlier settings |
|
|
Term
Most GPO settings can be configured with what 3 setting values? |
|
Definition
-Most GPO settings can be configured as: Not configured, Enabled or Disabled. |
|
|
Term
Can a single GPO be applied/linked to more than one container? |
|
Definition
|
|
Term
Can a single container have more than one GPO applied/linked to it? |
|
Definition
|
|
Term
In general, group policy settings are passed down from ______ to ___ containers. |
|
Definition
|
|
Term
What should you do if a GPO only has computer configuration settings configured? |
|
Definition
-If a GPO configures only Computer or User Configuration settings, performance will be improved if you disable the unused portion within Group Policy Management Editor, right-click the GPO Name, select Properties, check the option to disable the unused portion. |
|
|
Term
What option, if selected for a container, will block all group policy settings from being inherited from its parent containers? |
|
Definition
Block Inheritance -A container (a site, domain or OU) can be configured to block all policy settings that are coming from above in the AD hierarchy by right-clicking on the container and selecting Block Inheritance. |
|
|
Term
What option, if selected for a GPO/Link, will force all child objects to inherit that GPO’s settings? |
|
Definition
Enforced/No Override A non-local GPO (linked to a site, domain or OU) can be configured with the Enforced/No Override option, so that none of its policy settings will be overwritten by conflicting GPO settings applied after it or blocked by the container option Block Inheritance. |
|
|
Term
Block Inheritance is a_______ option. |
|
Definition
|
|
Term
Enforced/No Override is a____ option |
|
Definition
|
|
Term
33. If the Loopback option is configured, the ____ GPO is reapplied after the non-local GPOs. |
|
Definition
|
|
Term
Selecting the Loopback option makes the local GPO the____ powerful, when it is by default the _____ powerful. |
|
Definition
|
|
Term
What option can be de-selected (usually temporarily) to turn off a GPO on a container? |
|
Definition
-You should temporarily stop (disable) a GPO from being link enabled when you are making setting changes, since changes take effect immediately and there is no way to “Exit without Saving Changes” once made. |
|
|
Term
Are individual GPO setting changes saved immediately as they are made in the Group Policy Management Editor? |
|
Definition
|
|
Term
How can a GPO be further filtered to apply to only certain users/computers in a container? |
|
Definition
-If you want only some users/computers in a container to have the GPO applied to them, you can filter the application of a GPO by modifying its GPO permissions. |
|
|
Term
What 2 GPO permissions are necessary for a user/computer to receive a GPOs settings? |
|
Definition
Read & Apply Group Policy |
|
|
Term
In what order should you design OUs? |
|
Definition
1 - Delegate administration 2 - Apply GPOs (Add OUs without altering the design of Step 1) |
|
|
Term
What two utilities can be used to help troubleshoot GPO settings? |
|
Definition
-If you are receiving unexpected results for a group policy setting for a user or computer, you can use the command line GPResult.EXE utility or the Resultant Set of Policy (RsoP) MMC snap-in (also called Group Policy Result). |
|
|