CST8200 - Week 7 Group Policy Quiz

Questions and Answers

What is the purpose of nested OUs in a domain?

To apply exceptions to policies set at a higher level (correct)

To automatically block GPO inheritance

To remove all GPOs from the parent OU

To create individual GPOs for each user

What does blocking inheritance do in Group Policy management?

It releases all settings applied to child containers

It allows all GPOs to affect child containers

It prevents GPOs linked to parent containers from affecting child containers (correct)

It enforces the strongest GPO setting on child objects

What is the highest level of precedence for GPOs when conflicts arise?

The GPO set to block inheritance

The GPO with the most recent modification time

The enforced GPO at the highest level in its scope (correct)

The GPO linked to a child container

Which method is NOT a way to alter the normal scope of GPOs?

Reverting to default policies

What indicator shows that blocking inheritance is enabled in GPMC?

A blue exclamation point next to the OU

What type of filtering uses permissions to restrict object access to a GPO?

Security filtering

In the event of multiple enforced GPOs, which GPO takes precedence?

The GPO linked at the highest level of scope

What is a potential downside of frequent blocking of inheritance?

It may indicate a flawed organizational unit design

Which replication method is used when all Domain Controllers are running Windows Server 2008?

Distributed File System Replication (DFSR)

In Group Policy, which configuration takes precedence when both Computer Configuration and User Configuration have conflicting settings?

Computer Configuration

What does the 'Published' deployment option do when configuring software installation?

Provides a link in Programs and Features for users to install manually

Which folder under the Policies folder does NOT typically contain any Group Policy settings?

Network Settings

What is the first step to detect synchronization issues between GPC and GPT?

Open Group Policy Management Console, select the domain node, and click Detect Now

What happens when blocking inheritance is applied to an Organizational Unit (OU)?

GPOs from both parent and child OUs will be ignored.

Which of the following describes the role of the Group Policy Object (GPO) scope?

The set of users and computers to which the GPO is applied

Which of the following is NOT a file format associated with software installation through Group Policy?

.zip

What is the main function of Domain-Linked GPOs?

They contain settings that should apply universally across all objects in a domain.

How does the precedence of OU-Linked GPOs compare to other GPOs?

They take precedence over both domain and site policies.

Which scenario exemplifies GPO inheritance in a nested OU structure?

The deepest nested OU policies take precedence over all other GPOs.

Which of the following statements about GPO blocking inheritance is correct?

It allows child OUs to selectively ignore policies applied to parent OUs.

What could be a potential downside of using Site-Linked GPOs?

They may confuse users if policies differ significantly between sites.

Which best practice is recommended for setting account policies at the domain level?

Including account policies that affect domain logons.

What is the primary purpose of OU-Linked GPOs?

To fine-tune policies for groups of users and computers with similar requirements.

What happens if a setting is configured on one GPO but not on another for the same object?

The configured setting will be applied, while the other setting is ignored.

Study Notes

CST8200 - Windows Domain Administration

• Course offered by Professor Denis Latremouille
• Covers week 7 topics on Group Policy.

Agenda

• Description of group policy architecture and processing.
• Configure group policy settings.
• Configure group policy security settings.
• Configure and manage administrative templates.
• Work with security templates.
• Configure Group Policy Preferences.
• Configure group policy processing.
• Configure group policy client processing.
• Configure Group Policy Results and Group Policy Modeling tools.
• Manage GPOs.

Local GPOs

• Stored on individual computers.
• Modified using the Group Policy Object Editor snap-in.
• Settings inherited from domain GPOs cannot be changed locally.
• Only non-configured settings in domain GPOs are editable locally.
• Using gpedit.msc opens Local Computer Policy, containing Computer Configuration and User Configuration nodes.

Domain GPOs

• Stored in Active Directory on domain controllers.
• Composed of two parts: a Group Policy Template (GPT) and a Group Policy Container (GPC).
• GPT and GPC share naming and folder structures.
• Understanding GPO structure aids in issue resolution.

Group Policy Templates (GPT)

• Contains policy settings and related files (e.g., scripts).
• Resides in the Sysvol share on the domain controller.
• Upon GPO creation, various files and subfolders are generated (number varies).
• Each GPT folder usually contains at least three items: GPT.ini, Machine, and User.

Group Policy Containers (GPC)

• Stored in the System\Policies folder of Active Directory.
• Stores GPO properties and status, but not policy settings.
• Uses GPO GUID as its folder name.
• Contains information like GPO name, file path to GPT, version, and status.

Group Policy Replication

• GPOs replicated using Active Directory.
• GPTs in the SYSVOL share are replicated via File Replication Service (FRS) in mixed environments.
• Distributed File System Replication (DFSR) used when all DCs run Windows Server 2008 or later.
• DFSR is more efficient and reliable compared to FRS.
• GPOs and GPTs can sometimes fall out of sync.
• Gather information using Group Policy Management Console (GPMC), clicking the domain node then the Status tab, and clicking Detect Now.

Group Policy Settings

• Computer Configuration settings have precedence over User Configuration settings in conflicts.
• The Policies folder contains three subfolders: Software Settings, Windows Settings, and Administrative Templates.

Software Installation Policies

• Contains Software Installation extensions for remote software packaging.
• Uses Windows Installer (MSI) files, which package files into a single MSI file.
• MSI files contain installation instructions.

Configuring Software Installation for Users

• Software installation extensions perform the same function in the User Configuration node.
• Software packages are assigned to computers or deployed to users via published or assigned software.
• Published software isn't automatically installed; instead, it provides a link to install in Control Panel Programs and Features.
• Assigned software installs automatically when a user logs onto a computer in the domain.

Configuring Group Policy Processing

• Administrators should understand GPO processing, inheritance, and exceptions.
• GPO scope and precedence, GPO inheritance, and GPO filtering are discussed.

GPO Scope and Precedence

• Defines objects affected by GPO settings.
• GPOs are applied in the following order: local policies, site-linked GPOs, domain-linked GPOs, and OU-linked GPOs.
• The last policy applied has precedence.
• GPO in a nested OU overrides one at a higher level if there's a conflict.

Understanding Site-Linked GPOs

• Affect users and computers within the site.
• Can be used for differing policies for mobile users.
• Use domain GPOs instead of site GPOs in simpler environments.
• Use site GPOs with caution due to potential user confusion with drastic policy changes between sites.

Understanding Domain-Linked GPOs

• Applies to all objects in the domain.
• Can define account policies for domain sign-ons.
• Should primarily contain account policies and key security settings at the domain level.

Understanding OU-Linked GPOs

• Fine-tuning of policies, applied after site and domain policies.
• OU-linked GPOs have precedence over site and domain policies.
• Use OUs for users and computers with matching policy requirements.
• Nested OUs can have nested GPOs, providing exceptions to policies set at higher levels.

Group Policy Inheritance

• GPO inheritance is enabled by default.
• GPMC can be used to view inherited policies.
• Several methods affect GPO inheritance, including blocking inheritance and GPO enforcement.

Blocking Inheritance

• Prevents parent container GPOs from affecting child containers.
• Blocking inheritance is done in the GPMC by right-clicking the child domain or OU and selecting Block Inheritance.
• Should be used sparingly as frequent blocking often points to flawed OU design.

GPO Enforcement

• Forces settings inheritance within a GPO's scope, prioritising the highest-level enforced GPO in conflicts.

GPO Filtering

• GPO filtering alters the scope of a GPO, excluding certain objects.
• Two methods exist: security filtering (using permissions to restrict object access) and WMI filtering (using queries based on object attributes).
• Security filtering and WMI filtering are done in the GPMC.
• Security Filtering is done using the Security Filtering dialog box to add or remove security principals from the GPO access list.
• WMI filtering uses queries to select certain computer groups and applies or doesn't apply policies based on the query results.

WMI Filtering

• Uses queries to select computer groups based on attributes.
• Requires a solid understanding of WMI query language.
• Example: Selecting computers running Windows 10 Enterprise.

Description

This quiz assesses your understanding of Group Policy architecture and processing as covered in week 7 of the CST8200 course. Topics include configuring group policy settings, managing administrative templates, and understanding local versus domain GPOs. Prepare to demonstrate your knowledge of these critical components in Windows Domain Administration.