CST8200 - Week 7 Group Policy Quiz

Questions and Answers

What is the purpose of nested OUs in a domain?

To apply exceptions to policies set at a higher level (correct)

To automatically block GPO inheritance

To remove all GPOs from the parent OU

To create individual GPOs for each user

What does blocking inheritance do in Group Policy management?

It releases all settings applied to child containers

It allows all GPOs to affect child containers

It prevents GPOs linked to parent containers from affecting child containers (correct)

It enforces the strongest GPO setting on child objects

What is the highest level of precedence for GPOs when conflicts arise?

The GPO set to block inheritance

The GPO with the most recent modification time

The enforced GPO at the highest level in its scope (correct)

The GPO linked to a child container

Which method is NOT a way to alter the normal scope of GPOs?

Reverting to default policies (D)

What indicator shows that blocking inheritance is enabled in GPMC?

A blue exclamation point next to the OU (C)

What type of filtering uses permissions to restrict object access to a GPO?

Security filtering (B)

In the event of multiple enforced GPOs, which GPO takes precedence?

The GPO linked at the highest level of scope (D)

What is a potential downside of frequent blocking of inheritance?

It may indicate a flawed organizational unit design (B)

Which replication method is used when all Domain Controllers are running Windows Server 2008?

Distributed File System Replication (DFSR) (B)

In Group Policy, which configuration takes precedence when both Computer Configuration and User Configuration have conflicting settings?

Computer Configuration (B)

What does the 'Published' deployment option do when configuring software installation?

Provides a link in Programs and Features for users to install manually (B)

Which folder under the Policies folder does NOT typically contain any Group Policy settings?

Network Settings (C)

What is the first step to detect synchronization issues between GPC and GPT?

Open Group Policy Management Console, select the domain node, and click Detect Now (C)

What happens when blocking inheritance is applied to an Organizational Unit (OU)?

GPOs from both parent and child OUs will be ignored. (A)

Which of the following describes the role of the Group Policy Object (GPO) scope?

The set of users and computers to which the GPO is applied (C)

Which of the following is NOT a file format associated with software installation through Group Policy?

.zip (D)

What is the main function of Domain-Linked GPOs?

They contain settings that should apply universally across all objects in a domain. (C)

How does the precedence of OU-Linked GPOs compare to other GPOs?

They take precedence over both domain and site policies. (D)

Which scenario exemplifies GPO inheritance in a nested OU structure?

The deepest nested OU policies take precedence over all other GPOs. (A)

Which of the following statements about GPO blocking inheritance is correct?

It allows child OUs to selectively ignore policies applied to parent OUs. (C)

What could be a potential downside of using Site-Linked GPOs?

They may confuse users if policies differ significantly between sites. (C)

Which best practice is recommended for setting account policies at the domain level?

Including account policies that affect domain logons. (B)

What is the primary purpose of OU-Linked GPOs?

To fine-tune policies for groups of users and computers with similar requirements. (B)

What happens if a setting is configured on one GPO but not on another for the same object?

The configured setting will be applied, while the other setting is ignored. (C)

Flashcards

GPO Inheritance

A feature that allows Group Policy settings from parent containers to be applied to child containers.

Blocking Inheritance

Prevents Group Policy settings from parent containers from affecting child containers.

GPO Enforcement

Forces the inheritance of a GPO's settings on all objects within its scope, even if a conflicting GPO exists lower in the hierarchy.

GPO Filtering

A method that limits the impact of a GPO by excluding specific objects from its effect.

Security Filtering

A GPO filtering type that uses permissions to restrict access to a GPO by specific objects.

Nested OUs

Organizing objects in a hierarchical structure, using parent-child relationships.

OU Design

The hierarchical organization of system objects.

GPO Precedence

The order in which GPOs are applied, with enforced GPOs having the highest priority.

What does GPO scope mean?

GPO scope defines which objects are affected by the settings within a GPO. It determines which computers, users, or groups will be subject to the policies set by the GPO.

List the order of GPO application

GPOs are applied in this order: 1. Local policies 2. Site-linked GPOs 3. Domain-linked GPOs 4. OU-linked GPOs. The last policy applied takes precedence.

OU-linked GPOs precedence

If an OU is nested within another, the GPO linked to the deepest nested OU takes precedence over all other GPOs.

Site-linked GPOs purpose

Site-linked GPOs affect users and computers physically located at a specific site. They are helpful for mobile users who might have different policy needs based on their location.

Domain-linked GPOs best use

Domain-linked GPOs should contain settings that apply to all objects within the domain. Best practices suggest setting account policies and critical security policies at this level.

OU-linked GPOs role

OU-linked GPOs are used for fine-tuning policies and are applied last. They take precedence over site and domain policies.

Why are users with similar policies grouped in the same OU?

Users and computers with similar policy requirements should be located in the same OU to ensure consistent policy application and simplify administration.

What happens when a setting is configured in one GPO but not another?

If two GPOs are applied to an object, and a certain setting is configured in one GPO but not the other, the configured setting is applied.

Group Policy Replication Methods

Group Policy Objects (GPOs) are replicated through Active Directory using either File Replication Service (FRS) for mixed Windows Server environments or Distributed File System Replication (DFSR) for all Windows Server 2008 or newer DCs. DFSR is preferred due to its efficiency and reliability.

Group Policy Settings Priority

Settings within the Computer Configuration portion of a GPO take precedence over those in User Configuration if a conflict arises. This means computer-level settings will override user-level settings.

Software Installation Policy

This policy allows administrators to install applications remotely using the Software Installation extension. Applications are deployed with Windows Installer, which utilizes MSI files containing installation instructions for applications.

Software Package Deployment Methods

Software packages can be assigned to users through two methods: Published and Assigned. Published creates a shortcut in Control Panel, allowing users to install it when needed. Assigned automatically installs the software during user login.

Published Software

A software deployment method that only provides a shortcut to install the application. The user has to manually initiate the installation process.

Assigned Software

A software deployment method that automatically installs the application when the user logs in to a computer within the domain.

GPO Processing: Scope and Precedence

Understanding how GPOs are processed involves comprehending their scope, which defines whom and what they affect, and precedence, which dictates the order of application.

GPO Processing: Inheritance

GPO inheritance determines how settings from parent containers are applied to child containers within the Active Directory hierarchy. Settings can be blocked or enforced according to the administrator's choices.

Study Notes

CST8200 - Windows Domain Administration

• Course offered by Professor Denis Latremouille
• Covers week 7 topics on Group Policy.

Agenda

• Description of group policy architecture and processing.
• Configure group policy settings.
• Configure group policy security settings.
• Configure and manage administrative templates.
• Work with security templates.
• Configure Group Policy Preferences.
• Configure group policy processing.
• Configure group policy client processing.
• Configure Group Policy Results and Group Policy Modeling tools.
• Manage GPOs.

Local GPOs

• Stored on individual computers.
• Modified using the Group Policy Object Editor snap-in.
• Settings inherited from domain GPOs cannot be changed locally.
• Only non-configured settings in domain GPOs are editable locally.
• Using gpedit.msc opens Local Computer Policy, containing Computer Configuration and User Configuration nodes.

Domain GPOs

• Stored in Active Directory on domain controllers.
• Composed of two parts: a Group Policy Template (GPT) and a Group Policy Container (GPC).
• GPT and GPC share naming and folder structures.
• Understanding GPO structure aids in issue resolution.

Group Policy Templates (GPT)

• Contains policy settings and related files (e.g., scripts).
• Resides in the Sysvol share on the domain controller.
• Upon GPO creation, various files and subfolders are generated (number varies).
• Each GPT folder usually contains at least three items: GPT.ini, Machine, and User.

Group Policy Containers (GPC)

• Stored in the System\Policies folder of Active Directory.
• Stores GPO properties and status, but not policy settings.
• Uses GPO GUID as its folder name.
• Contains information like GPO name, file path to GPT, version, and status.

Group Policy Replication

• GPOs replicated using Active Directory.
• GPTs in the SYSVOL share are replicated via File Replication Service (FRS) in mixed environments.
• Distributed File System Replication (DFSR) used when all DCs run Windows Server 2008 or later.
• DFSR is more efficient and reliable compared to FRS.
• GPOs and GPTs can sometimes fall out of sync.
• Gather information using Group Policy Management Console (GPMC), clicking the domain node then the Status tab, and clicking Detect Now.

Group Policy Settings

• Computer Configuration settings have precedence over User Configuration settings in conflicts.
• The Policies folder contains three subfolders: Software Settings, Windows Settings, and Administrative Templates.

Software Installation Policies

• Contains Software Installation extensions for remote software packaging.
• Uses Windows Installer (MSI) files, which package files into a single MSI file.
• MSI files contain installation instructions.

Configuring Software Installation for Users

• Software installation extensions perform the same function in the User Configuration node.
• Software packages are assigned to computers or deployed to users via published or assigned software.
• Published software isn't automatically installed; instead, it provides a link to install in Control Panel Programs and Features.
• Assigned software installs automatically when a user logs onto a computer in the domain.

Configuring Group Policy Processing

• Administrators should understand GPO processing, inheritance, and exceptions.
• GPO scope and precedence, GPO inheritance, and GPO filtering are discussed.

GPO Scope and Precedence

• Defines objects affected by GPO settings.
• GPOs are applied in the following order: local policies, site-linked GPOs, domain-linked GPOs, and OU-linked GPOs.
• The last policy applied has precedence.
• GPO in a nested OU overrides one at a higher level if there's a conflict.

Understanding Site-Linked GPOs

• Affect users and computers within the site.
• Can be used for differing policies for mobile users.
• Use domain GPOs instead of site GPOs in simpler environments.
• Use site GPOs with caution due to potential user confusion with drastic policy changes between sites.

Understanding Domain-Linked GPOs

• Applies to all objects in the domain.
• Can define account policies for domain sign-ons.
• Should primarily contain account policies and key security settings at the domain level.

Understanding OU-Linked GPOs

• Fine-tuning of policies, applied after site and domain policies.
• OU-linked GPOs have precedence over site and domain policies.
• Use OUs for users and computers with matching policy requirements.
• Nested OUs can have nested GPOs, providing exceptions to policies set at higher levels.

Group Policy Inheritance

• GPO inheritance is enabled by default.
• GPMC can be used to view inherited policies.
• Several methods affect GPO inheritance, including blocking inheritance and GPO enforcement.

Blocking Inheritance

• Prevents parent container GPOs from affecting child containers.
• Blocking inheritance is done in the GPMC by right-clicking the child domain or OU and selecting Block Inheritance.
• Should be used sparingly as frequent blocking often points to flawed OU design.

GPO Enforcement

• Forces settings inheritance within a GPO's scope, prioritising the highest-level enforced GPO in conflicts.

GPO Filtering

• GPO filtering alters the scope of a GPO, excluding certain objects.
• Two methods exist: security filtering (using permissions to restrict object access) and WMI filtering (using queries based on object attributes).
• Security filtering and WMI filtering are done in the GPMC.
• Security Filtering is done using the Security Filtering dialog box to add or remove security principals from the GPO access list.
• WMI filtering uses queries to select certain computer groups and applies or doesn't apply policies based on the query results.

WMI Filtering

• Uses queries to select computer groups based on attributes.
• Requires a solid understanding of WMI query language.
• Example: Selecting computers running Windows 10 Enterprise.

Description

This quiz assesses your understanding of Group Policy architecture and processing as covered in week 7 of the CST8200 course. Topics include configuring group policy settings, managing administrative templates, and understanding local versus domain GPOs. Prepare to demonstrate your knowledge of these critical components in Windows Domain Administration.