
techiebird.com/wintelgp.html

TechieBird

Windows Group Policy Interview Questions!


What is group policy in active directory ? What are Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting
information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy
template.
The Group Policy container is an Active Directory container that stores GPO properties, including
information on version, GPO status, and a list of components that have settings in the GPO.
The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for
Group Policy Software Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its
domain.
What is the order in which GPOs are applied ?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally.
This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next.
Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for
the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed
last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the
Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is
processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active
Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on.
Finally, the GPOs that are linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be
linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit
of which the computer or user is a direct member are processed last, which overwrites settings in the
earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely
aggregated.)
How to backup/restore Group Policy objects ?
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group
Policy Management console. Now, navigate through the console tree to Group Policy Management |
Forest: | Domains | | Group Policy Objects.
When you do, the details pane should display all of the group policy objects that are associated with the
domain. In Figure A there are only two group policy objects, but in a production environment you may have
many more. The Group Policy Objects container stores all of the group policy objects for the domain.
Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the
shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the
backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them
in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to
provide a description of the backup that you are creating.
You must provide the path to which you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you
should see a dialog box that tells you how many group policy objects were successfully backed up. Click
OK to close the dialog box, and you're all done.
When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is
to right-click on the Group Policy Object, and choose the Restore From Backup command from the
shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy
Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import
Settings option. This option works more like a merge than a restore.
Any settings that presently reside within the Group Policy Object are retained unless there is a
contradictory setting within the file that is being imported.
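The same Back Up All and Restore From Backup operations can be scripted with the GroupPolicy PowerShell module that ships with GPMC. The script below is an added example, not part of the original page; the backup path and the GPO name are placeholders.

```powershell
# Added example: scripted "Back Up All" plus a restore helper.
# Requires the GroupPolicy module (GPMC/RSAT); run as a GPO administrator.
Import-Module GroupPolicy

$BackupRoot = 'D:\GpoBackups'   # placeholder path; limit its ACL to GPO admins,
                                # the backups contain scripts and security settings
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupDir  = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Same operation as right-clicking Group Policy Objects and choosing Back Up All.
$backups = @(Backup-GPO -All -Path $BackupDir -Comment "Full GPO backup $Stamp")

# Confirm every GPO in the domain has a backup instead of trusting the count.
$backedUpIds = $backups | ForEach-Object { $_.GpoId }
$missing = @(Get-GPO -All | Where-Object { $backedUpIds -notcontains $_.Id })
if ($missing.Count -gt 0) {
    $names = ($missing | Select-Object -ExpandProperty DisplayName) -join ', '
    Write-Warning "Not backed up: $names"
}

# Keep an index so a backup can be found later by GPO name or backup ID.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime, Comment |
    Export-Csv -Path (Join-Path $BackupDir 'index.csv') -NoTypeInformation

# Restore From Backup: puts back the most recent backup of the named GPO
# found in $Path. -Confirm prompts before the live GPO is overwritten.
function Restore-GpoFromFolder {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Path
    )
    Restore-GPO -Name $GpoName -Path $Path -Confirm
}

# The Import Settings option corresponds to the Import-GPO cmdlet
# (-BackupGpoName, -TargetName, -Path).

# Usage (GPO name is a placeholder):
# Restore-GpoFromFolder -GpoName 'Example Desktop Policy' -Path $BackupDir
```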
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers
etc.) on the computers in one department. How would you do that?
Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
Right-click the domain and click Properties.
In the new window, click Group Policy.
Select Default Policy and click Edit.
In the Group Policy console, go to User Configuration -> Administrative Templates -> Start Menu and Taskbar.
Select each property you want to modify and do the same.
What is the difference between software publishing and assigning?
Assign Users: The software application is advertised when the user logs on. It is installed when the user
clicks on the software application icon via the start menu, or accesses a file that has been associated with
the software application.
Assign Computers: The software application is advertised and installed when it is safe to do so, such as
when the computer is next restarted.
Publish to users: The software application does not appear on the start menu or desktop. This means the
user may not know that the software is available. The software application is made available via the
Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the
application. Published applications do not reinstall themselves in the event of accidental deletion, and it is
not possible to publish to computers.

What are administrative templates?


Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management of machines and users in an Active Directory environment. Administrative Templates
facilitate the management of registry-based policy. An ADM file is used to describe both the user interface
presented to the Group Policy administrator and the registry keys that should be updated on the target
machines.
An ADM file is a text file with a specific syntax which describes both the interface and the registry values
which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped
with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are
merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative
Templates node (for both machine and user policy).
Can I deploy non-MSI software with GPO?
Create the file with a .zap extension.
Name some GPO settings in the computer and user parts ?
Group Policy Object (GPO): computer = Computer Configuration, user = User Configuration.

A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU,
and everyone else there gets the GPO. What will you look for?
Make sure the user is not affected by a loopback policy, because with loopback policy user settings do not take effect and only computer policy is applicable. Also check whether he is a member of the GPO filter group.
You may also want to check the computers event logs. If you find event ID 1085 then you may want to
download the patch to fix this and reboot the computer.
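The checks named in this answer (GPO filter group, resultant policy including loopback, event ID 1085) can be collected with built-in tools. This is an added example, not part of the original page; the GPO name is a placeholder, and on older GPMC versions the permission cmdlet is named Get-GPPermissions.

```powershell
# Added example: checks for "one user does not get the GPO".
# Steps 1-2 need the GroupPolicy module (GPMC/RSAT) on an admin workstation.
# Steps 3-4 are run on the affected computer, in the affected user's session.
Import-Module GroupPolicy

$GpoName = 'Example Desktop Policy'   # placeholder GPO name

# 1. Is the user or computer half of the GPO disabled?
$gpo = Get-GPO -Name $GpoName
Write-Output "GPO status: $($gpo.GpoStatus)"

# 2. Security filtering: which users and groups hold Apply Group Policy?
#    The user (or the computer) must be covered by one of these trustees.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

# 3. Resultant Set of Policy for the logged-on user and this computer.
#    The report lists applied GPOs, GPOs that were filtered out and why,
#    and whether loopback processing is in effect.
$report = Join-Path $env:TEMP 'gpresult.html'
gpresult /h $report /f
Write-Output "RSoP report written to $report"

# 4. Event ID 1085 in the System log: a Group Policy extension failed
#    to apply its settings on this computer.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1085
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```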
How can I override blocking of inheritance ?
You can set No Override on a specific Group Policy object link so that Group Policy objects linked at a
lower-level of Active Directory closer to the recipient user or computer account cannot override that
policy. If you do this, Group Policy objects linked at the same level, but not as No Override , are also
prevented from overriding. If you have several links set to No Override , at the same level of Active
Directory, then you need to prioritize them. Links higher in the list have priority on all Configured (that is,
Enabled or Disabled ) settings.
If you have linked a specific Group Policy object to a domain, and set the Group Policy object link to No
Override , then the configured Group Policy settings that the Group Policy object contains apply to all
organizational units under that domain. Group Policy objects linked to organizational units cannot override
that domain-linked Group Policy object.
You can also block inheritance of Group Policy from above in Active Directory. This is done by checking
Block Policy inheritance on the Group Policy tab of the Properties sheet of the domain or organizational
unit. This option does not exist for a site.
Some important facts about No Override and Block Policy are listed below:
# No Override is set on a link, not on a site, domain, organizational unit, or Group Policy object.
# Block Policy Inheritance is set on a domain or organizational unit, and therefore applies to all Group
Policy objects linked at that level or higher in Active Directory which can be overridden.
# No Override takes precedence over Block Policy Inheritance if the two are in conflict.
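To see how link order, No Override and Block Policy Inheritance combine for a given container, the GroupPolicy module can report the effective link list. This is an added example, not part of the original page; GPMC and these cmdlets label No Override as "Enforced", and the ActiveDirectory module is assumed to be installed for the OU sweep.

```powershell
# Added example: effective GPO links for a container, and OUs where an
# enforced (No Override) link still applies despite Block Policy Inheritance.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoPrecedence {
    param([Parameter(Mandatory)][string]$Target)   # DN of a domain or OU
    $som = Get-GPInheritance -Target $Target
    # InheritedGpoLinks covers domain- and OU-linked GPOs only;
    # site-linked GPOs and the local GPO are not part of this list.
    foreach ($link in $som.InheritedGpoLinks) {
        [pscustomobject]@{
            Order       = $link.Order        # order value as reported by the cmdlet
            Gpo         = $link.DisplayName
            LinkedAt    = $link.Target
            Enforced    = $link.Enforced     # "No Override" on the link
            LinkEnabled = $link.Enabled
        }
    }
}

function Get-BlockedOuReport {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $som = Get-GPInheritance -Target $ou.DistinguishedName
        if (-not $som.GpoInheritanceBlocked) { continue }
        # Enforced links from a higher level take precedence over the block.
        $fromAbove = @($som.InheritedGpoLinks | Where-Object {
            $_.Enforced -and $_.Target -ne $ou.DistinguishedName
        })
        [pscustomobject]@{
            OU                = $ou.DistinguishedName
            EnforcedFromAbove = ($fromAbove | ForEach-Object { $_.DisplayName }) -join '; '
        }
    }
}

# Usage (the DN is a placeholder):
# Get-GpoPrecedence -Target 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
# Get-BlockedOuReport | Format-Table -AutoSize
```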
What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents
GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the
child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block
inheritance. For example, if you want to apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level (from which all organizational units
inherit policies by default), and then block inheritance only on the organizational unit to which the policies
should not be applied.
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing
innovation in Group Policy management. The tool provides control over Group Policy in the following
manner:
# Easy administration of all GPOs across the entire Active Directory Forest
# View of all GPOs in one single list
# Reporting of GPO settings, security, filters, delegation, etc.
# Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
# Delegation model
# Backup and restore of GPOs
# Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is
needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you
want to protect the GPOs from the following:
# Role based delegation of GPO management
# Being edited in production, potentially causing damage to desktops and servers
# Forgetting to back up a GPO after it has been modified
# Change management of each modification to every GPO