Windows 7 Exam Questions 5331 Client Operating System

1. Discuss the key features of the Windows 7 Operating system. 1. Aero Themes and Aero Background: Use new themes or choose a slideshow of your favourite photos to make your PC reflect your personal taste.

2. BitLocker and BitLocker To Go: Help protect sensitive data with new, easier ways to protect and recover drives and extend that protection to USB removable storage devices, such as flash memory drives and portable hard disk drives. 3. Windows XP Mode: Run many older Windows XP productivity applications right on your Windows 7 desktop. 4. AppLocker: Control which applications are allowed to run on user PCs. 5. BranchCache: Improve application responsiveness and end user productivity at branch offices while reducing the load on your Wide Area Network (WAN). 6. DirectAccess: Enable workers to more securely connect to corporate networks over any Internet connection without requiring the extra step of initiating a VPN connection. 7. VHD Boot: Ease the transition between virtual and physical environments by reusing the same master image within a VDI infrastructure and on physical PCs. 8. Windows PowerShell 2.0: Automate repetitive tasks with this graphical scripting editor that helps you write scripts that access underlying technologies. 9. Location aware printing: Set different default printers for your home and work networks. 10. HomeGroup: Easily share files and printers between PCs running Windows that are connected to your home network. 11. VPN Reconnect: Get consistent VPN connectivity by automatically re-establishing a VPN connection whenever the Internet connection is temporarily lost. 12. Windows Search and Libraries: Search your own PC and the PCs and devices connected to your network to find items regardless of where they are stored.

13. Windows Troubleshooting: Windows troubleshooting helps you resolve common issues quickly without having to call for help. 14. Problem Steps Recorder: Help your workers troubleshoot application failures by giving them the ability to reproduce and record their experiences and then send that information to support staff. Know more about Problems Steps Recorder by going through our how to use Problem Steps Recorder in Windows 7 guide.

1. Describe the differences between in-place upgrade and migration from a previous version of windows OS to windows 7.

Points Existing Hardware

In-place Upgrade Does not require replacing existing computer hardware Does not require reinstallation of applications Does not require storage space to store user state Is Recommended solution in home or small office scenarios

Migration Typically, requires replacing existing computer hardware Requires reinstallation of applications Typically, requires more storage space to store user state. Recommended solution to achieve standardized environment in a large enterprise scenario.

Application software

Storage space Home/Enterprise

2. Describe the MBR and GPT disks and differences between them MBR GUID Partition Table (GPT) MBR contains partition table for Contains an array of partition entries the disk and a small amount of describing the start and end LBA of each executable code called the master partition on disk boot code Boot and Is created when the disk is Bothe 32 bit and 64 bit support data storage partitioned. Can Boot and store GPT for data disks , but can not boot. Only data from this partition. 64bit windows support GPT for boot disks. No. of Contains 4 primary partition table Contains many (128) partitions partitions Size of Maximum partition size is 2TB. Support larger partitions (256TB) partitions Supporting All Windows O.S. support MBR Older version of windows does not support OS GPT. Only Windows vista and Win 7 support GPT.

Redundancy

No redundancy provided

Redundancy

MBR is the standard partitioning scheme that's been used on hard disks since the PC first came out. It supports 4 primary partitions per hard drive, and a maximum partition size of 2TB. GUID Partition Table: GPT disk max partition size is 256 TB for a single partition (NTFS limit), and 128 partitions. One of the main advantages of GPT is the possible capacity of the hard drive. MBR drives can only handle 2 TB, or terabytes, of data or less. GPT can go beyond this capacity. Furthermore, MBR partitions only allow users to define four primary partitions. The user can use an extended partition to subdivide the hard drive, but often computers will not allow users to install operating systems on extended partitions. GPT, on the other hand, allows users to create a theoretically unlimited amount of partitions, although some operating systems might limit them. Most operating systems still use MBR as of the time of publication. Newer systems, however, are moving to GPT. Windows Vista and Windows 7 both support GPT. Older operating systems, such as Windows XP, do not support GPT and often cannot read GPT drives.

3. Describe Bitlocker pre requisites and difference between EFS and Bitlocker. BitLocker pre -requisites: Bitlocker encryption requires either: A computer with Trusted Platform Module (TPM) v1.2 or later A removable USB memory device Hardware requirements: Must enough hard drive space to create two partitions. First partition of at least 100mb for System partition and second partition is boot partition. Bios that is compatible with TPM and support Boot from USB device. There are several differences between BitLocker Drive Encryption and Encrypting File System (EFS). BitLocker is designed to help protect all of the personal and system files on the drive Windows is installed on (the operating system drive) if your computer is stolen, or if unauthorized users try to access the computer. You can also use BitLocker to encrypt all files on fixed data drives (such as internal hard drives) and use BitLocker To Go to encrypt files on removable data drives (such as external hard drives or USB flash drives). EFS is used to help protect individual files on any drive on a per-user basis. The table below shows the main differences between BitLocker and EFS. BitLocker Encrypting File System (EFS) BitLocker encrypts all personal and system files EFS encrypts personal files and folders one-byon the operating system drive, fixed data drives, one and doesn't encrypt the entire contents of a and removable data drives. drive.

EFS encrypts files based on the user account BitLocker does not depend on the individual associated with it. If a computer has multiple user accounts associated with files. BitLocker is users or groups, each of them can encrypt their either on or off, for all users or groups. own files independently. BitLocker uses the Trusted Platform Module (TPM), a special microchip in many computers EFS does not require or use any special that supports advanced security features to hardware. encrypt the operating system drive. You must be an administrator to turn BitLocker You do not have to be an administrator to use encryption on or off on the drive that Windows EFS. is installed on and on fixed data drives. You can use BitLocker Drive Encryption and EFS together to get the protection offered by both features. When using EFS, encryption keys are stored with the computer's operating system. Although the keys used with EFS are encrypted, their security still could be compromised if a hacker is able to access the operating system drive. Using BitLocker to encrypt the operating system drive can help protect these keys by preventing the operating system drive from booting or being accessed if it is installed in another computer.

4. Define the followings: a. Windows Firewall, Protected Mode and Phishing filter Windows Firewall: Windows firewall provides a stateful inspection of packets which accepts only responses to requests originated by the user. This prevents outside requests for data from entering the computer, unless specifically allowed by the user.

Protected mode: Internet Explorer's protected mode is a feature that makes it more difficult for malicious software to be installed on your computer. Protected mode do not allow malicious software to write data on HDD. In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you are logged in as an administrator

Phising: Online phishing (pronounced like the word fishing) is a way to trick computer users into revealing personal or financial information through an e-mail message or website. A

common online phishing scam starts with an e-mail message that looks like an official notice from a trusted source, such as a bank, credit card company, or reputable online merchant. In the e-mail message, recipients are directed to a fraudulent website where they are asked to provide personal information, such as an account number or password. This information is then usually used for identity theft. What is Phishing Filter and how can it help protect me? The Microsoft Phishing Filter is a feature in Internet Explorer that helps detect phishing websites. Phishing Filter runs in the background while you browse the web and uses three methods to help protect you from phishing scams. First, it compares the addresses of websites you visit against a list of sites reported to Microsoft as legitimate. This list is stored on your computer. Second, it helps analyze the sites you visit to see if they have the characteristics common to a phishing website. Third, with your consent, Phishing Filter sends some website addresses to Microsoft to be further checked against a frequently updated list of reported phishing websites.

b. Network profiles During the installation of Windows 7, or the first time that you connect to a network, you must choose a network location. Based on the network location you choose, Windows automatically assigns a network discovery state to the network and sets the appropriate Windows Firewall and security settings for that type of network location. 1. Choose Home network for home networks or when you know and trust the people and devices on the network. Computers on a home network can belong to a homegroup. Network discovery is turned on for home networks, which allows you to see other computers and devices on the network and allows other network users to see your computer. 2. Choose Work network (private) for small office or other workplace networks. Network discovery, which allows you to see other computers and devices on a network and allows other network users to see your computer, is on by default, but you can't create or join a homegroup.

All computers are peers; no computer has control over another computer. Each computer has a set of user accounts. To log on to any computer in the workgroup, you must have an account on that computer.

3. Choose Public network for networks in public places (such as coffee shops or airports). This location is designed to keep your computer from being visible to other computers around you and to help protect your computer from any malicious software from the Internet. HomeGroup is not available on public networks, and network discovery is turned off.

4. The Domain network location is used for domain networks such as those at enterprise workplaces. This type of network location is controlled by your network administrator and can't be selected or changed.

c. LLTD mapper and Responder, 802.1x Authentication Link Layer Topology Discovery (LLTD) is a proprietary Link Layer protocol for network topology discovery and quality of service diagnostics Windows creates the Network Map in part by using the Link Layer Topology Discovery (LLTD) protocol. As the name suggests, LLTD functions at Layer 2 (the layer devices use to communicate on a LAN) and enables network devices to identify each other, learn about the network (including bandwidth capabilities), and establish communications (even if devices are not yet configured with IP addresses).

LLTD Mapper : The LLTD Mapper I/O component is the master module which controls the discovery process and generates the Network Map. Appropriate permissions for this may be configured with Group Policy settings. It can be allowed or disallowed for domains, and private and public networks. The Mapper sends discovery command packets onto the local network segment via a raw network interface socket.. LLTD Responder : The second component of LLTD are the LLTD Responders which answer Mapper requests about their host and possibly other discovered network information.

IEEE 802.1X standard, which is simply a standard for passing EAP over a wired or wireless LAN. It's authentication and nothing more. The 802.1X standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. 802.1X uses three terms that you need to know. The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. One of the key points of 802.1X is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1X ideal for wireless access points, which are typically small and have little memory and processing power.

d. Network Map

A network map is a graphical representation of all the computers and devices on your network that shows how each is connected. To appear on the network map, the device or computer needs to support UPnP technology or Web Services for Devices for Windows. Also, to use the network map you may need to enable network discovery from within the Network and Sharing Center.
e. Protected mode

Internet Explorer's protected mode is a feature that makes it more difficult for malicious software to be installed on your computer. Protected mode do not allow malicious software to write data on HDD. In addition to helping protect your computer from malicious software, protected mode allows you to install wanted ActiveX controls or add-ons when you are logged in as an administrator
f. Windows Easy Transfer

Windows Easy Transfer is a program included in Microsoft Windows 7 that helps users to move files and settings stored on their computers running Windows XP or more recent to a new computer running Windows Vista or Windows 7.
g. Authentication

The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization , which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
h. Authorization

Authorization (also spelt Authorisation) is the function of specifying access rights to resources, based on their identity.
i. WPA2 Enterprise

WPA2 WPA2(Wi-Fi Protected Access 2), the follow on security method to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their

wireless networks. It compliant AES encryption algorithm and 802.1x-based authentication. There are two versions of WPA2: WPA2-Personal, and WPA2-Enterprise. WPA2-Personal protects unauthorized network access by utilizing a set-up password. WPA2Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.

j.

Direct Access

DirectAccess enables remote users to access the corporate network anytime they have an Internet connection, without the extra step of initiating a virtual private networking (VPN) connection. DirectAccess is a new feature of Microsoft Windows 7 and Windows Server 2008 R2. DirectAccess eliminates the need for users to set up a separate VPN connection as all of the required support is integrated into the operating system. It is designed for remote client access to corporate servers and networks over the Internet. Those with computers running operating systems other than Windows 7 cannot use DirectAccess, of course.
k. Bitlocker to GO

BitLocker. Improved for Windows 7 and available in the Ultimate and Enterprise editions, BitLocker helps keep everything from documents to passwords safer by encrypting the entire drive that Windows and your data reside on. Once BitLocker is turned on, any file you save on that drive is encrypted automatically. BitLocker To Goa new feature of Windows 7gives the lockdown treatment to easilymisplaced portable storage devices like USB flash drives and external hard drives.

l.

App Locker

AppLocker provides administrators with the ability to specify which users can run specific applications. Allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.

m. Windows Defender

Windows Defender is your first line of defense against spyware and other unwanted software. And in Windows 7, it's easier to use, with simpler notifications, more scanning options, and less impact on your computer's performance. A new feature called "Clean System" provides one-click purging of all suspicious software, and Windows Defender is now part of Action Center, the streamlined place for keeping your PC running smoothly.

5. Describe the purpose of UAC and difference between user token and Admin Token

Enter: User Account Control

User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default. when administrators log in they are assigned two separate access tokens:

One standard (User)token containing all group memeberships except for "Administrators". One elevated (Administrator) token containing all group memeberships, including "Administrators".

During normal usage, the standard access token is used. When a program is launched using this token, it has the same rights as a standard user. The moment the program tries to do something requiring a privilege not given to standard users, Windows shows the UAC dialog asking if you want to grant administrative privileges. Once you confirm, Windows replaces the program's access token with the elevated one, then allows it to continue. The purpose of UAC is to inform the user when a program is taking advantage of their administrative privileges. Text editors and mail readers shouldn't need to run as administrator, so seeing the UAC dialog appear for these programs should be cause for alarm, or at least some scrutiny.

6. Discuss Branch Cache and describe the difference between Hosted Cache Mode and Distributed
Cache Mode.

BranchCache is designed to reduce WAN link utilization and improve application responsiveness for branch office workers who access content from servers in remote locations. Branch office client computers use a locally maintained cache of data to reduce traffic over a WAN link. The cache can be distributed across client computers (Distributed Cache mode) or can be housed on a server in the branch (Hosted Cache mode). Distributed Cache mode If client computers are configured to use Distributed Cache mode, the cached content is distributed among client computers on the branch office network. No infrastructure or services are required in the branch office beyond client computers running Windows 7. Hosted Cache mode In hosted cache mode, cached content is maintained on a computer running Windows Server 2008 R2 on the branch office network.

7. Describe performance and reliability problems and why they occur?

Monitoring your Hardware and Applications

Performance: Measures how quickly computer completes a task. Reliability: Measure of how system conforms to expected behavior. An important part of operations is monitoring the performance and reliability of your site. Through monitoring you gain insight into potential performance bottlenecks and establish baseline performance values. These baseline values can be used to assess the effectiveness of performance tuning and hardware upgrades. Monitoring reliability helps you find problems before they cause loss of service. IIS can be set to restart automatically if an application causes the service to crash. By monitoring these restarts you can fix problems with errant applications in the early stage.

8. Describe the differences between Spanned and Striped Volumes Spanned volume - created from free disk space from 2 to 32 combined disks. Data is written to the first disk until it is full, then it will write to the second disk and so on. If one of the hard disks in the spanned volume fails, the entire volume set is lost and needs to be rebuild and restored from backup. A spanned volume is not fault-tolerant. Striped volume (RAID 0) Allocated space from each disk must be identical. Created from 2 to 32 combined disks. When data is written to a striped volume set with 2 disks, the first block is written to the first disk, the second block to the second disk, and the third data block is written to the first disk, and so on, spreading the data evenly over all disks. A striped volume provides he best performance for Windows systems. A striped volume is not fault-tolerant and cannot be extended once it is created. If one of the hard disks in the striped volume fails, the entire volume set is lost and needs to be rebuild and restored from backup.

9. Describe NTFS Permissions

NTFS Permissions You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security is effective whether a user accesses the file or folder at the local computer or over the network. The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders. NTFS permissions are available only on NTFS volumes and are used to specify which users and groups can access files and folders and what these users can do with the contents of those files or folders. NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control. The NTFS file permissions are Read, Write, Read & Execute, Modify, and Full Control. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders. Most restrictive permission is applies to user or Group when shared permissions are combined with NTFS security permission. Eg. If Jack has only Read Security permission on folder Data

but Full access shared permission on Data folder, than effective permission to access Data folder for Jack is Read only i.e. most restrictive. Deny overrides all permissions. NTFS security permissions inherits and can apply to folders and files.

10. Describe wireless network and WLAN technologies. Wireless is a term used to describe telecommunications in which electromagnetic waves (rather than some form of wire) carry the signal over part or all of the communication path. Or Wireless network is the Interconnected devices connected by radio waves instead of wires or cables. There are two operating modes of wireless networks: Ad Hoc mode : Connects 2 wireless devices directly without access point or wireless router. Infrastructure mode: In this mode wireless network adapters connect only to wireless acces point or wireless router, which is connected directly to wired network.

Wireless Technologies standards 802.11n eventhough is designed for 600mbps, it can give upto 300mbps practically.

Standards in wireless Standard Range Speed Comments 802.11a 5Ghz 54Mbits Small range. Easily absorbed 802.11b 2.4Ghz 11Mbits Interference with Bluetooth, cordless 802.11g 2.4Ghz 54Mbits Interference with Bluetooth, cordless 802.11n 5 or 2.4 600Mbits Uses Multiple Interface Multiple Output (MIMO) Mimo Multiple input multiple output (Mimo) is used by the n standard to achieve higher speeds. It can use up to four signals at once to transmit a signal. Some device may only achieve 300Mbit with the n standard because low through put or not using 4 signals.

WPA-Personal Security password is set on personal device. WPA-Enterprise This need authentication from Radius Server in the Active Directory, used in Enterprise. 802.1X is used with devices such as smartcards. Can be used with wires or wireless networking. Needs backend server such as radius server. Ad-Hoc network If there is no network, you can create ad-hoc network to connect computers to each other. Does not require central device i.e. access point. Can join form one PC to another in same area. Used to share files between 2 computers. Infrastructure Networks:- Need access point to connect computers using wireless network. Easy to setup.

11. Discuss in detail all the wireless network security options.

Wireless Security standards In order to prevent your wireless signal from ears dropping you should secure the signal using a wireless security standard. This will encrypt the signal so that an attacker cannot make sense of it. None Does not encrypt traffic so anyone can listen in. Some free access point may use this standard. WEP Wired Equivalent Privacy (WEP) was originally designed to be as secure as a wired network. The protocol has been found to be very insecure and easily hacked. WPA and WPA2 Wi-FI Protected Access (WPA) is a more secure protocol and should be used instead of WEP where possible. The protocol comes in two versions, WPA and WPA2. WPA2 is the stronger of the two protocols and should be used where possible. Both versions come in personal and enterprise. Personal uses a password on the Wireless Access Point which must be known by the client in order to access the wireless network. Enterprise means that access is determined by a RADIUS authentication system. 802.1x This is an authentication standard that works on wireless and wired networks. When a connection is requested the authentication request is sent to a back end server to authenticate. This could be RADIUS, Active Directory etc.

12. Write five features which are available in Ultimate but are not in Home Basic. 1. 2. 3. 4. 5. 6. 7. 8. Media center Can join Domain Windows XP mode AppLocker BitLocker Direct Access Virtual mode Branch cache

13. Discuss the Shared permission Owner, co-owner and Contributor. Controlling Access to Network Shares
When a user accesses a file or folder over the network and standard file sharing is enabled, two levels of permissions are used, and together they determine the actions a user can perform with regard to a particular shared file or folder. The first level of permissions comprises those set on the share itself. They define the maximum level of access. A user or a group can never have more permissions than those granted by the share. The second level of permissions are those permissions set on the files and folders. These permissions serve to further restrict the permitted actions. Three share permissions are available.

Owner/Co-owner (Full control shared permission) Users allowed this permission have Read and Change permissions, as well as the additional capabilities to change file and folder permissions and take ownership of files and folders. If you have Owner/Co-owner permissions on a shared resource, you have full access to the shared resource. Contributor (Read and Change shared permission) Users allowed this permission have Read permissions and the additional capability to create files and subfolders, modify files, change attributes on files and subfolders, and delete files and subfolders. If you have Contributor permissions on a shared resource, the most you can do is perform read operations and change operations. Reader (Read shared permission) Users with this permission can view file and subfolder names, access the subfolders of the share, read file data and attributes, and run program files. If you have Reader permissions on a shared resource, the most you can do is perform read operations.

Permissions assigned to groups work like this: If a user is a member of a group that is granted share permissions, the user also has those permissions. If a user is a member of multiple groups, the permissions are cumulative. For example, if one group of which the user is a member has Reader access and another has Contributor access, the user will have Contributor access. If one group of which the user is a member has Reader access and another has Owner/Co-owner access, the user will have Owner/Co-owner access. You can override this behavior by specifically denying an access permission. Denying permission takes precedence and overrides permissions that have been granted. If you don't want a user or a group to have a permission, configure the share permissions so the user or the group is denied that permission. For example, if a user is a member of a group that has been granted Owner/Co-owner permissions for a share, but the user should only have Contributor permissions, configure the share to deny Owner/Co-owner permissions to that user.

14. Discuss the differences between IPV4 and IPV6 and write the benefits of using IPV6 for TCP/IP based networking connectivity. 15. Discuss WAP. Discuss different methods used to mitigate the risks to the wireless network.

16. Discuss the common Application Compatibility Problems.

Incompatible Applications
It seems like every environment has some old 16-bit Windows application or MS-DOS application left over from the early 1990s. While Windows XP could be tweaked to run many of these applications, Windows 7 (like Windows Vista) tries to live more in the 21st century and may have problems natively running those applications. The keyword is natively, because Windows 7 can run a complete copy of Windows XP running in a virtual machine. Called

Windows XP Mode, it allows those old applications to continue running on Windows XP, while your users enjoy the broader benefits of Windows 7. You can also use the Application Compatibility Toolkit 3.5 to evaluate and mitigate applicationcompatibility issues. Anything already running on Windows Vista should have no problems.

17. Describe the differences between WPA, WPA2 and WPA-Enterprise or WPA2-Enterprise mode

and WPA-Personal or WPA2-Personal mode.

18. Describe Hibernate and Sleep mode

Hibernate takes a snapshot of everything you got on RAM (including any windows and apps running) and saves it to a special hard disk file and then shuts the computer down, when you resume from hibernation the computer boots a bit faster than a normal power up bootup. This method does not consume any power while the computer is off. Uses: When you are not going to use the computer for a few hours or more.

Sleep, basically shuts your computer down except some components like RAM, so the next time you resume, it will boot almost in an instant. However, this method consumes battery power. Uses: When you are just leaving the computer for a few minutes or hours, like at lunchtime or something like that.
19. Describe the Group policy and how these are applied?

Group policy: - Used to control user and computer enviornmnet. Group policy allows IT administrators to effectively manage large number of computers and user account through a centralised model. Group polcy changes are configured on the server and than propagate to client computer in the domain. Group policy is used to
Apply standard configuration Deploy software Enforce security settings Enforce a consistent desktop environment Group policy :Local policy, Site policy, Domain policy, Organizational Unit.

If Local and site policy are applied then policies are added together. If it conflicts, site policy replaces Local policy. If there is no conflict both policies will be added together.

Group Policy Management Console

To manage domain Group Policy across an enterprise, you must first install the Group Policy Management Console (GPMC). The GPMC consists of a MMC snap-in and a set of scriptable interfaces for managing Group Policy.

Local Group Policy Editor

For standalone computer and in a non networked environment or in a networked environment that does not have domain controller the Local Group policy settings are applied. Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that you can use to edit local Group Policy objects (GPOs). You can find this MMC snap-in in the following location: %windir%\System32\gpedit.msc To open the Local Group Policy Editor, click Start, click Run, and then type gpedit.msc. Local policy User policy Applied when user loging Computer policy Applies when computer switched on Computer policy is more stronger than user policy. Computer policy is applied and is most restrictive.