Creating Group Policy Objects

Describe Security Filtering
This is the process of applying to a GPO to a container, BUT only making it apply to SELECTED security principals.

The “Apply Group Policy” permission to one or more users or security groups is selectively applied

Windows 2008R2 and Vista can support multiple GPO’s?

True or False

True

Listen Up…

Windows Server 2008 R2 and Windows Vista can
support multiple local GPOs. This enables you to specify a different local GPO for adminis-
trators or to create specific GPO settings for one or more local users configured on a worksta-
tion. This capability is particularly valuable for computers in public locations such as libraries
and kiosks, which are not part of an Active Directory infrastructure.
Older Windows releases (prior to Windows Vista) can support only one local GPO, and the
settings in that local GPO can apply only to the computer, not to individual users or groups.

Name the path location where are local GPO’s are stored?
%systemroot%/System32/GroupPolicy
When a local and domain based GPO conflict, which one wins?
Domain
What is the difference between GPT and GPC
GPC describes the LOGICAL attributes/settings of the GPO

GPT are the actual PHYSICAL settings that will be processed by the client

Listen up….

The Group Policy Template is where the meat of the GPO resides. By way of comparison, think of how Active Directory represents a computer object. It lists all the relevant attributes of the computer, but the object in Active Directory is not the computer itself. In a similar way, the portion of the GPO in Active Directory merely represents the attributes relevant to the GPO content. The content itself is known as the Group Policy Template, or GPT, and it resides in a share known as SYSVOL

What is a starter GPO
This is a ‘template’ for the creation of GPO’s

When a GPO is created using a starter template, all the settings in the template are automatically copied over to it

What are the names of the two default GPOs created when AD DS is installed?
Default Domain Policy
Default Domain Controller Policy.
Where are GPT stored
Domain Controllers
What is the path to the GPT
%systemroot%SYSVOLsysvolPolicies
How does AD INTERNALLY name GPO
Using a GUID

When a GPO is created a GUID is generated. This GUID is used for the name of the GPT created on the DC and as internal moniker for the GPO itself.

What is the purpose of administrative templates (ADMX) files
Administrative templates are the files defining the registry-based settings that appear in Group Policy objects
You open the GPMC and click the Inheritance tab. You observe 2 Policies numbered as follows:

1 Sales
2 Default Domain Policy

Which of these two policies will be processed last, and what is the significance of this?

The Sales policy will be processed last.

This means that any conflicts between the policies will be overriden by the Sales policy. That is the Sales policy will win.

Describe in simple terms ‘Loopback’ processing
As the name implies, Loopback Processing enables the Group Policy processing order to
circle back and reapply the computer policies after all user policies and logon scripts run

Listen Up…

Below is a scenario involving Loopback processing

For example, consider an academic environment in which the user objects for
administrative accounts, such as teachers and staff, are placed in a separate Admin OU. All workstation computer objects are located in a Lab OU. In computer labs, anyone can log on to the network. However, when users in the Admin OU log on to lab computers, their
User Configuration settings configure the computers to print on printers located in their
offices, and install applications on the lab computers intended only for the users’ office
computers. Teachers complain that they have to walk back to their offices to pick up print jobs that should print on the printers located in the lab. In addition, applications that
should not reside on the lab computers are installed there and now must be removed. One solution to this problem is to use the Replace option in Loopback Processing. When you set the Replace option, the system applies only the user settings from the Lab OU applied.
This resolves the issue of applying unwanted settings on shared computers from other
locations in the AD DS hierarchy

Explain how the COMPUTER nodes for Software Settings and Windows Settings are applied
The Software/Windows Settings folder located under the COMPUTER Configuration node contains Software Installation settings that apply to all users who log on to the domain using a specific computer.

These settings are applied before the user logs on

Explain how the USER nodes for Software Settings and Windows Settings are applied
The settings under the USER nodes contains are applied to users designated by the Group Policy, regardless of the computer from which they log on.
Administrative templates control what part of a computers setting?
Registry
If a policy setting is disabled in the registry by default, and you have a lower priority GPO that explicitly enables that setting, what must you do to restore the default setting (ie disabled?)

A. Configure a higher GPO to disabled

B. Configure a higher GPO to Enabled

C. Configure a higher GPO to Not Configured

D. Configure a higher GPO with Loopback processing?

A

Listen up…

You must configure a higher priority GPO to disable the setting, if you want to restore it to
its default. Applying the Not Configured state does not change the setting, leaving
it enabled.

What is the difference between the Group Policy Object Editor and Group Policy Management Editor
Group Policy Object Editor – used for LOCAL group policy editing

Group Policy Management Editor – AD DS group policy editing

Which of the following types of files do Group Policy tools access from a Central Store by default?

a. ADM files
b. ADMX files
c. Group Policy objects
d. Security templates

B
Which of the following local GPOs takes precedence on a system with multiple local GPOs?

a. Local Group Policy
b. Administrators Group Policy
c. Nonadministrators Group Policy
d. User-specific Group Policy

D
Which of the following techniques can you use to apply GPO settings to a specific group of users in an OU?

a. GPO linking
b. Administrative templates
c. Security filtering
d. Starter GPOs

c
Which of the following best describes the function of a starter GPO?

a. A starter GPO functions as a template for the creation of new GPOs.

b. A starter GPO is the first GPO applied by all Active Directory clients.

c. Starter GPOs use a simplified interface for elementary users.

d. Starter GPOs contain all of the settings found in the default Domain Policy GPO.

A
When you apply a GPO with a value of Not Configured for a particular setting to a system on which that same setting is disabled, what is the result?

a. The setting remains disabled.
b. The setting is changed to not configured.
c. The settings is changed to enabled.
d. The setting generates a conflict error.

A
Local GPOs are stored ______, whereas Domain GPOs are stored _____.

a. in Active Directory; in Active Directory

b. in Active Directory; on the local computer

c. on the local computer; in Active Directory

d. on the local computer; on the local computer

C
By default, linking a GPO to a container causes all the users and computers in that container to receive the GPO settings. How can you modify the default permission
assignments so that only certain users and computers receive the ermissions and, consequently, the settings in the GPO?

a. You cannot separate or divide permission assignments within the linked container.

b. You can create and link a different GPO to the applicable objects, overriding the
previous GPO.

c. You remove the applicable objects and place in a new container.

d. You apply security filtering in the Group Policy Management console.

D
When multiple GPOs are linked to a container, which GPO in the list has the highest priority?

a. The last
b. The first
c. The most permissive
d. The most restrictiv

b

The first one in the list is the last to be processed and therefore has higher priority

Group Policy settings are divided into two subcategories: User Configuration and Computer Configuration. Each of these two settings is further organized into three subnodes. What are the three subnodes?

a. Software Settings, Windows Settings, and Delegation Templates

b. Software Settings, Windows Settings, and Administrative Templates

c. Security Settings, Windows
Settings, and Delegation Templates

d. Security Settings, Windows
Settings, and Administrative Templates

D
What is the order in which Windows systems receive and process multiple GPOs?

a. LSOUD (local, site, OU, and then domain)

b. LOUDS (local, OU, domain, and then site)

c. SLOUD (site, local, OU, and then domain)

d. LSDOU (local, site, domain, and then OU)

D
Select the best answer

What are the different types of Group Policy objects (GPOs)?

a. Computer, user, and organizational unit
b. Local, domain, and starter
c. Local, domain, and universal
d. Site, domain, and organizational unit

d
Installing Windows Server 2012 Active Directory Domain Services (AD DS) installs two default policies: Default Domain Policy and Default Domain Controller Policy. As an administrator, you need different policy settings than the default. What is the best
approach to make those changes?

a. Add new settings in the default policies as needed.

b. Create new GPOs to augment or override the existing default settings.

c. Change existing ones in the default policies as needed.

d. Link a new GPO using the AD DS role.

B
Choose the best answer

Group Policies applied to parent containers are inherited by all child containers and objects. What are the ways you can alter inheritance?

a. Using the Enforce, Block Policy Inheritance, or Loopback settings.

b. Using Active Directory
Administrative Center (ADAC) to block inheritance.

c. Inheritance can be altered by making the applicable registry settings.

d. Using the Enforce or Block Policy Inheritance settings.

A