Interview Question for active directory and exchange
Group Policy Frequently Asked Questions (FAQ)
This page addresses key areas of Group Policy and provides links to more information.
Introduction
A. Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers. More information: Core Group Policy Technical Reference
A. Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain. More information: Core Group Policy Technical Reference
Q. What are the differences between Group Policy, Registry-based policy, and Security policy?
A. Group Policy is an infrastructure in which IT administrators can implement standard computing environments for groups of users and computers and includes both Registry-based and Security Policy. Registry-based policy is one of the many features of Group Policy that uses Administrative templates to modify the registry settings for policy-enabled components included in Windows. Security Policy, another feature delivered by Group Policy, includes a variety of security-related settings for Microsoft Windows. More information: Core Group Policy Technical Reference
A. A good starting point would be the Microsoft Group Policy TechCenter. There, you can view a variety of information on Group Policy, including a 14-part webcast series on the Fundamentals of Group Policy.
Getting Started with Group Policy
Q. Is there a way to test-drive Group Policy before installing it on my network?
A. Yes, virtual labs are available on the Microsoft TechNet Virtual Lab Web site. There are more than ten different Group Policy virtual labs that cover basic topics such as basic administration and planning and deployment, and advanced topics such as processing and troubleshooting. More information: Microsoft TechNet Virtual Lab Web Site
A. First, read the Introduction to Group Policy in Windows Server 2003 white paper, which will give you a basic understanding of Group Policy and its dependencies. Next, follow the instructions to download the Group Policy Management Console (GPMC). You use GPMC to manage and view Group Policy objects (GPOs). You use Group Policy Object Editor to edit policy settings. With more than 1,700 policy settings, knowing where to begin can be challenging. For ideas about planning how to use policy settings for specific management goals, see Implementing Common Desktop Management Scenarios with Group Policy Management Console.
Q. Is there a maximum number of Group Policy objects that I can store in a domain?
A. Creating a Group Policy object will create a Group Policy container object, stored in Active Directory, and a Group Policy template, stored on the Sysvol of the domain controller. Both are limited only by the amount of free disk space. More information: Introduction to Group Policy in Windows Server 2003 White Paper
Best Practices for Group Policy
Q. What are the Microsoft best practices for using Group Policy?
A. The Microsoft Information Technology Group has published an IT Security at Microsoft white paper that describes designs, troubleshooting, and lifecycle management of Group Policy. More information: IT Security at Microsoft White Paper
Q. Should I have more Group Policy objects with fewer settings or fewer objects with more settings?
A. At Microsoft, Group Policy objects (GPOs) tend to contain a small number of individual settings, typically 5–20 settings. Microsoft has found it easier to manage a large number of GPOs, each with a small group of settings, than to manage a few Group Policy objects with a large number of settings. This approach maximizes flexibility in defining who gets a set of settings and minimizes the need for frequent changes of core policies. More information: Core Group Policy Technical Reference
Q. Can I apply a Group Policy object directly to a security group?
A. You cannot apply a Group Policy object directly to a security group. However, you can use security filtering to refine which users or computers will receive and apply Group Policy settings. The Group Policy Management Console (GPMC) is the tool to manage security filtering. For more information about security filtering, see the Core Group Policy Technical Reference. More information: Core Group Policy Technical Reference
Managing Group Policy
A. Microsoft provides two management consoles to administer Group Policy. The Group Policy Management Console (GPMC) consists of a Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy objects (but not Group Policy settings). Group Policy Object Editor, also a Microsoft Management Console snap-in, is used to edit the individual settings contained within each Group Policy object. More information: Group Policy Management Console
A. Microsoft has a dedicated list of third-party tools and extensions for Group Policy on the Group Policy TechCenter. More information: Third-Party Tools and Extensions for Group Policy
Q. Is there a list of policy settings for each operating system?
A. See the Group Policy Settings Reference for documentation of available policy settings. You can also search for policy settings using the Help and More information: Group Policy Settings Reference
A. The Group Policy Management Console provides a way to import, export, back up, and restore Group Policy objects. In addition, there are several script files that provide this same functionality from the command line. More information: Group Policy Management Console
A. Yes, you can audit changes to Group Policy objects. However, the data that is included in the audit is limited. The Microsoft Developers Network contains an excellent blog on how to enable auditing for Group Policy and explains how to interpret the event log messages. DesktopStandard and NetIQ offer GPOVault and Group Policy Guardian, which enhance the change control/auditing experience. More information: How to Enable Auditing for Group Policy
Q. How do I compare the settings contained within two Group Policy objects?
A. DesktopStandard provides a downloadable version of GPOVault that gives you the ability to view the differences between multiple selected GPOs in an HTML report.
Q. Where can I find Administrative Template files for Group Policy?
A. Administrative Template (ADM) files are included by default in each Windows operating system. These are: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. An archive of all previous Administrative Template files is also available from the Microsoft Download Center. More information: Group Policy ADM Files
Targeting and Applying Group Policy Objects
A. Group Policy for computers is triggered at computer startup. For users, Group Policy is triggered when they log on. Versions of Windows before Windows XP, as well as Windows Server 2003, use synchronous processing, meaning that computer Group Policy is completed before the logon dialog box is presented. User Group Policy is completed before the shell is active and available for the user to interact with it. Windows XP defaults to asynchronous policy processing. By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer, located in the Computer Configuration\Administrative Templates\System\Group Policy namespace. The processing of Group Policy is explained in the Core Group Policy Technical Reference. More information: Core Group Policy Technical Reference
A. Under synchronous processing, there is a time limit of 60 minutes for all of Group Policy to finish processing on the client computer. Any client-side extensions (CSEs) that are not finished after 60 minutes are signaled to stop, in which case the associated policy settings might not be fully applied. More information: Group Policy TechCenter Web Site
A. The Security client-side extension will process policy at computer startup, and the extension will refresh with every Group Policy refresh. Most client-side extensions, including the security extension, will not attempt to read or write settings on a refresh unless the version number of the policy has increased, which would indicate the policy has been modified. The security extension will process the security settings on the next refresh after 16 hours have expired without any policy changes. In addition, this value and the refresh values for other CSEs may be modified using Group Policy Object Editor. More detailed information can be found in the Security Settings Extension Technical Reference. More information: Security Settings Extension Technical Reference
Q. What permissions are necessary for Group Policy to apply to a user or computer?
A. Group Policy can apply to any user or computer with an access control entry granting Read and Apply Group Policy. More information: Group Policy TechCenter Web Site
Q. Is there a way to programmatically configure Group Policy settings?
A. There is a section in the Microsoft Platform Software Developer Kit (SDK) which details how to interact with Group Policy objects and Group Policy Object Editor. The Group Policy Management Console SDK provides detailed information about how to manage Group Policy objects.
A. Administrative Templates and Security Settings are applied over a slow link and the behavior cannot be changed. By default, Software Installation, Scripts, and Folder Redirection will not process over a slow link. You can change the default policy processing behavior for these client-side extensions using Group Policy Object Editor. These settings are located at Computer Configuration\Administrative Templates\System\Group Policy. More information: Group Policy TechCenter Web Site
Using Group Policy to Manage Internet Explorer
A. You can manage Internet Explorer in two ways. You can use Administrative Template policy settings located in Administrative Templates\Windows Components\Internet Explorer. For example, you can use policy settings to manage Internet Explorer security options. These are the same options that you see in the Internet Explorer UI when you click Tools, point to Internet Options, and then click Security. There are more than 500 policy settings delivered by the Inetres.adm file, which is included by default in the operating system. For more information about managing Internet Explorer with registry-based policy, see Managing Windows XP Service Pack 2 Features Using Group Policy. In addition, you can use the Internet Explorer Maintenance Extension to manage Internet Explorer settings in a domain-computing environment using Group Policy. You can customize the appearance of the browser, preset and manage browser connection settings, set the default URLs displayed by the browser, and set the default programs used for each Internet service. Additionally, you can preset the security zone, content rating, certification authority, and Authenticode settings. For more information, see Internet Explorer Maintenance Extension Technical Reference. It is recommended to manage Internet Explorer using Administrative Template policy settings whenever possible because these policy settings are always written to a secure tree in the registry, which means users cannot change them either by using the UI or by modifying the registry.
A. In normal mode, policy settings are mandatory and are used to enforce security, interface, and other Internet Explorer settings, ensuring users cannot change those settings. In preference mode, you can configure default settings but allow users to change their own settings by using the Internet Explorer user interface. This mode provides users with the same starting configuration for their browsers, but enables them to personalize the configuration. More information: Group Policy TechCenter Web Site
A. Trusted sites policies can be set at the computer or user level and are located at the relative path of administrative templates: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone. More information: Group Policy TechCenter Web Site
A. Internet Explorer Maintenance (IEM) settings need to be imported before they can be modified. They are read from the current Internet Explorer settings on the computer from which you are editing, usually your administrative workstation. This explains why you can see different settings when editing IEM policy settings after you move to a different computer or change the Internet Explorer settings on your current computer. More information: Group Policy TechCenter Web Site
Q. Why does the Group Policy Management Console not report all of my Internet Explorer settings?
A. There are some settings the Group Policy Management Console will partially report or will not report at all. The reports indicate only whether Content Ratings and Connections are deployed and do not report the details of those settings. New settings only available in Preference mode will not be displayed. Details of customized Java settings, if specified, are not shown; customized Java settings will appear as “Custom.” For more information, see Administering Group Policy with Group Policy Management Console. More information: Administering Group Policy with Group Policy Management Console
Managing Security Policy
A. Security policies are rules that administrators configure on a computer or multiple computers for protecting resources on a computer or network. The Security Settings extension of the Group Policy Object Editor snap-in allows you to define security configurations as part of a Group Policy object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage security settings for multiple computers from any computer joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. More information: Group Policy TechCenter Web Site
A. Domain password policies may be enabled and linked at the domain only. This limitation is because of the design of where these values are stored in Active Directory. Password policy settings, such as Minimum Password age, Maximum Password age, and Minimum Password length, are stored as attributes on the domain object in Active Directory. The current design does not allow these values to be read from any other object. Password policy settings linked at other containers will not affect domain users, but will apply to local users of the computer. More information: Group Policy TechCenter Web Site
A. The security database in Windows 2000 had a specific table to store local security policy settings. This approach was changed in Windows XP and Windows Server 2003: local security policy settings are written directly to their respective locations in the registry. More information: Group Policy TechCenter Web Site
Q. I removed some security settings but they are still in effect. Why?
A. Under some circumstances, Windows Security Settings remain in effect after being set to undefined. In some cases, these security settings need to be explicitly overwritten to be removed. For more information, see Windows Security Settings remain in effect after removal. More information: Windows Security Settings Remain in Effect After Removal
Managing Registry-Based Policy Settings
A. Registry-based policy is a way to use Group Policy to centrally manage client registry keys. It combines a server-side snap-in for configuring registry-based policy with a client-side extension that applies the registry-based policy by creating and configuring the client registry keys. Registry-based policy settings are stored in one of the four approved Group Policy registry locations. For computer policy settings: HKLM\Software\Policies (the preferred location) and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies. For user policy settings: HKCU\Software\Policies (the preferred location) and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. More information: Administrative Templates Extension Technical Reference
A. ADM files are Unicode text files that Group Policy uses to describe where registry-based policy settings are stored in the registry. All registry-based policy settings appear and are configured in Group Policy Object Editor under the Administrative Templates node. ADM files do not apply policy settings; they simply enable administrators to view the policy settings in Group Policy Object Editor. Administrators can then create Group Policy objects (GPOs) containing the policy settings that they want to use. ADM files can only support setting the registry under the HKLM or HKCU locations of the registry. If the ADM file contains registry settings for registry keys outside the approved registry locations for policy settings, the settings will be preferences instead of policies. ADM files are being replaced in the Windows Vista and Windows Server "Longhorn" operating systems.
A. Windows Vista and Windows Server "Longhorn" operating systems introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category) are defined using a standards-based XML file format, known as ADMX files. These new files replace ADM files, which used their own markup language. The administrative tools you use, Group Policy Object Editor and Group Policy Management Console, remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
A. Yes. Group Policy Object Editor and Group Policy Management Console will continue to recognize other earlier ADM files you have in your existing environment; specifically, any custom ADM files or any ADM files not delivered by default in the operating system found in a GPO will be consumed by Group Policy Object Editor and Group Policy Management Console. The tools will not recognize earlier ADM files that were included by default in the operating system, such as System.adm and Inetres.adm. More information: Step-by-Step Guide to Managing Group Policy ADMX Files
Q. Where can I find Administrative Template files for Group Policy?
A. Administrative Template files are included by default in each Windows operating system. These are: System.adm, Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. An archive of all previous Administrative Template files is also available from the Microsoft Download Center. More information: Group Policy Administrative Template File Download
Q. Why can I not see my custom Administrative Template policy settings in Group Policy Object Editor?
A. By default, Group Policy Object Editor will show only Group Policy settings that can be fully managed. This results in Group Policy Object Editor only displaying settings from an ADM file that are policies corresponding to the four registry locations mentioned in the "What is registry-based policy?" section of this FAQ. If your custom ADM file contains preference settings whose registry locations are outside of the four registry locations for policy settings, then you must follow this procedure to display the ADM file settings. To view preference settings for all ADM files in the Group Policy Object Editor:
More information: Using Administrative Template Files with Registry-Based Group Policy
A. Administrative Template policy settings do not support binary values. More information: Using Administrative Template Files with Registry-Based Group Policy
A. The registry.pol file contains the current set of registry policy settings defined in the computer or user portion of a GPO. You can find the registry.pol file inside a GPO under the Machine or User directory. You can use the regview.exe tool provided in the Windows Server 2003 Resource Kit Tools to view the contents of any registry.pol file. More information: Windows Server 2003 Resource Kit Tools
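As an added example (not part of the FAQ or any Microsoft tool), the following Python reads a registry.pol file using the documented PReg layout (a 4-byte "PReg" signature, a version DWORD, then UTF-16LE records of the form [key;value;type;size;data]) and flags every entry whose key lies outside the four approved policy locations listed in the registry-based policy answer above. Such entries are preferences rather than policies, so they stay in the registry after the GPO is unlinked. The sample file is constructed in the code; "Contoso" is a placeholder vendor name.

```python
import struct

# Approved policy locations from the FAQ. The same two trees exist under HKLM
# (computer policy) and HKCU (user policy); a registry.pol key outside them is
# a preference: it "tattoos" the registry and is not undone when the GPO goes.
POLICY_ROOTS = ("SOFTWARE\\POLICIES",
                "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES")
PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # magic + little-endian version 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def _u16(s):
    return s.encode("utf-16-le")

def _read_utf16z(buf, pos):
    """Return (text, next_pos) for a NUL-terminated UTF-16LE string at pos."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2

def decode_data(reg_type, raw):
    if reg_type == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw                      # REG_BINARY and anything else: keep bytes

def parse_registry_pol(data):
    """Parse a PReg file: 8-byte header, then [key;value;type;size;data]."""
    if data[:8] != PREG_HEADER:
        raise ValueError("not a version-1 registry.pol (PReg) file")
    entries, pos = [], 8
    def expect(token):  # brackets and semicolons are themselves UTF-16 chars
        nonlocal pos
        if data[pos:pos + 2] != _u16(token):
            raise ValueError(f"expected {token!r} at offset {pos}")
        pos += 2
    while pos < len(data):
        expect("[")
        key, pos = _read_utf16z(data, pos)
        expect(";")
        value, pos = _read_utf16z(data, pos)
        expect(";")
        reg_type = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        expect(";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        expect(";")
        raw, pos = data[pos:pos + size], pos + size
        expect("]")
        entries.append({"key": key, "value": value, "type": reg_type,
                        "data": decode_data(reg_type, raw)})
    return entries

def is_policy_location(key):
    k = key.upper().lstrip("\\")
    return any(k == r or k.startswith(r + "\\") for r in POLICY_ROOTS)

def preferences_in(data):
    """Entries that write outside the policy trees (the ones that tattoo)."""
    return [e for e in parse_registry_pol(data) if not is_policy_location(e["key"])]

def encode_entry(key, value, reg_type, raw):
    """Build one record; used only to construct the sample file below."""
    return (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(value)
            + b"\x00\x00" + _u16(";") + struct.pack("<I", reg_type) + _u16(";")
            + struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]"))

# Constructed sample: two policy values and one vendor preference (placeholder).
SAMPLE_POL = (PREG_HEADER
    + encode_entry("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU",
                   "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0))
    + encode_entry("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                   "NoDriveTypeAutoRun", REG_DWORD, struct.pack("<I", 255))
    + encode_entry("Software\\Contoso\\App", "ServerName", REG_SZ, _u16("srv01\x00")))
```

Run `preferences_in(open(path, "rb").read())` against a real Machine\registry.pol or User\registry.pol to list the values a custom ADM will leave behind.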
A. See the Group Policy Settings Reference for documentation of available registry-based or Administrative Template policy settings. You can also search for policy settings using the Help and More information: Group Policy Settings Reference
Distributing Software Using Group Policy
A. The software installation extension of Group Policy enables you to provide on-demand software installation and automatic repair of applications. Group Policy offers a convenient method for distributing software, especially if you are already using Group Policy for other purposes such as securing your client and server computers. However, Group Policy-based software installation has some basic limitations, including difficulties with scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation. If you need to carefully schedule installations, manage network use, perform hardware and software inventory, or monitor installation status, consider using Microsoft Systems Management Server (SMS). For more information about software distribution, see Deploying a Managed Software Environment. More information: Deploying a Managed Software Environment
Q. Why can I not distribute security updates with Group Policy?
A. Group Policy is not designed to deliver security updates. Microsoft Update Services was specifically developed to enable information technology administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows Server 2003, and Windows XP operating systems. Windows Server Update Services allows you to fully manage the distribution of updates that are released through Microsoft Update to computers in your network. More information: Microsoft Windows Server Update Services
A. The software installation extension assigns a Globally Unique Identifier (GUID) to each application. Applications are then installed in GUID order without any preference. Microsoft Systems Management Server (SMS) provides server-side and client-side scheduling. For more information, see the SMS 2.0 Web site. More information: Systems Management Server 2.0 Web Site
Managing Terminal Services
A. You can use Group Policy to configure Terminal Services connection settings, set user policies, configure terminal server clusters, and manage Terminal Services sessions. You can set user policies for Terminal Services to create a consistent logon experience for all Terminal Services users by employing loopback processing for evaluating Group Policy objects (GPOs). More information: Introduction to Loopback Processing
A. Group Policy loopback processing can be used to alter the application of GPOs to a user by including GPOs based on the location of the computer object. The typical way to use loopback processing is to apply GPOs that depend on the computer to which the user logs on. More information: Introduction to Loopback Processing
Troubleshooting Group Policy
Q. Where is the Microsoft guidance for troubleshooting Group Policy?
A. For the latest information, see Troubleshooting Group Policy Problems. More information: Troubleshooting Group Policy Problems
Q. Why did my local Group Policy change not apply to my computer?
A. Several factors can prevent changes from applying to your computer. One of the more common reasons is that domain-joined computers must contact a domain controller to update policy. If a domain controller is not available, policy stops processing. For more information, see the section Background Refresh of Group Policy in the Core Group Policy Technical Reference. More information: Core Group Policy Technical Reference
Q. I copied a local GPO registry.pol file from one computer to another and it does not apply. Why?
A. If the computer is a member of a domain, it will still need to contact a domain controller to apply new policy settings. Non-domain computers will apply new policy settings only when the version numbers have increased. Copying the registry.pol will not increase the version number in the GPT.INI. You will need to increase this value by one for new settings to apply. More information: Core Group Policy Technical Reference
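As an added example (not from the FAQ or from Microsoft), the following Python performs the version bump the answer above describes on a gpt.ini, which is a plain INI file with a `Version=` line in its `[General]` section. The Version DWORD packs two 16-bit counters, the user version in the high word and the computer version in the low word, so "increase this value by one" raises the computer version; a copied User\registry.pol needs the user half raised instead. The function names, the sample gpt.ini text and the local GPO path in the comment are this example's own assumptions.

```python
import re

def split_version(version):
    """gpt.ini Version: user version in the high 16 bits, computer in the low 16."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF

def join_version(user, computer):
    """Inverse of split_version; each half is a 16-bit counter."""
    if not (0 <= user <= 0xFFFF and 0 <= computer <= 0xFFFF):
        raise ValueError("version halves are 16-bit counters")
    return (user << 16) | computer

def bump_gpt_ini(text, computer=True, user=False):
    """Return (new_text, new_version) with the chosen half incremented by one.

    The FAQ's "increase this value by one" bumps the low word, i.e. the
    computer side. Settings copied into User\\registry.pol need user=True,
    otherwise the client sees no version change and never re-reads the file.
    """
    m = re.search(r"^(Version\s*=\s*)(\d+)\s*$", text,
                  re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no Version= line found in gpt.ini")
    u, c = split_version(int(m.group(2)))
    new = join_version(u + int(user), c + int(computer))
    # Splice only the number so the rest of the file (line endings, other
    # keys such as displayName on domain GPOs) is left byte-for-byte intact.
    return text[:m.start(2)] + str(new) + text[m.end(2):], new

def bump_gpt_ini_file(path, **halves):
    """Bump a gpt.ini in place and return the new Version value.

    For the local GPO the file lives under %SystemRoot%\\System32\\GroupPolicy
    (assumed path); gpt.ini is plain ASCII text, so UTF-8 round-trips it.
    """
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text, new_version = bump_gpt_ini(text, **halves)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(new_text)
    return new_version

# Constructed sample: user version 1, computer version 3 -> 1*65536 + 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\n"
```

After editing, a domain-joined client still has to reach a domain controller before the change takes effect, as the answer above notes.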
A. Microsoft Knowledge Base Article 842933 describes these symptoms and resolutions for Windows Server 2003, Windows XP, and Windows 2000 Service Pack 3 operating systems. More information: Microsoft Knowledge Base Article 842933
A. If there is no change to a GPO, policy does not apply. If users change their trusted sites, policy will not change them back unless you actually update the GPO and trigger a refresh. Without a change, Group Policy will not process.