Group Policy Interview Questions & Answers

Question 1. Why Should We Use Group Policy?

Answer :

• For deploying software
• We can apply security
• For controlling Users environment, settings, per computer settings
• To manage desktop environment (To standardize environment)
• To modify the registry

Question 2. What Is Group Policy Object?

Answer :

We call the actual unit that we are creating, deleting, managing, working with is called Group Policy object.

Group Policy objects have two components:

• Group Policy container
• Group Policy template

Question 3. What Is Group Policy Container?

Answer :

It is the container in the Active Directory where the Group Policy can be applied. (i.e., either Organizational unit or Domain or Site)

Question 4. What Is Group Policy Template?

Answer :

When you create a group policy container automatically a template will be created in the hard drive, in sysvol folder of the Domain Controller that is called Group Policy template.

Question 5. Where Is Group Policy Template Stored?

Answer :

Group Policy template stored in sysvol folder.

Question 6. How To Create A Group Policy?

Answer :

Start –>Programs –>Administrative tools ->Active Directory Users and computers ->Right click on the container on which you want to apply Group Policy->Select properties-> Click on Group Policy tab->Click on New

Question 7. What Are The Steps Do We Have When We Are Creating Group Policy?

Answer :

There are two steps, one is creating Group policy and linking to the container. Generally we create the group policy at container only so when you click on New it creates and links the GPO to that container at a time. Suppose if you want to link a group policy object to a container which is already created click on Add select the group policy.

Question 8. What Are The Buttons Available On Group Policy Tab In Properties Of A Container?

Answer :

• New (Creates new GPO)
• Add (links a GPO to this container which has created already)
• Edit (Edits the existing GPO)
• Delete Deletes the GPO
• Options (here you get the following check boxes): (i) No override – Prevent other GPO from overriding policy set in this one; and(ii) Disabled – This GPO is not applicable to this container
• Properties

Note: When you are deleting a GPO it asks two things:

• Remove the link from this list
• Remove the link and delete the GPO permanently

Question 9. What Is No Override Option In Gpo?

Answer :

Generally the policies set at one level will be overridden in other level, so if don’t want to override this policy under the sub levels of this one you can set this.

Ex: If you set No override at Domain level then that GPO will be applied through out the Domain, even though you have the same policy differently at OU level.

Question 10. What Is Block Inheritance Of Gpo And Where It Is?

Answer :

The Block inheritance GPO option blocks the group policies inheriting from the top level, and takes effect of this present GPO.

Right click on the container –> click on Group Policy –ègo to properties >on the bottom of the General tab you will find Block inheritance check box

Ex: If you select Block inheritance at OU level then no policy from the Domain level, or Site level or local policy will not applied to this OU.

Question 11. You Have Set The No Override Option At Domain Level And Block Inheritance At Ou Level. Which Policy Will Take Effect?

Answer :

If you have set both then No override wins over the Block inheritance. So No override will take effect.

Question 12. What Are The Options That Are Available When You Click On Option Button On General Tab?

Answer :

• General
• Disable computer configuration settings (The settings those are set under computer configuration of this GPO will not take effect.)
• Disable user configuration settings (The settings those are set under User configuration of this GPO will not take effect.)
• Links (Displays the containers which have links to this GPO)
• Security (With security option you can set level of permissions and settings to the individual users and groups. Ex: If you want to disable this GPO to a particular user on this container, on security tab select that user and select the deny check box for apply the Group Policy. Then the GPO will not take effect to that user even though he is in that container.)

Question 13. What Will You See In The Group Policy Snap In?

Answer :

You will see two major portions, and under those you have sub portions, they are:

• Computer Configuration
• Software settings
• Software installations
• Windows settings
• Administrative templates
• User configuration
• Software settings
• Software installations
• Windows settings
• Administrative templates

Note: Administrative templates are for modifying the registry of windows 2000 clients.

Question 14. What Is The Hierarchy Of Group Policy?

Answer :

• Local policy
• Site Policy
• Domain Policy
• OU Policy
• Sub OU Policy (If any are there)

Question 15. Who Can Create Site Level Group Policy?

Answer :

Enterprise Admin

Question 16. Who Can Create Domain Level Group Policy?

Answer :

Domain Admin

Question 17. Who Can Create Organizational Unit Lever Group Policy?

Answer :

Domain Admin

Question 18. Who Can Create Local Group Policy?

Answer :

Local Administrator or Domain Administrator

Question 19. What Is The Refresh Interval For Group Policy?

Answer :

Refresh interval for Domain Controllers is 5 minutes, and the refresh interval for all other computers in the network is 45 minutes (this one doubt).

Question 20. Why Do We Need To Manage And Control Desktop Environment?

Answer :

• To decrease support time
• Eliminate potential for problems
• One standard environment to support
• Eliminate distractions
• To increase productivity

Question 21. What Is Group Policy Loop Back Process? How To Set It?

Answer :

Start –>programs –>Administrative tools –>Active Directory users and computers –>Right click on the container –>click on Group policy tab –>Click on edit –>click on Computer settings –>click on Administrative templates –>system –>Group policy –>click on User group policy loop back processing mode –> click OK –> Select enable

Question 22. What Are The Players That Are Involved In Deploying Software?

Answer :

• Group Policy: Within GP we specify that this software application gets installed to this particular computer or to this particular user.
• Active Directory: Group Policy will be applied somewhere in Active Directory.
• Microsoft Installer service
• Windows installer packages: The type of package that can be used by Group Policy to deploy applications is .msi packages i.e., Microsoft Installer packages.

Question 23. What Is The Package That Can Be Used To Deploy Software Through Group Policy?

Answer :

Windows installer packages (.msi files)

Question 24. What Is Microsoft Installer Service?

Answer :

Microsoft Installer Service runs on the client machines in the Windows 2000 domain. It installs the minimum amount of an application, as you extend functionality it installs the remaining part of application. It is responsible for installing software in the client. It is also responsible for modifying, upgrading, applying service packs.

Question 25. What Is Local Security Policy, Domain Security Policy, And Domain Controller Security Policy In The Administrative Tools?

Answer :

• Local Security policy: This is group policy applied to local machine
• Domain Security Policy: Group Policy applied at domain level
• Domain Controller Security Policy: Group Policy applied at domain controller level.

Question 26. What Are The Design Considerations For Group Policy?

Answer :

The following should be considered for designing group policies:

• Minimize linking: Because there may be a chance deleting the original one with seeing who else are using this GPO. Minimizing linking for simplicity.
• Minimum number of GPO’s: Microsoft suggests that one GPO with 100 settings will process faster than 100 GPO’s each with one setting. This is for performance.
• Delegate
• Minimize filtering: To keep simple your environment, try to minimize filtering.

If you have more number of GPO’s for a container, whatever GPO is on top will be applied first. If you want, you can move GPO’s up and down.

If there is conflict between two GPO’s of same container, the last applied GPO will be effective. i.e., the bottom one will be effective.

Question 27. What Is Group Policy In Active Directory ? What Are Group Policy Objects (gpos)?

Answer :

Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.

The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO.

The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation.

The Group Policy template is located in the system volume folder (Sysvol) in the Policies subfolder for its domain.

Question 28. What Is The Order In Which Gpos Are Applied ?

Answer :

Group Policy settings are processed in the following order:

1. Local Group Policy object : Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2. Site : Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units : GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then POs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.

The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Question 29. How To Backup/restore Group Policy Objects ?

Answer :

• Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
• When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more. The Group Policy Objects container stores all of the group policy objects for the domain.
• Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.
• As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.
• You must provide the path to which you want to store your backup of the group policy objects.
• To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you’re all done.
• When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.
• Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore.
• Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory settings within the file that is being imported.

Question 30. You Want To Standardize The Desktop Environments (wallpaper, My Documents, Start Menu, Printers Etc.) On The Computers In One Department. How Would You Do That?

Answer :

• Go to Start->programs->Administrative tools->Active Directory Users and Computers
• Right Click on Domain->click on preoperties
• On New windows Click on Group Policy
• Select Default Policy->click on Edit
• on group Policy console
• go to User Configuration->Administrative Template->Start menu and Taskbar.
• Select each property you want to modify and do the same.

Question 31. What Is The Difference Between Software Publishing And Assigning?

Answer :

Assign Users :The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.

Assign Computers :The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to users : The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

Question 32. What Are Administrative Templates?

Answer :

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.

An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

Question 33. Can I Deploy Non-msi Software With Gpo?

Answer :

create the file in.zap extension.

Question 34. Name Some Gpo Settings In The Computer And User Parts ?

Answer :

Group Policy Object (GPO) computer=Computer Configuration, User=User ConfigurationName some GPO settings in the computer and user parts.

Question 35. A User Claims He Did Not Receive A Gpo, Yet His User And Computer Accounts Are In The Right Ou, And Everyone Else There Gets The Gpo. What Will You Look For?

Answer :

make sure user not be member of loopback policy as in loopback policy it doesn’t effect user settings only computer policy will applicable. if he is member of gpo filter grp or not.

You may also want to check the computers event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.

Question 36. How Frequently Is The Client Policy Refreshed ?

Answer :

90 minutes give or take.

Question 37. Where Is Secedit ?

Answer :

It’s now gpupdate.

Question 38. What Can Be Restricted On Windows Server 2003 That Wasn’t There In Previous Products ?

Answer :

Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

Question 39. You Want To Create A New Group Policy But Do Not Wish To Inherit.

Answer :

Make sure you check Block inheritance among the options when creating the policy.

Question 40. How Does The Group Policy ‘no Override’ And ‘block Inheritance’ Work ?

Answer :

Group Policies can be applied at multiple levels (Sites, domains, organizational Units) and multiple GP’s for each level. Obviously it may be that some policy settings conflict hence the application order of Site – Domain – Organization Unit and within each layer you set order for all defined policies but you may want to force some polices to never be overridden (No Override) and you may want some containers to not inherit settings from a parent container (Block Inheritance).

A good definition of each is as follows:

No Override – This prevents child containers from overriding policies set at higher levels

Block Inheritance – Stops containers inheriting policies from parent containers

No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied.

Also the highest No Override takes precedence over lower No Override’s set.

To block inheritance perform the following:

1. Start the Active Directory Users and Computer snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
2. Right click on the container you wish to stop inheriting settings from its parent and select
3. Select the ‘Group Policy’ tab
4. Check the ‘Block Policy inheritance’ option
5. Click Apply then OK

To set a policy to never be overridden perform the following:

1. Start the Active Directory Users and Computer snap-in (Start – – Administrative Tools – Active Directory Users and Computers)
2. Right click on the container you wish to set a Group Policy to not be overridden and select Properties
3. Select the ‘Group Policy’ tab
4. Click Options
5. Check the ‘No Override’ option
6. Click OK
7. Click Apply then OK