Unit 4 Configuring Group Policies

Which of the following are local GPOs on a Windows 10 computer? (Choose all that apply.)

-Local Non-Administrators -Local Administrators

Which of the following are true about GPOs? (Choose all that apply.)

-The <CTX>gpedit.msc </CTX> tool can be used to edit local GPOs. -Domain GPOs can be linked to Active Directory sites.

Which of the following are methods for creating a GPO? (Choose all that apply.)

-Use the Group Policy Objects folder of the Group Policy Management console -Link it to a container

Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account Accounts: Rename guest account Interactive logon: Do not display last user name Interactive logon: Do not require CTL + ALT + DEL Microsoft network server: Disconnect clients when logon hours expire

Additional Security Options commonly configured:

Which of the following is best described as policy definition files saved in XML format?

Administrative templates

scripts are replicated automatically and can be retrieved by clients from a DC in the domain. *will need GUID of GPO to locate the correct folder if stored in this folder

Advantage of using the SYSVOL share

You're having replication problems with your GPOs and suspect that the version numbers have somehow gotten out of sync between the GPT and the GPC. What can you do to verify the version numbers on a GPO?

Check the versionNumber attribute of the GPC and open the GPT.ini file

You want all users to have the company home page and two other Web sites loaded in tabs when they start Internet Explorer, but you want them to be able to change their home pages if they like. What should you do?

Configure an Internet Options preference, and change the defaults in the Common tab

You want to centrally back up the files that users store in the Documents folder in their user profiles, but you don't want users to have to change the way they access their files. What's the best way to go about this?

Configure folder redirection in the User Configuration node of a GPO

You want to set a group policy preference that affects only computers with a CPU speed of at least 4.0 GHz. What's the best way to do this?

Configure item-level targeting

You have been working with ADMX files to modify existing Administrative Templates and create new templates. You work on different domain controllers, depending on your location. Despite a concerted effort, your ADMX files are getting out of sync. How can you solve this problem?

Create an ADMX store in the SYSVOL share, and copy the ADMX files to the ADMX store

Which of the following is a subfolder in the User Configuration node but not the Computer Configuration node of a GPO?

Desktop

You have configured a group policy preference that creates a VPN connection for all computers in the GPO's scope. One user says the connection was there yesterday, but it's no longer showing in his Network Connections window. You suspect he might have deleted the connection accidentally. What can you do to make sure that the VPN connection is re-created even if a user deletes it?

Disable the Apply once and do not reapply option

Group Policy Template (GPT) Group Policy Container (GPC) have same traits: naming structure and folder structure.

Domain GPOs consist of what two separate parts?

Creating & Linking

GPOs are created in the Group Policy management console & can be linked to one or more AD containers.

File Replication Service (FRS) used when running in a mixed environment of differing Windows Server operating systems Distributed File System Replication (DFSR) used when all DC's are running Windows Server 2008 *more efficient and reliable

GPT's located in the SYSVOL share, are replicated by (one) of the following methods?

Name of the GPO File path the GPT Version Status

Group Policy Container (GPC) contains which of the following attributes?

GPOs Replication Creating and Linking Scope and inheritance

Group policy architecture and functions:

Where is a GPT stored?

In a folder named the same as the GUID of the GPO in the SYSVOL share

You need to find a policy related to an application that was installed several years ago. You know that the policy is persistent when the computer that it's applied to falls out of scope, but you can't remember its name. You remember a word or two that might be in the policy name or comments. What can you do to find this policy quickly?

In the Group Policy Management Editor, configure a filter; set Managed to No, and enable Keyword Filters.

You have created a custom administrative template. You want this template to be available to all DCs so that policies can be configured with it from any DC. Where should you save it?

In the central store

Computer Configuration node in Software Installation extension to assign to computers create a shared folder on a server that gives the computer read & execute permission

In what node are software packages only assigned to target computers configure startup/shutdown scripts

You have installed an application that can be configured with Group Policy. The application came with a custom ADM file that must be replicated to all DCs. What should you do first?

Open the file with ADMX Migrator

Group Policy Management console (GPMC) Group Policy Management Editor (GPME) - no save option, changes immediately

Primary tools used for managing, creating, and editing GPOs are?

You want to deploy a software package that's available to all users in the domain if they want to use it, but you don't want the package to be installed unless a user needs it. How should you configure the software installation policy?

Publish the package under the User Configuration node

You're concerned that some domain controllers and workstations don't meet security requirements. What should you do to verify security settings on a computer against a list of known settings?

Run Security Configuration and Analysis on the computer to compare its security settings against a security database

You want to deploy a logon script by using Group Policy. You have several sites connected via a WAN with a DC at each site. You want to make sure the script is always available when users log on from any computer at any location. What should you do?

Save the script in the SYSVOL share

.admx

The ADMX central store holds policy definition files used for updating changes b/w domain controllers. What is the file extension of these files? .adm .admx .xml .xlsx

.xml

The ADMX central store holds policy definition files used for updating changes b/w domain controllers. What is the format of these files? .adm .admx .xml .xlsx

You have configured a policy setting in the User Configuration node of a domain GPO and linked the GPO to OU-X. Later, you discover that you linked it to the wrong OU, so you unlink it from OU-X and link it to OU-Y, which is correct. A few days later, you find that users in OU-X still have the policy setting applied to their accounts. What's the most likely cause of the problem?

The policy setting is unmanaged

Security Templates snap-in Security Configuration & Analysis snap-in

Tools for working w/ Security Templates

Local GPOs Domain GPOs

Two main types of GPOs?

audit object access policy auditing on target objects policy (by changing the system access control list SACL for the object in the Auditing tab on the Advanced Security Settings dialog box for the object)

Two steps for auditing objects:

All your domain controllers are running Windows Server 2016. You're noticing problems with GPT replication. What should you do?

Verify that DFSR is operating correctly

Audit Policy User Rights Assignment Security Options

What are the three Local Policies Folders?

software settings uses Microsoft Software Installation (MSI) files windows settings administrative templates *policy settings can be managed (not configured w/ object outside of policy scope) or unmanaged (persistent)

What are the three folders under the Group Policy Settings under the Policies Folder?

GPT.int Machine User

When GPO is created each GPT folder contains at least three items:

Item-level targeting

You are configuring common GPO properties for folders. You want to specify that only portable computers that are docked have a preference applied. Which choice will accomplish this? Item-level targeting stop processing items in this extension if an error occurs run in logged-on user's security context (user policy option) apply once and do not re-apply

Elevation

a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials.

script

a series of commands saved in a text file to be repeated easily at any time

Members of property

adds the target group to group on the list that it isn't already a member of

Restricted Group Policy

allows an administrator to control the membership of both domain groups and local groups on member computers

GPO

an object containing policy settings that affect user and computer operating environments and security. Can be local or AD objects. contains policy settings for managing many aspects of domain controllers, member servers, member computers, and user focus on a category of settings, then name when creating

Audit Policy (in local policies)

applies to what users can and can't do on the local computer to which they log on admins can audit events such as logon and logogg, file and folder access, Active Directory access, and system and process events. events listed in the Security log

User Rights Assignment Policies (under local policies)

are defined actions users can take on domain controllers.

Computer Configuration (GPP)

are refreshed every 90 minutes or when computer restarts

User Configuration (GPP)

are refreshed every 90 minutes or when user logon

Domain GPOs

are stored in Active Directory on domain controllers

Local GPOs

are stored on local computers, and are edited via the Group Policy Object Editor snap-in

Security Templates

are text files w/ an .inf extention that contain information to define policy settings in the ComputerConfiguration\Policies\WindowsSettings\Security Settings node used to create & deploy security settings to a local or domain GPO verify current security settings on a computer against it's settings

assigned

can be installed automatically when the user logs on to a computer in the domain.

Administrator template files

collection of files in XML format referred to as ADMX files (.admx extension or adml - language specific user interface) XML formatted text files that define policies in the Administrative Template folder in a GPO options: computer configuration settings user configuration settings the ADMX central store Administrative Templates property filters Custom administrative templates migrating administrative templates files

auditpol /clear

command to clear all audit policy subcategories so that auditing is controlled only by Group Policy

gpedit.msc

command to open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes

auditpol.exe

command-line tool to have more control over the types of events that are audited. Managed audit policies from the command line. Use /get /category:* to list all audit policy sub categories

Group Policy Template (GPT)

contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller uses a GPO's GUID for a folder name

msi files (.msi extension)

contains the instructions Windows Installers needs to install the application correctly.

Member property

controls which accounts can be members of the group

Group Policy Preference Both Computer Configuration & User Configuration nodes have 2 subfolders windows settings & control panel settings computers must have Group Policy Preference Client Side Extensions (GPP CSE) to recognize and download settings in the Preference folder when processing group polices

enable administrators to set up a baseline computing environment yet still allow user to make changes to configured settings must create when want to deploy

File System node

enables an administrator to configure permissions and auditing on files and folders on any computer in the GPO on which the policy is configured.

Folder Redirection there are 13 folders you can redirect

enables an administrator to set policies that redirect folders in a user's profile directory. applies strictly to user accounts and is found only under the User Configuration node

Item level targeting

enables you to target specific users or computers based on criteria

Replication

ensures that all domain controllers have a current copy of each GPO

Starter GPO

is a template for creating GPOs (not a GPT)

Group Policy Container (GPC)

is stored in the System\Policies folder store GPO properties and status information but no policy settings uses a GPO's GUID for a folder name replicated w/ Active Directory

published

isn't installed automatically, a link to install the application is available in Control Panel's Programs & Features

group policy

powerful tool for network admins to manage domain controllers, member servers, member computers, and users

User Account Control Policies (of Security Options in Local Policies)

should be configured right away. determines what happens on a computer when user attempts to perform an action that requires elevation.

User Configuration node in Software Installation extension

software packages can be assigned to target computers and deployed to users by being published or assigned. configure logon/logoff scripts

Settings in local GPOs

that are inherited from domain GPOs can't be changed on the local computer. that are undefined or not configured by domain GPOs can be edited locally.

Scope and inheritance

the scope of a group defines which users and computers are affected by its settings

batch file (.bat extension)

used to create command scripts, which is a series of commands saved in a this file

Group Policy Object Editor

what snap-in do you add to access GPO's on these? Local Administrators GPO Local Non-Administrators GPO User-specific GPO

unmanaged policy setting

when a group or user group policy settings is in the scope of a GPO it is managed by GPO. What type of scope is changed to its original configuration outside the GPO? managed policy settings unmanaged policy settings log on locally none of these