Group Policy Management Interview Questions and Answers


What is Group Policy (GP)?
Group Policy is an infrastructure that allows you to implement specific
configurations for users and computers. Group Policy settings are contained
in Group Policy objects (GPOs), which are linked to the following Active
Directory service containers: sites, domains, or organizational units (OUs).
The settings within GPOs are then evaluated by the affected targets, using
the hierarchical nature of Active Directory. Consequently, Group Policy is one
of the top reasons to deploy Active Directory because it allows you to
manage user and computer objects.

Group Policy provides centralized management and configuration of
operating systems, applications, and users' settings in an Active Directory
environment.

What are Group Policy Objects (GPOs)?
Group Policy settings are stored in Group Policy Objects. Group Policy
Objects are collections of settings that are defined under User and Computer
Configuration. A Group Policy Object applies not only to users and client
machines, but also to member servers, domain controllers and any Windows
computers within the scope of management.

What can you do with Group Policy?
- Manage registry-based policies using Administrative Templates
- Assign scripts
- Redirect folders
- Manage applications
- Specify security options

What are the kinds of Group Policy?
There are two kinds of Group Policy Objects: local and non-local policy
objects.
- Local policy objects: these are stored on individual computers. Only one
  object exists, and it has a subset of the settings that are available in
  non-local policy objects.
- Non-local policy objects: these are stored on a domain controller
  and are applied from the Active Directory environment. They apply to users
  and computers in the site, domain or organizational unit to which
  the GPO is linked.

Which Group Policy Objects exist by default?
By default, when Active Directory is set up, two non-local policy objects are created:

- Default Domain Policy is linked to the domain, and it affects all users
  and computers in the domain (including computers that are domain
  controllers) through policy inheritance.
- Default Domain Controllers Policy is linked to the Domain Controllers
  organizational unit, and it generally only affects domain controllers,
  because computer accounts for domain controllers are kept exclusively
  in the Domain Controllers organizational unit.

What are User and Computer Policy?
User Policy Settings are stored under User Configuration in Group Policy and
they are obtained when a user logs on.

Computer Policy Settings are stored under Computer Configuration in Group
Policy and they are obtained when a computer starts.

What is the Order of GP Processing?
1. Local Policy: the unique local Group Policy object on a computer
2. Site Policy
3. Domain Policy
4. Organizational Unit(OU)

Site, Domain and OU are applied as per administratively specified order. This
means Group Policy objects that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then Group
Policy objects that are linked to its child organizational unit, and so on.
Finally, the Group Policy objects that are linked to the organizational unit
that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no Group Policy objects can be linked. If several Group Policy
objects are linked to an organizational unit, their processing is synchronous
and in an order that is specified by the administrator.
In this processing order sites are applied first but have the least precedence. OUs
are processed last and have the highest precedence.

What is Group Policy inheritance?
There are several Group Policy options that can alter this default inheritance
behavior. These options include:

- Link Order: the precedence order for GPOs linked to a given
  container. The GPO link with Link Order of 1 has highest precedence
  on that container.
- Block Inheritance: the ability to prevent an OU or domain from
  inheriting GPOs from any of its parent containers. Note that Enforced
  GPO links will always be inherited.
- Enforcement (previously known as No Override): the ability to
  specify that a GPO should take precedence over any GPOs that are
  linked to child containers. Enforcing a GPO link works by moving that
  GPO to the end of the processing order.
- Link Status: determines if a given GPO link is processed or not for
  the container to which it is linked.

What is an enforced group policy object?
Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically
associated with a scope of management (SOM) so that the associated GPO has a higher GPO
precedence compared to non-enforced GPOs that are associated with the same SOM and
compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be
blocked by a descendant SOM using the gpOptions attribute.
The Enforced option within the GPMC controls how the Group Policy Object and the settings within
the Group Policy Object are handled with regard to precedence of the settings. In short, when all
GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs)
have the highest precedence, then those linked to the domain, and finally those linked to Active
Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. What this
means is that if there is a conflicting setting within two GPOs at different levels, the setting
within the highest precedence GPO will win and be applied over the setting in the GPO that
has lower precedence.
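
Added example (not part of the original page): a small Python model of the rules above, covering processing order, Link Order, Link Status, Block Inheritance and Enforcement, to show which GPO wins a conflict. The container names, the GPO names other than Default Domain Policy, and the setting names are made up; enforced links from a higher container are applied last, following the enforced-GPO definition above.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int              # Link Order: 1 = highest precedence on its container
    enabled: bool = True    # Link Status
    enforced: bool = False  # Enforcement (formerly No Override)

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(path):
    """path: containers from site down to the object's OU; returns GPOs as applied (last wins)."""
    # Block Inheritance discards non-enforced links from containers above it.
    cutoff = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = ["Local GPO"], []
    for depth, c in enumerate(path):
        for link in sorted(c.links, key=lambda l: -l.order):  # Link Order 1 goes last
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= cutoff:
                normal.append(link.gpo)
    # Enforced links move to the end; the highest container is applied last.
    enforced.sort(key=lambda e: -e[0])
    return normal + [gpo for _, gpo in enforced]

def resultant(order, settings):
    result = {}
    for gpo in order:
        result.update(settings.get(gpo, {}))  # later GPOs overwrite earlier ones
    return result

# Constructed sample hierarchy and settings (all names are made up).
def sample_path(block):
    return [
        Container("Site-HQ", [Link("Site Proxy", 1)]),
        Container("corp.example", [Link("Default Domain Policy", 2),
                                   Link("Domain Baseline", 1, enforced=True)]),
        Container("OU=Workstations", [Link("Workstation Lockdown", 1), Link("Retired", 2, enabled=False)]),
        Container("OU=Kiosks", [Link("Kiosk Relaxed", 1)], block_inheritance=block),
    ]
SETTINGS = {"Domain Baseline": {"ScreenLockSeconds": 900}, "Kiosk Relaxed": {"ScreenLockSeconds": 0},
            "Workstation Lockdown": {"RemovableStorage": "deny"}}
```

With block=True the non-enforced Workstation Lockdown setting drops out of the resultant set while the enforced Domain Baseline still wins, which is the case to look for when reviewing OUs that block inheritance.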