Académique Documents
Professionnel Documents
Culture Documents
Redirect folders
Manage Applications
Default Domain Policy is linked to the domain, and it affects all users
and computers in the domain (including computers that are domain
controllers) through policy inheritance. For more information
Domain Policy
4. Organizational Unit(OU)
Site, Domain and OU are applied as per administratively specified order.
This means Group Policy objects that are linked to the organizational unit
that is highest in the Active Directory hierarchy are processed first, then
Group Policy objects that are linked to its child organizational unit, and so
on. Finally, the Group Policy objects that are linked to the organizational
unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no Group Policy objects can be linked. If several Group
Policy objects are linked to an organizational unit, their processing is
synchronous and in an order that is specified by the administrator.
In this processing order sites are applied first but have the least
precedence. OUs are processed last and have the highest precedence.
What is Group Policy inheritance()?
There are several Group Policy options that can alter this default
inheritance behaviour. These options include:
Options (here you get the following check boxes): (i) No override Prevent other
GPO from overriding policy set in this one; and (ii) Disabled This GPO is not
applicable to this container
Properties
Ex: If you select Block inheritance at OU level then no policy from the Domain level, or Site
level or local policy will not applied to this OU.
11. You have set the No override option at Domain level and Block inheritance at OU
level. Which policy will take effect?
If you have set both then No override wins over the Block inheritance. So No override will
take effect.
12. What are the options that are available when you click on option button on general
tab?
General
Disable computer configuration settings (The settings those are set under computer
configuration of this GPO will not take effect.)
Disable user configuration settings (The settings those are set under User
configuration of this GPO will not take effect.)
Security (With security option you can set level of permissions and settings to the
individual users and groups. Ex: If you want to disable this GPO to a particular user
on this container, on security tab select that user and select the deny check box for
apply the Group Policy. Then the GPO will not take effect to that user even though he
is in that container.)
13. What will you see in the Group Policy snap in?
You will see two major portions, and under those you have sub portions, they are
Computer Configuration
Software settings
Software installations
Windows settings
Administrative templates
User configuration
Software settings
Software installations
Windows settings
Administrative templates
Note: Administrative templates are for modifying the registry of windows 2000 clients.
14. What is the hierarchy of Group Policy?
Local policy
Site Policy
Domain Policy
OU Policy
Eliminate distractions
To increase productivity
21. What is Group policy loop back process? How to set it?
Start >programs >Administrative tools >Active Directory users and computers >Right
click on the container >click on Group policy tab >Click on edit >click on Computer
settings >click on Administrative templates >system >Group policy >click on User
group policy loop back processing mode > click OK > Select enable
22. What are the players that are involved in deploying software?
Group Policy: Within GP we specify that this software application gets installed to
this particular computer or to this particular user.
Windows installer packages: The type of package that can be used by Group Policy to
deploy applications is .msi packages i.e., Microsoft Installer packages.
23. What is the package that can be used to deploy software through Group Policy?
Windows installer packages (.msi files)
24. What is Microsoft installer service?
Microsoft Installer Service runs on the client machines in the Windows 2000 domain. It
installs the minimum amount of an application, as you extend functionality it installs the
remaining part of application. It is responsible for installing software in the client. It is also
responsible for modifying, upgrading, applying service packs.
25. What is Local security policy, Domain security policy, and Domain controller
security policy in the administrative tools?
Domain Controller Security Policy: Group Policy applied at domain controller level.
Minimize linking: Because there may be a chance deleting the original one with
seeing who else are using this GPO. Minimizing linking for simplicity.
Minimum number of GPOs: Microsoft suggests that one GPO with 100 settings will
process faster than 100 GPOs each with one setting. This is for performance.
Delegate
If you have more number of GPOs for a container, whatever GPO is on top will be applied
first. If you want, you can move GPOs up and down.
If there is conflict between two GPOs of same container, the last applied GPO will be
effective. i.e., the bottom one will be effective.
If Loopback processing of Group Policy is not enabled and our User logs on to our Computer,
the following is true:
As we can see from the picture, the User gets Computer Configuration 2 and User
Configuration 1. This is absolutely standard situation, where policies are applied according to
the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1
accordingly.
Now lets enable the Loopback processing of Group Policy for the Green OU. In this case if
the User logs on to the Computer, the policies applied in the following way:
As we can see, now the User is getting User Configuration 2 despite of the fact that he
belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was
replaced with the User Configuration 2, i.e. with the configuration applied to the Computer
account.
As you have probably noticed, the picture above says Loopback in replace mode. I have to
mention that the Loopback processing of Group Policy has two different modes, Replace and
Merge. It is obvious that Replace mode replaces User Configuration with the one applied to
the Computer, whereas Merge mode merges two User Configurations.
In Merge mode, if there is a conflict, for example two policies provide different values for the
same configuration setting, the Computers policy has more privilege. For example in our
scenario, in case of the conflict the User Configuration 2 would be enforced.
In the real work environment Loopback processing of Group Policy is usually used on
Terminal Servers. For example you have users with enabled folder redirection settings, but
you do not want these folder redirection to work when the users log on to the Terminal
Server, in this case we enable Loopback processing of Group Policy in the Policy linked to
the Terminal Servers Computer account and do not enable the folder redirection settings. In
this case, once the User logged on to the Terminal Server his folder redirection policy will not
be applied.
To enable Loopback Processing navigate to: Computer Configuration/Administrative
Templates/System/Group Policy/Configure user Group Policy loopback processing
mode