Understanding Group Policy (Part 1 of 3): Webcast (11-13-2006)

 

Here is the link to the Part 1 webcast: Understanding Group Policy (Part 1 of 3)

Here are the questions and answers for Part 1:

Question: What takes precedence: Group Policy settings or NTFS file/folder-level settings?
Answer: The NTFS file permissions will win; in other words, a GPO will not violate local security.

Question: If I create a "pilot" OU to test with, can I use my virtual machine as a test machine or do you have to use a physical machine?
Answer: Most definitely! This is the same configuration that I basically use for the webcasts.

Question: Does the default domain policy always get applied?
Answer: Yes, the default domain policy always applies, but in case of conflict this policy may not win. However, you can control this with the Enforced setting.

Question: Can an admin force group policy update (gpupdate) remotely?
Answer: Yes, but you will need a utility to run a remote command prompt. Check out www.sysinternals.com, look for the PsTools suite, and specifically check out PsExec. For more information, see this article: https://www.sysinternals.com/Utilities/PsExec.html

Question: Which policy would apply if set at both user and workstation?
Answer: Both settings will be applied; however, if there is a conflict the user will win because it is applied second. A way to make sure the computer wins is by using loopback application; I talked about this in Part 3.

Question: Is it possible to force specific users to have a 12 character password, and everyone else a 7 character password?
Answer: Not at the domain level, although if you have multiple AD sites you can work with this type of configuration.

Question: What are the services that should be running on the client computer to have AD access and successful application of GP?
Answer: Group Policy currently uses the NetLogon service for this processing; in Windows Vista, Group Policy will get a dedicated service.

Question: What happens if a user has 2 GPOs applied?
Answer: Again, both GPOs will be applied, and you only have to worry about this if there is a conflict between the GPOs' settings. If that happens, the GPO with the lowest number wins.

Question: Using the Group Policy Management Console, is it possible to export and import the policy settings on a Windows 2000 server?
Answer: Technically when you open the GPMC on a Windows 2003 server you are viewing the settings for the domain.

Question: How do you link a GPO to an OU? Is the GPMC part of Windows Server 2003 SP1?
Answer: To link a GPO, either drag it to the OU in the GPMC or right-click the OU and select Link an Existing GPO. I believe GPMC was a part of SP3; however, it is a free download located here: GPMC Console download

Question: Is there a tool to search for a policy setting in a GPO?
Answer: Unfortunately, there is not a tool built into the GPMC; however, you can download a spreadsheet with the settings here: Group Policy Settings reference

Question: If you have more than one domain controller do you have to make changes on all the domain controllers for the GPO to take effect immediately?
Answer: No, replication will take care of this. GPOs are replicated to other domain controllers in two ways. The GPC is replicated using Active Directory replication, and the GPT is replicated by the File Replication Service (FRS). Policy settings from a GPO are applied only when the GPC and GPT are synchronized. To learn more about how to manage GPOs, take a look at this KB: https://support.microsoft.com/default.aspx?scid=kb;en-us;816662
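
The GPC/GPT synchronization described in the answer above can be checked by comparing the two version numbers. The following is an added example, not part of the original webcast or Q&A: it decodes the 32-bit GPO version (user half in the high 16 bits, computer half in the low 16 bits) from the GPC's versionNumber attribute and from the Version= line of the GPT's gpt.ini. The function names and the sample GPOs are hypothetical and the sample values are constructed.

```powershell
# Added example. Function names and sample data are hypothetical/constructed.

# Split a 32-bit GPO version into its user (high 16 bits) and computer (low 16 bits) halves.
function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        User     = [int]($Version -shr 16)
        Computer = [int]($Version -band 0xFFFF)
    }
}

# Read the Version= value from the text of a GPT's gpt.ini file.
function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptIniText)
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') {
        return [uint32]$Matches[1]
    }
    throw 'gpt.ini contains no Version= line'
}

# Compare the GPC version (AD) with the GPT version (SYSVOL) for one GPO.
function Test-GpoVersionSync {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$GpcVersion,  # versionNumber attribute of the GPC object
        [Parameter(Mandatory)][string]$GptIniText   # contents of Policies\{GUID}\gpt.ini in SYSVOL
    )
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersion
    $gpt = ConvertFrom-GpoVersion -Version (Get-GptIniVersion -GptIniText $GptIniText)
    [pscustomobject]@{
        Name        = $Name
        GpcUser     = $gpc.User
        GptUser     = $gpt.User
        GpcComputer = $gpc.Computer
        GptComputer = $gpt.Computer
        InSync      = ($gpc.User -eq $gpt.User) -and ($gpc.Computer -eq $gpt.Computer)
    }
}

# Constructed sample: the first GPO is in sync; in the second, the GPT copy on this
# domain controller is one computer-side revision behind the GPC (FRS has not caught up).
$samples = @(
    @{ Name = 'Sample-Baseline'; GpcVersion = 131074; GptIniText = "[General]`r`nVersion=131074`r`n" },
    @{ Name = 'Sample-Lagging';  GpcVersion = 196613; GptIniText = "[General]`r`nVersion=196612`r`n" }
)
$samples | ForEach-Object { Test-GpoVersionSync @_ } | Format-Table -AutoSize
```

On a live domain, the same two numbers are exposed per GPO by the GroupPolicy module's Get-GPO cmdlet as the DSVersion and SysvolVersion properties of its User and Computer members.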

Question: What is the URL to your 14 Group Policy Video?
Answer: Here is the link: https://www.microsoft.com/events/series/grouppolicy.mspx However, I am starting to find out that some of the webcasts are being removed. I am still looking into it.

Question: Does the default domain GPO get applied to domain controllers, too?
Answer: Yes, in fact a majority of the settings for the default GPO are computer-based.

Question: With Windows XP, if the policies are applied asynchronously, could that mean that if you had a GP which denies users the ability to log on at that machine, they could log on because the policy has not yet been applied?
Answer: This is possible but not likely; all security settings get applied first.