Webcast Part 1 of 3

Understanding Group Policy Webcast

Q&A from 4-14-2006

I've got some more coming, thanks for your patience.

Questions and Answers:
Asked: I can no longer edit my domain Windows Firewall settings via the GPMC; it's just not visible from my machine. What would cause this to happen?
Answered: You might not have the admin template (.adm file) that contains the Windows Firewall settings so you can manage them. Check out this document, and you should be able to find the portion that describes how to import those settings into your own administrative tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Asked: What is the best starting point for all group policy information at Microsoft?
Answered: You can actually enter http://www.microsoft.com/grouppolicy and get right to the main technology page that contains links to all related resources.
Asked: When you move the computers into a new OU, are they no longer listed in the OU you took them from?
Answered: Correct, when you move to a different OU, they will be removed from their existing OU and any GPOs associated with the old OU will no longer apply.
Asked: Is there a hierarchical relationship among domain, site, and OU?
Answered: To some extent, yes - though sites are physical entities, and domains and OUs are logical. The order of "Local, site, domain, OU, and sub-OU" has to do with how policies are read and applied.
Asked: When you apply software to an OU, is it installed based on the computer they log into or is it user based?
Answered: Um... YES. 🙂 It depends on if you've created the software policy to apply to the user or to the workstation. You can do either. Or both. (but you probably would choose one or the other.)
Asked: In a small company and DO NOT plan on delegating administrating roles, can I create Groups instead of OUs?
Answered: Sure... but you may still want to use OUs for the sake of applying Group Policy, if not for simply organizing objects in your directory.
Asked: What is the order of precedence for policies set at different levels from Site to PC, with conflicting entries?
Answered: The default order is the last setting to be applied wins. The policies are applied in this order: local, site, domain, OU, child OUs. In default situations this is the policy closest to the user. For example, if you had a policy at the domain level that enabled the run command, and a policy at the OU level that disabled the run command, by default the run command would be disabled. Why? Because the OU level is applied after the domain policy is applied. However, you can change this behavior with the No Override and Block Inheritance options.
Asked: Could you give me the website to download the virtual server?
Answered: http://www.microsoft.com/windowsserversystem/virtualserver/software/default.mspx
Asked: Will everything in the GPO be mapped when doing a backup/import from your production to your test environment? (GPMC help file states that some items may be dropped or cannot be mapped)
Answered: Yeah. If you back up and "restore", you can only restore to the domain from which it was backed up, because it includes domain-specific information. When you "import" a backup into a new domain, you lose domain-specifics, which might mean any settings that depend on domain-specific information.
Asked: Where in the file system can I find the Administrative Template files? (Example: Admin Template for Setup Windows Update Automatic Updates, wuau.adm, in client computers)
Answered: In the %systemroot%\windows\sysvol and %systemroot%\windows\inf directories.
Asked: Is a Local Admin a minimum privilege to read Security Log from a server?
Answered: Yes, all users can view application and system logs. Security logs are accessible only to system administrators.
Asked: Would a GPO also apply for users that are VPN'd into the domain?
Answered: Yes. Unless a slow link is detected, policy should apply.
Asked: Where is the Group Policy Management Console download?
Answered: http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx
Asked: Is the GPMC just a snap-in to the MMC or is it available as a standalone app?
Answered: It installs as and is runnable as a standalone app, but it is really an MMC-based tool.
Asked: How would one un-tattoo the registry?
Answered: You would have to recreate the policy and then delete the setting.
Asked: Is the GP staging environment done for GPO modeling and results?
Answered: You can run GPO Modeling and Results against a live production environment, too... no fear of getting in the way of production processing.

