Implementing a Group Policy Infrastructure Flashcards
(90 cards)
What is the default group policy application?
It applies in the following order:
- Local Machine
- AD Site
- AD Domain
- OU
AKA: LSDOU - Last to apply wins
What are the different ways you can manipulate the application of GPOs?
- WMI Filters
- Security Filtering (Modify the GPO to Specify a Security Group or User)
- Enforce - Allows this policy to always be read last and ignores blocks
- Block inheritance
- Modify the link order
- Disable the Group Policy Link
What is loopback processing?
What are the two options?
Essentially, loopback processing changes the standard group policy processing. The user configuration settings are applied based on the computer's GPO scope during logon.
Merge or Replace
What are the three states that most group policies have?
What should you watch out for?
- States
- Not Configured
- Enabled
- Disabled
- Watch out for the double negatives (I.E. Do not and disabled)
How do you delegate the permission to create GPOs?
Add the user to the Group Policy Creator Owners AD group
or
In the Group Policy Management Console (GPMC), add the user to the Group Policy Objects delegation tab
How do you delegate the ability to Link a GPO?
Can you narrow the delegated permissions?
- Delegate the ability to link a GPO
- You can select the Domain
- Select the delegation tab
- Make sure Permission is set to Link GPOs
- Select Add.. and select a user or group to add
- Yes - Just select the OU that you would like to give them the ability to link GPOs to (this includes sub OUs). If you need to modify this you will need to go into Advanced..
How would you delegate the ability to Edit a single GPO?
- Select the GPO you would like to delegate
- Select the delegation tab
- Add the user or group
- Set the permissions (Read - Able to read the policy, Edit settings - can edit the GPO but not edit the owner, Edit settings, delete, modify security - Edit all of the policy including the owner or delegation)
How would you delegate the ability to create a WMI Filter?
Select the WMI Filters folder
Select the delegation tab
Select the User
Set permissions (Creator Owner - only can create/edit what he owns, Full control - Unrestricted WMI access)
How do you delegate the ability to Perform Group Policy Modeling analysis?
Can you narrow the delegated permissions?
- Delegate the ability to Perform Group Policy Modeling analysis
- You can select the Domain
- Select the delegation tab
- Make sure Permission is set to Perform Group Policy Modeling analysis
- Select Add.. and select a user or group to add
- Yes - Just select the OU that you would like to give them the ability to link GPOs to (this includes sub OUs). If you need to modify this you will need to go into Advanced..
How do you delegate the ability to Read Group Policy Results data?
Can you narrow the delegated permissions?
- Delegate the ability to Read Group Policy Results data
- You can select the Domain
- Select the delegation tab
- Make sure Permission is set to Read Group Policy Results data
- Select Add.. and select a user or group to add
- Yes - Just select the OU that you would like to give them the ability to link GPOs to (this includes sub OUs). If you need to modify this you will need to go into Advanced..
How do you backup a GPO?
- GUI
- PowerShell
- Single
- All
- GUI
- Select the group policy in Group Policy Objects
- Right-Click, select Backup GPO..
- Select a Location and enter a Description
- PowerShell
- Backup-GPO -Name < Name of GPO > -Path < Path to save to > -Comment < if so desired >
- Backup-GPO -All -Path < Path to save to > -Comment < if so desired >
What is the difference between Restoring a GPO and Importing a GPO?
Restoring:
- Only for Original Domain
- A GPO with the same name must exist
Importing:
- GPO can be in a different domain or forest than the backup
- It does not have to exist prior to the operation
- The existing attributes of the target GPO, such as security filtering, delegation, links, and WMI filtering, are left untouched
How do you Restore a GPO?
- GUI
- PowerShell
GUI:
- In the Group Policy Management Console
- Select the Group Policy Object, Right-Click
- Select Restore from backup..
- Click through the wizard and select the location of backups and the GPO
PowerShell:
- Restore-GPO -Name < Name of the GPO > -Path < Path of backups >
How do you copy a GPO (within the same domain)?
- GUI
- PowerShell
GUI:
- Right-Click the GPO, Select Copy
- Right-Click where you want to paste it and click Paste
- Select to use The Default Permissions For New GPOs
or choose Preserve The Existing Permissions
PowerShell:
- Copy-GPO -SourceName < Name of GPO > -TargetName < GPO to be created >
How do you Import a GPO?
- GUI
- PowerShell
GUI:
- In the GPMC
- Right-Click the GPO, select Import Settings
- Backup the GPO if desired
- Select the Backup location for the settings you want to import
PowerShell:
- Import-GPO -BackupGpoName < Backup GPO Name > -TargetName < Name of GPO to import to > -Path < Backup Path > -CreateIfNeeded
How do you copy a GPO (between two domains)?
- GUI
- PowerShell
GUI:
- Open the GPMC and navigate to the Group Policy Objects container for the domain you want to copy a GPO from.
- Right-click the source GPO and select Copy.
- In the target domain, right-click the Group Policy Objects container and select Paste.
- In the Cross-Domain Copying Wizard, click Next on the Welcome page.
- On the Specifying Permissions page, select Use The Default Permissions For New GPOs or choose Preserve The Existing Permissions.
- Click Next. On the Scanning Original GPO page, read the Scan Results. You might have references that you need to address. If not, skip the next step.
- On the Migrating References page, you can choose to copy the references or use a Migration Table.
- Click Next, click Finish, and then click OK.
PowerShell:
- Copy-GPO -SourceName < Name of GPO > -TargetName < GPO to be created > -TargetDomain < Domain to send to >
How do you create a Migration Table?
- Open the GPMC (Group Policy Management Console)
- Select the Domain
- Right-Click Group Policy Objects and select Open Migration Table Editor
- You can populate from a GPO or Backup
- Then you must fill in the Destination Name
When would you use a Migration Table?
When importing a GPO
- How do you reset the Default Domain Policy?
- How do you reset the Default Domain Controller Policy?
- How do you reset both at the same time?
- If you are resetting a default policy and the schema is not the same as what it is shipped with, what should you do?
- How do you reset the Default Domain Policy?
- DCGPOFix /target: Domain
- How do you reset the Default Domain Controller Policy?
- DCGPOFix /target: DC
- How do you reset both at the same time?
- DCGPOFix /target: Both
- If you are resetting a default policy and the schema is not the same as what it is shipped with, what should you do? (I.E. You update the schema to allow a new feature to work, like BitLocker)
- DCGPOFix /ignoreschema /target: {Domain | DC | Both}
When enforcing a GPO what happens?
- It will have the highest precedence, meaning it is the last to apply
- Blocking Inheritance will not stop the policy from applying
What does blocking inheritance do?
- Allows you to block all non-enforced group policy objects
- Enforced Group Policy Objects will still be the last to apply (Precedence of 1)
- What does changing the link order of Group Policies do?
- Where would you change this?
- What does changing the link order of Group Policies do?
- It changes the order in which the policy is applied. (I.E. if the GPO (GPO2) is in link order 2 and you move it to link order 1 - It will be moved back in the processing order making it apply after GPO 1)
- Where would you change this?
- Where the group policy is linked. (Note: You can only change the inheritance based on where the GPO is linked)
How would you filter a GPO to only apply to a certain group?
- In the group policy object, on the Scope Tab, select Authenticated Users
- Click Remove
- Click Add… Select the group you would like it to apply to
How would you add a WMI Filter to a GPO?
- Open the GPMC
- Select the Domain
- Next, if you do not already have a WMI filter created, you need to create a WMI Filter
- Select the Group Policy, In the Scope Tab
- Select a WMI Filter