Group Policy Interview Questions – Part 2

By | June 7, 2020

What is Microsoft AGPM?
Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide comprehensive change control and improved management for Group Policy Objects (GPOs). AGPM is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance.

What is RSoP?
RSoP (Resultant Set of Policy) is a report of Group Policy settings within Active Directory that shows how those settings can affect a network, or how existing Group Policy Objects (GPOs) affect various combinations of users and computers when the local security policy is applied.

What is Group Policy Preferences?
Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings are administrative configuration choices deployed to desktops and servers.

Important Note: Item-level targeting can be only used for Preferences settings.

Preference settings differ from policy settings because users have a choice to alter the administrative configuration. Policy settings administratively enforce setting, which restricts user choice.

What is Security Filtering in Group Policy?
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.

What is Enforced GPO?
Enforced (No override) is a setting that is imposed on a GPO, along with all of the settings in the GPO, so that any GPO with higher precedence does not “win” if there is a conflicting setting.

What is WMI filtering in Group Policy?
WMI filtering is used to add a decision on when to apply a given group policy. This can be very useful when users or computers are located in a relatively flat structure instead of specific OU’s.

Example. Filters can also help when you need to apply certain policies based on server roles, operating system version, network configuration, or other criteria. Windows evaluates these filters in the following order of overall Group Policy Processing:

  1. Policies in hierarchy are located.
  2. WMI Filters are checked.
  3. Security settings are checked.
  4. Finally, once everything has passed, a group policy is applied.

So it find all the policies that exist in the user/computer’s Local, Site, Domain, and OU hierarchy. Then it determine if the WMI filter evaluates as TRUE. Then it verify that the user/computer has Read and Apply Group permissions for the GPO. This means that WMI filters are still less efficient than hierarchical linking, but can definitely use filters to make decisions in a non-hierarchical Active Directory design.

Leave a Reply

Your email address will not be published. Required fields are marked *