4 Understanding the Architecture of Group Policy Processing


8/10/2019 4 Understanding the Architecture of Group Policy Processing

1/32

16/11/2014 4 Understanding the Architecture of Group Policy Processing

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=5&FontSize= 1/32

    4 Understanding the Architecture of Group Policy Processing

    Section Topics

    Group Policy Components in AD DS

    Understanding the Group Policy Processing Sequence

    Modifying Group Policy Processing

    Section Objectives

    After completing this section, you will be able to:

    Describe the Active Directory components that you can use to deploy Group Policy

    Explain the order in which Group Policy is deployed in Active Directory

    Describe the methods that are available to modify Group Policy processing

    Section Overview

Troubleshooting Group Policy involves more than knowing when to use which tool. You also need to understand the Group Policy infrastructure, the GPO structure, and the Group Policy deployment order. This section describes the concepts that you must grasp in order to troubleshoot Group Policy. It also describes the options that are available to change the standard Group Policy processing sequence.

    Group Policy Components in AD DS


Figure 80: Group Policy Components in AD DS

All domain controllers and computers that are members of the domain use certain Active Directory components to deploy Group Policy settings. Figure 80 lists these components.

You must have access to the physical and logical network diagrams of your Active Directory network infrastructure to troubleshoot Group Policy.

Sysvol Folder

Figure 81: Sysvol Folder

The Sysvol folder is a system folder located in the NTFS file system of every Active Directory domain controller, in %SystemRoot%\Sysvol. This folder contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.


Sysvol Details

The domain where the user account is located also contains the Group Policy settings of the authenticating user. These settings are stored in the Sysvol folder on each domain controller and replicated throughout the domain using the FRS.

The FRS monitors and updates the changes to Group Policy, startup and shutdown scripts, and logon and logoff scripts. If your Active Directory is made up of multiple sites (subnets), the locations of your Sysvol folders will be separated by WAN links.

If you have multiple sites, and each site contains multiple domain controllers, your network map can get very complicated and much more dependent on the replication process.

PDC Emulator

Figure 82: PDC Emulator

One domain controller per domain is assigned the role of PDC (primary domain controller) emulator. Only one domain controller can have this role per domain. The PDC emulator role is automatically assigned to the first domain controller in an Active Directory domain.

When Group Policy settings are first created or modified using the Active Directory Users and Computers console, the current live Group Policy settings are pulled from the domain controller in the domain that is the PDC emulator.

You can use a variety of tools and utilities to find out which domain controller is currently the PDC emulator. One of the most helpful methods is using the Netdom support tool with the following syntax at the command prompt:

netdom query fsmo

Another support tool is Addiag, which can tell you if all the domain controllers in the domain know who the current PDC emulator is.

Note

You can use the Dcgpofix command-line tool to restore the Default Domain Policy and Default Domain Controllers OU policy to their original state. This tool works only in Windows 2003 or later domains.

Client-Side Extensions

Although the components of each GPO are stored in Active Directory, the client itself processes each linked GPO using client-side extensions. Client-side extensions are a collection of local DLLs that have one specific job: to process all enabled GPOs found on the server at logon or at a specific processing time.

The available policy settings are grouped into specific categories including administrative templates, security, folder redirection, wireless, IPSec, EFS, and software installation. After the client determines which GPOs to apply, each GPO is passed to the client-side extensions.

The following topic describes registry client-side extensions, which apply the settings from within the Administrative Templates section to a client computer.

Registry Client-Side Extensions


Registry client-side extensions deal with the Group Policy settings contained in the Administrative Templates section. Note that some settings are hidden by default; these hidden settings are defined as true policies. The settings that are available and loaded by default are called preferences and are listed in Figure 83.

GUID                                   Group Policy Component
25537BA6-77A8-11D2-9B6C-0000F8080861   Folder redirection
3610EDA5-77EF-11D2-8DC5-00C04FA31A66   Disk quota
42B5FAAE-6536-11D2-AE5A-0000F87571E3   Scripts
827D319E-6EAC-11D2-A4EA-00C04F79F83A   Security
B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A   EFS recovery
C6DC5466-785A-11D2-84D0-00C04FB169F7   Application management
A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B   Internet Explorer settings
35378EAC-683F-11D2-A89A-00C04FBBCFA2   Registry settings
e437bc1c-aa7d-11d2-a382-00c04f991e27   IP Security

Figure 83: Registry Client-Side Extensions

    Group Policy Container


Figure 84: Group Policy Container

The policy setting information for a GPO is stored in the GPC (Group Policy container) and the GPT. The GPC stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.

A portion of the GPO is stored in Active Directory, and you can view it by using the Active Directory Users and Computers console. The GPC Active Directory object is created from an Active Directory class called groupPolicyContainer.

Each created GPO creates a separate GPC and corresponding component in Active Directory. You can link each GPO to other OUs in the same or remote domains. You can also create links to sites or other domain roots.

The GPC is used by user and computer accounts within the Active Directory database to process the GPO policies that will be applied.

Each GPO is assigned a unique 128-bit GUID. The GUID can be helpful in locating a policy object when the friendly name of the policy is not displayed, such as when browsing for the policy files in the Sysvol directory structure.

    Group Policy Template


Figure 85: Group Policy Template

The GPT (Group Policy template) is also used to store policy settings. The GPT stores the files that are created by the GPO in the Sysvol folder. It stores these files on the PDC emulator for each domain. The GPT stores the computer and user scripts, the GPO template files, and the Registry.pol files. The GPT is assigned a version number that tracks changes that are made to the policy.

The GPT and GPC are linked through the same GUID that is assigned to the GPO.

In order for Group Policy processing to properly process a computer and user, the contents of both the GPC and the GPT must be synchronized. Figure 86 lists the details of the essential Group Policy components and their location in Active Directory.

Active Directory Location                                         Contents                                Active Directory Container
Active Directory                                                  Binary and string information           GPC
Sysvol\Policies\GUID\User or Machine\registry.pol                 Policy settings for user and computer   GPT
Sysvol\Policies\GUID\User or Machine\CustomFolder\Custom File(s)  Policy related files and data           GPT

Figure 86: Group Policy Components

GPO Versioning

Figure 87: GPO Versioning

The number displayed on the properties of a GPO is not a version number; it is instead a revision number listing the number of changes to the User or Computer sections.

The version number of the GPO is calculated based on the total user and computer changes, and it is applied to both the GPC and the GPT.

If the version numbers of the GPT and GPC for a particular GPO are not the same, the GPO will not be processed until the version numbers match or are in sync. For the GPO to sync, the version numbers of both the GPT and the GPC must be identical on each domain controller in the domain.

Note

You can use the Replication Monitor to display the sync status of all GPOs using the Show Group Policy Object Status context menu option.
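The following script is an added example and is not part of the course material. It reads the two stores described above for every GPO, the GPC in Active Directory (the versionNumber attribute of the groupPolicyContainer object) and the GPT in Sysvol (the Version line in GPT.ini), on every domain controller, and reports any GPO whose two version numbers differ, which is exactly the condition under which a client will not process it. It assumes the ActiveDirectory module from RSAT and read access to each domain controller's Sysvol share; the function names are the example's own. It also shows how the single 32-bit version value packs the user-side count into the high 16 bits and the computer-side count into the low 16 bits.

```powershell
# Added example, not from the course text: compare GPC (AD) and GPT (Sysvol)
# versions for every GPO on every domain controller and report mismatches.
# Assumes the ActiveDirectory module (RSAT) and read access to each DC's Sysvol.
Import-Module ActiveDirectory

function Split-GpoVersion {
    # A GPO version is one 32-bit value: user version in the high 16 bits,
    # computer version in the low 16 bits.
    param([uint32]$Version)
    [pscustomobject]@{
        User     = [int]($Version -shr 16)
        Computer = [int]($Version -band 0xFFFF)
    }
}

function Get-GptIniVersion {
    # Reads "Version=<n>" from a GPT.ini file; $null when the file or line is missing.
    param([string]$GptIniPath)
    if (-not (Test-Path -LiteralPath $GptIniPath)) { return $null }
    foreach ($line in Get-Content -LiteralPath $GptIniPath) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    return $null
}

function Get-GpoVersionSyncReport {
    # One row per GPO per DC; InSync is $false when AD and Sysvol disagree on that DC.
    $domain     = Get-ADDomain
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    foreach ($dc in $domain.ReplicaDirectoryServers) {
        $gpcs = Get-ADObject -Server $dc -SearchBase $policiesDn `
            -LDAPFilter '(objectClass=groupPolicyContainer)' `
            -Properties displayName, versionNumber, gPCFileSysPath

        foreach ($gpc in $gpcs) {
            # gPCFileSysPath is a domain-based UNC path (\\domain\SysVol\...);
            # point it at this DC so the GPT read is not redirected to another replica.
            $gptRoot    = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$dc"
            $gptVersion = Get-GptIniVersion -GptIniPath (Join-Path $gptRoot 'GPT.ini')
            # versionNumber is stored as a signed 32-bit integer; mask to avoid a cast error.
            $adVersion  = [uint32](([int64]$gpc.versionNumber) -band 0xFFFFFFFF)
            $ad         = Split-GpoVersion -Version $adVersion
            $sysvolUser = $null; $sysvolComputer = $null
            if ($null -ne $gptVersion) {
                $gpt = Split-GpoVersion -Version $gptVersion
                $sysvolUser = $gpt.User; $sysvolComputer = $gpt.Computer
            }

            [pscustomobject]@{
                GPO            = $gpc.displayName
                Guid           = $gpc.Name
                DC             = $dc
                ADUser         = $ad.User
                ADComputer     = $ad.Computer
                SysvolUser     = $sysvolUser
                SysvolComputer = $sysvolComputer
                InSync         = ($null -ne $gptVersion) -and ($gptVersion -eq $adVersion)
            }
        }
    }
}

# Show only the GPOs a client would refuse to process until replication catches up.
Get-GpoVersionSyncReport | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Running the full report (without the Where-Object filter) on each domain controller also shows the replication lag the FRS section below describes: a GPO edited a moment ago will be in sync on the PDC emulator first and on the other domain controllers only after the file and directory replication cycles have both completed.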


The following topic describes how the GPO version information is used once the GPO has been created.

How Version Information Is Used

After the GPOs have been created, the respective site, domain, or OUs link to the created GPOs using the Active Directory attribute found on each container object that references the GUID of each site, domain, or OU.

After a policy is linked to a site, domain, or OU, the DN of the policy is entered into the gPLink property on the selected site, domain, or OU.

A Windows client then uses the GetGPOList API to discover which GPOs it should process on the client. It also uses the computer name and IP address to identify the site that the user is in, determining which GPOs to associate with the computer system. In addition, the Windows client also uses the domain and OU location of the computer system to build the master list of which GPOs to apply.

Next, the version information and other GPO options (disabled, no override, and block policy inheritance) are read to determine what, if any, processing will take place. By default, if the current GPO settings have already been deployed, no reprocessing will be done unless mandated.

The needed client-side extension DLLs then swing into processing mode and apply their associated GPO settings.

    FRS Replication


Figure 88: FRS Replication

The process of replication is usually thought to dictate the movement of all changes in Active Directory.

However, the changes to Group Policy are replicated to the other domain controllers within the domain using the FRS (File Replication Service). The process is:

1. When changes are made to Group Policy, the PDC emulator is located and the settings are read from its Sysvol folder into cache.

2. After changes have been made, the Group Policy settings are saved back to the Sysvol folder on the PDC emulator. These changes signal the FRS to replicate the changes.

3. At the allotted replication time (up to 15 minutes), the FRS replicates the settings to the other domain controllers throughout the domain.

    DFS-R


Figure 89: DFS-R

DFS-R was introduced with Windows Server 2008 as a more efficient alternative to FRS. DFS-R only replicates the changes inside a file, instead of replicating an entire file each time a change occurs.

In order to use DFS-R for Sysvol replication, you must go through a step-by-step migration process to convert from FRS to DFS-R.

This process is thoroughly detailed in the following TechNet article:

http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx

If you have installed a new Windows Server 2012 domain, the DFS-R replication process will be enabled automatically.

    Understanding the Group Policy Processing Sequence


Figure 90: Understanding the Group Policy Deployment Order

Group Policy is deployed in the following order:

1. Local Group Policy settings are deployed first: Local administrators or administrators can configure local policies from the domain. Local policies can always be overridden by conflicting options from other levels and, therefore, have the least amount of precedence.

2. Site policies are applied next: Enterprise administrators can configure site policies. These policies apply to the subnet IDs that match the site that the computer or user is located within. This allows for location-based GPO deployment.

3. Domain policies are applied after the site policies: Enterprise administrators and domain administrators can configure domain policies. These policies apply to all users and computers in the same domain. A Default Domain policy already exists at this level. Additional policies can be applied to the domain; however, they should be limited because they can impact such a large portion of the environment.

4. OU policies are applied last: All administrators and any users that have been delegated permissions to the OU can configure OU policies. OU policies apply to all users and computers in the OU that the policy is linked to. Assigning policies to OUs provides more granularity and flexibility when it comes to determining the users and computers for which the policies should be effective.


Local Computer System

Remember that any local Group Policy settings deployed using the Gpedit.msc local policy editor or through the Local Security Policy console in the Administrative Tools menu will be deployed first, before any other network-based policy settings. The local Group Policy choices are pulled from the local Windows\System32\GroupPolicy folder.

It may be helpful to remember that the local registry hives, the logged-in user profile (NTUSER.DAT), and the Secedit.sdb security database are where all Group Policy settings are eventually deployed to, even if the settings are deployed from the site, domain, or OU. In the Local Security Policy console, the Effective Settings and Local Settings columns in the details pane indicate where the setting was applied.

If you, as a client, have read access to the local GPO, the settings apply to you even if you are the local administrator. Setting the read access to no access results in the local GPO not being applied to the local administrator.

Site GPOs

A GPO created within a site applies to all users and computers in the site. A site is one or multiple subnets joined together under an Active Directory site name.

Any Group Policy settings deployed at the Active Directory site level that are different from any previously applied local Group Policy overwrite the previously applied local settings. For example, if you enable a local setting to remove the Settings tab from the properties of the Display icon in Control Panel, it is deployed first.

If the exact same setting at the site level GPO is set to Not Configured, the end result at this point of the deployment cycle is that the Settings tab is now available.

Domain GPOs

A GPO created at the domain properties is applied to all users and computers in the domain, and to all users and computers in all child OUs and user containers.


If a conflict occurs with a previously applied local or site setting, the domain settings overwrite the local and site settings.

Organizational Unit

The OU settings are deployed next, potentially overwriting the local, site, and domain settings if a conflict occurs with a previously applied setting.

Child OU

If you use multiple OUs in your Active Directory design, any Group Policy settings deployed at the top of an OU tree flow down through the tree's child OUs, similar to the enforcement of permissions on an NTFS partition.

If you have multiple Group Policy settings applied from multiple sources, you have an effective Group Policy built from the multiple GPOs applied to your network.

Note

For Group Policy to operate properly, the three key components that must be working are: Active Directory, DNS, and the FRS. Each Active Directory client uses the FQDN to attach to the domain controller and read the GPO.

    Modifying Group Policy Processing


Figure 91: Modifying Group Policy Processing

The standard Group Policy processing behavior is based upon inheritance. Policies implemented at higher levels of the OU structure are inherited down the OU tree structure.

Using Group Policy Inheritance

Figure 92: Using Group Policy Inheritance

To manage Group Policies most effectively, you must have a good foundation to apply them to.

This foundation normally exists as a hierarchy of OUs within the domain environment. Group Policies certainly can be applied at the site and domain levels, but the real power of Group Policy is in being able to apply it in a granular fashion.

When you apply a GPO to an OU structure, remember that a policy applied at a parent OU will automatically be inherited by all child and grandchild OUs. Leverage this default behavior so that settings that really should apply to a broad range of users and computers are applied at a higher parent level, while settings that should affect only a subset of accounts are applied at a child OU.

Structuring the OUs appropriately can make this process much easier.

An example of a useful corporate standard GPO is: Only authorized users can access the command prompt or the registry editor. One way to define this GPO is to set the Prevent access to the command prompt and Prevent access to registry editing tools policy settings and link these settings to an OU, for example the Domain_User_Accounts OU. This action will result in these settings being applied to all users in the Domain_User_Accounts OU.

Then create a GPO, such as an Administrator_Policy GPO, which explicitly allows administrators access to the command prompt and registry editing through a security group filter applied to the Administrator_Policy GPO. Therefore, the GPO linked to the Administrator_Policy GPO will override the settings configured in the Standard User Policy GPO.

If another group of users requires access to the command prompt, but not the registry, you can create another child GPO that allows access. Access to the registry editing tools is still denied because the new GPO does not override the registry tools setting made in the Domain_User_Accounts GPO.

When you set the default values for security-related settings, such as restricted group membership and file system access and registry access permissions, remember that these settings work on a last-write-wins principle; the settings in this case are not merged.

Changes to a GPO are saved immediately and, therefore, could be applied prematurely if a client computer refreshes its policies. It is a good idea to keep the GPO unlinked from its production location (site, domain, or OU) until you have fully tested the policy. While you are developing the GPO, keep it either unlinked or linked to a test OU.

Sometimes, the default processing is not desired, and it can therefore be disrupted using several mechanisms. The following topics discuss ways to modify Group Policy processing.


Using the Block Inheritance and Enforce Options

Figure 93: Using Block Inheritance and Enforce Options

Sometimes this normal inheritance process can be limiting. For that reason, you can disrupt the inheritance of higher-level policies in three different ways:

Contradictory settings: If a child OU has the need to opt out of a particular Group Policy setting, you can create a new GPO at that level that has the opposite setting. The last policy applied in the processing sequence wins.

Block inheritance: When a large number of settings are configured at a higher level and many of them should not apply to a child OU, you can enable the Block Inheritance attribute on the OU so that no policies from above will apply.

Enforce: You can apply the Enforce option at higher levels of the policy architecture to ensure that certain policies cannot be overridden or blocked. The Enforce option is applied to an individual GPO. Some GPOs can be overridden or blocked while others can be mandatory, so to speak. The Enforce option always wins.
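The following script is an added example, not part of the course material, that ties the deployment order (local, site, domain, OU, child OU) to the three mechanisms just listed. It simulates how the processing order is built when Block Inheritance is set on a container and Enforce is set on a link, then applies each GPO's settings in that order so the last-write-wins result is visible before anything is linked in production. All scope names, GPO names and setting names are constructed sample data, and the function names are the example's own.

```powershell
# Added example, not part of the course text: simulate the Group Policy
# processing order with Block Inheritance and Enforce, then resolve conflicting
# settings on a last-write-wins basis. All names below are constructed.

function Resolve-GpoApplicationOrder {
    # $Scopes runs from the outermost scope to the container holding the account.
    # Each scope: @{ Name; IsLocal; BlockInheritance; Links = @(@{ Gpo; Enforced; Enabled }) }
    # Links are listed in link order: index 0 is link order 1, the highest
    # precedence inside that container, so it is applied last within it.
    param([Parameter(Mandatory)][object[]]$Scopes)

    $normal   = New-Object System.Collections.Generic.List[string]
    $enforced = New-Object System.Collections.Generic.List[string]

    for ($i = 0; $i -lt $Scopes.Count; $i++) {
        $scope = $Scopes[$i]
        # Block Inheritance on any container below this one discards this
        # container's non-enforced links. Local policy is not delivered through
        # a link, so blocking does not remove it.
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Scopes.Count; $j++) {
            if ($Scopes[$j].BlockInheritance) { $blockedBelow = $true; break }
        }
        $links = @($scope.Links | Where-Object { $_.Enabled })

        if ($scope.IsLocal -or -not $blockedBelow) {
            for ($k = $links.Count - 1; $k -ge 0; $k--) {
                if (-not $links[$k].Enforced) { $normal.Add($links[$k].Gpo) }
            }
        }
        # Enforced links survive Block Inheritance and are applied after every
        # non-enforced link; collected top-down here and reversed below.
        foreach ($link in $links) {
            if ($link.Enforced) { $enforced.Add($link.Gpo) }
        }
    }
    # An enforced link on a higher container beats one on a lower container,
    # so the domain-level enforced GPO must be applied last of all.
    $enforced.Reverse()
    return $normal.ToArray() + $enforced.ToArray()
}

function Get-EffectiveSettings {
    # Applies each GPO's settings in order; the last writer wins, and a GPO that
    # does not configure a setting leaves the earlier value in place.
    param([string[]]$Order, [hashtable]$GpoSettings)
    $effective = [ordered]@{}
    foreach ($gpo in $Order) {
        if (-not $GpoSettings.ContainsKey($gpo)) { continue }
        foreach ($entry in $GpoSettings[$gpo].GetEnumerator()) {
            $effective[$entry.Key] = [pscustomobject]@{ Value = $entry.Value; SetBy = $gpo }
        }
    }
    return $effective
}

# Constructed scenario: an enforced domain policy, a child OU that blocks
# inheritance, and two GPOs that disagree about the command prompt.
$scopes = @(
    @{ Name = 'Local'; IsLocal = $true; BlockInheritance = $false
       Links = @(@{ Gpo = 'Local GPO'; Enforced = $false; Enabled = $true }) },
    @{ Name = 'Site'; IsLocal = $false; BlockInheritance = $false
       Links = @(@{ Gpo = 'Site-Proxy'; Enforced = $false; Enabled = $true }) },
    @{ Name = 'Domain'; IsLocal = $false; BlockInheritance = $false
       Links = @(@{ Gpo = 'Default Domain Policy'; Enforced = $true; Enabled = $true },
                 @{ Gpo = 'Domain-Baseline'; Enforced = $false; Enabled = $true }) },
    @{ Name = 'OU=Users'; IsLocal = $false; BlockInheritance = $false
       Links = @(@{ Gpo = 'Standard User Policy'; Enforced = $false; Enabled = $true }) },
    @{ Name = 'OU=Admins,OU=Users'; IsLocal = $false; BlockInheritance = $true
       Links = @(@{ Gpo = 'Administrator_Policy'; Enforced = $false; Enabled = $true }) }
)
$settings = @{
    'Domain-Baseline'       = @{ DisableCMD = 'Enabled';  ScreenSaverTimeout = 900 }
    'Standard User Policy'  = @{ DisableCMD = 'Enabled';  DisableRegedit = 'Enabled' }
    'Administrator_Policy'  = @{ DisableCMD = 'Disabled'; DisableRegedit = 'Disabled' }
    'Default Domain Policy' = @{ MinPasswordLength = 14 }
}

$order = Resolve-GpoApplicationOrder -Scopes $scopes
"Application order (last wins): " + ($order -join ' -> ')
Get-EffectiveSettings -Order $order -GpoSettings $settings
```

With this constructed data, Block Inheritance on the Admins OU drops the site link, the non-enforced domain link and the Users OU link, so the screen-saver timeout from Domain-Baseline never reaches the administrators, while the enforced Default Domain Policy is still applied, and applied last. Swapping the Enforced flag between the two domain links, or clearing BlockInheritance, shows how each option alone changes the outcome.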

    Using Security Filtering


Figure 94: Using Security Filtering

In order for a GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO. By default, Authenticated Users have both Read and Apply Group Policy permissions set to Allow. If you want only a subset of users within an OU to receive a GPO, remove Authenticated Users from the ACL on the desired GPO.

Next, add a new group with the security filtering permissions that contains the subset of users who are to receive the GPO. Only members of this group that are within the site, domain, or OU where the GPO is linked receive the GPO; members of the group in other sites, domains, or OUs will not receive the GPO.
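The following script is an added example, not part of the course material, that performs the two steps above with the GroupPolicy module's Set-GPPermission and Get-GPPermission cmdlets and then lists who can apply the GPO afterwards. It differs from the text in one respect: Authenticated Users keep Read and lose only Apply Group Policy, because since the June 2016 security update MS16-072 the computer account retrieves a GPO's user-side settings, and a computer that cannot read the GPO silently drops them. The GPO name is taken from the example in the inheritance topic; the group name and function names are constructed.

```powershell
# Added example, not part of the course text: scope a GPO to one security
# group and audit the resulting permissions. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoApplyTrustees {
    # Lists every trustee on the GPO and whether it can apply the GPO;
    # GpoApply is the only permission level that carries Apply Group Policy.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            Trustee  = $_.Trustee.Name
            Type     = $_.Trustee.SidType
            Level    = $_.Permission
            CanApply = ($_.Permission -eq 'GpoApply')
        }
    }
}

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Keep Read on Authenticated Users (so computer accounts can still read the
    # GPO, see MS16-072) but remove Apply Group Policy. -Replace is required,
    # because without it the cmdlet never lowers an existing permission level.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # The filtering group receives Read and Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    Get-GpoApplyTrustees -GpoName $GpoName
}

# Constructed usage: only members of GPO-StandardUsers will apply the GPO.
Set-GpoSecurityFilter -GpoName 'Standard User Policy' -GroupName 'GPO-StandardUsers' |
    Format-Table -AutoSize
```

Get-GpoApplyTrustees on its own is a quick audit of a GPO that applies to unexpected accounts: any trustee listed with CanApply set to True, within the site, domain or OU where the GPO is linked, will receive it.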

Isolating Administrators

You might want to prevent certain Group Policy settings from applying to the Administrators group. To accomplish this, you can do one of the following:

Create a separate OU for administrators and keep this OU out of the user infrastructure. In this case, administrators will not receive most of the settings that you provide for managed users. If this separate OU is a direct child of the domain, the only settings that administrators possibly receive are settings from GPOs linked either to the domain or the site. Because only broadly applicable settings should be linked here, it might be acceptable to let the administrators receive these settings; otherwise, you can set the Block Inheritance option on the Administrators OU.

Have administrators use separate administrative accounts only when administrative tasks are being carried out. Therefore, when not performing administrative tasks, they would still be managed by the applied Group Policy settings.

Implementing WMI Filters

Figure 95: Implementing WMI Filters

Although you can filter the applied settings of GPOs by modifying the ACLs for the policy links (security group filtering), there might be times that you want to apply a policy based on specific attributes of an individual client computer. In such situations, you would use WMI (Windows Management Instrumentation) filtering.

WMI provides a mechanism to collect various details of a computer's configuration through a programmatic interface. In many respects, WMI is similar to SNMP. WMI runs on Windows 2000 and later platforms.

A WMI filter is a collection of one or more queries (really conditions) written in WQL. A query might specify, for example, that a computer be running at least a Pentium III processor, or have a minimum OS version number. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.

So, for example, you could create a GPO that would apply only to computers with at least a Pentium III CPU. That sort of capability could come in handy, for example, when you are thinking of deploying a processor-intensive application.


WMI is powerful, but it is not appropriate in every situation. To help you create WMI filters, you can obtain the free WBEMTest tool from Microsoft. Once you have created the WMI filter, you must link it to a GPO.

Restrictions

WMI filtering has many conditions associated with it, making it unsuitable at present for deployment in mixed-mode networks. Here is what you should know:

Windows 2000 Professional clients (and earlier) ignore WMI filters and always apply policies just as if the WMI filter did not exist.

Only Windows Server 2003 and later domains that have been prepped via the adprep /domainprep command support WMI filters.

WMI filters are domain-local in scope; that is, you cannot link a WMI filter to a GPO in a different domain.

Any given GPO can have only one associated WMI filter. (That is not too much of a restriction when you consider that a filter might have a long list of queries contained within it.)

Using the WBEMTest Tool

Figure 96: Using the WBEMTest Tool


    You can use the WBEMTest tool to become familiar with the structure of WMI. The GPMC

    does not provide any method to browse the WMI repository. The WBEMTest tool can be

    sed to display the WMI structure as a reference to build a filter from.

    Viewing WMI Classes

    A good way to become familiar with the WMI classes is to use the graphical WBEMTest tool,

    hich you can run from a command prompt.

    You will need to specify the namespace via the Open Namespacebutton, if it is anything

    other than root\cimv2.

    To view all of the classes beneath a root namespace, click the Enum Classesbutton, select

    ecursive, and then click OK. You will see a dialog box like the one shown in Figure 97.

    The WBEMTest Query Result Dialog Box

    igure 97: WBEMTest Query Result Dialog Box

    Then, if you double-click the item and click the Instances button, you can see the instances of objects of that class on the computer. For example, you would see that the Name property of the Win32_BIOS class on this computer is PhoenixBIOS 4.0 Release 6.0.3. Another way to express this is:


    Figure 98: Using PowerShell to Explore WMI (1)

    Use PowerShell to output a listing of all WMI classes within the root\CIMv2 namespace by using the following command:

    Get-WMIObject -list | Out-GridView

    This outputs the list of classes to the GridView window, which allows convenient navigation of the hundreds of items returned.

    Using PowerShell to Explore WMI (2)

    Figure 99: Using PowerShell to Explore WMI (2)

    Use PowerShell to output a listing of the items within a class by using the following command:

    Get-WMIObject Win32_OperatingSystem

    This displays the properties of the object on the screen. This information can then be used to design the query you would like to use as a WMI filter in a GPO.

    Using PowerShell to Explore WMI (3)


    Figure 100: Using PowerShell to Explore WMI (3)

    Use PowerShell to test a WQL query before attempting to use it in a GPO. Write the command as follows:

    Get-WMIObject -Query "Select * from Win32_OperatingSystem WHERE Version = '6.2.9200' AND ProductType = '2'"

    This command returns results only if the computer it is run against is version 6.2.9200 and the product type is 2. These are the attributes of a Windows Server 2012 machine.

    Creating a WMI Filter


    Figure 101: Creating a WMI Filter

    To create a new WMI filter:

    1. In the GPMC, right-click the WMI Filters node and select New.

    2. Name the filter, provide a description, and create your queries using WQL.

    3. Choose the WMI filter from the Scope tab of a GPO.

    Note

    WQL is similar to SQL, so if you are familiar with SQL, all you need are the specifics for the WMI data classes.
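The following is an added example, not code from the course: it takes the queries you would enter in step 2 above and evaluates them on the local computer the way the Group Policy client does, extending the single Get-WMIObject -Query test shown under "Using PowerShell to Explore WMI (3)" to a filter with several queries. The function name, its parameter layout and the sample filter are this example's own; only Get-WmiObject -Query comes from the course.

```powershell
# Added example, not part of the course text: evaluate every WQL query of a
# WMI filter on the local computer before the filter is linked to a GPO.
# Function name and parameter layout are this example's own.

function Test-WmiFilterQueries {
    [CmdletBinding()]
    param(
        # One hashtable per query, e.g. @{ Namespace = 'root\CIMv2'; Query = 'SELECT ...' }.
        # A GPMC WMI filter can hold several queries, each with its own namespace.
        [Parameter(Mandatory)]
        [hashtable[]] $Queries
    )

    $allSatisfied = $true
    foreach ($q in $Queries) {
        $ns = if ($q.Namespace) { $q.Namespace } else { 'root\CIMv2' }   # GPMC default namespace
        $count = 0
        try {
            # A query is satisfied when it returns at least one instance.
            $count = @(Get-WmiObject -Namespace $ns -Query $q.Query -ErrorAction Stop).Count
        } catch {
            # Unknown class, bad namespace or a WQL syntax error: report it and
            # treat the query as not satisfied so the defect is visible before
            # the filter reaches production.
            Write-Warning ("Query failed in {0}: {1} ({2})" -f $ns, $q.Query, $_.Exception.Message)
        }
        $satisfied = $count -gt 0
        if (-not $satisfied) { $allSatisfied = $false }

        [pscustomobject]@{ Namespace = $ns; Query = $q.Query; Matches = $count; Satisfied = $satisfied }
    }

    # The filter as a whole: the GPO applies only if every query was satisfied.
    [pscustomobject]@{ Namespace = '(filter)'; Query = 'all queries satisfied?'; Matches = $Queries.Count; Satisfied = $allSatisfied }
}

# Constructed sample filter. The first query is the course's Windows Server 2012
# test (Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = server). Version is a string, so use LIKE with % rather than a numeric
# comparison when a whole version family should match.
$sampleFilter = @(
    @{ Namespace = 'root\CIMv2'
       Query     = "SELECT * FROM Win32_OperatingSystem WHERE Version = '6.2.9200' AND ProductType = '2'" },
    @{ Namespace = 'root\CIMv2'
       Query     = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.%'" }
)

Test-WmiFilterQueries -Queries $sampleFilter | Format-Table -AutoSize
```

Run it on a computer that the filter should match and on one that it should not; the summary row's Satisfied value is what the GPO would see in each case. A warning for any query means the filter needs fixing before it goes on the Scope tab, because a query that cannot run never lets the GPO apply where you expect it to.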

    Changing the GPO Link Order


    Figure 102: Changing the GPO Link Order

    The GPO link order controls the order in which GPOs are applied within each domain, site, and OU.

    To change the GPO link order, move each link up or down in the list to the appropriate location by using the Up and Down buttons.

    Links with the lowest number have higher precedence for a given site, domain, or OU. For example, if you add three GPOs, the GPO highest in the list has a link order of 1. This GPO will be deployed last, only after the other two GPOs have been deployed. Because it is deployed last, the settings contained in that policy have a higher priority and will override any identical settings defined in the other two GPOs.
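The link-order rule above can be checked from PowerShell rather than by reading the GPMC list. The following is an added example, not code from the course: it lists the links of one site, domain or OU in the order the client applies them, so the link with order 1 (applied last, and therefore the one whose settings win) is easy to spot. Get-GPInheritance is the GroupPolicy module cmdlet; the two function names and the constructed sample links are this example's own.

```powershell
# Added example, not part of the course text: show the GPO links of one
# container in application order. Get-GPInheritance is a GroupPolicy module
# cmdlet; the function names and the sample links are this example's own.

function ConvertTo-GpoApplicationOrder {
    param(
        # Link objects with DisplayName, Order, Enabled and Enforced properties,
        # as found in (Get-GPInheritance -Target ...).GpoLinks
        [Parameter(Mandatory, ValueFromPipeline)] $Link
    )
    begin   { $links = @() }
    process { $links += $Link }
    end {
        # Disabled links are skipped. The highest link order number is applied
        # first; link order 1 is applied last, so its settings override the rest.
        $ordered = @($links | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
        for ($i = 0; $i -lt $ordered.Count; $i++) {
            [pscustomobject]@{
                AppliedStep = $i + 1
                LinkOrder   = $ordered[$i].Order
                GPO         = $ordered[$i].DisplayName
                Enforced    = [bool]$ordered[$i].Enforced
                AppliedLast = ($i -eq $ordered.Count - 1)
            }
        }
    }
}

function Get-GpoApplicationOrder {
    # Target is the distinguished name of a site, domain or OU,
    # e.g. 'OU=Servers,DC=example,DC=com' (placeholder).
    param([Parameter(Mandatory)] [string] $Target)
    Import-Module GroupPolicy -ErrorAction Stop
    (Get-GPInheritance -Target $Target).GpoLinks | ConvertTo-GpoApplicationOrder
}

# Constructed sample mirroring the course's three-GPO case; no domain needed.
$sampleLinks = @(
    [pscustomobject]@{ DisplayName = 'Baseline Security'; Order = 1; Enabled = $true; Enforced = $false },
    [pscustomobject]@{ DisplayName = 'Server Hardening';  Order = 2; Enabled = $true; Enforced = $true  },
    [pscustomobject]@{ DisplayName = 'Legacy Settings';   Order = 3; Enabled = $true; Enforced = $false }
)
$sampleLinks | ConvertTo-GpoApplicationOrder | Format-Table -AutoSize
```

With the sample links, Legacy Settings (order 3) is applied first and Baseline Security (order 1) last. The function only models ordering within a single container; the Enforce and Block Inheritance options described earlier change the outcome across containers, which is why the Enforced column is reported but not used to reorder anything.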

    Using Loopback Processing


    Figure 103: Using Loopback Processing

    The User Group Policy loopback processing mode policy setting applies the same user settings for all users who log on to the computer, based on the computer they log on to.

    When you apply GPOs to users, normally the same set of user policy settings applies to those users when they log on to any computer. By enabling the loopback processing policy setting in a GPO, you can configure user policy settings based on the computer location that they log on to. Those settings are applied regardless of which user logs on.

    You set the loopback policy inside each GPO by using the User Group Policy loopback processing mode policy setting under Computer Settings\Administrative Settings\System\Group Policy. Two options are available:

    Merge: In this mode, the list of GPOs for the user is gathered during the logon process, and the list of GPOs for the computer is gathered as well. The list of GPOs for the computer is then added to the end of the GPOs for the user. As a result, the GPOs of the computer have higher precedence than the GPOs of the user.

    Replace: In this mode, the list of GPOs for the user is not gathered. Instead, only the list of GPOs based on the computer object is used. The user configuration settings from this list are applied to the user.

    When you use the Replace option, you must ensure that both the computer and user portions of the GPO are enabled.
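The following is an added example, not code from the course: the first function works through the Merge and Replace rules above on a constructed pair of GPO lists, so the resulting order (and therefore which GPO's user settings win) can be seen for each mode; the second reads the value that the loopback policy setting writes on a client, which is useful when troubleshooting why a computer applies user settings it was not expected to. The function names and sample GPO names are this example's own; the UserPolicyMode registry value (1 = Merge, 2 = Replace) is the one the setting writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
# Added example, not part of the course text: model the Merge and Replace
# loopback modes on constructed GPO lists and read the loopback value policy
# has written locally. Function names and sample GPOs are this example's own.

function Get-LoopbackUserGpoList {
    param(
        [Parameter(Mandatory)] [string[]] $UserGpos,      # GPOs in the user's scope, in application order
        [Parameter(Mandatory)] [string[]] $ComputerGpos,  # GPOs in the computer's scope, in application order
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Merge', 'Replace')] [string] $Mode
    )
    switch ($Mode) {
        # No loopback: only the user's own GPOs supply user settings.
        'Disabled' { $UserGpos }
        # Merge: computer GPOs are appended after the user GPOs, so they are
        # applied later and their user settings take precedence where both define one.
        'Merge'    { $UserGpos + $ComputerGpos }
        # Replace: the user's list is discarded; only the computer's GPOs supply
        # user settings (so the user portion of those GPOs must be enabled).
        'Replace'  { $ComputerGpos }
    }
}

function Get-LocalLoopbackMode {
    # The "User Group Policy loopback processing mode" setting writes
    # UserPolicyMode under this key: 1 = Merge, 2 = Replace.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($v -eq 1) { 'Merge' }
    elseif ($v -eq 2) { 'Replace' }
    else { 'Disabled or not configured' }
}

# Constructed sample: a user from a Sales OU logging on to a kiosk computer.
$userGpos     = 'Default Domain Policy', 'Sales Users'
$computerGpos = 'Default Domain Policy', 'Kiosk Lockdown'

foreach ($mode in 'Disabled', 'Merge', 'Replace') {
    $list = Get-LoopbackUserGpoList -UserGpos $userGpos -ComputerGpos $computerGpos -Mode $mode
    '{0,-8}: {1}' -f $mode, ($list -join ' -> ')
}
"This computer's loopback mode: " + (Get-LocalLoopbackMode)
```

In Merge mode the sample prints Default Domain Policy -> Sales Users -> Default Domain Policy -> Kiosk Lockdown, so Kiosk Lockdown is applied last and its user settings win; in Replace mode only the two computer-scope GPOs remain. Get-LocalLoopbackMode reports only the value present on the machine it runs on, which is the effective setting after all GPOs have been processed.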

    Acronyms

    The following acronyms are used in this section:

    ACL    Access Control List
    ADSI   Active Directory Service Interfaces
    API    application programming interface
    BIOS   basic input/output system
    CD     compact disc
    CPU    central processing unit
    DLL    dynamic-link library
    DN     distinguished name
    DNS    Domain Name System
    EFS    Encrypting File System
    FQDN   fully qualified domain name
    FRS    File Replication Service
    GPC    Group Policy container
    GPMC   Group Policy Management Console
    GPO    Group Policy object
    GPT    Group Policy template
    GUID   globally unique identifier
    IP     Internet Protocol
    IPSec  IP Security
    MSI    Microsoft Windows Installer
    NTFS   New Technology File System
    OS     operating system
    OU     organizational unit
    PDC    primary domain controller
    SNMP   Simple Network Management Protocol
    SQL    Structured Query Language
    WAN    wide area network
    WMI    Windows Management Instrumentation
    WQL    WMI Query Language

    Section Review

    Summary

    Group Policy is based on the following components:

    Sysvol folder: A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.

    PDC emulator: A single domain controller per domain is assigned the role of PDC emulator. This role is automatically assigned to the first domain controller in an Active Directory domain.

    Group Policy container: Stores the policy setting information for a GPO. It stores the details of every GPO that is created in Active Directory. The GPC contains the version number of each GPO, its current status, and the installed components.

    Group Policy template: Stores the files that are created by the GPO in the Sysvol folder on the PDC emulator for each domain. It stores computer and user scripts, the GPO template files, and the Registry.pol files.

    Group Policy is deployed in the following order:

    1. Local Group Policy settings

    2. Site policies

    3. Domain policies

    4. OU policies


    The methods used to modify Group Policy processing are:

    Block Inheritance and Enforce options: The Block Inheritance attribute prevents higher-level policies from being applied to lower levels. Applied at higher levels of the policy architecture, the Enforce option ensures that certain policies cannot be overridden or blocked. This option is applied to an individual GPO.

    Security Filtering: Sets the ACLs to prevent or allow policies from applying to specific users or groups.

    WMI Filters: Consist of a collection of one or more queries (conditions) written in WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.

    GPO Link Order: Controls the order in which GPOs are applied within each domain, site, and OU.

    Loopback Processing: Configures the user policy settings based on the computer location that the users log on to.

    Knowledge Check

    1. Which Active Directory component does the following text describe?

    A system folder that is located in the NTFS file system of every Active Directory domain controller. It contains administrative templates, security settings, applied scripts, and details about MSI packages that will be installed.

    2. What is the Group Policy deployment order?

    3. Match each method used to modify Group Policy processing with its correct description.

    Write the letter of the description in the Answer column.

    Answer       Method                    Description
    1.________   GPO Link Order            A. It prevents higher-level policies from being applied to lower levels.
    2.________   Security Filtering        B. Controls the order in which GPOs are applied within each domain, site, or OU.
    3.________   WMI Filters               C. Configures the user policy settings based on the computer location that the users log on to.
    4.________   Block Inheritance Option  D. Consist of a collection of one or more queries (conditions) written in WQL.
    5.________   Loopback Processing       E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.

    Knowledge Check Answer Key

    The correct answers to the Knowledge Check questions are bolded.

    1. Which Active Directory component does the following text describe?

    A system folder that is located in the NTFS file system of every Active Directory domain

    controller. It contains administrative templates, security settings, applied scripts, and

    details about MSI packages that will be installed.

    Sysvol folder

    2. What is the Group Policy deployment order?

    Local

    Site

    Domain

    OU

    3. Match each method used to modify Group Policy processing with its correct description.

    Write the letter of the description in the Answer column.

    Answer Method Description
