Active Directory (AD) Real Time Interview Questions and Answers
I would like to share some Windows Active Directory interview questions and answers. I will
start with basic questions and continue with L1, L2 and L3 level questions.
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft and used to store objects such as
users, computers, printers and network information. It lets you manage your network effectively with
multiple Domain Controllers in different locations sharing the AD database: you can manage or change
AD from any Domain Controller and the change is replicated to all other DCs. It provides centralized
administration across multiple geographical locations and authenticates users and computers in a
Windows domain.
What is LDAP and how is LDAP used in Active Directory (AD)?
 http://www.windowstricks.in/ldap-and-ldap-query
What is Tree?
A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace

What is Domain?
Active Directory Domain Services is Microsoft’s Directory Server. It provides authentication and
authorization mechanisms as well as a framework within which other related services can be
deployed

What is Active Directory Domain Controller (DC)?


A Domain Controller is the server which holds the AD database. All AD changes are replicated to the
other DCs and vice versa

What is Forest?
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous
namespace, but they share a common schema and global catalog (GC)

What is Schema?
The Active Directory schema is the set of definitions that define the kinds of objects, and the type
of information about those objects, that can be stored in Active Directory

The Active Directory schema is a collection of object classes and their attributes

Object Class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?


http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html
Tell me about the FSMO roles?
Schema Master

Domain Naming Master

Infrastructure Master
RID Master

PDC

Schema Master and Domain Naming Master are forest-wide roles, with only one of each per forest.
The other roles are domain-wide, with one of each per domain

AD replication is multi-master replication: a change can be made on any Domain Controller and will
be replicated to the other Domain Controllers. The exception is the five roles above, the flexible
single master operations (FSMO): these changes can only be made on a dedicated Domain Controller,
so this is single-master replication

How to check which server holds which role?


Netdom query FSMO

Which FSMO role is the most important? And why?


This is an interesting question: which of the 5 FSMO roles is the most important, or which role's
failure will impact the end user immediately?

Most amateur administrators pick the Schema Master role, perhaps because they think the
schema is very critical to running Active Directory

The correct answer is PDC. The next question is why. To find the answer, let's go role by role through
what happens when a FSMO role holder fails

Schema Master – The Schema Master is needed to update the schema. We don't update the schema daily,
so when do we update it? During an operating system migration, when installing a new
Exchange version, or for any other application which requires extending the schema
So if the Schema Master server is not available, we can't update the schema, and in no way
does this affect Active Directory operation or the end user

The Schema Master needs to be online and ready when we make a schema change, so we can plan and
have more time to bring back the Schema Master server

Domain Naming Master – The Domain Naming Master is required for creating a new domain and creating
an application partition. As with the Schema Master, we don't create domains and application
partitions frequently
So if the Domain Naming Master server is not available, we can't create a new domain or
application partition. It may not affect users; users are not even aware that the Domain Naming
Master server is down

Infrastructure Master – The Infrastructure Master handles cross-domain updates. What really gets
updated between domains? Whenever a user logs in to the domain, a TGT is created with the list
of access the user has through group membership (the user's group membership details); it also
contains the user's membership details from trusted domains. The Infrastructure Master keeps this
information up to date: it updates reference information every 2 days by comparing its data with the
Global Catalog (that's why we don't keep the Infrastructure Master and GC on the same server)
In a single-domain and single-forest environment there is no impact if the Infrastructure
Master server is down
In a multi-domain and multi-forest environment there will be an impact, but we have enough time to
fix the issue before it affects the end user

RID Master – Every DC is initially issued 500 RIDs from the RID Master server. RIDs are used to
create new objects in Active Directory: every new object is created with a Security ID (SID), and the
RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local
or domain security authority that issued the SID
When a DC's pool gets down to 250 (50%), it requests a second pool of RIDs from the RID Master. If the
RID Master server is not available, RID pools cannot be issued to DCs, and each DC can only create
new objects for as long as its available RIDs last. Every DC has anywhere between 250 and 750
RIDs available, so there is no immediate impact
PDC – The PDC is required for time sync, user login, password changes and trusts. Now you know why
the PDC is the important FSMO role holder to get back online: losing the PDC role impacts the end
user immediately, and we need to recover it ASAP
The PDC emulator acts as the Primary Domain Controller for backwards compatibility and is responsible
for time synchronization within a domain; it is also the password master. Any password change is
replicated to the PDC emulator ASAP. If a logon request fails due to a bad password, the logon request
is passed to the PDC emulator to check the password before the login request is rejected.
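
The RID Master paragraph above, as an added Python example (not code from the original page): it decodes a binary SID to show that the RID is its last component, then models a DC's RID pool with the page's figures (500 RIDs per pool, a new pool requested at 250) to count how many objects a DC can still create once the RID Master is offline. The sample SID, the starting RID 1100 and all class and function names are constructed for illustration.

```python
import struct
from collections import deque

# Constructed sample: binary form of S-1-5-21-1004336348-1177238915-682003330-1104
SAMPLE_OBJECT_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                     + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1104))


def decode_sid(raw: bytes) -> str:
    """Decode a binary SID (the layout used by the objectSid attribute)."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_rid(sid: str):
    """Return (domain SID, RID): the RID is the last component of the SID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


class RidMaster:
    """Hands out consecutive blocks of RIDs; first_rid is a constructed value."""

    def __init__(self, first_rid=1100, block_size=500):
        self.next_rid, self.block_size, self.online = first_rid, block_size, True

    def issue_block(self):
        if not self.online:
            raise ConnectionError("RID Master unreachable")
        start = self.next_rid
        self.next_rid += self.block_size
        return range(start, start + self.block_size)


class DomainController:
    def __init__(self, domain_sid, master):
        self.domain_sid, self.master = domain_sid, master
        self.pool = deque(master.issue_block())        # initial pool of 500 RIDs

    def create_object(self):
        """Consume one RID and return the SID of the new security principal."""
        if not self.pool:
            raise RuntimeError("RID pool exhausted: no new security principals")
        rid = self.pool.popleft()
        if len(self.pool) <= self.master.block_size // 2:   # down to 50%
            try:
                self.pool.extend(self.master.issue_block())
            except ConnectionError:
                pass                                   # keep using what is left
        return "%s-%d" % (self.domain_sid, rid)


def creatable_after_outage(created_before):
    """Objects a DC can still create if the RID Master fails after
    `created_before` objects were created on that DC."""
    domain_sid, _ = split_rid(decode_sid(SAMPLE_OBJECT_SID))
    master = RidMaster()
    dc = DomainController(domain_sid, master)
    for _ in range(created_before):
        dc.create_object()
    master.online = False
    created = 0
    try:
        while True:
            dc.create_object()
            created += 1
    except RuntimeError:
        return created


if __name__ == "__main__":
    print(split_rid(decode_sid(SAMPLE_OBJECT_SID)))
    for used in (100, 249, 250):
        print(used, "created before outage ->", creatable_after_outage(used), "still possible")
```
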

Tell me about the Active Directory database and list the Active Directory database files?
NTDS.DIT

EDB.Log

EDB.chk

Res1.log and Res2.log

AD changes are not written directly to the NTDS.DIT database file: they are first written to EDB.Log
and then from the log file to the database. EDB.chk is used to track the database updates from the log
file, to know which changes have been copied to the database file.

NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is
%SystemRoot%\NTDS\ntds.dit. The Active Directory database engine is the Extensible Storage Engine,
which is based on the Jet database
EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log,
where num is an increasing number starting from 1, like EDB1.Log
EDB.chk: EDB.chk is the checkpoint file used to track the data not yet written to the database file.
It indicates the starting point from which data is to be recovered from the log file in case of failure
Res1.log and Res2.log: Res is the reserved transaction log file, which gives the transaction log file
enough time to shut down if the disk does not have enough space
What RAID configuration can be used in Domain Controllers?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html
Can we keep OS, log files, SYSVOL, AD database on same logical Disk?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

What are Active Directory partitions?

An Active Directory partition is how and where the AD information is logically stored.
What are all the Active Directory Partitions?
Schema
Configuration
Domain
Application partition
What is the use of Active Directory partitions, and
how do you find the Active Directory partitions and their locations?
Schema Partition – It stores details about objects and attributes. It replicates to all domain
controllers in the forest
DN location is CN=Schema,CN=Configuration,DC=Domainname,DC=com

Configuration Partition – It stores details about the AD configuration, such as sites, site links,
subnets and other replication topology information. It replicates to all domain controllers in the forest
DN location is CN=Configuration,DC=Domainname,DC=com

Domain Partition – It stores object information for a domain, such as users, computers, groups,
printers and other domain-specific information. It replicates to all domain controllers within a domain
DN location is DC=Domainname,DC=com

Application Partition – It stores information about applications in Active Directory. For example,
when AD-integrated DNS is used there are two application partitions for DNS zones: ForestDNSZones and
DomainDNSZones
How to configure Active Directory Partitions?
You can only configure the Application partition manually, for use with AD-integrated applications;
refer to this article for details on that
How to create a DNS zone in an Application Directory Partition?
See my previous article
How to move the DNS zone from the Domain Partition to the Application partition?
See my previous article
How to take active directory backup?
A system state backup will back up Active Directory; NTBackup can be used to back up Active
Directory
Active Directory restore types?
Authoritative restore
Non-authoritative restore
Non-authoritative restore of Active Directory
A non-authoritative restore restores the domain controller to its state at the time of the backup, and
allows normal replication to overwrite the restored domain controller with any changes that have
occurred after the backup. After the system state restore, the domain controller queries its replication
partners and gets the changes made after the backup date, to ensure that the domain controller has an
accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory: just a restore of system
state is a non-authoritative restore, and mostly we use this for Active Directory data loss or corruption.
How to perform a non-authoritative restore?
Just start the domain controller in Directory Services Restore Mode and perform a system state
restore from backup
Authoritative restore of Active Directory
An authoritative restore is the next step after the non-authoritative restore process: we have to do a
non-authoritative restore before we can perform an authoritative restore. The main difference is that
an authoritative restore has the ability to increment the version number of the attributes of all
objects, or of an individual object, in an entire directory; this is what makes the restored object
authoritative in the directory. This can be used to restore a single deleted user/group and even an
entire OU.
In a non-authoritative restore, after a domain controller is back online, it will contact its replication
partners to determine any changes since the time of the last backup. However, because the version
number of the object attributes that you want to be authoritative will be higher than the existing
version numbers of the attributes, the object on the restored domain controller will appear to be more
recent, and therefore the restored object will be replicated to the other domain controllers in the domain

How to perform an authoritative restore?

Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the
version number of the object attributes
Which Active Directory partitions can be restored?
You can authoritatively restore only objects from the configuration and domain partitions.
Authoritative restores of schema-naming contexts are not supported.
How many domain controllers need to be backed up? Or which domain controllers to back up?
The minimum requirement is to back up two domain controllers in each domain; one should be an
operations master role holder DC. There is no need to back up the RID Master (relative ID), because
the RID Master should not be restored
Can we restore the backup of one domain controller to another/different domain controller?
A backup of one domain controller can't be restored to another domain controller; it should be
restored to the same domain controller

Sysvol Interview Questions and Answers


I would like to share a collection of Sysvol and FRS interview questions and answers that are asked
in Windows Active Directory administrator job interviews

What is the SYSVOL folder and why is it used?

The Sysvol folder on a Windows domain controller is used to store the domain's Group Policy settings,
default profiles and logon/logoff/startup/shutdown scripts. It is available in the C:\Windows\SYSVOL
directory on all domain controllers within the domain

What is the NETLOGON folder?

The Netlogon folder contains the logon/logoff/startup/shutdown scripts and is inside the Sysvol folder

What is a junction point?


Check more about: Sysvol Junction point
What other folders in Sysvol and Sysvol folder structure/ Contents?
Check more about: netlogon and sysvol folder location
How policies get replicated from one DC to other DC?
Check more about: how sysvol replication works
What is the Difference between FRS and DFS-R?
Check more about: Difference between FRS and DFSR
How to Force sysvol replication?
Check more about: force sysvol replication on Windows 2003 and  force sysvol replication on
Windows 2008 and windows server 2012
What is the Sysvol Replication change in Windows 2008?
Check more about: sysvol replication change on windows 2012
Any Sysvol issues which you have faced in your environment?
USN journal wrap error on Sysvol
Morphed folder on Sysvol
FRS replication issues
Sysvol share not sharing – may be a replication issue; check the event log for more information

Tell me about non-authoritative restore of SYSVOL, or D2 restore

D2 is the default method for restoring SYSVOL and occurs automatically when you do a
non-authoritative restore of Active Directory

When you non-authoritatively restore SYSVOL, the local copy of SYSVOL on the restored
domain controller is compared with that of its replication partners. After the domain controller
restarts, it replicates any necessary changes, bringing it up to date with the other domain
controllers within the domain.
Tell me about authoritative restore of SYSVOL, or D4 restore
In a D4 restore, the copy of SYSVOL that is restored from backup is authoritative for the domain. After
the necessary configurations have been made, Active Directory marks the local SYSVOL as
authoritative and it is replicated to the other domain controllers within the domain.

How to do a D2 or D4 restore?

Set the BurFlags registry value to D2 or D4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags

D2, for a non-authoritative mode restore

D4, for an authoritative mode restore

Active Directory real time issues and solutions


By ganesamoorthy s | June 9, 2015

As a Windows AD Administrator I have many Active Directory real time issues and solutions. We
have seen questions like: tell me about 2 real time issues which you have faced in your current
Active Directory environment; share one or two challenging issues which you have worked on and
resolved; tell me about the most challenging issues you were recently involved in

Many of my blog readers have asked me to share a couple of real time scenarios from my past
experience, to prepare for a Windows and Active Directory interview. Below is a list of articles from
my previous posts; read and understand them to face the interview confidently

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value


Replsummary showing unknown for largest delta on AD replication checks
Domain Controller failed test Machineaccount on DCDIAG
AD Slow Authentication and prompting for credentials again and again
How secure channel determine the Domain controller in cross-forest
Active directory Troubleshooting
Active Directory Replication failed with “Target principal name is incorrect”
Replication failed with “The destination server is currently rejecting replication requests” Error
Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO


Why we can’t edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003
Gpresult failed with ERROR Access Denied
Home page URL not working for IE7
GPO update failed in Slow Link VPN site with Event ID 1000 and 1054
Group Policy Processing over Slow Links
Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout
How to resolve the Print Spooler service crash issue (Print spooler service is not running)
How to find the domain controller that contains the lingering object
Reconfigure roaming profile folder and home folder permission for all the users
Roaming profile issues

1. Question 1. Why Should We Use Group Policy?


Answer :
o For deploying software
o We can apply security
o For controlling Users environment, settings, per computer settings
o To manage desktop environment (To standardize environment)
o To modify the registry
2. Question 2. What Is Group Policy Object?
Answer :
The actual unit that we create, delete, manage and work with is called a
Group Policy object.
Group Policy objects have two components:
o Group Policy container
o Group Policy template
3. Question 3. What Is Group Policy Container?
Answer :
It is the container in the Active Directory where the Group Policy can be applied. (i.e.,
either Organizational unit or Domain or Site)
4. Question 4. What Is Group Policy Template?
Answer :
When you create a Group Policy container, a template is automatically created on
the hard drive, in the sysvol folder of the Domain Controller; that is called the Group
Policy template.
5. Question 5. Where Is Group Policy Template Stored?
Answer :
The Group Policy template is stored in the sysvol folder.
6. Question 6. How To Create A Group Policy?
Answer :
Start –> Programs –> Administrative tools –> Active Directory Users and Computers –>
Right click on the container on which you want to apply Group Policy –> Select
Properties –> Click on the Group Policy tab –> Click on New
7. Question 7. What Are The Steps When We Are Creating A Group Policy?
Answer :
There are two steps: creating the Group Policy and linking it to the container.
Generally we create the Group Policy at the container itself, so when you click on New it
creates the GPO and links it to that container at the same time. If you want to link a
Group Policy object which has already been created to a container, click on Add and select
the Group Policy.
8. Question 8. What Are The Buttons Available On Group Policy Tab In Properties Of A
Container?
Answer :
o New (Creates new GPO)
o Add (links a GPO to this container which has created already)
o Edit (Edits the existing GPO)
o Delete (Deletes the GPO)
o Options (here you get the following check boxes): (i) No override – Prevents
other GPOs from overriding the policy set in this one; and (ii) Disabled – This GPO
is not applicable to this container
o Properties
Note: When you are deleting a GPO it asks two things:
o Remove the link from this list
o Remove the link and delete the GPO permanently
9. Question 9. What Is The No Override Option In GPO?
Answer :
Generally the policies set at one level will be overridden at another level, so if you don't want
this policy to be overridden at the sub levels below this one, you can set this option.
Ex: If you set No override at Domain level then that GPO will be applied throughout
the Domain, even though you have the same policy set differently at OU level.
10. Question 10. What Is Block Inheritance Of GPO And Where Is It?
Answer :
The Block inheritance GPO option blocks the group policies inherited from the top
level, so that the present GPO takes effect.
Right click on the container –> click on Group Policy –> go to Properties –> at the
bottom of the General tab you will find the Block inheritance check box
Ex: If you select Block inheritance at OU level then no policy from the Domain level,
Site level or local policy will be applied to this OU.
11. Question 11. You Have Set The No Override Option At Domain Level And Block
Inheritance At OU Level. Which Policy Will Take Effect?
Answer :
If you have set both then No override wins over the Block inheritance. So No override
will take effect.
12. Question 12. What Are The Options That Are Available When You Click On Option
Button On General Tab?
Answer :
o General
o Disable computer configuration settings (The settings that are set under
computer configuration of this GPO will not take effect.)
o Disable user configuration settings (The settings that are set under User
configuration of this GPO will not take effect.)
o Links (Displays the containers which have links to this GPO)
o Security (With the security option you can set the level of permissions and
settings for individual users and groups. Ex: If you want to disable this GPO for a
particular user in this container, on the Security tab select that user and select
the Deny check box for Apply Group Policy. Then the GPO will not take
effect for that user even though he is in that container.)
13. Question 13. What Will You See In The Group Policy Snap In?
Answer :
You will see two major portions, and under those you have sub portions, they are:
o Computer Configuration
    o Software settings
    o Software installations
    o Windows settings
    o Administrative templates
o User configuration
    o Software settings
    o Software installations
    o Windows settings
    o Administrative templates
Note: Administrative templates are for modifying the registry of windows 2000
clients.
14. Question 14. What Is The Hierarchy Of Group Policy?
Answer :
o Local policy
o Site Policy
o Domain Policy
o OU Policy
o Sub OU Policy (If any are there)
15. Question 15. Who Can Create Site Level Group Policy?
Answer :
Enterprise Admin
16. Question 16. Who Can Create Domain Level Group Policy?
Answer :
Domain Admin
17. Question 17. Who Can Create Organizational Unit Level Group Policy?
Answer :
Domain Admin
18. Question 18. Who Can Create Local Group Policy?
Answer :
Local Administrator or Domain Administrator
19. Question 19. What Is The Refresh Interval For Group Policy?
Answer :
The refresh interval for Domain Controllers is 5 minutes, and the refresh interval for all
other computers in the network is 45 minutes (this one is in doubt).
20. Question 20. Why Do We Need To Manage And Control Desktop Environment?
Answer :
o To decrease support time
o Eliminate potential for problems
o One standard environment to support
o Eliminate distractions
o To increase productivity
21. Question 21. What Is Group Policy Loop Back Process? How To Set It?
Answer :
Start –> Programs –> Administrative tools –> Active Directory Users and Computers –>
Right click on the container –> click on the Group Policy tab –> click on Edit –> click on
Computer settings –> click on Administrative templates –> System –> Group Policy –>
click on User group policy loop back processing mode –> click OK –> select Enable
22. Question 22. What Are The Players That Are Involved In Deploying Software?
Answer :
o Group Policy: Within GP we specify that this software application gets
installed to this particular computer or to this particular user.
o Active Directory: Group Policy will be applied somewhere in Active
Directory.
o Microsoft Installer service
o Windows installer packages: The type of package that can be used by
Group Policy to deploy applications is .msi packages i.e., Microsoft Installer
packages.
23. Question 23. What Is The Package That Can Be Used To Deploy Software Through
Group Policy?
Answer :
Windows installer packages (.msi files)
24. Question 24. What Is Microsoft Installer Service?
Answer :
Microsoft Installer Service runs on the client machines in the Windows 2000 domain.
It installs the minimum amount of an application, as you extend functionality it
installs the remaining part of application. It is responsible for installing software in
the client. It is also responsible for modifying, upgrading, applying service packs.
25. Question 25. What Is Local Security Policy, Domain Security Policy, And Domain
Controller Security Policy In The Administrative Tools?
Answer :
o Local Security policy: This is group policy applied to local machine
o Domain Security Policy: Group Policy applied at domain level
o Domain Controller Security Policy: Group Policy applied at domain
controller level.
26. Question 26. What Are The Design Considerations For Group Policy?
Answer :
The following should be considered for designing group policies:
o Minimize linking: Because there is a chance of deleting the original one
without seeing who else is using this GPO. Minimize linking for simplicity.
o Minimum number of GPOs: Microsoft suggests that one GPO with 100
settings will process faster than 100 GPOs each with one setting. This is
for performance.
o Delegate
o Minimize filtering: To keep your environment simple, try to minimize
filtering.
If you have several GPOs for a container, whatever GPO is on top will be
applied first. If you want, you can move GPOs up and down.
If there is a conflict between two GPOs of the same container, the last applied GPO will be
effective, i.e., the bottom one will be effective.
27. Question 27. What Is Group Policy In Active Directory? What Are Group Policy
Objects (GPOs)?
Answer :
Group Policy objects, other than the local Group Policy object, are virtual objects. The
policy setting information of a GPO is actually stored in two locations: the Group
Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that stores GPO
properties, including information on version, GPO status, and a list of components
that have settings in the GPO.
The Group Policy template is a folder structure within the file system that stores
Administrative Template-based policies, security settings, script files, and
information regarding applications that are available for Group Policy Software
Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the
Policies subfolder for its domain.
28. Question 28. What Is The Order In Which GPOs Are Applied?
Answer :
Group Policy settings are processed in the following order:
o Local Group Policy object: Each computer has exactly one Group Policy
object that is stored locally. It is processed for both computer and user
Group Policy processing.
o Site : Any GPOs that have been linked to the site that the computer
belongs to are processed next. Processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for the site in
Group Policy Management Console (GPMC). The GPO with the lowest link
order is processed last, and therefore has the highest precedence.
o Domain: Processing of multiple domain-linked GPOs is in the order
specified by the administrator, on the Linked Group Policy Objects tab for
the domain in GPMC. The GPO with the lowest link order is processed last,
and therefore has the highest precedence.
o Organizational units: GPOs that are linked to the organizational unit that
is highest in the Active Directory hierarchy are processed first, then GPOs that
are linked to its child organizational unit, and so on. Finally, the GPOs that
are linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or
no GPOs can be linked. If several GPOs are linked to an organizational unit, their
processing is in the order that is specified by the administrator, on the Linked Group
Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest
precedence.
This order means that the local GPO is processed first, and GPOs that are linked to
the organizational unit of which the computer or user is a direct member are
processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If
there are no conflicts, then the earlier and later settings are merely aggregated.)
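
An added Python model (not part of the original questions, and not Microsoft's code) of the processing order in Question 28 combined with No override (Questions 9 and 11) and Block inheritance (Question 10). It covers GPOs linked at the site, domain and OU levels and leaves the local GPO out; the GPO names, settings and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str                 # GPO name (constructed)
    link_order: int          # 1 = highest precedence within its container
    settings: dict           # setting name -> value
    enforced: bool = False   # "No override" in the page's wording


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """chain: containers from the top down (site, domain, parent OU, ...,
    the OU holding the user or computer). Returns the links in the order
    they are applied; on a conflict the link applied later wins."""
    blockers = [i for i, c in enumerate(chain) if c.block_inheritance]
    barrier = max(blockers) if blockers else 0
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within one container the lowest link order is processed last.
        for link in sorted(container.links, key=lambda l: l.link_order, reverse=True):
            if link.enforced:
                enforced.append((depth, link))   # No override ignores Block inheritance
            elif depth >= barrier:
                normal.append(link)              # links above a blocking OU are dropped
    # No override links are applied after everything else. Added detail beyond
    # the page: among several of them the one linked highest up wins, so the
    # deepest is applied first (the sort is stable within a container).
    enforced.sort(key=lambda pair: -pair[0])
    return normal + [link for _, link in enforced]


def resultant_set(chain):
    """Effective settings as {name: (value, winning GPO)}."""
    effective = {}
    for link in processing_order(chain):
        for name, value in link.settings.items():
            effective[name] = (value, link.gpo)
    return effective


def sample_chain(block_inheritance):
    """Constructed site -> domain -> OU chain for one user."""
    return [
        Container("HQ-Site", [GpoLink("Site-Proxy", 1, {"proxy": "proxy.example:8080"})]),
        Container("example.com", [
            GpoLink("Domain-Baseline", 1, {"wallpaper": "corp.bmp"}, enforced=True),
            GpoLink("Domain-Desktop", 2, {"wallpaper": "blue.bmp", "screensaver_timeout": 900}),
        ]),
        Container("Finance", [
            GpoLink("Finance-Desktop", 1, {"wallpaper": "finance.bmp"}),
            GpoLink("Finance-Legacy", 2, {"wallpaper": "old.bmp", "screensaver_timeout": 300}),
        ], block_inheritance=block_inheritance),
    ]


if __name__ == "__main__":
    for blocked in (False, True):
        chain = sample_chain(blocked)
        print("Block inheritance on Finance:", blocked)
        print("  order:", [l.gpo for l in processing_order(chain)])
        print("  result:", resultant_set(chain))
```
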
29. Question 29. How To Backup/Restore Group Policy Objects?
Answer :
o Begin the process by logging on to a Windows Server 2008 domain
controller, and opening the Group Policy Management console. Now,
navigate through the console tree to Group Policy Management | Forest: |
Domains | | Group Policy Objects.
o When you do, the details pane should display all of the group policy objects
that are associated with the domain. In Figure A there are only two group
policy objects, but in a production environment you may have many more.
The Group Policy Objects container stores all of the group policy objects for
the domain.
o Now, right-click on the Group Policy Objects container, and choose the Back
Up All command from the shortcut menu. When you do, Windows will open
the Back Up Group Policy Object dialog box.
o As you can see in Figure B, this dialog box requires you to provide the path
to which you want to store the backup files. You can either store the
backups in a dedicated folder on a local drive, or you can place them in a
folder on a mapped network drive. The dialog box also contains a
Description field that you can use to provide a description of the backup
that you are creating.
o You must provide the path to which you want to store your backup of the
group policy objects.
o To initiate the backup process, just click the Back Up button. When the
backup process completes, you should see a dialog box that tells you how
many group policy objects were successfully backed up. Click OK to close
the dialog box, and you’re all done.
o When it comes to restoring a backup of any Group Policy Object, you have
two options. The first option is to right-click on the Group Policy Object, and
choose the Restore From Backup command from the shortcut menu. When
you do this, Windows will remove all of the individual settings from the
Group Policy Object, and then implement the settings found in the backup.
o Your other option is to right-click on the Group Policy Object you want to
restore, and choose the Import Settings option. This option works more like
a merge than a restore.
o Any settings that presently reside within the Group Policy Object are
retained unless there is a contradictory setting within the file that is being
imported.
30. Question 30. You Want To Standardize The Desktop Environments (wallpaper, My
Documents, Start Menu, Printers Etc.) On The Computers In One Department. How
Would You Do That?
Answer :
o Go to Start->Programs->Administrative tools->Active Directory Users and
Computers
o Right click on the Domain->click on Properties
o In the new window click on Group Policy
o Select Default Policy->click on Edit
o In the Group Policy console
o go to User Configuration->Administrative Template->Start menu and
Taskbar.
o Select each property you want to modify and do the same.
31. Question 31. What Is The Difference Between Software Publishing And Assigning?
Answer :
Assign Users: The software application is advertised when the user logs on. It is
installed when the user clicks on the software application icon via the start menu, or
accesses a file that has been associated with the software application.
Assign Computers: The software application is advertised and installed when it is
safe to do so, such as when the computer is next restarted.
Publish to users: The software application does not appear on the start menu or
desktop. This means the user may not know that the software is available. The
software application is made available via the Add/Remove Programs option in
control panel, or by clicking on a file that has been associated with the application.
Published applications do not reinstall themselves in the event of accidental deletion,
and it is not possible to publish to computers.
32. Question 32. What Are Administrative Templates?
Answer :
Administrative Templates are a feature of Group Policy, a Microsoft technology for
centralised management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An
ADM file is used to describe both the user interface presented to the Group Policy
administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface and
the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP
Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm,
conf.adm and wuau.adm). These are merged into a unified “namespace” in GPEdit
and presented to the administrator under the Administrative Templates node (for
both machine and user policy).
33. Question 33. Can I Deploy Non-msi Software With Gpo?
Answer :
Create the file with a .zap extension.
34. Question 34. Name Some Gpo Settings In The Computer And User Parts ?
Answer :
Group Policy Object (GPO): computer = Computer Configuration, user = User
Configuration.
35. Question 35. A User Claims He Did Not Receive A Gpo, Yet His User And Computer
Accounts Are In The Right Ou, And Everyone Else There Gets The Gpo. What Will
You Look For?
Answer :
Make sure the user is not a member of a loopback policy, because a loopback policy
does not affect user settings; only computer policy will be applicable. Also check
whether or not he is a member of the GPO filter group.
You may also want to check the computer's event logs. If you find event ID 1085 then
you may want to download the patch to fix this and reboot the computer.
36. Question 36. How Frequently Is The Client Policy Refreshed ?
Answer :
90 minutes give or take.
37. Question 37. Where Is Secedit ?
Answer :
It’s now gpupdate.
38. Question 38. What Can Be Restricted On Windows Server 2003 That Wasn’t There In
Previous Products ?
Answer :
Group Policy in Windows Server 2003 determines a user's right to modify network
and dial-up TCP/IP properties. Users may be selectively restricted from modifying
their IP address and other network configuration parameters.
39. Question 39. You Want To Create A New Group Policy But Do Not Wish To Inherit.
Answer :
Make sure you check Block inheritance among the options when creating the policy.
40. Question 40. How Does The Group Policy ‘no Override’ And ‘block Inheritance’
Work ?
Answer :
Group Policies can be applied at multiple levels (sites, domains, organizational units),
with multiple GPs at each level. Some policy settings may conflict, hence the
application order of Site – Domain – Organizational Unit; within each layer you set
the order for all defined policies. You may also want to force some policies to never
be overridden (No Override), and you may want some containers to not inherit
settings from a parent container (Block Inheritance).
A good definition of each is as follows:
No Override – This prevents child containers from overriding policies set at higher
levels
Block Inheritance – Stops containers inheriting policies from parent containers
No Override takes precedence over Block Inheritance, so if a child container has
Block Inheritance set but a group policy on the parent has No Override set, then it
will get applied.
Also, the highest No Override takes precedence over lower No Overrides set.
To block inheritance perform the following:
o Start the Active Directory Users and Computers snap-in (Start – Programs –
Administrative Tools – Active Directory Users and Computers)
o Right click on the container you wish to stop inheriting settings from its
parent and select Properties
o Select the ‘Group Policy’ tab
o Check the ‘Block Policy inheritance’ option
o Click Apply then OK
To set a policy to never be overridden perform the following:
o Start the Active Directory Users and Computers snap-in (Start – Programs –
Administrative Tools – Active Directory Users and Computers)
o Right click on the container you wish to set a Group Policy to not be
overridden and select Properties
o Select the ‘Group Policy’ tab
o Click Options
o Check the ‘No Override’ option
o Click OK
o Click Apply then OK
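The precedence rules in the answer to Question 40, worked through as an added example (not part of the original document): a simplified Python model of which GPO supplies each setting for an object in the last container of a chain. Container names, GPO names and setting keys are constructed, and links within one container are assumed to be listed in processing order (last one wins).

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False          # "No Override" set on this GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # assumed processing order
    block_inheritance: bool = False

def effective_policy(chain):
    """chain: containers ordered Site, Domain, parent OU ... child OU.
    Returns {setting: (value, winning GPO)} for an object in the last one."""
    # The lowest container with Block Inheritance cuts off every ordinary
    # link attached above it; its own links still apply.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance),
                  default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        # Prepending keeps higher containers later in the write order.
        enforced = [l for l in c.links if l.no_override] + enforced
        if i >= barrier:
            normal += [l for l in c.links if not l.no_override]
    # Ordinary links: the container closest to the object writes last.
    # No Override links are written after all of them, and the highest
    # container's No Override is the final writer, so it wins conflicts.
    result = {}
    for link in normal + enforced:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def demo():
    # Constructed sample: the Finance OU blocks inheritance, but the
    # domain baseline link carries No Override.
    chain = [
        Container("Site", [Link("Site-Proxy", {"proxy": "site-proxy"})]),
        Container("Domain", [
            Link("Domain-Baseline", {"min_pw_len": 14, "wallpaper": "corp"},
                 no_override=True),
            Link("Domain-Desktop", {"screensaver_lock": 600, "hide_run": True}),
        ]),
        Container("OU=Finance",
                  [Link("Finance-Desktop",
                        {"wallpaper": "finance", "hide_run": False})],
                  block_inheritance=True),
    ]
    return effective_policy(chain)
```

In the sample, Block Inheritance on the Finance OU drops the site link and the ordinary domain desktop link, while the domain baseline with No Override still applies and overrides the OU's wallpaper setting.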
