Understanding Group Policy Webcast

Q&A from 4-14-2006

I've got some more coming, thanks for your patience.

Questions and Answers:
Asked: I can no longer edit my domain windows firewall settings via the GPMC, its just not visible from my machine. What would cause this to happen?
Answered: You might not have the admin template (.adm file) that contains the Windows Firewall settings so you can manage them. Check out this document, and you should be able to find the portion that describes how to import those settings into your own administrative tools: http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
________________________________________
Asked: What is the best starting point for all group policy information at Microsoft?
Answered: You can actually enter http://www.microsoft.com/grouppolicy and get right to the main technology page that contains links to all related resources.
________________________________________
Asked: When you move the computers into a new OU, are they no longer listed in the OU you took them from?
Answered: Correct, when you move to a different OU, they will be removed from their existing OU and any GPO's associated with the old OU will no longer apply
________________________________________
Asked: Is there a hierarchical relationship among domain, site, and ou?
Answered: To some extent, yes - though sites are physical entities, and domains and OUs are logical. The order of "Local, site, domain, OU, and sub-OU" has to do with how policies are read and applied.
________________________________________
Asked: When you apply software to an OU, is it installed based on the computer they log into or is it user based?
Answered: Um... YES. :-) It depends on if you've created the software policy to apply to the user or to the workstation. You can do either. Or both. (but you probably would choose one or the other.)
________________________________________
Asked: In a small company and DO NOT plan on delegating administrating roles, can I create Groups instead of OUs
Answered: Sure.. but you may still want to use OUs for the sake of applying Group Policy, if not for simply organizing objects in your directory.
________________________________________
Asked: What is the order of precedence for policies set at different levels from Site to PC, with conflicting entries?
Answered: The default order is the last setting to be applied wins. The policies are applied in this order: local, site, domain, ou, child ou's. In default situations this is the policy closest to the user, for example. If you had a policy at the domain level that enabled the run command, and a policy at the OU level that disabled the run command. By Default the run command would be disabled, why because the OU level is applied after the domain policy is applied. However you can change this behavior, with the no override and block inheritance options.
________________________________________
Asked: could you give me the website to down load the virtual server
Answered: http://www.microsoft.com/windowsserversystem/virtualserver/software/default.mspx
________________________________________
Asked: Will everything in the GPO be mapped when doing a backup/import from your production to your test environment? (GPMC help file states that some items may be dropped or cannot be mapped)
Answered: Yeah. If you backup and "restore", you can only restore to the domain from which it was backed up, because it includes domain specific information . When you "import" a backup into a new domain, you lose domain-specifics, which might mean any settings that depend on domain specific information.
________________________________________
Asked: Where in the file system can I find the Administrative Template Files. (Example: Admin Template for Setup Windows Update Automatic Updates, wuau.adm,  in Client Computers)?
Answered: In the %systemroot%\windows\sysvol and %systemroot%\windows\inf directories.
________________________________________
Asked: Is a Local Admin a minimum privilege to read Security Log from a server?
Answered: Yes, All users can view application and system logs. Security logs are accessible only to system administrators.
________________________________________
Asked: Would a GPO also apply for users that are VPN'd into the domain?
Answered: Yes. Unless a slow link is detected, policy should apply.
________________________________________
Asked:  Where is the Group Policy Management Console Download:
Answered: http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx
________________________________________
Asked: Is the GPMC just a snap in to the MMC or is it available as a stand alone app.
Answered: It installs as and is runable as a standalone app, but it is really an MMC based tool.
________________________________________
Asked: how would one un-tatoo the registry?
Answered: You would have to recreate the policy and then delete the setting.
________________________________________
Asked: Is the GP staging environment done for GPO modeling and results?
Answered: You can run GPO Modeling and Results against a live production environment, too.. no fear of getting in the way of production processing.
________________________________________