EzDevInfo.com

group-policy interview questions

Top group-policy frequently asked interview questions

Can I deny "Internet Explorer" via GPO and use Google Chrome as a default and the only Browser?

I wonder, as Internet Explorer is a part of the Windows operating system, if it's possible to deny it.

I would like to force users to use Google Chrome only as a browser.


Source: (StackOverflow)

Disable password complexity rule in Active Directory

Where do I go to disable the password complexity policy for the domain?

I've logged onto the domain controller (Windows Server 2008) and found the option in local policies which is of course locked from any changes. However I can't find the same sort of policies in the group policy manager. Which nodes do I have to expand out to find it?


Source: (StackOverflow)
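
An added example (not part of the original post) showing where the domain-wide password policy actually lives and, going a step beyond the question, how to relax complexity for one group only instead of for the whole domain. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 or RSAT) and, for the fine-grained policy part, a Windows Server 2008 domain functional level; the PSO, group and account names are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Server 2008 R2 / RSAT); PSO, group and account names are placeholders.
Import-Module ActiveDirectory

# Where the domain-wide setting lives. In GPMC it is the Default Domain Policy,
# linked at the domain root (NOT the Domain Controllers OU):
#   Computer Configuration > Policies > Windows Settings > Security Settings
#   > Account Policies > Password Policy > "Password must meet complexity requirements"
# Account policies for domain accounts are only honoured from GPOs linked at the
# domain level, which is why Local Security Policy on a DC shows them greyed out.
function Get-DomainPasswordPolicySummary {
    $d = Get-ADDomain
    Get-ADDefaultDomainPasswordPolicy -Identity $d.DNSRoot |
        Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                      MaxPasswordAge, LockoutThreshold, ReversibleEncryptionEnabled
}

# Narrower alternative to turning complexity off domain-wide: a fine-grained
# password policy (PSO) applied to one group. Lower Precedence wins if several
# PSOs cover the same account. The other attributes are mandatory on a PSO,
# so they are set explicitly; a long minimum length compensates for the
# missing complexity rule.
function New-ScopedNoComplexityPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$GroupName,
        [int]$Precedence = 100
    )
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $false -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true -PassThru
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
    $pso
}

Get-DomainPasswordPolicySummary
New-ScopedNoComplexityPolicy -Name 'PSO-Legacy-NoComplexity' -GroupName 'Legacy-App-Accounts'

# Confirm what a member of that group actually ends up with (the PSO, not the
# domain default):
Get-ADUserResultantPasswordPolicy -Identity 'svc-legacyapp' |
    Select-Object Name, ComplexityEnabled, MinPasswordLength
```

If the requirement really is domain-wide, edit the Default Domain Policy at the GPMC path in the comments rather than writing the domain object directly; the security settings extension on the PDC emulator re-applies whatever that GPO says at each refresh. Whatever is chosen, re-run Get-ADUserResultantPasswordPolicy against a privileged account afterwards to make sure the relaxation did not reach accounts it was not meant for.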

Group Policy installation failed error 1274

I'm trying to deploy an MSI via the Group Policy in Active Directory. But these are the errors I'm getting in the System event log after logging in:

  • The assignment of application XStandard from policy install failed. The error was : %%1274
  • The removal of the assignment of application XStandard from policy install failed. The error was : %%2
  • Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274
  • The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

When I reboot and log in again I simply get the same messages about needing to perform the update before the next logon. I'm on a Windows Vista 32-bit laptop. I'm rather new to deploying via group policy so what other information would be helpful in determining the issue? I tried a different MSI with the same results. I'm able to install the MSI using the command line and msiexec when logged into the computer, so I know the MSI is working ok at least.


Source: (StackOverflow)

How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server?

We have a suite of Windows Services running on our servers which perform a bunch of automated tasks independently of one another, with the exception of one service which looks after the other services.

In the event that one of the services should fail to respond or hang, this service attempts to restart the service and, if an exception is thrown during the attempt, emails the support team instead, so that they can restart the service themselves.

Having done a little research, I've come across a few 'solutions' which range from the workaround mentioned in KB907460 to giving the account under which the service is running administrator rights.

I'm not comfortable with either of these methods - I don't understand the consequences of the first method as outlined in Microsoft's knowledge base article, but I definitely don't want to give administrator access to the account under which the service is running.

I've taken a quick look through the Local Security Policy and other than the policy which defines whether or not an account can log on as a service, I can't see anything else which looks like it refers to services.

We're running this on Server 2003 and Server 2008, so any ideas or pointers would be graciously received!


Clarification: I don't want to grant the ability to start/stop/restart ALL services to a given user or group - I want to be able to grant the permission to do so on specific services only, to a given user or group.


Further Clarification: The servers I need to grant these permissions on do not belong to a domain - they are two internet-facing servers which receive files, process them and send them on to third parties, as well as serving a couple of websites, so Active Directory Group Policy isn't possible. Sorry that I didn't make this clearer.


Source: (StackOverflow)
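
An added example, not part of the original post, that grants start/stop/pause and read rights on a single service to a single local account by editing that service's own security descriptor with the built-in sc.exe sdshow/sdset, which exist on Server 2003 and 2008 and need neither a domain nor extra tools. The service name OrderProcessorSvc and the account SvcWatcher are placeholders; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Service and account names are
# placeholders. Written to run under PowerShell 2.0 on Server 2003/2008.

function Get-ServiceSddl {
    param([Parameter(Mandatory=$true)][string]$Name)
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    # sc prints a blank line, then the SDDL on one line
    ($out | Where-Object { $_ -match '^\s*[OGD]:' } | Select-Object -First 1).Trim()
}

function Grant-ServiceControl {
    param(
        [Parameter(Mandatory=$true)][string]$Name,      # service short name, e.g. 'OrderProcessorSvc'
        [Parameter(Mandatory=$true)][string]$Account,   # local user or group, e.g. 'SvcWatcher'
        [switch]$Preview                                # show the new descriptor without applying it
    )
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Service-specific SDDL rights granted here:
    #   CC query config   LC query status   SW enumerate dependents
    #   RP start          WP stop           DT pause/continue
    #   LO interrogate    CR user-defined control   RC read security descriptor
    # Deliberately withheld: DC (change config, i.e. repoint the binary that
    # runs as the service account), WD/WO (rewrite this ACL / take ownership)
    # and SD (delete). Any of those turns "may restart" into "may become".
    $ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"

    $sddl = Get-ServiceSddl -Name $Name
    if ($sddl -like "*;;;$sid)*") {
        Write-Warning "$Account already has an ACE on '$Name'; review it by hand: $sddl"
        return $sddl
    }
    # Append to the DACL, i.e. insert just before the SACL ('S:') when there is one.
    $idx = $sddl.IndexOf('S:')
    $newSddl = if ($idx -ge 0) { $sddl.Insert($idx, $ace) } else { $sddl + $ace }

    if ($Preview) { Write-Output "Would set '$Name' to: $newSddl"; return $newSddl }
    & sc.exe sdset $Name $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed" }
    Get-ServiceSddl -Name $Name
}

# Preview, then apply.
Grant-ServiceControl -Name 'OrderProcessorSvc' -Account 'SvcWatcher' -Preview
Grant-ServiceControl -Name 'OrderProcessorSvc' -Account 'SvcWatcher'
# Prove it from a non-admin context, e.g. from another prompt:
#   runas /user:SvcWatcher "sc stop OrderProcessorSvc"
```

Keep a copy of the original sdshow output before the change so it can be restored with sc sdset. The watchdog service itself should run as that limited account with "Log on as a service" and nothing else; the ACE above is per service, so repeat it only for the services the watchdog is meant to manage.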

Why are many admins using 'Turn off Automatic Root Certificates Update' Policy?

My company distributes a Windows Installer for a Server based product. As per best practices it is signed using a certificate. In line with Microsoft's advice we use a GlobalSign code signing certificate, which Microsoft claims is recognised by default by all Windows Server versions.

Now, this all works well unless a server has been configured with Group Policy: Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update as Enabled.

We found that one of our early beta testers was running with this configuration resulting in the following error during installation

A file that is required cannot be installed because the cabinet file [long path to cab file] has an invalid digital signature. This may indicate that the cabinet file is corrupt.

We wrote this off as an oddity, after all no-one was able to explain why the system was configured like this. However, now that the software is available for general use, it appears that a double digit (percentage) of our customers are configured with this setting and no-one knows why. Many are reluctant to change the setting.

We have written a KB article for our customers, but we really don't want the problem to happen at all as we actually care about the customer experience.

Some things we have noticed while investigating this:

  1. A fresh Windows Server installation does not show the Globalsign cert in the list of trusted root authorities.
  2. With Windows Server not connected to the internet, installing our software works fine. At the end of the installation the Globalsign cert is present (not imported by us). In the background Windows appears to install it transparently on first use.

So, here is my question again. Why is it so common to disable updating of root certificates? What are the potential side effects of enabling updates again? I want to make sure we can provide our customers with the appropriate guidance.


Source: (StackOverflow)
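
An added example, not from the original post, that reports the three facts which decide whether a signed installer verifies on a given server: the registry value the "Turn off Automatic Root Certificates Update" policy writes, Windows' own Authenticode verdict on the file, and whether the top of the signing chain is already in the machine's Root store. The installer path is a placeholder; the remediation commands at the end are the standard certutil syntax.

```powershell
# Added example, not from the original post. The installer path is a placeholder.

function Test-InstallerTrust {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { throw "not found: $Path" }

    # 1. Policy state. The GPO writes this value; 1 = root auto-update disabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $autoUpdateOff = $false
    if (Test-Path $key) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableRootAutoUpdate
        $autoUpdateOff = ($v -eq 1)
    }

    # 2. Windows' verdict. With an unknown root, Status is UnknownError and
    #    StatusMessage says the chain terminated in a root that is not trusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 3. Build the chain ourselves to name its top certificate and check the store.
    $top = $null; $inRootStore = $null; $chainStatus = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; revocation is a separate check
        $null = $chain.Build($sig.SignerCertificate)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    }

    New-Object PSObject -Property @{
        File              = $Path
        SignatureStatus   = $sig.Status
        StatusMessage     = $sig.StatusMessage
        RootAutoUpdateOff = $autoUpdateOff
        ChainTopSubject   = if ($top) { $top.Subject } else { $null }
        ChainTopThumbprint= if ($top) { $top.Thumbprint } else { $null }
        ChainProblems     = ($chainStatus -join ',')     # empty when the chain is clean
        TopInRootStore    = $inRootStore
    }
}

Test-InstallerTrust -Path 'C:\Temp\ServerProduct-Setup.msi' | Format-List

# Remediation when RootAutoUpdateOff is true and TopInRootStore is false:
# ship the root certificate and pre-stage it, either locally
#   certutil -addstore -f Root GlobalSignRoot.cer
# or for a fleet via GPO, Computer Configuration > Windows Settings >
# Security Settings > Public Key Policies > Trusted Root Certification Authorities.
```

A ChainProblems value of PartialChain (rather than UntrustedRoot) means the server could not even find the issuer, which is the expected outcome when auto-update is off and the root has never been fetched. Customers who keep the policy enabled should be told which root to stage, by subject and thumbprint, rather than asked to turn the policy off.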

What is Group Policy and how does it work?

This is a Canonical Question about Active Directory Group Policy Basics

What is Group Policy? How does it work and why should I use it?

Note: This is a Question & Answer to new administrator that might not be familiar with how it functions and how powerful it is.


Source: (StackOverflow)

Registry key / GPO to disable and block Windows 10 upgrade?

One of our remote Windows 7 Professional users just reported that he received an Upgrade Reservation Offer for Windows 10. It appears the Get Windows 10 "App" running in his system tray is legit. So far, this only seems to be hitting devices that are not domain-joined.

Short of uninstalling/hiding the Windows Update that enabled the upgrade, is there any way to disable the Upgrade App (and of course the upgrade itself)?


Source: (StackOverflow)

How to time-bomb a GPO?

I am doing a lot of work in higher education where it is a rather common requirement to reconfigure a number of Windows domain members (e.g. PCs in a classroom) for the duration of a specific course or event and have this configuration undone afterwards.

As most of the configuration changes we are requested to do can be done through Group Policy Objects and those changes automatically get reversed when the GPO is unlinked or deactivated at the OU level, this is a very comfortable route to take.

The only downside is that repeated manual linking and un-linking of GPOs on OUs needs a lot of reminders and IT staff on duty before the courses start and after they end - something the operations team cannot guarantee at all times.

Is there a way to specify a time frame for the validity of a specific GPO?


Source: (StackOverflow)
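
An added example, not part of the original post, that automates the link/unlink cycle the question describes: the GPO is linked to the OU with the link disabled, and two scheduled tasks flip LinkEnabled on at the start of the window and off at the end. It assumes the GroupPolicy PowerShell module (GPMC on Server 2008 R2 or later, or RSAT), schtasks.exe, and a delegated account that is allowed to link GPOs on the target OU; the GPO, OU, domain, account and folder names are placeholders.

```powershell
# Added example, not from the original post. All names are placeholders.
Import-Module GroupPolicy

function Set-GpoLinkWindow {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [Parameter(Mandatory=$true)][string]$TargetOU,       # distinguished name of the OU
        [Parameter(Mandatory=$true)][datetime]$Start,
        [Parameter(Mandatory=$true)][datetime]$End,
        [Parameter(Mandatory=$true)][string]$RunAs,          # DOMAIN\account the tasks run as
        [string]$Domain    = $env:USERDNSDOMAIN,
        [string]$ScriptDir = 'C:\GpoWindows'                  # must be writable by admins only
    )
    if ($End -le $Start) { throw 'End must be after Start' }
    if (-not (Test-Path $ScriptDir)) { New-Item -ItemType Directory -Path $ScriptDir | Out-Null }

    # Link now with the link disabled, so the tasks only ever toggle LinkEnabled
    # and never have to create or delete anything.
    $linked = (Get-GPInheritance -Target $TargetOU -Domain $Domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if ($linked) { Set-GPLink -Name $GpoName -Target $TargetOU -Domain $Domain -LinkEnabled No | Out-Null }
    else         { New-GPLink -Name $GpoName -Target $TargetOU -Domain $Domain -LinkEnabled No | Out-Null }

    $tag       = $GpoName -replace '[^A-Za-z0-9]', ''
    $shortDate = (Get-Culture).DateTimeFormat.ShortDatePattern   # schtasks /SD is locale-dependent

    foreach ($job in @(
            @{ Suffix = 'Enable';  When = $Start; State = 'Yes' },
            @{ Suffix = 'Disable'; When = $End;   State = 'No'  })) {
        $script = Join-Path $ScriptDir "$tag-$($job.Suffix).ps1"
        @(
            'Import-Module GroupPolicy',
            ('Set-GPLink -Name ''{0}'' -Target ''{1}'' -Domain ''{2}'' -LinkEnabled {3}' -f
                $GpoName, $TargetOU, $Domain, $job.State)
        ) | Set-Content -Path $script -Encoding ASCII

        # /RP * prompts for the password once; the task then runs whether or not
        # anyone is logged on.
        & schtasks.exe /Create /F /SC ONCE /TN "GpoWindow-$tag-$($job.Suffix)" `
            /SD $job.When.ToString($shortDate) /ST $job.When.ToString('HH:mm') `
            /RU $RunAs /RP * `
            /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$script`"" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "schtasks failed for $($job.Suffix)" }
    }
}

Set-GpoLinkWindow -GpoName 'Course-Forensics101-Lab' `
    -TargetOU 'OU=Lab1,OU=Classrooms,DC=example,DC=edu' `
    -Start (Get-Date '2015-10-05 07:30') -End (Get-Date '2015-10-09 18:00') `
    -RunAs 'EXAMPLE\svc-gpo-scheduler'
```

Two things to check before relying on this. The scripts in $ScriptDir execute with the delegated account's rights, so that folder must not be writable by anyone who could not link the GPO themselves. And the automatic undo only holds for policy settings; Group Policy Preferences items revert on unlink only if "Remove this item when it is no longer applied" was ticked on each of them. The clients pick the change up at their next refresh (about 90 minutes by default), so set Start and End with that lag in mind.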

How do you manage Java in your Windows/Active Directory environment?

Like I suppose a lot of people, we have a Windows/Active Directory environment and a lot of internal line of business apps that require Java. Our experience is that Java does not play nice in such a corporate network environment. Initial installation is fine (at least there's an MSI these days), but keeping things ticking over can be quite a challenge.

Specific issues we encounter include:

  • Java has its own updater, and so it does not tie into our internal patch management systems.
  • The lack of any tools for management of Java settings via GPOs.
  • The requirement for users to manually configure certain settings.
  • Multiple Java runtimes on each machine (Oracle Jinitiator is a particular culprit here).
  • Critical settings files stored under the Program Files folder.

With us it's mostly a batch of logon scripts and hacky workarounds, but I'm interested in hearing how other people handle these items, and if there are any other things one needs to watch out for here.


Source: (StackOverflow)

Should you force a reboot after pushing out Windows updates?

I'm finding that most users ignore the "There are updates ready to be installed, click here to install" message that WSUS pushes out. Until now we haven't forced the install but I'm thinking about changing the group policy to enforce updates nightly. This will sometimes require a reboot which I want to enforce through GP as well.

I know there will be push-back from the users but am wondering if this is defendable best practice. It seems like the right thing to do to ensure PCs are up to date and secure.


Source: (StackOverflow)

How can I manipulate Windows 7 Libraries via Group Policy?

I'm trying to add and remove Library locations from Windows 7's "Library" locations in for each of my users.

While it's easy to do this from the desktop, and it's easy to disable libraries appearing in Explorer, how can I add or remove locations from a library location (e.g. remove c:\users\public\documents from the user's documents library)?

I don't need to 'lock' their list of library locations, I'm happy for them to add and remove their own locations as they wish, but I want to control the initial locations that they are offered.


Source: (StackOverflow)

What can be done to properly re-enable the Windows Firewall on a domain?

BACKGROUND/RESEARCH

I honestly believe that questions like this one: Using GPO in Active Directory domain to force workstations Windows Firewall to disabled - how? existed because Windows Admins in general were taught long ago that:

"the easiest thing to do when dealing with a domain computer is to just have a GPO on the domain to disable the Windows Firewall...it will cause you much less heartache in the end." - random IT instructors/mentors from years gone by

I can also say that at MOST companies I've done side work for this has been the case, where a GPO at a minimum disabled the Windows Firewall for the domain profile and at WORST disabled it also for the public profile.

Even further, some will disable it for the servers themselves: Disable firewall for all network profiles on Windows Server 2008 R2 through GPO

A Microsoft Technet Article on the WINDOWS FIREWALL recommends you DO NOT disable the Windows Firewall:

Because Windows Firewall with Advanced Security plays an important part in helping to protect your computer from security threats, we recommend that you do not disable it unless you install another firewall from a reputable vendor that provides an equivalent level of protection.

This ServerFault question asks the real question: Is it alright to turn off firewall in a LAN using Group Policy? -- and the experts here are even mixed in their view.

And understand I'm not referring to disabling/enabling the SERVICE: How can I back up my recommendation to NOT disable the Windows Firewall service? -- so as to be clear that this is about whether or not the firewall service enables the firewall or disables it.


THE QUESTION AT HAND

So I get back to the Title of this question...what can be done to properly re-enable the Windows firewall on a domain? Specifically for client workstations and their domain profile.

Before simply switching the GPO from Disabled to Enabled, what planning steps should be taken to ensure that flipping the switch doesn't cause critical client/server applications, allowable traffic, etc. to suddenly fail? Most places won't tolerate the "change it and see who calls the Helpdesk" mindset here.

Are there checklists/utilities/procedures available from Microsoft to handle such a situation? Have you been in this situation yourself and how did you deal with it?


Source: (StackOverflow)
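
An added example, not part of the original post, of the planning step the question asks about: run the domain-profile firewall in an observe mode first (on, but with the inbound default set to Allow and both allowed and dropped connections logged), then mine pfirewall.log for the inbound traffic clients really receive and turn that into candidate rules before the default is flipped to Block. The log lines in the block are constructed sample data in the pfirewall.log format, not a real capture; the netsh commands are the real syntax.

```powershell
# Added example, not from the original post. Sample log lines are constructed.

# Phase 1, on a pilot group. The same settings exist in the GPO under
# Windows Firewall with Advanced Security > Domain Profile (State / Logging):
#   netsh advfirewall set domainprofile state on
#   netsh advfirewall set domainprofile firewallpolicy allowinbound,allowoutbound
#   netsh advfirewall set domainprofile logging allowedconnections enable
#   netsh advfirewall set domainprofile logging droppedconnections enable
#   netsh advfirewall set domainprofile logging maxfilesize 32767

function ConvertFrom-PfirewallLog {
    # Turns W3C-style pfirewall.log lines into objects keyed by the #Fields header.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.+)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw 'data before #Fields header' }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { Write-Warning "skipping malformed line: $line"; continue }
        $o = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) { $o | Add-Member NoteProperty $fields[$i] $values[$i] }
        $o
    }
}

function Get-InboundInventory {
    # One row per (protocol, local port) accepted inbound, with the peers that used it.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.path -eq 'RECEIVE' -and $_.action -eq 'ALLOW' } |
        Group-Object protocol, 'dst-port' |
        ForEach-Object {
            $g = $_.Group
            New-Object PSObject -Property @{
                Protocol = $g[0].protocol
                Port     = $g[0].'dst-port'                     # '-' for ICMP
                Hits     = $_.Count
                Sources  = ($g | Select-Object -ExpandProperty 'src-ip' -Unique | Sort-Object) -join ','
            }
        } | Sort-Object Hits -Descending
}

function New-ObservedRuleCommands {
    # Emits netsh commands for TCP/UDP rows; anything else is listed for manual review.
    param([Parameter(Mandatory=$true)]$Inventory)
    foreach ($row in $Inventory) {
        if ('TCP','UDP' -notcontains $row.Protocol) {
            "REM review by hand: $($row.Protocol) from $($row.Sources)"; continue
        }
        'netsh advfirewall firewall add rule name="Observed-{0}-{1}" dir=in action=allow profile=domain protocol={0} localport={1} remoteip={2}' -f `
            $row.Protocol, $row.Port, $row.Sources
    }
}

# Constructed sample in the pfirewall.log layout (17 fields per line).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-06-01 09:00:01 ALLOW TCP 10.1.2.3 10.1.5.10 51234 445 0 - 0 0 0 - - - RECEIVE
2015-06-01 09:00:02 ALLOW TCP 10.1.2.4 10.1.5.10 51235 445 0 - 0 0 0 - - - RECEIVE
2015-06-01 09:00:03 ALLOW TCP 10.1.7.9 10.1.5.10 50001 3389 0 - 0 0 0 - - - RECEIVE
2015-06-01 09:00:04 ALLOW UDP 10.1.5.10 10.1.0.1 55000 53 0 - - - - - - - SEND
2015-06-01 09:00:05 ALLOW ICMP 10.1.2.3 10.1.5.10 - - 0 - - - - 8 0 - RECEIVE
2015-06-01 09:00:06 DROP TCP 10.1.9.9 10.1.5.10 40000 23 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$inv = Get-InboundInventory -Lines $sampleLog
$inv | Format-Table Protocol, Port, Hits, Sources -AutoSize
New-ObservedRuleCommands -Inventory $inv
# Real data: Get-InboundInventory -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Treat the inventory as candidates, not approvals: in observe mode the firewall logs ALLOW for hostile traffic too, and a single remote address on 3389 is more likely an administrator's workstation than an application dependency. Widen remoteip lists harvested from a pilot to the subnets that legitimately need each port, push the resulting rules through the same GPO, and only then set the domain profile back to firewallpolicy blockinbound,allowoutbound. If you need to know which process owns each port, enable auditing for "Filtering Platform Connection" on the pilot machines; event 5156 records the application path alongside the addresses and ports.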

Windows 2008 R2 CA and auto-enrollment: how to get rid of >100,000 issued certificates?

The basic problem I'm having is that I have >100,000 useless machine certificates cluttering up my CA, and I'd like to delete them, without deleting all certs, or time jumping the server ahead, and invalidating some of the useful certs on there.

This came about as a result of accepting a couple defaults with our Enterprise Root CA (2008 R2) and using a GPO to auto-enroll client machines for certificates to allow 802.1x authentication to our corporate wireless network.

Turns out that the default Computer (Machine) Certificate Template will happily allow machines to re-enroll instead of directing them to use the certificate they already have. This is creating a number of problems for the guy (me) who was hoping to use the Certificate Authority as more than a log of every time a workstation's been rebooted.

My freaking eyes!

(The scroll bar on the side is lying, if you drag it to the bottom, the screen pauses and loads the next few dozen certs.)

Does anyone know how to DELETE 100,000 or so time-valid, existing certificates from a Windows Server 2008R2 CA?

When I go to delete a certificate now, I get an error that it cannot be deleted because it's still valid. So, ideally, some way to temporarily bypass that error, as Mark Henderson has provided a way to delete the certificates with a script once that hurdle is cleared.

(Revoking them is not an option, as that just moves them to Revoked Certificates, which we need to be able to view, and they can't be deleted from the revoked "folder" either.)

Update:

I tried the site @MarkHenderson linked, which is promising, and offers much better certificate manageability, but still doesn't quite get there. The rub in my case seems to be that the certificates are still "time-valid" (not yet expired), so the CA doesn't want to let them be deleted from existence, and this applies to revoked certs as well, so revoking them all and then deleting them won't work either.

I've also found this technet blog with my Google-Fu, but unfortunately, they seemed to only have to delete a very large number of certificate requests, not actual certificates.

Finally, for now, time jumping the CA forward so the certificates I want to get rid of expire, and therefore can be deleted with the tools at the site Mark linked, is not a great option, as it would expire a number of valid certificates we use that have to be manually issued. So it's a better option than rebuilding the CA, but not a great one.


Source: (StackOverflow)

Group Policy Result summary says DC is member of "BUILTIN\Administrators"

Whenever I run the Group Policy Result wizard and select a Domain Controller as the target computer, the summary shows BUILTIN\Administrators in the list of "Security Group Membership when Group Policy was applied" under Computer Configuration, as illustrated below:

Group Policy Results summary (Domain, user and computer name left out)

Since Domain Controllers are not a member of Administrators (at least not from what I can see in ADUC), my question is simply, why?

Are Domain Controllers actually members of the Administrators group, or is GPResults wrong (and why)?


Source: (StackOverflow)

Disable Windows Server Network Locations

I'm not sure what exactly this feature is called. But in Windows Server 2008, it has the Vista Public/Private/Domain locations. This makes sense for laptops, and none at all for servers.

My problem is that sometimes some network adapters decide they are now on a public network. This completely activates the firewall, even for the "domain" networks. So net effect is that I reboot some machines, and then they never come back on the network until we KVM in and tell it that the network is private.

What's the name of this feature? Is there a GP setting I can use to turn it off and make all networks be "domain"?

Edit: Thanks, that's what NLA is. I tried disabling the service on a non-domain machine, and it just flips everything public. On a domain machine, the Network List Service refuses to stop -- I'll try group policy.


Source: (StackOverflow)