IT Questions and Answers :)

Thursday, May 16, 2019

With regards to Group Policy, what does OU stand for?

  • Ordinary user
  • Organizational unit
  • Overwrite upload
  • Online umbrella 

EXPLANATION

An Organizational Unit (OU) is a container in an Active Directory domain that can hold different objects from the same AD domain: other containers, groups, and user and computer accounts. An Active Directory OU is a simple administrative unit within a domain to which an administrator can link Group Policy objects and on which permissions can be assigned to another user.

Thus, apart from storing objects in Active Directory, an OU serves two main tasks:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator permissions;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.

From first to last, in what order are Group Policy objects applied?

  • Local computer, domain, AD site, OU, child OU
  • Child OU, OU, AD site, domain, local computer
  • Domain, AD site, OU, child OU, local computer
  • Local computer, AD site, domain, OU, child OU 

EXPLANATION

By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container.

GPOs are processed in the following order:


  • The local GPO is applied.
  • GPOs linked to sites are applied.
  • GPOs linked to domains are applied.
  • GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units.

Note: The order in which GPOs are processed is significant because when policy is applied, it overwrites policy that was applied earlier.

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.
The policies are applied in this order of the hierarchy: Local machine, Site, Domain, and Organizational Unit (LSDOU).
More info: Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://technet.microsoft.com/en-us/library/bb742376.aspx
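
The default processing order described above, modelled as an added example (not code from the original page or from Microsoft): it sorts GPO links into local, site, domain, parent OU, child OU order, applies them so that later values overwrite earlier ones, and reports where a baseline GPO's value was replaced further down the hierarchy. The GPO names, setting names and values are constructed sample data, and only the default behaviour described on this page is modelled.

```python
# Added example: default GPO processing order (local, site, domain, OU).
# GPO names, setting names and values are constructed sample data.
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

SAMPLE_LINKS = [  # deliberately listed out of order
    {"gpo": "Kiosk-Exceptions", "level": "ou", "ou_depth": 1,
     "settings": {"ScreenLockTimeoutSeconds": 3600}},
    {"gpo": "Domain-Baseline", "level": "domain",
     "settings": {"ScreenLockTimeoutSeconds": 600, "DenyRemovableStorageWrite": True}},
    {"gpo": "Local", "level": "local", "settings": {"ScreenLockTimeoutSeconds": 0}},
    {"gpo": "Site-HQ", "level": "site", "settings": {"DenyRemovableStorageWrite": False}},
    {"gpo": "Workstations", "level": "ou", "ou_depth": 0,
     "settings": {"ScreenLockTimeoutSeconds": 300}},
]

def processing_order(links):
    """Order in which GPOs are applied; for nested OUs the parent
    (lower ou_depth) is applied before the child."""
    return sorted(links, key=lambda l: (LEVEL_ORDER[l["level"]], l.get("ou_depth", 0)))

def effective_settings(links):
    """Apply GPOs in order; a later GPO overwrites a value applied earlier.
    Keeps the list of (gpo, value) pairs that were overwritten."""
    result = {}
    for link in processing_order(links):
        for name, value in link["settings"].items():
            prev = result.get(name)
            lost = prev["overwritten"] + [(prev["gpo"], prev["value"])] if prev else []
            result[name] = {"value": value, "gpo": link["gpo"], "overwritten": lost}
    return result

def baseline_overrides(links, baseline_gpo):
    """Settings from baseline_gpo that a later GPO replaced with another value."""
    findings = {}
    for name, info in effective_settings(links).items():
        for gpo, value in info["overwritten"]:
            if gpo == baseline_gpo and value != info["value"]:
                findings[name] = {"baseline": value, "effective": info["value"],
                                  "winning_gpo": info["gpo"]}
    return findings

if __name__ == "__main__":
    print(" -> ".join(l["gpo"] for l in processing_order(SAMPLE_LINKS)))
    for name, info in effective_settings(SAMPLE_LINKS).items():
        print(f"{name} = {info['value']} (from {info['gpo']})")
    print(baseline_overrides(SAMPLE_LINKS, "Domain-Baseline"))
```
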


Which folder contains login scripts in an Active Directory domain?

  • Scripts
  • Schema
  • System32
  • Sysvol 

EXPLANATION


The logon script is the file that performs the actual action, and it could be almost any action. So we’ll start by creating that script. The default location for logon scripts is the NETLOGON share, which, by default, is shared on all Domain Controllers in an Active Directory forest, and is located in the following folder:
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts
Where %SystemRoot% is usually “C:\Windows” and <domain DNS name> is the DNS name of the domain, similar to “Techlanda.local”. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain.


Which of the following is NOT a valid Active Directory group scope?

  • Distribution
  • Domain Local
  • Global
  • Universal 

EXPLANATION

Group Scopes

The different group scopes make it possible for groups to be used differently to assign permissions for accessing resources. A group’s scope defines the place in the network where the group will be used or is valid. This is the degree to which the group will be able to reach across a domain, domain tree, or forest. The group scope also determines what users can be included as group members.
In Active Directory, there are three different group scopes:

  • Global groups: Global groups are containers for user accounts and computer accounts in the domain. They assign permissions to objects that reside in any domain in a tree or forest. Users can include a global group in the access control list (ACL) of objects in any domain in the tree/forest. A global group can, however, only have members from the domain in which it is created. This means that a global group cannot include user accounts, computer accounts, or global groups from other domains. The domain functional level set for the domain determines which members can be included in the global group.
    • Windows 2000 Mixed: Only user accounts and computer accounts from the domain in which the group was created can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, and other global groups from the domain in which the group was created can be added as group members.
  • Domain Local groups: Domain local groups can have user accounts, computer accounts, global groups, and universal groups from any domain as group members. However, domain local groups can assign permissions only to local resources or to resources that reside in the domain in which the domain local group was created. This means that a domain local group can be included only in the ACLs of objects located in its own domain. The domain functional level set for the domain determines which members can be included in the domain local group.
    • Windows 2000 Mixed: User accounts, computer accounts, and global groups from any domain can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, global groups, and universal groups from any domain can be added as group members. Other domain local groups from the same domain as group members can also be added.
  • Universal groups: Universal groups can have user accounts, computer accounts, global groups, and other universal groups from any domain in the tree or forest as members. This basically means that users can add members from any domain in the forest to a universal group. Users can use universal groups to assign permissions to access resources that are located in any domain in the forest. Universal groups are only available when the domain functional level for the domain is Windows 2000 Native or Windows Server 2003. Universal groups are not available when domains are functioning in the Windows 2000 Mixed domain functional level. Users can convert a universal group to a global group or to a domain local group if the particular universal group has no other universal group as a group member. When adding members to universal groups, it is recommended to add global groups as members and not individual users.


Wednesday, May 15, 2019

There are two types of groups recognized by Active Directory: Security and _________

  • Peer
  • Domain
  • Global
  • Distribution 


EXPLANATION

Group Types

Two types of groups can be created in Active Directory. Each group type is used for a different purpose. A security group is one that is created for security purposes, while a distribution group is one created for purposes other than security purposes. Security groups are typically created to assign permissions, while distribution groups are usually created to distribute bulk e-mail to users. As one may notice, the main difference between the two groups is the manner in which each group type is used. Active Directory allows users to convert a security group into a distribution group and to convert a distribution group into a security group if the domain functional level is raised to Windows 2000 Native or above.

  • Security groups: A security group is a collection of users who have the same permissions to resources and the same rights to perform certain system tasks. These are the groups to which permissions are assigned so that their members can access resources. Security groups therefore remove the need for an administrator to assign permissions to users individually. Users who need to perform certain tasks can be placed in a security group, which is then assigned the permissions necessary to perform these tasks. Each user who is a member of the group has the same permissions. In addition to this, each group member receives any e-mail sent to a security group. When a security group is first created, it receives an SID. It is this SID that enables permissions to be assigned to security groups: the SID can be included in a resource’s DACL. An access token is created when a user logs on to the system. The access token contains the user’s SID and the SIDs of the groups of which the user is a member. This access token is referenced when the user attempts to access a resource. The access token is compared with the resource’s DACL to determine which permissions the user should receive for the resource.
  • Distribution groups: Distribution groups are created to share information with a group of users through e-mail messages. Thus, a distribution group is not created for security purposes. A distribution group does not obtain an SID when it is created. Distribution groups enable the same message to be sent simultaneously to all group members. Messages do not need to be sent to each user individually. Applications such as Microsoft Exchange that work with Active Directory can use distribution groups to send bulk e-mail to groups of users.

Which tool gives you a real-time graphical look at Microsoft Windows (Vista and later) performance information?

  • Task Monitor
  • Resource Monitor
  • Task Viewer
  • Event Monitor 

EXPLANATION

Resource Monitor, a utility in Windows Vista and later, displays information about the use of hardware and software resources in real time. Users can launch Resource Monitor by executing resmon.exe.

Resource Monitor is a necessary complement to Task Manager, which is too limited (Windows 7 here). For instance, only Resource Monitor will show what discs are currently spinning. 



Which tool can you use to troubleshoot Active Directory problems?

  • Repadmin
  • WSRM
  • Hammer
  • Repmon 

EXPLANATION

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
This document describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory® environment. All the information in this document applies to computers running the Microsoft® Windows® 2000 Server and Windows Server® 2003 operating systems. This document includes the following topics:
To obtain a copy of this guide in .doc file format, see Troubleshooting replication with repadmin on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=129020).

 

