1. What determines which users and computers receive a GPO's settings?
- The GPO is applied to all objects in the domain regardless of location
- The GPO is linked to a site, domain, or OU, and applies to all users and computers within the linked container
- GPOs are assigned to individual user accounts through their account properties
- GPOs apply based on which domain controller the user authenticates to
2. In the LSDOU processing order, what happens when a domain-level GPO and an OU-level GPO define conflicting settings?
- The domain-level GPO always wins because it has broader scope
- The OU-level GPO overrides the domain-level GPO for the conflicting setting, because more specific policies take precedence
- Both settings are applied simultaneously and the system uses whichever was created first
- The conflict causes an error and neither setting is applied
3. Why is SYSVOL relevant to security assessments?
- Because SYSVOL stores the AD database (NTDS.dit) in an accessible location
- Because SYSVOL contains GPO scripts and templates readable by all authenticated users, which may include hardcoded credentials, scheduled task configurations, or infrastructure details
- Because SYSVOL is the only location where user passwords are stored
- Because SYSVOL is accessible only to Domain Admins and contains sensitive configuration files
4. Why are GPO edit rights a security concern separate from the settings a GPO delivers?
- Because GPO edit rights allow users to delete the GPO entirely
- Because anyone who can edit a GPO can push scripts, scheduled tasks, or configuration changes to every system the GPO applies to — control over the GPO means control over those systems
- Because GPO edit rights automatically grant Domain Admin membership
- Because GPO edit rights bypass the LSDOU processing order
5. What is the difference between GPO creation and GPO application?
- Creating a GPO immediately applies its settings to the entire domain
- Creating a GPO stores it in AD; the GPO only takes effect when it is linked to a site, domain, or OU
- GPO creation and application happen simultaneously and cannot be separated
- Application happens only when a domain controller is rebooted after GPO creation
6. An interviewer asks: 'If you found that your compromised user has write access to a GPO linked to the Domain Controllers OU, what could you do with it?' Which response demonstrates the strongest understanding?
- I would read the GPO to find password policies and lockout settings
- I would modify the GPO to push a scheduled task or startup script that executes on every domain controller, giving me code execution on the highest-value servers in the environment
- I would delete the GPO to disrupt domain controller operations
- I would change the GPO to add my account to Domain Admins