07 Group Policy Objects - Windows Server 2008 Tutorial

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

welcome to Train Signal you're watching get your control freak on well we're gonna start to control what your users can and can't do through this thing called group policy this is some good stuff in this video we're gonna start off by talking about what is you're gonna be building through this video they want to talk about what is group policy I'm gonna talk to you quite a bit about the foundations and some of the theory behind group policy but all along the way we're gonna be bouncing back and forth to machines illustrating pretty much at every step and they don't want to talk you through setting up four of my favorite policies it's actually more than just four settings keep in mind but there's four things that I like to do when I'm presiding over a network per se I'm gonna two-step you through those step by step alright so in a nutshell that's what we're gonna be doing there's a lot of stuff in here so let's go ahead and let's keep on moving here we're gonna be locking down the desktops for global antics the good news is is that the other 23 machines we're waiting on a backorder they finally came in and we ended up with a new assistant whose name is Jamie and Jamie set them all up and joined them all to the domain but what this means is now that people can actually start coming to work and what we need to do is we need to make sure that we control what they can do and what they can't do now this is a little more of an art than a science alright as you start to get used to working with group policy and really start to see its power and its ability you'll start to know what you can and can't do but nevertheless with this section before people step into our office we need to make sure we have some things locked down you know we are a securities firm we you know there's a lot of sensitive information that we deal with on a regular basis and so we need to make sure there's a few things set up right up ahead of time so you want to ensure that all desktop wallpaper is the same whatever machine now this is a pretty simple basic kind of everybody does this type of thing it's a really good idea because this also prevents people from putting weird stuff on their desktop like oh I don't know naked people right and you all know that we people have naked people on their desktop as a wallpaper that usually ends up in a sexual harassment lawsuit at least it does here in the states so want to prevent that users cannot access the display control panel we don't want people messing with the screen okay when you give people too many buttons to push they will push them and they'll end up squirreling something up and then it'll call you because well I did this to my computer now it doesn't work quite right then you figure out what button they pushed and you think of all Gino kitten you also want to make sure that users cannot install software now user access control and vistas gonna take care of waterless for us just so you know but we want to make sure that user access control is enabled on all the machines and they can't be turned off and here's the thing that a lot of system administers have started to be much more concerned about and that is this idea of USB sticks and mp3 players and other types of removable storage I mean how easy is it for somebody walk in to your network pop in a USB stick grab you know a couple hundred thousand dollars worth of data and then walk out with it on a little bitty thumb drive so I'm gonna show you how to actually prevent users from doing anything with those altogether so this is gonna be a very very useful setting for you I think but these are the things that we want to be able to ensure that our users cannot do so in order to make all of this happen okay we're gonna be using this thing called group policy and we're gonna go back to our Active Directory stuff we've been working with sharing files and such and folders in the last video but now we need to go back in Active Directory we're gonna be making all of this stuff happen through this really cool technology called group policy so let's talk a little bit about what a group policy object is okay group policy object what it does is it gives you control over what users and computers can and can't do but they've expanded group policy especially with Server 2008 and in the next couple of videos we're going to kind of see a bigger picture of what it can do for so it can do a lot more than just control what users can and can't do but here's what a group policy object is kind of in a nut it's an active directory object that contains settings that we can configured to control what's happening with users and computers and there are literally thousands I mean thousands of different settings that can be configured inside of each GPO and by the way GPO is how all the cool administrators say it so if you don't go ahead dot that into your cab you Larry feel free and here's how GPOs are used they're used with containers now containers will we're talked about there we're talking about domains talking about sites we're mostly going to be talking about Oh use especially in this particular video but here's the funny thing Group Policy objects ok are not applied directly to groups now groups can play a part and we'll see that later on in another video in this series but Group Policy objects aren't directly applied to groups so that it questions why is it called Group Policy okay that's those things that's probably worth an email to Microsoft because it really should be like container policy oh you policy either not group policy because a group is a particularly object and group policy does not directly apply to groups now in like I said a little bit later on I'm gonna show you how groups kind of get into the mix with group policy but group policy is applied to and used with containers domains sites but most of the time organizational units is we're gonna find out in this video now very quickly what I want to do right now at this point in time is I want to take you over to DC one via our remote desktop over on our client one machine I want to show you the console that we're going to be working with all throughout this particular video at the next couple of videos as we explore this whole group policy thing all right so here we are over honor of this two client one machine where are we working a lot last round let's go into DC one here by opening up our remote desktop shortcut here and then remember since we saved our credentials just went ahead and logged us in with them all right so we're gonna go to here to the server manager in DC 1 and let's just do a quick check we were working with our organizational units last time just as a quick review we have a New York organizational unit we have New York computers and New York users everything is still intact for those we still have our groups all intact down here at the bottom now remember our groups are gonna come into play with this whole group policy thing later on in the mix but here's the thing we're not going to actually be doing our group policy work here this is where we set up our objects so that we can apply a group policy we're gonna go ahead minimize server manager and let's go to the Start menu I'm gonna go here to the Administrative Tools and I'm gonna go to the gpmc or the group policy management console here I'll get this guy opened up and this is where we're going to be doing most of our work for this particular video all right now when we initially create our domain and here's our domain section here underneath the global Mattox comm forest here in the global antics comm domain we have a default domain policy now a default domain policy is always there it's always created now you could delete it if you want to you probably don't want to but if you do the world doesn't end just so you know hey all right so we're gonna be taking a look at this default domain policy because it's always there it's already pre-built for us there's nothing that we had to do to actually created except will create the domain now if I go ahead and I go here to the group policy objects you see that I have another group policy object living over here default domain controllers policy this is for well the domain controllers they go figure well talk about the whole domain controllers thing later on I want to take you into this default domain policy item here real quick and I just want to kind of show you around a little bit give you just a kind of the nickel tour I'm gonna right-click on it and select edit now this is going to open up a new console called the group policy management editor and this allows me to actually edit and make alterations to this particular group policy object notice here we have two sections computer configuration and user configuration so we actually have two sides of group policy for this video we're going to be sticking with user configuration okay so let's take a look at what we have in here here are the policy categories for our user configuration side we have software settings and this is if we want to have software installed across the network this is way cool we're gonna talk about this again in another video window settings which we might want to dip into here a little bit we have things like oh I don't know security settings scripts remote installation services folder redirection stuff all kinds of stuff that we can make alterations with here in Windows settings what we do most of our work in let me go and expand this a little bit we do most of our work in this administrative templates section though get this guy stretched out a little bit in the administrative templates section we have the capacity to make alterations to things like at the control panel add remove programs and as we select different categories of our policies here we get the actual settings over here and if we select one of these settings it actually provides us with a nice definition and description of what's happening or what can happen with that particular policy now here's the thing I wanna show you real quickly how many settings we do actually have all right if I go down here to all settings for the administrative templates section right here you'll notice that for the user configuration side of group policy for all settings we have 1,332 settings and seriously am I going to show you all 1308 settings now now are you getting this kit with this course would be like 120 hours long we still wouldn't be able to get through all of them I'll say it puts you to sleep so we're going to hit you know like I said you might for favorite policies that I like to make sure are intact when I'm presiding over a any given network the nice thing about is that you don't have to know all 1,300 policies you know there's certain items that you know you're gonna know you're gonna need quickly and easily there's gonna be certain stuff that everybody's gonna want neat there's gonna be a lot of stuff that you won't yeah and that's okay you remember you don't have to know all of them because when you select any one of the policies it gives you a description of what that policy can do so if I go here to the standard section that turns off the description but I can skill still get the description though if I double-click on any one of these policies to configure it I go to the explain tab it tells me exactly what that policy does basically a duplicate of what was in that extended explanation tab so I can still get to the explanations and what this particular policy is going to do now in the settings a lot of our settings are either not configured enabled or disabled and different policies are going to have different effects on your users and on your network depending upon if you selected enabled or disabled so it's one of those things that you're gonna have to watch per policy okay now in this instance when I explained the add programs from Microsoft item if I disabled the setting or do not configure it so if I pick not configured or disabled then add programs from Microsoft is available to all users now if I enable it on the other hand this setting prevents users from using add or remove programs connect to connect to Windows Update okay so we have a very English side of this it's very easy to understand for most of these policies some of them are a little more convoluted than others obviously but nevertheless most of them are going to be pretty easy to understand now again different group policy settings are going to have different options so let's see if we can find one here let's a little more interesting let's take a look at this package point in print approved servers okay now for this particular setting if we enable it there's another setting here that allows us to add fully qualified server names so different settings are going to have different parameters that we're going to be able to add in now not all of them but some of them do especially when it comes to adding things like servers and you know adding printers that easily all kinds of that stuff I mean that's all going to have very specific parameters you're gonna have to put in for the different settings now there's one more thing they want to talk to you about while we're here and that is this preferences section this preferences session this is a brand new thing with Server 2008 we've never really seen this kind of stuff before in group policy and it's very very exciting we are going to talk about this in another video in this series coming up but we can do stuff like quickly add printers to everybody's network we can do stuff like altering the folder options we can even manage local users and groups if we need a local user you know in the window settings we can do things like mapping drawings and here's where we would add files we can create folders and manage folders there's just a bunch of way cool stuff that you can do from this preferences section but again I'm kind of getting ahead of myself just a little but I wanted to mention this to you so that when we come back to this in a couple of videos from now you'll know what it is and it'll be at least a little bit familiar to you alright so now we've had just kind of the nickel tour of the group policy management tools we've taken a look at the group policy management editor let's close it and we will leave open the group policy management console because we're going to come back to this as we start to create our initial policies for global man --tx but right now let's go back on over to the slides I want to talk to you more about the theory and the foundational concepts of group policy all right so let's talk about the difference between what we just saw the domain level policy stuff and local policy now here's the thing every windows computer and I mean every Windows computer even the ones you have at home have a local group policy component to them so you can actually control what can be done on that machine and what can be restricted but here's the kicker okay you don't want to have to go around to all of your computers in your domain and configure all the settings manually I mean seriously you know if you have 500 machines and you're going to use local group policies through the domain level policy yeah listen I've known guys who have done it and you know what when I back when I was a high school teacher and I didn't have full access early on to the domain level policy from my classroom well I went around to 30 machines and I configured them by hand using the local group policy of course that took just a stupid amount of time out of my day because if any of you are high school teachers or having any experience with high school kids at all you know that if you set up something that they that blocks it out of it they immediately try to go around it it's just the way it is it's just the nature of being a being a high school kid I think so I had to keep adding noon and more better policies had to keep locking more stuff down and every time I do that had to walk around to all 33 of my machines and it just got really crazy so when I was actually granted access to administer the policy for my classroom for those machines and for those users it made my life so much easier so here's the thing you can configure each computer separately using local policy you know because I mean really there's nothing like going around at 25 separate machines and making 26 modification each one right I mean that's really what our idea of a good time is huh huh yeah I don't think so seriously man that is just a huge time waste now even though it is a huge time waste I'm still right now I'm gonna take you over to a Vista machine I at least want to show you how to get into it because let's say you are faced with a situation where you'd are not granted access to canoe your group policy for your particular section of the network let's say you are in a high school environment or a nonprofit environment where they don't even have a domain controller you know let's say you're just in a work group environment so I'm gonna go ahead and take you over to the Vista machine I will at least want to show you how to get to the local group policy for each and every machine ok all right well here we are over on client - all right I'm didn't take you over to client one because you know we have the whole remote desktop thing happening on that so we're gonna do I want to show you this on client two real quickly we're going to go ahead and log in real quick on to client the client two machine right now it wants us to log in as Hank Richardson well Hank Richardson right now does not have access to our local policies there's two possible logins we could use we could either use the local administrator logon that we created way way back but if we don't remember it we might have to use our super coach login so I'm gonna go ahead just use the super coach login because quite honestly I don't really remember what the administrator password was that local administrator right now so but I do know that I can get into it with super coach because the super coach as the domain administrator is the highest level of authority and is provided the most amount of permissions so if I go to go ahead and close our control panel here so I can just kind of get this stuff out of the way and now I want to show you how to get to that particular group policy for this local machine I'm gonna go to the Start menu and here in the search box I'm going to type MMC now by the way if you're running Windows XP you would actually go to the start and you would go to run of course I don't have run on this machine so we're going to go jump right over here to the console now this is the MMC Microsoft management console this is what you'd also see inside of windows 2000 and 2003 we didn't have that nice pretty server manager back in the old days say that alright so I'm gonna go here to the file menu and the select add/remove snap-in and here in the add/remove snap-in i'm gonna go to the group policy objects editor here I'm going to select it it's gonna ask me which machine do I want to manage well I want to manage the group policy stuff on the local computer and I'm just going to tell it finish and that's really all there is to it so I select group policy object I can double click select add make sure I select local computer and there it is so tell it okay and now I'm gonna go ahead and expand this here so we can see everything that's happening here's the local group policy you see I had the computer configuration and the user configuration you will remember that you know we have the software settings windows settings and the administrative templates but notice that preferences is missing okay we don't have the Preferences section here in local group policy because well this local group policy it's the local computer we're not setting up files and folders and shared maps shared drive maps and all the other stuff across several machines we're only doing it for this one machine so when I want to lock something down let's say I want to lock down the control panel I'm gonna go here to the control panel underneath the administrative templates I'm gonna use the standard option here so I can see just a little bit easier and I'm gonna prohibit access to the control panel and enable it okay that group policy setting is applied I'm gonna tell it okay that was really easy wasn't it yeah it was but now since this is local computer policy you don't have to do I'm gonna have to go around to all 25 of my other machines or I'm sorry 24 right and I can't do math in my head at all 24 machines and I have to turn this on yeah that sounds like a way to just really kill an afternoon or an evening doesn't it yeah and trust me it is because I've been there and I've done that so again you know we could do it this way we could go to every single machine we could login as the administrator we can open up the Microsoft management console also known as the MMC add in this local policy snap in to the console and go in and make these alterations to every single machine no we're not going to do that so let's we'll go back on over to the slides and let's talk a little more about foundational stuff well and using group policy at a domain level so like I said you can't configure each computer separately using the local group policy the local computer policy but the other way to do it is the smart way and that is to configure all of your machines at once from the comfort of your desk using the group policy management console on your domain controller now again just in case you don't have a domain controller because you know I've been in situations where I haven't had one but if we have a domain controller then there is no good reason why we need to be bouncing from machine to machine to machine making and you know half a dozen 2,000 or 3,000 settings on every single machine that's just wasting your time okay so what we want to do is we want to be able to set up our group policy objects at the domain level and then apply them using Active Directory okay and that way we can control all of our machines at once now here's the thing right now creating group policy objects that's a note that's that's a no-brainer it's very very easy you know we can even use the built-in ones that we have we can use the domain policy if we like it's usually not the best place to do a lot of restrictive settings though so normally what we do is we create a group policy object okay and this group policy object then what we have to do is link it to a particular container now most of the time your group policies are going to be linked to an organizational unit so if we create a group policy object that controls just the wallpaper and let's say that we link that group policy object to New York users then all of the users inside of the New York oh you this NY users organizational unit would then get that new wallpaper now here's the really cool thing about group policy objects we have a group policy object that you want to reuse over and over again you don't have to recreate it we can take the same object in this little illustration or we will take the same group policy object that controls wallpaper and not only just link it to New York users we're also going to link it to the IT user section so you users in the IT users oh you will also receive that new wallpaper so having our group policy objects linked to our containers and again uses our containers are going to be organizational units although there are other containers that we use gives us the ability to reuse our group policy object over and over and over again so once we have a good one you know doesn't matter how many organizational units full of users you you're going to create we can continue to use that guy over and over and over again saving us some work now let me tell you something else here this whole link you know when I was talking to you mean links are not difficult to understand okay but to kind of throw a little bit of a wrench into the mix a link is actually an active directory object - there's so much the stuff that we're doing in this whole video series that are is all about Active Directory objects so not only is the group policy object that controls our wallpaper and active directory object not only is our two organizational units are they active directory objects but also the links that allow us to control the wallpaper that's an active directory object to remember that an active directory object is nothing more than an entry in a database however every entry in our database has a lot of different properties and when we actually start building our group policy items and we start creating our links to the different views that our group policies are going to control I'm going to show you that our links have a couple of properties that we need to pay attention to and they're gonna be very very helpful to us when we start doing troubleshooting work alright so now we understand that once we have a group policy object we link it to a container usually nou but not always because GPOs can be linked at different levels for example we can link a GPO at the domain level and then everything in the domain by default unless we make any kind of alterations everything in the domain level is affected so let's say we just say that everybody is going to have the exact same wallpaper we could do that in that default domain policy remember how we were looking at that earlier this default domain policy is linked to global antics comm as a domain so that means anything that we set here in this default domain policy will apply to the entire domain at the organizational unit level everything in the organizational unit is then affected now this is a nice way to keep a little tired of control and what's happening in your network when we start breaking out our users into organizational units it's a lot easier to apply group policy will talk about that again in another video as well but we can also apply them to sites now we haven't really talked about sites at all in this series we've talked about them a little bit here and there we renamed our default first name side to New York and and stuff like that now we can't apply GPIOs also to the site level you know we don't normally all right I mean this is not something that we do on a normal everyday basis most of the time we restrict our gpo's to either our domains or our organization units but you can apply a group policy object or a GPO to a particular site now whenever we start talking more about sites later on in this video series it'll probably become a little more clear because we can use sites to control what happens at a physical location type of level but we're not quite there yet so we'll talk more about sites later on we're going to be focusing in on working with the domain and the organizational unit level more so the organizational unit level let me tell you a little bit of a secret about your default domain policy your default domain policy right here is almost always the least restrictive okay you're really gonna do very basic core kind of stuff here in the default domain policy you're gonna set up your stuff like your password policies okay your desktop wallpaper okay maybe you might do that here you know but chances are we're actually going to be doing a lot more of our work in the oh you level and remember since we can create a group policy object and we can link it to several different organizational units down here well then we can continue to reuse the same GPO over and over and over again now right now our structure is pretty basic but in another video we're gonna start breaking this out into a little more complex structures that will give us a little more ability to apply group policy more efficiently but we're gonna keep this one pretty simple okay so because really what we're really talking about is really talking about we what is a group policy object we're really getting the foundation underneath this here now we know that group policy objects now can be linked at the site level the öyou level and the domain level but here's another thing group policy has two sides users and computers know we've talked about the seen this already now here's the thing while you can configure settings for both sides in any one group policy object we generally don't okay why because it gets messy and annoying and it will give you a headache let me guarantee that why because I've done it we separate out our users and computers into separate organizational units so that way we can apply separately objects to them okay so when I'm creating a desktop lockdown policy like what we're going to be building in our exercise here when I create that for the users I'm going to be only working in the user configuration section in the user policy section and I'm going to apply and Link this group policy object to an organizational unit that only contains users and when I'm ready to do stuff for the computers well then I'll create a new group policy object and now create computer configuration policies I'll set those up and I'll apply that new policy object only to an organizational unit that contains computers okay again I've talked to you already about this whole Preferences thing each side has different preferences that are available so don't forget about that sometimes stuff that you're gonna look for might actually be a computer configuration rather than in user configuration but in just a little bit I'm going to show you how to find policies a little faster and a little easier okay all right now we have a basic core understanding at least I think so at least we have the foundational knowledge of group policy objects here's another thing okay when you're using group policy its applied in a very specific order and here's that order first of all whatever is on the local computer policy happens first okay so let's say that on the local computer policy we've decided that no users can put anything onto the desktop okay well then they're locked idle desktop that's it doesn't matter what happens down the line here nope doesn't matter one bit if the local computer policy says okay I'm denying access to this particular thing then access is denied to that particular thing however here's the deal we generally don't mess with local computer policy why because we would have to go around to every single machine and set it and all I can say is no no we're not going to do that right then whatever site policy is applied at the site is applied but again we generally don't apply policies to sites either hey you know there's gonna be rare occasions where you might want to but most of the time you're not gonna do it then whatever policy is running at the domain level remember that default domain policy then it gets applied and then the organizational unit policy gets applied so then again this is we're gonna be doing most of our work in this particular video series because this is where you're gonna be doing most of your work in real life although you might be doing some stuff at a domain policy level as well here's a really easy way for you to remember this LS do you and yes there's kind of a kind of a 60s reference hidden in this particular item here but you know is this kind of an easy way to remember it you know LS do you in terms of how Group Policy and the order in which they get applied to a user or a computer also here's something else that I would like for you to remember well let's say you have two different group policy objects let's say that one group policy object happens to be running here at the site level and one has to be running at the y-o-u level well guess what the last one wins okay generally speaking the last group policy that's applied is the one that wins so if you have conflicting policies if one says one thing and one says the other the last one wins and the last one is the always the öyou policy all right so here we go we've talked a lot about this theory stuff and it's kind of kind of heady so let's kind of really break this down let's get into the core level where the rubber really meets the road for this we need to ensure that our user accounts restricted in the following fashions this is the same thing we talked about earlier all desktop is the same on every machine and cannot be changed remember we don't want people putting up weird pictures or naked people on the desktop right we want to make sure that users cannot access the display control panel we're going to ensure that users cannot install software and that they cannot attach removable drives like USB sticks mp3 players cameras whatever any kind of removable storage media we want to ensure that they cannot attach now as administrators don't worry about it if you log in as the administrator you can always attach stuff unless you restrict yourself for some weird reason but for the users we want to ensure that those guys can't do that all right so here's what we're going to do we're going to be creating a single group policy object to start off with we're gonna remember work and they kind of try to keep it as simple as we can we're going to be applying all of these settings on the user side okay then we're going to be linking the group policy object that we're going to create to the NY users organizational unit and then after we've got it set up we're gonna test out this group policy object with L bingo remember L Binga from the other from the other video or so we're going to use his account and we're going to see if all of this works so let's go ahead and let's move on over to back to DC one via our remote desktop on our Vista client 1 and let's get this started all right so here we are over on the vista client 1 and of course we are still remote desktop into New York DC 1 and the group policy management console is still open just like we left it here and so we're gonna go ahead and start creating and that initial group policy object and we're gonna add in those policies that we just talked about now we're going to be applying the group policy object here to the New York users group oh you so really all of the users inside of our NY users are going to be affected by this policy and it also includes Hank Richardson so kind of keep that in the back of your mind until the next video ok we're going to right click on NY users and here's what we're going to do we're going to create a GPO in this domain and link it here remember we can create GPOs but they have to be linked now server 2008 gives us a little bit of a helping hand and creates and links it at the same time so let's go ahead and let's do that here let's go ahead and select create and we're going to call this guy desktop lockdown now notice here what says source starter GPO and it says none will go ahead and tell us okay I will talk to you a second here about GPOs and kind of take a short little tangent a starter GPO is basically a group policy object that you create previously let's say that their settings that you want to have applied to all machines or all computers you don't have to go back and reset those 20 settings over and over and over again well you can create a starter GPO and just simply make copies of it no it's kind of a nice little feature this is new to server 2008 by the way so if you've taken a look at this thing in 2000 2003 notes that this was not here right we're not going to concern ourselves right now really with the star GPO stuff we're just gonna go and continue to work with our desktop lock Town GPO now you see here when I clicked on it it tells me that I have selected a link to a group policy object so what I'm seeing right here underneath NY users is not the actual group policy it's just the link remember I told you that a link is also an active directory object right I'm gonna go ahead and tell this message okay and it's gonna give me some statistics and some information about the GPO over here on this side first of all it's gonna tell me what the location of that this particular link is it's gonna give me the details of this particular link and the settings that are part of the desktop lockdown policy now right now we haven't done anything except for creative it looks like we got a little bit of a warning here content within this application coming from the website about security MMC blah blah blah okay you know what we're gonna go ahead we're gonna add this item to our trusted zones remember when we're working with server most of the time we'll keep Internet Explorer kind of lockdown so that's not going to places and grabbing a hold of drive-by downloads or any nasty elements as well so I'm gonna go ahead and add this website to the zone and tell it to close I'd be fine because what you're actually seeing here is actually a web page just so you know so right now you see that there's no settings defined at all because it's it's wow we haven't done anything so also there's a delegation tab and we're gonna come back to this tab this is going to play a much needed role in another video but we'll deal with that when we come to it all right so let's go back over here to the desktop lock down and let's actually make some alterations to let's actually add some settings in here we need to right-click on the link and by the way our death actual desktop policy object lives here in the group policy objects folder okay so here's the desktop lockdown and this is kind of nice because when you select the actual group policy object you see where it's actually linked to so if I link desktop lockdown to two or three different organizational units I can see what organizational units I have linked it to here in this particular section all right so back over here to desktop lock down again it's telling me I've selected a link okay that's fine I'm gonna right-click it and select edit now even though I'm selecting the link and selected to edit on the link it's still going to open up the desktop lockdown policy object or so now we remember we're going to be working strictly with the user side of the desktop lockdown policy for this particular video we're not gonna worry about the computer configuration side in this video we'll worry about that one in another video okay in this same series so we're gonna go ahead and here go to the policies section and the items that we're gonna start looking at we want to concern ourselves with the desktop wallpaper initially okay so here in the policies we're gonna be looking under the administrative templates section this is where most of your policy setting and the most your positive work is actually going to be happening now there's a couple of different ways to get to a variety of different pauses first of all and take you here to all settings I like this okay this all settings section I'm gonna go ahead and go to standard here I don't want I don't really care to see this extended section because I know what I'm looking for and remember you can always get to the explanations by double-clicking on any one of the policy setting objects and go into the explained section right when I look here all settings I have one thousand three hundred and thirty two unique settings for the user side for the configuration now I could scroll through all thirteen hundred and some-odd settings but I have better things to do with my time right so here's what I'm going to do we can actually filter out four particular topics that we're looking for first of all or turn on this filter okay and now I'm gonna go here to the View menu and you see that the filter is on but I'm gonna go here to filter options now this is the thing that I'm going to recommend to use the most often all right first of all enable keyword filter should be checked marked and right now it's filtering for the word removable because I was messing around with this earlier now I'm going to do a filter for desktop hey let's see what we come up with here mo tell it to be Toth okay and it's going to refill tur for items that are specifically for the desktop or have desktop in the titles at the very least so I don't have nearly as many policies to look through so let me that's a little bit of a of an advantage desktop wallpaper hey here we go this is a good start here in the desktop wallpaper properties this is where I can actually set a specific wallpaper for all of my users now right now I see it's not configured and you notice here that when I do enable this policy I have additional parameters that I can specify like we were talking about just a little while ago now the wallpaper name okay this is pretty critical if we're going to enable this policy which by the way we are because remember we want the same desktop wallpaper on all of the machines or at least all of our user machines anyway we need to specify where that Pulte wallpaper lives and that's what we need to put here in the wallpaper name the easiest way to handle this is to create a shared folder out on a particular server probably our file server on them one in this case for global man --tx and then we can just put in the share address into it so that way it will actually pull the wallpaper off of that shared folder now let me tell you an advantage to this if you do a shared folder with one wallpaper let's say that you want to change the wallpaper six months from now or two weeks from now or even tomorrow all you have to do is place that one file yeah it is pretty cool so you know what that's what we're gonna do right now we're gonna go over to mem one and we're gonna create a shared folder for our wallpaper you know what I've cheated a little bit because I have created a a global mantis wallpaper to use and so we're going to actually take that wallpaper throw it into a shared folder so that way we can access it here and apply that wallpaper on all of our machines so let's go ahead and go on over there you know what I gotta tell you I think I'm really tired of just bouncing on over to the virtual machine so let's go ahead and setup a remote desktop shortcut to it let's go ahead and minimize this remote desktop and we're back here on the desktop of our Vista client 1 I'm gonna go down here to the Start menu and let's do the remote desktop connection thing score the options here and let's see here looks like I've already tested this out to make sure I can't get there and so we're gonna go here to the experience and make sure it's set to land that's good and so we're gonna go ahead and allow us to save credentials here and let's go ahead let's save and let's go ahead and let's save this guy to our desktop and we'll name him m1 that looks good and we'll save it out here there we go there he is and we'll go ahead and cancel this let's test this guy out we'll double click on him and I'm going to go ahead and turn off this whole warning thing I know where I'm connecting to so we'll click on connect and now we're going to be logging in as a super coach account of course and we'll go ahead and also remember the credentials so that way next time I just have to double click on it and jump directly over to mem one all right so here we are in them 1 and here is the global antics wallpaper that I created I've went ahead and posted it to the desktop it's pretty simple I had the logo here in the upper right hand corner nothing really extravagant I'm gonna go ahead and close this guy what I'm going to do is I'm going to go to the Start menu and to the computer and we're going to go to well you think let's do ops alright we'll go to the ops folder or the opposite vowel you my should say and let's go ahead let's make a new folder here and we'll just call it wallpaper so it's real easy to remember all make it lowercase and let's go ahead and share this folder as well right now it's just shared to super coach so let's go ahead and let's add in here the domain users all right and a lot of folks what they'll do is they'll share something to everyone this is not a very good idea when you share something to everyone that literally means everyone and that means people who are not necessarily a part of your network so we'll go ahead and not do everyone okay we're gonna keep this semi secure and make domain users have read-only permission to this folder now this is share level permissions remember so anything that we put into this folder will inherit that share level permission now we could do the whole NTFS thing but there's no reason to because basically we want all the domain users all of our users to be able to read this folder and grab the wallpaper so that our desktops are uniform across the enterprise ok all right so here's the path slash slash and y dash mem 1 dash 2 k 8 slash wallpaper hey it's pretty simple all right we'll tell it done and so now let's go ahead and let's shrink this down a little just a little bit so we can actually get to the wallpaper do though on the desktop here I'll double click on the wallpaper and let's drag and drop this guy real quick and we'll delete the copy hanging out here on the desktop that's fine so now our global antix wallpaper is hanging out here now it's kind of a long name and since I want to make it as easy as possible to get to I'm gonna do a quick renaming of this guy I'm gonna right-click on him and we'll select rename and I'm just gonna call it GB WP so it's short and the actual name of this file notice this is just a bitmap image I'm going to right click on it and go into its properties the actual name is G BW p dot BMP okay so it's GB WP for global magics wallpaper dot BMP alright because we're gonna need to put in that exact address in the exact file name over on our group policy object so let's go ahead let's minimize our New York mem 1 desktop and let's go ahead and go back to our DC 1 remote desktop look how easy that is once you have your remote desktop set up you could bounce back and forth you can have multiple remote desktop sessions open at once nowadays all right let's see here let's go back over to our group policy editor and let's go back to the desktop wallpaper and we will enable it and now we're going to put in our wallpaper name slash slash NY mem 1-2 K 8 slash wallpaper slash g b WP for a global mantis wallpaper dot BMP that's the file name right we'll have the wallpaper Center on every single desktop now this just so you know this particular wallpaper is actually 800 by 600 because that's the resolution that all of our machines are in now most desktops are at least 1024 by 768 so make sure your wallpaper is at least that size or larger depending upon the standard display of what you have running in your shop ok all right so we go ahead and we'll enable this wallpaper so we've started with the first item on our hit parade we've specified the desktop wallpaper and that's neat but here's the thing we're not preventing our users at this point from changing the wallpaper that's a little more rascally so here's what we're gonna do right now I'm going to turn this filter off because you've seen how the filter works now right you can go ahead and filter out by whatever topic that you're looking for in the group policy settings but they've also categorized stuff pretty well over here in the tree view so I'm going here into the desktop underneath administrative templates and we're gonna set up a few items over here first of all let's go directly into act into the desktop folder desktop wallpaper this is its original home ok so we've already turned that guy on so we're all good for that next I want to take a look here at this prohibit changes I know this looks interesting let's go ahead and double click on it and open it up and let's go into the explain tab this prevents the user for enabling or disabling active desktop or changing the active desktop configuration now active desktop is one of those ways that our users could still get into the desktop and make changes so what we're going to do is we are going to turn it off all right so we're going to enable this policy now look down here at the bottom see where it says supported on this policy supported on Windows Server 2003 that Windows XP and and something else let's go back here to see explain nope looks like we're not seeing it there either it's going to just tell it okay and let's go to the extended tab here there we go here's the operating systems that this prohibit changes are actually going to work on so Server 2003 Windows XP Windows 2000 what's missing yeah Vista we're gonna have a bunch of Vista clients this is a brand new shop we're not gonna have these older operating systems so for right now you do what we don't have to turn this guy on go ahead and let's just disable this guy or let's leave it not configured because it's not going to make any difference to our machines right so we're gonna be looking for policy settings that are going to be affecting Vista all right so let's go back over here to the extended let's take a look here now I'm not seeing it not seeing it not seeing it not seeing it at least Windows 2000 okay well that's good prohibit adding items this one's only for 2003 XP and Windows 2000 so at least Windows 2000 that means it will operate on Vista so we're gonna be a-ok there alright so let's go now into the control panel settings because there's some more stuff in here that's going to be of more interest to us I'm going to expand control panel and go here to the display tab here in the display tab first of all remember how we said we want to make sure that our users cannot change stuff so here's what we're gonna do first of all we're going to remove the display options in the control panel altogether so our users aren't even gonna be able the control panel whatsoever again we can take a look at the quick explanation now this disables the display option but there's still ways that people can get around it alright so there's also one in here prohibit access to the control panel that will also help to prevent our users from getting into any which way if possible now most of the time if a setting is not available for people to click on they generally won't click on it however in every place you've ever worked at there's always that that one guy or one gal who's taken a few classes and they know how to get around a lot of this group policy stuff so we might also want to go ahead and lock it about the control panel altogether that may or may not be a good idea depending upon what you want users to be able to do and what you want them to be able to accomplish and then want you to kind of keep something in mind as we go through all of this stuff let's go ahead and let's just leave this enabled and tell it okay everything that you turn off for the users means more stuff for you to do when a user needs that particular function okay so if you turn off the ability for users to actually get into the control panel all together and by the way that's over here underneath control panel right if we prohibit access to the control panel and our users need something in the control panel to do something that is related to their work that means you or a member of your staff have to go over to that machine log off the user and log on with a an account that is exempt from this policy so something that you want to keep in mind okay I'm gonna go ahead and I'm going to leave this disabled or not configure Grilli so because I'm thinking mmm this may or may not be a good idea for our initial sake because remember you can always come back and turn these back on alright so if you find that your user or a bunch of users are getting into the control panel doing stuff that you don't want them to be doing you can always come back and turn this guy back on alright so I'm going to go back to the display tab and here's what I really want to do I want to prevent them from changing the wallpaper right and again it says at least Windows 2000 which means Vista is going to be included in this particular setting so I'm going to prevent my user from changing the wallpaper properties by enabling this policy let's go to the explanation tab some of these settings rely on other settings in this particular object so one of the things you really need to as you're setting this up never skip the explanation tab okay it's always gonna be a good idea for you to know exactly what this thing is going to do and if there's anything else that this particular setting relies upon right here you see no you must also enable the desktop wallpaper setting to prevent users from changing the desktop wallpaper well fortunately we've already done that right so we have met the requirements for this particular policy so our users will not be able to change it and we have set the appropriate policy for the desktop wallpaper take a look at this here too to remove the desktop tab this is might be something we should probably do in order to make sure that our users can't get to the desktop we might want to change this one as well as go ahead and tell it okay let's see if we could find this guy here hi desktop tab the desktop tab just basically allows users to go into the desktop settings and we're gonna go ahead and enable it we're gonna make sure that the desktop tab is also gone so anytime that they might want to try another workaround the desktop tab is still gone so we're kind of you're doing it maybe a little more than what we need to but in the realm of locking down your desktops it's better to be safer than sorry you know because if it ever causes you any problems I want you to remember you can always come in here and turn it off you know a group policy is very flexible in that fashion all right so let's click here on the standard tab and let's see here we have enabled removed display in the control panel altogether we have hidden the desktop tab we have prevented our users from changing wallpaper so with this particular study remember how I said we were setting up my favorite four settings okay well in order to accomplish this one task we had to enable several different settings in this policy object so why would you keep that in mind you know in order to perform one you may have to turn on several different policies in order to make that happen because remember some policies rely hourly should say some settings rely on other settings all right so we've got this one down next let's take a look at this whole being able to prevent them from installing software so let's go here to add or remove programs now user access control just so you know on Vista will prevent a lot of this whole software installation thing but what we're going to do is we're gonna go ahead and we're going to remove the add or remove programs altogether just prevent our users from using that particular item let's say that somebody gets ahold of administrative credentials and they're able to go in and use add or remove programs they can still use it because it's still available in Vista in order to install you have to have administrative credentials otherwise you can't install anything so just again this is just more of a you know better to be safer than cider type of thing also we're adding and removing the windows components let's go ahead let's enable that - to lock them out of that one add a program from CD or floppy disk will enable that's programs from Microsoft let's go to naval that one any programs from the network we might want to hang on to that one that might be something that might come into play later on for us so really what I'm doing where a lot of these is I'm turning them on just more of as a precaution in case someone finds a way around one of the settings and trust me I've worked with high school kids long enough to know that they will find a way there is a way I have seen high school kids inner-city high school kids go through Microsoft's support pages and TechNet pages and a variety of other sites as well trying to find a way around a particular setting alright so we have initially prevented folks from at least finding and seeing ways to install applications you know what let's go to the all settings and let's do a quick filter and let's see if there's any others that we might want to turn on as well here we'll go to the filter options and let's do a quick filter for install and if we go in here to add or remove programs looks like some of these are already been in place printers programs basically just going to do a quick look through to see if there's any other settings that I might have missed because again there's what twelve thirteen hundred settings right so this is something that we might want to stop and look at hey let's take a look at this driver installation thing I'm gonna open up this code signing for drivers this is gonna be all those things that are gonna prevent people from installing their own hardware this might not be a bad idea - especially if the hardware does not come with what we call Windows signed drivers a Windows signed driver basically just means that that particular software driver for our hardware device has been tested by Microsoft and has proved to be a ok to work with this particular operating system so I'm gonna go ahead and enable this policy here and I'm gonna go ahead and block users from installing any kind of hardware that might have a driver that is not Windows tested okay all right so we'll tell that guy okay I'll see windows components and all settings here now here we go here's a bunch of them that we should take a look at let's see if there's anything in here that's really critical always install with elevated privileges hmm let's take a look at that one now you'll see here that this particular setting must be set for the machine ie the computer and the user to be enforced so if we actually want to use or deny this one we would actually have to go over here to the computer configuration section set it there as well as well as here all right I'm not going to worry about this one because this one is if I go to the explenation tab if I disable or the setting or do not configure the system applies the current users permissions when it installs programs that a system administrator does not distribute or offer all right well that's fine because what we're doing is we're going to lock tonight all that anyway let's keep on scrolling down here to see anything else prevent removable media source for any and stall yeah that's squid and figured configured that one this will ensure that our users can't bring in say like an SD card or USB stick and install from that alright so we'll tell that okay in just a minute I'm gonna show you how to prevent access to any kind of removable media but this one it again is just one of those safer than sorry or types of things all right so we're looking pretty good here I'm not seeing any other policy settings that are going to probably make that much of a difference here's something that I want to talk to you about these two opt on top the install on demand using Internet Explorer let's open this guy up and let's hit the explanation there is a capability to install applications from the side of Windows Explorer you know stuff like Ron's stuff like your Flash Player you know stuff like that this might be something that's good to go ahead and leave on because you know Flash Player and stuff that happens inside of Internet Explorer most of the time it's going to be okay spyware and antivirus software should take care of any nasty drive-by downloads that might occur this one I'm going to go ahead and leave it not configured I'm not going to disable the policy because it's really not that critical all right so let's go ahead let's turn off the filter now and there's one more thing that I want to set up here with you while we're working on this it was that whole removable Drive you know removable device or removable storage stuff it's hiding out here underneath the system category underneath the administrative templates let's scroll down here just a second and go into the removable storage access now this is becoming more and more of a of an issue with users and for system administrators because folks can walk in with a USB stick or any other type of removable media plug it into the machine and then download a bunch of files and then walk off with it so that can be problematic what we're going to use we're going to be a little more secure in it with this one or all removable storage classes we're going to deny all access open that guy up and you see here that this is supported only on Vista so here's the deal somebody walks in with a XP machine well this is particular policy is not going to apply to that one of those things I really need you to keep in the back of your head okay is that if you set up a whole bunch of Vista policies that's great for your particular machines but if somebody walks in with an XP machine and you join into the domain those policies will not necessarily flow down some of them will some of them won't it depends upon which setting or which operating system in that particular setting needs to operate all right so we're gonna go ahead and enable this let's look at the explenation tab here configure access to all removable storage classes this policy takes precedence over any individual removable storage policy if you enable this policy setting no access is allowed to any removable storage class okay well that's neat we'll tell it okay and you notice here that there are additional removable storage class items in here like the CDs DVDs floppy drives removable disks tape drives WPD devices those are your mp3 players okay and mp3 players can cause a problem because they are considered a storage medium and you can actually drag and drop files just straight to like a Microsoft Zune or any number of other mp3 players that are out there available so we're just going to deny access to all of them okay we're just gonna go ahead and just put a blanket code on this and remember if this gives you problems and we say all right well this has given me a problem with one particular device that everyone needs then you might have to come back turn this particular policy on and then deny specific individual classes you know so let's say that all removable storage is not working for you because you need CD and DVD access well then we can turn everything else off by enabling all the rest of these policies and leave these not configured all right so we've done a pretty good job here we have enabled a particular wallpaper we've made sure that users cannot change that wallpaper we have denied access to removable classes we've also denied access to the displayed control panel so I think all of our group policy settings are enabled tell you what let me go here to all settings real quick and let me show you how you can figure out exactly and very quickly which settings you've turned on in the all settings tab you can go here to the state item you can sort for the state and you'll see here are all of the items that we have turned on and again I know I told you we're going to be applying four of my favorite settings well these four settings require more than four items here and some of these I kind of you know saw hey this looks like fun let's go ahead and turn that on just to be safer than sorry but again if it's gonna give you problems we can go back and turn it off all right so let's go ahead and close out of our group policy management editor and notice I didn't have to click on the Save button or anything and you know there's a reason for that somehow we ended up over here in the DNS server sections but turn that one off and let's go back here to our group policy management learn how learn which button to turn on coach all right so we're back here in the group policy management we have edited desktop lockdown and now if I go here to the settings for this particular GPO I'm gonna go ahead and press the f5 key to refresh this one and there we go all right so now I can click on the show and I can see exactly which components are turned on and that's kind of nifty all right so we can go through here and see exactly which particular settings we have applied in this one particular group policy object all right let's click here on the scope tab and this particular group policy object is linked to New York users or NY users so this is a ok this is looking pretty good now by the way I want to show you this real quick I can right click on this link and I could uncheck link enabled let's say that this group policy object is really giving me a lot of headaches you know especially during testing and by the way always test your group policy stuff before where you roll it out to your entire enterprise otherwise you're gonna make people angry and bad things can happen but if I disable the link because remember a link is an active directory object - if I disable the link then this group policy object does not currently apply to the particular organizational unit right we want to make sure that link is enabled and you notice here that that little guy kind of Gray's out and then comes back when you enable it you can always take a look at the scope tab and see if that link is enabled or not all right so our desktop lockdown policy is created our settings are intact our guy is linked and so now what's next yep we got to test it out so what I'm gonna do now is I'm gonna go over to CL - our second Vista client we're gonna log in as L Binga and we're gonna see if all the settings that we have enabled apply to L Benga because L Benga is you know he does live in NY users I'm gonna go over here to the server manager let's just double check to make sure click here on in the server manager on NY users and let's scroll down here where is L Benga L bingo where are you all right so there's L Benga and he is in the NY users organizational unit so that means let's go back over to group policy management l bengis account should be affected by this desktop lockdown all right all right tell it okay so let's try it out all right so here we are back on client to our vista client and here's the console we were looking at the local computer policy we didn't turn anything on here so let's go ahead and close this out and who's logged in right now oh soon for coaches okay well let's go ahead let's log off as super coach and we're gonna log back in as Elle bingum and as soon as we log back in as Elle bingo we should be able to see all of the settings applied whoops I need to switch the user don't I all right we go other user l Binga alright we'll login here and in just a second here we should be presented with all right well our desktop wallpaper didn't show through that's not quite that's not very good let's right-click and let's see if we can get to the settings nope okay well that one worked all right so we're okay there let's go to the Start menu and let's go to the control panel and og look there is no control panel yep that's right we turned it off didn't we so we're a ok for that one that one seemed to work as well now what I'm going to do here is I'm going to actually try to install a or actually insert a USB stick and I'm physically doing that here I know you can't really see that but I'm trying to put in a USB stick and scroll to the Start menu and go to computer let's see if I can see it when I hit the f5 key and I've got nothing all right well that's good so that worked too why don't happen if I go to uninstall and change a program here hmm well I can still get to this so the Windows Features is still there so this one didn't work either we got we got some problems here we got to go back and get these particular policies fixed now before we do that there is another tool that I want to introduce you to here real quick and that is a command-line option called gpupdate slash force now I can actually access gpupdate from here from El beggars account actually so if I do gpupdate and hit the enter key it's actually going to try to update the policy for me and see if we can actually get those new policy settings downloaded from our domain controller okay the user policy update has completed successfully that's good and the computer policy update which I know we didn't do anything with right has completed successfully so let's go ahead let's exit out of that and let's go ahead and log off and let's log back on we may even have to do a restart let's find out all right and we'll try this one more time here hey there we go alright so our looks like our policy did work at that time our desktop wallpaper has been applied fantastic so we needed to do that quick gpupdate now I just did it on this machine so here's another trick that I want to teach to you as well let's move back on over to dc1 and I want to tell you one more command that you should that really I should have ran before I moved over here to client two but I want you to see what we had to do if in case our group policies didn't apply the first time because you know what that happens a lot so but since our gpupdate stuff did work let's go ahead let's try to get to our control panel again up it's still gone if I go back here to computer and I go to uninstall or change a program yeah that one's not working either really so we need to kind of get rid of this one notice that install is not here though well that's good so at least part of our installation policy is working eh okay chances are what I really should do is I should go back to that group policy management editor and I should go through and find additional policies to get rid of this thing altogether okay that'll be your homework alright because I think you're seeing how group policy works now we've applied several different settings and remember this is just for the user so the really nice thing is no matter what computer our user logs into let's say that L Benga let's say his computer just completely crashes one day and so you happen to have a spare machine you set it up you join it to the domain and L Banga logs into it well L Benga should see as soon as he logs into it this particular desktop and he should not have access to the displays panel settings or any of that stuff no matter which machine he goes to all right so we're looking pretty good let's bounce back on over to DC one let me teach you one more trick and we will wrap this one up all right so I'm back over here on nydc1 I'm gonna go ahead and close my group policy management console and I'm going to show you one more trick here let's do a quick CLS you know so I'm in the command prompt here is the quick trick that I should have ran as soon as I created my group policy it's it's again gpupdate which is group policy update space slash force now what this little command is going to do I'll just press the Enter key is this going to push down the policy to all machines at all users that are affected by in those particular use now that means if you have 20 new policy objects set up and you've applied them to 12 different oh use those group policy objects and those settings are going to be pushed down over the network so it's going to be sucking bandwidth alright so when you're doing gpupdate slash force make sure it's not in the middle of the day especially if you have a lot of group policy stuff running in your active directory because it's all gonna be pushed down the wires and it's going to take up some bandwidth so you're gonna you might end up seeing a little bit of network slowdown so run gpupdate usually at the beginning of your day or at the end of your day before everyone is logged in ok all right so our user policy updates are completed successfully this should kind of be just one those things you need to get into kind of an automatic mindset about because gpupdate slash force will prevent any weirdness from at least I should say prevent more weirdness from happening with a group policy group policy is kind of a more an art than a science and it's gonna take you a while to figure out which policies are going to work for your network the ones that I've shown you are pretty standard they're not really gonna cause much of an issue alright so we know that our group policy works I've shown you how to set it up so let's go ahead and let's do a wrap up of this video and let's move on to the next one all right so let's quit start our wrap-up with a vocabulary review here real quick Group Policy object an active directory object that allows you the administrator to control what users can do on computers via settings or sometimes also known as policies and you know what don't be confused when folks use the word policies or settings okay we're talking about settings or policies we're talking about those items inside a group policy object a lot of times also you hear people talk about GPO as you'll see them in a book as as referenced GPO just an alias Cades stands for group policy object a link remember that a link is an active directory object that allows a GPO group policy object to affect a particular container remember our containers are usually domains or just organizational units LS do you write the processing order in which GPIOs are applied remember we always start off with the local computer policy and then we go to the site policy gets applied next but usually in most networks these two are generally not set up in a lot of places even though we can do local computer policy we can do policies on sites we generally only apply group policy objects to domains and to organizational units now again you might work for the one company that does both local computer policy and site policy and if so good for you but generally it's a little bit of overkill there's other ways to break down group policy into more specific application we'll talk about those in the coming videos ok gpmc just an acronym that a lot of times you'll hear folks say or read about it in books I just answer a group policy management console and that's just where we did all of our group policy work right the local computer policy remember that the local computer policy is just a group policy object that applies only to a local computer and only affects that one computer now remember that we generally don't do a lot of local group policy on individual computers because we would have to set those up on every single machine if you have 500 machines your network are you gonna go to all 500 machines I think not you guys you can but you don't need to right because we can do all this work at the domain level and at the öyou level alright so after watching this video you should be able to create and Link a group policy object to and know you and we did that we did that all in one fell swoop didn't we we just created and linked it by doing a quick right-click on the o you in the group policy management console you should be able to apply settings in a GPO to lock down the users ability to do stuff like change the desktop we set the wallpaper make sure the user can't change it right we lock down their ability to even use the display control panel all together we just so they can't even see it or reach it also we reduce their ability to attach USB Drive or other removable storage device and also we prevented their ability to install software we still have the ability to uninstall software right so there are some other policies in there that we probably should have messed with also remember that you know when it comes to installing software that user account control in vista actually prevents user class accounts from installing software altogether all right but that's a vista lesson and not Server 2008 lesson there's another section in the computer configuration side of the policy by the way I'm going to show to you in the upcoming videos that will further lock this down for you AC for Vista so I'll show those to you in the coming videos but anyway you should be able to also describe the order in which group policies are processed and remember that it starts with a local group policy the local computer policy I mean the site policy the domain policy then the öyou policy and all these things are accumulative and apply their policies so there's a conflicting policy remember usually the last one wins also you should be able to describe which containers you can link a GPO to remember that you can link a group policy object to the domain level the öyou level but also the site level which we generally don't do all right friends well hey that wraps up this particular video we're gonna keep talking about more group policy stuff in the next one because in the next video we're gonna talk about why Hank just got really really mad and would like to fire you for us so you have to do something really really fast in order to make him happy so stay tuned see me in the next video and I'll show you exactly what we're talking about

Info

Channel: Harsha S Srinivas

Views: 20,798

Rating: undefined out of 5

Keywords: windows server 2008 training, windows server 2008 tutorial, windows server, windows server 2012 tutorials, windows server videos, windows server troubleshooting videos, windows server 2012 guide, windows server installation tutorial, windows server management, Upgrading windows server, Windows Server 2008 (Operating System), Active Directory (Software), Windows Server 2012 (Operating System), Server (Film Character), Group Policy Objects - Windows Server 2008 Tutorial

Id: _89pTKRy8c8

Channel Id: undefined

Length: 81min 45sec (4905 seconds)

Published: Sun Nov 30 2014