70-410 Objective 6.1 - Create and Manage GPO on Windows Server 2012 R2 Part 1

Captions
Welcome back to another video. In this video for Objective 6.1, Creating and Managing Group Policy Objects, we're going to discuss everything there is to be discussed about Group Policy objects.

So let's begin by talking about the Group Policy object itself and what exactly it is. A Group Policy object is an object where we can actually create policies, and we get to police computers and users by applying them to organizational units. Now, it's either applied to computers or users, so there's a little bit of a strategy here, and we'll discuss that in one of the labs. When it's applied to a computer, it is applied during startup; when it's applied to a user, it's applied to that user when they log on. Now there's something called a background refresh that happens every 90 minutes, and this is why we call them policies: it's because the computer or the user object gets policed, the GPO reapplied to them. So if an administrator went in and changed something, in 90 minutes or so the policy would reapply to that user or computer and it would put it back into compliance.

Now local computers, regular computers that are either part of a domain or not part of a domain, also have a local Group Policy. Before Vista and Windows Server 2008 they really only had one GPO that applied to the machine and the user, more specifically the user, and if you created a GPO on the local computer it would apply to everybody logging on. So if you said, you know, the Start menu only shows the classic, no matter what kind of user you are, administrator, non-administrator or average user, that policy would still come down on you. Now with Vista and Server 2008 R2, I'm going to show you here in a couple of slides how it has changed. It is stored in the file system, so as you see here, under C:\Windows\System32 there's a Group Policy folder, and there are two folders underneath that called Machine and User, and this is obviously for the computer settings and the user settings. Now these settings, when we open it up (and we'll look at it in a lab), have fewer options than Active Directory-based GPOs. Active Directory GPOs have many more features, and local GPOs are the least significant, and I'm going to show you why.

Now, it's how Active Directory GPOs are processed. I want you to remember this mnemonic: LSDOU. That is how Active Directory is applied. So, and I'm looking at the picture here, if I had something set at the local computer and I had a contradictory setting at the site level, that contradictory setting would be superseded or changed by the site level. Now if I had that same setting attached to the domain object, like the Default Domain Policy, and it was contradictory to what was set at the site and the local setting, it would be superseded at the domain level. And then the OUs are applied, and the OUs are applied in hierarchy. So if we had a user, per se, in the East OU and he was logging on to a particular computer, that computer's GPO would be processed, then the site, if there's any (usually there's none by default), then the domain, which is the Default Domain Policy, then the Sales OU, then the Users OU, then the East OU. And if there was a setting in any one of these OUs, the last one wins. So if it's the same setting in all these OUs, the last OU wins, and that would be the East Group Policy object.

Now there's another type; they talked about it in the book like it's a type of GPO. It's really just a new feature that, I believe, was introduced in Windows Server 2008, and it's called a starter GPO. The idea behind this is, and again, I don't know how well it's used, if you have a certain baseline of settings. So in other words, in this case we have wallpaper is the corporate wallpaper, Windows updates are enabled and desktop gadgets are disabled. We can create a starter GPO, and then any time we want to create a new GPO, when we create it we specify that starter GPO and all three of those settings will come over, and then we can add; in this case, on the right-hand side there, Windows Media Center disabled and Windows Mobility Center disabled. Again, I guess if you were setting security settings, starter GPOs, you know, really work. These one-off settings, I would say probably not; you'd probably find yourself undoing them in the new GPO. But they are a way of creating a baseline of settings, and they are an objective on the exam.

Now my favorite topic: GPOs then and now. Prior to Windows Server 2008, templates, although they're great, and Windows 2000 was a game changer, really had not changed until Windows 2008. They were these ADM templates. They're language-specific, which means that if you want the same templates for your organization for another locale, like Spanish or Chinese or some other language, you'd have to download a whole separate group of templates, and then whoever created the GPO would not be able to read them, because they basically get uploaded to the GPO when that person creates the GPO, and the only person that can change it is either (a) somebody who is bilingual or (b) the person who originally created it. So it also creates unnecessary GPO bloat in the SYSVOL.

Now the game changer: Windows 2008 to present created a hierarchy of something called ADMX and ADML files. The ADMX files really just contain settings. They don't contain any verbiage inside them other than pointers to where the verbiage is, and that's where the ADML files come in. So what you'd see in the Group Policy Object Editor, like, you know, desktop settings, the verbiage would not be contained in the ADMX; however, what would be contained is the registry setting to change that specific feature. The ADML files are actually in a folder that's named after an ISO, IETF or Internet Engineering Task Force standard, where it would be locale-language, so en-US. OK, actually I think it would be backwards: English, en, and then -US for the locale. And this allows multilingual administration, because now if we have more than one locale, like Spanish and English, we can reference the same ADMX file and just put the ADML file for that other locale, and when that person sitting at that computer with a different locale goes in to edit the ADMX file, they'll automatically pick up the proper ADML file. So it's no longer uploaded to the SYSVOL. However, I'm going to show you a really great new feature called the central store, where you manually upload it to the SYSVOL, and this way everybody uses the same settings. But going back to that point: since Windows 2000 it was common that wherever you created the GPO from, your local Group Policy template files would be uploaded to the GPO. That's no longer the case with ADMX and ADML files.

Now that central store. If you were to look at your local computer, and let's say you just installed Windows 8.1, and you went into C:\Windows, or the system root, and you went to a location called PolicyDefinitions, you would find a whole bunch of ADMX files along with a folder with your locale. In my case my locale would be en-US, and inside that folder would be all of the corresponding ADML language files for the ADMXs. Now if we wanted to centralize all of these settings, we would go to our domain and type in \\contoso.com and go into our SYSVOL. Generally when you go to \\contoso.com you're going to find two folders, NETLOGON and SYSVOL. NETLOGON is for older operating systems, like logon scripts or support for logon scripts. In the SYSVOL you will find your domain name. Now underneath the domain name you'll find two other folders: one is Scripts, which is shared out as NETLOGON, and the other is Policies, and this is where you'll find all of your Active Directory policy folders. What you'll do is create a folder called PolicyDefinitions. Now I have an error there; that should not have a space between Policy and Definitions, but I'll show that to you in the lab. Underneath that, you'd take all of your ADMX files from the local machine and the locale folders with the ADML files, and you'd copy them into PolicyDefinitions. Now no matter where you are in the network, no matter what client (obviously it has to support it), but no matter what client or service pack level, when you open up GPO and create a new GPO, the policies are referenced from the PolicyDefinitions rather than your local machine.

So I hope you got something out of this video. If you haven't already, please subscribe to my channel, watch my videos, share my videos, enjoy my videos. If you have any questions, leave them down in the comment section below, Facebook, Google+ or Twitter, and as always, I thank you for watching.
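The central store procedure described in the captions, as an added PowerShell example that is not from the video. It assumes the contoso.com domain used in the video, an en-US language folder, and an account allowed to write to SYSVOL; it skips templates already in the store and reports any that differ rather than overwriting them.

```powershell
# Added example (not from the video): build and check a Group Policy central store.
# Assumptions: domain contoso.com, locale en-US, caller can write to SYSVOL.
param(
    [string]$Domain = 'contoso.com',
    [string]$Locale = 'en-US'
)

$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # no space in the name

# Create the store folder and its language subfolder if they are missing.
foreach ($dir in $store, (Join-Path $store $Locale)) {
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# Copy .admx (settings) and .adml (language text) files. A file that already
# exists in the store is left alone and reported if its content differs, so an
# older workstation cannot silently replace newer templates.
$differs = @()
$pairs = @(
    @{ From = $source;                     To = $store;                     Filter = '*.admx' },
    @{ From = (Join-Path $source $Locale); To = (Join-Path $store $Locale); Filter = '*.adml' }
)
foreach ($p in $pairs) {
    foreach ($file in Get-ChildItem -Path $p.From -Filter $p.Filter -File) {
        $target = Join-Path $p.To $file.Name
        if (-not (Test-Path -LiteralPath $target)) {
            Copy-Item -LiteralPath $file.FullName -Destination $target
        } elseif ((Get-FileHash $file.FullName).Hash -ne (Get-FileHash $target).Hash) {
            $differs += $file.Name
        }
    }
}

# Every .admx needs a matching .adml for the locale, or the editor cannot
# display the text for its settings.
$admx = Get-ChildItem -Path $store -Filter '*.admx' -File |
        Select-Object -ExpandProperty BaseName
$adml = Get-ChildItem -Path (Join-Path $store $Locale) -Filter '*.adml' -File |
        Select-Object -ExpandProperty BaseName
$missing = @($admx | Where-Object { $adml -notcontains $_ })

"Templates in store: $($admx.Count)"
"Missing $Locale .adml files: $($missing -join ', ')"
"Present but different from local copy: $($differs -join ', ')"
```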
Info
Channel: NetworkedMinds
Views: 39,409
Keywords: networkedminds, Group Policy, local gpo, local group policy, application order, gpo processing, starter gpo, adm, admx, adml, templates, central store, policydefinitions, active directory, GPO, 70-410, domain controller, domain, windows server, 2012 r2, site, ou, organizational unit, default domain policy
Id: VUdHwKiXA_I
Length: 12min 54sec (774 seconds)
Published: Sat Mar 05 2016