70-410 Objective 6.1 - Create and Manage GPO on Windows Server 2012 R2 Part 2

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

welcome back to another video in this video for objective 6.1 creating and managing Group Policy objects we're going to discuss everything there is to be discussed about Group Policy objects now GPO Management when we talk about group policy object and the gpmc or the group policy management console it kinda looks like Active Directory and it is to some extent but we don't manage users here we manage group policies and if we click on the group policy objects we'll actually see a list of all of the group policy objects now the word here to focus on is objects they are objects organizational units is why it looks so familiar to Active Directory users and computers because we see all of the organizational objects referenced in the left hand side now when we put those two together and what I mean by that is we could have created a GPO all by itself not linked to anything and when we linked a group policy object to an organizational unit it creates a brand new object called a GPO link object and we could see that right underneath the computers oh you now I had credit no you called computers usually computers will not show up because computers in the default domain when we credit oh mein by default is actually a special container it's just a container it's not a know you but we can see that link for restricted group corresponding to the group policy object called restricted group tying it to the oh you of computers now going back to the gpmc it's automatically installed with the active directory directory services role and if you're on a tech computer a client computer we can install it with the our sat tools now when we create a GPO there's a couple ways that we can do something called scoping it down means limiting who it gets applied to and I'm going to show you a much more extensive approach in a lab but when we click on the group policy object what we'll see is all of the links so I told you you know in the last slide we can have a group policy object and it could be linked to an O you well it can actually be linked to multiple OU's so this is kind of like a heads-up display as to if we change something at the GPO what all does it you know effect then we can specify security on the GPO now we by default it's allows authenticated users to apply the settings but we can actually specify that you know I I don't want every user to get these settings I only want a certain security group like our sales users getting this setting and you might have an O you where your sales users and all of your other users are combined and we're applying it to the O you but we won't really want it to apply to the sales users so again that's a way to scope it down to just apply to the users that you want to effect and then the last control we have is something called WMI filtering and the stands for wet windows management interface it's basically everything about your computer's so if I read the WMI I could actually come up with a query to find out whether or not your computer has a battery if your computer has a battery then it's probably a laptop so I could actually put a little sequel type filter in here and I'll show you that in labs where I only want this oh this GPO to apply on the ou2 computer objects that are not laptops and we can do that by putting in a W on my filter you know think of anything and we can filter the GPO based on this this gives us ultimate control Windows operating system version users attributes you name it if you can dream it up we can filter it now when we go to actually edit a GPO there's you know same layout every time it's changed from version to version and probably the most significant change was in Vista well Microsoft had purchased a company and I forget the name of the computer company I think was Business Objects and they basically bought the intellectual property and brought on about 3,600 additional group policy settings with Vista and every version they add more when we look at this it's broken down into two sections first is computer configurations the other is user configurations very simple computer configurations and changes we make here only apply to computers changes in user configuration only apply to users now going along each one of those sections have a policy and preferences policies are reapplied every 90 minutes and upon startup or login depending on what type of object preferences are only applied and not policy only applied on startup and login so a difference between a policy and a preference if I wanted to make sure that the computer would put a screensaver on in 45 minutes I can policy that and therefore lock the user out of changing it but if I said it as a preference when the user logs in it will be set at 45 minutes but the user can always go in and change that preference and it will never be replied during that session however upon next login depending on how we target it we could apply it every time moving along underneath policies we have software settings then is basically the installation of software and I hope to do a 411 and show you a deep dive at GPO specifically applying software through the software settings tab underneath Windows settings we'll have security will have local computer settings a couple other tabs I can't think of off top my head and then under administrative templates is where we have the most and that's really you know all of the different settings for the operating systems and and we can even add templates to this administrative template because they're all you know from admx files so if you wanted to policy office we can add an office template and boom we have a whole bunch of policies we can apply underneath the administrative templates for the office products now when we edit a GPO or an object or a or rather setting inside of the GPO and in this case it's turn off file history there are three states to that setting one is not configured and this is the default so you have to kind of read into this sometimes it's basically saying turn off file history so if it's not configured then final history is on if it's enabled then we're turning final history off and if it's disabled why would we disable it while we wouldn't why would we not have it just not configured well if we want to disable it we want to absolutely make sure that this is disabled so remember what I said before you could have several GPOs and maybe at the local computer we have enabled this but in one of the OU's we're gonna apply this GPO in this particular setting we want to make sure it's disabled and it will overwrite the local settings of the local computer so this is a way to have absolute you know by turning it to disabled we can absolutely make sure if it was changed somewhere else it changes at that lower level so inside of here you always want to make sure that you know it's always supported on the operating system it'll tell you what operating system this particular feature setting is supported we also see some you know help information what happens if you enable it what happens to you disable it and basically we go through each one of these different settings I'm gonna cover a lot of that stuff in the lab last thing I want to discuss is local GP OS now it is an objective on the exam and I did talk about it a little earlier in the videos here I just want to explain local GPO always existed since Windows 2000 however on Windows 2000 all the way up to 2008 meaning Windows 2000 2003 when we created a local GPO for a user it applied to everyone on that computer so if you locked local you know at the local settings if you locked a user out of a setting even an administrator was locked out of those settings with 2008 kind of change that that Vista we hit the option to when we create a GPO locally administrate the GPO we can select the users tab and we could select either administrators non administrators or a particular local user and a half the state we're at the local computer here this is not Active Directory the user if it exists on the local security account manager will show up here this is not to policy domain users its local users of the computer these are most significant or most helpful when we're talking about client machines and I'll give you an example my son has a computer I wanted to make sure that he didn't install things and I made a very stringent policy on his local account I don't have any group policy in my house and I am NOT gonna put up a domain but when I logged in as an administrator I wanted the functionality to be able to install stuff so this is where this comes in handy now the order of application is the local GPO gets processed first then if you have administrators or non administrator group policies they get applied then the users specific policy for the user that's logging in and I promise you will go through a lab but I'm not gonna spend a whole bunch of time on this it's important to understand the different local or multiple local GPOs but probably not enough to spend 20 minutes on a lab so I'll try and sneak one in there so I hope you got something out of this video if you haven't already please subscribe to my channel watch my videos share my videos enjoy my videos if you have any questions leave them down in the comment section below Facebook Google+ or Twitter and as always I thank you for watching

Info

Channel: NetworkedMinds

Views: 22,720

Rating: undefined out of 5

Keywords: networkedminds, group policy, wmi filtering, local gpo, local group policy, gpo, ou, organizations units, GPO links, enabled, not configured, disabled, vista, windows server, 2012 r2, 2008, group policy objects, gpmc, group policy management console, sql, ansi sql, gpo editor, editing, security filtering, active directory

Id: kMHJo73nsdM

Channel Id: undefined

Length: 13min 30sec (810 seconds)

Published: Sun Mar 06 2016