Learn Microsoft Group Policy the Easy Way!

Captions
[Music] This week it's the turn of Microsoft Group Policy. A classic, yes, but a really important skill. How does it work? Well, you've come to the right place. Let's take a look. [Music]

Greetings, my fellow YouTubers, welcome back to the channel. I really appreciate you stopping by. This week I'm in Copenhagen, sunny Copenhagen, and I'm teaching a course. I thought, you know, a couple of weeks ago I did a session on Microsoft Active Directory and we talked about the basics and so on, and loads of people have come back and said that they love it and they want a little bit more. So I thought, okay, who am I to argue with you guys, because you guys know what you want, obviously. So this week I'm going to talk about Group Policy, which is really related to Active Directory and all things Windows Server. So I'm going to talk about exactly what it is, how it works, how to get set up, and how to avoid potential pitfalls with it.

Now, I also got this week, I got to say, we just hit the, uh, 8,100 mark in terms of subscribers. I gotta say thank you so much, guys. I really appreciate each and every one of you who has subscribed to my channel. Um, I'm trying to build a great channel here, great community, and you guys absolutely rock, okay. I've also had some fantastic questions, um, and hopefully I've gone ahead and I've answered all of those questions from all of you, but if you do have questions, of course, like always, pop them down below and I will do my best for you. And by the way, if you've not subscribed to the channel, please go ahead, click on that subscribe button up there, hit that bell, and you won't miss out on the good stuff in the future. And as always, uh, it's great to have you on board. So I think without any more jibber-jabber, I think it's about time that we got into some Group Policy, a part of Windows Server and a really important part of your skill set. Ready? Here we go.

So first of all, just to set the scene, what I've done is I've gone into Active Directory and I've created a user account called James
Kirk. If you missed that, by the way, on how to do that, you can take a look at my last video on Active Directory, which I recorded a couple of weeks ago. Um, and just to give you a little bit of background into Group Policy: where does it get all of its settings from? So what I want to do is I'm going to open up a little utility called the Registry Editor, all right, and I'm going to right-click onto this, and you're going to want to open this up as an administrator.

The registry, um, is a really important aspect of modern computing, and it kind of all changed back in 1995 when Windows 95 first came out, and to be honest hasn't really changed much since then. But what we essentially have is you have a computer, you've got your HKEY Classes Root, which contains basically all your different types of software that the system supports. You've got HKEY Current User, so this is all the configuration settings about the user who is currently logged on at this machine, and this is particularly important in Group Policy, because in Group Policy you've got user settings and you've got computer settings, all right. So remember this.

Now obviously the reason why we don't want to start messing around here, um, in the registry is it's complicated. Trying to find things, trying to find settings is, is just a nightmare, and if you, if you had to change all of these settings for a thousand or ten thousand users, it would just be unpractical. HKEY Current Local, sorry, HKEY Local Machine, of course, is all the settings about your machine. So here you can find that we've got System, for example, and the, you have something called the current control set, and these are all your current settings for this particular machine. Now you'll notice here that there's a couple of previous control sets. This is, these are used in disaster recovery scenarios where, for example, boot sequences don't work right and you can go back to a previous, uh, setting. So for you guys, just key things to note: all the user settings are stored in HKEY Current
User, and in HKEY Local Machine it's all your computer settings. HKEY Users contain all the information about all the users who have currently logged on. Now you can see here that there's not many logged on, but one couple of interesting little things here: you can see that we've got a few users, and one user here ends with a 500. Did you know that that's an administrator account? So you can see, if the number ends in 500, that's an admin account. The other thing that we've got is also the HKEY Current Configuration for both the software and the system.

Now, like I said, it would really be impractical for us to go and start editing the registry, and so instead of that, what we do is we have a look at Group Policy. So let's take a look at the basics. So from Server Manager, what I want to do is I'm going to go up here into Tools and I'm going to scroll down into Group Policy Management, and I'm just going to maximize the screen so we can see everything. So what we can see here is, first of all, it says Forest: Adatum.com. This is the name of my Active Directory forest, and if I expand this out you can see that I've got Domains, Sites, Group Policy Modeling and Group Policy Results, which are quite interesting testing tools.

Now if I expand this out, I'm going to go into Adatum.com. I'm just going to pull this over a little bit here, just pull that over there, yes, okay, and you can see that you've got something called a Default Domain Policy. Now a Default Domain Policy essentially affects every machine and every user on the domain. Within that you can see that you've got your various organizational units, so down here I've got an organizational unit called Sales. Now I've still got, um, my, my Active Directory open here, and you can see that within Sales I've gone ahead and created a test user. I'm a Trekkie, by the way, if anybody knows, um, so I've created a user called Captain Kirk here. Now, but with that in mind, what I want to do is I'm just going to expand this, and you can see that there is no group policy
setting here. So by default you get one group policy setting, which is known as the Default Domain Policy.

Now what I want to do is I'm now going to go ahead, I'm going to create a group policy setting. So rather than me manually editing the registry, which is potentially a complete nightmare, by the way, this is so much easier, all right. So you can either create a Group Policy Object in the domain and link it here, you can link to an existing one, so if you've created one elsewhere you can do that, and again these I'll come back to in a second. So I'm going to go ahead and I'm going to create this one, and I'm going to call it My Sales GP Policy, okay, so my sales group policy. I'm going to click on OK. You can see a little group policy icon has appeared down below, so what I'm going to do is I'll just click that so it doesn't open again.

Now first of all you can see that this context menu has now opened up, so if I click back onto the OU itself, it shows me if there are any group policies linked to this organizational unit, and you can see here, indeed, I've just created one called group policy sales, yes. But if I actually click onto the group policy itself, you can see the menu has changed, okay. So we'll come back to that in a little while.

First of all, what I want to do is I want to look at the group policy settings, so I'm going to go ahead and I'm going to click on Edit here, and this now takes me into the Group Policy Editor. So you can see I've got a couple of windows open here, and look at what we can see: Computer Configuration and User Configuration. Now you also have something called Policies and Preferences. So policies should not be confused with preferences. Policies, um, are hard coded, so if you make any changes in Group Policy they will be, they basically implement the registry settings, all right, whereas Group Policy preferences, these are kind of optional things and users can actually change those settings, but when the user logs off and logs back on again those settings come back, okay. So
first of all I'm going to go into group policies, and you can see that you've got Computer Configuration and User Configuration. So just like the registry setting, anything that you set at the Computer Configuration will affect every user who logs on at that computer, whereas if you set it at the User Configuration it will follow the user irrespective of the machine that they log into.

So I'm going to click, kick off here, I'm going to go into the User Configuration and I'm going to expand this out, and just a couple of things that you can do. So check it out: you can go into Software Settings and I can deploy some software to that user, if I had some. I can go into Windows Settings and I can try, if I had a, a logon or a logoff script that I wanted to push this user out to. A use, a really useful setting here are things like Folder Redirection, so if you wanted to redirect the user Start menu, documents and things like that, you could redirect them to a different, to a shared folder, for example, on your network, all right. Um, things like Policy-based Quality of Service, so if you're using voice or anything like that.

Um, this is where the really interesting action takes place. So these are your group policy templates, and your group policy templates contain all your different settings, so Control Panel, Desktop, Network, any shared folders that you might have, the Start menu and taskbar settings, the System settings, Windows Components, and again All Settings. Now remember that this is affecting the Sales organizational unit, so any computers within the Sales OU or any users in the Sales OU, and that's the reason why I'm doing some settings for the user settings, all right. So what I'm going to, if, by the way, just a quick mention: if it was the user or if it was the computer, you would need to move the computers into the Sales OU for it to take effect, yeah, just to clear that up. So what I want to do is I'm now going to go into my Windows Components, and you can see here you've got all your different
Windows components, all your different settings here. Um, what features do you want, you want to make, switch things off, do you, um, do you want to have the user using Windows Hello for Business, um, and so on. So there's absolutely loads of things that you can do there, but why I want to make this, uh, kind of simple at the moment.

So what I'm gonna do is I'm just gonna flip over to Client One, okay, and I'm going to log on as Captain Kirk. So here you can see he's now logged on as Client One, and he's logged on as a user and his name's Captain Kirk, and you can see we pretty much got a full set of options here, so pretty much everything is here that we need. Now if you want to curtail some of his settings, what I can do is I'm just going to flip back to DC1 and let's see if we can make some changes for this user, all right.

So first up, then, I'm going to have a look at some of the Desktop settings, and just to show you how it works, you've got lots of different, uh, settings here that you can implement, okay. So for example I could say "Hide and disable all items on the desktop". So you'll remember that he had a couple of items, he had Edge and something else. So I'm going to enable that, and what that does, that enables it, that writes that into the registry for that particular user. Um, other things that we've got: you've got the Start menu and the taskbar, so you can see that we've got lots of different options here, and I can say do you want to, you know, add Log Off to the Start menu, for Start to be in full screen, I could lock the taskbar, turn off personalized menus, and you can do all kinds of things. What I'll do, actually, I will go ahead and say, yeah, let's add the Log Off option to the taskbar, all right. So I'm just going to scroll that and move up and click OK, all right. So we've now added the Log Off to the Start menu, all right.

So I've done a couple of changes, all right, so let's see how that looks. So let's just see what that looks like from the user perspective. So I'm going to, uh, just close that. I'm now
going to, now just before we come out of it, to enforce these registry settings, what I'm going to do is I'm just going to open a command prompt by typing cmd, and you need to run this as an administrator, all right, and in here I'm going to type in gpupdate, space, forward slash, force, and what this will do is it will force the group policy settings to be written, all right.

Now I just like to point out, of course, that I'm gonna flip back to Client One, and what we're gonna need to do here for Client One is you're gonna need to log off, and of course you're going to need to log back on again. So again I'm just going to, let's just put the password of Captain Kirk in again, so I'm logging in as Kirk, and let's see if those group policy settings have taken effect. Okay, so look, you can see here those icons have gone, the settings have changed, so the good news is the group policy has now been applied.

Okay, so I'm going to switch back to my DC and let's have a look now at some of the advanced settings. So let's look at some of the enforcement actions. I'm just going to close that down and I'm going to go back into my Group Policy Management here. Now I'm going to go into Sales, and what I'm going to do is I'm going to click onto the Sales OU, and looking at the properties here you can see that, if I go into, there is a tab that says Group Policy Inheritance, and what that means is there are two types of policies in play. There's an explicit policy, which I've explicitly applied to my OU, and there is an implicit policy, which in this case is the domain policy, which has come down, is waterfalled down from the default policy.

Now from an admin perspective I might not want that, so what I can do is you can right-click the organizational unit here and I can say, hey, you know, I want to block inheritance of this OU, and you can see like a little blue exclamation mark appears here, okay, and you can see it's now blocking the Default Domain Policy. Now you switch your hat now from your organizational unit admin now
to your domain administrator. So the kind of things that you can put out for the Default Domain Policy, and for example I'm going to go in here and I'm going to go into, let's say, my Computer Configuration, into my Windows Settings, and in here you might have things like Security Settings. So for example things like Account Policies, um, things like do you want the, do you want to monitor the event log. Um, things like Account Policies includes things like your password policies, you know, how many characters do you want, do you want to enforce things like multi-factor authentication, do you want to have an account policy where you can set an account policy threshold, so if the users forget their passwords. All very, very useful things. Other things that you can do here: you can also create a startup or a shutdown script, and this just, this is just one of thousands of different options here.

So the fact is, though, that once you've created that policy, let's say your, you know, account policy, password policy, the last thing that you want is you don't want an administrator of an organizational unit being able to basically block inheritance of that policy. So what you can do here is I can select this policy and I can say, actually, no, I don't want you to override this, I want to enforce this policy to my, all my users in the entire organization. You can see that a little yellow triangle has appeared here. So now if I go back to this OU, check it out, look what we can see now: you can see that we have Enforced, so it's enforcing that domain policy onto all of my users including Sales, but you've also got your sales policy as well.

And these are so important, this setting is so important. So again, what we've got here is you can basically select the policy here and I can right-click and I can enforce that, push that down to all of my users, as opposed to this option where you select the OU and I can block inheritance above, and that's fine, that works in some cases. However, but in many cases, if you were a domain
admin, you don't want the user here overriding things like passwords. So very important settings as part of Group Policy.

Now, um, so that's just kind of some of the settings. Obviously, you know, within 30 minutes we can only go through a few of these, and hopefully that's given you a starter for 10, as they say. Other things that we've got here: you've also got things like Group Policy Modeling, and Group Policy Modeling allows you to do a what-if type scenario, so you can put in a particular user, a particular OU, and it will say basically, what if, you know, what would that policy look like, all right. And to be honest, you could see this modeling, you would just have to go into this modeling, um. However, one thing that has changed in recent years is if I click into the OU here, um, you can see that you can also go into the, the actual policy itself, and you can see you can actually go in and view the settings, so this is actually showing you at a glance what settings have been done, all right. So that's a really nice, uh, feature, okay. Starter GPOs, you, you can create, these are basically like templates, of course, and you can use that, that's great.

Um, so yeah, there we go, just a little bit about Group Policy. So in that session we've looked at the registry, we spoke about the registry, we spoke about how Group Policy is a GUI or a UI version of the registry. I mentioned that the, the registry is split into two, so both computer components and, um, user components, and you can edit them by editing the actual policy itself, and you can see you've got the computer and user configuration settings. We also spoke about how you can enforce a policy, and we also spoke about the concept of blocking inheritance within Group Policy. I hope you found that really useful.

So there you have it, that's it for this week. Group Policy, an integral part and a really important skill set, uh, as part of Microsoft Active Directory and Windows Server. I really hope you enjoyed it and that you got a lot out of it. Of course, if you did, we'd
love big thumbs up here, so go ahead and hit that like button, I really would appreciate it, and if you've not subscribed, by the way, go ahead, come and join us, hit that subscribe button, ring that bell, and you'll be notified of any new videos, all right. And of course, if you get any questions, comments about this or any of my other sessions, just get them down below that. All right, that's it for this week from sunny Copenhagen, so you stay safe and I'll see you next time. Take care.

Hey, thanks so much for dropping by today. Here's a couple of videos that you may enjoy, and while you're here, go ahead, click on the subscribe button and you won't miss out. [Music]
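
The GPMC steps from the walkthrough (create and link a GPO, block inheritance on the OU, enforce the domain link, then check the result), as an added PowerShell example that is not part of the video or the channel's material. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a lab domain named adatum.com with the Sales OU directly under the domain root, and a report path chosen here for illustration.

```powershell
# Added example, not from the video. Run elevated on a lab DC as a domain admin.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = 'DC=adatum,DC=com'
$salesOu  = "OU=Sales,$domainDn"      # assumption: Sales sits at the domain root
$gpoName  = 'My Sales GP Policy'

# Create the GPO and link it to the Sales OU in one step.
New-GPO -Name $gpoName | New-GPLink -Target $salesOu | Out-Null

# Registry-backed user policy behind "Hide and disable all items on the desktop".
# Written under HKCU, so it follows users in the OU, not the computers.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null

# OU admin view: block inheritance on Sales.
Set-GPInheritance -Target $salesOu -IsBlocked Yes | Out-Null

# Domain admin view: enforce the Default Domain Policy link so the block cannot drop it.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes | Out-Null

# Effective GPO order for Sales. The enforced domain link is still listed
# even though inheritance is blocked on the OU.
Get-GPInheritance -Target $salesOu |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Target -AutoSize

# Audit: every OU in the domain that blocks inheritance. Each hit is a place
# where a non-enforced domain-level setting (password policy, for example) is not applied.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object Path, GpoInheritanceBlocked

# Same "view the settings" report that GPMC shows, saved for review.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\sales-gpo.html"
```

On a client, `gpupdate /force` followed by `gpresult /r` shows which of these GPOs were applied to the logged-on user and computer.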
Info
Channel: Andy Malone MVP
Views: 112,045
Id: rEhTzP-ScBo
Length: 23min 57sec (1437 seconds)
Published: Tue Mar 29 2022