Microsoft MCSA 2012 (70-410) - Overview of Group Policy

Captions
Hello and welcome to module number 11 of exam 70-410, Implementing Group Policy. This lesson is an overview of Group Policy.

Maintaining a consistent computing environment across an organization is challenging. Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling administrators to centrally manage and apply configuration settings. Group Policy allows you to control the computing environment. It is important to understand how Group Policy functions so you can apply Group Policy correctly. This lesson provides an overview of Group Policy structure and defines local and domain-based Group Policy objects. It also describes the types of settings available for users and groups.

In this video we will describe the components of Group Policy, describe multiple local GPOs, describe storage options for domain GPOs, describe GPO policies and preferences, describe starter GPOs, describe the process of delegating GPO management, and describe the process of creating and managing GPOs.

So let's start our demonstration. Here we are at our server, our domain controller. We are going to talk about Group Policy objects, or GPOs. What is a group policy? Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. So there are modifications to the Windows registry. So if you open regedit, it's very difficult to orientate here to make changes, and it is not recommended to manually edit the Windows registry, but via Group Policy objects exploration of Registry Editor is very easy and very user friendly.

To manage Group Policy objects we go to Tools and Group Policy Management. Here we are at our forest level, howtonetwork.local. We can explore our domain, howtonetwork.local, and also we can see the Active Directory structure. If you open at the same time Active Directory Users and
Computers, as you can see there are Company Computers, Domain Controllers, Training OUs and Users container. The same stuff appears here. The place of all Group Policy objects is created here and stored here. So by right-clicking we can make a new Group Policy object. Let's say that this Group Policy object helps us to set a standard wallpaper on Windows computers: Company Wallpaper, and click OK.

Let me explain to you what happens now. If you can right-click on it, we can edit it, and here as you can see we have two types of configuration: one is Computer Configuration and the other is User Configuration. These settings, or these registry settings, are applied in two levels. They can be applied to the whole computer regardless of which user is logged on, so they are user general, each user gets the same settings, or they can be user specific: regarding to the user who logs onto that computer, registry settings or that GPO may differ.

To edit the setting we will use User Configuration, since it is user based. Under Policies we can see Administrative Templates, and here we have our desktop settings. If we browse it we have Desktop. These settings are not alphabetically sorted, so we must click on the beginning of the row and they are automatically sorted by name. And here, for example, we have our setting of Desktop Wallpaper.

Normally GPOs have three settings: Not Configured, Enabled or Disabled. By default all the settings are Not Configured. If we enable these settings, here we can see the explanation what the setting does. Here we're going to specify our company logo, which is going to be used in all our domain computers. Here we're going to use our company logo as a wallpaper, How to Network. First we must copy it to a shared folder which users can easily access. Let's call this folder Wallpapers and share this. Let's choose Everyone and copy the wallpaper here. So from this we're going to type the UNC path, win 2012, wallpapers, and from here we can choose the wallpaper style: Center, Fill and so on. Let's
make it Center and click Apply. This setting is now finished. We can close or minimize it if we want. But making a new GPO doesn't affect anything at all if we don't link it with a specific organizational unit. Because it is a user-based configuration, we must link it to the OU which contains the users. So if we are going to apply it to the trainer we will use Users, or if we are going to apply, let's say, student user, we get to the Training OU. We can do this by drag-and-drop and click OK.

Now let me open a Windows client machine. Here we are at our Windows 8 client machine. We are logged in as student and we are going to apply these new settings. In order to hasten GPO update we can use from the command prompt the gpupdate command, which stands for Group Policy update. This command updates the computer and user policy from our domain controller. For these settings we must log off and on again. We just logged off and logged on, and as you can see now our new wallpaper is How to Network, and this is done by Group Policy.

Here we are at our server again. It is recommended that for each new policy to make another GPO in order to be more structured. For example, if we're going to map the network drive to our client machines, we can create another Group Policy object, or directly from here right-click it and create in this GPO a domain. Let's type Storage Mapping and click OK. As you can see, the new Group Policy object is created under this folder. Now we can edit this. Again, this will be user based. Let's go to Preferences.

Let me explain to you what the differences are between policies and preferences. Policies normally are registry values that are updated once we remove them. So if we apply a policy-based GPO the registry is edited, and when we remove or disable that particular GPO the modified registry settings are restored to the original values, so nothing remains in the registry. The preferences are quite the opposite: when we apply preferences it permanently creates registry values, and unless
we edit the registry manually the modified registry values cannot be restored. And also the settings that are applied via preferences are user specific: if the user wants to change them he or she can do that, but settings created through policies cannot be changed by users unless specified.

Under Windows Settings choose Drive Maps. Let's map our network drive. Under Drive Maps let's click New and Mapped Drive. Here we will create a new one. Our location would be the UNC path, win 2012, and let's say we want to map the general folder. Let's click General. It is going to reconnect on computer startup, so let's label this as General Docs on Server. We can use the first available drive letter or use a specific one. Let's say we want to use G for General, and let's click Apply. This policy is finished.

Now we can quickly switch to our client Windows 8 machine. Let's do a gpupdate. Some policies apply at the next logon and some of them are applied automatically. This policy is applied at next logon, so let's quickly sign out and sign in again. Let's see what happens. Go to File Explorer, and as you can see now we have a new mapped drive, which is General Docs on our server. Since it is under preferences, it is up to the user whether he or she wants to keep this drive mapped or not. If we want we can disconnect it and it doesn't appear in Windows Explorer.

Let me talk now about multiple local GPOs. In Windows operating systems prior to Windows Vista there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows server operating systems, have an added feature: multiple local GPOs. In Windows 8 and Windows Server 2012 you can also now have different user settings for different local users, but this is only available for the users configurations that are in Group Policy. In fact there is only one
set of computer configurations available in Windows 8 and Windows Server 2012 that affects all users of the computer. To do this, from our client which we want to make an exception, we can run here MMC and click Run as administrator. Let's put our credentials, and here from this console we can add or remove snap-ins. We are going to add Group Policy Object Editor snap-in. Let's add this. We can choose from local computer or from users, and here we can select Non-Administrators, for example, Administrators or other users. Let's choose Non-Administrators, click OK and Finish. Now this is a local policy, which means that this policy is going to be applied only to this machine and not to the other machines on our domain. And here under User Configuration, Administrative Templates, Desktop, under Desktop Wallpaper, we can disable this, and the non-administrator users that log on to this specific machine will not have as their policy the default company wallpaper. Let's click OK.

Now let's see where the GPOs are stored. All the domain Group Policy objects are stored under Local Disk C, under Windows, SYSVOL and domain. Here we can see Policies. As we can see, all are named using hexadecimal values, so we don't understand anything, but if we go to our Group Policy Management, let's choose for example Company Wallpaper policy, under Details we can see its unique ID, which ends in 1FE. So this one is the policy for Company Wallpaper GPO. If we open GPT.ini, let's open it with Notepad, we can see a version number. What does this mean? We can see here that this GPO has user version 1. If we make some changes to this existing GPO, let's edit this quickly, go to Policies, Administrative Templates, Desktop, and let's hide the network location icon on desktop. Let's enable it and click Apply. Let me change another one. Now from here let's do a refresh. We can see that its version changed. What does this mean? When the next GPO update occurs, the computers notify that their Group Policy version has changed and try to get the
new policies by checking their version numbers. If the number is the same they don't apply any changes.

Let me talk shortly about preferences. Preferences are available only on local domain Group Policy objects. They cannot be found on local group policies, and are the same for computer configuration and also for user configuration. Some characteristics of preferences are: unlike Group Policy settings, preferences are not enforced, and users can change the configurations that are established by preferences. Preferences can be managed through the Remote Server Administration Tool, RSAT. Preferences can be applied only once at startup or logon, or refreshed at intervals. Unlike Group Policy settings, preferences are not removed when the GPO is no longer applied, but you can change this behavior. Preferences can be easily targeted to certain users or computers through a variety of ways, such as security group membership or operating system version. Unlike Group Policy, the user interface of the setting is not disabled.

Let me explain this very quickly. Here we are at our Drive Maps. Let's go to Common. If it's applied once we do not reapply it, if you check this one, or you can select run in logged-on user, or you can choose item-level targeting. Let's choose it and make a new item. Let's say that this drive mapping will only happen to the computers on our domain which have Windows version, let's say, Vista. If the computer has Windows 7 or 8 this drive mapping will not occur. So this is a nice feature if we want to make granular application. Or if we want we can select the IP address range. We can use the IP address range where some settings happen for our proxy at our company: when a laptop, for example, enters our network range, it's going to get automatically our local proxy settings.

Let's continue with our starter GPOs. What are starter GPOs? Starter GPOs are default templates. To enable them we must first create our starter GPO folder. Let's create it, and here as you can see we have some Microsoft
based templates which help us to manage better our clients' machines, for example Vista, XP or other starter GPOs. We can save this. Let's type Firewall Ports Starter, and once we've saved it we can see it under our Group Policy objects. That's our Firewall Port Starter, which has got some settings from our template or starter GPO. Also from here let's choose Create a GPO, and from here we can choose our starter GPO source. Let me walk you quickly through some settings of this policy. If you go here under our Settings, here you can see all the settings that are configured to this starter GPO. Under Computer Configuration, Security Settings, here we have some configurations, some inbound rules, also connection security settings and so on. We can load this from another computer or save this cabinet in order to take it to another domain.

The most common situation in which we use a starter GPO is when we want a group of settings for a type of computer role. For example, you might want all corporate laptops to have the same desktop restrictions, or all file servers to have the same baseline Group Policy settings but enable variations for different departments. Let's make a new starter GPO. Let's type in Laptop Configuration. Let's edit this. It is a normal GPO, so under computer settings we can create some network settings. Let's say we want to turn on the BranchCache, for example. Go to DirectAccess and choose support email address. Let's type IT@howtonetwork.com. So under Company Computers go to Workstations and select Laptops. Let's create a GPO, name it Laptops Configuration, and here we can choose our template for laptop configurations, so there's no need for extra configuration.

Also, administrators can delegate some of the Group Policy administrative tasks to other users. These users do not have to be domain administrators; they can be users that are granted certain rights for GPOs. For example, a user who manages a particular organizational unit could be tasked with performing reporting and
analysis duties, while the helpdesk group is allowed to edit GPOs for that OU. A third group of developers might be put in charge of creating Windows Management Instrumentation filters.

To delegate a specific GPO let's go to our Group Policy objects. Let's say that our Laptops Configuration must be configured by our local IT staff. Under Delegation we can choose to add, let's say, that our trainer has permissions to read, edit settings, delete or modify security. So the trainer, who is not a domain admin, can modify the Laptops Configuration Group Policy object. If we want something more specific we can go to advanced configurations, and here we can choose the trainer to read, write and apply Group Policy. This is a way to delegate tasks for GPO configurations.

Another way of delegation is via Active Directory Users and Computers. Let's say that our workstations will be managed by the IT support and servers only by domain admin. Under Workstations we can delegate control. Let's click Next and type in trainer. Let's click Next, because we're going to create a custom task in this folder and all the other folders in it. So this user is going to create Group Policy containers and delete Group Policy containers. Let's click Next and Finish. Now the trainer user has the ability to modify, edit or delete existing GPOs to Workstations OUs.

The Group Policy objects are cumulative, so if you have some configurations at our Default Domain Policy, it is going to be applied to all domain objects. Also the configurations of Laptops, which is underneath the domain, apply only to Laptops organizational units. The Default Domain Policy setting plus Laptops Configurations will be applied to all computers that are under Laptops OU. To see that we can use Group Policy Results. Right-click it and select Group Policy Results Wizard, and let's select this computer, administrator. Here we can see all the policies that apply to our administrator user when he or she logs on to this computer. So this is cumulative: all the
settings that will affect the administrator user in this computer.

Group Policy Modeling is a nice tool which helps us to ensure the effects of GPO for a specific user or computer account without applying it. Let's select Training, choose Authenticated Users and click Next. If a user connects to our network he's going to get the following settings: Drive Maps, Company Wallpapers, Storage Mapping and Default Domain Policy. This helps us to build or have a better idea of a modeling pattern when a specific computer or user changes its location.

In this video we described the components of Group Policy, described multiple local GPOs, described GPO policies and preferences, described the process of delegating GPO management, and described the process of creating and managing GPOs. Let's have a quick peek at our coming video. In the next video we will continue our look at implementing Group Policy with a look at Group Policy processing. I thank you for watching this video, and please have a look at your assignment for this module.
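
The GPT.ini version check described in the captions above, as an added example that is not from the video: the single Version number packs the user-settings version in its high 16 bits and the computer-settings version in its low 16 bits, so 65536 is the "user version 1" shown. The sample file contents, the function names and the comparison model are constructed for illustration.

```python
import configparser

# Constructed sample: GPT.ini contents for a GPO whose user half has been
# saved once and whose computer half has never been edited.
SAMPLE_GPT_INI = """[General]
Version=65536
displayName=New Group Policy Object
"""


def parse_gpt_version(text):
    """Return (user_version, computer_version) from GPT.ini contents."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    # INI section and key names are matched case-insensitively.
    section = next((s for s in cp.sections() if s.lower() == "general"), None)
    if section is None or "version" not in cp[section]:
        raise ValueError("GPT.ini has no [General] Version entry")
    raw = int(cp[section]["version"])  # ValueError if not a decimal number
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("Version does not fit in 32 bits")
    # High 16 bits: user settings version. Low 16 bits: computer settings.
    return raw >> 16, raw & 0xFFFF


def halves_to_reprocess(cached_raw, gpt_ini_text):
    """Simplified model of the client-side check: compare the version seen
    at the last refresh with the one now in SYSVOL and report which halves
    of the GPO changed. An empty list means nothing has to be re-applied."""
    old = (cached_raw >> 16, cached_raw & 0xFFFF)
    new = parse_gpt_version(gpt_ini_text)
    names = ("user", "computer")
    return [n for n, o, c in zip(names, old, new) if o != c]


if __name__ == "__main__":
    print(parse_gpt_version(SAMPLE_GPT_INI))
    print(halves_to_reprocess(65536, "[General]\nVersion=196610\n"))
```

Run against each policy folder's GPT.ini on a schedule with the last value kept, a version bump that matches no approved change is worth reviewing.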
Info
Channel: Paul Browning
Views: 116,424
Rating: 4.8958654 out of 5
Keywords: Microsoft Certified Professional
Id: tenn_Ipn66c
Length: 23min 47sec (1427 seconds)
Published: Thu Dec 05 2013