Windows Server 2016: Active Directory Users/Group Policies Part 1

Video Statistics and Information

Okay guys, so, uh, welcome to, um, this next video. In this video I'm going to be talking about an extensive things about Group Policy. Uh, I think you guys probably want that Group Policy. Well, here's the thing. So, um, I can't with this because, um, I got a lot of people who have complained that, um, you know, "we get a lot of users who are changing settings on computers, I don't want my users going through there and making these types of changes" and things like that. Now of course the required Active Directory Domain Services in order to kind of collect iseman policy. So you're probably wondering why didn't I make a video yet involving Active Directory. Essentially it kind of coincides with Group Policy, so I won't talk about both of them in this video. So let's get started.

So what I'm, now, what we're here, we've got a virtual machine running Windows Server 2016. Now I just want a warning in virtual machine; however, if you have a regular server push key you can still, you still see the same exact stuff. Now I'm here in this special thing. What I did was I went to Start and I went over here to Administrative Tools and I just went here to Active Directory Users and Computers, and all I did, which is way down here, it is going to take you over to this lovely fine little screen here. Well, Active Directory Users and Computers, if you are in this type of environment here or not, you're probably going to see this. You should see in something some Active Directory if you're in like an enterprise helpdesk environment or something like that perhaps retreat, this is very, very similar.

So what I have done was, I've essentially, I basically made it up, the BRNS IT. What I did was I made an OU, or also known as essentially an organizational unit. Basically tells you what folds are, which is quick a quick but you, and this is basically, it's very useful if you're, let's say you're in an enterprise environment like to WWE and you have the following departments: you've got finance, you have your, um, your music department, you
have your budgetary department, you have, let's say... Alright, so this is what I have here. So what I did was I basically make an OU just like this. This is my finance department. I'm going to make an organizational unit. This is, again, integers, basically folders that you making; you can kind of sort whichever department you have. So let me go to Organizational Unit and I'm just going to type in, uh, we call this, um, IT, ITD, our IT department, and you can just call it, click OK, and now you have, specifically, you have a folder just like this, a ITP, or you have finance. I'm going to make a number one, we can call it, um, either like, again, these are not, this is actually users, use just groups of people within your environment. So whenever you have a little issue of somebody calls in or something and they have an issue, you pinpoint which departments are in; it'll have all of your user name and information.

So I'm just gonna make a third organizational unit. We're to call this, let's call this, um, try to think what department can you possibly think of. Typically you always see all lovely human resources. Yes, I call this Human Resources. Okay, so I've got three different departments here. Okay, so what I'm going to do is we're going to start with human resources. I'm just usually a good example when I'm talking about the Group Policy because, just a second, the first thing we have to do is get to create, um, users and we've got to create groups.

Let's start making some users. I'm going to make user, we call this, um, Mike. First name will be Mike, the last name will be Black, and then reduced to just nicknames that I came up with. I made up these names. So you can make the, the login name, the logon name, this is what their credentials going to be used to log on every screen. Now I normally use a, use a certain format. I like to format the best you training with the first thing dot last name. So as you can see, since I have Mike in the first name and since I have Blount as the last name, I use just your first dot your last name, um,
and this at or inside see that local, that's the name of the domain that I created my night promote this as a domain controller. So all we're going to do is we're just going to click Next, and then it's going to take you over to the password. So obviously what you want to do, this is what most environments will do, this is exactly what it, all you really have to do is just click, let's say, you confirm your password. I've set this to, um, welcome to, and you can sit like ocol to or whatever you want to do. You can sense it look at the full password, something that's no no or something that's very simple where you can totally user, "hey, you know, put this password in," and, um, what you can do is you can change the password to whatever the user wants. So that's why I have this checked, well, as "User must change password at next logon." Exactly, the user can change the password like now it's a, and this is something that it can do it. Um, so I'm gonna do now this, what this making pieces the dis options. I just checked off never expired. Basically that means is this password is never changed unless the user decides to change it, so you see what I mean. So what I'm going to do is we just go here, "Password never expires," go here, "User must change password at next logon," and just, let's click Finish and then click OK, and now you have a basis that you have a user.

Yeah, well, I'm going to suggest as will be mostly users. Let's say I want to use, um, Jimmy, Jimmy Smith, and you just make it all I name the same way. Uh, but it depends; again, this really depends on your environment. Some environments have it the first dot your last name, some of them have a first initial and then the last name. Again, it really depends on your environment, how you want to do things, or if you have, what policies your management, they have set for how they want to have their logon information. But this is something where you can typically do this. So let's say I have Jimmy dot Smith, but I'm gonna go to click Next, um, password, really do this
the exact same way, and then you click Next and then click Finish, and now you have a second user. So now what I'm going to do is I'm going to go ahead and make a security group. Okay, uh, let's say, now before we do that, let's say the user is locked out. They said you put in your password and it comes up with the, it has locked out as a machine. Um, what you could do, uh, you should do, um, let's go to Properties and then go down here your Account and just click on Unlock account. Once you click a little off an account, that's it. So now they're back lock now if you go back in la jolla your machine. Now let's say they have a forgot their password. All you have to do is just right-click on your user with an Active Directory password and just put on new password and confirm password, whenever a master it is, and you can just click OK, and then that's dead, and that allows you to put in their passwords. So click Cancel.

Now I'm going to do now is I'm going to create a security group. A security group is essentially a group that allows you to pinpoint which one, whoever's in this group, this will be set for the group policies. So let's call this employees, employees HR. Right, now why do you think I made it for this particular or additional apartment and not every department? In some the departments they have different admin rights or whatever privileges you may want to have. Okay guys, just how it would work. So now what I'm going to go ahead and do is now we'll just go ahead and just right-click, add to this group, and I just create it, will call this employees HR, um, just click Check Names and then click OK. We'll do the same thing with this user, this is right-click, click on Add to a group, and then we'll call this employee the employer used, and you can do a Check Name if you want, you know, you have to type in the whole thing if you don't have to, this is table in time, you know what I mean. So we'll click OK. So now you have these groups, these eyes have added to our security group. Now we're gonna go in
here and check out what exactly is in our security group. This would be members of the following, and I just call this, I would call this local user, and we'll just click OK. OK, well, the user, um, so whatever that is set to, that's fine now. And it looks, call this member of, or better yet, which is call this member of Users. So, um, I'm actually to remove that local user because it's kind of offended, but we'll just go over the Users and I'm going to also go with domain user. OK, that way the, in the domain environment they can go to any machine and they can log right in. OK, so we'll click Apply and then click OK.

Now when I'm going to go ahead and do, I'm going to show you guys something it's second, because this is, and everybody, this is something basically waiting for. Okay, this is what we call Group Policy Management. Now actually what I'm going to do is I'm actually going to exit out of the paint now and we're going to bring it right back. So all we have to do is we can just go ahead and minimize that. Let's go to Start, Administrative Tools, and then go down to until you see Group Policy Management. Now remember, cerebus a recap, its remember that all of these have to be added, that died, these roles had to be added before you can do this. So once you have that done, all you have to do is just, we're going to go ahead and just remove that as a, that little users, that blue face. So what we're going to do is we're to go ahead and go just type it in, users, so anyone who's a user in that group, they cannot change the size. Okay, um, and what I'm going to do is now we have users in here and we've got local user user in here to domain users to ever whoever's in here. So what you want to name it here, I'd say I'm at the Worcester County public school system and you don't want the student going in to make changes, deciding as student as a security group, and then you basically can set it what they have access to a point they cannot. So what I'm going to go ahead and do now that we have user, so again this
is that force yet because you haven't made specific changes. Now that I think ones I'm going to call, uh, I'm going to make a Group Policy Object, and this is what in our force, just the main controller we made up, all aren't any local, and it will go down here, right-click on this, step down here, create, and then go to Create a Group Policy Object in this domain and link it here, and we'll just call this, um, employees HR. Lovely, right? Oh asks so basil this out you just create enough job Jack and say we want to complete that other one that was a little, so just like OK.

Now while it down here, I'm just gonna make this a little bit bigger. That will do is just go down here to Add and we'll take, again, let's say type in employees HR, okay, and I'm gonna put that in there. Going to put in, uh, domain users, and they will just say it, just to add users to this as well, and it hit OK. Now that we have these, our security groups in, which is what we define is I could be our security groups, what we'll do, we're going to go ahead and, I'm going to go ahead and, um, and this is who these risk level seek will be enforced for these following groups, as they see what this means underneath where this says Security Filtering.

So now I'm going to go ahead and do is I'm going to go ahead and right-click and hit Edit, and it's going to bring you over to the editor. Now, um, it's a difference now. There's going to be two types of configuration; however, all the settings are pretty much the same. The only difference is that you have such a configuration, one is Computer Configuration, so anyone who logs onto that computer that is joins that domain, that those are the changes that happens into that. This is for User Configuration, that is specific to the user, which is what I want to do in this case. This is typically which other users are in these groups, and not the configure Computer Configuration, because it really depends on who logs into that machine, um, can make changes and whatnot. So now we're going to go ahead and do is I'm just
going to go ahead down here to Policies. Alicia Shetty all the different policies you could possibly be; there's like thousands and thousands and of group policies. Government, basically this is like the nickname, but I like to call this is the parental, it's like the parental control for your work environment. That's basically what this is. Ah, so here's some of the things that I own the show you what you could probably, probably block. So when I'm gonna go ahead do is you show you once you get block whatever.

Now, um, I'm going to go ahead and do first, it's quickly go ahead and go down here to, um, we're going to take first, I'm going to go ahead and pick Add or Remove Programs. Right, this is something where I don't want my users going through and, um, uninstalling stuff of our machines. So what I'm going to go ahead and do is go ahead where this says Remove Add or Remove Programs, just click, keep your Edit, and then click your Enabled. You can spit whatever comment you want or any of the objects or what have you. So what's this opening that will this one, click Apply and click OK. So now if this being enabled, that means that anyone who wants to try to do the sort of piece with the little Add or Remove Programs, they can't remove any programs, you see on sang. So that's the other thing that's very, very useful. Um, this is pretty much enough so that you can't install anything from Add or Remove Programs.

Let's go down here to this fly. This gives you disable Display Control Panel, basically they can't, it can't go through there and like try to change the background or the computers. So that what you do is we'll just go down here to Edit on that, hit Enabled, click Apply and click OK. Out they can't change the display settings on your machine. Let's say you have Personalization. Now this stuff's about your feelings and screen savers and all that good stuff. Let's say you don't want them changing the background: click Enabled, click OK, now it can't change the background. Let's say you don't want them changing
the screensaver, so I just click here on Edit, click Enabled, click Apply, click OK. Now they can't change the screensaver on the number one that they have it should be single try to do is changing the color and appearance. Now you can be advanced of how your environment is; you look into what your environment is, what you want going on your environment, what you don't want going on in here in mind. Ah, me personally, I am more of a stickler. I what like, this is like law enforcement kind of is, you're enforcing the laws of what the server is versus what you can and cannot do in this environment. And most environments you should have like some policy agreement and they say, "well, you can't do this, oh yeah, this too," just in case.

So I said is where you can't change the background. This is talking about prevent changing the theme. So what I'm going to do is I'm just going to go ahead, like they can't change the background, the can change color, the game team sound, you can't change the screensaver, because it applied, click OK, and that is getting the feeling or anything like that. OK, um, this stuff is talking about Enable screen saver. If you disable it be nervous without one. Um, you don't really have to worry about the stable again, and so what you want to do, um, this songs about, um, you just go right in here and you can make a change right in this. Now let's go, this, basically you could, basically you can block it from change screensaver, you can prevent changing the sounds, but I've already done that by changing the theme. So sometimes these maybe, um, repaired and it is a square foot, but I don't really have, if you're, if you like that kind of thing, that's great. I like using it exact not like users going through and doing everything one you can.

By the way, if you want, yes, you may use it for home based environment, you can do that. Ah, I'll have another video for those users who are home based environments. You don't really need to have legal service area; you could just use Local Security Policy, which would does
very, very similar stuff. So what I'm going to go ahead and do is I'm just down, we go down here to Programs, and it's talks about how the Programs Control Panel. Now this was where if I enable this policy they can't go in and they cannot go through to Control Panel at all, that's what this basically says. So, um, if you don't want you you're going to Control Panel at all, you know, they have to have them do it, you have to allow, you just sit here and block it right here and Group Policy. Um, this talks about Programs and Features, and that talks about, this is very similar to, I'm going to enable this, this is very similar to like Add or Remove Programs. So now they can't uninstall anything if they have an updated machine, you have updated workstation, things like that.

Let's say, alright, so now you can go down here to Regional and Language settings. This is something I normally don't really check or change really, but if you want to regulate that you can. I usually don't really do this sort of it through that sort of piece because I don't want to regulate what language you're using of years, because you may have an employee who may not be, may be able to, I mean, I teach English and we connect a language, you don't really want to write it like that, but you can hide the geographic location and things like that. I, you don't restrict this, but it's totally up to you what you like to do, but this is like that you can normally do.

Okay, so, um, you talk to my partners. Um, you can't go through and add extra printers once you, once we set them; you cannot change them unless we go on to the machine and change them. This also says we've had a deletion of printers, you cannot delete a printer. So you need ously can't, I set this to that with this Group Policy, it can't change the printers at all: they can't add a printer, they can't delete a front only, we only the text in that environment can change the printers. Okay, so that is what you can cut, you could do as well. Okay, let's go, there's plenty of stuff you can edit, you get
blocked. However, I'm swimming this disclaimer that Group Policy is a layer of what I call firewalls. It's like a layer; it is not a replacement ball web-based firewall. So if you want to have something as you want to use to block websites and things like that, you need something, a firewall this web-based. Group Policy is not web-based, okay, it's just not a web-based firewall, but it's definitely useful for your area where environment is only useful for that very purpose.

Now what we'll do is we'll go through and you can do a cadet stop his'n talks about pivot closing items, deleting items, things like that. I usually, you could cry if it changes, this little prevents users from enabling or disabling that, that's, or change the configuration. So if you don't want the users changing the settings on that, that's fine, you can just sit there and say for hit big changes and you here. By the way, if you're in most environments that you may see "contact your system administrator" when you log in, that's because some, but somebody or somewhere your environment, it's got some server running with a Group Policy being enforced on that mark. So that's just something to put out there. This is the stuff that we use like block proxies and things like that through your Internet Explorer.

So, um, so yes, um, let's go through and I'm going to go down to, um, Network. This is talked about Network Connections, and they, these are some of the stuff like you can prohibit access to advanced settings, you can prohibit advanced, um, advanced configuration. This is great, like a user could sit around and change the IP address of your machine; you cannot change that. So I don't want them change that stumblin enable that policy, click Apply and click OK. So data can't go through with change the IP address. Um, a lot of this stuff like X's the arteries of a LAN connection, if you don't even want them seeing the IP address, you could have that let disable too, so they can't really do that when they log on. OK, said you ready, let's lock it down as
much as you want, it's really, really that simple. Um, so this is another little pig. So I could go through like Start, Start Menu, and you see like this, the softly that's happens in the apse, you all this stuff relays relating to the Start Menu. Remove All Programs list, now usually can't see what programs are installed, so you can go through and just enable that. Now what I'm going to do is I'm going to remove the games. Don't want the games, want people playing games on the machine, least local to the machine. I just look at Apply, click OK, and that's why user can't play a game most point a machine. And this is your perfect record Chris environment or a school-based environment, whichever one you want. And by the way, with all those Mac users, I have something a little special in a separate video; however, not Group Policy works with Macs.

So you can do not search Internet, you can remove set programs Settings menu, you could go through and lock all taskbars, you go for your do not allow pinning items on Jump Lists, remove the volume control so they can't really change the volume control; you can basically set it to, uh, where it's muted automatically, they would have to plug in a headset in to things like that. There again, very incredible stuff, you lock down your environment is, like I said, as much as you want. This one talks about prevent users from installing applications from Start, so I'm just gonna click Apply and click OK, that takes care of that.

You can, this removes the battery meter. I'm not going to reduce that. If you, if you want to, that's fine. I would recommend it if you happen to tell, but it's up to, solely up to you what the removing of a battery meter or things like that. Says removing the networking icon, so removing the every meter so you can't really change the battery, things like that. Thanks to Kaito, more of a laptop issue or things like that. The lunar sector laptops, you definitely, as a user I would want to see, let's say a user has an issue where they don't know, if you remove the
battery meter and that user doesn't know how much better stuff on that laptop and thereafter mobile oil, that could be a big concern, that could be an issue that could be brought up. So that's why it's something I would advise against blocking, but again, that's totally up to you.

Um, so now let's go to like a Control Alt Delete, remove Change Password, people vaca computer, Task Manager, things like that. I usually don't disable these, but it's only up to you. If you want, you can block users from going to Task Manager, everything. It's like you can go look Control Alt Delete and try to end the task; if you want you to go through there and block it. This one talks about driver installations. You can even go free like something like power management for a password, I definitely enable this, um, connects here, takes care of that.

Just talks about Removable Storage Access. Let's talk about those lovely flash drives, that DVD drives and things like that, if you want to just have a club, a cloud-based environment, or let's say you don't really trust users. Yeah, I like how they still have it as a Group Policy, floppy drives, you know, and 2016, most people are not using floppy diskettes anymore or floppy drives. But definitely these CDs and DVDs, select if you don't want users coming in with their DVD and to be like Big Momma's House or Pirates of the Caribbean in your work environment, you can use this. Wait, click, hit Edit, click Apply and click OK. So that I just an able to sponsor typical says you can't go through and watch movies on this environments. This will be a work or school page and whatever technical environment it tools to be and use all you, you cannot go through there and make that change. So, so that is, that's another piece of things you can change: the writing access that tour like this, if you're burning CDs or things like that. Um, most people should not be burning DVDs over face environment, so I would just go ahead and apply this and just like OK. That way you can't burn a DVD and I can't even do
anything with a CD or DVD, OK, it just can. Uh, we will hold this to talk about flash drives. You could block users from plugging their flash drive into your machines if you want to. Um, it depends on the environment, it depends on what the management has set up a policy, we need 1/2 anybody don't want to have happen, it really depends. Hey, honestly, it really, really not, like I said, and there's a lot of stuff up on loop box I could go, you basically like, let's say, hey, alright, let's talk about another one: Internet Explorer.

Now what's one of the biggest problems that I see a lot in to bases violence, you have kids in the high school level, you don't want the kids, I don't, let's say, I use a good example, okay, a perfect example. I don't want kids coming in, Bob hasn't let these firewall, say I'm using a firewall like that sir websites are checkpoint, and I set it to where I don't want any users going on YouTube, porn or things like that, pornography, um, playing games on my environment. I don't even want the users going on Facebook and Twitter. Okay, and let's say, so these kids decide, "okay, I could go through a proxy." A proxy is essentially an IP address that allows you, is like a alternate IP addresses you could switch in its, well, what happens is pinch it out to another environment. So basically does when the proxy does can be used for this purpose, and that purpose can be to bypass filtering, to bypass whatever firewall I have set in my environment that I have black, that is blocked. So once again, it sort of Normandy address in a port, so once a user has that information they can put it right into Internet Options, and once they have that they can basically go through and do whatever they want, and in fact they can have the IP address so they could bypass your filter, your firewall that you have set as a cybersecurity administrator or system administrator, and they can go through and go to Facebook, Twitter, YouTube, games, whatever it is one. Okay, I don't want that going on. So with this new policy talks up
everything Internet Explorer related. Um, this is how you kind of, you could crack down. So let's go through and talk about Internet Explorer. Now unless you have turn off Favorites, where if you don't want to use this twenty favorite card, you don't have to allow to do that. Now what I usually, what you could normally try to do, now one of the I wish the Group Policy had was a plane called a search bar, which I'll try to see if we do, but if not, it's not a big deal. I just wished it, you know, they had it. That's a big deal, but they probably don't, and that's fine. So this one talk about Outlook Express. Out expresses the like a Explorer version of Microsoft Outlook, don't see or use anymore neither on Office. So the browser menus and see will be back. Now this talks about tip of the day, touring it, turning off the print menus. You can keep them from block get, you could block them from printing from Internet Explorer if you don't want to printing from there, you know.

These are, you're talking about Disable the Connections page. This Group Policy is a very, very important one. This is what I was talking about with my devil. Like I said, you know, the kids going into your school, they, or your state, you're at Johns Hopkins Hospital and you have people pointing pew there and playing games instead of working, and let's say you have a firewall set that block people playing games on the network. People decide and going to go through it, put up IP address or proxy, and it could use a podcaster firewall. So I'm going to go ahead and do right now is I'm going to go ahead and block them from doing that. So I have to do this one, says simply connection page. So what happens when you have this, this disabled, that is good, that means you just can't go through and put proxy servers, at least or Internet Explorer. Now apparently there's four providers for my little Firefox, but that's not good policy, that may be good policy, but we'll talk about that in a separate video. So this talked about the Advanced tab, so like users can
go through and make this kind of change, like advanced and stuff like that. So we'll just click Enabled, click Apply, click OK, and now they can go even go to video man speaks of it. This is for its general abuse is fine, the can change like your home page and web page commands and things like that, that's fine. What I don't want is, I don't like is people going through and pocket server so they can bypass the filter. Okay, so that's, that's a big problem. Like I said, you could do all this, the beauty of Group Policy.

Let me show you something else. Let's say you Windows Media Player, let's say you don't want users watch videos on your environment or things like that, you could go in. These are talking about scans, things like that. This is, um, it's about networking, this is more so. Now this one doesn't have, I don't have anything where you can block Windows Media Player for warming, it's kind of odd as a policy, but OK. So now we're going to go another special feature cold, um, Windows Update, and you're probably wondering, they can't, they can't update the machine. Notifications, and I'll show you notifications. So now you just can't even go where policy, they can't go through and try to do Windows Update. Okay, and like I said, and there's a whole lot, there's a lot more, just in that's just a lot, a lot more. Always install with elevated privileges, so only the administrators can install anything. A prohibit, prevent removable media resource programs for removal media, so they can't just go through in my environment, you don't want them installing programs of your flash drive, so I just go like it Apply, a click OK. Make sure that this split says hit rollback. And I love how you basically, I like how it tells you right this little section, they have a special section, I just wish check it make it bigger, but apparently not, but it'll tell you what exactly that new policy does, that policy does a broader detail or whatever did I think you want box box. So okay, let's get into that's power management. So on this one
where we're going to make our stop for the day. I will make a second video on policy. There's a lot of stuff you can do with respect to Group Policy, and we'll talk about almost to some more in a next video. Absolutely saying thank you all so much for watching this video, I definitely appreciate it. It's very, Group Policy is a very, very useful tool and it's really quite enjoyable. So thank you all very much and have a wonderful day.
Channel: BRNS IT
Views: 25,043
Keywords: windows, server, 2016, active, directory, group policy, block, firewalls
Id: K8bYJhZxMVs
Length: 41min 38sec (2498 seconds)
Published: Mon Oct 10 2016