From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Group policy application

- [Instructor] Group Policies allow us to take any users or computers in an organizational unit and apply many different types of policies to them. So if we go into Tools, and Active Directory Users and Computers, then you can see my Users folder. So you can see that it's a folder, because it doesn't have any special, different type of icon in it. Whereas Domain Controllers, which is the only organizational unit to start off with in Active Directory on-premises, is a little different. We can go in and we can affect the Domain Controllers if we'd like using Group Policies, but I'd like to affect some of the users or computers inside my organization. So I'm going to create a new organizational unit. So I'm going to right-click and choose New, and then choose Organizational Unit. And I'm just going to call this one, since I've already created a bunch of HR resources, I'll call this one HR OU. There we go, there's HR OU. There's really not much else to configure. We just need to go ahead and start dropping in resources into it. So I'm going to drop in my HR user just by dragging, and then I can drop in any computers that I might have as well, but I don't have any right now, and I only want to affect the user. So when you create a Group Policy that affects the user, it's going to affect them no matter where they log in. If you create a policy that affects a computer, it's going to affect whoever logs into it. So you just need to decide, is this a user policy or a computer policy? Now I'm going to go to Tools, and I'm in my Active Directory Domain Controller, and by default you're going to see something called Group Policy Management, and it's going to see my new OU I just created, so I can create a policy that's bound to it. So I'll expand my domain, and there's my HR OU. Now there's already a couple of different policies that were created when the domain was created. The first one is the Default Domain Policy. 
The Default Domain Policy is going to affect every single user or computer in the domain, and you don't want to delete that policy, because it's required in order for Group Policy and Active Directory to work properly. So if you go in and you see that it's been deleted or renamed or something like that, then you can go in and recreate it using a command that you can look up from Microsoft. The second domain policy that shows up is the Default Domain Controllers Policy. So the Default Domain Controllers Policy only affects Domain Controllers, and you want to have different policies for Domain Controllers, because if you, for instance, set up a policy at the default level that's going to negatively affect the Domain Controllers, then you may not be able to log into your Domain Controllers, and that could be a real problem. So Microsoft wisely kept those two separate. But I'm going to create a brand new policy inside my HR OU organizational unit. So I'm going to right-click and choose to create a Group Policy Object in this domain and link it here. And here's going to be the name. I'll just call it Test, just as an example. Now I need to edit it, so I'll right-click and choose Edit. And this is something that every sysadmin with on-premises Active Directory will want to know how to do. So here are your two options. You have Computer Configuration and User Configuration. Some policies overlap, so some policies are going to be the same in Computer as well as User Configuration. What happens if you have the settings for Computer different than User, and it's the same type of policy? Well, Microsoft's just going to choose which one it's going to apply, and it may not be the one that you want. So you want to make sure that you properly configure your policy so they don't overlap. So here you can see Software Settings, Windows Settings, and here you can see Software Settings and Windows Settings. So not all of them are going to overlap, but some of them will. 
Same thing with Administrative Templates. So let's say, for instance, that on my desktop I want to remove the Recycle Bin. So I'll double-click on Remove Recycle Bin, I'll choose Enabled, click OK, and now when the users log in, they won't see a Recycle Bin. They'll still be able to get to it through File Explorer, but it just won't show up on their desktop. And you can see a lot of different types of policies that you can set up, Prohibit changes, Enable Active Desktop, you know, some of these are for older operating systems as well. And you can even click on All Settings, and it's going to give you a list of all the Administrative Templates that you can apply. You can do the same with Windows Settings and Software Settings as well. And there are more than hundreds of options here. There are thousands of options. Let's take a look at the Allow Drag and Drop or Copy and Paste File. So double-click on that, and here you can see this particular policy, and you can enable it or disable it. Something interesting, though, is let's say you don't configure it, what's going to happen? Well, it's a good idea to look at this Help section on the right-hand side, it says, "The policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone." And it tells you what's going to happen if you enable it. It tells you what's going to happen if you disable it. But what if you don't configure it? Well, in this case, if you don't configure it, then users can drag files or copy and paste. So it means it's enabled by default. And some policies are going to be disabled by default, which is interesting. So let's say that I enabled it, and I can choose the dropdown, choose Enable, Disable, and there's a third option in this case called Prompt. Now you have to be at least in Windows XP Service Pack 2 2003, or Service Pack 1. 
So this particular policy has been around for a long time, and you could use the latest operating system and it will still work. Some policies will only work up to, say, Windows XP, and after that they just don't apply anymore, such as the Windows Active Desktop, they no longer do that. All desktops are now going to be active. Keep in mind that Group Policies do not work in Azure Entra ID, they don't exist. However, if you replace on-premises Active Directory with Azure Entra ID Domain Services, then you can re-enable Group Policies at that point. But if you don't use that and you're just using a hybrid configuration with on-premises AD and Entra ID, then you're only going to affect computers that are joined to the on-premises domain, and not just registered with Entra ID. Group Policies can affect any user or computer in Active Directory in ways you need to manage your resources.
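The same steps the instructor performs in the GUI, as an added PowerShell example that is not part of the course: create the HR OU, move a user into it, create and link a GPO, enable the Remove Recycle Bin setting, list what is linked to the OU, and check that the two default policies the instructor says must never be deleted still exist. Assumed: it runs on a domain controller with the ActiveDirectory and GroupPolicy modules, the user account is named hruser, and the registry value in step 4 is the one behind the "Remove Recycle Bin icon from desktop" template.

```powershell
# Added example, not from the course. Assumptions: ActiveDirectory and GroupPolicy
# modules available (RSAT / domain controller), a user named 'hruser', and the
# registry value in step 4 as the ADMX backing for "Remove Recycle Bin icon from desktop".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'HR OU'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Test'

# 1. Create the organizational unit; a GPO is linked to an OU, not to a plain folder
#    such as the built-in Users container.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the HR user into the OU. A user policy follows the user to any machine;
#    a computer policy applies to whoever logs on to that machine.
$user = Get-ADUser -Identity 'hruser'      # assumed account name
Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDn

# 3. Create the GPO and link it to the OU (the "create ... and link it here" menu item).
New-GPO -Name $gpoName -Comment 'Example HR user policy' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Enable the setting under User Configuration > Administrative Templates > Desktop.
#    Assumption: the template writes this NonEnum value for the Recycle Bin CLSID.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum' `
    -ValueName '{645FF040-5081-101B-9F08-00AA002F954E}' -Type DWord -Value 1 | Out-Null

# 5. Verify which GPOs are linked to the OU and in what order they apply.
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order

# 6. Health check: both default policies must still exist under their built-in names.
#    A missing or renamed one is worth investigating before adding more policies.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $found = Get-GPO -All | Where-Object DisplayName -eq $name
    if ($found) { "OK       $name ($($found.Id))" }
    else        { "MISSING  $name" }
}
```

Run `gpupdate /force` on a test machine and `gpresult /scope user /r` as the HR user to confirm the Test GPO appears under Applied Group Policy Objects.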