1
00:00:00,940 --> 00:00:04,540
Group Policy in Active Directory Domain Services.

2
00:00:04,540 --> 00:00:07,700
With Group Policy, we're talking about configuration management.

3
00:00:07,700 --> 00:00:10,430
We're talking about ensuring that our domain controllers,

4
00:00:10,430 --> 00:00:11,330
member servers,

5
00:00:11,330 --> 00:00:14,580
and client workstations are all in compliance with our

6
00:00:14,580 --> 00:00:16,870
security and management policies.

7
00:00:16,870 --> 00:00:21,340
In terms of history, way back when, before Windows 2000 Server,

8
00:00:21,340 --> 00:00:25,070
we had Windows NT, and there we had System Policy.

9
00:00:25,070 --> 00:00:29,830
And this is the progenitor, if you don't mind the 5‑yen term,

10
00:00:29,830 --> 00:00:31,850
of Group Policy as we know it today.

11
00:00:31,850 --> 00:00:34,290
So you can see Local Computer and Local User,

12
00:00:34,290 --> 00:00:38,610
and then we had the ability to scope System Policy to the domain level as well.

13
00:00:38,610 --> 00:00:43,530
But you're delivering settings directly to the registry that affect the

14
00:00:43,530 --> 00:00:47,450
HKEY_LOCAL_MACHINE or the HKEY_CURRENT_USER hives in the registry.

15
00:00:47,450 --> 00:00:48,930
And the thing with System Policy,

16
00:00:48,930 --> 00:00:52,870
it was great at the time to be able to lock down server and workstation systems,

17
00:00:52,870 --> 00:00:55,270
but those changes, those registry changes,

18
00:00:55,270 --> 00:00:55,850
were permanent.

19
00:00:55,850 --> 00:00:56,960
With System Policy,

20
00:00:56,960 --> 00:01:02,060
it was very difficult to undo your work or layer system policies.

21
00:01:02,060 --> 00:01:05,600
This is fixed, definitely, with Windows 2000 Server,

22
00:01:05,600 --> 00:01:07,830
Active Directory, and Group Policy.
23
00:01:07,830 --> 00:01:08,710
Here, again,

24
00:01:08,710 --> 00:01:12,160
we're delivering User and Computer settings to target server

25
00:01:12,160 --> 00:01:14,420
and workstation systems all in Windows,

26
00:01:14,420 --> 00:01:17,650
although I do want to say parenthetically that there are

27
00:01:17,650 --> 00:01:20,840
independent software vendors that have adapted Windows Group

28
00:01:20,840 --> 00:01:23,570
Policy for use in non‑Windows environments,

29
00:01:23,570 --> 00:01:24,930
particularly macOS.

30
00:01:24,930 --> 00:01:27,910
Check the exercise files if you're interested in more info.

31
00:01:27,910 --> 00:01:32,010
But, anyway, Group Policy is beautiful, because it's,

32
00:01:32,010 --> 00:01:35,350
well, because Microsoft engineered it correctly right out of the gate.

33
00:01:35,350 --> 00:01:38,340
It really hasn't changed much in the past 20‑odd years.

34
00:01:38,340 --> 00:01:42,960
And the biggest thing to me that is a fix from System Policy is

35
00:01:42,960 --> 00:01:47,200
the fact that we can modularly layer Group Policy and you're never

36
00:01:47,200 --> 00:01:49,110
permanently tattooing the registry.

37
00:01:49,110 --> 00:01:54,640
When the Group Policy is out of scope, the state of the system registry reverts.

38
00:01:54,640 --> 00:01:55,930
It's really nice.

39
00:01:55,930 --> 00:01:56,180
Now,

40
00:01:56,180 --> 00:01:59,870
what are some representative settings that we can deliver using

41
00:01:59,870 --> 00:02:02,000
these Group Policy Objects in Active Directory?

42
00:02:02,000 --> 00:02:06,860
A very common and important one would be password policy and account policies.
43
00:02:06,860 --> 00:02:09,030
We could roll that into security settings,

44
00:02:09,030 --> 00:02:12,760
ensuring that if someone tries to brute force by logging on or

45
00:02:12,760 --> 00:02:15,430
attempting a logon over and over and over again,

46
00:02:15,430 --> 00:02:19,460
once they reach a threshold, their account is locked out for a period of time.

47
00:02:19,460 --> 00:02:22,090
This hopefully will slow down the attacker to the point

48
00:02:22,090 --> 00:02:24,010
where they give up and they move on.

49
00:02:24,010 --> 00:02:27,730
Now you might know that password policy has undergone some revisions,

50
00:02:27,730 --> 00:02:30,640
particularly over the last few years, in terms of,

51
00:02:30,640 --> 00:02:35,120
it used to be earlier in my career, we'd always in IT be fighting with users,

52
00:02:35,120 --> 00:02:38,030
forcing them to change their passwords on a regular basis,

53
00:02:38,030 --> 00:02:41,080
but the current thinking on that, and you may already know this,

54
00:02:41,080 --> 00:02:45,380
is that it's much better for the user to hold onto one strong password than be

55
00:02:45,380 --> 00:02:49,010
forced to change passwords that do just arbitrary things,

56
00:02:49,010 --> 00:02:55,060
simple password, simple password 1, simple password 2, I love you 55,

57
00:02:55,060 --> 00:02:56,190
these sorts of things.

58
00:02:56,190 --> 00:02:58,230
And that will be reflected in the demo.

59
00:02:58,230 --> 00:03:00,900
You'll see how Group Policy has evolved a little bit

60
00:03:00,900 --> 00:03:02,780
with password and account policy.
61
00:03:02,780 --> 00:03:04,490
Desktop and application settings,

62
00:03:04,490 --> 00:03:08,220
now this is not only enforcing a consistent desktop experience

63
00:03:08,220 --> 00:03:10,900
for your users on their client workstations,

64
00:03:10,900 --> 00:03:14,300
but we also want to prevent configuration drift on our

65
00:03:14,300 --> 00:03:16,690
Windows Server infrastructure machines.

66
00:03:16,690 --> 00:03:19,160
That's what configuration management is about.

67
00:03:19,160 --> 00:03:22,890
We want to make sure that the configuration or the desired state

68
00:03:22,890 --> 00:03:25,700
of our systems remains compliant and static,

69
00:03:25,700 --> 00:03:28,020
such that even if one of your colleagues were to

70
00:03:28,020 --> 00:03:33,270
make a change directly in the OS, we could have GPO override that change.

71
00:03:33,270 --> 00:03:35,870
We can do software deployment with Group Policy,

72
00:03:35,870 --> 00:03:37,750
and it's been like that for a long time.

73
00:03:37,750 --> 00:03:40,380
We can do folder redirection like roaming,

74
00:03:40,380 --> 00:03:41,690
home folders, again,

75
00:03:41,690 --> 00:03:45,020
the landscape has shifted quite a bit over the last

76
00:03:45,020 --> 00:03:47,080
several years with cloud services now.

77
00:03:47,080 --> 00:03:51,280
The concept of a roaming user profile and the disk space

78
00:03:51,280 --> 00:03:53,510
that that could involve and the bandwidth,

79
00:03:53,510 --> 00:03:54,090
frankly,

80
00:03:54,090 --> 00:03:57,960
that that could involve has really gotten to be less of an issue with

81
00:03:57,960 --> 00:04:01,870
increasing network speeds and seemingly limitless storage.

82
00:04:01,870 --> 00:04:06,890
And then we have network settings, configuring organizational Wi‑Fi, etc.

83
00:04:06,890 --> 00:04:09,360
Now, you might be thinking, well, Tim, isn't GPO,

84
00:04:09,360 --> 00:04:15,330
isn't Group Policy and the Group Policy Object idea outdated in 2022?
85
00:04:15,330 --> 00:04:15,750
I mean,

86
00:04:15,750 --> 00:04:19,490
in the System Center product family you've got System Center Config Manager.

87
00:04:19,490 --> 00:04:21,680
That product's been around a long, long time.

88
00:04:21,680 --> 00:04:25,490
If you're old like me, you might remember Microsoft Systems Management Server,

89
00:04:25,490 --> 00:04:28,790
or SMS, that was the precursor to System Center.

90
00:04:28,790 --> 00:04:29,330
And yes,

91
00:04:29,330 --> 00:04:32,230
you can use System Center to do software deployment

92
00:04:32,230 --> 00:04:36,590
and folder redirection and desktop, you can overlap a lot of these things,

93
00:04:36,590 --> 00:04:37,760
but then again,

94
00:04:37,760 --> 00:04:40,700
Group Policy is built in natively in the OS and

95
00:04:40,700 --> 00:04:44,640
doesn't require expensive licenses, and infrastructure servers,

96
00:04:44,640 --> 00:04:46,540
and agents, and all of that.

97
00:04:46,540 --> 00:04:50,850
All of your Windows machines actually have a local Group Policy Object,

98
00:04:50,850 --> 00:04:54,880
so there's Group Policy built in regardless of whether a machine is

99
00:04:54,880 --> 00:04:57,210
a member of an Active Directory domain or not.

100
00:04:57,210 --> 00:04:58,680
You may also be thinking, Tim,

101
00:04:58,680 --> 00:05:02,040
what about Microsoft Intune and Azure Active Directory?

102
00:05:02,040 --> 00:05:03,170
Well, again, that's true,

103
00:05:03,170 --> 00:05:05,850
Microsoft Intune can do mobile and endpoint

104
00:05:05,850 --> 00:05:07,790
management from a cloud‑based perspective,

105
00:05:07,790 --> 00:05:13,330
and there is a Group Policy‑like settings delivery service built into the cloud.

106
00:05:13,330 --> 00:05:15,330
I just want to say that it's not either/or.

107
00:05:15,330 --> 00:05:17,890
Group Policy is not being sunsetted.
108
00:05:17,890 --> 00:05:25,000
It's still a completely valid and appropriate way to do configuration management in Active Directory Domain Services.