1
00:00:00,740 --> 00:00:04,670
Some things you can do, again, this isn't really proven practice nowadays,

2
00:00:04,670 --> 00:00:06,850
but it's something you can do with Group Policy,

3
00:00:06,850 --> 00:00:08,650
and it might show up on the exam,

4
00:00:08,650 --> 00:00:11,790
which is why I'm showing it, is you can, for example,

5
00:00:11,790 --> 00:00:12,900
block inheritance.

6
00:00:12,900 --> 00:00:13,690
So you see here,

7
00:00:13,690 --> 00:00:17,610
I'm configuring Block Inheritance in my HQ Data Team

8
00:00:17,610 --> 00:00:21,180
organizational unit in my timw.info domain.

9
00:00:21,180 --> 00:00:25,010
And the idea here is that if there's a Group Policy scoped higher than the

10
00:00:25,010 --> 00:00:30,080
OU, for instance, the domain or site levels, then the block inheritance

11
00:00:30,080 --> 00:00:33,160
would prevent those upper GPOs from applying.

12
00:00:33,160 --> 00:00:34,260
Is that a good idea?

13
00:00:34,260 --> 00:00:35,960
Well, this is really an edge case.

14
00:00:35,960 --> 00:00:39,100
I just want you to be aware that it's possible to configure

15
00:00:39,100 --> 00:00:41,080
that. Now, you might think, yikes, well,

16
00:00:41,080 --> 00:00:44,810
what if you have domain policy that's governing passwords and your

17
00:00:44,810 --> 00:00:48,900
compliance requires that all organizational units consume those

18
00:00:48,900 --> 00:00:52,650
settings? You can enforce a Group Policy link.

19
00:00:52,650 --> 00:00:55,180
And when you enforce a link, like you see here,

20
00:00:55,180 --> 00:00:57,720
I'm enforcing my Default Domain Policy,

21
00:00:57,720 --> 00:01:00,670
that's going to ensure that those settings take precedence

22
00:01:00,670 --> 00:01:03,230
and they break through block inheritance.
23
00:01:03,230 --> 00:01:04,940
And when I say take precedence,

24
00:01:04,940 --> 00:01:09,570
they will, that is, the enforced settings will always override any

25
00:01:09,570 --> 00:01:13,500
other conflicts in that LSDOU hierarchy I mentioned before.

26
00:01:13,500 --> 00:01:16,960
So for your highest priority settings, you might want to consider

27
00:01:16,960 --> 00:01:20,350
enforced, but the reason why blocking and enforcement aren't really

28
00:01:20,350 --> 00:01:23,990
recommended so much, at least I don't formally recommend them unless you

29
00:01:23,990 --> 00:01:27,650
know you need them, is because it's going to ramp up your troubleshooting

30
00:01:27,650 --> 00:01:32,210
when it comes time to resolve resultant set of policy issues with your

31
00:01:32,210 --> 00:01:33,950
users and computers.

32
00:01:33,950 --> 00:01:35,940
What about Group Policy refresh?

33
00:01:35,940 --> 00:01:40,340
Hopefully you would expect that Group Policy is on a refresh cycle such that

34
00:01:40,340 --> 00:01:43,490
if you as an administrator make a change to Group Policy,

35
00:01:43,490 --> 00:01:48,110
you'd like that to be in effect in your management scopes as soon as possible.

36
00:01:48,110 --> 00:01:49,750
Well, for domain controllers,

37
00:01:49,750 --> 00:01:53,430
they refresh their own policy every 5 minutes by default.

38
00:01:53,430 --> 00:01:54,640
All domain members,

39
00:01:54,640 --> 00:01:58,690
it's a 90-minute refresh cycle with a randomized 30-minute offset.

40
00:01:58,690 --> 00:01:59,730
Why the offset?

41
00:01:59,730 --> 00:02:00,040
Well,

42
00:02:00,040 --> 00:02:04,820
it's so you don't get a whole bunch of Group Policy refresh requests at once,

43
00:02:04,820 --> 00:02:07,850
so you don't swarm or flood your domain controllers,

44
00:02:07,850 --> 00:02:11,560
particularly your PDC Emulator FSMO role holder.
45
00:02:11,560 --> 00:02:16,010
Now, GPOs are replicated across all domain controllers using that

46
00:02:16,010 --> 00:02:18,730
SYSVOL special shared directory, and again,

47
00:02:18,730 --> 00:02:22,260
it's the PDC Emulator that's responsible for managing Group

48
00:02:22,260 --> 00:02:25,870
Policy, so your Group Policy is going to fall flat on its face

49
00:02:25,870 --> 00:02:28,310
if your PDC Emulator is offline.

50
00:02:28,310 --> 00:02:32,230
This ties into our earlier learning where I taught you how to manage FSMO

51
00:02:32,230 --> 00:02:37,020
roles and potentially seize a role if you're in an emergency. You can force a

52
00:02:37,020 --> 00:02:46,000
Group Policy refresh on a local and/or N number of remote machines by using the PowerShell cmdlet Invoke-GPUpdate.
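The operations the lecture walks through in the GPMC console (blocking inheritance on the HQ Data Team OU, enforcing the Default Domain Policy link, the 90-minute refresh interval with its random offset, and forcing a refresh with Invoke-GPUpdate) as one PowerShell script. This is an added example written for this page, not the instructor's own code or output. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that you are running as a Group Policy administrator, that the OU's distinguished name is OU=HQ Data Team,DC=timw,DC=info (the lecture shows the OU but never states its DN), and that the GPO named 'Faster GP Refresh' is hypothetical.

```powershell
# Added example (not from the lecture). Demonstrates block inheritance,
# link enforcement, the refresh-interval policy, forced refresh and RSoP
# with the GroupPolicy module. Assumes: GroupPolicy + ActiveDirectory RSAT
# modules, Group Policy admin rights, and that the DN below is correct
# for the lecture's HQ Data Team OU (an assumption, not shown on the page).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN = 'DC=timw,DC=info'
$OuDN     = "OU=HQ Data Team,$DomainDN"   # assumed DN for the lecture's OU

# 1. Block inheritance on the OU (what the lecture configures in GPMC).
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 2. Enforce the Default Domain Policy link at the domain so its settings
#    (for example the password policy) still reach the blocked OU.
Set-GPLink -Name 'Default Domain Policy' -Target $DomainDN -Enforced Yes | Out-Null

# 3. Verify what the OU actually inherits now. After step 1, InheritedGpoLinks
#    contains only enforced links from above plus the OU's own links.
$inh = Get-GPInheritance -Target $OuDN
'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target

# 4. The refresh interval the lecture quotes (90 min + 0-30 min random offset)
#    is itself a policy setting stored under this registry key. This tightens
#    it to 30 min with a 10 min offset in a hypothetical GPO. Shorter intervals
#    mean more load on the DCs, which is exactly why the offset exists.
$GpoName = 'Faster GP Refresh'   # hypothetical GPO name
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$Key = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'GroupPolicyRefreshTime' -Type DWord -Value 30 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 10 | Out-Null
if (-not ($inh.GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# 5. Force a refresh locally, then on every computer in the OU.
#    Invoke-GPUpdate schedules gpupdate on the remote machine via a scheduled
#    task, so the Remote Scheduled Tasks Management firewall rules must be open.
gpupdate /force   # local machine

$computers = Get-ADComputer -SearchBase $OuDN -Filter * | Select-Object -ExpandProperty Name
foreach ($c in $computers) {
    try {
        # RandomDelayInMinutes 0 refreshes immediately; raise it for a large OU
        # so the whole fleet does not hit the DCs at the same moment.
        Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        "Refresh scheduled on $c"
    } catch {
        Write-Warning "Could not refresh $c : $($_.Exception.Message)"
    }
}

# 6. Resultant Set of Policy for one machine: the troubleshooting step the
#    lecture warns gets harder once blocking and enforcement are mixed.
if ($computers.Count -gt 0) {
    $report = Join-Path $env:TEMP "rsop-$($computers[0]).html"
    Get-GPResultantSetOfPolicy -Computer $computers[0] -ReportType Html -Path $report
    "RSoP report written to $report"
}
```

Reading the output of step 3 is the useful check: with inheritance blocked, any domain- or site-level GPO that does not appear in InheritedGpoLinks is not applying to the OU, and the only upper-level entries that do appear are the ones with Enforced set to True. That list is what you would otherwise have to reconstruct from an RSoP report when troubleshooting.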