1
00:00:01,340 --> 00:00:05,320
Let's create a custom policy and link it to our HQ

2
00:00:05,320 --> 00:00:07,430
Data Team organizational unit.

3
00:00:07,430 --> 00:00:11,240
Nowadays, we do have this concept of Starter GPOs, where

4
00:00:11,240 --> 00:00:14,390
when you enable it you get these basic Starter ones that

5
00:00:14,390 --> 00:00:16,910
talk about updating firewall ports.

6
00:00:16,910 --> 00:00:21,540
These are, this just presents a way for you to easily import and

7
00:00:21,540 --> 00:00:25,490
export GPOs that already have preconfigured settings.

8
00:00:25,490 --> 00:00:30,440
Notice that we can click Load Cabinet. You can find pre‑created starter GPOs

9
00:00:30,440 --> 00:00:35,130
online, and the idea is that you can build your custom GPOs based on these

10
00:00:35,130 --> 00:00:40,190
settings, because oftentimes a Starter GPO would already have industry

11
00:00:40,190 --> 00:00:42,840
standard or compliance‑aligned settings in it.

12
00:00:42,840 --> 00:00:44,740
If you take a look at one of these,

13
00:00:44,740 --> 00:00:48,290
you'll notice that when you double‑click into a GPO there's a Settings

14
00:00:48,290 --> 00:00:53,420
tab, and this allows you to browse granularly down into the content of

15
00:00:53,420 --> 00:00:57,560
the policy, where eventually you can see what actually is being set.

16
00:00:57,560 --> 00:00:59,220
It can be useful for sure.

17
00:00:59,220 --> 00:01:03,040
So I'm going to finish by going to HQ Data Team, and I'm going to

18
00:01:03,040 --> 00:01:06,460
say create a GPO in this domain and link it here.

19
00:01:06,460 --> 00:01:09,790
Now notice there's also a Link an Existing GPO option.

20
00:01:09,790 --> 00:01:12,890
Here's where we have our Block Inheritance. And then actually I

21
00:01:12,890 --> 00:01:15,490
made a couple changes farther up in the scope.

22
00:01:15,490 --> 00:01:19,160
I might want to force a refresh, for example. It's easy to

23
00:01:19,160 --> 00:01:22,380
do at the OU level. We can right‑click and do a Group

24
00:01:22,380 --> 00:01:24,290
Policy Update, as you see here.

25
00:01:24,290 --> 00:01:27,550
It says, You have chosen to force a Group Policy update on

26
00:01:27,550 --> 00:01:30,190
all computers within this container.

27
00:01:30,190 --> 00:01:34,610
Now, there's nothing in there, right? Do I have cli and Test OU? Let me go

28
00:01:34,610 --> 00:01:37,760
back to Users and Computers and figure out what's up. Oh,

29
00:01:37,760 --> 00:01:42,390
it looks like cli1 is in Domain Workstations, right, so let me go to Domain

30
00:01:42,390 --> 00:01:47,830
Workstations, and now I will right‑click and create a GPO in this domain and

31
00:01:47,830 --> 00:01:51,810
link it here, and I'll call this Control Panel GPO.

32
00:01:51,810 --> 00:01:55,020
Now I should be more granular than that according to best

33
00:01:55,020 --> 00:01:58,100
practices, but I'm just thinking of this example off the top of

34
00:01:58,100 --> 00:02:01,160
my head, so give me a break, okay? Now, as I said,

35
00:02:01,160 --> 00:02:04,050
if you're using Starter GPOs, you can import those

36
00:02:04,050 --> 00:02:06,140
settings as an excellent starting point.

37
00:02:06,140 --> 00:02:07,100
I'm not going to do that.

38
00:02:07,100 --> 00:02:08,940
I'm just going to create an empty one.

39
00:02:08,940 --> 00:02:10,080
And now that I have that,

40
00:02:10,080 --> 00:02:14,190
you can see the metadata for that GPO over at right. You can see that

41
00:02:14,190 --> 00:02:18,520
the link is enabled on the parent OU by default. We can right‑click the

42
00:02:18,520 --> 00:02:22,190
Control Panel GPO and see that the default settings are going to pick up

43
00:02:22,190 --> 00:02:26,660
authenticated users, so anybody signing on to cli1 is going to be

44
00:02:26,660 --> 00:02:28,550
subject to these settings.

45
00:02:28,550 --> 00:02:34,420
Now, you can directly specify a domain computer account in your GPO access list.

46
00:02:34,420 --> 00:02:38,410
Watch this, if I go to Add and I change the Object Type filter to

47
00:02:38,410 --> 00:02:43,070
include Computers, I can do a search for cli1, for example, and I

48
00:02:43,070 --> 00:02:47,070
can bring that guy in, give the computer read permission so it

49
00:02:47,070 --> 00:02:49,440
will process the GPO itself.

50
00:02:49,440 --> 00:02:52,560
So lastly, let me right‑click and edit this, and if we're

51
00:02:52,560 --> 00:02:54,760
going to do computer‑wide settings,

52
00:02:54,760 --> 00:02:56,930
it makes sense that we would want to focus on the

53
00:02:56,930 --> 00:02:59,490
computer configuration side of the fence.

54
00:02:59,490 --> 00:03:02,760
So let's open up Computer Configuration, Preferences,

55
00:03:02,760 --> 00:03:05,820
Control Panel Settings here, and if we come down to, say,

56
00:03:05,820 --> 00:03:08,540
Printers, we can create a new network printer.

57
00:03:08,540 --> 00:03:14,920
I'm going to say its IP address is 10.10.10.100, and the Local Name is

58
00:03:14,920 --> 00:03:20,070
office‑printer, and the Printer path is rootdc1\printer1.

59
00:03:20,070 --> 00:03:22,910
So basically I just want you to see here that we're

60
00:03:22,910 --> 00:03:24,660
just working through the GUI here.

61
00:03:24,660 --> 00:03:27,760
The preferences, and particularly the Control Panel

62
00:03:27,760 --> 00:03:29,370
Settings, has a different UI.

63
00:03:29,370 --> 00:03:33,950
This reflects an old acquisition that Microsoft made a long time ago.

64
00:03:33,950 --> 00:03:38,590
We can see there's Windows Setting, Environment variables, Folders, etc., etc.

65
00:03:38,590 --> 00:03:41,600
It doesn't matter specifically what I'm configuring here, I

66
00:03:41,600 --> 00:03:45,140
just want you to see. Let me actually come up to Policies,

67
00:03:45,140 --> 00:03:46,750
and Administrative Templates.

68
00:03:46,750 --> 00:03:50,600
There's also Control Panel in there, as a matter of fact, let's try to find,

69
00:03:50,600 --> 00:03:55,220
and Printers is in there as well, so you can see there's no one, in most cases,

70
00:03:55,220 --> 00:03:58,690
there's no one spot to find a canonical setting.

71
00:03:58,690 --> 00:04:03,160
There's our Software installation, Startup Scripts, etc., etc., etc.

72
00:04:03,160 --> 00:04:06,240
Let me go under Administrative Templates,

73
00:04:06,240 --> 00:04:10,670
Network, DNS Client, and let's just set Dynamic update to Enabled

74
00:04:10,670 --> 00:04:14,720
to formally force DNS, or Dynamic DNS update.

75
00:04:14,720 --> 00:04:19,970
I just want to make a couple changes to this policy, because I want to both

76
00:04:19,970 --> 00:04:24,130
run a Group Policy Update, and we can see that that completed without errors,

77
00:04:24,130 --> 00:04:27,180
but I also want to see the Group Policy Results.

78
00:04:27,180 --> 00:04:30,600
So let's go to Group Policy Results Wizard and run through this.

79
00:04:30,600 --> 00:04:33,840
We're going to say this computer, Current user, click Next,

80
00:04:33,840 --> 00:04:36,640
and we'll finish the wizard, and we see a report here.

81
00:04:36,640 --> 00:04:40,190
Let me maximize the screen. And we can see down at the bottom under

82
00:04:40,190 --> 00:04:43,870
Group Policy Objects, let me scroll up on that one, we can see that

83
00:04:43,870 --> 00:04:46,560
the Applied GPOs are the LocalGPO,

84
00:04:46,560 --> 00:04:50,190
but that's being overridden by the Default Domain Policy.

85
00:04:50,190 --> 00:04:53,390
And then we can see our specific settings down here.

86
00:04:53,390 --> 00:04:58,130
Let's expand the Default Domain Policy and see when it was last applied.

87
00:04:58,130 --> 00:05:00,700
It's not getting right down to the settings level,

88
00:05:00,700 --> 00:05:09,000
but at least it shows which policies are actually in effect on that machine and it gives us a basis for troubleshooting.