Next, we'll turn our attention to Group Policy in Azure AD Domain Services. Well, Tim, where's the content? The thing with Azure AD Domain Services and Group Policy is there's really no difference from local Active Directory Domain Services, and you'll see that in the next demo. That's really the surprise/non-surprise.

So what I want to do is roll up some Group Policy proven practices for you to think about. Guidance nowadays tends to be using your built-in Default Domain Policy only for global account policies. Makes sense: password policies, account lockout, and that kind of stuff. The built-in Default Domain Controllers Policy, it's recommended you just configure auditing for your domain controllers in there.

You'll want to definitely think about and optimize your organizational unit structure. Why? Because you want to scope your GPOs granularly at the OU level. By targeting at the OU, it's going to dramatically simplify your troubleshooting. Trust me on that. I would recommend you avoid GPO blocking, enforcing, and disabling policies, not only for ease of troubleshooting, but you want to also think about simplicity in terms of optimizing logon. The longer the logon, it may be that you've got a whole bunch of Group Policies enabled, some of which are disabled, some are enabled, and you've got blocking and enforcement, and the more work you're forcing your domain controllers to do to resolve all of these Group Policies, you know who's paying the price for that? Whoever is signing on to that station, or you're biting your nails waiting for your member servers to come back up so they can start delivering services again. So you want to think about sign-in speed for sure.

To that point, you can selectively disable user or computer configurations, and again, this is going to have a positive impact on GPO processing and logons. If you're delivering computer settings in a GPO, you can disable the whole user configuration side of the GPO, and vice versa. Unless you need both user and computer settings, disable the one you don't need.

And lastly, the pattern nowadays, and this goes throughout all of software development if you're familiar with the microservices architecture, is to avoid monolithic GPOs that try to do everything. Again, the maintainability of those: on one hand, you might think you're being simple, you know, keep it simple. I just have one big old custom GPO. Though, if there's a problem, I know that it's in the one GPO, or chances are it's in the one GPO. And you know what, that may be true, but then you're going to have to look through that pile of settings to try to isolate what the problem is. If you've created a number of granular GPOs, you can test by disabling those one by one, doing a split half approach, and then when the problem occurs, you know that the most recent GPO that is enabled is the problem. In fact, I kind of explained that backwards. The split half approach would be, for instance, to disable them all and enable Group Policies one at a time. And when the problem recurs, at least I know that it's from this most recently applied Group Policy object. Now, let's do that second demo.