From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Group policy application

- [Instructor] Group policies in an on-premises Active Directory are powerful tools to manage users and their environment. We can change the wallpaper, require a password length, redirect their documents folder, map a drive, and so much more. As a sysadmin running on-premises Active Directory, you'll need to fully understand how group policy works in your environment.

I'm logged into the Active Directory domain controller. And in Server Manager, I'm going to click on Tools and then choose Group Policy Management. And I'll expand the Forest, expand the Domain. And there's our domain right here. And we can see there's a default domain policy which has very little configured. We can add a new policy or we can edit the policy that's here. And we also have this domain controllers policy as well. Now, the reason why there's a separate domain controller policy from the default policy is because if we do something to the default domain policy that also takes out the domain controller's ability for a user to log in, then we can use the default domain controller policy to allow us to override anything in the default domain policy.

Now, we have the domain here. I'm going to right-click and choose to create a new group policy object. What we see here, this is a group policy object and this is a group policy object. All it is is basically a file that tells us how to configure our users to be able to use their computers. So I'll right-click and choose Create a GPO and link it here. And I'll call it Custom Settings and click OK. And there's our Custom Settings group policy object or GPO.

Now, I'm going to right-click and choose to edit it. And here's where we're going to see hundreds of different options that we can change that will affect either a user or a computer or both. So here at the top, you see the computer configuration. And in order to apply that, we'll have to restart the computer.
And then we have the user configuration, and for that we can just type the command gpupdate. And then it will start using that new user configuration. Some of the policies are the same and some of the policies are completely different based on whether it's for a computer or a user.

So I'm going to expand Policies and then go to where it says Windows Settings. And then I'm going to go to Security Settings. And I'm going to go to where it says Account Policies and here's our password policy list. So here's where we can say how long the password has to be or the minimum, the maximum, how long the password's going to last, again, the minimum or the maximum. So for instance, if we said minimum password length, by default, it is seven, but if we click on Define this policy, we can change that to, let's say, eight. Now Microsoft, nowadays, is recommending 15. But that's a bit long for a demonstration, so I'll just change it to eight. And I'll click OK. Another interesting thing is the password must meet complexity requirements. So if we do enable this, then what it's going to do, as you see in the explanation, is it's going to also allow a special character that you see here. So a special character might be a dollar sign, pound sign, percent, those kinds of things.

Now, I'm going to choose a couple other options and I'm going to collapse the Windows Settings and go to where it says Administrative Templates. And here, for instance, we see control panel here. We can set some control panel settings. As you see here, we've got personalization, force a specific lock screen, prevent changing lock screen, that kind of thing. Now, if we go down to the same location under users, which just affects users instead of computers, so that means any user that logs into a computer with a specific user name. And we go to Administrative Templates. We see what looks like mostly the same type of information. We still see the control panel.
We also see desktop, which we don't see under computer configuration. I'm going to click on Control Panel, and we can see a lot of other options that we didn't see under the computer policies. So for instance, I can go to where it says Display or Disable the Display Control Panel. I'm going to go back to where it says Desktop, and I'm going to double-click on where it says Remove Recycle Bin icon from desktop, and choose Enabled. So what that should do is it should automatically hide the recycle bin from the desktop of the user that logs in.

So I'm going to close that. And we can see that this is at the root level of our domain. If I instead created or moved this group policy object to a different organizational unit, and you can see here, we have domain controllers, we have accounting, that kind of thing, then it will only affect any users or computers that are in the accounting organizational unit. So instead of having it applied to everyone in the domain, as it is now, I could apply it to just a specific OU. I'm going to leave it at the root level.

And I'm going to log in as a user and make sure that the recycle bin disappears. I've now logged in and it's no longer showing the recycle bin on the desktop. So we know that group policy worked.

We can also go into Command Prompt and run a command just to see what group policies were applied. It's best to run it as the administrator so that way you can see all the results; otherwise, some of the results are blocked. I'll need to type in the administrator username and password because this user doesn't have access as an administrator. So I need to type in gpresult /r. And here are the results, showing the results of what group policies were applied. So if you scroll up to where it says Computer Settings, we can see the applied group policy objects were the Custom Settings policy. Now, I also made changes to the user section.
So under Applied Group Policy Objects, we also see the custom settings group policy there as well. If I applied to one but not the other, you would just see it in the one location. Group policy is a necessary skill to have to manage Active Directory in an on-premises or hybrid environment.
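
The gpresult /r check described in the transcript, as an added example that is not part of the course material: a PowerShell function that reads gpresult /r text and reports which GPOs were applied under Computer Settings and under User Settings. The function name, the sample output and the GPO list in it are constructed for illustration, and English-language gpresult output is assumed.

```powershell
# Added example (not from the course): list the GPOs that `gpresult /r` reports
# as applied, per section. Assumes English-language gpresult output.
function Get-AppliedGpo {
    param([Parameter(Mandatory)][string[]]$Lines)
    $applied = @{ Computer = @(); User = @() }
    $scope = $null       # section currently being read
    $inList = $false     # true while inside an "Applied Group Policy Objects" list
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -cmatch '^COMPUTER SETTINGS') { $scope = 'Computer'; $inList = $false; continue }
        if ($text -cmatch '^USER SETTINGS')     { $scope = 'User';     $inList = $false; continue }
        if ($text -eq 'Applied Group Policy Objects') { $inList = $true; continue }
        if (-not $inList -or -not $scope) { continue }
        if ($text -match '^-+$') { continue }             # underline below the heading
        if ($text -eq '') { $inList = $false; continue }  # blank line ends the list
        if ($text -ne 'N/A') { $applied[$scope] += $text }
    }
    $applied
}

# Constructed, abbreviated sample of `gpresult /r` output (not captured from a real host).
$sample = @'
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Custom Settings

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Custom Settings
'@ -split '\r?\n'

$gpos = Get-AppliedGpo -Lines $sample
foreach ($s in 'Computer', 'User') {
    [pscustomobject]@{
        Scope          = $s
        AppliedGpos    = $gpos[$s] -join '; '
        CustomSettings = $gpos[$s] -contains 'Custom Settings'   # was the new GPO applied here?
    }
}
```

On a live machine, pass the real output from an elevated prompt instead of the sample: `Get-AppliedGpo -Lines (gpresult /r)`.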
