In this chapter we continue with Group Policy. There are a couple of things to know about how policies apply:
- You can block policies from applying
- You can forcibly make a policy apply
- And you can switch back and forth depending on your needs
Multiple Local Group Policy lets you make exceptions to the local group policy, including exceptions based on security accounts.
DEMO: LINK ENABLED
First, you can make a new policy under “Group Policy Objects” by right-clicking it and choosing “New”, then link it elsewhere throughout your infrastructure.
Second, you can right-click the domain that you choose and select “Create a GPO in this domain, and Link it here...”.
After that, if you right-click that policy, notice that “Link Enabled” is on by default. Likewise, if you drag a policy from “Group Policy Objects” to anywhere in the infrastructure, notice that “Link Enabled” is still on by default.
Now, if you want to stop that policy from taking effect, you can right-click it and choose Delete. This deletes only the link; the policy still exists under “Group Policy Objects”. Another way is to right-click the policy and disable “Link Enabled”.
Now if I go back to my machine, you can see that my clock is still missing. Keep in mind that some policies behave a little differently from others. First you need to make sure that you refresh the policy with gpupdate.
So to re-enable the clock visibility, we can right-click the taskbar and choose “Properties”, then click “Customize”. Here you should be able to turn the clock on or off again.
Another thing we can do is drag the hide clock policy to the domain, so at this point it is going to apply to every computer. As you can see, the clock is nowhere to be found, because of the policy link at the domain.
For example, say you don’t want to disable the clock for the hoit users. What you can do is right-click the hoit users and choose “Block Inheritance”. But take note that if you choose this, it will block all the policies from applying to the hoit users; it will block everything from above from flowing on down to it. The domain admin still has the power to override the block, just by right-clicking the hoit users and choosing “Enforced”.
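The same link, block and enforce actions can be scripted and then audited, which matters because an OU that blocks inheritance also stops receiving any security baseline linked above it unless that link is enforced. This is an added example, not part of the original walkthrough; it uses the GroupPolicy and ActiveDirectory RSAT modules, takes the “hoit users” OU and “hide clock” GPO names from the demo, and assumes the OU sits directly under the domain root.

```powershell
# Added example (not from the original walkthrough). Requires the RSAT
# GroupPolicy and ActiveDirectory modules and rights to edit GPO links.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=hoit users,$domainDn"   # assumption: the OU sits at the domain root
$gpoName  = 'hide clock'                # already linked at the domain in the demo

# Equivalent of right-click > "Block Inheritance" on the OU.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Set-GPLink marks the domain-level link of the GPO as Enforced.
# An enforced link still reaches OUs that block inheritance.
Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null

# Equivalent of turning off "Link Enabled": the link stays, the GPO stops applying.
# Set-GPLink -Name $gpoName -Target $domainDn -LinkEnabled No

# What the OU actually receives after blocking and enforcement.
$som = Get-GPInheritance -Target $ouDn
"Inheritance blocked on '$($som.Name)': $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Audit: every OU that blocks inheritance, with the enforced links that still apply.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $s = Get-GPInheritance -Target $_.DistinguishedName
    if ($s.GpoInheritanceBlocked) {
        [pscustomobject]@{
            OU            = $_.DistinguishedName
            EnforcedLinks = ($s.InheritedGpoLinks |
                             Where-Object Enforced |
                             ForEach-Object DisplayName) -join '; '
        }
    }
}
```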
If you have a new policy and you want it to take effect immediately, you just need to use gpupdate.
- Go to Run (note: the shortcut for Run is Windows key + R)
- Type gpupdate
- If the policy is only a computer-side update, you can type “/target:computer”
- Or if it’s on the user side, you type “/target:user”
Now let me show you something: click on “hide clock”, then click on Details. As you can see, the Active Directory and SYSVOL versions have both incremented to 1, meaning the policy has only been changed once. Every time you make changes, the version of this policy changes too.
To prove that:
- Right click on the hide clock
- Choose edit
- And then just enable any policy
- Click ok
And now when I go back into Group Policy Management and refresh it, you can see that the version actually increments because of the changes that we made. So let’s open the command prompt and type “gpupdate /force”. This forces any new and existing policies to apply regardless of the version number. If I don’t use /force, it will only apply policies whose version numbers have incremented.
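The version counters shown on the Details tab can be read for every GPO at once, which gives a quick check for GPOs whose Active Directory and SYSVOL copies disagree and for GPOs that changed recently. This is an added example, not part of the original walkthrough; it uses the GroupPolicy RSAT module, and the 7-day window is an assumed value.

```powershell
# Added example (not from the original walkthrough). Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoVersionReport {
    # One row per GPO with the user and computer version counters stored in
    # Active Directory (DSVersion) and in SYSVOL (SysvolVersion).
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.DisplayName
            UserAD         = $_.User.DSVersion
            UserSysvol     = $_.User.SysvolVersion
            ComputerAD     = $_.Computer.DSVersion
            ComputerSysvol = $_.Computer.SysvolVersion
            InSync         = ($_.User.DSVersion -eq $_.User.SysvolVersion) -and
                             ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion)
            Modified       = $_.ModificationTime
        }
    }
}

$report = Get-GpoVersionReport

# The demo GPO: each edit in the editor raises these counters.
$report | Where-Object Name -eq 'hide clock' | Format-List

# GPOs whose AD and SYSVOL versions differ (replication lag or an
# out-of-band change to one copy).
$report | Where-Object { -not $_.InSync } |
    Format-Table Name, UserAD, UserSysvol, ComputerAD, ComputerSysvol -AutoSize

# GPOs modified in the last 7 days (assumed review window).
$since = (Get-Date).AddDays(-7)
$report | Where-Object { $_.Modified -gt $since } |
    Sort-Object Modified -Descending |
    Format-Table Name, Modified -AutoSize
```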
You can also use PowerShell to run gpupdate. You just need to:
- Run PowerShell as an Administrator
- Then type Invoke-GPUpdate and press Enter
RIGHT CLICK OU
Another thing that is new in Windows Server 2012 and Windows 8 is right-clicking the OU. So let’s take a look at my domain here. We have a couple of policies in here and I want everybody in this OU to receive them, so what I’m going to do is right-click the OU and choose refresh. It will then refresh everybody in the hoit users organizational unit, and they should get the new policy within a few minutes.
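A scripted version of the OU refresh, which also records the machines that could not be reached so you know where the new policy has not landed yet. This is an added example, not part of the original walkthrough; it assumes the OU sits directly under the domain root and contains computer accounts.

```powershell
# Added example (not from the original walkthrough). Requires the RSAT
# GroupPolicy and ActiveDirectory modules and admin rights on the targets.
Import-Module GroupPolicy, ActiveDirectory

# Assumption: the OU from the demo sits at the domain root and holds computers.
$ouDn = "OU=hoit users,$((Get-ADDomain).DistinguishedName)"

$results = Get-ADComputer -Filter * -SearchBase $ouDn | ForEach-Object {
    $status = 'Scheduled'
    try {
        # Schedules a policy refresh on the remote computer with no random delay.
        Invoke-GPUpdate -Computer $_.Name -RandomDelayInMinutes 0 -ErrorAction Stop
    } catch {
        # Offline hosts or blocked firewall rules end up here.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $_.Name; Status = $status }
}

$results | Sort-Object Status | Format-Table -AutoSize -Wrap
```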
Now let’s talk about Templates and the Central Store
- Templates are the actual GPO settings
- You can get additional templates from third-party sources
- Each OS release adds new template settings
- Central Store: it allows you to take the most up-to-date templates that you have and copy them all to a central location like a domain controller. So instead of using the outdated copy of the template on the local machine, the computer will use the updated one from the central store. It is a single copy of our templates that all the administrators can use, so they don’t have to worry about any mismatched templates.
- Previous Windows versions could have mismatched templates
- Already configured
- All that’s left to do is copy the most current templates from PolicyDefinitions to the domain controller
To demonstrate all of this, I’ve gone to a Windows 8 computer where I installed the Remote Server Administration Tools (RSAT).
- Go to Server Manager
- Click Tools and choose Group Policy Management
- And then open the hide clock policy
Now, to copy the most current version of the policy definitions:
- Go to the Windows directory
- Copy the PolicyDefinitions folder
- Go to the server using the UNC path for administrative access, which is \\sample\c$, where “sample” is the name of the server
Note: This requires you to have administrative access to the server
- Open the Windows folder
Note: You may notice that there’s a PolicyDefinitions folder right here, but just ignore that.
- Open SYSVOL (SYSVOL is a special directory that gets copied to every single domain controller, so if I copy the policy definitions from the Windows 8 computer to this SYSVOL on the Windows Server 2012 computer, it is going to replicate them to the other domain controllers that I have.)
- Then open domain
- Open Policies and paste it there
Now let’s go back to the hide clock item, right-click it and choose Edit. Go down to Policies and Administrative Templates, and look: it says “Retrieved from the central store”.
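The copy can also be scripted, with a hash comparison before and after so you can see exactly which templates are missing from or differ in the central store. This is an added example, not part of the original walkthrough; it assumes you are logged on with a domain account that can write to SYSVOL, and it reaches the store through the domain's SYSVOL share rather than the c$ path used above.

```powershell
# Added example (not from the original walkthrough). Needs write access to SYSVOL.
$domain = $env:USERDNSDOMAIN                 # assumption: logged on with a domain account
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function Get-TemplateHashes([string]$Root) {
    # Map of relative path -> SHA256 for every .admx/.adml file under $Root.
    $map = @{}
    if (-not (Test-Path $Root)) { return $map }
    Get-ChildItem -Path $Root -Recurse -File -Include *.admx, *.adml | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Compare-TemplateSets([hashtable]$Local, [hashtable]$Central) {
    # Report only the templates that are missing on one side or differ.
    foreach ($rel in (@($Local.Keys) + @($Central.Keys) | Sort-Object -Unique)) {
        if     (-not $Central.ContainsKey($rel))  { $state = 'MissingInStore' }
        elseif (-not $Local.ContainsKey($rel))    { $state = 'OnlyInStore' }
        elseif ($Local[$rel] -ne $Central[$rel])  { $state = 'Different' }
        else   { continue }
        [pscustomobject]@{ Template = $rel; State = $state }
    }
}

"Before copy:"
Compare-TemplateSets (Get-TemplateHashes $source) (Get-TemplateHashes $store) |
    Format-Table -AutoSize

# /E copies subfolders (the language folders); /XO skips files that are older
# than the copy already in the store, so newer central templates are kept.
robocopy $source $store /E /XO /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

"After copy (anything listed still differs from this machine):"
Compare-TemplateSets (Get-TemplateHashes $source) (Get-TemplateHashes $store) |
    Format-Table -AutoSize
```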
And that’s it, thank you for watching, and I hope you learned much in this video.