In this video, we continue with Group Policy. First, we’ll talk about scope of Management or the “Order of Inheritance”.
To show this, let’s take a look at another policy here, which I made for Computer Configuration. Now what it will do is, it’s going to prevent users and computers from accessing or using In-Private browsing in Internet Explorer. In-Private browsing disables the ability to track your history, some of the cookies and other forms of data by preventing Internet Explorer from storing data about your Browsing Session.
I have already created this GPO ahead of time, but I haven’t actually set it up yet:
- Choose Edit
- Go to Administrative Templates
- Go down to Windows Components
- Then Internet Explorer
- Then down here to Privacy.
- Click on Turn off In-Private browsing,
- Enable Turn Off In-Private browsing
- Click OK
- Then link it to HOIT Computers, the Organizational Unit my Win 8.1 computer is in.
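The same GPO built from PowerShell on the domain controller, as an added example that is not part of the video. It assumes the GroupPolicy module (RSAT/GPMC) is installed and uses the placeholder domain DC=example,DC=com; the registry value is the one the “Turn off InPrivate Browsing” administrative template writes.

```powershell
# Added example (not from the video): create, configure and link the
# "Turn off InPrivate Browsing" computer policy from PowerShell.
# Assumptions: GroupPolicy module installed; placeholder domain DC=example,DC=com.
Import-Module GroupPolicy

$gpoName  = "Turn off InPrivate Browsing"
$targetOu = "OU=HOIT Computers,DC=example,DC=com"   # OU holding the Win 8.1 machine

# 1. Create the GPO (the starting point of "Edit" in the video).
$gpo = New-GPO -Name $gpoName -Comment "Computer Configuration: disable IE InPrivate browsing"

# 2. Computer Configuration > Administrative Templates > Windows Components >
#    Internet Explorer > Privacy > "Turn off InPrivate Browsing" = Enabled.
#    The template writes this value (HKLM because it is a Computer policy);
#    setting it here is the same as clicking Enabled in the editor.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy" `
    -ValueName "EnableInPrivateBrowsing" -Type DWord -Value 0 | Out-Null

# 3. Link it to HOIT Computers, the OU the computer account lives in.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# 4. Show the link as GPMC would (Order, Enabled, Enforced).
Get-GPInheritance -Target $targetOu | Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# On the client the setting arrives at the next refresh:
#   gpupdate /target:computer /force
# and can be checked without opening Internet Explorer:
#   Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Internet Explorer\Privacy" |
#       Select-Object EnableInPrivateBrowsing     # 0 = InPrivate turned off
```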
Note that User policies should be linked to Organizational Units containing Users, because they only affect User Accounts, while Computer policies should be linked to Organizational Units containing Computers, because they only affect Computers. You can also link GPOs to the domain itself. Now let’s see whether my Windows 8 machine can still use InPrivate browsing. So I’m gonna:
- open my internet explorer
- click on safety
- then choose In-Private browsing or
- you can just use the shortcut which is CTRL + SHIFT + P
And there, we can still use InPrivate browsing. But if we refresh the policy by running gpupdate, then open Internet Explorer again and click on Safety, InPrivate browsing isn’t there anymore. Now, what does this have to do with Scope of Management or Order of Inheritance? It relates to how group policies apply and the order in which they apply.
If there are a lot of Users, Computers and GPOs in an organization, it’s very likely that at some point GPOs will conflict with one another, so it is very important that an Administrator knows how they apply, or which GPO should apply to which User/Computer.
So I’m gonna go to my domain controller here and here you can see that I’ve created a new policy that prevents users from changing their desktop backgrounds and linked it to HOIT Users organizational unit. And you can also see that it’s been enabled already.
So if I log on as “hoitUser01”, I shouldn’t be able to change the desktop background. But if I log on as “Administrator”, I should be able to change the desktop background, because the Administrator account isn’t inside the HOIT Users Organizational Unit but in the Users container over here.
But if you notice, the Hide Clock GPO, which is linked all the way up at the domain controller, is also enabled, which means that every User/Computer inside the domain will inherit the policy. It will affect everyone, including the Administrator account, because of the order of inheritance. This goes to show that multiple group policies often apply to many Users/Computers, because by default you already have a list of default domain policies, including password policies, linked to everybody in the domain.
So the settings are gonna be applied cumulatively as long as they don’t conflict with one another. Here we have the Default Domain Policy, which applies to all users and computers in the domain. Then we have Hide Clock, which also applies to everybody in the domain. Then we have Prevent Changing Background, which applies to the HOIT Organizational Unit and everything inside it. And lastly we have Turn Off InPrivate Browsing here in HOIT Computers. So we have 4 policies that apply cumulatively to the HOIT Computers Organizational Unit, given that there is no conflict between the policies.
And if there are conflicts between GPOs, here are the things you have to keep in mind. First, the last policy read in the processing order takes effect. For example, here at the domain I enabled “Turn off InPrivate Browsing Computer”, which means that every computer in the domain would have InPrivate Browsing disabled in Internet Explorer. But down here in HOIT Computers I have another “Turn off InPrivate Browsing Computer” GPO, which instead enables the InPrivate Browsing feature of Internet Explorer. And since the GPO all the way down here at HOIT Computers is read last, it is the one that takes effect on the computers in that Organizational Unit.
Let me just show you if we could really use In-Private Browsing here in my Windows 8 computer. And there it is. And as for conflicts between Computer GPOs and User GPOs, Computer GPOs will always take precedence. And if you want to know what policies are applied to a certain user/computer:
- You can go down here to Group Policy Results
- Right click here and choose Group Policy Results Wizard
- Select a specific computer or type the name of the computer
- Click Next and then
- Select a specific user
- click finish
Then it will show you which GPOs are being applied to this computer. The policies listed under Denied GPOs are denied because they apply only to Users, and what we’re looking at right now are the Computer Details. But if we scroll down to the User Details, you’ll see that the GPOs denied above are the ones applied there.
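To check the processing order and the resulting policy set from PowerShell, as an added example (not from the video) that covers both the “last one read wins” rule above and the Group Policy Results Wizard steps: it assumes the GroupPolicy module, the placeholder domain DC=example,DC=com and a placeholder computer name WIN81-01; hoitUser01 is the user from the video.

```powershell
# Added example (not from the video): show the order in which a client in the
# HOIT Computers OU reads its GPOs, then produce the same report as the
# Group Policy Results Wizard.
# Assumptions: GroupPolicy module installed; placeholder domain DC=example,DC=com;
# placeholder computer WIN81-01; hoitUser01 is the account used in the video.
Import-Module GroupPolicy

$targetOu = "OU=HOIT Computers,DC=example,DC=com"

# Get-GPInheritance lists InheritedGpoLinks with the winning link first
# (this OU, then parent OUs, then the domain). Reversing it gives the order in
# which the client actually reads them: domain first, this OU last, and the
# last GPO read wins when two of them set the same value.
$som   = Get-GPInheritance -Target $targetOu
$links = @($som.InheritedGpoLinks)
[array]::Reverse($links)

$readOrder = 0
$links | ForEach-Object {
    $readOrder++
    [pscustomobject]@{
        ReadOrder = $readOrder
        GPO       = $_.DisplayName
        LinkedAt  = $_.Target     # DN of the domain or OU the link sits on
        Enabled   = $_.Enabled
        Enforced  = $_.Enforced   # an Enforced link is the exception: it wins
                                  # even though a lower OU is read after it
    }
} | Format-Table -AutoSize

# Same data the wizard shows, for one computer and one user: the report has
# Computer Details and User Details sections, each with Applied and Denied GPOs.
$report = Join-Path $env:TEMP "rsop-WIN81-01.html"
Get-GPResultantSetOfPolicy -Computer "WIN81-01" -User "hoitUser01" `
    -ReportType Html -Path $report
Write-Host "RSoP report written to $report"

# Quick text version, run on the client itself:
#   gpresult /r /scope:computer
#   gpresult /r /scope:user /user hoitUser01
```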
Now, suppose you want to make an exemption to a policy for a certain user. Take this policy right here, which applies to Authenticated Users inside this Organizational Unit; under Advanced you can see that Authenticated Users can Read and Apply Group Policy. To make the exemption:
- You need to go to “Advanced”
- Click on “Add”
- Enter the name of the User
- You may still check “read”, but you wouldn’t want them to apply the group policy.
- So you need to check on “Deny” for Apply Group Policy.
- Then click ok
- “Are you sure you want this?” Yes, I do.
Remember that this user is still a member of Authenticated Users, which should mean that the policy also applies to this user. But because we denied Apply Group Policy for this user, the Deny overrides the Allow “Apply Group Policy” permission given to Authenticated Users. So now we have exempted this user from the policy.
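The same exemption made from PowerShell, as an added example that is not part of the video: “Apply Group Policy” is an Active Directory extended right on the GPO’s directory object, so the Deny entry is added to that object’s ACL. It assumes the GroupPolicy and ActiveDirectory modules are installed and uses the placeholder GPO name “Prevent Changing Background”; hoitUser01 is the user from the video.

```powershell
# Added example (not from the video): exempt one user from a GPO by adding a
# Deny "Apply Group Policy" entry, the same change made on the Advanced tab.
# Assumptions: GroupPolicy and ActiveDirectory modules installed; the GPO name
# "Prevent Changing Background" is a placeholder; hoitUser01 is from the video.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo  = Get-GPO -Name "Prevent Changing Background"
$user = Get-ADUser -Identity "hoitUser01"

# "Apply Group Policy" is an AD extended right; this is its well-known rightsGuid.
$applyGroupPolicy = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# The GPO's directory object (cn={guid},cn=policies,cn=system,...) carries the
# ACL shown in the editor's Security / Advanced dialog. Read it via the AD: drive.
$gpoAdPath = "AD:\" + $gpo.Path
$acl = Get-Acl -Path $gpoAdPath

# Keep Read as it is (the video leaves it checked) and add only the Deny on Apply.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $user.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)
$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Verify: the user's entry shows Permission GpoApply with Denied = True, while
# Authenticated Users keeps its Allow. The explicit Deny wins over the group's
# Allow, so the user no longer receives the policy at the next gpupdate.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Denied -or $_.Trustee.Name -eq "Authenticated Users" } |
    Format-Table Trustee, Permission, Denied -AutoSize
```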
Now let’s talk about Policies and Preferences, and the differences and similarities between the two. Both are mostly registry punches, although Policies are revertible to their default settings.
| Policies | Preferences |
|---|---|
| Setting is permanent (grayed-out UI) | User can reverse the setting (UI not grayed out) |
| Applied during startup, logon or refresh | You can apply or refresh, and you can choose to NOT REAPPLY once you have removed a setting |
| Removing the policy reverts the setting to its default | Sticks to the registry even after deletion, until it is deleted from the registry or a new policy is applied which reverts the previous settings |
| Takes precedence over Preferences | Not available for Local GPO |
Often Used for:
- Desktop Icons/Shortcuts
- Place a URL on the Desktop or set up a default Home Page
- Place a new item on the “Send to” options when you right click on a file
- Drive Mapping
- Copy, Update or Delete Files
- Commonly desired but not required Settings
- Administrative Templates only
- Which are commonly used for Roles
- Configure settings for various types of Servers, Laptops, and Desktops
- or configure settings for any Security Sensitive items
- You can’t actually edit it but you use it as a template and create a new policy
And that’s the end of our video. Thank you for watching, and I hope you learned a lot from this video.