Microsoft Azure AZ-800 — Section 8: Manage Windows Server by using domain-based Group Policies Part 2
65. Implement Group Policy Preferences in AD DS
So on top of being able to utilize GPOs to enforce things such as settings and restrictions on people's devices, we can also deploy defaults with the use of something called Group Policy Preferences.
So Group Policy Preferences are going to allow us to deploy different settings out. However, instead of locking things down to where a user can't change them, in this case a user will be able to go and change those settings. We're going to do that through the user Group Policy Preferences: we deploy settings out that apply as defaults, but if users want to go through and modify those settings, they can. All right.
So let me show you how we're going to do that. We're going to open Server Manager here on our domain controller.
OK, once Server Manager is officially loaded up, we're going to open up the Group Policy Management Console, which is the same tool we used for group policies. So we go here to Group Policy Management.
OK, expand this out and then go to Group Policy Objects. We can see all of the GPOs that we've created, and then we're just going to edit a GPO.
So I'm just going to go here and edit, let's do the Sales Desktop Settings GPO. Just right-click that, click Edit. All right? And then again, under Computer Configuration and User Configuration, we have the folder called Preferences. Instead of Policies, you're going to use Preferences.
Now Preferences is going to allow me to deploy these defaults out, so I can expand that out. You can see that under Preferences, Windows Settings, you have all these different things you can alter, as well as Control Panel Settings. Same thing under User Configuration: you have Windows Settings and Control Panel Settings. So there's lots of stuff here you can play around with, including things like deploying printers, printer objects, out to people, which is really cool.
So I can go here and deploy a TCP/IP printer or a local printer to somebody's machine. I've got network shares. If I want to configure registry settings, I can. I can configure environment variables, and I can push files and shortcuts. There's all sorts of fun stuff here you can play around with. All right, I'm going to focus on this right here: power options. If I wanted to deploy the power settings to these machines, such as how long the computer is going to be idle before it goes to sleep, turning the screen off, turning the hard drives off, all that stuff, I can control that through Power Options. I'm going to right-click that, select New, and then you've got Power Options (Windows XP), Power Scheme (Windows XP), or Power Plan (At least Windows 7). Obviously nowadays, hopefully, you're not using Windows XP, so you're not using those tools. You're going to be focused on this one, for Windows 7 and higher.
So we're going to go to Power Plan, and then you have all these different things you can tweak through here if you want.
OK, so you can mess with the hard disk: turn the hard disk off after a certain amount of time. You can set sleep.
So sleep after a certain amount of time. You can set it on battery for a certain number of minutes, and plugged in for a certain number of minutes. On battery, we'll say 20 minutes, and we'll leave it alone if it's plugged in. All right, you can also set hibernation mode, what happens when the power button is pushed, and PCI Express devices if you want to adjust the power settings for that.
So there’s all this stuff here that I can tweak.
OK, now there's something else that's really neat about preferences that you don't get through policies. If you come over here to the Common tab, there's this thing called item-level targeting. If you go to Targeting right here, you can add criteria that select specific computers based on certain types of hardware or certain settings that are on somebody's machine. In other words, I can make it so this preference only gets applied based on certain criteria, such as: there must be a battery present.
OK.
So, in other words, if you were deploying this preference out to somebody's computer, it would not get deployed to their computer unless they have a battery. In other words, it pretty much has to be a laptop, for the most part. You could do CPU speed. I mean, look at all this stuff. You could base it on RAM, like a certain amount of RAM: there's a battery present and the machine must have 4,096 MB of RAM, which is roughly 4 GB, right? And so essentially, you're now only going to apply it based on that.
So this is a really neat little feature. Unfortunately, you don't get that with policies. The closest thing that will let you do the same thing with policies is the WMI filter feature, which you can use here, but you have to understand the WMI Query Language in order to do that. With preferences, you can use item-level targeting instead. All right.
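For comparison, here is the "battery present and 4,096 MB of RAM" condition written as the WQL a WMI filter would need, with a local check of whether a machine would pass it. This is an added example, not part of the lecture; the function names `Test-WqlMatch` and `Get-TargetingResult` are hypothetical, and the RAM threshold is expressed in bytes.

```powershell
# Added example: evaluate on the local machine the criteria the lecture
# sets with item-level targeting, using WMI filter style WQL queries.

# WQL as it would be entered in a GPO WMI filter (namespace root\CIMv2).
$BatteryQuery = 'SELECT * FROM Win32_Battery'
# 4096 MB = 4294967296 bytes. TotalPhysicalMemory is the memory usable by
# Windows, which is usually slightly below the installed size, so a machine
# with exactly 4 GB fitted can fail a strict threshold like this one.
$RamQuery = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4294967296'

function Test-WqlMatch {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    # A WMI filter query passes when it returns at least one instance.
    $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

function Get-TargetingResult {
    $battery = Test-WqlMatch -Query $BatteryQuery
    $ram     = Test-WqlMatch -Query $RamQuery
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        BatteryPresent = $battery
        RamAtLeast4GB  = $ram
        # Both conditions must hold, as with the two targeting items.
        WouldApply     = ($battery -and $ram)
    }
}

Get-TargetingResult | Format-List
```

Running it on a desktop and on a laptop before linking the GPO shows which machines the filter would actually select.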
So Preferences is a neat little feature. Keep in mind, when you deploy this, users can go back and change it, and at that point, it'll be changed. It's not going to be redeployed unless you detach it and then reattach it, and then it would redeploy to somebody's machine. But ultimately it is going to only be applied one time, and preferences are again just defaults that I want to push out to people's machines while allowing them to change them. As far as them getting applied and refreshed, they'll get applied the very next time the policy gets applied on somebody's machine. That's when the preference will get applied.
So whether it's the 90 to 120 minutes or whether it's gpupdate /force, that's when it's going to be applied. Ultimately, though, preferences are pretty easy to use. I encourage you to jump in and explore these a little bit and get familiar with them. They're definitely easier than configuring policies.
66. Implement Group Policy in Azure AD DS
It's now time to go through the process of looking at how Azure AD DS handles group policies. Honestly, there aren't really a whole lot of differences, especially if you understand some of the fundamentals of how to set up Azure AD DS, which I've done earlier. To start out, here on portal.azure.com, I'm going to click the menu button and go to Resource groups. I created a resource group earlier called Azure AD DS. Inside that resource group, I created an instance of Azure AD DS called Exam Lab Practice Dot Azure. I also created a server called Server AD DS Demo. Here it is, right here, and I can just connect to it through RDP, which I have already done.
So here it is right here.
Now I'm going to go to the Server Manager tool, which you can get to by clicking Start, then clicking Server Manager. Once you're in Server Manager, you would want to go to Tools and then Group Policy Management. But there's a problem. You don't see Group Policy Management, and that would be because we don't have the Group Policy Management Console installed.
So we're going to do that by going to the Manage menu. We're going to go to Add Roles and Features. I'm going to click Next, Next, Next and Next until you get to the Features page, and then you're going to install the Group Policy Management Console here. Meanwhile, if you want, you could install the Remote Server Administration Tools as well. That gives you some additional tools that can interact with Active Directory and all that fun stuff. You can expand all these out and select the things that you want. All right.
So in my case, I've got everything that I want here. If I wanted to add anything else I could, but I think I'm good.
So I'm going to go ahead now and click Next, Next, Next, and we're ready to install. I'm going to go ahead and pause the recording while this is being installed.
So the installation takes about five minutes. Once that's complete, we can hit Close, we can go to Tools, and then you'll notice we've got our different tools here available to us. The one we care about right now, though, is the Group Policy Management Console here.
So we're going to click that, and that's going to open up the Group Policy Management Console, just like it does on a normal machine, as you've done in previous lectures. As you can see, I can expand out my forest and domains, and here it is, Exam Lab Practice Dot Azure, and then I can go to Group Policy Objects. And here are the GPOs. You'll notice there are a few default GPOs that aren't there in on-premises Active Directory. In on-premises Active Directory, there are only two GPOs, and that's the Default Domain Controllers Policy and the Default Domain Policy. All right. If you click on those, you'll notice you get a message that says the permissions for the GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has the rights to modify the GPO.
OK, so I didn't do a hybrid environment with this. I didn't connect this to my on-premises environment, so it's popping up that little permissions message. But you'll also notice that you've got the new GPOs that show up here: the AADDC Computers GPO, as well as the AADDC Users GPO. These are some default ones that they set up, and there's also an event log GPO.
Now, if you want to see what's in there, there's not really much in there, to be honest with you. But if you click this, you can go right here to Settings, and then if you click Show All, you can see all the policies that are inside here. If you expand this out, you're going to see there's very, very little here. Expanding this out, you'll notice that they have set some preferences.
So under Computer Configuration: Control Panel Settings, Local Users and Groups. They basically set some local groups and made the AAD DC Administrators, the Azure AD Domain Services administrators, local admins, and that's what this is doing here. You could do the same thing for users. If you click on the users GPO and click Settings, you can see the policies that are there. All right. And as you can see, there's not really anything at all that's enabled. They've configured some permissions over the GPO. But ultimately, if you look down here, this is what matters. There's not really anything configured.
So if you wanted to adjust settings for the users in your environment, you would edit this GPO, and it's going to do that for you. If you want to adjust computers in your environment, you can do that right here. You'll also notice that they've got some OUs. You can expand out the OUs and see those right there. If you wanted to apply GPOs to these specific OUs, you can. But again, as far as Group Policy Objects are concerned, it works pretty much identically, for the most part, to how it does on-premises.
So if you understand the concepts for on-premises Active Directory, you're going to understand the concepts for Azure AD DS.
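The console steps in this section (install Group Policy Management, then review what the default GPOs contain and where they are linked) can also be done from PowerShell on the management server. This is an added example, not part of the lecture; the function names `Get-ConfiguredExtension` and `Get-GpoInventory` are hypothetical, and it assumes an elevated session on a domain-joined Windows Server.

```powershell
#Requires -RunAsAdministrator
# Added example: install GPMC if needed, then inventory every GPO in the
# domain with its links and the extensions that actually hold settings.

# Install the Group Policy Management feature only if it is missing.
if (-not (Get-WindowsFeature -Name GPMC).Installed) {
    Install-WindowsFeature -Name GPMC | Out-Null
}
Import-Module GroupPolicy

# Names of the extensions (for example Local Users and Groups) configured
# on one side (Computer or User) of a GPO's XML report. Empty when the
# side has no settings.
function Get-ConfiguredExtension {
    param($Side)
    @($Side.ExtensionData | Where-Object { $_ } | ForEach-Object { $_.Name })
}

function Get-GpoInventory {
    foreach ($gpo in Get-GPO -All) {
        # Without -Path, Get-GPOReport returns the report as a string.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } |
                   ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name             = $gpo.DisplayName
            Status           = $gpo.GpoStatus
            Modified         = $gpo.ModificationTime
            LinkedTo         = $links -join '; '
            ComputerSettings = (Get-ConfiguredExtension $report.GPO.Computer) -join ', '
            UserSettings     = (Get-ConfiguredExtension $report.GPO.User) -join ', '
        }
    }
}

Get-GpoInventory | Sort-Object Name | Format-List
```

A GPO that shows empty `ComputerSettings` and `UserSettings` matches what the Settings tab shows as "nothing configured"; a later change to the local administrators preference would show up in `Modified` and `ComputerSettings`.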