1
00:00:06,000 --> 00:00:06,660
Question.

2
00:00:07,530 --> 00:00:14,220
Many organizations rely heavily on security group filtering to scope GPOs rather than linking GPOs to

3
00:00:14,220 --> 00:00:17,580
specific go use in these organizations.

4
00:00:17,610 --> 00:00:23,460
GPOs typically are linked very high in the Active Directory logical structure to the domain itself or

5
00:00:23,460 --> 00:00:24,720
to a first level of view.

6
00:00:25,530 --> 00:00:31,530
What advantages do you gain by using security group filtering rather than GPO links to manage a GPO

7
00:00:31,530 --> 00:00:31,980
scope?

8
00:00:32,850 --> 00:00:33,420
Answer.

9
00:00:34,320 --> 00:00:40,470
The fundamental problem of relying on oh used to skip the application of GPOs is that an EU is a fixed,

10
00:00:40,710 --> 00:00:43,140
inflexible structure within ads.

11
00:00:43,530 --> 00:00:47,070
A single user or computer can exist within only one EU.

12
00:00:47,880 --> 00:00:53,610
As organisations get larger and more complex, configuration requirements become difficult to match

13
00:00:53,610 --> 00:00:56,460
in a 1 to 1 relationship with any container structure.

14
00:00:57,360 --> 00:01:03,240
With security groups, a user or computer can exist in as many groups as necessary, and you can add

15
00:01:03,240 --> 00:01:08,370
or remove them easily without impacting the security or management of the user or computer account.

16
00:01:09,260 --> 00:01:15,140
Question Why might it be useful to create an exemption group, a group that has denied the apply group

17
00:01:15,140 --> 00:01:18,050
policy permission for every GPO that you create?

18
00:01:18,920 --> 00:01:19,490
Answer.

19
00:01:20,400 --> 00:01:25,830
There are very few scenarios in which you can guarantee that all of the settings in a GPO will always

20
00:01:26,760 --> 00:01:29,880
need to apply to all users and computers within its scope.

21
00:01:30,740 --> 00:01:35,930
By having an exemption group, you will always be able to respond to situations in which you must exclude

22
00:01:35,930 --> 00:01:37,250
a user or computer.

23
00:01:38,150 --> 00:01:42,380
This also can help in troubleshooting, compatibility and functionality problems.

24
00:01:43,280 --> 00:01:48,470
Sometimes specific GPIO settings can interfere with the functionality of an application.

25
00:01:49,280 --> 00:01:53,960
To test whether the application works on a clean installation of the Windows operating system.

26
00:01:54,110 --> 00:01:58,790
You might need to exclude the user or computer temporarily from the scope of GPOs.

27
00:01:59,670 --> 00:02:04,350
Question Do you use loopback policy processing in your organization?

28
00:02:05,190 --> 00:02:10,140
In which scenarios and for which policy settings can loopback policy processing add value?

29
00:02:10,960 --> 00:02:11,500
Answer.

30
00:02:12,390 --> 00:02:13,500
Answers will vary.

31
00:02:14,430 --> 00:02:20,400
Scenarios could include in conference rooms and kiosks on virtual desktop infrastructure, computers

32
00:02:20,400 --> 00:02:22,140
and in other standard environments.