1
00:00:03,050 --> 00:00:04,010
In this module.

2
00:00:04,040 --> 00:00:09,380
What I want to do is talk about group policy deployment. This is sort of more of the theoretical

3
00:00:09,410 --> 00:00:14,000
or the logical around all the stuff we've been talking about so far, which is to say you've got the

4
00:00:14,000 --> 00:00:18,180
basic skills about how to manage group policy, how to troubleshoot group policy.

5
00:00:18,200 --> 00:00:21,590
Now I want to talk about how to deploy it in real-world environments.

6
00:00:21,590 --> 00:00:26,270
And I think the key here is that it's always a balancing act between designing a group policy friendly

7
00:00:26,270 --> 00:00:29,180
Active Directory and meeting the needs of your AD management.

8
00:00:29,240 --> 00:00:34,370
The challenge here is that AD design is often driven by different goals than group policy design.

9
00:00:34,370 --> 00:00:39,260
What you have is AD being driven by the security needs of the organization, the need to delegate

10
00:00:39,260 --> 00:00:44,360
administration to subgroups of administrators, and all the applications that use AD driving you in

11
00:00:44,360 --> 00:00:45,170
one direction.

12
00:00:45,200 --> 00:00:47,330
I'll give you a perfect example.

13
00:00:47,330 --> 00:00:52,460
There's a lot of directory-enabled applications that use LDAP, and a lot of those applications are not

14
00:00:52,460 --> 00:00:57,050
Windows applications; they're Unix or Linux or Java or some other kind of platform.

15
00:00:57,050 --> 00:01:01,730
And oftentimes they only use AD for authentication, and they only search on a single container.

16
00:01:01,730 --> 00:01:06,950
Within AD DS, you provide a base distinguished name, and given that they benefit highly from having all

17
00:01:06,950 --> 00:01:11,930
of your users in a single flat view, that's not a great approach from a group policy perspective,

18
00:01:11,960 --> 00:01:16,670
because then you get into the situation where if you want to distinguish policy by a particular set

19
00:01:16,670 --> 00:01:21,920
of users, you then have to rely heavily on users being in particular groups and using security group

20
00:01:21,920 --> 00:01:22,520
filtering.

21
00:01:22,520 --> 00:01:27,230
In that scenario, you've got AD design being at cross-purposes to group policy design.

22
00:01:27,230 --> 00:01:32,840
Group policy is really about ease of targeting, the ability to differentiate by platform, for example,

23
00:01:32,840 --> 00:01:37,910
server versus workstation or desktop versus laptop, and then sometimes also by delegation.

24
00:01:37,910 --> 00:01:42,980
As I showed in an earlier module, you can delegate administration of group policy, for example, and

25
00:01:42,980 --> 00:01:43,850
also admin.

26
00:01:43,850 --> 00:01:48,830
So sometimes the driver will send you in a particular direction in terms of your AD design.

27
00:01:48,860 --> 00:01:52,850
Let's look at some AD designs that are maybe friendly, if you will.

28
00:01:52,880 --> 00:01:57,320
This particular design starts out with a top level of OUs based on object type.

29
00:01:57,350 --> 00:02:00,620
So we've got machines, we've got people, and we've got groups.

30
00:02:00,620 --> 00:02:03,710
And then the sub-OUs are distinguished by either their role.

31
00:02:03,740 --> 00:02:08,930
For example, under people we have interactive users, we have service accounts. Or they're basically

32
00:02:08,930 --> 00:02:11,420
their type or form factor, which is under machines.

33
00:02:11,420 --> 00:02:17,480
We have laptops, desktops, servers, VDI, and RDS systems, and each of those has their own OU that

34
00:02:17,480 --> 00:02:22,460
allows you to sort of more easily distinguish and manage group policy based on other factors than

35
00:02:22,460 --> 00:02:23,990
just a flat OU structure.

36
00:02:24,020 --> 00:02:29,240
Another approach is to take the more geographic or business unit approach, where your top-level OUs are

37
00:02:29,240 --> 00:02:35,510
based on either geography, east or west, or department or business unit, sales, marketing, etc. And underneath

38
00:02:35,510 --> 00:02:40,010
each of those you have sort of the secondary structure that's identical, that has users, computers.

39
00:02:40,010 --> 00:02:45,440
And under each of those users and computers you then have, going back to our previous design or previous

40
00:02:45,440 --> 00:02:48,500
diagram, the sub-OUs based on role or form factor.

41
00:02:48,500 --> 00:02:53,780
So you're essentially adding a layer that is the business unit or the geographic distinction and allowing

42
00:02:53,780 --> 00:02:57,710
you to sort of further differentiate and target from a group policy perspective.

43
00:02:57,800 --> 00:03:02,330
So that's a different approach that allows you to distinguish based on business function in addition

44
00:03:02,330 --> 00:03:04,490
to things like form factor and user type.

45
00:03:04,490 --> 00:03:08,270
Let's kind of poke around on our test system and look at how that might work.