1
00:00:03,050 --> 00:00:07,340
Let's look at some of the designs that we just talked about and see how they might play into a group

2
00:00:07,340 --> 00:00:08,390
policy deployment.

3
00:00:08,510 --> 00:00:13,130
So I've got actually both designs that I just showed you implemented in this AD tree for the sake of

4
00:00:13,130 --> 00:00:13,650
example.

5
00:00:13,670 --> 00:00:18,410
I've got a sales OU and a marketing OU, and they both have sort of the same structure where they

6
00:00:18,410 --> 00:00:20,840
have sub-OUs for groups, machines and users.

7
00:00:20,870 --> 00:00:25,510
Under machines you'll see desktops, laptops, servers and VDI/RDS.

8
00:00:25,520 --> 00:00:30,800
And you'll notice that the VDI/RDS OU has block inheritance set, as we mentioned in the kiosk

9
00:00:30,800 --> 00:00:33,380
scenario module, that this is a good option.

10
00:00:33,380 --> 00:00:38,480
If you want to segregate your VDI or RDS servers or workstations, you can put them in there so you

11
00:00:38,480 --> 00:00:42,950
can set block inheritance and it simplifies the management of group policy for those devices.

12
00:00:42,980 --> 00:00:47,330
Now again, I've got different form factors, and I could have underneath the marketing OU, in

13
00:00:47,330 --> 00:00:50,930
the machines OU, I can have a GPO that sets policy for all machines.

14
00:00:50,930 --> 00:00:55,790
Sort of any common policy that may be applied across all computer objects can be set at this machines

15
00:00:55,790 --> 00:00:56,160
level.

16
00:00:56,180 --> 00:01:01,340
Now, the only downside to this kind of business unit approach is that, let's say I have some GPO settings

17
00:01:01,340 --> 00:01:03,980
that apply to all machines across the organization.

18
00:01:03,980 --> 00:01:08,870
Well, that GPO that I define has to be linked both here at this machines level and also down here

19
00:01:08,870 --> 00:01:09,590
under the sales

20
00:01:09,590 --> 00:01:11,390
OU structure at the machines level.

21
00:01:11,420 --> 00:01:16,250
The alternative, of course, is the first design I talked about, which is more object-type based,

22
00:01:16,370 --> 00:01:21,140
and that's represented by these machines and people top-level OUs, and the machines top-level

23
00:01:21,140 --> 00:01:25,910
OU has a similar structure to the marketing and sales OUs in that each of the different types of

24
00:01:25,910 --> 00:01:28,820
machines is broken out by form factor, by function.

25
00:01:28,820 --> 00:01:29,780
And then I can apply.

26
00:01:29,780 --> 00:01:35,030
If all machine accounts in the domain are under this structure, I can very easily apply a GPO or link

27
00:01:35,030 --> 00:01:40,400
a GPO to this level that has computer policy that applies to all systems regardless of form factor.

28
00:01:40,400 --> 00:01:44,690
Then I could come down here at the desktop level, apply policy to desktop-based machines

29
00:01:44,690 --> 00:01:46,370
that's different from laptop machines.

30
00:01:46,370 --> 00:01:49,550
And then for sure, servers are going to have a different set of policy.

31
00:01:49,550 --> 00:01:55,850
And so I can apply that at this level specific to servers, and similarly with the VDI and RDS systems.

32
00:01:55,850 --> 00:02:00,320
So this allows me a little bit more flexibility in terms of targeting GPOs.

33
00:02:00,320 --> 00:02:05,690
I don't have to do as much linking, and I could also have further differentiations underneath, for example,

34
00:02:05,690 --> 00:02:06,530
under the servers

35
00:02:06,530 --> 00:02:09,530
OU I can have observers and I can have web servers.

36
00:02:09,530 --> 00:02:12,740
And so I could be applying policy at these sub-levels as well.

37
00:02:12,770 --> 00:02:16,190
Now on the people side with this structure, it's a little bit more challenging.

38
00:02:16,190 --> 00:02:21,140
If all the user accounts in the domain are under the people OU, I probably will have the need and

39
00:02:21,140 --> 00:02:24,080
desire to be able to subdivide further underneath people.

40
00:02:24,080 --> 00:02:29,390
So for example, interactive users here and service accounts, or I might even go so far as to have different

41
00:02:29,390 --> 00:02:31,610
business units' people accounts under here.

42
00:02:31,640 --> 00:02:37,520
So I might have, for example, a sales OU for the sales users and a marketing OU for the marketing

43
00:02:37,520 --> 00:02:38,120
users.

44
00:02:38,120 --> 00:02:40,100
So I have some flexibility here.

45
00:02:40,130 --> 00:02:45,410
This still allows me to set, again, policy that applies to all users linked here at this people OU

46
00:02:45,410 --> 00:02:49,160
and then policy that is specific to marketing and sales down below here.

47
00:02:49,190 --> 00:02:54,110
So both of those approaches are completely reasonable, and depending on your business needs, that will drive

48
00:02:54,110 --> 00:02:56,090
sort of which direction you go with this.

49
00:02:56,090 --> 00:03:00,770
I tend to like, just in terms of my own personal preference, I tend to like this machines and people

50
00:03:00,770 --> 00:03:05,510
at the top level approach because I like the idea of being able to link in a single place to place

51
00:03:05,510 --> 00:03:10,780
sort of global policy and then be able to subdivide and segregate other policy based on sub-OUs.

52
00:03:10,820 --> 00:03:14,690
Now the one thing you don't want to do is get too deep in your OU structure.

53
00:03:14,690 --> 00:03:19,250
It becomes a lot more difficult to manage, and you really just don't want to have, you know, five or

54
00:03:19,250 --> 00:03:21,110
six levels deep on subdivisions.

55
00:03:21,110 --> 00:03:26,030
You really only want to subdivide sort of to meet the needs of group policy and your AD administration.

56
00:03:26,030 --> 00:03:27,290
So balance those two.

57
00:03:27,290 --> 00:03:32,630
And if you find yourself having to create too many sub-OUs to, for example, segregate group policy,

58
00:03:32,630 --> 00:03:34,640
you might then start looking at filtering.

59
00:03:34,670 --> 00:03:40,730
So doing security group filtering or, you know, for example, WMI filtering, and a good example of that

60
00:03:40,730 --> 00:03:45,710
might be, so within the sales OU under people, you might have sales managers and sales users.

61
00:03:45,710 --> 00:03:50,420
We don't really want to have to create an OU called users and an OU called managers because

62
00:03:50,420 --> 00:03:55,010
people are going to move around, shift around, and you don't want to have to be moving people around

63
00:03:55,010 --> 00:03:57,380
OUs in order to accommodate group policy.

64
00:03:57,380 --> 00:04:02,390
So that's a scenario where you can use security groups and probably get the job done more efficiently.

65
00:04:02,390 --> 00:04:07,070
I would say that as a rule of thumb, if you have to move objects between OUs to meet your group

66
00:04:07,070 --> 00:04:11,750
policy targeting goals, then you're probably taking the wrong approach and should rethink using, for

67
00:04:11,750 --> 00:04:16,400
example, security group filtering or WMI filtering to accomplish those goals.

68
00:04:16,400 --> 00:04:18,770
So that's just kind of a high-level overview.

69
00:04:18,770 --> 00:04:23,060
There's obviously lots of different design approaches you can take with Active Directory.

70
00:04:23,090 --> 00:04:27,830
I've seen people take design approaches where under the machines OU they'll have different OS version

71
00:04:27,830 --> 00:04:28,340
OUs.

72
00:04:28,460 --> 00:04:31,460
So for example, Windows 10 might be underneath the machines

73
00:04:31,460 --> 00:04:37,520
OU instead of just this form factor type. I tend to avoid OS version approaches because OS versions

74
00:04:37,520 --> 00:04:39,170
change as machines get upgraded.

75
00:04:39,320 --> 00:04:43,970
And again, if you're having to move objects between OUs to accommodate your group policy or

76
00:04:43,970 --> 00:04:46,220
design goals, then maybe you need to rethink it.

77
00:04:46,220 --> 00:04:52,160
I like the notion of using WMI filters for object version or, I'm sorry, for OS version testing.

78
00:04:52,160 --> 00:04:53,870
Very tried and true method.

79
00:04:53,870 --> 00:04:59,690
So having a WMI filter that applies to all Windows 10 machines linked to the GPOs, if you want to target

80
00:04:59,690 --> 00:05:00,500
in the desktops

81
00:05:00,530 --> 00:05:01,100
OU only

82
00:05:01,150 --> 00:05:02,140
the Windows 10 machines,

83
00:05:02,140 --> 00:05:04,300
you can use a WMI filter for that.

84
00:05:04,300 --> 00:05:09,600
And it's a lot more efficient and certainly a lot easier to maintain than creating new OS version

85
00:05:09,610 --> 00:05:10,040
OUs.

86
00:05:10,060 --> 00:05:14,860
So again, lots of approaches, but there are some that have sort of shaken out over time that

87
00:05:14,860 --> 00:05:17,140
have proven to be more sort of efficient than others.