1 00:00:03,030 --> 00:00:03,810 Okay. 2 00:00:04,650 --> 00:00:07,530 In this module, called Group Policy Processing, 3 00:00:07,530 --> 00:00:12,870 I'm going to dive in and talk a little bit more about how group policy is actually processed in your 4 00:00:12,870 --> 00:00:14,430 Active Directory environment. 5 00:00:15,360 --> 00:00:17,880 So how does group policy do its thing? 6 00:00:18,750 --> 00:00:21,120 Well, it's strictly a pull-based operation. 7 00:00:21,210 --> 00:00:26,340 And what I mean by that is that group policy settings are always pulled from GPOs that reside in. 8 00:00:26,340 --> 00:00:32,760 And so as an administrator, you can never really push settings to a client, you can't push a button 9 00:00:32,760 --> 00:00:35,520 or flip a switch and make a setting go out to a client. 10 00:00:36,450 --> 00:00:42,000 The one exception, sort of quasi-exception to that, is that you can, from a central console, touch 11 00:00:42,000 --> 00:00:43,140 a client and say, pull 12 00:00:43,140 --> 00:00:46,380 now. In other words, do an update of group policy now. 13 00:00:47,270 --> 00:00:52,250 But that's as close as you get to a push, and it's really just telling it to do a pull at a specific 14 00:00:52,250 --> 00:00:52,700 time. 15 00:00:53,570 --> 00:00:58,850 So implicit in this kind of pull architecture, which I will make the point that it's actually a 16 00:00:58,850 --> 00:01:00,830 fairly scalable architecture. 17 00:01:01,750 --> 00:01:06,760 Being able to have the client initiate the pull of group policy settings from group policy objects is 18 00:01:06,760 --> 00:01:09,060 a very ends up being very scalable. 19 00:01:09,070 --> 00:01:13,600 But the sort of implicit in that is this notion that you never really know for sure when a setting will 20 00:01:13,600 --> 00:01:15,970 arrive at a given Windows computer or user. 21 00:01:16,870 --> 00:01:21,460 So group policy, I like to say it's sort of loosely consistent at any given time.
22 00:01:22,300 --> 00:01:25,360 If you push a setting, you know that setting has arrived. 23 00:01:26,230 --> 00:01:31,630 But in group policy land, the pulling could happen when the user is logged on, when the user is logging 24 00:01:31,630 --> 00:01:33,850 on or when the machine is starting up. 25 00:01:34,740 --> 00:01:37,440 It could happen periodically in the background. 26 00:01:38,330 --> 00:01:43,450 And I'm going to talk about all the different phases of group policy processing in the next module. 27 00:01:44,330 --> 00:01:49,010 But the bottom line is you never can guarantee a setting has arrived at a particular time. 28 00:01:49,010 --> 00:01:51,680 And that's kind of one of the challenges of group policy. 29 00:01:52,550 --> 00:01:58,040 Again, you can fudge it by, you know, basically telling a computer or a user to pull settings now 30 00:01:58,040 --> 00:02:00,140 using a command called Update. 31 00:02:01,010 --> 00:02:03,530 And I'll show that in a later module for sure. 32 00:02:04,470 --> 00:02:06,720 So what's doing the actual polling? 33 00:02:07,560 --> 00:02:10,530 What is it on the client that's actually doing the polling? 34 00:02:11,370 --> 00:02:13,950 Well, it's something called client-side extensions. 35 00:02:14,880 --> 00:02:17,340 I like to refer to those as CSEs. 36 00:02:18,220 --> 00:02:21,430 And they're basically a fancy term for an agent on that system. 37 00:02:21,440 --> 00:02:26,830 So essentially, Microsoft has built in this agent infrastructure that is in Windows that is responsible 38 00:02:26,830 --> 00:02:29,500 for pulling group policy settings from GPOs. 39 00:02:30,430 --> 00:02:35,290 So a CSE itself is really just a DLL, or dynamic link library. 40 00:02:36,160 --> 00:02:41,710 And it's called by another operating system component, which I'll refer to as the group policy engine 41 00:02:41,710 --> 00:02:43,210 on a given Windows system.
42 00:02:44,050 --> 00:02:49,750 And each policy area or group of policy areas in some cases provide their own CSE. 43 00:02:50,620 --> 00:02:56,560 So, for example, wireless security is a policy area implemented in group policy, and it has a DLL 44 00:02:56,560 --> 00:03:03,400 called w l l into d l l. Similar with folder redirection or scripts. 45 00:03:04,300 --> 00:03:08,980 Microsoft ships these in the box in Windows for the policy areas that they provide. 46 00:03:09,820 --> 00:03:15,130 And in fact, third parties can build their own CSEs that just get registered on to the system and 47 00:03:15,130 --> 00:03:18,430 are sort of along for the ride when the group policy engine kicks off. 48 00:03:19,290 --> 00:03:23,250 And it calls the CSEs that it needs to call for a given GPO. 49 00:03:24,090 --> 00:03:27,720 So it's fairly extensible in terms of its architecture. 50 00:03:28,620 --> 00:03:33,660 It's just a bunch of these CSEs that get called when a group policy engine has to do work. 51 00:03:34,510 --> 00:03:40,300 And that's really what the agent of group policy is, is the engine calling all these client-side extensions. 52 00:03:41,230 --> 00:03:46,720 So you can find references to all of them in the registry under this registry path that I've shown here. 53 00:03:47,620 --> 00:03:49,810 This is really just for information. 54 00:03:50,680 --> 00:03:55,570 It's not you don't really ever have to touch or manipulate the stuff that you see in these registry 55 00:03:55,570 --> 00:03:56,590 keys directly. 56 00:03:57,460 --> 00:04:02,710 But it's good to know it's an easy place to come and look to see where client-side extensions are registered 57 00:04:02,710 --> 00:04:06,100 on a system and what client-side extensions are registered, 58 00:04:06,130 --> 00:04:12,640 if you ever have to troubleshoot that. Now, you can actually control CSE behavior for a given policy 59 00:04:12,640 --> 00:04:14,560 area through group policy itself.
60 00:04:15,500 --> 00:04:18,680 So group policy provides a mechanism to do this. 61 00:04:19,580 --> 00:04:25,580 And essentially what you're doing is in a group policy object in GPEdit under Computer Configuration 62 00:04:25,580 --> 00:04:29,890 backslash Policies backslash sys backslash Group Policy policy, 63 00:04:29,900 --> 00:04:34,010 you can do things like change the slow link behavior of a CSE. 64 00:04:34,850 --> 00:04:40,310 The slow link behavior is something that controls whether the actual the CSE actually does any work 65 00:04:40,490 --> 00:04:44,300 if a slow link between the client and a domain controller is detected. 66 00:04:45,190 --> 00:04:48,430 I'll talk more about slow link detection in a later section. 67 00:04:49,270 --> 00:04:55,300 But essentially you can do you can modify the behavior of CSEs based on this, the options within these 68 00:04:55,300 --> 00:05:01,570 group policy areas. So you can change whether a CSE runs when GPOs haven't changed. 69 00:05:02,430 --> 00:05:03,180 By default, 70 00:05:03,180 --> 00:05:09,240 if GPOs haven't changed since the last processing cycle, a CSE won't do any work, but you can force 71 00:05:09,240 --> 00:05:12,600 it to do work at every processing cycle if you decide to do so. 72 00:05:13,440 --> 00:05:17,220 You can also change whether a CSE can run in the background or not. 73 00:05:18,090 --> 00:05:21,360 There's two kinds of processing: foreground and background. 74 00:05:22,240 --> 00:05:24,970 And this essentially allows you to control that. 75 00:05:25,900 --> 00:05:28,390 So let's dive into a demo of some of this.