1
00:00:03,030 --> 00:00:03,810
Okay.

2
00:00:04,650 --> 00:00:09,270
Let's dig in a little bit on some of these elements that we've just discussed around the client side

3
00:00:09,270 --> 00:00:11,400
extensions in the group policy engine.

4
00:00:12,270 --> 00:00:17,580
So just to review, if I bring up the registry editor and I'm on my server test system.

5
00:00:18,420 --> 00:00:23,730
And again, you know, this phenomenon of client side extensions and group policy engine, that's it's

6
00:00:23,730 --> 00:00:28,260
the same regardless of whether we're talking about Windows server or Windows desktop SKUs.

7
00:00:29,190 --> 00:00:33,960
So if I dig into the registry where I had mentioned these client site extensions are registered, you'll

8
00:00:33,960 --> 00:00:38,970
see here that there's these grid named keys and each one represents a different client side extension.

9
00:00:39,000 --> 00:00:44,040
In this case, it's the client side extension for a group policy preferences, local users and groups.

10
00:00:44,040 --> 00:00:46,770
And it shows the Delta, the DL path.

11
00:00:47,660 --> 00:00:52,580
And then there's some options that are used to basically control the group policies, engines, behavior

12
00:00:52,580 --> 00:00:54,870
with respect to this client side extension.

13
00:00:55,730 --> 00:00:57,530
And there's some function names in here.

14
00:00:57,590 --> 00:01:01,730
Most of this stuff, we never have to touch it and certainly never directly.

15
00:01:02,600 --> 00:01:08,060
But it just informs the group policy engine about each of these client side extensions behaviors.

16
00:01:08,930 --> 00:01:10,740
And this goes down the list, you can see.

17
00:01:10,760 --> 00:01:15,800
Actually, this one is interesting, this three, five, three, seven, eight on and on.

18
00:01:15,830 --> 00:01:17,840
It has no information related to it.

19
00:01:17,930 --> 00:01:23,060
This is the kind of the default client side extension that this is the one that does administrative

20
00:01:23,060 --> 00:01:24,080
template processing.

21
00:01:24,080 --> 00:01:25,850
And so there's no details around it.

22
00:01:26,030 --> 00:01:29,150
It's kind of built in to the group policy engine, if you will.

23
00:01:30,020 --> 00:01:32,950
You know, I keep talking about the group policy engine.

24
00:01:32,960 --> 00:01:34,400
So what exactly is that?

25
00:01:35,270 --> 00:01:40,340
Well, you don't really see it in any kind of manifest way, except if I bring up the services control

26
00:01:40,340 --> 00:01:41,120
panel applet.

27
00:01:41,330 --> 00:01:47,240
What you'll see here is there's a group policy client service and that really is at least in later versions

28
00:01:47,240 --> 00:01:52,400
of Windows, the group policy engine, the thing that is doing all of the work of calling the CCS and

29
00:01:52,400 --> 00:01:56,060
figuring out which GPOs apply to the giving user or computer.

30
00:01:56,920 --> 00:01:58,240
And that client service.

31
00:01:58,240 --> 00:02:01,890
If I look at log on, you'll notice that it's using local system account.

32
00:02:01,900 --> 00:02:02,830
You can't change it.

33
00:02:03,730 --> 00:02:07,930
In fact, if I even try to stop it or started, this is all grayed out.

34
00:02:08,800 --> 00:02:11,530
And the reason for that is this client, obviously.

35
00:02:12,400 --> 00:02:17,890
Is protected from, you know, users just coming in and saying, stop the group policy client so I don't

36
00:02:17,890 --> 00:02:18,910
get group policy.

37
00:02:19,810 --> 00:02:25,570
So this service is hardened, if you will, such that only members of local system or only the local

38
00:02:25,570 --> 00:02:27,400
system account can modify it.

39
00:02:28,300 --> 00:02:34,540
And that's a pretty good thing, I think, because it prevents the the casual user from essentially

40
00:02:34,540 --> 00:02:36,010
turning off group policy.

41
00:02:36,910 --> 00:02:42,250
So the other area that I wanted to mention that I talked about in the slides was this area in administrative

42
00:02:42,250 --> 00:02:46,900
template policy where you can actually control the behavior of client side extensions.

43
00:02:47,770 --> 00:02:55,420
If I come down under administrative template system and this is for the computer side computer configuration.

44
00:02:56,290 --> 00:02:58,890
So this applies to computer objects and aid.

45
00:03:00,130 --> 00:03:05,500
You'll see here that I have a bunch of different policy items that let me control various policy.

46
00:03:06,410 --> 00:03:12,470
So for example, if I come in under configure security policy processing, I can open this up and if

47
00:03:12,470 --> 00:03:19,640
I enable it, then I can tell it not to apply security policy during background processing and process,

48
00:03:19,640 --> 00:03:22,370
even if the group calls the object have not changed.

49
00:03:23,240 --> 00:03:28,760
Remember I mentioned that the normal behavior for group for the group policy engine is it won't do work

50
00:03:28,760 --> 00:03:30,530
if a GPO hasn't changed.

51
00:03:30,530 --> 00:03:32,660
That applies to that given user computer.

52
00:03:33,590 --> 00:03:36,170
So this overrides that default behavior.

53
00:03:37,050 --> 00:03:39,810
And you know, many of these are similar to that.

54
00:03:40,740 --> 00:03:46,710
So I'll come in to wireless policy and this one has another option allow processing across a slow link.

55
00:03:47,650 --> 00:03:53,290
Certain client side extensions by default will not run if a slow link is detected between the client

56
00:03:53,290 --> 00:03:56,230
and the domain controller that it's getting group policy from.

57
00:03:57,130 --> 00:04:00,310
So in that case I can override that behaviour as well.

58
00:04:01,240 --> 00:04:04,480
So in this case I can override that behaviour as well.

59
00:04:05,350 --> 00:04:10,750
And that's just kind of a sampling of the things that you can control with with client side extension

60
00:04:10,750 --> 00:04:11,380
behavior.

61
00:04:12,290 --> 00:04:15,020
Most of the time, you're not going to need to touch this.

62
00:04:15,890 --> 00:04:21,470
And certainly for basic deployments of group policy up even to some large deployments of group policy.

63
00:04:21,470 --> 00:04:26,280
You may never do anything in here, but it's good to know that you can if you need to.

64
00:04:26,300 --> 00:04:32,240
And I have seen in certain circumstances, for example, somebody configure security policy processing

65
00:04:32,240 --> 00:04:38,180
to process, even if GPOs have not changed because that sort of ensures that security policy is always

66
00:04:38,180 --> 00:04:39,350
correct and up to date.

67
00:04:40,280 --> 00:04:46,550
Now, that may not apply in your environment, but essentially it's it's nice to know that that option

68
00:04:46,550 --> 00:04:47,150
is there.