1 00:00:03,030 --> 00:00:03,810 Okay. 2 00:00:04,680 --> 00:00:11,370 Let's now focus on the final bit of this equation, which is once you've linked and filtered a GPO or 3 00:00:11,370 --> 00:00:14,490 set of GPOs, what does the client do with that list? 4 00:00:15,420 --> 00:00:17,670 How does it process those GPOs? 5 00:00:18,550 --> 00:00:22,270 And that's where we want to talk about the order of processing. 6 00:00:23,110 --> 00:00:26,140 So because it is this hierarchical structure, 7 00:00:26,170 --> 00:00:31,840 in other words, you can have OUs and sub-OUs and sub-sub-OUs that contain users and computers, 8 00:00:32,710 --> 00:00:38,890 and you can link GPOs to, you know, any number of containers at the site, the domain or the OU level, 9 00:00:39,760 --> 00:00:46,600 there has to be an order of precedence in GPO processing, especially if you run into situations where, 10 00:00:46,600 --> 00:00:51,250 for a given computer or user, you might have conflicting settings applying in one or two of those 11 00:00:51,250 --> 00:00:52,060 GPOs. 12 00:00:52,990 --> 00:00:55,630 So what does that order of precedence look like? 13 00:00:56,540 --> 00:01:02,330 Well, the order is that once the computer or user figures out its list of GPOs that apply to it, the 14 00:01:02,330 --> 00:01:05,840 very first GPO that is processed is the local GPO. 15 00:01:06,710 --> 00:01:11,780 So if the local GPO has been defined with settings for either the computer or the user, then those 16 00:01:11,780 --> 00:01:13,340 settings are processed first. 17 00:01:14,240 --> 00:01:19,220 If the local GPO is empty because no one has done anything with it, then it's just ignored. 18 00:01:20,120 --> 00:01:29,240 Then any site-linked GPOs, GPOs linked to AD sites or subnets, will apply, and I can say that 19 00:01:29,240 --> 00:01:30,050 site-linked 20 00:01:30,080 --> 00:01:32,060 GPOs are relatively rare.
21 00:01:32,980 --> 00:01:35,380 I don't see them implemented very often. 22 00:01:36,250 --> 00:01:40,420 They are primarily for determining policy based on your IP subnet. 23 00:01:41,320 --> 00:01:47,410 So if you have a good sense of your IP subnet structure, you could, you know, do things like printer 24 00:01:47,410 --> 00:01:49,990 mappings if you're in the Dallas branch office site. 25 00:01:50,860 --> 00:01:53,710 So those are the kinds of things that you can do with site-linked 26 00:01:53,710 --> 00:01:54,580 GPOs. 27 00:01:55,480 --> 00:01:56,890 Domain-linked GPOs, 28 00:01:56,890 --> 00:02:03,250 again, apply to everyone in the domain, computers or users, and those are processed third, after local 29 00:02:03,250 --> 00:02:03,850 and site. 30 00:02:04,720 --> 00:02:07,330 And then finally, all OU-linked GPOs, 31 00:02:08,250 --> 00:02:13,200 those GPOs that are linked closest to the user or computer object in most cases. 32 00:02:14,160 --> 00:02:15,630 Those are applied last. 33 00:02:16,560 --> 00:02:18,060 So there's this LSDOU 34 00:02:18,060 --> 00:02:18,780 order. 35 00:02:18,810 --> 00:02:23,730 It's easy to remember for processing, figuring out what order to apply group policy. 36 00:02:24,600 --> 00:02:25,220 Again, 37 00:02:25,230 --> 00:02:26,700 why does the order matter? 38 00:02:27,610 --> 00:02:30,160 Because you can have a drive mapping for the S drive 39 00:02:30,190 --> 00:02:35,560 pointing at the sales share in one GPO and a drive mapping for the S drive 40 00:02:35,560 --> 00:02:38,410 pointing at the marketing share in another GPO. 41 00:02:39,280 --> 00:02:41,410 So how do you decide which one wins? 42 00:02:42,280 --> 00:02:46,420 And that's where this LSDOU processing order comes into play. 43 00:02:47,290 --> 00:02:53,950 So for a given user or computer account in AD, basically what happens is GPOs are evaluated based on 44 00:02:53,950 --> 00:02:54,670 how they're linked.
45 00:02:55,600 --> 00:03:00,850 So that computer account, let's take a computer account as an example. 46 00:03:01,750 --> 00:03:05,740 A computer account exists in some OU within the hierarchy of AD. 47 00:03:06,940 --> 00:03:12,940 And when processing occurs for that computer account, it essentially evaluates all of the GPOs linked 48 00:03:12,940 --> 00:03:15,550 up the tree to the domain level that apply to it. 49 00:03:16,480 --> 00:03:22,090 So it makes that list of GPOs that are linked at each level of the hierarchy up above that computer account 50 00:03:22,090 --> 00:03:22,750 in AD. 51 00:03:23,680 --> 00:03:29,200 Then it looks at what filters might be on those GPOs and evaluates those based on whether it's a security 52 00:03:29,200 --> 00:03:36,220 group filter, whether the computer object in AD is in that security group or not, or a WMI filter. 53 00:03:36,220 --> 00:03:42,370 If it's, like, testing, for example, that the computer is running Windows 7, it evaluates that 54 00:03:42,370 --> 00:03:46,570 and comes up with a filtered list of GPOs that apply to that computer account. 55 00:03:47,470 --> 00:03:53,590 And then the client-side extension sort of reorders those GPOs based on this LSDOU order. 56 00:03:54,530 --> 00:04:01,640 So of course, the local GPO, which resides on the computer itself, always gets processed first, and 57 00:04:01,640 --> 00:04:06,860 then the domain or site or OU-linked GPOs get processed in the LSDOU order. 58 00:04:07,750 --> 00:04:11,080 And essentially an ordered list of GPOs is created. 59 00:04:11,980 --> 00:04:17,500 Now, this, of course, implies that you can have multiple GPOs processed by a given computer or user 60 00:04:17,500 --> 00:04:18,540 account in AD. 61 00:04:19,420 --> 00:04:21,070 And that's perfectly acceptable.
62 00:04:21,100 --> 00:04:26,530 In fact, most group policy implementations that you'll come across on a given computer or user, they're 63 00:04:26,530 --> 00:04:31,990 typically processing one, five, ten, 15, hundreds of GPOs in some cases. 64 00:04:32,860 --> 00:04:36,220 And this is a perfectly acceptable use of group policy. 65 00:04:37,100 --> 00:04:42,800 And certainly one that, while it does increase complexity, also provides a lot of flexibility for 66 00:04:42,800 --> 00:04:43,070 you. 67 00:04:43,940 --> 00:04:49,160 Now, in the case of conflicts, which is what we're really concerned with here and where LSDOU really 68 00:04:49,160 --> 00:04:55,970 helps out, there's an order of processing that is dictated by LSDOU that essentially says the setting 69 00:04:55,970 --> 00:05:01,280 in the GPO linked closest to the user account in AD or computer account in AD wins. 70 00:05:02,210 --> 00:05:07,790 So what this means is, let's say you've got five GPOs being processed by that computer account. 71 00:05:07,880 --> 00:05:12,080 Well, the first one is going to be the local GPO, and that does its thing. 72 00:05:12,890 --> 00:05:19,280 And then the next one will be any site-linked GPOs, then domain-linked GPOs and OU-linked GPOs. 73 00:05:20,210 --> 00:05:27,380 So the GPOs that are closest in terms of the OU that the computer account resides in, if they contain 74 00:05:27,380 --> 00:05:31,550 settings that are also contained in upstream GPOs like the domain-linked ones, 75 00:05:31,670 --> 00:05:34,910 well, those OU-linked ones will win if there are conflicts. 76 00:05:35,810 --> 00:05:41,660 So if a domain-linked GPO sets a setting to one and an OU-linked GPO sets it to zero, then the zero 77 00:05:41,660 --> 00:05:46,130 wins because it's linked closer and it's the last thing written by the computer object. 78 00:05:47,060 --> 00:05:53,240 So I would be remiss if I didn't also mention some opportunities for modifying that default LSDOU order.
79 00:05:54,140 --> 00:06:00,170 So there's two, let's call them flags, within group policy that modify the default behavior of GPO processing 80 00:06:00,170 --> 00:06:01,070 and inheritance. 81 00:06:01,940 --> 00:06:05,990 One of those is called Block Inheritance and the other is called Enforced links. 82 00:06:06,920 --> 00:06:11,940 Now, what Block Inheritance is, is a flag that you set in GPMC at a container level. 83 00:06:11,960 --> 00:06:14,570 It's usually done at the domain or OU level. 84 00:06:15,420 --> 00:06:22,200 And it blocks all upstream GPOs from applying to those OUs that are underneath, or those computers and 85 00:06:22,200 --> 00:06:25,560 users that are underneath that OU where you set the flag. 86 00:06:26,430 --> 00:06:32,580 And as you see in this screenshot, I can right-click, in this example, my Clients OU under Sales and 87 00:06:32,580 --> 00:06:33,810 set Block Inheritance. 88 00:06:34,680 --> 00:06:40,980 And what that means is any GPOs linked at the Sales OU or at the domain or even on the site would 89 00:06:40,980 --> 00:06:43,440 essentially be ignored by computers in the Clients 90 00:06:43,440 --> 00:06:49,080 OU. And that's kind of what Block Inheritance does, and it's typically used if you have some 91 00:06:49,080 --> 00:06:54,300 OU that contains exceptions, machines that you don't, or users that you don't, want policy to apply 92 00:06:54,300 --> 00:06:54,960 to normally. 93 00:06:55,830 --> 00:07:00,330 Now, the alternative to the Block Inheritance flag is the Enforced link flag. 94 00:07:01,230 --> 00:07:05,700 So enforced links are done at the GPO link instead of on a container. 95 00:07:06,590 --> 00:07:11,300 And what an enforced link does is it says no matter what is happening downstream,
96 00:07:12,170 --> 00:07:18,350 in other words, if there's a Block Inheritance set on an OU or whatever else may be happening, the 97 00:07:18,350 --> 00:07:21,560 GPO link that you've set Enforced on will always win. 98 00:07:22,430 --> 00:07:24,890 In other words, it will always apply. 99 00:07:25,730 --> 00:07:27,920 And Enforced trumps Block Inheritance. 100 00:07:28,850 --> 00:07:34,790 So if you have a Block Inheritance flag set on an OU and a higher-level GPO link has Enforced enabled, 101 00:07:34,790 --> 00:07:36,380 then Enforced always wins. 102 00:07:37,280 --> 00:07:41,810 The idea there is that if you have an OU administrator that's decided he doesn't want to receive 103 00:07:41,810 --> 00:07:44,390 group policy and sets the Block Inheritance flag, 104 00:07:44,540 --> 00:07:49,940 but you have an overall corporate administrator that might have, let's say, some domain-wide settings 105 00:07:49,940 --> 00:07:52,940 that they want to enforce no matter what, 106 00:07:53,060 --> 00:07:57,890 you can set the Enforced flag on that domain-wide GPO link and it will always win. 107 00:07:58,730 --> 00:08:01,490 And again, it's set on the link, not containers. 108 00:08:01,520 --> 00:08:06,380 So as you see in the screenshot, I've right-clicked on that domain-wide settings GPO that's linked 109 00:08:06,380 --> 00:08:09,140 at the domain level and selected the Enforced flag. 110 00:08:09,980 --> 00:08:14,720 And it's usually set on links at the domain level because that's where it makes the most sense. 111 00:08:15,640 --> 00:08:18,940 But it can also be set at the site level or at OUs. 112 00:08:19,870 --> 00:08:25,810 So if you have a hierarchy of OUs, let's say in our scenario, you might want to set it at the Sales 113 00:08:25,810 --> 00:08:26,200 level.
114 00:08:27,070 --> 00:08:32,440 If you have a GPO that's linked at the Sales level that you absolutely, positively want to apply to 115 00:08:32,440 --> 00:08:35,350 either the Clients sub-OU or the Users sub-OU. 116 00:08:36,190 --> 00:08:39,340 So that's a good way of enforcing that kind of capability.