1
00:00:03,070 --> 00:00:03,610
Okay.

2
00:00:03,640 --> 00:00:06,100
Let's summarize what we learned in this module.

3
00:00:07,000 --> 00:00:11,170
Client side extensions or CCS are the agents of group policy.

4
00:00:12,070 --> 00:00:17,860
So the group policy engine calls the client side extensions to do the work of processing GPOs and their

5
00:00:17,860 --> 00:00:18,430
settings.

6
00:00:19,330 --> 00:00:24,520
Each policy area typically has its own CAC, which is implemented as a DLR.

7
00:00:25,390 --> 00:00:31,540
Microsoft provides a bunch of these in the box for all the various policy areas admin templates, security

8
00:00:32,020 --> 00:00:34,780
preferences, all those different policy areas.

9
00:00:35,680 --> 00:00:42,100
Microsoft provides the CAC deal for third parties can also extend group policy capability by writing

10
00:00:42,100 --> 00:00:48,340
their own, and it snaps right into that engine and gets called just like the Microsoft ones do.

11
00:00:49,210 --> 00:00:53,830
User and computer objects and aid are the things that actually process policy.

12
00:00:54,730 --> 00:00:57,370
Key fundamental point about GPO.

13
00:00:58,210 --> 00:01:03,670
It's the user and computer object, not groups, not anything else in ADD that are the things that are

14
00:01:03,670 --> 00:01:05,740
doing the work of processing policy.

15
00:01:05,740 --> 00:01:07,330
The things that are being targeted.

16
00:01:08,200 --> 00:01:13,360
And that's how you need to think about group policy in general and GPO targeting in particular.

17
00:01:14,290 --> 00:01:20,950
So if you're in the GP, Ed, you look under computer configuration, everything you see under there

18
00:01:20,950 --> 00:01:23,470
is only going to be processed by computers.

19
00:01:24,400 --> 00:01:29,920
If you're in the user configuration section, everything you see in there is only processed by users.

20
00:01:30,850 --> 00:01:33,520
GPOs can be targeted using linking.

21
00:01:34,390 --> 00:01:38,800
Linking is the fundamental way of applying GPOs to users and computers.

22
00:01:39,700 --> 00:01:43,630
You can link at the site level, the domain level or at the EU level.

23
00:01:44,560 --> 00:01:50,680
So essentially you had those three options for how you target a particular GPO to a set of computers

24
00:01:50,680 --> 00:01:51,400
and users.

25
00:01:52,330 --> 00:01:52,900
Further.

26
00:01:52,900 --> 00:01:58,720
Once you've linked to GPO, you can exclude certain populations or include certain populations based

27
00:01:58,720 --> 00:01:59,560
on filtering.

28
00:02:00,430 --> 00:02:02,300
You can use security groups.

29
00:02:03,220 --> 00:02:05,570
You can use WMI filters.

30
00:02:06,460 --> 00:02:09,280
Those first two are at the whole GPO level.

31
00:02:10,210 --> 00:02:12,750
So if I'm in a group, I get the GPO.

32
00:02:13,570 --> 00:02:15,790
If I'm not in the group, I don't get it.

33
00:02:16,720 --> 00:02:19,510
Same with filtering of WMI filters.

34
00:02:20,410 --> 00:02:26,350
GP preferences is evaluated after the GPO has determined passed fail from those other methods.

35
00:02:27,220 --> 00:02:33,070
And preferences are evaluated on the per preference setting level based on whatever item level targeting

36
00:02:33,070 --> 00:02:33,820
you've defined.

37
00:02:34,720 --> 00:02:40,870
GPOs are processed using an order precedence that's local GPO first, then any site linked GPOs.

38
00:02:40,870 --> 00:02:45,100
Any domain linked GPOs and finally any EU linked GPOs.

39
00:02:46,000 --> 00:02:51,940
So when the user computer fires up their processing cycle, they look at the list of GPOs that applied

40
00:02:51,940 --> 00:02:56,110
based on linking and filtering and then apply those in this LSW order.

41
00:02:56,990 --> 00:03:03,020
And as I showed, you can have multiple GPOs at a given container level site domain or you.

42
00:03:03,050 --> 00:03:05,870
And you can also control the order of precedence on that.

43
00:03:06,800 --> 00:03:09,920
So number one, meaning the highest priority.

44
00:03:10,870 --> 00:03:15,160
That essentially means the GPO is processed last for that container.

45
00:03:16,140 --> 00:03:21,180
And therefore can overwrite any settings that conflict with it that are processed previously.

46
00:03:22,120 --> 00:03:26,590
And to that point, last writer wins in the event of settings conflicts.

47
00:03:27,590 --> 00:03:33,290
So what that means is under normal circumstances, if you've got conflicting settings at the domain

48
00:03:33,290 --> 00:03:38,390
and EU level, because the EU is typically closer to where the user computer resides.

49
00:03:39,360 --> 00:03:44,160
Those settings that are linked to the oh, you are going to win because they are processed last.

50
00:03:45,180 --> 00:03:50,220
So hopefully that gives you a good sense of how GPO is processed and targeted.

51
00:03:51,180 --> 00:03:56,460
And in the next section, we're going to talk about the tools that you can use to manage group policy.