1
00:00:03,030 --> 00:00:03,810
Okay.

2
00:00:04,650 --> 00:00:09,420
In this module, we're going to talk about the tools of the trade of group policy management.

3
00:00:10,320 --> 00:00:15,210
And what that really gets down to is the M.C. that I've shown you examples of already.

4
00:00:16,120 --> 00:00:20,050
The GMC is your friend when it comes to managing group policy.

5
00:00:20,950 --> 00:00:25,660
It's really the main tool for doing group policy management and you can do a lot of stuff and group

6
00:00:25,810 --> 00:00:26,950
in PMC.

7
00:00:27,100 --> 00:00:29,830
So we're going to dive into that a little bit in this module.

8
00:00:30,700 --> 00:00:36,700
In order to get the PMC on your desktop machine or server machine, you need to install the Remote Server

9
00:00:36,700 --> 00:00:38,350
Administration Tools package.

10
00:00:39,250 --> 00:00:43,000
It can be installed on Windows Server or desktop as queues.

11
00:00:43,860 --> 00:00:47,490
And it's available depending on which version of Windows you're running.

12
00:00:47,670 --> 00:00:50,010
It's available using different mechanisms.

13
00:00:50,940 --> 00:00:55,080
So on the desktop SKUs like Windows seven and Windows eight or ten.

14
00:00:55,260 --> 00:01:01,590
The rest tools are downloaded from the Microsoft Download site, and there are specific versions for

15
00:01:01,590 --> 00:01:05,760
Windows seven and for Windows eight, and even Windows ten has a different version.

16
00:01:05,850 --> 00:01:11,640
So you need to make sure you get the right version of the SAT it installs as a kind of of a feature

17
00:01:11,640 --> 00:01:15,450
module on that MCU package, an update to the operating system.

18
00:01:16,290 --> 00:01:21,360
And that gives you the ability to get at those features and install or select the PMC.

19
00:01:22,260 --> 00:01:23,760
So I'll show this in a demo.

20
00:01:23,940 --> 00:01:29,310
But once you download and install the feed that doesn't automatically get you PMC on Windows seven or

21
00:01:29,310 --> 00:01:32,880
Windows ten, you actually have to go in and select that feature.

22
00:01:33,760 --> 00:01:39,130
On Server 2008 or two or server 2016 zero or 2022.

23
00:01:39,970 --> 00:01:43,840
RSA is actually a feature that you can add in server manager.

24
00:01:44,780 --> 00:01:49,490
So if you go in under the ad roles and feature section of server manager, you'll be able to add the

25
00:01:49,490 --> 00:01:54,740
RS SAT feature and then explicitly select group policy management as the feature you want to install

26
00:01:54,740 --> 00:01:57,950
in RSA and that essentially installs PMC.

27
00:01:58,820 --> 00:02:04,070
The other thing you can do in PMC is you can manage other domains in forests other than the one that

28
00:02:04,070 --> 00:02:06,890
you've got installed on your Windows desktop or server.

29
00:02:07,800 --> 00:02:13,530
So AMC has this capability to manage multiple domains and even multiple forests.

30
00:02:14,460 --> 00:02:17,160
There is some requirement around this, however.

31
00:02:18,040 --> 00:02:21,340
You need to be trusting of the domain where you're running DMC.

32
00:02:21,460 --> 00:02:26,200
So what this means is you need at least a one way trust from your foreign domain, so to speak.

33
00:02:27,120 --> 00:02:30,110
Or foreign forced to the domain in which you're running.

34
00:02:30,420 --> 00:02:31,110
M.S..

35
00:02:32,030 --> 00:02:34,920
GP M.S. unfortunately doesn't support run.

36
00:02:34,940 --> 00:02:41,000
As for those non trusted domains, like some of the other server administration tools do, and this

37
00:02:41,000 --> 00:02:46,640
can be kind of a pain if you're trying to manage GPOs across untrusted forests, essentially you have

38
00:02:46,640 --> 00:02:51,050
to go to a server or workstation in that untrusted domain and manage it from there.

39
00:02:51,900 --> 00:02:57,690
And if you're going to manage other domains, GPOs from BMC, you need at least read access from those

40
00:02:57,690 --> 00:02:58,320
domains.

41
00:02:59,190 --> 00:03:04,230
And of course, if you're going to edit those domains, other domains, GPOs, you're going to need

42
00:03:04,230 --> 00:03:04,500
right.

43
00:03:04,500 --> 00:03:06,210
Access to those GPOs.

44
00:03:07,090 --> 00:03:10,870
I'm going to talk more about delegation in a subsequent module.

45
00:03:11,740 --> 00:03:16,960
But essentially you need to be able to perform those operations on the foreign domains just like you

46
00:03:16,960 --> 00:03:18,340
would on your current domain.

47
00:03:19,210 --> 00:03:24,580
The other thing you can do in kind of a cross domain fashion is you can link GPOs across domains.

48
00:03:25,540 --> 00:03:30,910
So if you have Domain A and you've defined a GPO in domain A and you've got a domain B that's trusting

49
00:03:30,910 --> 00:03:36,610
by a trusting of domain and has an O you, let's call it the marketing o you.

50
00:03:37,450 --> 00:03:42,880
You can link a GPO from domain A to the o u in domain B and that's absolutely possible.

51
00:03:43,780 --> 00:03:49,000
As a general rule, I tend to avoid it because there are performance implications of doing that.

52
00:03:49,900 --> 00:03:55,570
If when a user logs in or a computer starts up and has to process a group policy, if they have to cross

53
00:03:55,570 --> 00:04:00,670
a trust to read the GPO that's in domain, then it's going to perform a little bit more poorly.

54
00:04:01,540 --> 00:04:06,790
And it depends on network connections and those sorts of things, but it's not generally recommended

55
00:04:06,790 --> 00:04:08,770
unless you absolutely have to do it.

56
00:04:09,670 --> 00:04:12,400
You can also run into more permission issues.

57
00:04:13,320 --> 00:04:16,040
If you're crossing domain boundaries, it becomes.

58
00:04:16,140 --> 00:04:19,710
You have to be a little bit more explicit about how you grant permissions.

59
00:04:20,640 --> 00:04:22,550
That's just something to keep in mind.

60
00:04:23,480 --> 00:04:29,090
I'm going to talk about in module 12, I'm going to talk about other ways of handling cross domain challenges.

61
00:04:29,090 --> 00:04:33,440
We're getting GPOs between domains and specifically around importing domains.

62
00:04:34,340 --> 00:04:38,930
So now let's take a look at some of the stuff on our test system and see how it all works.