1 00:00:03,060 --> 00:00:03,590 Okay. 2 00:00:03,600 --> 00:00:08,700 So what I want to do now is illustrate some of these concepts around administrative template lockdown 3 00:00:08,700 --> 00:00:09,930 that we just talked about. 4 00:00:10,830 --> 00:00:16,650 So I've created a GPO linked to the marketing of you called Lockdown Policy, and I'm going to go ahead 5 00:00:16,650 --> 00:00:23,850 and edit this GPO and I'm going to bring up the user side administrative templates, and I'm going to 6 00:00:23,850 --> 00:00:25,080 do something simple. 7 00:00:26,010 --> 00:00:31,540 I'm going to prevent access to the registry editing tools, in other words, registry, edit or reg 8 00:00:31,560 --> 00:00:37,980 edit and I'm going to also disable reg it from running silently and I'm going to go ahead and enable 9 00:00:37,980 --> 00:00:38,790 that policy. 10 00:00:39,690 --> 00:00:44,640 Now what I'm going to do is come over to my client machine and go ahead and run a GP update. 11 00:00:45,540 --> 00:00:47,610 Well, first I'm going to show you that. 12 00:00:47,610 --> 00:00:49,950 Yes, indeed, registry editor runs. 13 00:00:50,830 --> 00:00:55,570 And then I'm going to go ahead and come to the command prompt and issue a pop date on the user. 14 00:00:56,450 --> 00:00:58,580 And we'll let that run to completion. 15 00:00:59,450 --> 00:01:04,970 And what that's going to do is process that new registry, restriction policy registry ed restriction 16 00:01:04,970 --> 00:01:10,790 policy such that now if I type right jetted you'll see here that I get the message registry editing 17 00:01:10,790 --> 00:01:12,800 has been disabled by your administrator. 18 00:01:13,700 --> 00:01:14,180 Great. 19 00:01:14,210 --> 00:01:18,980 So essentially now that policy has been deployed to me and I'm now being affected by it. 20 00:01:19,850 --> 00:01:23,270 I've essentially locked down from using the registry editor. 21 00:01:24,200 --> 00:01:29,060 Now what I want to do is show you how if I come to this policy and essentially unlink it or disable 22 00:01:29,060 --> 00:01:32,390 the link so this link is no longer valid within this O.U. 23 00:01:32,420 --> 00:01:40,460 This marketing, oh, you come back to my client and again issue the update and now try to run registry 24 00:01:40,460 --> 00:01:40,910 ed. 25 00:01:41,810 --> 00:01:44,090 Sure enough, it comes up just fine. 26 00:01:44,930 --> 00:01:50,090 And while I'm in Registry Editor, let's look at some of the policy areas that I talked about, those 27 00:01:50,090 --> 00:01:50,600 keys. 28 00:01:51,530 --> 00:01:57,320 So for example, here you'll see under each HQ, I underscore current underscore user backslash software, 29 00:01:57,320 --> 00:01:58,610 backslash policies. 30 00:01:58,610 --> 00:02:03,890 I've got a number of policies that have been delivered to me related to various admin templates, settings 31 00:02:03,890 --> 00:02:04,880 that have been defined. 32 00:02:05,770 --> 00:02:09,640 In this case, I have some internet settings that define cache properties. 33 00:02:10,570 --> 00:02:15,280 I've got some power settings and I've got some app management settings. 34 00:02:15,280 --> 00:02:19,960 And this particular one is the always download Missing Comm Components Policy Setting. 35 00:02:20,860 --> 00:02:24,490 So kind of gives you an a little bit of an idea of how this works. 36 00:02:25,420 --> 00:02:30,700 So what essentially happened with the registry editor is I applied the policy and it delivered a key 37 00:02:30,700 --> 00:02:35,110 to one of these key y underscore current underscore user policy sub keys. 38 00:02:36,000 --> 00:02:42,720 And then I unlinked the policy and did a pop date and it applied that or removed that registry editor 39 00:02:42,720 --> 00:02:44,940 restriction that had previously applied. 40 00:02:45,780 --> 00:02:51,150 And then essentially the registry editor was then available to me, as it always was, without the policy 41 00:02:51,150 --> 00:02:51,750 in place.