1 00:00:03,030 --> 00:00:03,810 Okay. 2 00:00:04,650 --> 00:00:09,990 Now I want to talk since we've kind of laid the groundwork on what administrative templates can do. 3 00:00:10,850 --> 00:00:15,740 I want to talk about how you can deploy them or strategies for deploying them to get the best out of 4 00:00:15,740 --> 00:00:16,010 them. 5 00:00:16,880 --> 00:00:21,950 So, you know, if you're faced with kind of a blank slate, you've got thousands of these admin templates 6 00:00:21,950 --> 00:00:27,200 settings in the box it's shipped by Microsoft via ADMX files. 7 00:00:28,070 --> 00:00:29,180 Where do you start? 8 00:00:30,070 --> 00:00:34,240 Well, you know, there's a couple places that I typically recommend to folks. 9 00:00:35,200 --> 00:00:39,610 I mean, typically you know what you want to lock down in your organization, and at least at a high 10 00:00:39,610 --> 00:00:45,310 level you understand, you know, that you care about things like IE. You might want to prevent the 11 00:00:45,310 --> 00:00:47,890 user from doing certain things on their desktop. 12 00:00:48,010 --> 00:00:50,980 Like running regedit or running the command shell. 13 00:00:51,900 --> 00:00:54,630 You have a high-level idea about what you want. 14 00:00:55,530 --> 00:01:00,390 Microsoft provides a settings spreadsheet you can download from the Microsoft site. 15 00:01:01,290 --> 00:01:05,850 That is a kind of handy way of listing all of the available admin templates settings that ship in the 16 00:01:05,850 --> 00:01:08,520 box for each version of Windows as it's released. 17 00:01:09,410 --> 00:01:15,530 And there's also a neat application online at this URL, search dot azurewebsites dot net, where you 18 00:01:15,530 --> 00:01:19,790 can do a keyword search on admin templates settings and find. 19 00:01:19,910 --> 00:01:23,090 Let's say you wanted to find a setting for media player. 
20 00:01:23,990 --> 00:01:28,910 You can just type in media player and it will return all of the admin template settings that have that 21 00:01:28,910 --> 00:01:31,190 in their explain text or in the description. 22 00:01:32,030 --> 00:01:34,790 And so it's a great way of finding settings. 23 00:01:35,680 --> 00:01:39,700 I think discoverability in those thousands of settings is a big challenge. 24 00:01:39,910 --> 00:01:42,310 So that provides kind of a starting point for you. 25 00:01:43,150 --> 00:01:47,290 And then when it comes time to deploying those settings, what I like to do is. 26 00:01:48,240 --> 00:01:53,820 I mentioned earlier around not having one setting per GPO or at least not going to town on that idea 27 00:01:53,820 --> 00:01:56,730 and having hundreds of GPOs each with one setting. 28 00:01:57,600 --> 00:02:02,220 So one of the ways that I think you can get around this, especially with admin templates, is to group 29 00:02:02,220 --> 00:02:03,900 settings based on their function. 30 00:02:04,800 --> 00:02:10,410 So for example, you might have a GPO that defines all of the IE settings for the domain or for the 31 00:02:10,410 --> 00:02:15,540 business unit or a setting that controls the kind of the user experience. 32 00:02:16,460 --> 00:02:20,420 The Start Menu, Explorer Options, Desktop, etc. 33 00:02:21,300 --> 00:02:26,640 And then you might have a separate setting or separate GPO that has only Microsoft Office settings. 34 00:02:27,540 --> 00:02:31,680 And that way you can more granularly target these GPOs at the right audiences. 35 00:02:31,800 --> 00:02:37,350 And that can be, you know, kind of a really helpful thing as you're deploying and defining these GPOs. 
36 00:02:38,280 --> 00:02:43,380 So think about grouping based on function or based on need or the use of the policies, rather than 37 00:02:43,380 --> 00:02:48,720 just sort of randomly picking a new GPO and creating a setting in it and applying it to all users or 38 00:02:48,720 --> 00:02:50,490 some of your users in the environment. 39 00:02:51,390 --> 00:02:56,910 Now, what this looks like is really illustrated in this kind of a graphic on a typical AD domain. 40 00:02:57,780 --> 00:03:00,600 So you've got your domain, you've got a People OU. 41 00:03:00,600 --> 00:03:04,620 And then underneath the People OU, you have a Marketing and a Sales OU. 42 00:03:05,430 --> 00:03:11,400 And at the People level we've got a couple GPOs, the All Users Lockdown and All Users IE, and each 43 00:03:11,400 --> 00:03:13,500 of those go to all of the users underneath the 44 00:03:13,500 --> 00:03:14,130 OU. 45 00:03:14,970 --> 00:03:20,160 So these are settings that apply to every user regardless of whether they're in marketing or sales. 46 00:03:21,080 --> 00:03:24,980 And then what we do is more granularly and closer to the ultimate target. 47 00:03:25,160 --> 00:03:27,680 You might have some separate lockdown for marketing. 48 00:03:28,520 --> 00:03:33,230 Maybe you don't want marketing to be able to view a certain drive letter, or you don't want them to 49 00:03:33,230 --> 00:03:35,030 be able to open the command prompt. 50 00:03:35,930 --> 00:03:38,030 Well, this is a place you can do that. 51 00:03:38,960 --> 00:03:45,500 You can link a GPO with more specific, not conflicting, but more specific lockdown, specific to for 52 00:03:45,500 --> 00:03:46,520 the marketing folks. 53 00:03:47,390 --> 00:03:52,760 And similarly, sales, you could have their own lockdown GPO, that is settings that are specific to 54 00:03:52,760 --> 00:03:53,300 sales. 
55 00:03:54,230 --> 00:03:59,600 So what happens is, if I'm a user in sales, I essentially get the Sales Lockdown GPO, the All 56 00:03:59,600 --> 00:04:06,830 User Lockdown GPO and the All Users IE GPO, and all of those apply to me at processing time 57 00:04:06,830 --> 00:04:09,050 to result in what the salesperson would get. 58 00:04:10,010 --> 00:04:12,110 Similarly for the marketing person. 59 00:04:12,980 --> 00:04:18,590 So in this way, you sort of build a layered approach and this approach actually works beyond just admin 60 00:04:18,590 --> 00:04:19,520 templates settings. 61 00:04:20,440 --> 00:04:22,380 It works for security policy. 62 00:04:22,390 --> 00:04:26,740 It works for a lot of different policy where you're linking the settings as close to their intended 63 00:04:26,740 --> 00:04:30,420 target as possible, which is a guideline that I mentioned early on. 64 00:04:30,430 --> 00:04:34,930 And you're really, you know, trying to get very specific about a particular audience. 65 00:04:35,860 --> 00:04:40,090 So the general stuff is linked higher up so that you only have to define it once. 66 00:04:40,300 --> 00:04:44,590 And then the more specific stuff is linked lower down on this specific target audience.