1
00:00:03,050 --> 00:00:03,650
Okay.

2
00:00:03,680 --> 00:00:08,030
Now I want to talk about some deployment scenarios using security policy.

3
00:00:08,890 --> 00:00:14,260
And the first one I'm going to go through is group membership control, which is a pretty common scenario

4
00:00:14,260 --> 00:00:20,290
in a lot of situations, whether you're talking about controlling membership on desktops or servers,

5
00:00:20,470 --> 00:00:23,350
there are two ways to enforce the local group membership.

6
00:00:24,210 --> 00:00:29,280
And again, I'm going to reiterate that group policy does local group membership control.

7
00:00:30,140 --> 00:00:35,270
It does not do anything with respect to groups that are defined in Active Directory, and that's a key

8
00:00:35,270 --> 00:00:35,960
distinction.

9
00:00:36,830 --> 00:00:42,230
You'll need other mechanisms besides group policy to control membership on Active Directory groups.

10
00:00:43,100 --> 00:00:47,090
But let's look at the ways that we can do this in group policy for local groups.

11
00:00:48,020 --> 00:00:51,020
So the first way is restricted groups policy.

12
00:00:51,920 --> 00:00:56,660
So you have the ability through restricted groups to do a couple of different kinds of control, which

13
00:00:56,660 --> 00:00:57,920
I'll talk about in a second.

14
00:00:57,920 --> 00:01:02,450
And that gives you the ability to essentially pretty much lock down the membership of the group and

15
00:01:02,450 --> 00:01:04,380
also which groups are in other groups.

16
00:01:04,400 --> 00:01:10,400
So adding groups to groups or adding users to groups. The other way is actually through preferences,

17
00:01:10,580 --> 00:01:12,310
through group policy preferences.
18
00:01:12,320 --> 00:01:17,060
And I mentioned or alluded to this, that even though group policy preferences has this "preferences" name

19
00:01:17,060 --> 00:01:22,070
in it, it is capable of doing lockdown if the thing that you're controlling is generally not accessible

20
00:01:22,070 --> 00:01:23,150
to the normal user.

21
00:01:24,050 --> 00:01:26,330
So for example, group membership.

22
00:01:27,190 --> 00:01:32,260
If the user is not a local administrator on their workstation, they cannot adjust group membership

23
00:01:32,380 --> 00:01:36,940
no matter how it's delivered to them, whether it's through restricted groups or through this Control

24
00:01:36,940 --> 00:01:39,670
Panel Settings, Local Users and Groups policy.

25
00:01:40,600 --> 00:01:43,960
So these two mechanisms provide similar features.

26
00:01:44,880 --> 00:01:47,660
I'll talk about where they're different, what the differences are,

27
00:01:47,670 --> 00:01:52,170
in terms of, you know, controlling group membership on workstations and servers.

28
00:01:53,070 --> 00:01:58,680
So restricted groups allows you to create a list of users or domain groups that you wish to be added as

29
00:01:58,680 --> 00:02:00,120
a member of a local group.

30
00:02:01,030 --> 00:02:02,920
So here's a scenario for this.

31
00:02:03,820 --> 00:02:09,100
Windows workstations and member servers have a local group that's built in called Remote

32
00:02:09,100 --> 00:02:10,120
Desktop Users.

33
00:02:10,240 --> 00:02:13,960
And members of this group can remote desktop to a server or workstation.

34
00:02:14,830 --> 00:02:20,290
Now you might decide that you want your help desk users in Active Directory to be able to remote desktop

35
00:02:20,290 --> 00:02:22,450
to any desktop in your organization.
36
00:02:23,320 --> 00:02:29,110
So you can imagine creating a restricted groups policy that adds the help desk group, if there is such

37
00:02:29,110 --> 00:02:32,560
a thing in your domain, to the local Remote Desktop Users group.

38
00:02:33,430 --> 00:02:37,510
And that is perfectly something you can do with restricted groups.

39
00:02:38,470 --> 00:02:43,540
The other thing you can do with restricted groups is have absolute control over the membership of a

40
00:02:43,540 --> 00:02:44,230
given group.

41
00:02:45,100 --> 00:02:50,440
And in that scenario, it will actually dynamically remove users and groups that are not in your so-called

42
00:02:50,440 --> 00:02:53,230
approved list each time it processes.

43
00:02:54,160 --> 00:03:00,280
So this is kind of cool and actually somewhat dangerous, in that you can really shoot yourself in the

44
00:03:00,280 --> 00:03:03,160
foot if you don't build your group memberships correctly.

45
00:03:04,060 --> 00:03:09,400
But the point here is that this particular mode of restricted groups has the ability to very tightly

46
00:03:09,400 --> 00:03:10,690
define group membership.

47
00:03:11,560 --> 00:03:14,200
Now, the "Members of this group" side of restricted groups.

48
00:03:14,350 --> 00:03:17,230
There are two boxes that you saw in that previous screen.

49
00:03:17,260 --> 00:03:21,850
The "Members of this group" side is about the absolute control that I was just talking about.

50
00:03:22,730 --> 00:03:27,350
The "group is a member of" side is where you would add users and groups to other groups.

51
00:03:28,280 --> 00:03:32,750
So you have to be careful when you're defining this, and I'm going to go through this in a demo,

52
00:03:32,930 --> 00:03:34,790
which side you're defining membership on,

53
00:03:35,060 --> 00:03:40,040
because one side is absolute control and the other side is sort of discretionary control.
54
00:03:40,940 --> 00:03:45,380
Now with GP preferences, Local Users and Groups, it's a little bit different.

55
00:03:46,310 --> 00:03:51,290
So with this you have a way to essentially add users and groups to another group, and that's really

56
00:03:51,290 --> 00:03:53,730
the main capability that this feature provides.

57
00:03:54,650 --> 00:03:58,410
But it also lets you rename the local group or add a description to it.

58
00:03:58,430 --> 00:04:02,060
You can delete all member users or all member groups from a group.

59
00:04:02,960 --> 00:04:07,940
So this is kind of almost similar to the absolute control power, except that it's just going in

60
00:04:07,940 --> 00:04:11,840
and sweeping through all member users and all member groups to clear out the group.

61
00:04:12,700 --> 00:04:16,360
And then you can add or remove specific members to or from a group.

62
00:04:17,230 --> 00:04:22,690
So I can say, for example, that my helpdesk admins group will be added to the Remote Desktop Users

63
00:04:22,690 --> 00:04:23,020
group.

64
00:04:23,890 --> 00:04:29,080
But Joe Smith, who was an admin that I have that's no longer with the company and has his credentials

65
00:04:29,080 --> 00:04:32,620
spread all over these local groups, will be removed from that group.

66
00:04:33,480 --> 00:04:38,590
And that's an easy scenario to handle with the preferences Local Users and Groups feature.

67
00:04:39,510 --> 00:04:44,040
Now, even though it's a preference, users cannot override these, as I mentioned, unless they're

68
00:04:44,040 --> 00:04:47,850
a member of local administrators on their workstations or their server.

69
00:04:48,740 --> 00:04:54,560
This is just as good as any other policy because the operating system security protects against tampering

70
00:04:54,560 --> 00:04:56,360
with this kind of group membership stuff.
71
00:04:57,310 --> 00:05:02,620
So, really cool capabilities around group membership control, local group membership control, and group

72
00:05:02,620 --> 00:05:03,360
policy.

73
00:05:03,370 --> 00:05:07,240
And what I'm going to do next is give you a little bit of a demo as to how this works.