1
00:00:03,040 --> 00:00:03,820
Okay.

2
00:00:04,690 --> 00:00:09,490
So now what I want to do is create a scenario to illustrate some of the admin template settings for

3
00:00:09,490 --> 00:00:13,540
IE and how they can work with Group Policy Preferences Internet Settings.

4
00:00:14,470 --> 00:00:18,430
So I've created this GPO called IE Lockdown Policy.

5
00:00:19,300 --> 00:00:22,570
We're going to go ahead and bring up the editor on it.

6
00:00:23,450 --> 00:00:26,120
And first, let's go into admin templates.

7
00:00:27,050 --> 00:00:31,970
I want to show you the Site to Zone Assignment List that I mentioned admin templates was good at setting

8
00:00:31,970 --> 00:00:32,540
earlier.

9
00:00:33,440 --> 00:00:35,690
If I go in under Internet Explorer.

10
00:00:36,600 --> 00:00:40,560
This is per user now that I'm setting this under User Configuration.

11
00:00:41,430 --> 00:00:45,830
I'm going in under Internet Explorer, Internet Control Panel, Security Page.

12
00:00:46,700 --> 00:00:51,200
If I come over here to the right, you'll see this policy called Site to Zone Assignment List.

13
00:00:52,100 --> 00:00:56,420
Now, this is very frequently used, and I'm going to go ahead and bring it up.

14
00:00:57,310 --> 00:01:02,440
If you look at the help text, it explains that you can assign websites or web domains to particular

15
00:01:02,440 --> 00:01:04,280
zones using numeric values.

16
00:01:04,300 --> 00:01:09,880
So one for intranet zone, two for trusted sites, three for Internet zone, and four for restricted

17
00:01:09,880 --> 00:01:10,360
sites.

18
00:01:11,260 --> 00:01:16,630
So if I enable this policy, I can go ahead and type in some domain names that I'm interested in assigning

19
00:01:16,630 --> 00:01:17,770
to particular zones.

20
00:01:17,920 --> 00:01:22,150
And so I'll assign Microsoft.com and Google.com to the trusted sites zone.

21
00:01:22,330 --> 00:01:25,660
And now those are in there and the policy has been set in this GPO.

22
00:01:26,500 --> 00:01:32,320
Now, what I want to do is, by contrast, go into GP preferences and set a couple of Internet Explorer

23
00:01:32,320 --> 00:01:34,270
settings for IE10 and above.

24
00:01:35,200 --> 00:01:38,710
So I'm going to go ahead and double click this existing one.

25
00:01:39,580 --> 00:01:42,790
The first thing I want to do is set the homepage to Google.

26
00:01:43,710 --> 00:01:47,610
So I'm going to go ahead and set the homepage to Google.com.

27
00:01:48,480 --> 00:01:54,870
Then what I'm going to do is go in and define a proxy setting, and I've already got a proxy setting

28
00:01:54,870 --> 00:01:55,650
defined here.

29
00:01:56,560 --> 00:01:58,150
It's a proxy PAC file.

30
00:01:59,050 --> 00:02:02,920
This is a central file that can be used to set proxy settings on a browser.

31
00:02:02,950 --> 00:02:04,780
So let's go ahead and accept that.

32
00:02:05,680 --> 00:02:07,930
And so now I've got these two things set.

33
00:02:08,820 --> 00:02:13,020
I've got the homepage set in preferences and I've got the proxy set.

34
00:02:13,930 --> 00:02:17,500
I'm going to go ahead and say OK to this to accept those changes.

35
00:02:18,430 --> 00:02:23,740
And now what I want to do is take this GPO and link it to an OU that contains a user that I have in

36
00:02:23,740 --> 00:02:24,880
my test environment.

37
00:02:25,810 --> 00:02:28,240
So I've got the IE Lockdown Policy.

38
00:02:29,180 --> 00:02:32,030
I'm linking it to this Users OU underneath the Sales

39
00:02:32,030 --> 00:02:37,040
OU, and I've got a user called Joe Sales on this machine here, this Windows 7 machine.

40
00:02:37,940 --> 00:02:41,840
So this is me as Joe Sales logged into this Windows 7 machine.

41
00:02:42,710 --> 00:02:44,150
Now, if I bring up

42
00:02:45,010 --> 00:02:46,960
Internet Options on the browser,

43
00:02:47,860 --> 00:02:53,290
you'll see here that currently the home page is set to Microsoft.com, that I don't have any trusted

44
00:02:53,290 --> 00:02:56,410
sites defined and I don't have any proxy settings defined.

45
00:02:57,330 --> 00:02:58,500
Okay, great.

46
00:02:59,460 --> 00:03:02,700
So now let's go ahead and run gpupdate on this machine.

47
00:03:03,570 --> 00:03:08,430
And I'm going to use the force parameter because it always helps me make sure that I'm getting the most

48
00:03:08,430 --> 00:03:11,970
frequent or the most recent group policy settings that have been delivered.

49
00:03:12,870 --> 00:03:19,380
So as soon as that finishes running, we'll say no to logging off and let's go back in the browser

50
00:03:19,380 --> 00:03:20,640
and see what's changed.

51
00:03:21,480 --> 00:03:26,880
If I go in under Internet Options, you'll see now that my homepage has changed to Google.com.

52
00:03:27,720 --> 00:03:34,170
If I go under Security, Trusted sites, Sites now, you'll see Google and Microsoft have been added to the

53
00:03:34,170 --> 00:03:37,020
Trusted sites zone and I can no longer change anything.

54
00:03:37,890 --> 00:03:42,780
So this is one of the side effects or one of the capabilities of admin templates is that when it makes

55
00:03:42,780 --> 00:03:46,560
changes, it prevents me from making any subsequent changes to those.

56
00:03:47,490 --> 00:03:51,780
So I can't edit these trusted sites that have been added by the administrator.

57
00:03:52,690 --> 00:03:54,670
And you'll see here this message.

58
00:03:55,570 --> 00:03:59,380
It says "Some settings are managed by your system administrator."

59
00:04:00,310 --> 00:04:05,170
Now, if I come in under Connections, let's look and see if we've gotten my proxy setting.

60
00:04:06,010 --> 00:04:09,460
We haven't gotten my proxy setting, at least not visibly.

61
00:04:10,310 --> 00:04:12,680
But what I'll do here is close the browser.

62
00:04:13,590 --> 00:04:14,580
Bring it back up.

63
00:04:14,730 --> 00:04:15,840
Let it go to Google.

64
00:04:16,710 --> 00:04:18,900
And go back in and see what I get.

65
00:04:19,770 --> 00:04:20,730
And there it is.

66
00:04:21,630 --> 00:04:26,490
And the reason that happened is because there are some settings that will require the application that's

67
00:04:26,490 --> 00:04:28,350
being configured to be restarted.

68
00:04:29,220 --> 00:04:32,850
And in this case, a proxy configuration is one of those.

69
00:04:33,750 --> 00:04:37,110
Now, what you notice here also is that I can change this.

70
00:04:38,010 --> 00:04:41,610
I can disable using this automatic configuration script.

71
00:04:42,520 --> 00:04:45,400
And if I come back into it, it's still disabled.

72
00:04:46,330 --> 00:04:51,850
So because this was delivered as a preference, it's perfectly reasonable for me to go ahead and change

73
00:04:51,850 --> 00:04:52,360
it back.

74
00:04:53,230 --> 00:04:55,780
Now, that's probably not a great behavior.

75
00:04:56,680 --> 00:05:00,730
If I'm an administrator, I want to be able to enforce something like proxy.

76
00:05:01,630 --> 00:05:05,440
So what I'm going to do is go into my IE Lockdown Policy again.

77
00:05:06,310 --> 00:05:07,750
Go ahead and edit it.

78
00:05:08,670 --> 00:05:13,020
I'm going to come down to admin templates, Windows Components, Internet Explorer.

79
00:05:13,950 --> 00:05:18,630
Let's go ahead and expand that out a little bit and then I'm going to go ahead and sort these settings.

80
00:05:19,550 --> 00:05:24,500
And if I go down here, you'll see an option that says "Disable changing connection settings".

81
00:05:25,430 --> 00:05:30,710
That sounds about what I want, so I'm going to go ahead and enable that.

82
00:05:31,610 --> 00:05:35,570
So now that's enabled on this GPO that is being processed by sales.

83
00:05:36,500 --> 00:05:39,680
So now what I want to do is come back to my Windows client.

84
00:05:40,600 --> 00:05:42,670
And go ahead and do my gpupdate.

85
00:05:43,540 --> 00:05:48,490
And once that finishes running, I'm going to go back into IE and see how, if anything, has been

86
00:05:48,490 --> 00:05:50,590
affected by that policy I just set.

87
00:05:51,520 --> 00:05:57,460
So let's go into Internet Options, Connections and look, the LAN settings button that used to be

88
00:05:57,460 --> 00:05:59,890
available to me to change is now disabled.

89
00:06:00,790 --> 00:06:07,210
So now that proxy is set by preferences, but the LAN settings button is disabled by admin templates.

90
00:06:08,080 --> 00:06:13,750
So I'm taking advantage of the power of both of these different settings to be able to essentially configure

91
00:06:13,750 --> 00:06:18,820
proxy in one case using preferences and disable the ability for the user to change it,

92
00:06:19,000 --> 00:06:22,630
what they would normally be able to change, using admin templates in another.

93
00:06:23,560 --> 00:06:28,900
So this is kind of a great example of a common way of deploying IE configuration using both of these

94
00:06:28,900 --> 00:06:31,420
different policy areas to their best benefit.