1
00:00:03,070 --> 00:00:03,580
Okay.

2
00:00:03,730 --> 00:00:07,540
I'm going to talk about a few specific commonly used preference areas.

3
00:00:07,540 --> 00:00:11,470
And the first one I'm going to dive into is managing local users and groups.

4
00:00:12,480 --> 00:00:18,150
So there's this policy area or preference area within group policy preferences under both computer and

5
00:00:18,150 --> 00:00:20,370
user configuration called Preferences

6
00:00:20,370 --> 00:00:24,570
\Control Panel Settings\Local Users and Groups.

7
00:00:25,550 --> 00:00:31,010
And the per-user one has just a couple more options than the per-computer one or a couple different

8
00:00:31,010 --> 00:00:31,570
options.

9
00:00:32,560 --> 00:00:38,050
One that's kind of interesting is the ability to add the currently logged on user to a local group.

10
00:00:39,040 --> 00:00:45,010
So when the user logs on, if this preference is set, their user account is automatically added as a

11
00:00:45,010 --> 00:00:46,470
member of a local group.

12
00:00:47,450 --> 00:00:48,860
So I'll show you that.

13
00:00:49,010 --> 00:00:53,930
But that's a nifty kind of side feature of this that may come in handy in certain scenarios.

14
00:00:54,940 --> 00:00:59,500
So this particular area has functionality, at least on the group side,

15
00:00:59,620 --> 00:01:05,740
that's very similar to the Restricted Groups policy that I talked about in an earlier module on security

16
00:01:05,740 --> 00:01:06,460
policy.

17
00:01:07,380 --> 00:01:12,660
And it has the ability to basically add users to groups, remove users from groups.

18
00:01:13,660 --> 00:01:20,080
You can also use this area to manage the creation, the update or the deletion of local user accounts.

19
00:01:21,080 --> 00:01:27,410
So this area handles both groups and users and it is strictly geared towards local accounts, not Active

20
00:01:27,410 --> 00:01:28,550
Directory accounts.

21
00:01:29,550 --> 00:01:34,830
So you wouldn't use this to create groups and members and add members to those groups from an Active

22
00:01:34,830 --> 00:01:35,520
Directory.

23
00:01:35,730 --> 00:01:40,440
This is strictly around the local user accounts on a given workstation or server.

24
00:01:41,430 --> 00:01:47,240
It's really handy when you have environments that rely on those local accounts and local group memberships.

25
00:01:48,210 --> 00:01:54,000
So for example, a common scenario is you add domain global groups to local administrative groups so

26
00:01:54,000 --> 00:01:59,190
that, for example, the helpdesk team or the server team can manage and have administrative access

27
00:01:59,190 --> 00:02:00,720
on desktops and servers.

28
00:02:01,700 --> 00:02:03,290
So how this works.

29
00:02:04,300 --> 00:02:09,910
This kind of gives you a little screenshot of the user part of this particular preference area and you

30
00:02:09,910 --> 00:02:12,070
see some of the fields that are available.

31
00:02:13,030 --> 00:02:13,690
Again,

32
00:02:13,690 --> 00:02:17,200
it's got the action dropdown with the four actions available.

33
00:02:18,150 --> 00:02:22,920
And you can either create a new user account or set an existing user account.

34
00:02:23,940 --> 00:02:25,740
You could rename an account.

35
00:02:26,730 --> 00:02:31,830
You can change the full name or the description or other properties like whether the user can change

36
00:02:31,830 --> 00:02:33,030
password or not,

37
00:02:33,980 --> 00:02:36,740
password never expires, etc.

38
00:02:37,670 --> 00:02:40,670
And group is a different UI but similar.

39
00:02:41,660 --> 00:02:47,240
You can select the group or you can create a new group and you can even rename or change the description

40
00:02:47,240 --> 00:02:47,840
on a group.

41
00:02:48,820 --> 00:02:54,070
So, you know, on the user side, you can set the group name or, I'm sorry, the username.

42
00:02:55,020 --> 00:02:57,990
You can set those user profile properties.

43
00:02:58,940 --> 00:03:03,410
And on the group side you can select the group name or you can create a group,

44
00:03:03,560 --> 00:03:05,900
if you wanted to create a new local group.

45
00:03:06,850 --> 00:03:12,070
You can selectively delete all members from a group or delete all users from a group.

46
00:03:13,060 --> 00:03:14,530
So you could delete.

47
00:03:14,530 --> 00:03:20,830
If there were individual user accounts in a local group, you might have a policy that says no individual

48
00:03:20,830 --> 00:03:22,360
user accounts in a group.

49
00:03:23,340 --> 00:03:27,300
So this will go in and delete all user accounts and leave all groups

50
00:03:27,300 --> 00:03:29,250
still a member of the existing group.

51
00:03:30,240 --> 00:03:34,020
You can also add or remove individual members from a group.

52
00:03:34,970 --> 00:03:41,270
So you can do this on an individual basis instead of deleting all member users or all member groups.

53
00:03:42,260 --> 00:03:45,860
You can add or delete individual groups or users.

54
00:03:46,860 --> 00:03:48,620
So lots of options here.

55
00:03:48,630 --> 00:03:53,970
And what I am going to do now is get into my test system and show you a little bit about how this works.

56
00:03:54,920 --> 00:03:57,890
But before I do that, I want to make one point.

57
00:03:58,850 --> 00:04:04,030
You'll see here that there's a password field on the local user account section of preferences.

58
00:04:04,950 --> 00:04:10,680
And it's important to note that Microsoft has actually deprecated the ability to set passwords in all

59
00:04:10,680 --> 00:04:14,220
group policy preference areas that support the use of passwords.

60
00:04:15,220 --> 00:04:19,650
So local user is one of them. Scheduled tasks:

61
00:04:19,660 --> 00:04:25,180
You had the ability to, you know, set the user account and password of the user under which the scheduled

62
00:04:25,180 --> 00:04:26,200
task would run.

63
00:04:27,150 --> 00:04:27,960
ODBC

64
00:04:27,960 --> 00:04:30,960
data sources, drive mappings, services.

65
00:04:31,970 --> 00:04:36,860
System services, you could set the service account username and password.

66
00:04:37,770 --> 00:04:40,590
And all of those areas have been deprecated.

67
00:04:41,580 --> 00:04:47,340
The reason Microsoft has deprecated it is that the way they were storing those passwords was in an encrypted

68
00:04:47,340 --> 00:04:50,850
format within the SYSVOL portion of the group policy object.

69
00:04:51,810 --> 00:04:58,320
Remember that the group policy object uses both AD and SYSVOL to store settings-related information.

70
00:04:59,250 --> 00:05:04,890
In the case of preferences and passwords in particular, they were using this encryption form that had

71
00:05:04,890 --> 00:05:06,450
a publicly published key,

72
00:05:06,450 --> 00:05:07,560
encryption key.

73
00:05:08,500 --> 00:05:13,600
And what that meant was that anyone with the key could decrypt the passwords that had been set on local

74
00:05:13,600 --> 00:05:14,530
user accounts.

75
00:05:14,710 --> 00:05:16,810
It could have been the administrator account

76
00:05:17,050 --> 00:05:19,720
that people were using this preference item for.

77
00:05:20,700 --> 00:05:23,550
It could have been scheduled tasks, whatever.

78
00:05:24,530 --> 00:05:31,040
You could easily get that encrypted password information out of the GPO even as a regular non-privileged

79
00:05:31,040 --> 00:05:31,550
user.

80
00:05:32,570 --> 00:05:38,390
So Microsoft has deprecated the ability to set passwords in new preferences areas.

81
00:05:39,340 --> 00:05:45,010
There's a hotfix that, if you apply that hotfix, that password field that you see up here is essentially

82
00:05:45,010 --> 00:05:45,670
grayed out.

83
00:05:46,670 --> 00:05:51,920
So that's just a warning that even though it's showing up in the UI, if you haven't installed that

84
00:05:51,920 --> 00:05:57,170
hotfix, I would not recommend using GP preferences to store passwords going forward.