1
00:00:03,060 --> 00:00:06,000
Let's see how local user group policy works.

2
00:00:07,030 --> 00:00:08,530
So I'm going to do.

3
00:00:08,560 --> 00:00:14,620
I created a local user and group policy GPO and I am going to go ahead and bring up Ed.

4
00:00:15,610 --> 00:00:18,220
And the first thing I want to do is kind of show you.

5
00:00:18,340 --> 00:00:23,800
I had mentioned that there are some differences in the per computer versus per user options under local

6
00:00:23,800 --> 00:00:24,880
users and groups.

7
00:00:25,870 --> 00:00:28,660
Right now I'm under the per user option.

8
00:00:29,630 --> 00:00:33,040
I'm going to go ahead and right click and say new local group.

9
00:00:34,000 --> 00:00:39,310
And what you'll notice here is a set of options that do not appear under the computer side.

10
00:00:40,240 --> 00:00:42,130
And that's the add current user,

11
00:00:42,160 --> 00:00:46,270
remove the current user or do not configure for the current user.

12
00:00:47,270 --> 00:00:53,960
So essentially what this allows you to do is, let's say, for example, I wanted to set the local administrators

13
00:00:53,960 --> 00:00:54,860
group membership.

14
00:00:55,810 --> 00:00:59,170
I could say add the current user and apply this policy.

15
00:01:00,120 --> 00:01:06,540
And what that will essentially do is when the user logged on and processed this GPO, they would automatically

16
00:01:06,540 --> 00:01:08,970
be added to the local administrators group.

17
00:01:09,910 --> 00:01:15,880
And so essentially what you do is you get kind of dynamically adding the user to a whatever group you're

18
00:01:15,880 --> 00:01:19,480
interested in instead of having to specifically specify the user.

19
00:01:20,410 --> 00:01:24,490
And that can be really nice and flexible in certain situations.
20
00:01:25,450 --> 00:01:30,880
But most of the time what I'm going to end up doing is managing local user and group preferences through

21
00:01:30,880 --> 00:01:36,150
the computer side because this is what I'm more interested in, managing it for the whole computer.

22
00:01:36,160 --> 00:01:38,560
And so what I want to do is a couple of things.

23
00:01:39,590 --> 00:01:43,190
First thing I want to do is I want to create a new local user.

24
00:01:44,130 --> 00:01:45,430
And I'm going to call it.

25
00:01:45,450 --> 00:01:48,840
I'm just going to say I'm going to call it a service account.

26
00:01:49,870 --> 00:01:51,400
So service account.

27
00:01:52,460 --> 00:01:53,780
Service account.

28
00:01:54,720 --> 00:01:57,390
And I'll give it a full name of service account.

29
00:01:58,400 --> 00:01:58,970
And.

30
00:01:59,930 --> 00:02:02,930
Remember I said that password has been deprecated.

31
00:02:03,910 --> 00:02:07,450
I don't have the hotfix applied so I can still enter it here.

32
00:02:08,420 --> 00:02:10,220
And I'm going to go ahead and do that.

33
00:02:10,220 --> 00:02:15,170
Even though I mentioned that, you know, typically you're not going to want to use this feature going

34
00:02:15,170 --> 00:02:18,530
forward because of that deprecated encryption capability.

35
00:02:19,530 --> 00:02:24,780
So I'm going to say that the password never expires and that the account never expires.

36
00:02:25,740 --> 00:02:29,670
And I'm going to go ahead and create this policy or this preference.

37
00:02:30,640 --> 00:02:35,890
And here you'll notice that it warns me that the password is stored in SYSVOL and discoverable,

38
00:02:35,890 --> 00:02:36,970
although obscured.

39
00:02:37,900 --> 00:02:42,610
So it at least tells me that, hey, that password is probably not too secure.

40
00:02:43,610 --> 00:02:46,910
So I've created this account called service account.
41
00:02:47,850 --> 00:02:51,810
And now what I'm going to do is create a new local group preference.

42
00:02:52,770 --> 00:02:57,960
And I'm going to add that new local account that I just created to the administrators group.

43
00:02:58,910 --> 00:03:04,460
Now, if I browse to the domain, for example, I'm not going to know about that local account, so

44
00:03:04,460 --> 00:03:06,620
I can just type the name of the account in here.

45
00:03:07,620 --> 00:03:10,230
So I'm just going to say service account.

46
00:03:11,210 --> 00:03:12,800
And let me just verify that.

47
00:03:12,800 --> 00:03:13,640
That's correct.

48
00:03:13,790 --> 00:03:14,900
And that is correct.

49
00:03:15,020 --> 00:03:16,460
That's the service account.

50
00:03:17,500 --> 00:03:23,290
So I've got this policy now, this preference that adds service account to the local administrators

51
00:03:23,290 --> 00:03:23,680
group.

52
00:03:24,610 --> 00:03:31,060
And now what I can do is I'm going to go ahead and link this GPO to the OU where my computer object

53
00:03:31,060 --> 00:03:31,660
exists.

54
00:03:32,650 --> 00:03:35,500
Remember, this is a per computer preference.

55
00:03:36,480 --> 00:03:42,180
And now what I'm going to do is bring up my Windows 7 client and go ahead and do a gpupdate.

56
00:03:43,160 --> 00:03:48,050
And I'm going to target just the computer because I'm processing computer policy here.

57
00:03:49,020 --> 00:03:55,110
And once that processes, I'm going to bring up the Computer Management MMC snap-in and refresh it

58
00:03:55,110 --> 00:03:55,740
and look.

59
00:03:56,720 --> 00:03:58,390
There's my service account.

60
00:03:59,360 --> 00:04:05,720
And if I go into groups and go in under administrators, there's the service account added to the administrators

61
00:04:05,720 --> 00:04:06,080
group.
62
00:04:07,070 --> 00:04:13,520
So what I did there is I created a preference that created a new local account and added it to the administrators

63
00:04:13,520 --> 00:04:13,880
group.

64
00:04:14,870 --> 00:04:17,270
So that's a really nice feature to have.

65
00:04:18,280 --> 00:04:20,960
I could have also just like restricted groups.

66
00:04:20,980 --> 00:04:26,560
If you'll remember in restricted groups policy, I used restricted groups to add the Help Desk Admins,

67
00:04:26,560 --> 00:04:29,800
a global group, to the Remote Desktop Users group.

68
00:04:30,740 --> 00:04:34,580
And I could do the same thing with preferences if I wanted to.

69
00:04:35,450 --> 00:04:40,850
The ability to enforce that is a function of the fact that a normal non-administrative user doesn't

70
00:04:40,850 --> 00:04:44,060
have the ability to modify local groups or users.

71
00:04:45,050 --> 00:04:50,570
So a preference is just as good as a restricted group policy in terms of its enforcement capability

72
00:04:50,570 --> 00:04:56,480
by virtue of the fact that the user simply doesn't have a regular user, simply doesn't have security

73
00:04:56,480 --> 00:04:59,870
rights to that particular area of the operating system.

74
00:05:00,810 --> 00:05:06,570
So, you know, preferences is nice because it has a few more options than restricted groups do.

75
00:05:07,450 --> 00:05:13,690
And it gives you some flexibility in terms of how you craft local group memberships and local user accounts.

76
00:05:14,640 --> 00:05:20,160
But again, remember that the deprecated password support might eventually get in your way when it comes

77
00:05:20,160 --> 00:05:25,290
to creating local accounts because most local accounts need some kind of password set.

78
00:05:26,250 --> 00:05:31,590
So you may be able to create the account, but you wouldn't be able to use it until a password has been

79
00:05:31,590 --> 00:05:33,150
set through some other means.