Microsoft Azure AZ-800 — Section 8: Manage Windows Server by using domain-based Group Policies

63. Visualizing the concepts of Group Policy

Now one of the most powerful things that we Microsoft administrators have in an AD DS environment is something called group policies.

Now, group policies have been around since the beginning. We had them back in the nineties with Windows NT, but things completely changed when Active Directory came out in the year 2000 and they released this concept known as GPOs, Group Policy Objects.

So what does a group policy do exactly? A group policy is going to allow you to deploy out some kind of a setting or parameter or some kind of a feature you want to turn on or turn off. You can even deploy software using group policies. I will say that’s kind of an older way to do it. There are newer ways to deploy software now, but ultimately you can still deploy software using group policies. But group policies are going to allow us to essentially control things in our environment as seamlessly as possible. It could be a situation where your boss walks up to you and says, “Hey, I know we’ve got 1000 Windows computers in our environment, but I need you to disable this feature. I need you to enable this feature, turn something on, turn something off, and, you know, do that as quickly as possible.” And with group policies, we can totally do that.

Now, group policies are kept inside of an object called a GPO, a group policy object. And this GPO, there are literally thousands of policies that can be turned on or turned off inside of it. Granted, you’re usually not going to enable thousands of policies. You’re going to enable the things you need and go from there. But ultimately, there are thousands of different things you can do inside of a GPO and you can apply that inside of this GPO, this object. And then the GPO can be applied at different areas of your Active Directory. And depending upon where that GPO is applied, it will affect different resources, different users, different computers. All right. Ultimately, that is how policies are broken down, by the way, they’re broken down based on users and computers.

Some policies are going to apply to user accounts and affect the environment for that particular user.

Some policies are going to affect computer accounts and affect the entire computer and ultimately anybody that sits there. But what I want to look at with you now is I want to talk about the different places that GPOs can be applied. And we’re going to talk about what happens when they conflict with each other and all that fun stuff.

So first off, I want you to know that there are essentially four different levels that a GPO can be applied to. First thing you’ve got is this level called the local computer level. You have a level called the site level. All right. You have a level called the domain level, and then you have what’s called the OU level, which is the organizational unit. All right. And essentially what happens with GPOs is they get applied down that hierarchical system that you’re seeing there. All right.

So from each level, they’re going to be applied down to the corresponding child level. All right.

Now, to better explain that, let me just kind of rearrange this a little bit. There we go.

So ultimately, though, GPOs can be applied at any one of these levels and they can filter down to the other levels.

So, we’ll make these little arrows here. All right. Just to kind of indicate that they are filtering down. All right.

Now, I will also warn you that the local computer level is a little different. It’s the highest level; it is the first level that gets applied when it comes to policy.

So you can actually sit down at a computer and you can open up what’s called the local computer GPO and you can edit the settings on that specific computer.

So, for example, let’s say I had a Windows computer, and I only wanted this one computer to have certain policies applied. Then I could do that at the local computer level, and those policies would only apply at that one level and affect the user logging on to that one computer. The problem is, if you apply policies at any other level, then they will always overrule the local computer level. If there is ever a conflict, they will always overrule the local computer level. All right.

So for the most part, people don’t really use the local computer level a whole lot unless they are wanting to enable some things for a specific computer, like a kiosk or something like that. But the local computer level is not an actual Active Directory level. It is the local computer level, and it only applies to that one computer. All right.

So, I’m actually going to take this one out since it’s not an Active Directory level. I just wanted to kind of mention that one. And I want to focus on the big three. These are the big three. These are the ones that we really need to think about and understand. And of course, if you’re taking an exam, you’re going to want to know especially information about these three. So, I can apply at the site level, which would essentially apply to that geographic location.

So, if you understand sites, sites are objects that represent geographic locations. For example, I might have a site in New York, I might have a site in Dallas, I might have a site in Birmingham, Alabama. And if I wanted to affect users that are logging on in that area, New York, Dallas, Birmingham, I could apply the GPO at that level and that’s who it would affect. I’ve also got the domain level.

Now, the domain level will affect everyone logging on to the domain.

So anyone logging onto the domain by default, it’s going to affect them.

So the triangle, in other words, is representing everybody that’s part of the domain. And then finally you have the OU level. The OU level is the organizational unit level, and that’s going to represent users and computers that are in an OU. Now, I’ll also say that this will filter down to child OUs as well.

So, if you have any child OUs underneath that, it’s going to filter down to them also. All right.

So what I’m going to do is we’re going to pretend for a moment that there’s a GPO at each level. All right. And then I want to look at how the policies will work if there are conflicts.

So, we’re going to put just a couple of policies here. We’ll say at the site level, we have a policy called Log on banner.

So, it’s just going to cause a message to show up on the screen when somebody logs on. Maybe, if you’re logging on in New York, you have a message about New York in there. Okay, whatever.

So that’s what a log on banner is. And then how about we put a wallpaper policy? So, we’ll do a wallpaper and it will be, I don’t know, we’ll say, how about a picture of an ocean? It’s an ocean background. All right. And then at the domain level, we are going to have a policy called the WSUS policy. WSUS, if you don’t know what that is, is Windows Server Update Services, and it is used for controlling updates in the Microsoft environment. And then maybe why don’t we do, how about an audit policy? All right. All right. And also, this is where password policies are going to reside, and I’ll talk more about that. All right. And then finally, at the OU level, let’s have a policy that will disable the Run command. Maybe you don’t want any users using the Run feature in Windows, so we’ll say disable run. All right.

So here is the question: which policies will the person get? Let’s say that the person in question is inside the OU. This is where their account is, their user account and computer.

So the user and computer are inside this. Their objects are inside the OU. Which policies will they get? So which policies will apply? All right.

So here is the answer to that question. They’ll get the log on banner, right? They’ll get the ocean wallpaper. All right. And they will get the WSUS policy. They will get the audit policy. All right. They will get the password policy. All right. And they will get disable run.

So, they’re going to get every one of these policies. Every one of them. All right. And why is that? Well, because it filters down.

So, if the user’s inside the OU, they’re going to get all of these; it filters down. If they’re in the OU, they’re logging on in the domain and they’re in the site in question. Let’s say this is the New York site. They’re logging on to the New York site. They’re going to get all of these. If they were logging on at a different site, then they wouldn’t get the site policies. If they were in a different OU, they wouldn’t get the disable run. All right.

So now what we’re going to do, we’re going to cause a conflict and we’re going to talk about what happens when there’s a conflict.

So, we’re going to make the wallpaper policy conflict. That’s an easy one to visualize.

So, we’re going to say that at the domain level, we have a wallpaper policy that is going to have a picture of a mountain, mountain.jpg. So, instead of an ocean, this is going to be a mountain. All right. And then at the OU level, let’s have a picture of the desert.

So desert wallpaper. All right. And so, we’ve got three conflicts now. All right. Ocean, mountain and desert.

So the big question obviously here would be: which policy would the person get? Most people will usually lean towards this because it’s the top level policy. But I’ll actually tell you that it’s the bottom one. So instead of the ocean wallpaper, the user will end up getting the desert wallpaper. All right.

So, we’re just going to change this to desert. And that will be the wallpaper that the person ends up getting. And here’s why. Because by default, the last policy that applies is the one that you get. And so, they get processed in this order: the site, the domain, and then the OU.

So the desert wallpaper is the last one that gets applied. That’s the one you’re going to end up getting.

Now, I also would like to show you how we can tweak what somebody’s going to get with a couple of features.

So there’s a couple of interesting features that we can enable. There is a feature that is called block inheritance that you can enable. Block inheritance is a feature that, when you apply it at a level, will block all policies from above, with the exception of password policies. Password policies are a special set of policies that I’ll talk more about, but block inheritance will block all policies except password policies.

So, if I was to put block inheritance right here, over this OU, it’s basically going to shield these policies from filtering down.

So, if you put the policy right here, it’s actually going to block all of these policies right here.

So, in other words, which policies would the person get this time? Well, the person is only going to get disable run, and they’re going to get password policy because again, password policies cannot be blocked. You will always get password policies. They did that on purpose because when you authenticate to the domain, you will always authenticate at the domain level.

So you always get those password policies; they’re a requirement for security purposes. But other than that, everything else will get blocked. All right.

Now, I would also like to tell you that there is a feature you can enable on a GPO that is more powerful than block inheritance if you need it. If you are a higher level admin, let’s say maybe you’re the domain admin and you need to force policies down to lower levels, there is a feature you can turn on called enforced.

Now enforced is more powerful than block inheritance. And if I applied that, let’s say, on a GPO at the domain level, then it will force down the policies to the lower levels.

So let’s talk about what policies would be applied now. All right. If we did that now, I’ll tell you. You will not get the site policies and I’ll explain why.

So you’re not going to get log on banner. You’re not going to get ocean wallpaper. You will get WSUS, audit policy and password policy, and you will get the mountain wallpaper. Because anything that conflicts with something that’s enforced cannot be overwritten. It cannot be overwritten.

So mountain wallpaper will override the desert even though desert gets applied last. It doesn’t matter, because these policies have enforced associated with them. You will not get the site policies because the block inheritance is still there. The enforced is enabled at the domain level, not the site level.

So block inheritance cannot block the enforced, but it can still block things from the site. All right.

Now, what if we were to enable this at the site level as well? All right.

So, if we applied it there.

So what policies would we get now? Well, let’s take a look. Policies that we would get would be log on banner.

So, we would get log on banner. All right. We would get ocean wallpaper this time because it’s got enforced associated with it. We would get WSUS policy. All right. Still, we would get audit policy. We would get the password policy. We would get disable run. And those would be the policies that would apply. All right.

So now you understand how the GPOs get applied. All right. In what order they get applied and all that fun stuff. And remember, I know I erased the local computer level earlier. The local computer level does not support enforced or anything.

So you can never make a local computer level enforce anything. Local computer will always get overridden if there’s a conflict, always. There’s no way around that. But ultimately, that is the order things happen in. And again, the password policy is a special policy. You can only have one GPO also that has a password policy applied in it at a time. You can apply password policies at the domain level. You cannot apply password policy to the site level. If you try to do that, it won’t let you.

Now you may say, Well, what if I want to have different password policy for different groups? There is a way to do that, and it’s through a thing called fine grained password policy, but you can’t do it through GPOs. It’s done differently. All right. But ultimately, that is how GPOs get applied. And now you’re ready to jump in and start playing around with it.
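The precedence rules from this lesson, modelled as an added PowerShell example (it is not from the course, and it does not call the GroupPolicy module). The function names and setting names are made up for illustration; the script runs the whiteboard scenario four ways: defaults, Block Inheritance on the OU, Enforced on the domain GPO, and Enforced on the site GPO as well.

```powershell
# Constructed model of the whiteboard scenario; plain PowerShell, no AD required.
# Processing order from the lesson (local computer level left out, as in the lesson).
$LevelOrder = 'Site', 'Domain', 'OU'

function New-Scenario {
    # Returns the three GPO links from the lesson; -EnforcedAt marks links as Enforced.
    param([string[]] $EnforcedAt = @())
    [pscustomobject]@{
        Level    = 'Site'
        Enforced = $EnforcedAt -contains 'Site'
        Settings = [ordered]@{ LogonBanner = 'on'; Wallpaper = 'ocean' }
    }
    [pscustomobject]@{
        Level    = 'Domain'
        Enforced = $EnforcedAt -contains 'Domain'
        Settings = [ordered]@{ WSUS = 'on'; AuditPolicy = 'on'; PasswordPolicy = 'on'; Wallpaper = 'mountain' }
    }
    [pscustomobject]@{
        Level    = 'OU'
        Enforced = $EnforcedAt -contains 'OU'
        Settings = [ordered]@{ DisableRun = 'on'; Wallpaper = 'desert' }
    }
}

function Resolve-GpoSettings {
    param(
        [Parameter(Mandatory)] [object[]] $Links,
        [string[]] $BlockInheritanceAt = @()
    )
    # Index of the lowest level with Block Inheritance set (-1 means none).
    $blockIndex = -1
    foreach ($level in $BlockInheritanceAt) {
        $blockIndex = [Math]::Max($blockIndex, [array]::IndexOf($LevelOrder, $level))
    }

    $result   = [ordered]@{}
    $enforced = @()
    # Pass 1: non-enforced links in processing order; the last writer wins a conflict.
    foreach ($level in $LevelOrder) {
        $isBlocked = [array]::IndexOf($LevelOrder, $level) -lt $blockIndex
        foreach ($link in @($Links | Where-Object { $_.Level -eq $level })) {
            if ($link.Enforced) { $enforced += $link; continue }
            foreach ($name in $link.Settings.Keys) {
                # The lesson's exception: password policy is not stopped by Block Inheritance.
                if ($isBlocked -and $name -ne 'PasswordPolicy') { continue }
                $result[$name] = '{0} (from {1})' -f $link.Settings[$name], $level
            }
        }
    }
    # Pass 2: enforced links, lowest level first, so the highest enforced level writes last
    # and nothing below it (blocked or not) can override it.
    [array]::Reverse($enforced)
    foreach ($link in $enforced) {
        foreach ($name in $link.Settings.Keys) {
            $result[$name] = '{0} (enforced, from {1})' -f $link.Settings[$name], $link.Level
        }
    }
    $result
}

function Show-Case {
    param([string] $Title, [string[]] $Block = @(), [string[]] $Enforce = @())
    "--- $Title"
    $rsop = Resolve-GpoSettings -Links (New-Scenario -EnforcedAt $Enforce) -BlockInheritanceAt $Block
    foreach ($name in $rsop.Keys) { '  {0,-15} {1}' -f $name, $rsop[$name] }
}

Show-Case 'No modifiers'
Show-Case 'Block Inheritance on the OU' -Block OU
Show-Case 'Block on the OU, Enforced on the domain GPO' -Block OU -Enforce Domain
Show-Case 'Block on the OU, Enforced on the domain and site GPOs' -Block OU -Enforce Site, Domain
```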

64. Implement Group Policy in AD DS

It’s now time for us to take a look at GPOs within our domain controller. Domain controllers are the types of servers that will control your group policy objects, and group policy objects will get replicated across all of your domain controllers within the domain. The GPOs are stored within the domain partition of Active Directory. All right. So, we’re going to take a look at our group policies that are built into our domain controller and learn how to configure them.

So to start off, we’re going to click Start and we’re going to open up Server Manager. All right. Once Server Manager is done loading, we can go to the Tools menu and we’re going to go to Group Policy Management.

So group policy management console is the tool that you’re going to use to manage group policies.

OK, from there, we can see our forest. I only have a single domain, so I’m going to expand Domains, and there’s examlabpractice.com, which is my domain. I’m going to expand that out. All right. And then you’ll see all your OUs and all that there. I want to take a look at the Group Policy Objects container right here. Now, the Group Policy Objects container is where your default GPOs are stored, and by default in Microsoft AD DS, we have two GPOs.

OK. The first GPO that you’ll see there is called the default domain controllers policy. And then there’s the default domain policy.

Now the GPOs container, the group policy object container, is the location where the actual GPOs are stored. And then what happens is your GPOs get linked to things.

So, for example, if we expand out this OU container here called Domain Controllers, you can see that the Default Domain Controllers Policy GPO is actually linked to the Domain Controllers container, the OU, and then the Default Domain Policy is linked to the domain.

So right out of the gate, you can see that these GPOs are linked to these different places. You can even see the little shortcut-looking symbol that’s associated with that icon that indicates that it’s actually a link and not the actual object.

OK.

So knowing that the Default Domain Policy GPO is linked to the domain, that means it applies to everything in the domain; it goes to the domain and everything down. And then the Default Domain Controllers Policy GPO is only linked to the Domain Controllers OU, so it is only for domain controllers.

So as you can imagine, that’s exactly how Microsoft planned it. They made it where the Default Domain Controllers Policy is a GPO that applies to domain controllers, and it actually contains policies in there that are going to control your domain controllers, and it’s going to control things like Kerberos settings and all that fun stuff. And then the Default Domain Policy contains policies for the entire domain, and this is actually where password policies and all of that are stored.

OK. Of course, anything you configure in here is going to affect the entire domain for the most part, unless you’re tweaking a few things like password policies and all that. Microsoft does not recommend you mess with these two GPOs a whole lot. If anything, they recommend that you create a new GPO and apply things through that new GPO. All right.

OK.

So, I’m actually going to do that right now. I’m going to create a GPO. All right. And we’re going to learn how we could apply that GPO.

So, I’m going to right-click right here, which is Group Policy Objects, and you’ll see if I click New, it gives me the option to create a new GPO. Now, I would also like to point out that we have this thing called a starter GPO that we could create. A starter GPO is like a template, OK, a template we could apply.

So, you’ll see what I mean. If I come over here to Starter GPOs, I can click Create Starter GPOs Folder. And then from there, there’s already a couple of default ones that are available. One called Remote Update Firewall Ports and then Reporting Firewall Ports, which will involve your firewall. But I’m going to right-click here, I’m going to click New and I’m going to call this Starter Settings.

So maybe there are some settings that we want to show up in all of our GPOs, so we can click OK. We could go right here. We can edit this GPO by right-clicking it. All right. This starter GPO, and it gives you control over just one section called Administrative Templates. All right.

So from there, let’s say that, for example, we don’t want any wallpapers enabled on people’s computers. All right. We want to disable wallpapers, so we can go under User Configuration, Desktop, there’s a Desktop folder here, and then we could go to Desktop Wallpaper and we could just disable that altogether.

So no wallpaper. That means that somebody cannot configure their wallpaper. It will be grayed out if they try to configure it.

OK, so, it will work.

So at that point, we’ve enabled that. All right. If we wanted to tweak some other stuff here, we could, but that’s the only thing I’m going to do for now. And then at that point, I’ve created my starter GPO.

So now if I go over here to Group Policy Objects, OK, if I clicked New right here, I could say, you know, let’s say, Sales Desktop Settings.

So maybe there’s going to be some desktop settings for salespeople, specifically salespeople. I could choose the Starter Settings starter GPO, and it’s going to go ahead and inject that wallpaper setting into that GPO. In fact, if I edit the GPO right now and I go under User Configuration, Policies, Administrative Templates, Desktop, you will see that the desktop wallpaper feature is already disabled in it, and that’s what the starter GPO is going to do.

So again, if I was going to create, you know, let’s say, HR Desktop Settings. All right. And then maybe I’m going to create a... oops, I forgot to add the starter GPO, so let me go through the process of doing that. Let me just delete it, and we will re-add it, so HR Desktop Settings. Another way I could have done this: I could have just created a GPO for the whole domain and just disabled wallpapers for everybody, but maybe we don’t want to disable wallpapers for the entire domain. Maybe we only want to do it for these three departments, HR, sales and finance. All right.

So, we’ll say Finance Desktop Settings. All right, so there we go. And we’ve now applied it to all three; all three of these would now have their desktop wallpaper policies disabled. Let’s take a look inside of one: right-click, click Edit. And then from there, you’re going to see that there are two main sections of a GPO. You have Computer Configuration and User Configuration. Computer Configuration contains policies that are going to apply to computer accounts, and it’s going to affect pretty much any settings for anybody that logs on to that one computer. All right. You’ll also notice that you have User Config. User Config applies policies to specific users.

So, if you’re trying to apply something to specific users, a lot of that’s going to be done under User Config. If you’re trying to apply to everybody that is sitting at a computer, it’s going to be Computer Config. In some cases, the two could conflict on certain things. If there’s ever a conflict, the Computer Config will automatically win. All right.

So keep that in mind. But the other thing you’ll notice is there’s a folder called Policies and one called Preferences underneath both of these. Policies is what you’re going to use when you want to force something on somebody. All right, which is mostly what we’re looking at right now. In this example, you want to force settings on somebody. If you apply settings to Policies, then what will end up happening is it will gray stuff out.

Somebody will not be able to change certain things, and things will be grayed out. Now, Preferences, in a nutshell, is going to make it where you are going to roll out defaults to people, so they’ll have default settings that you apply. But then the person could go and change those settings if they wanted to. All right. Now, if we expand Policies under both of these, you’ll notice there are three folders underneath: you’ll have Software Settings, Windows Settings and Administrative Templates.

Software Settings is where you could actually deploy software. Again, it’s kind of an old way of doing things, but if you package up your software in what are called MSI packages, then you can apply the software here. You can go here and say Package, and it can be an MSI package, and it’ll let you apply it two ways: you can assign it to people, which forces it on people’s computers, or you can publish it to people, which makes it where they can go into Control Panel and it’ll be available. But the software is not installed until they click to install it. Not getting into that right now, but I just wanted to kind of mention it, a quick overview of it. So that’s Software Settings, and then you have Windows Settings, so a lot of your pre-configured Windows settings are here. The most important thing that you have here is your security settings.

So a lot of your security capabilities and all that: account policies, local policies, restricted groups, system services that you want to configure, all that, to your registry settings. You can even make changes to the file system.

OK. Lots and lots of stuff. And then everything else is in Administrative Templates. Administrative templates are policies that can be added to or customized. In fact, they’re stored in these little files called ADMX files. If you understand the scripting behind it, you can actually script your own policies and import the files, called ADMX files, and add to what you can do inside of a GPO. Not getting into that right now, but I did want to throw out that that’s possible.

So this is where a lot of your stuff is: Control Panel, Network, Printers, Server, and there’s a lot here you can do. I encourage you to kind of dig in and take a look at some of these different things you can do, including Windows Components. You’ll see Windows Update settings configured here. There’s a tremendous amount of things here that you can configure. All right. And of course, you’ve got the same types of things over here, but they’re more related to users as opposed, obviously, to computers. For example, you’ll notice that under Windows Settings for a computer, you have Scripts, startup and shutdown.

So, if you want to write a script that’s going to run as soon as somebody turns on their computer, you can do a startup script. If you want to run it when the computer shuts down, it’s a shutdown script. Or when it comes to users, you’ve got logon and logoff scripts.

So, when users are logging on, they would have a logon script you could have run, or when they’re logging off, you get a logoff script.

OK. You can even do folder redirection, where I can have certain folders redirected to a server if I want. There are just so many things you can do, thousands of things you can do. All right. Inside of GPOs, when you really, really dig down deep into all of these different concepts.

OK. All right.

So, I’m going to go right up under Administrative Templates, and I’ve got Desktop settings. Under Desktop I’ve already, you know, disabled the wallpaper. I could, let’s say, disable all items here. You’ll notice that it says it removes the Active Desktop content and prevents users from adding active content to their desktop. This gets into some of the active content that you can add on certain desktop computers, interacting with the desktop. You can just disable all of that. All right. If you double-click on these, you’ll see there’s also obviously a description for these different things. It tells you what operating systems it’s supported on.

So Server 2003, XP, Windows 2000. Some of these are just minimum operating systems, though, and higher. You’ll notice that it says at least Windows 2000 on that one. All right. And I can configure network settings, Start menu settings if I want. Configure the Start layout on somebody’s machine, the way it looks. That can all be done here. Say I want to remove the Run command. See that: Remove Run from Start Menu.

So, we’ll just disable that if I want. All right, so once we configure what we want inside of a GPO, at that point, we have to apply it. All right. And so one of the things I can do there very easily is I can just drag and drop.

So, if I drag and drop this over to Sales, click OK, it’s now only going to apply to Sales. All right. And then if I did some stuff in HR, I could apply it just to HR. If I want to do this for Finance, I could apply it just to Finance. And now those both have GPOs associated with them as well.

OK.

Now, let’s say that I’m just going to create a GPO called Restrict Control. All right.

Now let’s say that inside the GPO, I added a bunch of restrictions that I want to apply and apply it to the domain level here.

OK. There’s a problem with that.

Now the problem with that is it’s going to apply to everybody in the domain. That also includes your IT people.

So, if I restrict control, that’s going to affect my people that are part of this IT OU.

So this is where I want to show you the Block Inheritance feature. I’m going to say Block Inheritance. All I had to do is right-click that OU and click Block Inheritance, and you’ll see a little blue exclamation mark. And that’s indicating that it is now blocked. All right. That it has now been blocked on that OU. Of course, this is also going to create another slight problem.

OK? It’s going to block the inheritance for the IT OU. That means they will not get the Restrict Control GPO. But you know what else it means? It means they will not get the Default Domain Policy either, except for password policies, because you can’t stop password policies from coming down.

OK. But there are other things inside the Default Domain Policy that I do want my people to get. I just don’t want them to get Restrict Control.

So how can I make it where they don’t get Restrict Control, but they do get Default Domain Policy?

So generally speaking, the way you would do that is you would enable enforced on the one that you do want them to get.

So, if I want my people to get the default domain policy, I’m going to right click that I’m going to click enforced.

So now when enforced conflicts with block inheritance, it will override block inheritance. But because Restrict Control does not have enforced on it, the IT people will block that.

OK, so that is how block inheritance and enforced work.

So something else to look at is let’s go under Sales here and let’s click on the Sales Desktop Settings GPO. It’s going to tell you that you have selected a link to a GPO, and except for changes to link properties, changes you make here are global. That means that if this GPO is linked to other places, if you change it, it’s going to affect all those other places as well. That’s what it’s saying. I’ll say do not show this again. Click OK. And then over here, I want to point out a couple of things involving what we call the scope of a GPO.

So what is the scope of a GPO? The scope of a GPO is where this is applied. So, it’s applied only at the Sales OU right now. That’s what this is saying. And then it’s applied to a group called the Authenticated Users group.

OK, now the Authenticated Users group, this is going to make it where it applies to any authenticated user that’s inside this container. They’re going to get the GPO. But what if we wanted to further restrict who this was going to go to? OK, for example, if we go back and we go to Tools and we go to Active Directory Users and Computers, and we look at the groups we have, we actually have multiple sales groups, right? So, if we go here, we’ve got inside sales, modify outside sales, sales support. What if we only wanted this to affect inside sales? All right.

So not every sales person, just people that are part of inside sales.

So what you can actually do is you can add Inside Sales right here. And you could remove the Authenticated Users group. Now, by doing that, you’re now only going to affect people that are in the Inside Sales group that are in that OU. So that’s how we can further scope it.

Now something else you can do: there’s a thing called WMI filtering. WMI is Windows Management Instrumentation. You can create this thing called a WMI filter. You come over here to WMI Filters right here. You can click New. And it uses a language called the WMI Query Language, WQL. If you research that a little bit, you can write this thing called a query. It’s very similar to a SQL query, and you can tell it to look for specific resources on somebody’s machine. For example, if I only wanted to apply a GPO to computers that have at least four gigs of RAM through policies, I could write a query that could do that. It would only apply to computers with at least four gigs of RAM, or if I wanted to look for a certain model of motherboard. There’s lots of fancy things that you can do there with queries. We’re not going to get deep into that in this course, but that is something that you can look up if you wanted to learn how to write WMI queries. There’s lots of information out there on how to do it.

OK, but it is a pretty complicated language to learn. All right.

OK, so from there, that’s the other thing we could do. We could create a filter and then I could apply that WMI filter to this GPO right here. All right.
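What the "at least four gigs of RAM" and motherboard filters could look like in WQL, with a way to test them on a machine before attaching them to a GPO. This is an added example, not from the original lesson; the queries, the tolerant threshold and the board model string are constructed, and the function name is hypothetical. A WMI filter passes when its query returns at least one instance, which is what the function checks.

```powershell
# Constructed WQL candidates. TotalPhysicalMemory is reported in bytes and is
# usually a little below the installed size (firmware reserves some memory),
# so an exact 4 GiB threshold can exclude machines sold as "4 GB".
$filters = [ordered]@{
    'RAM >= 4 GiB (exact)'      = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4294967296'
    'RAM >= 4 GB (tolerant)'    = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4000000000'
    'Board model (placeholder)' = "SELECT * FROM Win32_BaseBoard WHERE Product = 'EXAMPLE-BOARD-MODEL'"
}

function Test-WmiFilterQuery {
    # Hypothetical helper: runs one WQL query locally and reports whether a
    # WMI filter built from it would let a GPO apply to this computer.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Valid = $true; WouldApply = ($hits.Count -gt 0); Error = $null }
    }
    catch {
        # A syntax error or unknown class means the filter can never match.
        [pscustomobject]@{ Valid = $false; WouldApply = $false; Error = $_.Exception.Message }
    }
}

$reported = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
'This machine reports {0:N0} bytes of physical memory' -f $reported

foreach ($name in $filters.Keys) {
    $r = Test-WmiFilterQuery -Query $filters[$name]
    '{0,-28} valid={1,-5} wouldApply={2}' -f $name, $r.Valid, $r.WouldApply
}
```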

OK, another thing I can do is click Details and I can see some details about the GPO, the unique identifier of it. In fact, those are stored inside of your domain controllers’ SYSVOL container.

So, if I actually open up on a domain controller, I go to the C drive, I go to Windows. Let’s scroll down. You’ve got a folder called SYSVOL, and then from there we go into the domain and then we have Policies. Here’s the location of your GPOs, and the identifier for that is right here. If you want to back up your GPOs, you need to back up this folder here.
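To see which GPO each GUID-named folder under Policies belongs to, and to spot mismatches between Active Directory and SYSVOL, the two lists can be cross-checked. This is an added example, not from the original lesson; it assumes the GroupPolicy module is installed, that the logged-on account's DNS domain is the one being checked, and that the Policies folder is read through the SYSVOL share rather than the local C: path.

```powershell
#Requires -Modules GroupPolicy
# Assumption: the current user's DNS domain is the domain to inspect.
$domain       = $env:USERDNSDOMAIN
$policiesPath = "\\$domain\SYSVOL\$domain\Policies"

# GPOs as Active Directory knows them, keyed by '{GUID}' as used for folder names.
$gpoByGuid = @{}
foreach ($gpo in Get-GPO -All -Domain $domain) {
    $gpoByGuid[$gpo.Id.ToString('B').ToUpper()] = $gpo
}

# GUID-named folders actually present in SYSVOL.
$folders = Get-ChildItem -Path $policiesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }
$folderNames = $folders | ForEach-Object { $_.Name.ToUpper() }

# 1. Map every folder to its GPO display name (or flag it as orphaned).
foreach ($folder in $folders) {
    $gpo = $gpoByGuid[$folder.Name.ToUpper()]
    [pscustomobject]@{
        Folder      = $folder.Name
        DisplayName = if ($gpo) { $gpo.DisplayName } else { '<no matching GPO in AD>' }
        Modified    = $folder.LastWriteTime
    }
}

# 2. GPOs that exist in AD but have no folder in SYSVOL cannot deliver settings.
foreach ($guid in $gpoByGuid.Keys) {
    if ($guid -notin $folderNames) {
        Write-Warning ('GPO "{0}" {1} has no folder under {2}' -f
            $gpoByGuid[$guid].DisplayName, $guid, $policiesPath)
    }
}
```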

OK, you can go to Settings and this generates a little report, requires me to add something to my firewall, and it gives me a report of the settings that are going to be enabled inside of the GPO. And then you can do Delegation; this shows you the permissions of who can control the GPO. Speaking of reports, you can do a little simulation. You can generate a report simulating changing something, like adding somebody to an OU or something like that, through Group Policy Modeling. You can also do the Group Policy Results feature, which is really cool, which is going to show you in real time what settings somebody would get.

So, for example, I could right-click and I could say, run this wizard, browse. We’ll say somebody is logging onto this computer. Maybe it’s the admin. What policies will they get if they log onto this computer? And you’re going to get this nice little report that’s going to show you the policies that they get. All right. Another thing you can do, and you can do this pretty much on any Windows computer, is if you go to a command prompt, like, let’s say I was in front of a Windows computer, a client computer, OK, not just a server, I can run this command: gpresult /h (h for HTML) c:\test.html. And it’s going to generate a report on that person’s computer.

So, if you have to troubleshoot a user’s computer, for a user saying, Hey, there’s something wrong, my computer isn’t letting me, I don’t know, change the wallpaper, or whatever, my Run command’s missing, whatever the user’s complaining about, you could sit down at their computer, run this command at a command prompt as an admin, and then you can open it up. Open up the little test.html document here, and you can view this little report that will show you all the policies that are in place on the machine right now.

So, I can see every policy that’s in place on this machine right now.

OK. Very handy little report. All right. When you apply group policies, group policies will take effect. They get refreshed on people’s computers every 90 to 120 minutes.

So like if you’ve got a thousand computers in your domain and you apply a GPO that’s going to apply to all of them, like this right here, this restrict control, it can be 90 to 120 minutes before they take effect.

Now, why is it 90 to 120? Why is it not 90 or 120? Well, it’s a minimum of 90 minutes. And then Microsoft wanted a 30-minute offset period, so every computer waits at least 90 minutes and then each computer chooses a random time after that.

So computer one might refresh in ninety-seven minutes, computer two might refresh in 102 minutes, computer three might refresh in a hundred and five minutes.

So on and so forth.

OK, that way they’re not all refreshing at the same time. You can also, if you want, go right here. You’ll notice that you can right-click a GPO and you can say Group Policy Update, but that will only refresh computer settings on somebody’s machine. I’m sorry, it’ll only refresh your computer if there’s a computer in this OU. If there’s just users in the OU, it’s not going to do anything. There’s got to be computers inside, and at that point it’ll contact all the computers and refresh the settings. You can also force a refresh by typing gpupdate /force.

So, if you’re sitting at a user’s computer and you know that a policy has been applied recently, but you’re afraid the policy hasn’t taken effect, you can do a gpupdate /force, and that’s going to force the policies to get refreshed on some of these machines.

OK, so it’s 90 to 120 minutes on computers and servers. On domain controllers, policies refresh every five minutes, so DCs refresh every five minutes. Everything else refreshes every 90 to 120 minutes. You can do a gpupdate /force to force it. The other thing that’ll trigger an update is if somebody reboots their computer; that triggers the computer policies to refresh, and when a user logs off and logs on, that will also trigger a refresh for user policies. All right. All right, well, hopefully that now gives you an idea of how policies work and, as you can see, you can apply them to these different levels. By the way, the site is down here.

So, if you’ve got sites, you can right-click Sites, you can say Show Sites and you can add the different sites. And that’s how you can apply policies at the site, the domain and the OU.