You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

09: How to deploy Microsoft Group Policy Settings using PolicyPak Cloud

Have you ever wished you could get REAL Microsoft Group Policy deployed to your non-domain joined machines? Well wish no more: PolicyPak Cloud edition allows you to do exactly that, and this video shows you how.

How to deploy Microsoft Group Policy Settings using PolicyPak Cloud

Hi, this is Whitney with PolicyPak Software. In this video, we’re going to learn how to create, export and deploy real Group Policy through the cloud to a non-domain joined machine using PolicyPak’s cloud solution. We’ll deploy admin templates, we’ll deploy Group Policy preferences and we’ll deploy security settings.

Why don’t we start off by looking at the admin templates. We’re going to start off by creating a Group Policy Object. We’re just going to call this “Cloud Demo.” I’m going to “Edit” this. Now please note that I am not creating this in any particular OU. We are only using the GPO for the sake of being able to export out of it, so it doesn’t have to be attached to any particular OU.

To start off with, we’re talking about admin templates. Everybody knows what those are, so let’s go look at what they look like on the Group Policy side, on the side you usually would look at. You have your tree that you’re used to seeing. You’ve got “Control Panel” settings. You’ll see these ones and then you have more folders you can get into. We can look at “Personalization.”

All of this is stuff you’re familiar with. However, there’s no way to deploy this through the cloud to a non-domain joined machine. So what we’re going to do is go over to the “PolicyPak” node and go to the “Administrative Templates Manager.”

Here you could start by selecting “ADD NEW COLLECTION” that would then contain multiple policies. But for the sake of this video, I’m just going to go ahead and create one policy. Let’s go look at the new policy area. We’ll click “ADD NEW POLICY” here.

When it pops open, we’re actually highlighted on “Control Panel” right now. You’re going to notice that we see all the same things, and that’s because it is the same thing. We’re still looking in the same place that your GPMC looks to get the policies that exist now. It’s looking for the same ADMX files that you would have in your normal admin templates area. So you see we have those same ones. We looked at “Personalization,” and we see all of this just as before. So these are the same ADMX files that you are used to seeing.

In this case, I am going to create a policy to kill the Control Panel (“Prohibit access to Control Panel and PC settings”). I double clicked on that. I’m going to choose “Enabled.” I’m going to tell it “OK.” Then it’s going to ask me to continue adding policies, which in the real world I might actually be doing. But in this case, we’re just going to do the one. Now I’m going to go ahead and “Close” this out.

We have “Prohibit access to Control Panel” enabled, and that’s great. Now how do we get this out of the “Administrative Templates Manager” area and into the cloud? We’re going to start by exporting. We’re going to right click on this. We’re going to choose “Export as XML.” Then I’m just going to throw this right on the “Desktop,” and I’m just going to call this “Kill Control Panel.” If I move this over a little bit, there we go. We have that XML file called “Kill Control Panel.”

Now before we go uploading that or doing anything with the cloud, let’s go ahead and create a couple more policies to export. We want to do some preferences and we want to do some security settings.

Let’s go over to the computer side and let’s look at “Preferences.” I’m going to select “Shortcuts” and deploy a shortcut. Let me go ahead and create a “New/Shortcut.” This is going to be “PolicyPak Support.” I want it to be a “URL,” and I want it to sit on the “Desktop.” Let me just put that “Target URL” in there. Since it’s a help icon, let’s go ahead and look at that.

All right, now I’ve created this shortcut here. Again, how are we going to get the preferences out of “Preferences”? Because we’re actually doing this in the standard Group Policy area. What we’ll do now is go to the “PolicyPak” node, go to “Preferences Manager” and we’ll “SHOW WIZARD.”

This just lets you know we’re not creating any new items here. We’re actually exporting out of the preferences that we just created. So I’m going to click “Next,” and there we go. There’s my shortcut, “PolicyPak Support.” We’ll click “Next” once again. If we want, we can change the name by double clicking right here. I’m happy with the name as is, so I’ll go ahead and click “Next” here as well.

It wants to know where I should export that to, so I’m going to do that right on the “Desktop” again. I’ll click “OK” and “Next.” It tells us right here that “Extensions have been successfully exported to” “C:UsersAdministrationDesktop.” We can also see visually right here, it’s right there.

Now finally, we’ve done our admin templates, we’ve gotten preferences exported. Now we want to do a security setting. We’ll pop over here. We’ll create a security setting. I am just going to rename the guest account. You have to drill down just a little bit to get to here. We’ll go to “Security Settings/Local Policies/Security Options.” We want “Accounts: Rename guest account.” I’m just going to name it something innocuous. I’m just going to call it “PPGuestAccount.” We’ll add that.

Once again, we’re still in the Group Policy area. So we want to switch back over to “PolicyPak.” We’re going to do the same thing to export this that we did with the preferences. We’ll go to the “Security Settings Manager” section. We’ll choose “SHOW WIZARD” once again.

Please note here this let’s us know there are four policy types that are not supported, but the rest of them are. So we’ll click “Next” here.

It found my security policy. It tells us that it is “Exportable,” so we’re going to select “Include in Export.” We’ll click “Next.” Here we could actually add item-level targeting if we wanted to where you could have a particular policy hit a particular set of users or operating systems or IP address ranges or things like that. But we’re not going to get into that today. We’re just going to go ahead and export as it is, so we’ll click “Next.”

Again, we have to decide where we want to put this. This time we’re going to name it. We’re going to call it “Rename Guest Account.” We’ll click “Save.” It doesn’t exist. “Yes,” we do want to create that. Once again we’ll click “Next.” Once again it tells us, and once again we can see that we’ve done this.

Now we have all this XML. What are we going to do with it? Let’s go ahead and go over to the PolicyPak website. I’m already logged in right here to the PolicyPak Cloud portal. I’m going to go over here to the “XML Data Files” tab, and I’m going to choose “Upload XML Data File.”

Now you’ll note I have some XML files in here already. This area is just essentially the swimming pool. They correspond to GPOs, but these directives aren’t necessarily linked to any particular machine or computer group or company group or anything like that. So just be aware of that.

We’re going to go ahead and “Upload XML Data” file. We’ll just start from the bottom and work our way up. “Shortcuts” is a fine description as far as I’m concerned right now, so we’ll go ahead and “Add” that. We’ll do the same with the other two files we created as well. “Rename Guest Account,” that one just says “PolicyPak Security Manager.” Why don’t we add “: Rename Guest Account” to that so that we’ll remember what it is that we’re looking at. “Add” that.

Finally, we’ll put “Kill Control Panel” on there. This one is not as descriptive as I want, so I’m going to call it “PPATM: Kill Control Panel.” We’ll “Add” that. And there we have it. We’ve uploaded our three directives as we want to.

Now in order to get them to apply to any particular machine, we’re going to need to go over to the “Computer Groups” area. I have one computer in the “All” group, and I have that same computer in “East Sales.” What I’ll need to do is link those XML data files to my “East Sales” company group, which corresponds to your OU structure.

Now before I do that, I want to go over to my endpoint really quick and point out first of all that this machine is actually “NOT DOMAIN JOIN.” And prior to receiving these directives, I don’t see a PolicyPak Support icon right here. If I look at my “Local Group Policy Editor,” if I look at my guest account, my guest account is currently called “Guest.” And if I try to get to the “Control Panel,” then I still have full access to it.

So now let’s go back over to our management station and let’s link those XML data files to my company group here. I’m going to choose “Link XML here.” I’m going to choose those three that we just uploaded, so let’s “Add” those three. And done.

Now we’re going to go back over to our endpoint. Usually, this would happen in 60 minutes. That’s how often the background refresh happens for the PolicyPak Cloud. But for the sake of this demo, I’m going to go ahead and run this immediately. So it’s “ppcloud /sync.”

This not only syncs with the cloud immediately, but it also lets us know what policies we’re receiving on this machine. We see that under “Preferences” we’re receiving one “Shortcut” and then a second one. There it goes. It just popped up right there. We know that we received the “Kill Ctrl Panel” one. We also have the “Rename Guest Account.”

We can see clearly that we received the shortcut. We can assume that we can’t get to “Control Panel” anymore. Let’s see what happens when we click that. There we go, just like we expected to see. Finally, let me close this out. Let me rerun this. Now that this has popped open, let’s drill our way down to find the name of that guest account. We’ll look at “Local Policies/Security Options” and there we go. We have “PPGuestAccount.”

That’s how we just delivered real Group Policy through the cloud to a non-domain joined machine. We used PolicyPak Admin Templates Manager to kill the Control Panel. We used the Preferences Manager to get the shortcut up there in the corner. And we used the Security setting to change the name of the guest account. So that’s pretty magical.

If that’s interesting to you and if you’re not on PolicyPak yet, go ahead and give us a call and we’ll be happy to get you started with a free trial right away.

  • 473
  • 26-Jun-2019