06: PolicyPak Admin Templates Manager: Switched Policies (without Loopback)

Hi. This is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can get out of the dirty business of using Group Policy loopback.

Let me set the stage for you. I know you have situations just like this. You have gaggles of computers in OUs already. In this scenario, you can see I have my “West Sales Desktops.” I have my three computers all in the OU called “West Sales Desktops.” This could be desktops, laptops, VDI – anything like that.

The boss walks into your office and he says, “For the ‘West Sales Desktops,’ I need for you to kill the Control Panel for everybody.” So you decide you’re going to create a GPO called “Kill Control Panel.” You link it to your “West Sales Desktops,” and you start poking around inside Microsoft’s admin templates.

You go to computer side because only computers are going to be able to pick up the computer side stuff. You go to “Computer Configuration,” “Policies,” “Administrative Templates.” You look under “Control Panel,” but there’s nothing here that’s actually going to prevent access to the Control Panel. That’s because to prevent access to the Control Panel, that’s actually a user side function under “User Configuration,” “Policies,” “Administrative Templates,” “Control Panel.”

Said another way, you need this setting – “Prohibit access to Control Panel and PC settings” – over here on the computer side. The only way you can do that is with Group Policy loopback policy processing. If you’ve ever tried to do it, you know the problem. The problem is that the computers that are hanging out here in “West Sales Desktops” are going to get not just that one setting you want but a gaggle of other settings that you probably don’t want. With PolicyPak, we make that problem go away.

Here, we’ll continue on the “Kill Control Panel” GPO. Since we’re already editing it, what we’re going to do is simply on the computer side under “PolicyPak” select the “PolicyPak Administrative Templates Manager.” That “PolicyPak Administrative Templates Manager” has a superpower. That superpower is it can “Add” a “New Policy” on either stuff that would naturally live on the “Machine”/computer side or even on the “User” side. You can select “User” side stuff, and make them hit all your computers.

I’m selecting “User Policy” and diving down under “Control Panel,” and there it is: “Prohibit access to Control Panel and PC settings.” It looks exactly like Microsoft. We’ll just go ahead and click “Enabled” here and we’ll click “OK.” That’s all there is to it.

Now anytime we log on as anybody to any of these computers – I’ll go ahead and log on as “eastsalesuser1” here, I’ll log on to this second computer as “westsalesuser6,” and I’ll log on to this third computer as the domain admin, so if I log on as “administrator@fabrikam.com” – no matter who I log on as, I’m going to get those exact same settings.

Let’s go ahead and take a look at each computer and see if that’s true. Now that I’m logged onto this computer as “eastsalesuser1,” notice how I have no Control Panel ability here. But if I click “Devices and Printers” and I try to be sneaky and click back to “Control Panel,” you can see that operation has been restricted.

If I take a look at “Win7Computer64,” another computer in that OU, I’m logged on as a totally different guy, “westsalesuser6.” Try to do that exact same thing. Go to “Devices and Printers” and jump back to “Control Panel.” I don’t have access. I’m being prevented by the policy setting. That’s excellent.

If I log onto this last computer here and I go to “Control Panel,” you’ll see that it has also been restricted here as well. Now, gosh, that’s sort of a problem here. I mean, I am logged on as administrator. If I log on as administrator to another machine, maybe I do want access to the Control Panel. Well, the good news is with PolicyPak Admin Templates, you can specify item-level targeting to say, “Have this thing only work when certain conditions are true.”

Yes, we want this “Enabled” for all these computers, this user side policy to hit all these computers, but we don’t want certain people to be affected. For instance, we can say, using “Item Level Targeting,” select when you are not a member of “domain admins.” If you are not a member of domain admins, you are going to pick this setting up. If you are a member of domain admins, this setting is going to skip over you.

You can see the color is highlighted to orange now, we have “Item Level Targeting” on. Let’s go back to our first machine. We’ll “Switch User” and we’ll log on as a domain administrator (“administrator@fabrikam.com”). Now that I’m logged on, let’s see. I’m “Administrator.” There it is. There’s “Control Panel” right there. I can click on that, and I get access to the Control Panel.

Just to prove a point, if I “Log off” of this computer and I log on as anybody who is not a domain admin – so if I go back and pick “eastsalesuser1” – anybody on this computer, the policy will take effect and, therefore, prevent them from getting access to the Control Panel. So let’s see. Who am I? I’m “eastsalesuser1.” If I try to go to “Devices and Printers” and jump back to “Control Panel,” boom.

This means you have unbelievable power and flexibility by using “PolicyPak Administrative Templates Manager” to dictate either computer side stuff or user side stuff to your computers and then use “Item Level Targeting” either on a particular policy setting or, as we have shown in other videos, the idea of a “Collection” where multiple settings will only affect when those conditions are true.

I hope you like the idea of getting out of the dirty business of loopback policy processing mode and using PolicyPak Administrative Templates Manager to get your user side stuff to your gaggle of computers but in a fine-grained targeted manner using item-level targeting.

Thanks so much for watching. If you’re looking to get started with a trial, just get in touch and we’ll get started with you soon.

Thanks so much.

  • 26-Jun-2019