PolicyPak Admin Templates: Collections and Item Level Targeting .
Hi. This is Jeremy Moskowitz, former Group Policy MVP and Founder of PolicyPak Software. In this quick video, I’m going to show you the power of PolicyPakAdmin Templates Manager.
You’re familiar with Microsoft admin templates. They’re the 3000-some-odd policy settings that exist inside a Group Policy Object. Here you can see I’ve got a GPO linked to my “West Sales Users” called “Set Desktop Wallpaper.”If you were to dive down under “User” or “Computer” side, “Policies/Administrative Templates,” you’ve seen these before: 80 zillion policy settings that let you do awesome stuff in Group Policy.
The one that I want to demonstrate today just as something for us to hang our hat on is “Desktop Wallpaper.” If you set a desktop wallpaper here, wherever your West Sales Users go, they’re going to get exactly the same desktop wallpaper.
I’ve already done that. if I log on to this computer as “westsalesuser2,” you can see I’ve got this cool wallpaper. If I log on to my Windows 8 machine, I also get this cool wallpaper. If I go to the “Remote Desktop Connection” and head over to a Terminal Services or a Citrix machine, when I log on there what do you think is going to happen? That’s right. You guessed it: the same desktop background.
Instead of having the same exact experience wherever you go, wouldn’t it be great to be able to give your users flexibility for what they need? I’m using desktop background as an example here. There’s any number of things you might want to do.
Let me go ahead and “Log off” here. I’m going to also log off of my other session here, and I’m going to log out of my final session here as well.
Let’s go over to the same place. For our “West Sales Users,” let’s “Create a GPO in this domain, and link it here” and call it “Different Wallpapers for Different Occasions.” This is where it gets interesting. If you now click “Edit” in this GPO, you’re going to use PolicyPak’s component called the “Administrative Templates Manager.”
You’re going to set up different collections based on the different things you want to do. For instance, I’m going to “Add” a “New Collection” called “When Windows 7.” I’m going to set the “Item Level Targeting” on this collection for when all the items will apply for when the “Operating System” is “Windows 7.” There are 20-some-odd conditions that you choose from and lots of granularity here.
We’re saying that all the things we’re about to do will only hit the machine when “the operating system is Windows 7.” We can see we’ve got a new collection there, and inside this collection we’re going to “Add” that “New Policy” that changes the desktop background.
We’ll dive down under user side, “Administrative Templates/Desktop/Desktop” here, and we want to set the “Desktop Wallpaper.” Let’s go ahead and do that by going to “\dcsharewin7.jpg.” We’ll go ahead and click “OK” here. Again, this collection will hit only when its “Windows 7.”
Let’s create another collection. This collection will be called “When Machine Starts with Win8,” so this collection will only work “When Machine Starts with Win8.” How are we’re going to do that? We will “Change Item Level Targeting” on that collection.
This time we’re going to use what’s called the “Computer Name” match: when “the NetBIOS computer name is win8*” as this computer is here.What we can do is just use that same policy again, “New Policy,” and say under “Desktop/Desktop,” we’re going to select “Desktop Wallpaper” and select this time “\dcsharewin8.jpg.”
Now let’s create our final “New Collection,” which is when using Citrix or a Terminal Server session (“When using Citrix/TS”). This “Item Level Targeting” again will be what’s called a “Terminal Session.”If “the terminal session is Any,” you want all the items inside this collection to fire off.
In fact, instead of doing it by hand, why don’t we just “Copy” the existing policy we created and simply “Paste” it and then edit it. What we’ll do is we’ll just change “\dcsharewin8.jpg” to “\dcsharets.jpg.”
That’s it. Now we’ve got three collections. They’ll each only fire off under their own conditions. Let’s take it for a test drive.Let’s go ahead and click on each of our scenarios.
Let’s try a new user (“Other User”) just for fun: “westsalesuser3.” We’ll “Log on” to the Windows 7 machine. Let’s see what desktop background we get this time: the pretty Windows 7 desktop.
If we click on the Windows 8 machine, “westsalesuser3,” let’s see what happens here. We get that beautiful Windows 8 background.
Let’s now try that Terminal Services/Citrix “Remote Desktop Connection.” If I go to “trainingdc” and log on as “westsalesuser3,” what desktop background do we get over the Terminal Services or Citrix session? Let’s take a look. We get our beautiful Terminal Services session desktop background.
One other thing I want to point out here is that you can specify any given policy either inside or outside of a collection. Simply click on the setting you want, for instance “Control Panel,”and maybe “Prohibit access to Control Panel and PC settings.” It works exactly like it would if it were a Microsoft admin template except for every given setting you can specify “Item Level Targeting.”
If you wanted to specify maybe, that some particular users, like if “the user is” very particularly “westsalesuser1” – and let’s put another one in there; except we don’t want “AND,” we want it to be “OR,” so maybe we want a second user, “westsalesuser2,” – so with either of these users, who would get this policy because the GPO is linked to the “West Sales Users” OU, these two guys will get “Prohibit access to Control Panel and PC settings” and nobody else.
Individual policies anywhere at all, either in collections or not in collections, can have individual item-level targeting on it, giving you unbelievable flexibility.
We have more videos demonstrating PolicyPak Admin Templates Manager, so we hope you’ll watch those. If you’re ready to get started with your trial, we look forward to having you get in touch with us.
Thanks so much, and we’ll talk to you soon.