Configure devices by using local settings and policies

1. Understanding the Windows Registry

Type Registry. Alright. This will bring up the registry editor. Registry Editor You can also just type "reg. Edit: That's another way to get in here. So, registry editor or simply reg? Edit: Alright, so as you can see, this is going to bring up this little Registry editing tool. And we just kind of cascade some of these folders here. So the Registry, there's actually five different files that create these things called Registry Hives. That's what HQ stands for. If you look closely there, you'll see that word "H key." That stands for Hive Key. A hive is kind of like a beehive. And this is where the registry stores all of its information. There are different values to remember when you are using your computer. So this is how Windows is going to keep track of all the things that we're changing and saving involving the Windows environment. Now, what do all these mean? Well, if you look at this first one here, you’ll see there's one called HP Classes Route. If you expand that one out, you're going to see all these extensions. Look at all these extensions. Don't they look like file extensions? Well, they are.

Have you ever wondered how Windows knows what programme to open in order to open a certain file? When I open up an.atext file, it uses Notepad normally. Or if I open up something like an aWord document, it knows to open Word. If I open a spreadsheet, it knows to open Excel. If I've got all that, well, it knows because when those programmes get installed, they will actually get registered in this HQ Classes root area, which programme is going to open which type of extension. So that's what this area of the Registry does. Underneath that you have a couple of these Registry Hives called Current. Notice There's one called "H key current user." And there's one called Hqcurrent. Config Now, interestingly enough, each of these twofolders here maps to the two other folders. You see, the HQ current user is actually linked with H key users. The HQ current config is linked to the HQ local machine. So here's the deal. When you're using Windows, Windows stores a lot of its configuration in RAM (Random Access Memory), which the operating system can access very quickly. So the word current means this is all the stuff that's in memory right now when you make changes in Windows, you start altering settings. It will make it to Ram first so that it's in memory.

And then it'll write it down to the hard drive. So when your computer shuts down, it's able to know that there was a change. So if I shut my computer down and I turn it back online and reboot it, then it's going to be able to pullit off the hard drive and it'll be able to show. So when I set my wallpaper to this right here, it first gets written to the current area of memory first, and then it gets written down to the local machine. Okay, so HQ current user, that represents the current user who's logged on. And this involves something called their profile, which I'm going to cover with you later. And all of their users state their different settings pertaining to just that one user. If you logged off this user and logged on to another user, you'd have a different area that was stored and ran just for that one user. Okay? And then HQ Users represent all the users that are on your computer. These numbers here are called Sidnumbers, and they get associated with your users, uniquely identifying your users. So users don't just get identified by name; they get identified by these unique numbers. Again, I always use the analogy. It's kind of like a Social Security number. It's a number that stays the same even if somebody changes their name. Right here you have the HQ localmachine and you have the HQ current config.

So the HQ current config is going to involve me going in and as I'm changing software in the operating system itself, it's going to throw it up in memory in this current config repository first and then it commits it down to the HQlocal machine, which is down on my hard drive. Okay, so the HQ local machine controls all these different settings that are stored locally down on your hard drive for the things you're doing in Windows,including all of your security, like Sam Security AccountsManager, which is where passwords and all that are stored along with other security stuff. You've also got the software area where Microsoft stores a lot of information about software that's running on your machine. Okay? Now as you expand these and you look through them, these folders are called keys, and you'll notice that some of them have different values. These different values involve the types of data that it stores. So you have types of data that allow you to store strings, which are like words and things that you need to remember.

You've got values that can just store numbers, numeric values. You've got values that allow you to store multiple numbers and multiple words. So a lot of this is saying "turn something on, turn something off." Of course, just like how you don't go under the hood of the car and start messing with things if you don't know what you're doing. The registry is sort of the same way, okay? You can search for things in the registry by clicking Edit and then you can say Find. And you can search for keywords. If I want, if I want to search for the word "run," for example, I can find the word "run." If that's not the one I'm looking for, I could say next and it's going to find the next one. Okay, so you can search for keywords that way if you need to. Why would you need to change the registry? Well, they are just like under the hood of the car. Sometimes you want to modify your operating system in a way that Microsoft didn't expect or necessarily want you to.

Sometimes you might need to manipulate something. There are some features that you can turn on that you can't do just through the graphical operating system itself. You have to use the registry to do it. I encourage you to go to Google or Bingor or something and search for the top ten registry hacks for Windows Ten and see what you find. There are all sorts of things out there that you can manipulate in Windows that they don't let you manipulate graphically. Okay? Now if you ever were infected by malware, a virus of some kind or something, you could come in. If you could find that value in the registry where that virus was, you could delete it simply by finding the registry key. If you knew what the name of the registry key was, maybe your virus scanner was telling you there was a virus and it's having problems deleting the key, the registry key, because viruses are generally going to alter the registry in some way, shape, or form. If you were able to locate that key, you could return here and edit or delete it. And that's how you're going to delete a registry key.

Okay? All right. All in all, though, don't mess around with the registry unless you've really kind of gotten used to it and know what you're doing. I encourage you to do a little searching on some of the different registry hacks and then come in here and feel your way around and just see what's there,because it's really not all that complex of a system. It's a pretty simple idea. They're just storing the different values, and those values have to be present even after you reboot your computer. So you have some stuff that's in RAM right now, and you have some stuff that's committed to your hard drive. The stuff that's in RAM is the ones that say "current." Okay, so that gives you guys an idea of the registry. Again, I encourage you to do some searching around for some of the cool registry hacks that are available for Windows Ten and just see what's out there.

2. Configuring Local Group Policy Settings

And if I just type the word local, you'll see you have a local security policy which is going to focus on the security side of things. If you want to see all your policies, you can actually say just put in the word group and you'll see the edit group. Okay, so here are our group policies right here. Alright? And you'll notice there are two sides to this. There is a computer configuration side, computer configuration, and a user configuration side to this. Okay? Now the computer configuration side of this is going to apply settings related to the computer itself and how the computer interacts with Windows. And any policies that you turn on or off here are going to affect anybody that sits at this particular computer. The user side of this user configuration is going to affect users and their user settings and could actually be applied to specific users if you wanted. Okay, so the first thing I want to show you is how to configure the password settings on your computer.

Okay? So if you wanted to control the length, size, or make it remember passwords so people can't keep reusing the passwords and make it so people get locked out if they put in too many wrong passwords, I'll show you that that is controlled right here under computer configuration. OK, so I'm going to go under computer configuration. I'm going to expand Windows and then security settings. All right. And then you have account policies and then password policies. So here they are, right here, the different password policies that are available to you. all right? And if I wanted to, I could go through the process and zoom in a little bit for you. So again, it's computer config, window settings,security settings, account policies, password policies. That's how you get into this area here. So as you can see, you can see here, I've got some different policies that I could turn on or turn off. The first is enforced password history. This is going to make it so that Windows is going to remember a certain number of passwords. So the user can't just keep reusing the same password over and over and over again. Okay? Then you get the maximum password age.

This is the maximum number of days that somebody can keep a password before they have to change it. You'll notice that it's set to 42 days. So, after 42 days by default, somebody is going to have to change their password. Okay? The minimum password age is the minimum amount of time somebody must wait before they can change their password. So you have a maximum and you have a minimum. So if somebody changed their password today,they have to wait 24 hours before they can change it again. Then you've got the minimum password length, which is seven characters. That means they have to have at least a seven-character password. Okay? The password must then meet the complexity requirements.

This is something that is turned on and it requires you to have at least three of the four following requirements: an uppercase character,a lowercase character, a number, or a symbol. Okay? You have to have at least three of those four things. And then the last thing you'll see here is store passwords using reversal encryption. Now this is actually going to weaken your security. So you would not want to turn this on. This is an old feature that came out when Windows 2000 came out years ago, back in the days when we actually still had quite a few computers out there interacting with Windows. You could turn that on and it would make it so it would not store the password in the hash format. So this is for computers with operating systems that do not support what's known as password hashing,which is the format that passwords get put into when they're stored on a computer. They are in an encrypted format known as the hash format. And this is for computers that don't support that. So essentially, what that means is that if we enabled that, then it would allow passwords to be stored in a non-hash format, which of course is going to weaken our security. So, unless you have elderly clients, you should avoid turning this on. There was also another situation where if you were using a type of authentication protocol known as Chapchallenge Handshake authentication protocol in remote access, you might have to turn it on there. But that's all real legacy technology. Unless you've got some really old stuff going on out there, you should never have to turn that on. And by turning it on, you are weakening your security. Okay, so that is your password policy there. Let's take a look at the lockout policies now. So, if you come over here, you'll see the same kind of computer configuration, Windows settings, security settings, and account policies.

And then you'll see account lockout. Okay? So with this, you've got a lockout policy. This is if somebody keepsentering their password and it's wrong. Okay, so the first one I'll look at right here is the account lockout threshold. So what that's going to do is if somebody enters their password wrong a certain number of times, it's going to lock them out. Notice that that's set to zero right now. As a result, if they enter their password, they can do so as many times as they want. They're not going to get locked out. If I was to set that to three, for example,then the person would get locked out after three attempts. Now the duration is how long they would be locked out. So if I set that to an hour, if they get locked out, they will be locked out for an hour.

OK? And then the reset account lockout counter after that is going to reset the strike counter, the threshold counterbalance. So if I set this to three, okay, and I set the reset account lockout counter after 15 minutes, when somebody puts in a wrong password, that timer will begin ticking away for the next 15 minutes. And then they'd have one strike against them. They put another password in wrong. That'd be a second strike. If they waited the full 15 minutes before putting in another bad password, then their strikes would get reset. Keep in mind also that when a user logs on, that's going to reset their password as well, okay? When somebody logs on, that's also going to reset their strike counter. So if I come over here, you're also going to notice that I've got a lot of things here. So those are my password policies and lockout policies. But I've got a lot going on here. I can deploy software here if I'm in a domain. There are lots of Windows related settings here, administrative templates, there's lots of stuff you can do here,turning things on and off.

Okay? One thing I want to kind of hone in on right now is the concept of scripts. You'll notice that under Computer Config Windows, and then underneath those window settings,I've got scripts I can actually deploy,start up, or shut down scripts.So when the computer is booting up, it will run a script if I want to, or when the computer is shutting down, I can have it run a script if I want to by editing these policies, okay? Now over here, if I go under User Configuration WindowsSettings, I'll notice I've got log on and log off. So if I wanted to apply a log on script when the user logs on and applies a script, then I could do that. If I wanted to apply a log off script when the user is logging off and have it run something, I could do that. Now, I've got a little script here. If I open up my File Explorer and go to my C drive here, all right, I've got a folder called Scripts I've created. And I've got a little logo script that I've created here, a little Visual Basic script. So if I wanted to apply that to this computer,all I would need to do is come here. Let's say it's a logoff script. So I'm here to sign in.

I can go to log off right here,and then I can add that script. All I've got to do is browse to where it's at, all right? And here it is, a scripts folder. Log off, and it's now applied. And at that point, every time the person logs off the computer, it's going to run the script. Keep in mind this is just for this one computer because we're only applying to local policies. Now, again, that is using the local groupPolicy Editor, which gives you access to all the policies and windows for the local machine. If you went over here and you typed the word local as I said earlier, I could just open the security side of all this by clicking Local security. This is just going to show you the security related policies on this machine. So what you're basically seeing here is what's underneath this, and that's just a quick way to get into the security. So there's my accountpolicies, password policies, and local. But you'll notice that I can't change script information here like I could through the other tool.

And the reason for that is that, as you may notice, scripts are under window settings, not under security settings. So the local security policy is just a way to get underneath that and start making changes. Okay? Again, remember though, all that you set here is only going to be applied to the local computer, okay? And when you do implement these local policies, they happen immediately. Whereas you're going to find when you apply groups in a domain, they do not always happen instantly. Okay? But I'll explain that in this next little segment.

3. Understanding Group Policy Objects

So here I am now on my domain controller. I'm in NYC. One. Now, on a domain controller, you can actuallycreate group policies on a much larger scale than just on a local computer. In fact, you can create these things called GPOs. GPOs are group policy objects, which are logical objects that can contain all these policies. As I said earlier, you can have something like 40 different settings that you can configure inside of a GPO. I could actually configure settings in a GPO,and then I could apply them to large groups of users or large groups of computers. Okay, so let me show you where that's at. All right, here I am on the domain controller. I'm going to click Start. I'm going to go to the server manager, all right? And then, once the server manager is up and running, wait for the little bar to go away here. Once it's up and running, though, I can click tools, and then I can go to this tool right here called group policy management.

So I'm going to open that up now. Okay, so here it is right here. Let me zoom in on this for you a little bit. All right, so in here, I've got my forest,I've got domains, and I've got Examlabpractice.com, which is my domain in my lab, all right? So from there, if I expand that out,I've got a container called group policy objects. And you're going to notice that there are already some default policies. These are GPOs right here, group policy objects. All Microsoft domains will now come with two GPOs. The first one here is called the default domain policy. And if you'll notice, it is linked underneath the domain,say, a little shortcut, that means it's linked and it will apply to everybody in the entire domain. Okay? And this particular GPO is actually where password policies are stored for your entire domain.

So we looked at password policies on the local side, but actually a domain is going to set its policies here. Now, what happens if your domain policies end up conflicting with local policies on people's machines? Well, domain policies win if there's ever a conflict between policies that are applied in a domain and those that are applied to a computer that has local policies. If the local policies conflict, the local policies are going to lose the battle, all right? Domain policies are going to overrule those local policies. So the password policies you specify here will take precedence over any local policies. all right? This GPO is called the default domain controller policy. If you'll notice, there is an organisational unit little folder thing herewhere your domain controllers live, okay? And that GPA applies there. So this is going to apply settings that are related to your domain. So if I wanted to, I could edit theseGPOs by clicking on one and going to the action menu. Actually, you've got to click it right here and then go to the action menu. And then at that point, I can go ahead and edit it or you can right click it and edit it. Either way, it's going to bring up a tool called the Group Policy Management Editor. Alright? very similar to the local GroupPolicy Editor that we saw earlier. right? And you'll notice computer config and user config. One thing you will notice is that you have a folder called Policy that contains those three folders along with local policies, and then one called Preferences. So one thing that's neat in a domain is that I can apply policies which are going to enforce things, restrict things, turn things on, turn things off,and the user or computer doesn't have any choice.

They have to accept them. People's machines will be configured with defaults that will allow people to change those defaults if they want. So I could actually expand that and I could configure things in their control panel and all that stuff, and they would actually be able to change those settings. So if you want them not to be able to change settings, you would apply things using policies. If you want them to be able to change certain things and you just want to set their defaults, you would use preferences. Okay, so if you look closely here, I showed you a Local Policies.I can expand Windows Settings and then Security Settings. And I've got my password policies. These are the scripts we looked at: startup and shutdown scripts. Okay, There are account policies here, so that's what they look like for the domain. Okay, I wanted to change those. I wanted to require you to have a ten-character password. I could do that right there.

Okay, well, I set it to nine, but if I wanted to go to ten, all right, and then if I wanted to change your account lockout settings here, that's where I could do it, enable it here, set the policies I want. All right. Another thing you've got, you've got all sorts of stuff. I can do an audit policy where I require your computer to write things down that it's doing. I've got User Rights Assignment that lets me configure all sorts of different settings involving what they can and cannot do on their machines. There's a lot you can do here. Now this GPO that I just looked at was the default domain policy, which applies to the entire domain. But if I wanted to, I could go here to GroupPolicy objects and I could actually create a new GPO. Let's say I wanted to create an aGPO that changed everybody's wallpaper to something. Maybe the company is requiring everybody to have a certain company logo or something as their wallpaper. Maybe we've had complaints in our company about people having wallpapers that offend people. So I could go in here and I could create a policy called the Wallpaper Policy. Okay? You name it, anything you want. It really doesn't matter what you name it. But then I can edit that GPO. I can edit that GPO and I can, let's see.

So wallpaper would be a user-related setting. So I'm going to expand user configuration policies. And then we'll go to administrative templates and then desktop. Click on the desktop. Here it is, right here. So I could set the wallpaper for somebody by clicking this link here. Okay, I could enable this policy and then I could point to where that wallpaper is. Now keep in mind, if the wallpaper was on everybody's hard drive, you could use a local path. But if the wallpaper is stored somewhere on a network share, which is probably going to be the most common way to do it, then you would use backslashare and then the wallpaper name. So I would say backslash. Let's say NYC server oneslash wallpapers is the shared folder slash. And then we'll put in the name of the wallpaper; we'll say Companylogo JPG. So let's pretend like we had wallpaper there. This would set everybody's wallpaper to this company logo. And then if I wanted, I could have it stretched across the screen so it's full screen. And I've now got that wallpaper policy enabled.

And I'd click, okay, as you can see over here, let me maximise it. It's now enabled, okay. So I can close that out. All right. And I can apply this GPO, right? Now this GPO does not apply to anything. So this wallpaper policy is not going to affect anybody. Now, if I wanted to, I could drag and drop it and apply it to the domain and it would affect everybody. If I only wanted it to affect New York,then I would apply it over New York. If I only wanted to affect people that were in Atlanta or Chicago, I could do that. So I'm going to do that in Atlanta. I'm going to drag and drop it over the Atlanta O. all right? It's going to say, okay, you're going to link it, and then at that point it's going to apply to Atlanta. You're going to notice you can have a hierarchical area of GPOs that can be applied. You can apply GPOs to what are called "sites," which represent geographic locations and active directories. They can be applied to domains as well as to others.

Okay? And oddly enough, if you had a wallpaper policy in the domain and you had a wallpaper policy in this Atlanta Ou, the Atlanta Ou by default would override the Microsoft domain unless you enabled something in the domain that I could call enforced. If you enable this feature called enforce,you can make it so the higher level always overrides the lower level. You can also enable this thing called "block inheritance," which will try to make it so that these objects don't receive any policies from a higher level. So I could say block inheritance and Atlanta would no longer receive policies from the higher levels, the domain or the site. Okay? However, if enforced is turned on, enforced will always override block inheritance if enforced is turned on. If there's a conflict, not to turn this into an active directory server class, just giving you a quick rundown on that. So that's how conflicts are handled. Okay? All right. Hopefully, that gives you an understanding, a little bit of an understanding now, of how we handle GPOs in a domain. One thing I do want to say, though, is that policies do not take effect immediately, okay. Policies get refreshed on people's computers when a user logs on. The user settings get refreshed on people's computers. When computers boot up Computer settings get refreshed on people's computers, and then they get refreshed on a timer.

They'll get refreshed every 90 to 120 minutes. A lot of people wonder why they do it every 90 to 120 minutes. You can imagine if you had a very large number of computers that were all trying to refresh policies at the same time, and they all booted up and they'd all get their policies in 90 minutes. That would really hurt the performance of domain control. So what they did, Microsoft said, was that it said computers do it every 90 to 120 minutes. They'll refresh their policies. There's a 30 minute offset, so it's a maximum of 90 minutes, and then a 30 minute random period, which is the offset period. Okay? And that way, one computer might do it in 97 minutes, another computer might do it in 105 90 minutes, So that's the way that it's managed right now.

You can also force computers to refresh their policies. If I do it on Ou, I can actually do this on Ouhere,and I can do what's called a GP update, group policy update. It's going to try to go out and locate all the computers that are in the area and refresh them. Now, another way you can do it is let mejump over to my client, my Windows Ten client here. Let me just log him on. He got logged off there for a second,but in the command prompt, and then I'm just going to run this command called Gpupdateforce. If you don't put in the force switch,then it just refreshes new policies. If you do use the force, as they say,it's going to run through all the policies that have already been applied as well as new policies. So we're going to run that and it's going to start updating your policies, okay? So it takes a moment, and then it's going to update the user settings. It's going to update the computer settings, then the user settings, and then your policies have been refreshed. Okay? Another thing you can do that's kind of cool is you can run a command called GP result.

And the GP result will show you which policies are applied on this computer. If I do a slash V, which stands for verbose, it's going to show me more details about what's on this machine. So I can run that little command here, as you can see, and it shows me the different policies that are applied on this computer. Okay, so I'm just kind of scrolling up here. See the different policies that are being applied. There's your password policies, and it's telling you who gave that policy to you. The GPO is called the default domain policy. Okay? So I've got another thing I can do that's really neat. I really like this. I can type GP, result slash h h for HTML, and I can specify an HTML file, so I could say results HTML. And it's going to store it in an HTMLfile, a web page based file, all right? And it's going to be right there on my C drive. I'm going to go to File Explorer, and then I'll go to my C drive. And then you'll see the results. I'm going to open that up. It's going to pull that up in Chrome in this case.

And then you'll see this little report that it's going to build that makes it really easy for us to visualise what policies are on our machines. So here it is, right here. As you can see, a really nice little report. It gives me information about the policies that are on the machine, the policies that are being applied, and then what those policies entail. If I click "Show all," it will expand everything for me as well, and I can see every policy. Okay? Hopefully, that gives you a good understanding of GPOs in the domain and how to apply them, how to force them to get refreshed, and then how to sort of check and see what policies are on the machine so that you can better troubleshoot those policies if there was ever a problem.

Study with ExamSnap to prepare for Microsoft 365 Certified: Modern Desktop Administrator Associate Practice Test Questions and Answers, Study Guide, and a comprehensive Video Training Course. Powered by the popular VCE format, Microsoft 365 Certified: Modern Desktop Administrator Associate Certification Exam Dumps compiled by the industry experts to make sure that you get verified answers. Our Product team ensures that our exams provide Microsoft 365 Certified: Modern Desktop Administrator Associate Practice Test Questions & Exam Dumps that are up-to-date.