Group Policy. Jeremy Moskowitz

Title: Group Policy
Author: Jeremy Moskowitz
Genre: Foreign educational literature
ISBN: 9781119035688

to your custom view.

      Once you have added both snap-ins to your console, you’ll have a near-unified view of most of what you need at your fingertips. Both Active Directory Users and Computers and the GPMC can create and delete OUs. Both tools also allow administrators to delegate permissions to others to manage Group Policy, but that’s where the two tools’ functionality overlap ends.

      The GPMC won’t show you the actual users and computer objects inside the OU, so deleting an OU from within the GPMC is dicey at best because you can’t be sure of what’s inside!

      You can choose to add other snap-ins, too, of course, including Active Directory Sites and Services or anything else you think is useful. The illustrations in the rest of this book will show both snap-ins loaded in this configuration. I suggest you save your “one-stop shop” to the Desktop and give it a catchy name so you can quickly find it later when you need it.

      Group Policy 101 and Active Directory

      Let’s start with some basics to ensure that things are running smoothly. For most of the examples in this book, you’ll be able to get by with just the one Domain Controller and one or two workstations that participate in the domain, for verifying that your changes took place.

      Note: For the examples in this book, I’ll refer to our sample Domain Controller, DC01, which is part of my example Corp.com domain. For these examples, you can choose to rename the Default-First-Site-Name site or not – your choice.

      Again, I encourage you to try these examples in your test lab and not to try them directly on your production network. This will help you avoid a CLM (career-limiting move).

      For our examples, we’ll assume you’re using WIN10MANAGEMENT as your management station, which is a Windows 10 machine with RSAT installed.

      Active Directory Users and Computers vs. GPMC

      The main job of Active Directory Users and Computers is to give you an Active Directory object–centric view of your domain. Active Directory Users and Computers lets you deal with users, computers, groups, contacts, some of the Flexible Single Master Operations (FSMO) roles, and delegation of control over user accounts as well as change the domain mode and define advanced security and auditing inside Active Directory. You can also create OUs and move users and computers around inside those OUs. Other administrators can then drill down inside Active Directory Users and Computers into an OU and see the computers, groups, contacts, and so on that you’ve moved to those OUs.

      But the GPMC has one main job: to provide you with a Group Policy–centric view of all you control. All the OUs that you see in Active Directory Users and Computers are visible in the GPMC. Think about it – it’s the same Active Directory behind the scenes “storing” those details about the OU and its contents.

      However, the GPMC just doesn’t have a way to “view” the users, computers, contacts, and such. When you drill down into an OU inside the GPMC, you’ll see but one thing: the GPOs that affect the objects inside the OU.

      In Figure 1-8, you were able to see the Active Directory Users and Computers view as well as the GPMC view – rolled into one MMC that we created earlier. Even though it’s not super-obvious from the screen shot, the Active Directory Users and Computers view of an OU and the GPMC view of the same OU are radically different. For instance, in Figure 1-8 I’ve added (for the sake of this discussion) an OU called Temporary Office Help and some other OUs, too, for fun.

      When focused at a site, a domain, or an OU within the GPMC, you see only the GPOs that affect that level in Active Directory. You don’t see the same “stuff” that Active Directory Users and Computers sees, such as users, computers, groups, or contacts.

      The basic overlap in the two tools is the ability to create and delete OUs. If you add or delete an OU in either tool, you need to refresh the other tool by pressing F5 to see the update. For instance, in Figure 1-8 you could see that my Active Directory has several OUs, including the one I added named Temporary Office Help.

      Warning: Deleting an OU from inside the GPMC is generally a bad idea. Because you cannot see the Active Directory objects inside the OU (such as users and computers), you don’t know how many objects you’re about to delete. So be careful!

      If I delete the Temporary Office Help OU in Active Directory Users and Computers, the change is not reflected in the GPMC window until it’s refreshed. And vice versa.

      So, let’s summarize with three key points:

      ● Understanding that the two tools are “separate” and work on the same underlying database is key.

      ● Understanding that what you do in one tool (e.g., delete an OU) affects the other tool (because it’s affecting the same underlying database) is also key.

      ● The final key is realizing that you will need to occasionally “refresh” the view of each tool. This is because other administrators might be “doing stuff” to the GPOs and/or Active Directory user accounts. You won’t see their changes until you refresh your view.
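The warning above and the three points just summarized come down to one practical habit: look at what both tools see before you delete anything. The following PowerShell check is an added example, not the book’s own code; it assumes the RSAT ActiveDirectory and GroupPolicy modules are available (as on the WIN10MANAGEMENT station) and uses the book’s Corp.com domain and Temporary Office Help OU as sample names.

```powershell
# Added example (not from the book): inventory an OU before deciding to delete it.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and
# uses the book's Corp.com domain and Temporary Office Help OU as sample names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OUDeletionReport {
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName
    )

    $ou = Get-ADOrganizationalUnit -Identity $OUDistinguishedName `
            -Properties ProtectedFromAccidentalDeletion

    # What Active Directory Users and Computers shows but the GPMC does not:
    # the objects inside the OU (Subtree also catches child OUs and their contents).
    $contents = Get-ADObject -SearchBase $OUDistinguishedName -SearchScope Subtree -Filter * |
                Where-Object { $_.DistinguishedName -ne $OUDistinguishedName }

    # What the GPMC shows but Active Directory Users and Computers does not:
    # the GPOs linked at this OU.
    $links = (Get-GPInheritance -Target $OUDistinguishedName).GpoLinks

    [pscustomobject]@{
        OU                  = $ou.DistinguishedName
        ProtectedFromDelete = $ou.ProtectedFromAccidentalDeletion
        ObjectCount         = @($contents).Count
        ObjectsByClass      = ($contents | Group-Object ObjectClass |
                               ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        LinkedGPOs          = ($links | ForEach-Object { $_.DisplayName }) -join ', '
    }
}

# Run against the book's example OU (substitute your own distinguished name).
$report = Get-OUDeletionReport -OUDistinguishedName 'OU=Temporary Office Help,DC=corp,DC=com'
$report | Format-List
if ($report.ObjectCount -gt 0) {
    Write-Warning "OU still contains $($report.ObjectCount) object(s); move or review them before deleting."
}
```

Because both cmdlets query the same Active Directory the two consoles use, the report shows the combined view neither tool gives you on its own; after deleting in one console, press F5 in the other to see the change.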

      Adjusting the View within the GPMC

      The GPMC lets you view as much or as little of your Active Directory as you like. By default, you view only your own forest and domain. You can optionally add in the ability to see the sites in your forest as well as the ability to see other domains in your forest or domains in other forests, although these views might not be the best for seeing what you have control over.

      Here’s how to view the other items you may need within the GPMC:

      Viewing Sites in the GPMC When you create GPOs, you won’t often create GPOs that affect sites. The designers of the GPMC seem to agree; it’s a bit of a chore to apply GPOs to sites. To do so, you need to link an existing GPO to a site. You’ll see how to do this a bit later in this chapter.

However, you first need to expose the site objects in Active Directory. To do so, right-click the Sites object in GPMC, choose Show Sites from the context menu (see Figure 1-10), and then click the check box next to each site you want to expose.


Figure 1-10: You need to expose the Active Directory sites before you can link GPOs to them.

      In our first example, we’ll use the site level of Active Directory to deploy our first Group Policy Object. At this point, go ahead and enable the Default-First-Site-Name so that you can have it ready for use in our own experiments.

      Viewing Other Domains in the GPMC To see other domains in your forest, drill down to the Forest folder in Group Policy Management, right-click Domains, choose Show Domains, and select the other available domains in your forest. Each domain will now appear at the same hierarchical level in the GPMC.

      Viewing Other Forests in the GPMC To see other forests, right-click the root (Group Policy Management) and choose Add Forest from the context menu. You’ll need to type the name of the Active Directory forest you want to add. If you want to add or subtract domains within that new forest, follow the instructions in the preceding paragraph.

      Now that we’ve adjusted our view to see the domains and forests we want, let’s examine how to manipulate our GPOs and GPO links.

      Tip: You can add forests with which you do not have a trust. However, as a safety mechanism, the GPMC by default will not display the domains of such forests. To turn off the safety mechanism, choose View ⇒ Options to open the Options dialog box. In the General tab, clear Enable Trust Detection and click OK.

      The