Group Policy. Jeremy Moskowitz
Читать онлайн.| Название | Group Policy |
|---|---|
| Автор произведения | Jeremy Moskowitz |
| Жанр | Зарубежная образовательная литература |
| Серия | |
| Издательство | Зарубежная образовательная литература |
| Год выпуска | 0 |
| isbn | 9781119035688 |
Figure 1-11 shows what our swimming pool will eventually look like when we’re done with the examples in this chapter.
Figure 1-11: Imagine your about-to-be-leveraged GPOs as just hanging out in the swimming pool of the domain.
Our swimming pool will be full of GPOs, with various levels in Active Directory “linked” to those GPOs. To that end, you can drill down, right now, to see the representation of the swimming pool. It’s there, waiting for you. Click Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Group Policy Objects to see all the GPOs that will exist in the domain by the time we’re done (see Figure 1-12).
Figure 1-12: The Group Policy Objects folder highlighted here is the representation of the swimming pool of the domain that contains your actual GPOs.
If you’re just getting started, it’s not likely you’ll have more than the “Default Domain Controllers Policy” GPO and “Default Domain Policy” GPO. That’s okay. You’ll start getting more GPOs soon enough. Oh, and for now, please don’t modify the default GPOs. They’re a bit special and are covered in great detail in Chapter 8.
All GPOs in the domain are represented in the Group Policy Objects folder. As you can see, when the Temporary Office Help OU is shown within the GPMC, a relationship exists between the OU and the “Hide Desktop Settings Option” GPO. That relationship is the tether to the GPO in the swimming pool – the GPO is linked back to “Hide Desktop Settings Option.” You can see this linked relationship because the “Hide Desktop Settings Option” icon inside Temporary Office Help has a little arrow icon, signifying the link back to the actual GPO in the domain. The same is true for the “Default Domain Policy,” which is linked at the domain level, but the actual GPO is placed below the Group Policy Objects folder.
Our Own Group Policy Examples
Now that you’ve got a grip on honing your view within the GPMC, let’s take it for a quick spin around the block with some examples!
For this series of examples, we’re going after the users who keep fiddling with their display doo-dads in Windows 10.
If you want to see these examples in action using Windows 10, start out on WIN10 by looking at the “Change the visuals and sounds on your computer” page, which is located by right-clicking the Desktop and choosing Personalize. In the left column, you’ll see items including “Change desktop icons” and “Change mouse pointers.” In the bottom section, you’ll see several entries, including Desktop Background, Window Color, Sounds, and Screen Saver, as shown in Figure 1-13.
Figure 1-13: The Windows 10 Personalization page – unconfigured by Group Policy
For our first use of Group Policy, we’re going to produce four “edicts” (for dramatic effect, you should stand on your desk and loudly proclaim these edicts with a thick British accent):
● At the site level, there will be no ability to change screen savers.
● At the domain level, there will be no ability to change Windows’ sounds.
● At the Human Resources Users OU level, there will be no way to change the mouse pointers. And, while we’re at it, let’s bring back the ability to change screen savers!
● At the Human Resources Computers OU, we’ll make it so whenever anyone uses a Human Resources computer, calc.exe automatically launches after login.
Following along with these concrete examples will reinforce the concepts presented earlier. Additionally, they are used throughout the remainder of this chapter and the book.
Understanding GPMC’s Link Warning
As you work through the examples, you’ll do a lot of clicking around. When you click a GPO link the first time, you’ll get this message:
This message is trying to convey an important sentiment – that is, multiple levels in Active Directory may be linked back and use the exact same GPO. The idea is that multiple levels of Active Directory could use the exact same Group Policy Object contained inside the Group Policy Objects container – but just be linked back to it.
What if you modify the policy settings by right-clicking a policy link and choosing Edit from the context menu? All instances in Active Directory that link to that GPO embrace the new settings. If this is a fear, you might want to create another GPO and then link it to the level in Active Directory you want. More properties are affected by this warning, and we’ll explore them in Chapter 4, “Advanced Group Policy Processing.”
If you’ve squelched this message by selecting “Do not show this message again,” you can get it back. In the GPMC in the menus, choose View ⇒ Options and select the General tab, then select “Show confirmation dialog box to distinguish between GPOs and GPO links” and click OK.
More about Linking and the Group Policy Objects Container
The GPMC is a fairly flexible tool. Indeed, it permits the administrator to perform many tasks in different ways. One thing you’ll do quite a lot in your travels with the GPMC is create your own Group Policy Objects. Again, GPOs live in a container within Active Directory and are represented within the Group Policy Objects container (the swimming pool) inside the domain (seen in Figure 1-11, earlier in this chapter). Any levels of Active Directory – site, domain, or OU – simply link back to the GPOs hanging out in the Group Policy Objects container.
To apply Group Policy to a level in Active Directory using the GPMC, you have two options:
● Create the GPOs in the Group Policy Objects container first. Then, while focused at the level you want to command in Active Directory (site, domain, or OU), manually add a link to the GPO that is in the Group Policy Objects container.
● While focused at the level you want to command in Active Directory (domain or OU), create the GPOs in the Group Policy Objects container and automatically create the link. This link is created at the level you’re currently focused at back to the GPO in the Group Policy Objects container.
Which is the correct way to go? Both are perfectly acceptable because both are doing the same thing.
In both cases the GPO itself does not “live” at the level in Active Directory at which you’re focused. Rather, the GPO itself “lives” in the Group Policy Objects container. The link back to the GPO inside the Group Policy Objects container is what makes the relationship between the GPO inside the Group Policy Objects container swimming pool and the level in Active Directory you want to command.
To get the hang of this, let’s work through some examples. First, let’s create our first GPO in the Group Policy Objects folder. Follow these steps:
1. Launch the GPMC. Click Start, and then in the search box, type GPMC.MSC.
2. Traverse down by clicking Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Group Policy Objects.
3. Right-click the Group Policy Objects folder and choose New from the context menu, as shown in Figure 1-14, to open the New GPO dialog