Group Policy. Jeremy Moskowitz

Title: Group Policy

Author: Jeremy Moskowitz

Publisher: John Wiley & Sons Limited

Genre: Foreign educational literature

isbn: 9781119035688

Each domain will now appear at the same hierarchical level in the GPMC.

      Viewing Other Forests in the GPMC

      To see other forests, right-click the root (Group Policy Management) and choose Add Forest from the context menu. You’ll need to type the name of the Active Directory forest you want to add. If you want to add or subtract domains within that new forest, follow the instructions in the preceding paragraph.

      Now that we’ve adjusted our view to see the domains and forests we want, let’s examine how to manipulate our GPOs and GPO links.

      Tip: You can add forests with which you do not have a trust. However, by default the GPMC will not display these domains, as a safety mechanism. To turn off the safety mechanism, choose View ⇒ Options to open the Options dialog box. In the General tab, clear Enable Trust Detection and click OK.

      The GPMC-centric View

      As I stated earlier, one of the fundamental concepts of Group Policy is that the GPOs themselves live in the “swimming pool” inside the domain. Then, when you want to utilize a GPO from that swimming pool against a level in Active Directory, you simply link a GPO to that level.

Figure 1-11 shows what our swimming pool will eventually look like when we’re done with the examples in this chapter.

Figure 1-11: Imagine your about-to-be-leveraged GPOs as just hanging out in the swimming pool of the domain.

Our swimming pool will be full of GPOs, with various levels in Active Directory “linked” to those GPOs. To that end, you can drill down, right now, to see the representation of the swimming pool. It’s there, waiting for you. Click Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Group Policy Objects to see all the GPOs that will exist in the domain by the time we’re done (see Figure 1-12).

Figure 1-12: The Group Policy Objects folder highlighted here is the representation of the swimming pool of the domain that contains your actual GPOs.

      Note: If you’re just getting started, it’s not likely you’ll have more than the “Default Domain Controllers Policy” GPO and “Default Domain Policy” GPO. That’s okay. You’ll start getting more GPOs soon enough. Oh, and for now, please don’t modify the default GPOs. They’re a bit special and are covered in great detail in Chapter 8.

      All GPOs in the domain are represented in the Group Policy Objects folder. As you can see, when the Temporary Office Help OU is shown within the GPMC, a relationship exists between the OU and the “Hide Desktop Settings Option” GPO. That relationship is the tether to the GPO in the swimming pool – the GPO is linked back to “Hide Desktop Settings Option.” You can see this linked relationship because the “Hide Desktop Settings Option” icon inside Temporary Office Help has a little arrow icon, signifying the link back to the actual GPO in the domain. The same is true for the “Default Domain Policy,” which is linked at the domain level, but the actual GPO is placed below the Group Policy Objects folder.

      Our Own Group Policy Examples

      Now that you’ve got a grip on honing your view within the GPMC, let’s take it for a quick spin around the block with some examples!

      For this series of examples, we’re going after the users who keep fiddling with their display doo-dads in Windows 10.

If you want to see these examples in action using Windows 10, start out on WIN10 by looking at the “Change the visuals and sounds on your computer” page, which is located by right-clicking the Desktop and choosing Personalize. In the left column, you’ll see items including “Change desktop icons” and “Change mouse pointers.” In the bottom section, you’ll see several entries, including Desktop Background, Window Color, Sounds, and Screen Saver, as shown in Figure 1-13.

Figure 1-13: The Windows 10 Personalization page – unconfigured by Group Policy

      For our first use of Group Policy, we’re going to produce four “edicts” (for dramatic effect, you should stand on your desk and loudly proclaim these edicts with a thick British accent):

      ● At the site level, there will be no ability to change screen savers.

      ● At the domain level, there will be no ability to change Windows’ sounds.

      ● At the Human Resources Users OU level, there will be no way to change the mouse pointers. And, while we’re at it, let’s bring back the ability to change screen savers!

      ● At the Human Resources Computers OU, we’ll make it so whenever anyone uses a Human Resources computer, calc.exe automatically launches after login.

      Following along with these concrete examples will reinforce the concepts presented earlier. Additionally, they are used throughout the remainder of this chapter and the book.

      Understanding GPMC’s Link Warning

      As you work through the examples, you’ll do a lot of clicking around. When you click a GPO link the first time, you’ll get this message:

      [Image: the GPMC link warning dialog box]

      This message is trying to convey an important sentiment – that is, multiple levels in Active Directory may be linked back to, and use, the exact same GPO. The idea is that multiple levels of Active Directory could use the exact same Group Policy Object contained inside the Group Policy Objects container while merely being linked back to it.

      What if you modify the policy settings by right-clicking a policy link and choosing Edit from the context menu? All instances in Active Directory that link to that GPO embrace the new settings. If this is a fear, you might want to create another GPO and then link it to the level in Active Directory you want. More properties are affected by this warning, and we’ll explore them in Chapter 4, “Advanced Group Policy Processing.”

      If you’ve squelched this message by selecting “Do not show this message again,” you can get it back. In the GPMC menus, choose View ⇒ Options and select the General tab, then select “Show confirmation dialog box to distinguish between GPOs and GPO links” and click OK.
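
      Because an edit made through any one link changes the GPO for every level linked to it, it helps to list a GPO’s links before editing. The PowerShell below is an added example, not code from the book: it reads the LinksTo entries of a GPO XML report (the format Get-GPOReport -ReportType Xml produces). The function name Get-GpoLinkTarget, the embedded report, and the second link to Human Resources Users are constructed for illustration.

```powershell
# Added example: list every Active Directory level linked to one GPO, so the
# reach of an edit is known before choosing Edit on any of its links.
# In a live domain the report would come from the GroupPolicy module:
#   $report = Get-GPOReport -Name 'Hide Desktop Settings Option' -ReportType Xml
# The report below is constructed sample data so the script runs offline.
$gpoName = 'Hide Desktop Settings Option'
$report = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Hide Desktop Settings Option</Name>
  <LinksTo>
    <SOMName>Temporary Office Help</SOMName>
    <SOMPath>corp.com/Temporary Office Help</SOMPath>
    <Enabled>true</Enabled>
    <NoOverride>false</NoOverride>
  </LinksTo>
  <LinksTo>
    <SOMName>Human Resources Users</SOMName>
    <SOMPath>corp.com/Human Resources/Human Resources Users</SOMPath>
    <Enabled>true</Enabled>
    <NoOverride>false</NoOverride>
  </LinksTo>
</GPO>
'@

function Get-GpoLinkTarget {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ReportXml)
    $doc = [xml]$ReportXml
    # @() keeps a single <LinksTo> element from collapsing to a scalar.
    foreach ($link in @($doc.GPO.LinksTo)) {
        if ($null -eq $link) { continue }   # GPO exists but is linked nowhere
        [pscustomobject]@{
            LinkedTo = $link.SOMPath
            Enabled  = [System.Convert]::ToBoolean($link.Enabled)
            # The report calls an enforced link "NoOverride".
            Enforced = [System.Convert]::ToBoolean($link.NoOverride)
        }
    }
}

$targets = @(Get-GpoLinkTarget -ReportXml $report)
$targets | Format-Table -AutoSize
if ($targets.Count -gt 1) {
    Write-Warning ("'{0}' is linked at {1} levels; an edit through any one link changes all of them." -f $gpoName, $targets.Count)
}
```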

      More about Linking and the Group Policy Objects Container

      The GPMC is a fairly flexible tool. Indeed, it permits the administrator to perform many tasks in different ways. One thing you’ll do quite a lot in your travels with the GPMC is create your own Group Policy Objects. Again, GPOs live in a container within Active Directory and are represented within the Group Policy Objects container (the swimming pool) inside the domain (seen in Figure 1-11, earlier in this chapter). Any levels of Active Directory – site, domain, or OU – simply link back to the GPOs hanging out in the Group Policy Objects container.

      To apply Group Policy to a level in Active Directory using the GPMC, you have two options:

      ● Create the GPOs in the