Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
ISBN: 9781119035688
● While focused at the level you want to command in Active Directory (domain or OU), create the GPOs in the Group Policy Objects container and automatically create the link. This link is created at the level you’re currently focused at back to the GPO in the Group Policy Objects container.
Which is the correct way to go? Both are perfectly acceptable because both are doing the same thing.
In both cases the GPO itself does not “live” at the level in Active Directory at which you’re focused. Rather, the GPO itself “lives” in the Group Policy Objects container. The link is what establishes the relationship between the GPO in the Group Policy Objects container (the swimming pool) and the level in Active Directory you want to command.
To get the hang of this, let’s work through some examples. First, let’s create our first GPO in the Group Policy Objects folder. Follow these steps:
1. Launch the GPMC. Click Start, and then in the search box, type GPMC.MSC.
2. Traverse down by clicking Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Group Policy Objects.
3. Right-click the Group Policy Objects folder and choose New from the context menu, as shown in Figure 1-14, to open the New GPO dialog box.
4. Let’s name our first edict, er, GPO, something descriptive, such as “Hide Screen Saver Option.”
5. Once the name is entered, you’ll see the new GPO listed in the swimming pool. Right-click the GPO and choose Edit, as shown in Figure 1-15, to open the Group Policy Management Editor.
6. To hide the Screen Saver option, drill down by clicking User Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Control Panel ⇒ Personalization. Double-click the Prevent changing screen saver policy setting to open it. Select the Enabled setting, and click OK.
7. Close the Group Policy Management Editor.
Figure 1-14: You create your first GPO in the Group Policy Objects container by right-clicking and choosing New.
Figure 1-15: You can right-click the GPO in the Group Policy Objects container and choose Edit from the context menu to open the Group Policy Management Editor.
Note that in earlier iterations of the GPMC, this setting was named differently and placed in another node. It used to be called Hide Screen Saver Tab and was located in the Display node within Control Panel. As you can see, as the operating system evolves, so do the names of the policy settings, Group Policy Preference items (described in Chapter 5), and the capabilities within the GPMC itself. This is why it’s pretty important to always use the “latest, greatest” GPMC, as we are doing in this book.
Understanding Our Actions
Now that we have this “Hide Screen Saver Option” edict, er, GPO floating around in the Group Policy Objects container – in the representation of the swimming pool of the domain – what have we done? Not a whole lot, actually, other than create some bits inside Active Directory and on the Domain Controllers. By creating new GPOs in the Group Policy Objects folder, we haven’t inherently forced our desires on any level in Active Directory – site, domain, or OU.
To make a level in Active Directory accept our will, we need to link this new Group Policy Object to an existing level. Only then will our will be accepted and embraced. Let’s do that now.
Applying a Group Policy Object to the Site Level
The least-often-used level of Group Policy application is at the site. This is because it’s got the broadest stroke but the bluntest application. And more and more organizations use high-speed links everywhere, so it’s not easy to separate computers into individual sites because (in some organizations) Active Directory is set up to see the network as just one big site!
Additionally, since Active Directory states that only members of Enterprise Administrators (EAs) can modify sites and site links, it’s equally true that only EAs (by default) can add and manipulate GPOs at the site level.
When a tree or a forest contains more than one domain, only the EAs and the Domain Administrators (DAs) of the root domain can create and modify sites and site links. When multiple domains exist, DAs in domains other than the root domain cannot create sites or site links (or site-level GPOs).
However, site GPOs might come in handy on occasion. For instance, you might want to set up site-level GPO definitions for network-specific settings, such as Internet Explorer proxy settings or an IP security policy for sensitive locations. Setting up site-based settings is useful if you have one building (set up explicitly as an Active Directory site) that has a particular or unique network configuration. You might choose to modify the Internet Explorer proxy settings if this building has a unique proxy server. Or, in the case of IP security, perhaps this facility has particularly sensitive information, such as confidential records or payroll information.
Therefore, if you’re not an EA (or a DA of the root domain), it’s likely you’ll never get to practice this exercise outside the test lab. In upcoming chapters I’ll show you how to delegate these rights to other administrators, like OU administrators.
For now, we’ll work with a basic example to get the feel of the Group Policy Management Editor.
We already stood on our desks and loudly declared that there will be no Screen Saver options at our one default site. The good news is that we’ve already done two-thirds of what we need to do to make that site accept our will: we exposed the sites we want to manage, and we created the “Hide Screen Saver Option” GPO in the Group Policy Objects container.
Implementing GPOs linked to sites can have a substantial impact on your logon times and WAN (wide area network) traffic if not performed correctly. For more information, see Chapter 7 in the section “Group Policy Objects from a Site Perspective.”
Now all we need to do is tether the GPO we created to the site with a GPO link.
To remove the Screen Saver option using the Group Policy Management Editor at the site level, follow these steps:
1. Inside the GPMC snap-in, drill down by clicking the Group Policy Management folder, the Forest folder, and the Sites folder.
2. Find the site to which you want to deliver the policy. If you have only one site, it is likely called Default-First-Site-Name.
3. Right-click the site and choose “Link an Existing GPO,” as shown in Figure 1-16.
4. Now you can select the “Hide Screen Saver Option” GPO from the list of GPOs in the Group Policy Objects container within the domain.
Once you have chosen the GPO, it will be linked to the site.
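The two GUI procedures above (creating the GPO in the Group Policy Objects container, then linking it to the site) can also be scripted and checked. The following PowerShell is an added example, not code from the book; it assumes the GroupPolicy and ActiveDirectory RSAT modules, a single-domain forest, an account with rights to link GPOs at the site, and that the policy setting is backed by the NoDispScrSavPage registry value. The Get-UnlinkedGpo helper is a hypothetical name introduced here.

```powershell
# Added example (not from the book). Run as an account allowed to link GPOs to sites.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'Hide Screen Saver Option'   # GPO name used in the walkthrough
$siteName = 'Default-First-Site-Name'    # default site name from step 2

# 1. Create the GPO. It lives in the Group Policy Objects container and,
#    at this point, is linked nowhere, so it affects nothing.
$gpo = New-GPO -Name $gpoName -Comment 'Created by script (example)'

# 2. Enable "Prevent changing screen saver" under User Configuration.
#    Assumption: the setting writes NoDispScrSavPage=1 under this key;
#    confirm against the ADMX templates in your environment.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispScrSavPage' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the site. Site objects live in the forest's
#    Configuration partition, not in the domain partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$siteDN   = "CN=$siteName,CN=Sites,$configNC"
New-GPLink -Guid $gpo.Id -Target $siteDN -LinkEnabled Yes | Out-Null

# 4. Verify: the link is stored in the gPLink attribute of the site object,
#    pointing back at the GPO's GUID in the container.
$site = Get-ADObject -Identity $siteDN -Properties gPLink
if ($site.gPLink -notmatch [regex]::Escape($gpo.Id.ToString())) {
    throw "GPO '$gpoName' is not linked to site '$siteName'."
}

# 5. Audit helper (hypothetical name): GPOs that exist in the container
#    but are not referenced by any gPLink on a domain, OU or site.
function Get-UnlinkedGpo {
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $links = @(
        Get-ADObject -LDAPFilter '(gPLink=*)' -Properties gPLink
        Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase "CN=Sites,$cfg" -Properties gPLink
    ) | ForEach-Object { $_.gPLink }
    $allLinks = $links -join ''
    Get-GPO -All |
        Where-Object { $allLinks -notmatch [regex]::Escape($_.Id.ToString()) } |
        Select-Object DisplayName, Id, ModificationTime
}

Get-UnlinkedGpo
```

If the script stops after step 2, the new GPO shows up in the Get-UnlinkedGpo output, which is the "floating in the swimming pool" state described under Understanding Our Actions.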