Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
ISBN: 9781119035688
Figure 1-19: The Sounds applet goes from four tabs to three tabs because the user is affected by the domain-level policy
Applying Group Policy Objects to the OU Level
OUs are wonderful tools for delegating away unpleasant administrative duties, such as password resets or modifying group memberships. But that’s only half their purpose. The other half is to be able to apply Group Policy.
You’ll likely find yourself making most Group Policy additions and changes at the OU level, because that’s where you have the most flexibility and the OU is the most refined instrument to affect users. Once OU administrators become comfortable in their surroundings, they want to harness the power of Group Policy.
Preparing to Delegate Control
To create a GPO at the OU level, you must first create the OU and a plan to delegate. For the examples in this book, we’ll create three OUs that look like this:
● Human Resources
● Human Resources Users
● Human Resources Computers
Having separate OUs for your users and computers is a good idea – for both delegation of rights and GPO design. Microsoft considers this a best practice. In the Human Resources Users OU in our Corp.com domain, we’ll create and leverage an Active Directory security group to do our dirty work. We’ll name this group HR-OU-Admins and put our first users inside the HR-OU-Admins security group. We’ll then delegate the appropriate rights necessary for them to use the power of GPOs.
To create the Human Resources Users OU using your WIN10MANAGEMENT machine, follow these steps:
1. Earlier, you created a “unified console” where you housed both Active Directory Users and Computer and the GPMC. Simply use Active Directory Users and Computers, right-click the domain name, and choose New ⇒ Organizational Unit, which will allow you to enter a new OU name. Enter Human Resources as the name. (Note that newer versions of Active Directory Users and Computers will ask you if you want to “Protect container from accidental deletion.” It’s your choice. I typically deselect the check box.)
2. Inside the Human Resources OU, create two more OUs, Human Resources Computers and Human Resources Users, as shown in Figure 1-20.
Figure 1-20: When you complete all these steps, your Human Resources OU should have a Human Resources Users OU and a Human Resources Computers OU. On the users’ side, put Frank Rizzo and the HR-OU-Admins group.
Alternatively, you can create the OU in the GPMC. Just right-click the domain and choose New Organizational Unit from the context menu.
To create the HR-OU-Admins group, follow these steps:
1. In Active Directory Users and Computers, right-click the new Human Resources Users OU and choose New ⇒ Group.
2. Create the new group HR-OU-Admins as a new global security group.
To create the first user to go inside HR-OU-Admins, follow these steps:
1. In Active Directory Users and Computers, right-click the Human Resources Users OU and choose New ⇒ User.
2. Name the user Frank Rizzo, with an account name of frizzo, and click Next.
3. Modern domains require a complex password for a user. Again, my suggested password is p@ssw0rd. That’s a lowercase p, the at sign, an s, an s, a w, a zero, then r, and d.
4. Finish and close the wizard.
If you’re following along, Frank Rizzo’s login will be [email protected].
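The same OU, group and user setup, as an added PowerShell example rather than the book's GUI steps. It assumes the RSAT ActiveDirectory module, rights to create objects in the domain, and the chapter's example domain Corp.com (the DN suffix is read from the domain at run time, so that is the only assumption about naming).

```powershell
# Added example, not from the book: build the Human Resources OU structure,
# the HR-OU-Admins group and the frizzo account described in this section.
# Assumes the RSAT ActiveDirectory module and rights to create objects in the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=com
$hrOU     = "OU=Human Resources,$domainDN"
$usersOU  = "OU=Human Resources Users,$hrOU"
$compsOU  = "OU=Human Resources Computers,$hrOU"

# Parent OU plus separate child OUs for users and computers, as the text recommends.
# -ProtectedFromAccidentalDeletion $false mirrors deselecting the GUI check box.
New-ADOrganizationalUnit -Name 'Human Resources' -Path $domainDN -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name 'Human Resources Users' -Path $hrOU -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name 'Human Resources Computers' -Path $hrOU -ProtectedFromAccidentalDeletion $false

# Global security group that will later receive the delegated rights.
New-ADGroup -Name 'HR-OU-Admins' -GroupScope Global -GroupCategory Security -Path $usersOU

# Prompt for the password instead of embedding it in the script; the domain
# controller enforces the domain's complexity policy when the account is created.
$password = Read-Host -Prompt 'Password for frizzo' -AsSecureString
New-ADUser -Name 'Frank Rizzo' -GivenName 'Frank' -Surname 'Rizzo' `
    -SamAccountName 'frizzo' -UserPrincipalName "frizzo@$((Get-ADDomain).DNSRoot)" `
    -Path $usersOU -AccountPassword $password -Enabled $true

# Make Frank the first member of HR-OU-Admins, then confirm the membership.
Add-ADGroupMember -Identity 'HR-OU-Admins' -Members 'frizzo'
Get-ADGroupMember -Identity 'HR-OU-Admins' | Select-Object Name, SamAccountName
```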
Easily Manage New Users and Computers
The Computers folder and Users folder in Active Directory Users and Computers are not OUs. They are generic containers. You’ll notice that they are not present when you’re using the GPMC to view Active Directory. Because they are generic containers (and not OUs), you cannot link Group Policy Objects to them. Of course, these objects will receive GPOs if linked to the domain, because the containers are still in the domain. They just aren’t OUs in the domain.
These folders have two purposes:
● If you ever did an upgrade from NT 4 domains to Active Directory, these User and Computer accounts would wind up in these folders. (Administrators are then supposed to move the accounts into OUs.)
● The two folders are the default location where older tools drop new accounts when creating new users and computers. Additionally, command-line tools, such as net user and net group, will add accounts to these two folders. Similarly, the Computers folder is the default location for any new client workstation or server that joins the domain. The same goes when you create computer accounts using the net computer command.
So, these seem like decent “holding pens” for these kinds of objects. But ultimately, you don’t want your users or computers to reside in these folders for very long – you want them to end up in OUs. That’s where the action is because you can apply Group Policy to OUs, not to these folders! Yeah, sure, these users and computers are affected by site- and domain-level GPOs. But the action is at the OU level, and you want your computer and user objects to be placed in OUs as fast as possible – not sitting around in these generic Computers and Users folders.
To that end, domains that are at least at the “Windows 2003 functional level” have two tools to redirect the default location of new users and computers to the OUs of your choice. For example, suppose you want all new computers to go to a NewComputers OU and all new users to go to a NewUsers OU. And you want to link several GPOs to the NewUsers and NewComputers OUs to ensure that new accounts immediately have some baseline level of security, restriction, or protection. Without a little magic, new user accounts created using older tools won’t automatically be placed there.
Starting with Windows 2003 Active Directory, Microsoft provided REDIRUSR and REDIRCMP commands that take a distinguished name, like this:
Now if you link GPOs to these OUs, your new accounts will get the Group Policy Objects dictating settings to them at an OU level. This will come in handy when users and computers aren’t specifically created in their final destination OUs.
To learn more about these tools, see the Microsoft Knowledge Base article 324949 at http://support.microsoft.com/kb/324949.
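The redirection described above, as an added example that is not part of the book: it creates the NewUsers and NewComputers OUs, runs REDIRUSR and REDIRCMP against their distinguished names, and then verifies the change by reading the domain's wellKnownObjects attribute, which is where the two tools record the new default containers. It assumes the RSAT ActiveDirectory module, Domain Admin rights and a domain at the Windows 2003 functional level or higher.

```powershell
# Added example, not from the book: redirect the default Users and Computers
# containers to dedicated OUs, then verify the redirection.
# Assumes the RSAT ActiveDirectory module, Domain Admin rights, and a domain at
# least at the Windows 2003 functional level. OU names follow the text.
Import-Module ActiveDirectory

$domainDN       = (Get-ADDomain).DistinguishedName
$newUsersOU     = "OU=NewUsers,$domainDN"
$newComputersOU = "OU=NewComputers,$domainDN"

# Create the target OUs if they do not exist yet, so GPOs can be linked to them.
foreach ($name in 'NewUsers', 'NewComputers') {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" `
        -SearchBase $domainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN
    }
}

# REDIRUSR and REDIRCMP each take the distinguished name of the new default OU.
redirusr.exe $newUsersOU
redircmp.exe $newComputersOU

# Verify: both tools rewrite an entry of the domain object's wellKnownObjects
# attribute. The two GUIDs are the documented well-known identifiers for the
# Users container (A9D1CA15...) and the Computers container (AA312825...);
# each matching entry should now end in the OU you chose rather than CN=Users/CN=Computers.
$wko = (Get-ADObject -Identity $domainDN -Properties wellKnownObjects).wellKnownObjects
$wko | Where-Object { $_ -match 'A9D1CA15768811D1ADED00C04FD8D5CD|AA312825768811D1ADED00C04FD8D5CD' }
```

Run it on a domain controller or a management station with the AD tools installed; accounts created afterwards by net user or a plain domain join land in the new OUs and pick up whatever GPOs are linked there.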
To add Frank Rizzo to the HR-OU-Admins group, follow these steps:
1. Double-click the HR-OU-Admins group.
2. Click the Members tab.
3. Add