Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
isbn: 9781119035688
Delegating Control for Group Policy Management
You’ve created the Human Resources OU, which contains the Human Resources Users OU and the Human Resources Computers OU and the HR-OU-Admins security group. Now, put Frank inside the HR-OU-Admins group, and you’re ready to delegate control.
Performing Your First Delegation
You can delegate control to use Group Policy in two ways: using Active Directory Users and Computers and using the GPMC.
For this first example, we’ll kick it old school and do it the Active Directory Users and Computers way. Then, in Chapter 2, I’ll demonstrate how to delegate control using the GPMC.
To delegate control for Group Policy management, follow these steps:
1. In Active Directory Users and Computers, right-click the top-level Human Resources OU you created and choose Delegate Control from the context menu to start the “Delegation of Control Wizard.”
2. Click Next to get past the wizard introduction screen.
3. You’ll be asked to select users and/or groups. Click Add, add the HR-OU-Admins group, and click Next to open the “Tasks to Delegate” screen, shown in Figure 1-21.
Figure 1-21: Select the “Manage Group Policy links” task.
4. Click “Manage Group Policy links,” and then click Next.
5. At the wizard review screen, click Finish.
You might want to click some or all the other check boxes as well, but for this example, only “Manage Group Policy links” is required. Avoid selecting “Generate Resultant Set of Policy (Planning)” and “Generate Resultant Set of Policy (Logging)” at this time. You’ll see where these options come into play in Chapter 2.
The “Manage Group Policy links” delegation assigns the user or group Read and Write access over the gPLink and gPOptions attributes of that object (the OU, in this case), and nothing more. To see or modify these permissions by hand, open Active Directory Users and Computers and choose View ⇒ Advanced Features. If later you want to remove a delegated permission, it’s a little challenging, because the wizard leaves no record of what it set. To locate the permission, right-click the delegated object (such as the OU), choose Properties, click the Security tab, click Advanced, and dig through the entries until you find the ones for your group that apply to gPLink and gPOptions. Finally, delete the corresponding access control entries (ACEs).
Adding a User to the Server Operators Group (Just for This Book)
Under normal conditions, nobody but Domain Administrators, Enterprise Administrators, or Server Operators can walk up to Domain Controllers and log on. For testing purposes only, though, we’re going to add our user, Frank, to the Server Operators group so he can easily work on our DC01 Domain Controller when we want him to.
To add a user to the Server Operators group, follow these steps:
1. In Active Directory Users and Computers, double-click Frank Rizzo’s account under the Human Resources Users OU.
2. Click the Member Of tab and click Add.
3. Select the Server Operators group and click OK.
4. Click OK to close the Properties dialog box for Frank Rizzo.
Normally, you wouldn’t give your delegated OU administrators Server Operators access. You’re doing it solely for the sake of this example to allow Frank to log on locally to your Domain Controllers.
Testing Your Delegation of Group Policy Management
At this point, on your WIN10MANAGEMENT machine, log off as Administrator and log on as Frank Rizzo.
Now follow these steps to test your delegation:
1. Choose Start and type GPMC.MSC at the Start Search prompt to open the GPMC.
2. Drill down through Group Policy Management, Domains, Corp.com, and Group Policy Objects. If you right-click Group Policy Objects in an attempt to create a new GPO, you’ll see the context menu shown in Figure 1-22.
As you can see, Frank is unable to create new GPOs in the swimming pool of the domain. Since Frank has been delegated some control over the Human Resources OU (which also contains the other OUs), let’s see what he can do. If you right-click the Human Resources OU in the GPMC, you’ll see the context menu shown in Figure 1-23.
Figure 1-22: Frank cannot create new GPOs in the Group Policy Objects container.
Figure 1-23: Frank’s delegated rights allow him to link to existing GPOs but not to create new GPOs.
Because Frank is unable to create GPOs in the swimming pool of the domain (the Group Policy Objects container), he is also unable by definition to “Create a GPO in this domain, and Link it here.” Although Frank (and more specifically, the HR-OU-Admins) has been delegated the ability to “Manage Group Policy links,” he cannot create new GPOs. Frank (and the other potential HR-OU-Admins) has only the ability to link an existing GPO.
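As an added example (not from the book), the same test can be run from PowerShell as Frank, which makes the boundary explicit: creating a GPO fails because the delegation granted nothing on the Group Policy Objects container, while linking an existing GPO succeeds because it only writes gPLink and gPOptions on the OU. It assumes the RSAT GroupPolicy module on WIN10MANAGEMENT, the domain corp.com, the Human Resources OU from this chapter, and a pre-existing GPO named “HR Workstation Lockdown” that a domain admin created earlier (the GPO name is hypothetical).

```powershell
# Added example (not from the book): exercise the delegation boundary from PowerShell.
# Run in a session started as Frank (a member of HR-OU-Admins) with the RSAT GroupPolicy module.
Import-Module GroupPolicy

$domain   = 'corp.com'                                 # assumption
$targetOU = 'OU=Human Resources,DC=corp,DC=com'        # assumption: the chapter's OU
$existing = 'HR Workstation Lockdown'                  # assumption: hypothetical GPO made by a domain admin

# 1. Creating a GPO needs create rights on the Group Policy Objects container
#    (normally via Group Policy Creator Owners). The wizard never granted that, so this must fail.
try {
    New-GPO -Name 'Frank Test GPO' -Domain $domain -ErrorAction Stop | Out-Null
    Write-Warning 'Unexpected: GPO creation succeeded. Check Group Policy Creator Owners membership.'
}
catch {
    Write-Host "New-GPO denied, as expected: $($_.Exception.Message)"
}

# 2. Linking an existing GPO only writes gPLink/gPOptions on the OU, which "Manage Group Policy links"
#    delegated to HR-OU-Admins. This is the equivalent of "Link an Existing GPO..." in the GPMC.
$link = New-GPLink -Name $existing -Domain $domain -Target $targetOU -LinkEnabled Yes -ErrorAction Stop
"Linked '$($link.DisplayName)' to $($link.Target) at link order $($link.Order)"

# 3. Confirm from the OU side. GpoLinks is the parsed form of the OU's gPLink attribute, which holds
#    one [LDAP://<GPO DN>;<options>] entry per link; <options> is where Enforced/disabled flags live.
(Get-GPInheritance -Domain $domain -Target $targetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Note that step 2 succeeds for any GPO in the domain, not just ones intended for HR, because the delegation is on the OU’s link attributes and not on the GPOs themselves. The next section covers why that is usually acceptable, and the GPMC delegation in Chapter 2 is where you restrict which GPOs a group may read and apply.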
Understanding Group Policy Object Linking Delegation
When we were logged on as the Domain Administrator, we could create GPOs in the Group Policy Objects container, and we could “Create a GPO in this domain, and Link it here” at the domain or OU levels. But Frank cannot.
Here’s the idea about delegating the ability to link to GPOs: someone with a lot of brains in the organization does all the work in creating a well-thought-out and well-tested GPO. Maybe this GPO distributes software, maybe it sets up a secure workstation policy, or perhaps it runs a startup script. You get the idea.
Then, others in the organization, like Frank, are delegated just the ability to link to that GPO and use it at their level. This solves the problem of delegating perhaps too much control. Certainly some administrators are ready to create their own users and groups, but other administrators may not be quite ready to jump into the cold waters of Group Policy Object creation. Thus, you can design the GPOs for other administrators; they can just link to the ones you (or others) create.
When “Link an Existing GPO” is selected (as seen in Figure 1-23), any GPO which lives in the Group Policy Objects “swimming pool” can be selected.
In this example, the HR-OU-Admins members, such as Frank, can leverage any currently created GPO to affect the users and computers