Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
isbn: 9781119035688
But, as you can see in Figure 1-24, he cannot edit the GPOs. Under the hood, Active Directory doesn’t permit Frank to edit GPOs he didn’t create (and therefore doesn’t own).
In Chapter 2, I’ll show you how to grant specific rights to allow more than just the original creator (and now owner) of the object to edit specific GPOs.
Giving the ability to just link to existing GPOs is a good idea in theory, but often OU administrators are simply given full authority to create their own GPOs (as you’ll see later). For this example, don’t worry about linking to any GPOs. Simply cancel out of the Select GPO screen, close the GPMC, and log off from the server as Frank Rizzo.
Figure 1-24: The GPMC will not allow you to edit an existing GPO if you do not own it (or do not have explicit permission to edit it).
Granting OU Admins Access to Create New Group Policy Objects
By using the “Delegation of Control Wizard” to delegate the “Manage Group Policy links” attribute, you performed half of what is needed to grant the appropriate authority to Frank (and any additional future HR-OU-Admins) to create GPOs in the Group Policy Objects container and link them to the Human Resources OU, the Human Resources Users OU, or the Human Resources Computers OU (though we really don’t want to link many GPOs directly to the Human Resources OU).
You can grant the HR-OU-Admins the ability to create GPOs in the Group Policy Objects container in two ways. For now, I’ll show you the old-school way; in Chapter 2, I’ll show you the GPMC way.
One of Active Directory’s built-in security groups, Group Policy Creator Owners, holds the key to the other half of our puzzle. You’ll need to add those users or groups that you want to have the ability to create GPOs to a built-in group, cleverly named Group Policy Creator Owners. To do so, follow these steps:
1. Log off and log back on as Domain Administrator.
2. Fire up Active Directory Users and Computers.
3. By default, the Group Policy Creator Owners group is located in the Users folder in the domain. Double-click the Group Policy Creator Owners group and add the HR-OU-Admins group and/or Frank Rizzo.
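The same delegation done from PowerShell, with a membership check and an ownership audit that explains the Figure 1-24 behaviour (added example, not the book's own; assumes the RSAT ActiveDirectory and GroupPolicy modules and that the HR-OU-Admins group already exists):

```powershell
# Added example (not from the book): put HR-OU-Admins into Group Policy Creator
# Owners, confirm the membership, then list each GPO's owner and explicit editors.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$creatorOwners = 'Group Policy Creator Owners'
$delegates     = @('HR-OU-Admins')   # Frank gets the right through this group

# Add the delegates, skipping any that are already members.
$current = Get-ADGroupMember -Identity $creatorOwners |
    Select-Object -ExpandProperty SamAccountName
foreach ($d in $delegates) {
    if ($current -notcontains $d) {
        Add-ADGroupMember -Identity $creatorOwners -Members $d
        Write-Host "Added $d to $creatorOwners"
    }
}

# Membership check: who can now create GPOs in this domain (nested members included)?
Get-ADGroupMember -Identity $creatorOwners -Recursive |
    Select-Object SamAccountName, objectClass

# Ownership audit: a creator can only edit GPOs it owns unless it has been granted
# edit permission explicitly, so show both columns side by side for every GPO.
Get-GPO -All | ForEach-Object {
    $gpo = $_
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        Name    = $gpo.DisplayName
        Owner   = $gpo.Owner
        Editors = ($editors -join ', ')
    }
} | Format-Table -AutoSize
```

Run it as a domain administrator; the last table is the one to keep after delegating, since it shows exactly which accounts can change each GPO.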
In Chapter 2, you’ll see an alternate way to allow users to create GPOs.
Creating and Linking Group Policy Objects at the OU Level
At the site level, we hid the Screen Saver option. At the domain level, we chose to get rid of the Sounds option in the Windows 10 Personalization page.
At the OU level, we have two jobs to do:
● Prevent users from changing the mouse pointers (a Windows 7 and later policy setting)
● Restore the Screen Saver option that was taken away at the site level
To create a GPO at the OU level, follow these steps:
1. Since you’re on WIN10MANAGEMENT, log off as Administrator and log back on as Frank Rizzo ([email protected]).
2. Choose Start and type GPMC.MSC in the Start Search prompt.
3. Drill down until you reach the Human Resources Users OU, right-click it, and choose “Create a GPO in this domain, and Link it here” from the context menu to open the New GPO dialog box.
4. In the New GPO dialog box, type the name of your new GPO, say “Hide Mouse Pointers Option / Restore Screen Saver Option.” This will create a GPO in the Group Policy Objects container and link it to the Human Resources Users OU.
5. Right-click the Group Policy link and choose Edit from the context menu to open the Group Policy Management Editor.
6. To hide the mouse pointers option in the Group Policy editor, drill down through User Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Control Panel ⇒ Personalization and double-click the Prevent changing mouse pointers policy setting. Change the setting from Not Configured to Enabled, and click OK.
7. To restore the Screen Saver setting for Windows 10, double-click the Prevent Changing Screen Saver policy setting. Change the setting from Not Configured to Disabled, and click OK.
8. Close the Group Policy Management Editor to return to the GPMC.
By disabling the Hide Screen Saver Tab policy setting, you’re reversing the Enable setting set at a higher level. See the sidebar “The Three Possible Settings: Not Configured, Enabled, and Disabled” later in this chapter.
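The same OU-level GPO built from PowerShell (added example, not the book's own). It assumes the RSAT GroupPolicy module, a domain of corp.com with the OU path shown (the book does not give the distinguished name), and the registry mapping for these two settings as it appears in ControlPanelDisplay.admx; check the mapping against your own ADMX copy before relying on it.

```powershell
# Added example (not from the book): create the OU-level GPO, link it, and set the two
# policy settings. Run as a member of Group Policy Creator Owners (e.g. Frank).
Import-Module GroupPolicy

$gpoName  = 'Hide Mouse Pointers Option / Restore Screen Saver Option'
$targetOU = 'OU=Human Resources Users,OU=Human Resources,DC=corp,DC=com'  # assumed DN
$polKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Create the GPO in the Group Policy Objects container and link it to the OU
# (what "Create a GPO in this domain, and Link it here" does in the GPMC).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes | Out-Null
}

# "Prevent changing mouse pointers" = Enabled. Per ControlPanelDisplay.admx this is
# NoChangingMousePointers = 1 under the Policies\System key (verify in your ADMX).
Set-GPRegistryValue -Guid $gpo.Id -Key $polKey -ValueName 'NoChangingMousePointers' `
    -Type DWord -Value 1 | Out-Null

# "Prevent changing screen saver" = Disabled. Disabled is not Not Configured: it records
# a delete instruction for NoDispScrSavPage, which is what reverses the Enabled setting
# inherited from the site level. -Disable writes exactly that delete entry.
Set-GPRegistryValue -Guid $gpo.Id -Key $polKey -ValueName 'NoDispScrSavPage' -Disable |
    Out-Null

# Read back what the GPO will deliver: PolicyState shows Set for the first value and
# Delete for the second. On the client, confirm with: gpupdate /force ; gpresult /r
Get-GPRegistryValue -Guid $gpo.Id -Key $polKey |
    Select-Object ValueName, Type, Value, PolicyState | Format-Table -AutoSize
```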
Verifying Your Changes at the OU Level
On your test WIN10 machine, log back on as Frank. Because Frank’s account is in the OU, Frank is destined to get the site, domain, and now the new OU GPOs with the policy settings.
On WIN10, right-click the Desktop and choose Personalize from the context menu to open the Display Properties dialog box.
You can now (as Frank) click Themes and then “Go to mouse pointer settings”; you will see what’s shown in Figure 1-25.
You should also now (as Frank) be able to open the Lock Screen page within Personalization and click “Screen saver settings”; it opens as expected.
In Figure 1-25, you can see the before (left) and after (right) when the policy is applied. Look closely, and note that the “Pointers” option in the Mouse Properties applet is removed and that the Screen Saver option is no longer grayed out and is now available.
Figure 1-25: On the top, we have Frank’s Personalization page where Frank can now get to his Screen Saver settings. On the bottom (left) you can see Frank’s Mouse Properties before the policy applies. On the bottom (right) you can see Frank’s Mouse Properties after the policy applies (and note the missing “Pointers” tabs).
This test proves, once again, that even OU administrators are not automatically immune from policy settings. Chapter 2 explains how to change this behavior.
Group Policy Strategy: Should I Create More or Fewer GPOs?
At times, you’ll want to lock down additional functions for a collection of users or computers. For example, you might want to specify that no users in the Human Resources Users OU can use the Control Panel.
At the Human Resources Users OU level, you’ve already set up a GPO that contained a policy