Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
ISBN: 9781119035688
To find and move computers into a specific OU, follow these steps:
1. In Active Directory Users and Computers, right-click the domain, and choose Find from the context menu to open the “Find Users, Contacts, and Groups” dialog box.
2. From the Find drop-down menu, select Computers. In the Name field, type WIN10 to find the computer account of the same name. Once you’ve found it, right-click the account and choose Move from the context menu, as shown in Figure 1-27. Move the account to the Human Resources Computers OU.
3. Now that you’ve moved WIN10 (or other example machines) into the new OU, be sure to reboot those client computers.
After you move the computer accounts into the Human Resources Computers OU, it’s very important to reboot your client machines. As you’ll see in Chapter 3, the computer does not recognize the change right away when computer accounts are moved between OUs.
As you can see in this example (and in the real world), a best practice is to separate users and computers into their own OUs and then link GPOs to those OUs. Indeed, underneath a parent OU structure, such as the Human Resources OU, you might have more OUs (that is, Human Resources Laptops OU, Human Resources Servers OU, and so on). This will give you the most flexibility in design between delegating control where it’s needed and the balance of GPO design within OUs. Just remember that for GPOs to affect either a user or computer, that user or computer must be within the scope of the GPO – site, domain, or OU.
Figure 1-27: Use the Find command to find computers in the domain, then right-click the entry and select Move to move them.
Verifying Your Cumulative Changes
At this point, you’ve set up three levels of Group Policy that accomplish multiple actions:
● At the site level, the “Hide Screen Saver Option” GPO is in force for users.
● At the domain level, the “Prohibit Changing Sounds” GPO is in force for users.
● In the Human Resources Users OU, the “Hide Mouse Pointers Option/Restore Screen Saver Option” GPO is in force for users.
● In the Human Resources Computers OU, the “Auto-Launch calc.exe” GPO is in force for computers.
At this point, take a minute to flip back to Figure 1-11 (the swimming pool illustration) to see where we’re going here. To see the accumulation of your policy settings inside your GPOs, you’ll need to log on as a user who is affected by the Human Resources Users OU and at a computer that is affected by the Human Resources Computers OU. Therefore, log on as Frank Rizzo at WIN10.
If you’re using Windows 10, right-click the Desktop and choose Personalize. Note that the removal of “Change mouse pointers” is still in force (and the Screen Saver entry is restored). And, when you logged in as Frank Rizzo, did the computer GPO autolaunch Windows Calculator?
These tests prove that even OU administrators are not automatically immune from GPOs and the policy settings within. Under the hood, they are in the Authenticated Users security group. See Chapter 2 for information on how to modify this behavior.
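The find-and-move steps and the verification described above, as an added PowerShell example that is not from the book: it moves WIN10 into the Human Resources Computers OU with the RSAT ActiveDirectory module, reboots it, and then lists which GPOs applied at computer and user scope from a Group Policy Results report. The OU distinguished name (DC=corp,DC=example) and Frank Rizzo's account name (CORP\frizzo) are placeholders, and the user-scope half assumes Frank has already logged on to WIN10 once, since that is what a logging-mode report is built from.

```powershell
# Added example, not from the book. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computerName = 'WIN10'
$userAccount  = 'CORP\frizzo'   # placeholder for Frank Rizzo's domain account
# Placeholder DN: swap DC=corp,DC=example for your own domain components.
$targetOu = 'OU=Human Resources Computers,OU=Human Resources,DC=corp,DC=example'

# Steps 1-2: locate the computer account (what Find > Computers does) and move it,
# unless it already sits in the target OU.
$computer = Get-ADComputer -Identity $computerName
if ($computer.DistinguishedName -notlike "CN=*,$targetOu") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
}

# Step 3: reboot so the client re-reads its OU membership (see Chapter 3), and wait
# until remoting is back before asking it for a report.
Restart-Computer -ComputerName $computerName -Force -Wait -For PowerShell -Timeout 600

# Verification: build a Group Policy Results (RSoP logging mode) report and list the
# GPOs that applied. Ascending SOMOrder/LinkOrder is processing order (local, site,
# domain, OU), so on a conflict the last row wins: the "swimming pool" accumulation.
function Get-AppliedGpoList {
    param([Parameter(Mandatory)]$Results)   # the ComputerResults or UserResults node
    $Results.GPO |
        Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' } |
        Sort-Object { [int]$_.Link.SOMOrder }, { [int]$_.Link.LinkOrder } |
        Select-Object Name, @{ n = 'LinkedTo'; e = { $_.Link.SOMPath } }
}

$report = Join-Path $env:TEMP 'win10-rsop.xml'
Get-GPResultantSetOfPolicy -Computer $computerName -User $userAccount -ReportType Xml -Path $report | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw

'Computer GPOs (should include "Auto-Launch calc.exe"):'
Get-AppliedGpoList -Results $rsop.Rsop.ComputerResults | Format-Table -AutoSize
'User GPOs (site, domain, then Human Resources Users OU):'
Get-AppliedGpoList -Results $rsop.Rsop.UserResults | Format-Table -AutoSize
```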
The Three Possible Settings: Not Configured, Enabled, and Disabled
As you saw in Figure 1-2 earlier in this chapter, nearly all administrative template policy settings can be set as Not Configured, Enabled, or Disabled. These three settings have very different consequences, so it’s important to understand how each works.
Not Configured The best way to think about Not Configured is to imagine that it really says, “Don’t do anything” or even “Pass through.” Why is this? Because if a policy setting is set to Not Configured, then it honors any previously set setting (or the operating system default).
Enabled When a specific policy setting is enabled, the policy will take effect. In the case of the Prohibit Changing Sounds policy setting, the effect is obvious. However, lots of policy settings, once enabled, have myriad possibilities inside the specific policy setting! (For a gander at one such policy setting, use the Group Policy Management Editor and drill down to User Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Windows Components ⇒ Internet Explorer ⇒ Toolbars and select the policy setting named Configure Toolbar Buttons.) So, as you can see, Enabled really means “Turn this policy setting on.” Either it will then do what it says or there will be more options inside the policy setting that can be configured.
Disabled This setting leads a dual life:
● Disabled usually means that if the same policy setting is enabled at a higher level, reverse its operation. For example, we chose to enable the Prevent Changing Screen Saver policy setting at the site level. If at a lower level (say, the domain or OU level), we chose to disable this policy setting, the Screen Saver option will pop back at the level at which we disabled this policy. You can think of Disabled (usually) as “reverse a policy setting coming from a higher level.”
● Disabled sometimes has a special and, typically, rare use. That is, something might already be hard-coded into the Registry to be “turned on” or work one way, and the only way to turn it off is to select Disabled. One such policy setting is the Shutdown Event Tracker. You disable the policy setting, which turns it off, because in servers, it’s already hard-coded on. In workstations, it’s already hard-coded off. Likewise, if you want to kill the firewall for Windows XP (and later), you need to set Windows Firewall: Protect All Network Connections to Disabled. (You can find that policy setting at Computer Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Network ⇒ Network Connections ⇒ Windows Firewall ⇒ Domain Profile, and also under Standard Profile.) Again, you set it to Disabled because the firewall’s defaults are hard-coded to on, and by disabling the policy setting, you’re “reverting” the behavior back.
So, think of Not Configured as having neither Allow nor Deny set. Enabled will turn it on, and it will possibly have more functions. Disabled has multiple uses, so be sure to first read the help text for each policy setting. Most of the time, the help text spells out directly what Enabled and Disabled do for that particular setting. Last, test, test, test to make sure that once you’ve manipulated a policy setting, it’s doing precisely what you had in mind.
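A small model of the three states, added here as example code rather than anything from the book: it walks the chapter's site, domain and OU links in processing order, treats Not Configured as pass-through, lets Enabled and Disabled overwrite whatever a higher level set, and uses an OS-default table for the hard-coded case (the Shutdown Event Tracker on servers). The GPO and setting names are the chapter's; the on/off labelling of each result is an assumption made for illustration.

```powershell
# Added example, not from the book: resolves the effective state of each setting across
# links listed in processing order (site, then domain, then OU; last writer wins).
function Resolve-PolicyState {
    param(
        [Parameter(Mandatory)][hashtable[]]$Links,   # each: Level, Gpo, Setting, State
        [hashtable]$OsDefaults = @{}                 # what the OS does when nothing configures a setting
    )
    $effective = [ordered]@{}
    foreach ($link in $Links) {
        $name = $link.Setting
        if (-not $effective.Contains($name)) {
            # First time we see this setting: start from the OS default (assumed 'off' unless told otherwise).
            $default = if ($OsDefaults.ContainsKey($name)) { $OsDefaults[$name] } else { 'off' }
            $effective[$name] = @{ Result = "$default (OS default)"; DecidedBy = '(nothing configured)' }
        }
        switch ($link.State) {
            'Not Configured' { }    # pass through: honour whatever a higher level or the OS already set
            'Enabled'  { $effective[$name] = @{ Result = 'on';  DecidedBy = "$($link.Gpo) [$($link.Level)]" } }
            'Disabled' { $effective[$name] = @{ Result = 'off'; DecidedBy = "$($link.Gpo) [$($link.Level)]" } }
        }
    }
    foreach ($entry in $effective.GetEnumerator()) {
        [pscustomobject]@{ Setting = $entry.Key; Result = $entry.Value.Result; DecidedBy = $entry.Value.DecidedBy }
    }
}

# The chapter's three levels, in the order Group Policy processes them.
$links = @(
    @{ Level='Site';   Gpo='Hide Screen Saver Option';                               Setting='Prevent changing screen saver';   State='Enabled' }
    @{ Level='Domain'; Gpo='Prohibit Changing Sounds';                               Setting='Prevent changing sounds';         State='Enabled' }
    @{ Level='Domain'; Gpo='Prohibit Changing Sounds';                               Setting='Prevent changing screen saver';   State='Not Configured' }
    @{ Level='OU';     Gpo='Hide Mouse Pointers Option/Restore Screen Saver Option'; Setting='Prevent changing mouse pointers'; State='Enabled' }
    @{ Level='OU';     Gpo='Hide Mouse Pointers Option/Restore Screen Saver Option'; Setting='Prevent changing screen saver';   State='Disabled' }
    @{ Level='OU';     Gpo='Hide Mouse Pointers Option/Restore Screen Saver Option'; Setting='Shutdown Event Tracker';          State='Not Configured' }
)

# Servers ship with the Shutdown Event Tracker hard-coded on; Not Configured leaves it on,
# and only Disabled would turn it off.
Resolve-PolicyState -Links $links -OsDefaults @{ 'Shutdown Event Tracker' = 'on (server)' } | Format-Table -AutoSize
```

The screen saver row comes out 'off', decided by the OU GPO, because its Disabled reversed the site-level Enabled, while the domain's Not Configured changed nothing on the way down.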
Final Thoughts
The concepts here are valid regardless of what your domain is running. It doesn’t matter if you have a pure or mixed Active Directory domain with various and sundry Domain Controller types. The point is that to make the best use of Group Policy, you’ll need an Active Directory.
You’ll also need a Windows 10 or Windows Server 2016 management station to do your Group Policy work. Again, we talk more about why you need a Windows 10 management station in Chapters 3 and 6 and elsewhere.