Group Policy. Jeremy Moskowitz

Title: Group Policy

Author: Jeremy Moskowitz

Publisher: John Wiley & Sons Limited

Genre: Foreign educational literature

ISBN: 9781119035688
built into Windows Server 2016, but it’s not installed unless the machine is also a Domain Controller. The GPMC isn’t built into Windows 10 and is only available through the downloadable RSAT tools.

      Even though most of the examples of a target computer are Windows 10 in this book, you can usually substitute a Windows 7 or 8 machine as your target and see similar (if not often identical) results.

      The more you use and implement GPOs in your environment, the better you’ll become at their basic use while at the same time avoiding pitfalls when it comes to using them. The following tips are scattered throughout the chapter but are repeated and emphasized here for quick reference, to help you along your Group Policy journey:

      GPOs don’t “live” at the site, domain, or OU level. GPOs “live” in Active Directory and are represented in the swimming pool of the domain called the Group Policy Objects container. To use a GPO, you need to link a GPO to a level in Active Directory that you want to affect: a site, a domain, or an OU.

      GPOs apply locally and also to Active Directory sites, domains, and OUs. There is a local GPO that can be used with or without Active Directory. Everyone on that computer must embrace that local GPO. Then, Active Directory Group Policy Objects apply: site, domain, and then OU. Active Directory GPOs “trump” any local policy settings if set within the Local Group Policy. Active Directory is a hierarchy, and Group Policy takes advantage of that hierarchy.

      Avoid using the site level to implement GPOs. Users can roam from site to site by jumping on different computers (or plugging their laptop into another site). When they do, they can be confused by the settings changing around them. Use GPOs linked to the site only to set up special sitewide security settings, such as IPsec or the Internet Explorer Proxy. Use the domain or OU levels when creating GPOs whenever possible.

      Implement common settings high in the hierarchy when possible. The higher up in the hierarchy GPOs are implemented, the more users they affect. You want common settings to be created and set one time. It’s not optimal to create many GPOs performing the same functions at other lower levels, which will just clutter your view of Active Directory with the multiple copies of the same policy setting.

      Implement unique settings low in the hierarchy. If a specific collection of users is unique, try to round them up into an OU and then apply Group Policy to them. This is much better than applying the settings high in the hierarchy and using Group Policy filtering later.

      Use more GPOs at any level to make things easier. When creating a new wish, isolate it by creating a new GPO. This will enable easy revocation by unlinking it should something go awry.

      Strike a balance between having too many and too few GPOs. There is a middle ground between having one policy setting within a single GPO and having a bajillion policy settings contained within a single GPO. At the end of your design, the goal is to have meaningfully named GPOs that reflect the “wishes” you want to accomplish. If you should choose to end those wishes, you can easily disable or delete a specific GPO.

      As you go on your Group Policy journey… Don’t go at it alone. There are some nice third-party independent resources to help you on your way. I run www.GPanswers.com, which has oodles of resources, downloads, a community forum, downloadable eChapters, video tutorials, links to third-party software, and my in-person and online versions of my hands-on training seminars. Think of it as your secret Group Policy resource.

      My pal (and technical editor for this edition of the book) Alan Burchill runs www.grouppolicy.biz and has a wonderful set of step-by-step articles and tips and tricks and such.

      My pal (and technical editor for a previous edition) Darren Mar-Elia runs “GPO Guy,” which is part of his software company, SDM Software. Check it out at http://sdmsoftware.com/gpoguy/.

      My pal (and technical editor for a previous edition) Jakob Heidelberg has a lot of great articles (mostly on Group Policy topics) at www.heidelbergit.dk/.

      Chapter 2

      Managing Group Policy with the GPMC and via PowerShell

      In Chapter 1, “Group Policy Essentials,” you got to know how and when Group Policy works. We used Active Directory Users and Computers to create and manage users and computers, but we used the Group Policy Management Console (GPMC) to manage Group Policy. We got a little workout with the GPMC when creating new GPOs and linking them to various levels in Active Directory.

      And, for just a moment, we went back to the old-school way to delegate control to Frank and the HR-OU-Admins group to link existing GPOs to their Human Resources OU structure.

      In this chapter, I’ll cover the remainder of the daily tasks you can perform using the GPMC. As a reminder, the GPMC is for all implementations of Active Directory. That is, you can use the GPMC to manage your Active Directory – whatever the Domain Controllers are that constitute it.

      You just need the GPMC loaded up on some machine. Now, in the previous chapter, I put a pretty fine point on it: you want this machine to be one of the latest machines possible, either a Windows 10 or a Windows Server 2016 machine. There are some older editions, but I don’t recommend you use them.

      For this edition of the book, I’ve decided to also show the PowerShell equivalent of the GPMC process. In other words, for almost all the things you can do in the GPMC, you could, if you wanted, use PowerShell.

      But first, let’s answer the question, Why would you want to do the items within the GPMC using PowerShell? Said another way, if the clickety-clicks are straightforward and easy, why would you want to make it harder on yourself and typety-type your way through the same process?

      The answer to that would be if you need to do anything that’s a repeatable process. For instance, in this chapter, you’re going to learn how to do things like this:

      ● Create a Group Policy Object and give it a name.

      ● Link a Group Policy Object to an OU.

      ● Order Group Policy Objects at a level, say, the OU level.

      Yep, I’m definitely going to show you how to clickety-click your way to success here. But I’m also going to show you the typety-type way using PowerShell. So if you needed to do the same thing over and over again, you could recycle the typety-types and make it a repeatable script.
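      The three tasks listed above, combined into one re-runnable script, as an added example that is not taken from the book. It uses the GroupPolicy module that ships with the GPMC/RSAT; the GPO name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example (not the book's code). Requires the GroupPolicy module (GPMC / RSAT)
# and rights to create GPOs and link them at the target OU.
Import-Module GroupPolicy

# Hypothetical values: replace with your own GPO name and OU distinguished name.
$GpoName = 'HR - Screen Lock Timeout'
$Target  = 'OU=Human Resources,DC=corp,DC=example'

# 1. Create the GPO and give it a name, but only if it does not exist yet,
#    so the script can be run repeatedly without creating duplicates.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'One wish per GPO; unlink to revoke.'
}

# 2. Link the GPO to the OU unless it is already linked at that level.
#    GpoLinks lists only the links made directly on this OU (not inherited ones).
$links = (Get-GPInheritance -Target $Target).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
}

# 3. Order the GPOs at this level: link order 1 has the highest precedence
#    among the GPOs linked to the same OU.
Set-GPLink -Guid $gpo.Id -Target $Target -Order 1 | Out-Null

# Review the resulting link order so the change can be checked and recorded.
(Get-GPInheritance -Target $Target).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# To revoke the "wish" later, unlink it without deleting the GPO:
# Remove-GPLink -Guid $gpo.Id -Target $Target
```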

      If you wanted to fully ignore all the PowerShell text, and focus just on the GPMC clickety-clicks, you could do that.

      Also, that being said, I’m not going to be going deep into PowerShell, syntax rules, or actually making scripts. There are zillions of PowerShell tutorials and books that talk about how to do that. And, one of the appendices, entitled “Scripting Group Policy Operations with Windows PowerShell,” has a mini-section right at the top entitled “Preparing for Your PowerShell Experience.” There you’ll learn what I think are the three most important pieces of getting started with PowerShell:

      ● Getting PowerShell up and running

      ● Downloading the latest help from Microsoft

      ● Setting up to run actual scripts (which shouldn’t be needed for the one-liners in this chapter)

      So,