Group Policy. Jeremy Moskowitz

Title: Group Policy

Author: Jeremy Moskowitz

Publisher: John Wiley & Sons Limited

Genre: Foreign educational literature

ISBN: 9781119035688

this chapter, and do the clickety-clicks.

      2. If you’re already reasonably PowerShell savvy, then just go for the PowerShell examples in this chapter if you want to try them out.

      3. If you’re warming up to PowerShell, jump to the appendix entitled “Scripting Group Policy Operations with Windows PowerShell” and read the section “Preparing for Your PowerShell Experience,” get set up, then come back to this chapter as a reference for most of what can be done with Group Policy and PowerShell.

      Again, you should have already created your management station with the GPMC in the previous chapter. Remember, if you don’t use a Windows 10 machine (or Windows Server 2016) as your management station, you won’t have access to all the latest awesome powers in the Group Policy arsenal. In this chapter, you’re going to be working again with your WIN10MANAGEMENT machine where you’ve already loaded the updated GPMC.

      With that in mind, let’s get to know the GPMC a bit better.

      I’m going to assume you’ve already installed the GPMC on either your Windows 10 management station (WIN10MANAGEMENT) or your Windows Server 2016 Domain Controller (DC01). If you haven’t tackled those installation steps, go back to Chapter 1 and find the section “Implementing the GPMC on Your Management Station.”

      Once you’re ready to get started, from the Start screen, type GPMC.MSC.

      Common Procedures with the GPMC and PowerShell

      In Chapter 1, we created and linked some GPOs, which we can see in the Group Policy Objects container, to determine how, at each level, we were affecting our users. In the following sections, we’ll continue by working with some advanced options for applying, manipulating, and using Group Policy.

      Since we didn’t use PowerShell at all in the last chapter to create and link GPOs, let’s take 30 seconds to do the equivalent of what we did in the last chapter and do it right here, right now, using PowerShell. In short, let’s create a new, blank Group Policy Object, call it GPO123, then link it to the Human Resources Users OU (which is tucked within the Human Resources OU, which itself is within the domain Corp.com).

      Before we get started though, if you’re using an older version of Windows (and/or an older version of PowerShell) you might need to specify the command to import the Group Policy cmdlets before you get anything useful to happen. So if nothing appears to be working in PowerShell, start out with the command import-module grouppolicy (which can be seen in Figure 2-1).

      If you are not running as the Built-In Administrator account, you will need to launch a PowerShell prompt with Administrator permissions, because what you are doing requires elevated access. You can do this by right-clicking the PowerShell shortcut and then clicking the “Run as Administrator” option.

      Now, here are the two PowerShell commands you could type to do the job.

      Once you are running with Administrator permissions, you’re ready to continue on as follows. For instance, to create a new Group Policy Object, it’s as simple as:

      or

      Note how the domain name is preceded by dc= and the OUs (parent and child) are preceded by ou= in the PowerShell command.

      The result can be seen in Figure 2-1.

      Note that this didn’t do any real “work” inside the Group Policy Object; it just created it and linked it to our existing OU. If we go back to using the GPMC, you should be able to refresh the GPMC and then verify that the Group Policy Object is now linked to the right OU.
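      The create-and-link operation described above, written out as an added example (it is not the book's own listing). It uses the GPO name, OUs and domain from the text, runs from an elevated prompt, and adds a re-run check and a link verification that the text does not describe:

```powershell
# Added example. GPO123, the two OUs and corp.com are the names used in the text.
Import-Module GroupPolicy   # required explicitly on older PowerShell versions

$gpoName = 'GPO123'
# Child OU first, then parent OU, then the domain components.
$target  = 'ou=Human Resources Users,ou=Human Resources,dc=corp,dc=com'

# Create the blank GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Blank GPO created from PowerShell'
}

# Read the links already present on the OU and add ours only if it is missing.
$existing = (Get-GPInheritance -Target $target).GpoLinks
if ($existing.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Verify the result: the link should be listed, enabled and not enforced.
(Get-GPInheritance -Target $target).GpoLinks |
    Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, GpoId, Enabled, Enforced, Order

# The same create-and-link can be done in one pipeline:
#   New-GPO -Name 'GPO123' | New-GPLink -Target $target
```

      The final query shows the same information the GPMC displays after a refresh, which makes it usable as a change record when GPOs are created from scripts.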

      While still in the GPMC, clicking a GPO (or a link) lets you get more information about what it does. For now, feel free to click around, but I suggest that you don’t change anything until we get to the specific examples.

Figure 2-1: You can create and link GPOs using PowerShell. Be sure to put items with spaces in double quotes.

      Various tabs are available to you once you click the GPO or a link. For instance, let’s locate the GPO that’s linked to the Human Resources Users OU. We’ll do this by drilling down to Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Human Resources ⇒ Human Resources Users and clicking the one GPO that’s linked there: “Hide Mouse Pointers Option/Restore Screen Saver Option.” With that in mind, let’s examine the various sections of a policy setting; you can flip through each of the tabs to get more information about the GPO you just found.

      The Scope Tab Clicking a GPO or a GPO link opens the Scope tab. The Scope tab gives you an at-a-glance view of where and when the GPO will apply. We’ll examine the Scope tab in the sections “Deleting and Unlinking Group Policy Objects” and “Filtering the Scope of Group Policy Objects with Security” later in this chapter and in the WMI section of Chapter 4. For now, you can see that the “Hide Mouse Pointers Option/Restore Screen Saver Option” GPO is linked to the Human Resources Users OU. But you already knew that.

      Using Microsoft’s own Group Policy PowerShell cmdlets to detail what Group Policy Objects are linked where is possible, but actually a little tricky. So, we cover how to do that in the PowerShell appendix, in the section “Documenting GPO Links.”

      That being said, there is another quick way to do this, if you’re willing to download a third-party (but free) PowerShell cmdlet set from my pal Darren Mar-Elia from SDM Software at:

      http://sdmsoftware.com/group-policy-management-products/freeware-group-policy-tools-utilities/.

      You’re looking for the SDM GPMC PowerShell cmdlets.

      Once the set is downloaded and installed, just re-open PowerShell, then import his cmdlets and run Darren’s command Get-SDMgplink, which lists all GPOs at a level. You simply specify the level. The two commands would be:

      The result using the free SDM GPMC PowerShell cmdlet can be seen here. You can see that the line starting with Name details the one Group Policy Object (in my case) that is linked to that particular scope.
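      One way to document GPO links with only the built-in Group Policy cmdlets, as an added example (it is neither the book's appendix script nor the SDM cmdlets). The function name Get-GpoLinkInventory is hypothetical; it reads the link data from each GPO's XML report:

```powershell
# Added example. Get-GpoLinkInventory is a hypothetical helper name.
Import-Module GroupPolicy

function Get-GpoLinkInventory {
    # Emits one row per (GPO, link). A GPO linked nowhere gets one row
    # with an empty LinkedTo, so unlinked GPOs stay visible in the output.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        if ($links.Count -eq 0) {
            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoStatus   = $gpo.GpoStatus
                LinkedTo    = $null
                LinkEnabled = $null
                Enforced    = $null
            }
            continue
        }
        foreach ($link in $links) {
            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoStatus   = $gpo.GpoStatus
                LinkedTo    = $link.SOMPath      # domain/OU path of the link
                LinkEnabled = $link.Enabled
                Enforced    = $link.NoOverride   # report's name for "Enforced"
            }
        }
    }
}

$inventory = Get-GpoLinkInventory

# Everything linked at the OU discussed in the text.
$inventory | Where-Object LinkedTo -like '*Human Resources Users' |
    Format-Table GpoName, LinkedTo, LinkEnabled, Enforced -AutoSize

# GPOs that exist but apply nowhere: candidates for review or cleanup.
$inventory | Where-Object { -not $_.LinkedTo } | Select-Object GpoName, GpoStatus
```

      Exporting $inventory with Export-Csv on a schedule gives a baseline to compare against when reviewing who changed which links.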

      The Details Tab The Details tab contains information describing who created the GPO (the owner) and the status (Enabled, Disabled, or Partially Disabled) as well as some nuts-and-bolts information about its underlying representation in Active Directory (the GUID). We’ll examine the Details tab in the sections “Disabling ‘Half’ (or Both Halves) of the Group Policy Object” and “Understanding GPMC’s Link Warning” later in this chapter.

      Should you change the GPO status here by, say, disabling the User Configuration of the policy, you’ll be affecting all other levels in Active Directory that might be using this GPO by linking to it. See the section “Understanding GPMC’s Link Warning” as well as the sidebar “On GPO