Название: Group Policy
Автор: Jeremy Moskowitz
Издательство: John Wiley & Sons Limited
Жанр: Зарубежная образовательная литература
isbn: 9781119035688
isbn:
Using PowerShell, the cmdlet would be as follows to set a specific Group Policy Object (“Enforce 40 MB Disk Quota”) to link order 2:
Again – the “most last” applied GPO wins. So the GPO with a link order of 1 is always applied last and, hence, has the final say at that level. This is always true unless the Enforced function is used (as discussed later).
Understanding GPMC’s Link Warning
In the previous chapter, I pointed out that anytime you click a GPO link, you get the informational (or perhaps it’s more of a warning) message shown in Figure 2-3.
Figure 2-3: You get this message anytime you click the icon for a link.
This message is trying to convey an important sentiment: No man is an island, and neither is a Group Policy Object. Just because you created a GPO and it is seen swimming in the Group Policy Objects container doesn’t mean you’re the only one who is possibly using it.
As we work through examples in this chapter, we’ll manipulate various characteristics of GPOs and links to GPOs. If we manipulate any characteristics of a GPO we’re about to play with, such as the following, then all other levels in Active Directory that also link to this GPO will be affected by our changes:
● The underlying policy settings themselves
● The security filtering (on the Scope tab)
● The WMI filtering (on the Scope tab)
● The GPO status (on the Details tab)
● The delegation (on the Delegation tab)
For instance, imagine you had a GPO linked to an OU called Doctors and the same GPO linked to an OU called Nurses. If you edit the GPO in the swimming pool, or click the link to the GPO in either Doctors or Nurses and click Edit, you’re doing the same thing. Any changes made within the GPO affect both the Doctors OU and the Nurses OU.
This is sometimes a tough concept to remember, so it’s good to see it here again. You can choose to squelch the tip if you like. Just don’t forget its advice.
The difference between the GPO itself and the links you can create can be confusing. Be sure to check out the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter.
Another way to see this principle in action is by locating the “Auto-Launch calc.exe” GPO in either the link in the Human Resources Computers OU or the object itself within the Group Policy Objects container. Next, go to the Details tab and change the GPO status to some other setting. Then, go to the link or the actual GPO and see that your changes are reflected. You can even create a new OU, link the GPO, and still see that the change is there. This is because you’re manipulating the actual GPO, not the link. If you choose to squelch the message, you can get it back by choosing View ⇒ Options ⇒ General and selecting “Show confirmation dialog to distinguish between GPOs and GPO links.”
Stopping Group Policy Objects from Applying
After you create your hierarchy of Group Policy that applies to your users and computers, you might occasionally want to temporarily halt the processing of a GPO – usually because a user is complaining that something is wrong. You can prevent a specific GPO from processing at a level in Active Directory via several methods, as explained in the following sections.
Конец ознакомительного фрагмента.
Текст предоставлен ООО «ЛитРес».
Прочитайте эту книгу целиком, купив полную легальную версию на ЛитРес.
Безопасно оплатить книгу можно банковской картой Visa, MasterCard, Maestro, со счета мобильного телефона, с платежного терминала, в салоне МТС или Связной, через PayPal, WebMoney, Яндекс.Деньги, QIWI Кошелек, бонусными картами или другим удобным Вам способом.