Group Policy. Jeremy Moskowitz
Чтение книги онлайн.

Читать онлайн книгу Group Policy - Jeremy Moskowitz страница 7

Название: Group Policy

Автор: Jeremy Moskowitz

Издательство: John Wiley & Sons Limited

Жанр: Зарубежная образовательная литература

Серия:

isbn: 9781119035688

isbn:

СКАЧАТЬ style="font-size:15px;">      Every Group Policy Object contains two halves: a User half and a Computer half. These two halves are properly called nodes, though sometimes they’re just referred to as either the User half and the Computer half or the User branch and the Computer branch.

A sample Group Policy Object with both the Computer Configuration and User Configuration nodes can be seen in Figure 1-2 (in the upcoming section, “Local Group Policy Editor”). Don’t worry; I’ll show you how to get there in just a second.

note.eps

      Just to make things a little more complicated, if you’re deploying settings using Active Directory (the most usual case) as opposed to walking up and creating a “local GPO” as we do later in Figure 1-2, the interface is a wee bit different and shows the Group Policy Preferences node. Hang tight for more on that.

      The first level under both the User and the Computer nodes contains Software Settings, Windows Settings, and Administrative Templates. If we dive down into the Administrative Templates of the Computer node, underneath we discover additional levels of Windows Components, System, Network, and Printers. Likewise, if we dive down into the Administrative Templates of the User node, we see some of the same folders plus some additional ones, such as Shared Folders, Desktop, Start Menu, and Taskbar.

      In both the User and Computer halves, you’ll see that policy settings are hierarchical, like a directory structure. Similar policy settings are grouped together for easy location. That’s the idea anyway – though, admittedly, sometimes locating the specific policy or configuration you want can prove to be a challenge.

      When manipulating policy settings, you can choose to set either computer policy settings or user policy settings (or both!). You’ll see examples of this shortly. (See the section “Searching and Commenting Group Policy Objects and Policy Settings” in Chapter 2, “Managing Group Policy with the GPMC and via Powershell,” for tricks on how to minimize the effort of finding the policy setting you want.)

note.eps

      Most policy settings are not found in both nodes. However, there are a few that overlap. In that case, if the computer policy setting is different from the user policy setting, the computer policy setting generally overrides the user policy setting. But, to be sure, check the Explain text associated with the policy setting.

      Wait… I Don’t Get It. What Do the User and Computer Nodes Do?

      One of the key issues that new Group Policy administrators ask themselves is, “What the heck is the difference between the Computer and User nodes?”

      Imagine that you had a combination store: Dog Treats (for dogs) and Candy Treats (for kids). That’s right; it’s a strange little store with seemingly two types of incompatible foods under the same roof. You wouldn’t feed the kids dog treats (they’d spit them out and ignore the treat), and you wouldn’t feed the kids’ candy to a dog (because the dogs would spit out the sour candy and ignore the treat).

      That’s the same thing that happens here. Sure, it looks tempting. There are lots of treats on both sides of the store, but only one type of customer will accept each type of treat.

      So, in practical terms, the Computer node (the first part of the policy) contains policy settings that are relevant only for computers. That is, if there’s a GPO that contains Computer-side settings and it “hits” a computer, these settings will take effect. These Computer-side settings could be items like startup scripts, shutdown scripts, and how the local firewall should be configured. Think of this as every setting relevant to the computer itself– no matter who is logged on at that moment.

      The User node (the second part of the policy) contains policy settings that are relevant only for users. Again, if there’s a GPO that contains User-side settings and it “hits” a user, these settings will take effect for that user. These User-side items make sense only on a per-user basis, like logon scripts, logoff scripts, availability of the Control Panel, and lots more. Think of this as every setting relevant to the currently logged-on user – and these settings will follow the user to every machine they pop on to.

      Feeding users dog treats, er, Computer-side settings doesn’t work. Same thing with feeding computers User-side settings. When a GPO hits user objects with Computer policy settings or computer objects with User policy settings, it simply will not do anything. You’ll just sit there and scratch your head and wonder why it doesn’t work. But it’s not that it’s not working; this is how it’s designed.

      Computer settings are for computer objects, and User settings are for user objects. If this is bad news for you, there are two ways to get out of the problem. One way is an in-the-box advanced technique called loopback processing that can help you out. Look for more information on loopback processing in Chapter 4. The other way is via a third-party tool called PolicyPak, which (among other things) can permit computers to embrace User-side settings. More on this in Chapter 6, “Managing Applications and Settings Using Group Policy.

      Active Directory and Local Group Policy

      Group Policy is a twofold idea. First, without an Active Directory, there’s one and only one Group Policy available.

      Officially, this policy directly on the workstation is called a local policy, but it still resides under the umbrella of the concept of Group Policy. Later, once Active Directory is available, the nonlocal (or, as they’re sometimes called, domain-based or Active Directory–based) Group Policy Objects come into play, as you’ll see later. Let’s get started and explore both options.

      Then, here’s the weird thing: after I’ve fully described Active Directory’s Group Policy, we’re going to take a second visit back to Local Group Policy. That’s because with Windows Vista and later, there’s a special superpower I want to show you, but I only want to explain it after we’ve explored the first two concepts. So, in summary, here’s the short-term road map:

      ● Local Group Policy for Windows XP and later

      ● Active Directory Group Policy for all operating systems

      ● Multiple Local Group Policy (MLGPO) for Windows Vista and later

      Trust me; it’s easier to learn it this way, even though we’re taking two passes at one concept.

note.eps

      While you’re plunking around inside the Group Policy editor (also known as the Group Policy Management Editor, or Group Policy Object Editor), you’ll see lots of policy settings that are geared toward a particular operating system. Some are only for specific operating systems, and others are more general. If you happen to apply a policy setting to a system that isn’t listed, the policy setting is simply ignored. For instance, policy settings described as working “Only for Windows 8” machines will not typically work on Windows XP machines. All policy settings have a “Supported on” field that should be consulted to know which operating systems can embrace which policy setting. Many of them will say something like “At least Windows XP” to let you know they’re valid for, say, XP and on.

      Understanding Local Group Policy

      Before we officially dive into what is specifically contained inside this magic of Group Policy or how Group Policy is applied when Active Directory is involved, you might be curious to see exactly what your interaction with Local Group Policy might look like.

      Local СКАЧАТЬ