Title: Group Policy
Author: Jeremy Moskowitz
Publisher: John Wiley & Sons Limited
Genre: Foreign educational literature
ISBN: 9781119035688
Local Group Policy Editor
The most expeditious way to edit the Local Group Policy on a machine is to click Start ⇒ Run and type in GPEDIT.MSC. This pops up the Local Computer Policy Editor.
You are now exploring the Local Group Policy of this workstation. Local Group Policy is unique to each specific machine. To see how a Local Group Policy applies, drill down through the User Configuration ⇒ Administrative Templates ⇒ System ⇒ Ctrl+Alt+Del options and select Remove Lock Computer, as shown in Figure 1-2. As seen in the figure, the default for all policy settings is Not Configured. To make this policy setting perform its magic, choose the Enabled radio button and click OK.
When you do, within a few seconds you should see that if you press Ctrl+Alt+Del, the Lock Computer option is unavailable.
To revert the change, simply reselect Remove Lock Computer and select Not Configured.
You can think of Local Group Policy as a way to perform decentralized administration. A bit later, when we explore Group Policy with Active Directory, we’ll saunter into centralized administration.
This Local Group Policy affects everyone who logs onto this machine – including normal users and administrators. Be careful when making settings here; you can temporarily lock yourself out of some useful functions.
If you’re thinking to yourself, “Yep, I’ve done that,” then stay tuned. After the next section is complete, we’ll return to Local Group Policy and discuss the idea of Multiple Local Group Policy Objects, which can help ensure that you escape from this very jam.
Before we leave Local Group Policy (for now), remember something that I stated in the introduction. That is, many of the settings we’ll explore in this book are available to workstations or servers that aren’t joined to an Active Directory domain. Just poke around here in Local Group Policy to get a feel for what you can and cannot do without Active Directory. However, many functions, like Folder Redirection settings (discussed in Chapter 10, “Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager”), the Software Distribution settings (discussed in Chapter 11, “The Managed Desktop, Part 2: Software Deployment via Group Policy”), and others require Active Directory present to embrace these Group Policy directives.
You can point to other computers’ local policies by using the syntax gpedit.msc /gpcomputer:"targetmachine" or gpedit.msc /gpcomputer:"targetmachine.domain.com"; the machine name must be in quotes.
Figure 1-2: You can edit the Local Group Policy using the Local Group Policy Editor (GPEDIT.MSC).
Active Directory–Based Group Policy
To use Group Policy in the most meaningful way, you’ll need an Active Directory environment. An Active Directory environment needn’t be anything particularly fancy; indeed, it could consist of a single Domain Controller and perhaps just one Windows 10 workstation joined to the domain.
But Active Directory can also grow extensively from that original solitary server. You can think of an Active Directory network as having four constituent and distinct levels that relate to Group Policy:
● The local computer
● The site
● The domain
● The organizational unit (OU)
The rules of Active Directory state the following:
● Every server and workstation must be a member of one (and only one) domain and be located in one (and only one) site.
● Every user must be a member of one (and only one) domain and may also be located within one OU (and only one OU).
One of the most baffling questions people have when they start to dig into Group Policy is, “If a user can only be a member of one OU, how do I apply multiple Group Policy Object directives to one user?” I know it seems almost impossible based on the constraints listed, but I promise I’ll explain exactly how to do that in Chapter 2 in the section “Filtering the Scope of Group Policy Objects with Security.”
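As an added example (not from the book), the following PowerShell script, run on a domain-joined machine with the RSAT ActiveDirectory module available, resolves the site, domain and OU chain that machine sits in and lists the GPOs linked at each of those levels by parsing the gPLink attribute of the corresponding AD objects; the gPLink format and its option bits are taken from Microsoft's documentation, not from this page.

```powershell
# Added example, not from the book: for the computer running this script, walk the
# site, domain and OU levels described above and list the GPOs linked at each one,
# read straight from the gPLink attribute of those AD objects.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# gPLink holds "[LDAP://<GPO DN>;<options>]" entries; in the options value bit 1 means
# the link is disabled and bit 2 means it is enforced (Microsoft's documented format).
function ConvertFrom-GPLink {
    param([string]$Scope, [string]$GPLink)
    if ([string]::IsNullOrWhiteSpace($GPLink)) { return }   # nothing linked at this level
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $opt = [int]$m.Groups[2].Value
        $gpo = Get-ADObject -Identity $m.Groups[1].Value -Properties displayName
        [pscustomobject]@{
            Scope    = $Scope
            GPO      = $gpo.displayName
            Enforced = [bool]($opt -band 2)
            Disabled = [bool]($opt -band 1)
        }
    }
}

# Resolve the AD-side containers this machine belongs to: exactly one site,
# exactly one domain, and the OU chain above its computer object.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$domainDN = (Get-ADDomain).DistinguishedName
$siteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$siteDN   = "CN=$siteName,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Strip one RDN at a time until the parent is no longer an OU; the list ends up
# nearest-OU-first, so reverse it to match the Site -> Domain -> OU processing order.
$ous = @()
$dn = $computer.DistinguishedName -replace '^[^,]+,', ''
while ($dn -like 'OU=*') {
    $ous += $dn
    $dn = $dn -replace '^[^,]+,', ''
}
[array]::Reverse($ous)

$(
    ConvertFrom-GPLink -Scope "Site: $siteName" -GPLink (Get-ADObject -Identity $siteDN -Properties gPLink).gPLink
    ConvertFrom-GPLink -Scope 'Domain' -GPLink (Get-ADObject -Identity $domainDN -Properties gPLink).gPLink
    foreach ($ou in $ous) {
        ConvertFrom-GPLink -Scope "OU: $ou" -GPLink (Get-ADObject -Identity $ou -Properties gPLink).gPLink
    }
) | Format-Table -AutoSize
```

The output shows where GPOs are linked, not what finally applied: link order within a level, security filtering and WMI filters are not reflected here, so compare it against gpresult /r on the same machine.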
Full Windows vs. Windows RT and What It Means for Group Policy
Windows has two big flavors: full Windows and Windows RT.
Windows RT is the tablet edition that runs on ARM-based devices. Microsoft is not permitting Windows RT machines to join Active Directory. Therefore, there is no way to get Active Directory–based Group Policy on Windows RT. However, Windows RT will support Local Group Policy.
In this book we’re not going to be spending much time on Windows RT, because most of what we’ll do, we’ll do within the domain – and Windows RT machines are left out of the fun.
Windows RT has some non–Group Policy management capability so that administrators can control basic security settings. For more information about this feature, visit
Sadly, Windows RT has been out a few years (since the birth of Windows 8) and there still isn’t any way to manage these devices using Group Policy. If there ever comes a time that Windows RT machines can join the domain and get Active Directory Group Policy, I’ll write about it at www.GPanswers.com. But don’t hold your breath, as all indications suggest Windows RT will likely be deprecated and Microsoft will only be updating Windows RT to keep the lights on.
Group Policy and Active Directory
As you saw, when Group Policy is created at the local level, everyone who uses that machine is affected by those wishes. But once you step up and use Active Directory, you can have nearly limitless Group Policy Objects (GPOs) – with the ability to selectively decide which users and which computers will get which wishes (try saying that five times quickly). The GPO is the vessel that stores these wishes for delivery.
Actually, you can have only 999 GPOs applied and affecting a user or a computer before the system “gives up” and won’t apply any more.
You’ll create GPOs using the Group Policy Management Console, or GPMC for short. The GPMC can be added to a Windows Server 2016 computer or Domain Controller (see the section “Using a Windows Server 2016 Machine as Your Management Station”). The GPMC can also be added to a Windows 7, Windows 8, Windows 8.1, or Windows 10 machine via an extra download and install called RSAT. RSAT stands for Remote Server Administration Tools, and after installing it, you’ll find tools like Active Directory Users and Computers as well as the GPMC, which we’ll use right around the bend.
When we create a GPO that can be used in Active Directory, two things happen: we create some brand-new entries within Active Directory, and we automatically create some brand-new files within our