Group Policy Objects, Part 1

Group Policy Objects

Starting with Windows NT 4.0, Microsoft introduced System Policy, a mechanism for using the registry to "lock down" specific portions of user desktops to prevent users from tweaking the configuration. System Policy was a significant step forward in centralized administration. However, it didn't completely address most enterprise issues related to reducing the Total Cost of Ownership (TCO), such as:

- Software distribution
- Configuration management
- Security management

Because of this, Microsoft continued its research and developed Group Policy Objects (GPOs), which, starting with Windows 2000, have replaced System Policy.

Note: Group Policy is implemented only on Windows 2000 and later. Windows NT 4.0 doesn't support the storage or processing of GPOs. However, Windows 2000 and its successors can process the old-style Windows NT 4.0 System Policies (such as Ntconfig.pol) when a user logs on to a Windows NT 4.0 domain from a computer running Windows 2000, Windows XP, or Windows Server 2003.

A local GPO exists on every workstation or server running Windows 2000, Windows XP, or Windows Server 2003. By default, a local GPO is stored in the folder %SystemRoot%\System32\GroupPolicy. The local GPO is a standalone object; you must manage it on each computer running Windows 2000 or later using the MMC Group Policy snap-in. Except for its prominence on individual computers, Group Policy shows its power in the AD infrastructure. For example, some of the GPO capabilities available in an AD-based domain environment (centralized software deployment, folder redirection, etc.) are not available on local GPOs. For GPOs to fulfill their real promise, it is necessary to deploy Active Directory and start migrating all workstations and servers to Windows 2000 or later.

One of the key features in Microsoft's Change and Configuration Management (CCM) strategy is the ability to use AD as a kind of application repository. For example, in an AD infrastructure you can advertise applications such as Word, Excel, or Visio as AD objects. These can be distributed to and installed by end users, depending upon where the objects related to the users or their computers reside in the directory. The name of the feature you use for this advertisement function is Software Installation.

Specifically, Software Installation is defined within a Group Policy Object (GPO). GPOs are AD objects that can be applied to a local machine, site, domain, or organizational unit (OU). As with Group Policy in Windows 2000, Group Policies in Windows Server 2003 can be applied to containers: entire sites, domains, or OUs. A GPO is linked to a container and applied only to the computers or users whose accounts exist within it. It is rarely efficient or practical to implement site policies, so most policies will be implemented at the domain or OU level. In addition to domain policies, a local Group Policy is configured and can be adjusted on individual workstations or servers.

Note: The acronym LSDOU (Local, Site, Domain, OU) is used to describe the cumulative order in which GPOs are applied to users and machines. Each policy is applied during boot or logon. The local policy is applied first, then the domain policy, then the OU policy. Even within these containers, GPO application is cumulative. For example, if we have three OUs — OU1, OU2, and OU3 — the policies linked to OU1 are applied to the users and computers listed in OU2. Policies in OU1 and OU2 are applied to OU3. If a setting is not configured in a previous GPO, the new GPO's setting will be applied. If the new GPO and the old GPO have a conflicting setting, the conflict is resolved by applying the new GPO's setting. But if this setting is not configured, the previous one will remain.

It is important to understand the effect GPOs have on the system registry and how they interrelate and interact with it. GPOs are multifunction AD objects, which comprise multiple nodes (Fig. 11.4). Each node within a GPO provides a different kind of control over computers (Computer Configuration node) or users (User Configuration node).

Figure 11.4: GPOs are multifunction AD objects composed of multiple nodes, each providing a different control over computers or users.

Table 11.1 summarizes the most common per-computer and per-user nodes available in GPOs.

Table 11.1: Available Functionality Nodes in Group Policy Objects

| Computer or user: Node name | Description |
| --- | --- |
| Computer: Software Settings: Software Installation | Computer-based deployment of applications |
| Computer: Windows Settings: Security Settings | Computer-based configuration of security (includes items such as account policy, audit policy, and event log configurations) |
| Computer: Windows Settings: | Specification of computer startup and shut ... |
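The LSDOU note above describes a merge in which later GPOs win conflicts and "not configured" leaves the earlier value in place. The following Python sketch is an added example, not code from the book or from Windows: it models only those stated rules and reports which GPO supplied each effective setting and which earlier values were overridden. The GPO names, setting names, values, and the `depth` field for OU nesting are constructed assumptions.

```python
# Added illustration of the LSDOU rules in the note above; not from the book.
# GPO names, setting names and values are constructed sample data.
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


def apply_order(gpos):
    """Sort GPOs into processing order: Local, Site, Domain, then OUs parent-first."""
    return sorted(gpos, key=lambda g: (LEVEL_ORDER[g["level"]], g.get("depth", 0)))


def resolve(gpos):
    """Return (effective, conflicts).

    effective: {setting: (value, name of the GPO that supplied it)}
    conflicts: [(setting, overridden GPO, winning GPO)] in the order they occurred
    """
    effective, conflicts = {}, []
    for gpo in apply_order(gpos):
        for setting, value in gpo["settings"].items():
            if value is None:
                continue  # "not configured": the previously applied value remains
            if setting in effective and effective[setting][0] != value:
                conflicts.append((setting, effective[setting][1], gpo["name"]))
            effective[setting] = (value, gpo["name"])  # later GPO wins
    return effective, conflicts


# Constructed input, deliberately listed out of processing order.
SAMPLE_GPOS = [
    {"name": "OU2 GPO", "level": "ou", "depth": 2,
     "settings": {"MinimumPasswordLength": None, "ScreenSaverTimeout": 300}},
    {"name": "Local GPO", "level": "local",
     "settings": {"MinimumPasswordLength": 6, "AuditLogonEvents": "Success"}},
    {"name": "Domain GPO", "level": "domain",
     "settings": {"MinimumPasswordLength": 12, "ScreenSaverTimeout": 900}},
    {"name": "OU1 GPO", "level": "ou", "depth": 1,
     "settings": {"ScreenSaverTimeout": 600, "AuditLogonEvents": None}},
]

if __name__ == "__main__":
    effective, conflicts = resolve(SAMPLE_GPOS)
    for setting, (value, source) in sorted(effective.items()):
        print(f"{setting} = {value!r} (from {source})")
    for setting, loser, winner in conflicts:
        print(f"conflict on {setting}: {winner} overrides {loser}")
```

The conflict list is the part worth reviewing in an audit: each entry is a setting that one GPO configured and a later-applied GPO replaced.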
