Group Policy Objects phần 2

In the first implementation of Group Policies in Windows 2000, calculating effective policy for a given user or computer was challenging.
Nội dung trích xuất từ tài liệu:
Group Policy Objects phần 2In the first implementation of Group Policies in Windows 2000, calculating effectivepolicy for a given user or computer was challenging. This was especially true when therewere many different GPOs at various levels within a given domain. At that time,Microsoft did not provide helper tools that would allow administrators to model theresults of policies applied to a given computer or user. Thus, before undertaking amassive deployment of Group Policies within a corporate environment, it was imperativeto carefully test all new policies.Note Many administrators used a command-line tool called GPResult.exe, which was supplied as part of the Windows 2000 Server Resource Kit. This tool generates a list of current GPO settings for a given user logged onto a given Windows 2000 computer.With Windows Server 2003, Microsoft introduced several Group Policy managementimprovements, including: Software Restriction Policies. The rapid growth of the Internet increases security threats to a network, both from worms or viruses and from attacks. A network also could face internal threats, such as human errors. With software restriction policies, organizations can protect their networks from malicious software or even suspicious code by identifying and specifying the applications that are allowed to run. Unfortunately, Windows 2000 and earlier versions of Windows NT are unable to process software restriction policies. To use such policies, all domains must be migrated to Windows Server 2003 domains in native mode and all clients must be upgraded to Windows XP. (For more information on software restriction policies, refer to Chapter 9.) Enhanced User Interface in the Group Policy Object Editor. Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking on a policy instantly shows the text explaining its function and supported environments such as Windows XP or Windows 2000. Group Policy Management Console. Expected to be freely available as an add-in component, the Group Policy Management Console (GPMC) provides a new framework for managing Group Policy. With GPMC, an administrator can backup and restore Group Policy Objects (GPOs), import/export and copy/paste GPOs, report GPO settings, and more. New Policy Settings. With Windows Server 2003, Microsoft introduced more than 200 new policy settings that let administrators easily lock down or manage configurations. These settings also enable or prohibit most new features, such as Remote Assistance, AutoUpdating, and Error Reporting. User Data and Settings Management Enhancements. Administrators can automatically configure client computers to meet specific requirements of a users business roles, group memberships, and location. Improvements include simplified folder redirection and more robust roaming capabilities. These were addressed briefly in Chapter 10. Cross-Forest Support. Although GPOs can only be linked to sites, domains, or organizational units (OUs) within a given forest, the cross-forest feature in Windows Server 2003 enables several new scenarios that Group Policy supports. Resultant Set of Policy (RSoP). The Microsoft RSoP tool is probably the most important improvement, since it allows administrators to plan, monitor, and troubleshoot Group Policy. These capabilities in Windows 2000 were limited; only a GPResult.exe command-line Resource Kit utility was available. With RSoP, administrators can plan, preview, and verify policies and their effects on a specific computer or user. Unfortunately, RSoP is unavailable for Windows 2000 and earlier.Using Resultant Set of PolicyResultant Set of Policy (RSoP) is a long-awaited tool that allows system administrators todetermine which Group Policy settings are being applied to a particular user or computeraccount. This tool can be used both for planning Group Policies before deploying them ina production environment and for troubleshooting problems with specific Group Policysettings. It implements one of the newest mechanisms for managing and troubleshootingGroup Policies, and, therefore, deserves special attention. Unfortunately, like manyimprovements recently introduced by Microsoft, it is not available for Windows 2000 andearlier versions of Windows NT, nor for other legacy operating systems.On Windows Server 2003, RSoP can operate in two modes: Logging mode, which displays Group Policy settings for a specific user or computer. This mode is applicable for standalone computers running Windows Server 2003. At the time of this writing, it also could be used on Windows XP computers joined to Wind ...