Group Policy Objects phần 2

Chia sẻ: Nghia Tuan | Ngày: | Loại File: PDF | Số trang:7

Thêm vào BST

Báo xấu

121
lượt xem 16
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

In the first implementation of Group Policies in Windows 2000, calculating effective policy for a given user or computer was challenging.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Group Policy Objects phần 2

In the first implementation of Group Policies in Windows 2000, calculating effective policy for a given user or computer was challenging. This was especially true when there were many different GPOs at various levels within a given domain. At that time, Microsoft did not provide helper tools that would allow administrators to model the results of policies applied to a given computer or user. Thus, before undertaking a massive deployment of Group Policies within a corporate environment, it was imperative to carefully test all new policies. Note Many administrators used a command-line tool called GPResult.exe, which was supplied as part of the Windows 2000 Server Resource Kit. This tool generates a list of current GPO settings for a given user logged onto a given Windows 2000 computer. With Windows Server 2003, Microsoft introduced several Group Policy management improvements, including: Software Restriction Policies. The rapid growth of the Internet increases security threats to a network, both from worms or viruses and from attacks. A network also could face internal threats, such as human errors. With software restriction policies, organizations can protect their networks from malicious software or even suspicious code by identifying and specifying the applications that are allowed to run. Unfortunately, Windows 2000 and earlier versions of Windows NT are unable to process software restriction policies. To use such policies, all domains must be migrated to Windows Server 2003 domains in native mode and all clients must be upgraded to Windows XP. (For more information on software restriction policies, refer to Chapter 9.) Enhanced User Interface in the Group Policy Object Editor. Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking on a policy instantly shows the text explaining its function and supported environments such as Windows XP or Windows 2000. Group Policy Management Console. Expected to be freely available as an add-in component, the Group Policy Management Console (GPMC) provides a new framework for managing Group Policy. With GPMC, an administrator can backup and restore Group Policy Objects (GPOs), import/export and copy/paste GPOs, report GPO settings, and more. New Policy Settings. With Windows Server 2003, Microsoft introduced more than 200 new policy settings that let administrators easily lock down or manage configurations. These settings also enable or prohibit most new features, such as Remote Assistance, AutoUpdating, and Error Reporting. User Data and Settings Management Enhancements. Administrators can automatically configure client computers to meet specific requirements of a user's business roles, group memberships, and location. Improvements include simplified
folder redirection and more robust roaming capabilities. These were addressed briefly in Chapter 10. Cross-Forest Support. Although GPOs can only be linked to sites, domains, or organizational units (OUs) within a given forest, the cross-forest feature in Windows Server 2003 enables several new scenarios that Group Policy supports. Resultant Set of Policy (RSoP). The Microsoft RSoP tool is probably the most important improvement, since it allows administrators to plan, monitor, and troubleshoot Group Policy. These capabilities in Windows 2000 were limited; only a GPResult.exe command-line Resource Kit utility was available. With RSoP, administrators can plan, preview, and verify policies and their effects on a specific computer or user. Unfortunately, RSoP is unavailable for Windows 2000 and earlier. Using Resultant Set of Policy Resultant Set of Policy (RSoP) is a long-awaited tool that allows system administrators to determine which Group Policy settings are being applied to a particular user or computer account. This tool can be used both for planning Group Policies before deploying them in a production environment and for troubleshooting problems with specific Group Policy settings. It implements one of the newest mechanisms for managing and troubleshooting Group Policies, and, therefore, deserves special attention. Unfortunately, like many improvements recently introduced by Microsoft, it is not available for Windows 2000 and earlier versions of Windows NT, nor for other legacy operating systems. On Windows Server 2003, RSoP can operate in two modes: Logging mode, which displays Group Policy settings for a specific user or computer. This mode is applicable for standalone computers running Windows Server 2003. At the time of this writing, it also could be used on Windows XP computers joined to Windows 2000 or Windows Server 2003 domains. Planning mode, which allows administrators to evaluate the affect of applying different Group Policy Objects Where does RSoP get information on the resulting Group Policies? To gather this data, it queries the Common Infrastructure Management Object Manager (CIMOM) database through Windows Management Instrumentation. The CIMOM database contains information on computers' hardware, software installation settings, scripts, folder redirection settings, security settings, and Internet Explorer maintenance settings. The CIMOM database is refreshed with the current information each time a computer logs on to the network. Note The Common Infrastructure Management (CIM) model, now known as the Web- Based Enterprise Management (WBEM) initiative, was adopted by the Distributed
Management Task Force (DMTF). This emerging standard, intended for all computer systems, offers a common way of describing and managing systems. Windows Management Instrumentation, which is built into Windows 2000, Windows XP, and Windows Server 2003, is the Windows-specific implementation. It can be used to discover information about Windows systems as well as manage them. To obtain results using RSoP: 1. Start MMC console, then select the Add/Remove Snap-in command from the File menu. Click the Add button on the Standalone tab, and select the Resultant Set of Policy from the list of available standalone snap-ins. Click Close, then click OK. Note To request RSoP, you must either be logged on to the machine as the user whose policy you want to see, have local Administrator privileges on the machine you are querying (membership in the local Administrators, Domain Admins, or Enterprise Admins group is required), or have been delegated control over RSoP. 2. After adding the Resultant Set of Policy snap-in, select Generate RSoP Data from the Action menu. RSoP Wizard will start. Click Next. 3. RSoP Wizard will display the Mode Selection window (Fig. 11.9). To see Group Policy settings applied to a specific user or computer, select the Logging mode option and click Next. Note that logging mode might be the only mode available. Figure 11.9: RSoP Wizard prompts you to select a mode
4. Next, the wizard will display a window prompting you to select a computer. You can either display Group Policy settings for the local computer or click the Browse button and select a remote system. Make your selection and click Next. You will be prompted to select a specific user for whom you need to display policy settings (Fig. 11.10). Select a user and click Next. Figure 11.10: The User Selection window displayed by RSoP Wizard 5. The wizard will display the next window summarizing your selections. To change your selections, click Back. To confirm the selected options and proceed with the query, click Next, and RSoP will start the query. When the query completes, the wizard will display the final window, where you need to click Finish. 6. RSoP will appear for the selected user on the selected computer (Fig. 11.11). Click the RSoP folder to view data. Note that you can also set the order in which policies are applied. Simply right-click on the policy element, select Properties, then click the Precedence tab (Fig. 11.12).
Figure 11.11: RSoP query results Figure 11.12: The Precedence tab displays the order of policy application Note To immediately view RSoP for the current user on the local Windows Server 2003 computer, click the Start button, select the Run command, enter the rsop.msc command into the Open field, and click OK. You will immediately notice that there is a Group Policy problem if a red × on the user or computer configuration level appears. (This indicates an error.) To view information on the error, right-click the marked object, select Properties and go to the Error Information tab. How Group Policy Administrative Templates Affect the Registry
Now that I have introduced some theoretical foundation required for understanding Group Policy Objects (GPOs), it is time to present some of the GPO features that influence the system registry. As previously emphasized in this chapter and in Chapter 10, both Windows NT 4.0 and Windows 9x supported so-called System Policies, which were simply special types of registry files delivered to users at logon time. These registry files (their default names were Ntconfig.pol and Config.pol) were used to centrally modify HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry root keys. For example, within a given policy file, it was possible to specify different registry modifications for different users, computers, or global groups. The template ADM files controlled which registry keys and values could be modified and what the possible values could be. These template files represented text files using special macro language to specify which key or value was to be modified and how. Most savvy administrators customized ADM files to enforce the desirable policy. In particular, the following two keys became the primary targets for enforcing system policies: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio\Policie s HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies However, System Policies were limited and difficult to use. Starting with Windows 2000, the situation has improved. If you refer back to Table 11.1, you'll notice that old-style System Policies used in legacy versions of Windows have become part of Group Policy Object (GPO). In Windows 2000 and its successors, the Administrative Templates portion of GPO performs functions identical to those of old system policies. Furthermore, GPO-based administrative templates still use the ADM file format. The default templates, such as System.adm and Inetres.adm, are stored under the \ADM folder within the Group Policy Template (GPT). If you carefully study the format of these files, you will notice that the structure of ADM files in Windows Server 2003 is similar to that of Windows 2000 and even of Windows NT 4.0. The main difference is that each new version supports additional macro keywords to provide new functionality. For example, the EXPLAIN keyword, introduced with Windows 2000 and supported on all later versions, lets the developer of a specific ADM file create Help text associated with a given policy item. The SUPPORTED keyword, introduced with Windows XP and Windows Server 2003, allows the developer to specify supported OS versions. This is an important point, since, as multiple examples have shown in this chapter, not all new features introduced with the release of Windows Server 2003 are supported on Windows XP, to say nothing of earlier Windows versions.
Each GPO can have a different set of ADM files, and each machine or user can process multiple GPOs. Flexibility in the area of desktop and application control and lockdown is as granular as you want to make it. Having looked at the mechanics of how administrative templates are used, let's move on to what administrators see when they edit a GPO using these templates. Start up the Group Policy tool MMC snap-in, focused on a GPO. Every Windows 2000 or Windows Server 2003 domain contains a Default Domain Policy when first installed, so if you haven't created any other GPOs, you can start by editing that one. To do so: 1. Start the Active Directory Users and Computers MMC snap-in, right-click the name of the domain of interest, and select the Properties command from the context menu. 2. Go to the Group Policy tab. Highlight the GPO of interest. (Note that if you haven't created any GPOs, only the Default Domain Policy will be available.) Click the Edit button.