Windows Server 2008 Inside Out- P26

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Chapter 35: Managing Users, Groups, and Computers

Managing Groups

... granted. In practice, you will almost always use security groups, because they include distribution group functionality and are the only type of group that can be listed in a DACL (that is, the only type that can be granted permissions).

Domain Local Groups

Consider domain local groups first when you are giving groups or users access to resources in the local domain. For instance, if you want users or groups in the local domain to access a shared folder in that domain, you could create a domain local group called SalesPersons, add to it the users and global groups that need access to the shared folder, and then assign the SalesPersons group permissions on the resource.

The membership of a domain local group is not replicated to the global catalog, so a query against the global catalog will not return the members of a domain local group. This follows from the scope itself: a domain local group can be used to assign permissions only within its own domain, so it never has to be resolved from another domain.

Global Groups

Use global groups to give users or groups access to resources according to how they are organized. For instance, users from the Marketing and Development departments could be put in separate global groups to simplify administering their access to resources such as printers and network shares. At the Windows 2000 native domain functional level or higher, global groups can be nested in other global groups of the same domain, and a global group can be granted access to resources in any domain in the forest.

Universal Groups

Universal groups have very few fundamental restrictions, and they can be a tempting shortcut for administrators because they can be used across the domains of a forest: members can be drawn from any domain, and permissions can be assigned in any domain. Using universal groups as your main method of grouping users, groups, and computers has a significant caveat, however. Universal groups, including their membership, are stored in the global catalog, and whenever a universal group changes, the change must be replicated to every domain controller configured as a global catalog server. Replicating only the individual membership values that changed, rather than the whole member attribute (linked-value replication, available at the Windows Server 2003 forest functional level or higher and therefore in a Windows Server 2008 forest), allows wider use of universal groups without causing network bottlenecks or slowing authentication and global catalog updates.

Which Group Scope Should You Use?

Choosing when to use a group, and which scope to give it, calls for a strategy. A common one is to organize user accounts into logical groups based on the permissions they need to access specific resources; in a business this can often be determined by the department the user belongs to. For instance, the Development department of a software company might put all of its developers in a Dev group and then assign the Dev group permissions on a network share. In a Windows Server 2008 environment it is more complex than this, because groups have different scopes. Furthermore, groups may contain not only users but also computers and even other groups, and they can be nested to any depth.
Some important constraints on group scope in Windows Server 2008 include the following:
- Universal groups are stored in the global catalog and replicated across the network. Windows Server 2008 mitigates the cost with universal group membership caching on domain controllers that are not global catalog servers, and by replicating only the membership values that changed.
- Global groups can contain members only from their own domain. They can, however, be granted permissions on resources in any domain in the forest, and at the Windows 2000 native domain functional level or higher they can be nested in other global groups of the same domain.
- Domain local groups can be used to assign permissions only within their own domain; they cannot be resolved in other domains.

Group scope functionality and limitations include member inclusion and permissions. Table 35-4 lists how the three scopes function.

Table 35-4 How Group Scope Functions Using Windows Server 2003 and Higher Domain Functional Levels

Group        | Member Inclusion                                                                            | Permissions
Universal    | Users, computer accounts, global groups, and universal groups from any domain in the forest. | Can be added to other groups and granted permissions in any domain.
Global       | Users, computer accounts, and other global groups from the same domain only.                | Can be added to domain local and universal groups in any domain in the forest (and to global groups in the same domain) and granted permissions in any domain.
Domain local | Same as universal groups, plus domain local groups from the same domain.                    | Can be added only to other domain local groups in the same domain and granted permissions only in that domain.

At the Windows 2000 native domain functional level or higher, Windows Server 2008 groups have nesting limitations that depend on the group scope. Limitations for nesting are listed in Table 35-5.

Table 35-5 Group Scope Nesting in Windows 2000 Native Functional Level

Group Type   | Can Nest in Universal? | Can Nest in Global?           | Can Nest in Domain Local?
Universal    | Yes                    | No                            | Yes
Global       | Yes                    | Yes (only in the same domain) | Yes
Domain local | No                     | No                            | Yes (only in the same domain)

Why Use Domain Local Groups?

Domain local groups are used when you want to give users, computers, or specific groups access to resources in a single local domain. In a domain local group you can include other domain local groups from the same domain, global groups, or universal groups. You can also include individual accounts in the domain local group. However,
including individual user accounts can increase the amount of administration rather than reduce it, so unless management has specifically requested a special permission, this is usually not the best route.

A common scenario for using domain local groups is to provide access to printers for the members of a department (such as the Development department). In this scenario, you would use Active Directory Users And Computers:
1. Create a domain local group by right-clicking an OU, and then selecting New, Group.
2. Assign permissions to use the printer to the new domain local group: open Control Panel, Printers And Faxes, right-click the printer, select Properties, select the Security tab, and add the domain local group.
3. Create a global group.
4. Add the user accounts from the Development department to the global group.
5. Add the global group to the domain local group you created at the beginning.

This way, if you ever add a new printer, all you have to do is grant the domain local group access to it, and the developers automatically get access because their global group is a member of the domain local group. If a new domain is added, all you have to do to give the people in the new domain access to the printer is add the new domain's global groups to the domain local group.

Why Use Global Groups?

An important property of global groups is that their membership is not replicated outside their own domain: the member list is not part of global catalog replication. You should therefore use global groups for memberships that need regular maintenance or modification, because those changes are not replicated across the network and will not slow traffic over slow links. The main reason to use global groups, then, is to organize users with similar needs within a domain in order to give them access to resources. For instance, suppose you have two domains, one in the United States and the other in India, and each has developers. Because your business model requires that neither group of developers have access to the other's source code, you could create two global groups, USA\Dev and India\Dev, and give each global group permissions on a different source code share.

Why Use Universal Groups?

Universal groups extend this idea so that users from different domains can be given access to a resource without the global catalog replication traffic that direct changes to a universal group's user membership would cause. By creating a universal group and adding global groups to it, you can give users from different domains in the forest access to the same resource. In the preceding scenario, a third group could be created for the developers, called UniDev: a universal group to which you add both global groups, USA\Dev and India\Dev, and which you grant permissions on, say, a second source code share that both sets of developers must access. This is a good strategy, because when you add new user accounts to the global groups, the changes are not replicated to the global catalog and have little if any impact on network traffic. Be careful about changing the membership of universal groups, however, because those changes are replicated across all links to every domain controller configured as a global catalog.

Creating a Group

You may create groups in the Users container or in an OU that you have created in the domain. To create a group, start Active Directory Users And Computers. Right-click the Users container or the OU in which you want to place the group, point to New, and then select Group. This displays the New Object–Group dialog box shown in Figure 35-15. Type a group name, select the Group Scope and Group Type, and click OK to create the group.

Figure 35-15 Creating a group.

Windows Server 2008 has three group scopes and two group types, so you can create six different combinations of groups. You must be a member of the Account Operators, Domain Admins, or Enterprise Admins group (or have been delegated permission to create group objects in the container) to create new groups.

Note: The built-in groups for Active Directory in Windows Server 2008 are located in two places. The built-in domain local groups such as Administrators, Account Operators, and Backup Operators are in the Builtin container. Predefined groups such as Domain Admins (global) and Enterprise Admins (universal, in the forest root domain) are in the Users container.
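The strategy of the preceding sections (accounts into a global group, global groups into a universal group where more than one domain is involved, the universal or global group into a domain local group, and permissions on the domain local group) and the group creation described above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the book: the OU, the folder path, the NetBIOS domain name CPANDL, and the user names alice and bob are assumptions.

```powershell
# Added example (not from the book). Builds the AGDLP structure from the text and
# grants the domain local group NTFS permissions on a share folder.
# Assumptions: the OU and folder below exist, the NetBIOS domain is CPANDL, and
# 'alice'/'bob' are placeholder users. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$groupsOu = 'OU=Groups,DC=cpandl,DC=com'   # assumed OU for the groups
$share    = 'D:\Shares\SourceCode'          # assumed local path of the shared folder

# A -> G: accounts go into a global group that mirrors how people are organized.
# Its member list is not replicated to the global catalog, so churn here is cheap.
New-ADGroup -Name 'Dev' -GroupScope Global -GroupCategory Security -Path $groupsOu `
    -Description 'Developers; members must come from this domain'
Add-ADGroupMember -Identity 'Dev' -Members 'alice', 'bob'

# G -> U (optional): a universal group collects the Dev groups of several domains.
# Its membership lives in the global catalog, so keep it to group nesting only;
# a global group from another domain would be added by its distinguished name.
New-ADGroup -Name 'UniDev' -GroupScope Universal -GroupCategory Security -Path $groupsOu
Add-ADGroupMember -Identity 'UniDev' -Members 'Dev'

# -> DL: the resource-side domain local group that actually carries the permission.
New-ADGroup -Name 'SourceCode_Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupsOu -Description 'Modify on D:\Shares\SourceCode'
Add-ADGroupMember -Identity 'SourceCode_Modify' -Members 'UniDev'

# -> P: grant the domain local group Modify on the folder, inherited by subfolders
# and files. People are never placed directly in the ACL.
$ruleArgs = @('CPANDL\SourceCode_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify the chain: expanding the domain local group recursively should reach alice and bob.
Get-ADGroupMember -Identity 'SourceCode_Modify' -Recursive | Select-Object Name, objectClass
```

Adding a new printer or share later means one more ACE for SourceCode_Modify (or a sibling domain local group); adding a developer means one Add-ADGroupMember on Dev, which touches nothing in the global catalog.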
SIDE OUT: Creating group accounts at the command line

At the command line, you can create groups using DSADD. For groups, Active Directory path strings describe the group's location in the directory, from the group name back to the containers in which it is stored. You specify that the group is a security group using -secgrp yes, or a distribution group using -secgrp no. You specify the scope of the group using -scope u for universal, -scope g for global, and -scope l for domain local. For example, to create a global security group called SeattleServices in the Services OU of the cpandl.com domain, the full path to the group object is CN=SeattleServices,OU=Services,DC=cpandl,DC=com, and you create it with DSADD as follows:

dsadd group "CN=SeattleServices,OU=Services,DC=cpandl,DC=com" -secgrp yes -scope g

For the full syntax and usage, type dsadd group /? at a command prompt. Although quotation marks aren't required in this example, I always use them so that I don't forget them when they actually are needed, such as when name components contain spaces.

The directory services commands can also be used to perform many group management tasks. Using DSGET GROUP at a command prompt, you can:
- Determine whether a group is a security group by typing dsget group GroupDN -secgrp, where GroupDN is the distinguished name of the group.
- Determine group scope by typing dsget group GroupDN -scope.
- Determine the members of a group by typing dsget group GroupDN -members.
- Determine the groups of which a group is a member by typing dsget group GroupDN -memberof. Add the -expand option to display the recursively expanded list of groups of which the group is a member.

Using DSMOD GROUP at a command prompt, you can:
- Change group scope using dsmod group GroupDN -scope u for universal, -scope g for global, and -scope l for domain local.
- Add members by typing dsmod group GroupDN -addmbr MemberDN, where MemberDN is the distinguished name of the account or group you want to add to the designated group.
- Remove members by typing dsmod group GroupDN -rmmbr MemberDN.
- Convert the group to a security group using dsmod group GroupDN -secgrp yes, or to a distribution group using dsmod group GroupDN -secgrp no.
Adding Members to Groups

The easiest way to add a user to a group is to right-click the user in the details pane of Active Directory Users And Computers and select Add To A Group. The Select Groups dialog box appears, and you can select the group of which the user is to become a member. You can reach the same dialog box by right-clicking the user name, selecting Properties, clicking the Member Of tab, and then clicking Add.

Note: To add multiple users to a group, select more than one user using Shift+click or Ctrl+click, and follow the same steps.

If you want to add both users and groups as members of a group, perform the following steps:
1. Double-click the group entry in Active Directory Users And Computers. This opens the group's Properties dialog box.
2. On the Members tab, click Add to add accounts to the group.
3. Use the Select Users, Contacts, Computers, Or Groups dialog box to choose the users, computers, and groups that should be members of the selected group. Click OK.
4. Repeat steps 2 and 3 as necessary to add additional users, computers, and groups as members.
5. Click OK.

Deleting a Group

Deleting a group is as simple as right-clicking the group name within Active Directory Users And Computers and selecting Delete. Be very careful when deleting groups: although deleting a group does not delete the user accounts it contains, the permissions you have assigned to the group are lost and cannot be recovered by merely re-creating a group with the same name.

CAUTION: Permissions are not stored against a group's name but against its security identifier (SID), a unique value allocated when the group is created. If you delete a group and then re-create it, the new group has a new SID; existing ACEs still reference the old SID (shown in the ACL editor as an unresolvable SID rather than a name) and grant the new group nothing.
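A check for the caveat above: the group's SID is recorded before the deletion, and afterwards the ACLs of a folder tree are scanned for explicit ACEs that still name a SID Windows can no longer resolve. This is an added example, not code from the book; the group SalesPersons, the folder D:\Shares\Sales and the CSV path are placeholders.

```powershell
# Added example (not from the book). Records a group's SID before it is deleted,
# then finds explicit ACEs on a folder tree that still point at a SID Windows
# cannot resolve to a name, which is what the CAUTION above describes.
# Assumptions: group 'SalesPersons', folder D:\Shares\Sales and C:\Temp are placeholders.
Import-Module ActiveDirectory

function Get-GroupSidRecord {
    param([Parameter(Mandatory=$true)][string]$Identity)
    $g = Get-ADGroup -Identity $Identity
    New-Object PSObject -Property @{ Name = $g.Name; SID = $g.SID.Value; DN = $g.DistinguishedName }
}

function Find-OrphanedSidAce {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Root plus every child. Get-Acl shows DOMAIN\Name for resolvable principals and
    # leaves the raw S-1-5-21-... string when the principal no longer exists.
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Only explicit ACEs: an inherited orphan is fixed where it was set.
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
                New-Object PSObject -Property @{
                    Path   = $item.FullName
                    SID    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights.ToString()
                    Type   = $ace.AccessControlType.ToString()
                }
            }
        }
    }
}

# Usage: keep the SID so findings can be tied back to the group that was deleted.
$record = Get-GroupSidRecord -Identity 'SalesPersons'
$record | Export-Csv -Path 'C:\Temp\SalesPersons-sid.csv' -NoTypeInformation
Remove-ADGroup -Identity 'SalesPersons' -Confirm:$false
Find-OrphanedSidAce -Path 'D:\Shares\Sales' |
    Where-Object { $_.SID -eq $record.SID } | Format-Table Path, Rights, Type -AutoSize
```

Orphaned ACEs are more than clutter: a Deny ACE for a dead SID is harmless, but an Allow ACE is dead weight in every access check, and if the SID were ever reissued (it is not, within a domain, but foreign SIDs from a trusted domain can be) it would grant access nobody intended. Remove them with the same Get-Acl/Set-Acl pattern, or re-grant the new group and drop the old entries.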
Modifying Groups

There are a number of modifications, property changes, and management procedures you may want to apply to groups. You can change the scope, the members, and the groups the group belongs to; move a group; delegate management of a group; and send mail to a group.

Finding a Group

When you have a substantial number of groups, you can use the Find function to locate the one you need to manage. Right-click the domain or OU, and then select Find. In the Find Users, Contacts, And Groups dialog box, you can specify what type of object to find, change the starting point, or build a search query from the available tabs. After the query has run, many administrative or management functions can be performed on the objects returned in the results window.

SIDE OUT: Saved queries in Active Directory

In Active Directory Users And Computers, you can save and reuse queries, which lets you find groups quickly and repeatedly when you want to manage and modify them. The Saved Queries folder is at the top of the Active Directory Users And Computers console tree (left pane). You cannot save queries from the Find dialog box that appears when you right-click a group; you can save them only by creating a new query under the Saved Queries folder at the top of the tree.

Managing the Properties of Groups

When you double-click a group name in Active Directory Users And Computers, the group's Properties dialog box appears. You can configure the following six areas or functions:

General: Change the description or group e-mail address. You may also be able to change the group type or scope. At the Windows Server 2003 or higher domain functional level, there are limitations on changing group scope, as shown in Table 35-6.
Members: List, add, and remove group members.
Member Of: Lists the groups the current group is a member of. Depending on this group's scope, these can be global groups in the same domain, domain local groups (a domain local group can belong only to domain local groups in its own domain), or universal groups anywhere in the forest.
Managed By: Add, clear, or modify the user account responsible for managing this group.
Object: View the canonical name of the group object. This tab is visible only in Advanced view; to enable it, select Advanced Features from the View menu in Active Directory Users And Computers.
Security: Configure advanced permissions for the users and groups that can access the group object in Active Directory. This tab is visible only in Advanced view.

Table 35-6 Group Scope Conversions in Windows Server 2003 or Higher Domain Functional Level

Scope of Group | Can Be Converted to Universal                              | Can Be Converted to Global                           | Can Be Converted to Domain Local
Universal      | NA                                                         | Yes (only if it has no universal groups as members)  | Yes
Global         | Yes (only if it is not a member of another global group)   | NA                                                   | No (not directly; convert to universal first)
Domain local   | Yes (only if it has no domain local groups as members)     | No (not directly; convert to universal first)        | NA

Modifying Other Group Settings

You can modify other group settings using Active Directory Users And Computers:

Move a group: Right-click the group, and then select Move. The Move dialog box appears, allowing you to select the container to which you want to move the group. Alternatively, drag the group icon into the new container. You can select multiple groups to move by holding Ctrl while clicking each group, or by holding Shift and clicking the first and last group.
Rename a group: Right-click the group name, and then select Rename. Type the new group name, and then press Enter. Multiple selection is disabled for this function.
Send mail to a group: Right-click the group name, and then select Send Mail. An error occurs if no e-mail address has been configured on the General tab of the group's properties. Otherwise, the default mail client opens a new message addressed to the group, which you can complete and send.

Note: Moving or renaming groups can alter the effective permissions of users and groups in unpredictable ways: a move changes the container, and therefore any delegation or Group Policy scoped to it, and a rename breaks anything that looks the group up by name rather than by SID. With this in mind, check the effective permissions of member users and groups afterward to ensure that the permissions are as expected.
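The conversion rules of Table 35-6 depend on the group's current membership, and Set-ADGroup -GroupScope simply fails when they are violated. The function below checks the rules first, decoding each member's groupType bits, and explains why a conversion is refused. This is an added example, not code from the book; the group name Dev is a placeholder.

```powershell
# Added example (not from the book). Checks whether a group can be converted to
# the requested scope under the rules in Table 35-6 before Set-ADGroup is tried.
# Assumption: the group name 'Dev' used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-GroupScopeFromDn {
    # Decode groupType flags of a group DN: 0x2 global, 0x4 domain local, 0x8 universal.
    # Returns $null for non-group members (users, computers).
    param([string]$Dn)
    $obj = Get-ADObject -Identity $Dn -Properties objectClass, groupType
    if ($obj.objectClass -ne 'group') { return $null }
    if ($obj.groupType -band 0x2) { return 'Global' }
    if ($obj.groupType -band 0x4) { return 'DomainLocal' }
    if ($obj.groupType -band 0x8) { return 'Universal' }
    return 'Unknown'
}

function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][ValidateSet('Global','DomainLocal','Universal')][string]$TargetScope
    )
    $g = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $memberScopes   = @($g.member   | ForEach-Object { Get-GroupScopeFromDn $_ } | Where-Object { $_ })
    $memberOfScopes = @($g.memberOf | ForEach-Object { Get-GroupScopeFromDn $_ } | Where-Object { $_ })
    $reason = $null
    switch ("$($g.GroupScope)->$TargetScope") {
        'Global->DomainLocal'    { $reason = 'Not allowed directly; convert to Universal first, then to DomainLocal.' }
        'DomainLocal->Global'    { $reason = 'Not allowed directly; convert to Universal first, then to Global.' }
        'Global->Universal'      { if ($memberOfScopes -contains 'Global')      { $reason = 'Group is a member of another global group.' } }
        'Universal->Global'      { if ($memberScopes   -contains 'Universal')   { $reason = 'Group contains universal groups as members.' } }
        'DomainLocal->Universal' { if ($memberScopes   -contains 'DomainLocal') { $reason = 'Group contains domain local groups as members.' } }
        'Universal->DomainLocal' { }   # no membership restriction
        default                  { $reason = "Group is already $TargetScope." }
    }
    New-Object PSObject -Property @{
        Group        = $g.Name
        CurrentScope = [string]$g.GroupScope
        TargetScope  = $TargetScope
        Allowed      = ($reason -eq $null)
        Reason       = $reason
    }
}

# Usage: only convert when the check passes; otherwise show why.
$check = Test-ADGroupScopeConversion -Identity 'Dev' -TargetScope Universal
if ($check.Allowed) { Set-ADGroup -Identity 'Dev' -GroupScope Universal } else { $check }
```

Note the two-step paths in the table: a global group that must become domain local (or the reverse) goes through universal, and while it is universal its membership is replicated to every global catalog, so do the two conversions back to back.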
Managing Computer Accounts

Computer accounts are managed and configured using Active Directory Users And Computers. By default, computer accounts are stored in the Computers container, and domain controller accounts are stored in the Domain Controllers OU. Computer accounts can also be stored in other containers, such as OUs you have created. Computers are joined to and removed from a domain using Computer Management or the System tool in Control Panel.

Creating a Computer Account in Active Directory

To create a new computer account in your domain, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group, or have been delegated the right to create computer objects in the container. To create a new computer account, start Active Directory Users And Computers. Right-click the container in which you want to create the account, point to New, and then select Computer. This starts the New Object–Computer Wizard shown in Figure 35-16.

Figure 35-16 Creating a computer account.

Type a computer name. By default, only members of Domain Admins can join a computer to this account. To allow a different user or group to join the computer to the domain, click Change, and then use the Select User Or Group dialog box to select the user or group account that is authorized to do so. If Windows NT systems will use this account, select the Assign This Computer Account As A Pre–Windows 2000 Computer check box. Click Next twice, and then click Finish.

Note: Creating a computer account does not join the computer to the domain. It merely creates the account in advance, which fixes the container the computer lands in and lets you delegate the join to a specific user or group. You can also create a computer account implicitly when you join a computer to a domain.

SIDE OUT: Creating computer accounts at the command line

You can create computer accounts using DSADD as well. To do this, you need to know the Active Directory path string to use. For example, suppose you want to create a computer account called CustServicePC27 in the Computers container of the cpandl.com domain. The full path to this computer object is CN=CustServicePC27,CN=Computers,DC=cpandl,DC=com. When creating the computer object using DSADD, you specify this path as follows:

dsadd computer "CN=CustServicePC27,CN=Computers,DC=cpandl,DC=com"

Here, CN= specifies the common name of an object and DC= specifies a domain component. In Active Directory path strings you will also see OU=, which specifies the name of an organizational unit object. For the full syntax and usage, type dsadd computer /? at a command prompt. Although quotation marks aren't required in this example, I always use them so that I don't forget them when they actually are needed, such as when name components contain spaces.

The directory services commands can also be used to perform many computer management tasks. Use DSMOD COMPUTER to set properties and to disable or reset accounts. Use DSMOVE (with the computer's distinguished name) to move computer accounts to a new container or OU. Use DSRM (again with the distinguished name) to remove the computer account.

Joining Computers to a Domain

When you join a computer to a domain, you must supply the credentials of an account that can create a new computer account in Active Directory, or, if the account was pre-created, of an account authorized to join the computer to it. A newly created computer account is placed in the default Computers container.

Most of the time, there is a dialog box for joining a computer to the domain when you install or set up Windows 2000 or later for the first time. You must be a member of the local Administrators group on the computer to join it to a domain. By default, any authenticated domain user can join up to 10 computers to the domain without pre-created accounts; this limit is the domain's ms-DS-MachineAccountQuota attribute, and it does not apply to a user who has been explicitly authorized to join a specific pre-created account. To join a server to a domain, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group.
To join a server or workstation to a domain, follow these steps:
1. In Control Panel, click System And Maintenance, then System. In the Computer Name, Domain, And Workgroup Settings section, click Change Settings. This displays the System Properties dialog box with the Computer Name tab selected.
2. On the Computer Name tab, click Change.
3. Select Domain, and type the name of the domain the computer should join. Click OK.
4. When prompted, type the name and password of a domain account that has permission to create a computer account in Active Directory, to join the computer to an existing account, or both. Click OK.
5. The computer is joined to the domain, and a new computer account is created if necessary. If the change succeeds, you see a confirmation dialog box and are prompted to restart.

TROUBLESHOOTING: The computer won't join the domain

If there are problems joining the computer to the domain, there may be an existing computer in the domain with the same name. In this case, change the computer name and then repeat the procedure. The computer must also have TCP/IP configured properly, including a DNS server that can resolve the domain's records. If you suspect a problem with the TCP/IP configuration, ping the loopback address to ensure that TCP/IP is installed correctly, and then check the configuration settings by typing ipconfig /all at a command prompt.

Moving a Computer Account

Organizational changes may require you to move a computer account from one container to another. Plan and test the move to ensure that conflicts in permissions or rights do not occur; the Effective Permissions tool in planning mode lets you simulate moving computer accounts and determine whether there could be conflicts. Because Group Policy is linked to OUs, moving a computer also changes which policies apply to it.

To move a computer account, drag the computer object from one container to another within Active Directory Users And Computers. Alternatively, right-click the computer account, select Move, and then select the destination container in the Move dialog box. You cannot move the computer account of a domain controller across domains; you must first demote the domain controller, then move the computer account.
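The join procedure above, scripted, together with the checks an administrator wants around the "any authenticated user can join up to 10 computers" default: reading and hardening the domain quota, listing which accounts were created under it (the directory records the creator's SID in mS-DS-CreatorSID only for accounts created that way), pre-creating the account in the right OU, and joining. This is an added example, not code from the book; the domain cpandl.com, the Workstations OU and the computer name are placeholders.

```powershell
# Added example (not from the book). Audits and hardens the machine account quota,
# lists accounts created under it, pre-creates an account, and joins a workstation.
# Assumptions: run with Domain Admin rights for the audit part, on the workstation
# for the join part; domain cpandl.com, OU 'Workstations' and the names are placeholders.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

function Get-MachineAccountQuota {
    # The attribute behind "any authenticated user can join up to 10 computers".
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-QuotaCreatedComputer {
    # mS-DS-CreatorSID is populated only when a non-administrator used the quota.
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $sid = $raw }
            else { $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @($raw, 0) }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }    # creator account since deleted
            New-Object PSObject -Property @{ Computer = $_.Name; CreatedBy = $creator; WhenCreated = $_.whenCreated }
        }
}

# 1. Audit, then harden: 0 means only delegated accounts and administrators can add computers.
"ms-DS-MachineAccountQuota is $(Get-MachineAccountQuota)"
Get-QuotaCreatedComputer | Format-Table Computer, CreatedBy, WhenCreated -AutoSize
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Pre-create the account in the OU it belongs in, so the join neither depends on
#    the quota nor lands in CN=Computers. Authorizing one user or group to join it is
#    the Change button in the wizard (an ACL on this object); not reproduced here.
New-ADComputer -Name 'CustServicePC27' -Path "OU=Workstations,$domainDn"

# 3. On the workstation itself (steps 1-5 above), with the credentials of an account
#    authorized to join that pre-created account; then restart and verify the trust.
$cred = Get-Credential
Add-Computer -DomainName 'cpandl.com' -Credential $cred
Restart-Computer -Confirm
# After the restart:  Test-ComputerSecureChannel   (True means the join is good)
```

Setting the quota to 0 is the usual hardening: a computer account created by an ordinary user is a domain principal the user controls, which is why the audit step lists who created what before the setting is changed.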
Disabling a Computer Account

Security issues, such as a malware infection or rogue user actions, may require you to temporarily disable a computer account. Perhaps a critical software bug has caused an individual computer to repeatedly request authentication from a domain controller. You disable the computer account to prevent it from authenticating until you fix the problem.

You disable a computer account by right-clicking it in Active Directory Users And Computers and selecting Disable Account. This prevents the computer from logging on to the domain but does not remove the account from Active Directory.

Deleting a Computer Account

When you delete a computer account in Active Directory Users And Computers, you cannot simply re-create a computer account with the same name and expect the same access: the SID of the original account is different from that of the new one, so permissions and group memberships tied to the old SID are lost, and the computer itself must be rejoined. To remove a computer account, right-click it in Active Directory Users And Computers, and then select Delete.

Managing a Computer Account

Managing a remote computer is a common task when troubleshooting server or workstation problems. You can view and configure management settings such as shares, system settings, services and applications, and the event logs of the remote computer. Take care when changing settings or restarting services on remote machines. Right-click the computer account in Active Directory Users And Computers, and then select Manage to open Computer Management for that computer.

Resetting a Computer Account

Computer accounts, like user accounts, have passwords. Unlike user account passwords, computer account passwords are managed automatically (the computer changes its own password every 30 days by default). Sometimes, however, the password gets out of sync, or another issue prevents the computer account from authenticating in the domain. When this happens, the computer can no longer access resources in the domain, and you should reset the computer account.

To reset a computer account, right-click the computer account name in Active Directory Users And Computers, and then select Reset Account. After you reset the account, the computer must be removed from the domain (by placing it in a workgroup or another domain) and then rejoined.

The Reset Account feature is not the best technique for member servers and domain controllers, however. With member servers and domain controllers, you should use NETDOM RESETPWD. You can reset the computer account password of a member server or domain controller by completing the following steps:
1. Log on locally to the computer. If you are resetting the password of a domain controller, stop the Kerberos Key Distribution Center service and set its startup type to Manual.
2. Open a command prompt and type netdom resetpwd /s:ComputerName /ud:domain\user /pd:*, where ComputerName is the name of a domain controller in the computer account's logon domain, domain\user is an administrator account with the authority to change the computer account password, and * tells NETDOM to prompt you for that account's password before continuing.
3. When you enter the password, NETDOM changes the computer account password locally and on the domain controller. The domain controller then replicates the change to the other domain controllers.
4. When NETDOM completes, restart the computer and verify that the password has been reset successfully. If you reset a domain controller's password, restart the Kerberos Key Distribution Center service and set its startup type back to Automatic.

Configuring Properties of Computer Accounts

As with users and groups, there are many configuration tabs you can select when modifying a computer account. Right-click the computer name in Active Directory Users And Computers, and then select Properties. The following tabs are available:

Delegation: Configure Kerberos delegation for the computer account, as discussed in "Configuring the Delegated Service or Computer Account" on page 1112. This tab is available only when the domain is operating at the Windows Server 2003 or higher functional level.
General: Shows the computer's name and role and lets you set a description. At the Windows 2000 functional level, which has no Delegation tab, the Trust This Computer For Delegation option appears on this tab instead.
Chapter 35 Location Allows you to set a location for the computer. Managed By Allows you to specify the person or group responsible for the computer. Member Of Allows you to configure the group membership for the computer. Object Displays the canonical name of the user object with dates and Update Sequence Numbers. This tab is visible only in Advanced view. Operating System Displays the operating system version and service pack used by the computer.
  14. 1230 Chapter 35 Managing Users, Groups, and Computers Remote Install Allows you to set the unique identifier (globally unique identifier [GUID]/universal unique identifier [UUID]) and the remote installation server to use for a managed computer. This tab is available only for a managed computer. Security Used to configure advanced permissions for users and groups that can access this computer object in Active Directory. This tab is visible only in Advanced view. Dial-In Used to set the computer’s dial-in or VPN access controls as well as call- back, IP address, and routing options for dial-in or VPN or both. As you can see, much of the data for computer account properties is informational. The data you may need to change is probably on the Security tab, where you can add users or groups to the account and change permissions for users and groups that already exist or that you have added. You may also have to change the dial-in configuration as well as allow or deny dial-in access using the computer. Troubleshooting Computer Accounts As an administrator, you may see a variety of problems related to computer accounts. When you are joining a computer to a domain, you may experience problems due to incorrect network settings. The computer joining the domain must be able to communi- cate with the domain controller in the domain. You can resolve connectivity problems by configuring the computer’s local area network connection settings appropriately for the domain to which you are connecting. Be sure to check the IP address, default gate- way, and DNS server settings. Another common problem is related to insufficient permissions The user joining the computer to the domain must have appropriate permissions in the domain. Be sure to use an account with appropriate permissions to join the domain. After a computer is joined to a domain, you sometimes may see problems with the computer password or trust between the computer and the domain. 
Diagnosing a password/trust problem is fairly straightforward. If you try to access or browse resources in the domain and are prompted for a user name and password when you normally are not, you may have a password/trust issue with the computer account. For example, if you are trying to connect to a remote computer in Computer Management, and you are repeatedly prompted for a user name and password where you weren’t previously, the computer account password should probably be reset.

You can verify a password/trust problem by checking the System event log. Look for an error with event ID 3210 generated by the NETLOGON service. The related error message should read as follows:

This computer could not authenticate with RESOURCENAME, a Windows domain controller for domain DOMAINNAME, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
As part of the troubleshooting process, you should always check the status of the account in Active Directory Users And Computers. A disabled account has a white circle with a down arrow. A deleted account will no longer be listed, and you won’t be able to search for and find it in the directory.

If a user was trying to connect to a resource on a remote computer, the computer to which they are connecting should have a related error or warning event in the event logs. If the related computer account is disabled or deleted, you will be denied access to remote resources when connecting to those resources from this computer. As an example, if you are trying to access FileServer75 from CustServicePC83, you will be denied access if the computer account is disabled or deleted. The system event log on the remote computer (FileServer75) should log related NETLOGON errors specifically related to the computer account, such as the following with event ID 5722:

The session setup from the computer CORPPC18 failed to authenticate. The name(s) of the account(s) referenced in the security database is CORPPC18$. The following error occurred: Access is denied.

With Kerberos authentication, a computer’s system time can affect authentication. If a computer’s system time deviates outside the permitted norms set in group policy, the computer will fail authentication.

If you are still experiencing problems, check the computer’s group membership and the container in which it is located in Active Directory. Computer accounts, like user accounts, can be made members of specific groups and are placed in a specific container in Active Directory. The group membership of a computer determines many permissions with regard to security and resource access. Changing a computer’s group membership can significantly affect security and resource access. The container in which a computer is placed determines how Group Policy is applied to the computer.
Moving a computer to a different container or OU can significantly affect the way policy settings are applied.
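The checks described in this section (NETLOGON event IDs 3210 and 5722, the computer password/trust, and Kerberos time skew), gathered into one script as an added example that is not from the book. It assumes Windows PowerShell 2.0 or later (a separate download for Windows Server 2008) in an elevated session on the affected domain member; DC01.example.local is a placeholder name.

```powershell
# Added example (not from the book). Assumes Windows PowerShell 2.0 or later
# in an elevated session on the affected domain member; the domain controller
# name below is a placeholder.
function Test-ComputerAccountHealth {
    param([string]$DomainController = 'DC01.example.local')   # placeholder

    # 1. NETLOGON events the chapter calls out: 3210 (this computer could not
    #    authenticate with the DC) and 5722 (session setup failed; logged on
    #    the resource server being contacted).
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5722
                } -MaxEvents 20 -ErrorAction SilentlyContinue)

    # 2. Secure channel (machine password/trust) test. $false matches the
    #    "prompted for credentials where you weren't before" symptom.
    $secureChannel = Test-ComputerSecureChannel -Server $DomainController

    # 3. Kerberos clock skew against the DC. w32tm speaks NTP, so it still
    #    works when the trust is broken; /dataonly prints lines such as
    #    "10:12:26, +00.0043214s", and the offset is read from the last one.
    $chart = @(& w32tm.exe /stripchart "/computer:$DomainController" /samples:1 /dataonly)
    $offsetLine = $chart | Where-Object { $_ -match '[+-]\d+\.\d+s' } | Select-Object -Last 1
    $skew = $null
    if ($offsetLine -match '([+-]\d+\.\d+)s') { $skew = [double]$Matches[1] }

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        DomainController   = $DomainController
        NetlogonErrorCount = $events.Count
        LastNetlogonError  = $(if ($events.Count) { $events[0].Message.Split("`n")[0] } else { $null })
        SecureChannelOK    = $secureChannel
        ClockSkewSeconds   = $skew
        # Domain Kerberos policy tolerates 5 minutes of skew by default.
        SkewWithinLimit    = ($skew -ne $null -and [Math]::Abs($skew) -le 300)
    }
}

$health = Test-ComputerAccountHealth
$health | Format-List

# Remedy for the password/trust case the chapter describes: reset the machine
# account password with the DC (run as a user allowed to reset the computer
# account), then reboot so the new secure channel is used.
if (-not $health.SecureChannelOK) {
    Reset-ComputerMachinePassword -Server $health.DomainController
}
```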
CHAPTER 36 Managing Group Policy

Understanding Group Policy (page 1234)
Implementing Group Policy (page 1238)
Managing Group Policy Through Delegation (page 1249)
Managing Group Policy Inheritance and Processing (page 1254)
Using Scripts in Group Policy (page 1264)
Applying Group Policy Through Security Templates (page 1266)
Maintaining and Troubleshooting Group Policy (page 1268)

Group Policy is designed to simplify administration by allowing administrators to configure user and computer settings in Active Directory Domain Services and then have those policies automatically applied to computers and enforced for computer and user accounts throughout an organization. Not only does this provide central management of computers, it also helps to automate key administrative tasks. Using Group Policy, you can accomplish the following tasks:

Configure security policies for account lockout, passwords, Kerberos, and auditing
Redirect special folders such as a user’s Documents folder to centrally managed network shares
Lock down computer desktop configurations
Define logon, logoff, shutdown, and startup scripts
Automate the installation of application software
Maintain Microsoft Internet Explorer and configure standard settings

Some of these features such as security policies and folder redirection have been discussed in previous chapters. Other features are discussed in this chapter. The focus of this chapter, however, is on the management of Group Policy, which is the most challenging aspect of implementing Group Policy in an organization.
Note: Group Policy settings for Windows Server 2008 have changed considerably. Under the Computer Configuration and User Configuration nodes, you find two new nodes: Policies and Preferences. Settings for general policies are listed under the Policies node. Settings for general preferences are listed under the Preferences node. When referencing settings under the Policies node, I’ll use shortcut references, such as User Configuration\Administrative Templates\Windows Components rather than User Configuration\Policies\Administrative Templates: Policy Definitions\Windows Components. This shortcut reference tells you the policy setting being discussed is under User Configuration rather than Computer Configuration and can be found under Administrative Templates\Windows Components.

Understanding Group Policy

You can think of Group Policy as a set of rules that help you manage users and computers. Like any set of rules, Group Policy is effective only under certain conditions. You can use Group Policy to manage servers running Microsoft Windows 2000 Server and later as well as client workstations running Windows 2000 and later. You cannot use Group Policy to manage Windows NT, Windows 95, Windows 98, or Windows Me.

Note: Like Active Directory, Group Policy has gone through several revisions. As a result of these revisions, some policies work only with a version of the Windows operating system that is compatible with a particular revision. For example, some group policies are compatible with Windows 2000, Windows XP Professional, Windows Vista, Windows Server 2003 and Windows Server 2008, while others are compatible only with Windows XP Professional and Windows Server 2003 or with Windows Vista and Windows Server 2008. You can check compatibility when you are editing individual policy settings.

Local and Active Directory Group Policy

Two types of group policies are available.
The first type is local group policy, which is stored locally on individual computers in the %SystemRoot%\System32\GroupPolicy folder and applies only to a particular computer. Every computer running Windows 2000 or later has one or more local group policies. For a computer in a workgroup, local group policy is the only group policy available. A computer in a domain also has a local group policy, but it is not the only group policy available, and this is where the
second type of group policy, called Active Directory group policy (or more commonly just “group policy”), comes into the picture.

The physical components of Active Directory group policy, called the Group Policy Template (GPT), are stored in the Sysvol folder. Active Directory uses this folder to replicate policies, and the template is represented logically as an object called a Group Policy object (GPO). A GPO is simply a container for the policies you configure and their settings that can be linked to sites, domains, and organizational units (OUs) in your Active Directory structure. You can create multiple GPOs, and by linking those objects to different locations in your Active Directory structure, you can apply the related policy settings to the users and computers in those Active Directory containers.

When you create a domain, two Active Directory group policies are created:

Default Domain Controllers Policy GPO: A default GPO created for the Domain Controllers OU and applicable to all domain controllers in a domain as long as they are members of this OU.
Default Domain Policy GPO: A default GPO that is created for and linked to the domain within Active Directory.

You can create additional GPOs as necessary and link them to the sites, domains, and OUs you’ve created. Linking a GPO to your Active Directory structure is how you apply Group Policy. For example, you could create a GPO called Technology Policy and then link it to the Technology OU. The policy then applies to that OU.

Group Policy Settings

Group Policy applies only to users and computers. Although groups can be used to specify to which users a particular policy applies, the actual policies are applied only to members of these groups. Group Policy settings are divided into two categories: Computer Configuration and User Configuration. Computer Configuration contains settings that apply to computers. User Configuration contains settings that apply to user accounts.
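Because each GPO has a physical half in Sysvol (the GPT) and a logical half in the directory, the two can drift apart when replication lags. The following added example (not the book's code) reads each GPT's gpt.ini and compares its version counters with the ones Active Directory holds; it assumes the GroupPolicy PowerShell module (GPMC on Windows Server 2008 R2 or later) and read access to the domain's Sysvol share.

```powershell
# Added example (not from the book). Assumes the GroupPolicy module and read
# access to \\<domain>\SYSVOL; $Domain defaults to the current DNS domain.
Import-Module GroupPolicy

# gpt.ini carries a single Version DWORD: the computer-side version number is
# the low 16 bits and the user-side version number is the high 16 bits.
function Split-GptVersion {
    param([long]$Version)
    New-Object PSObject -Property @{
        Computer = $Version -band 0xFFFF
        User     = [long][Math]::Floor($Version / 65536) -band 0xFFFF
    }
}

# For every GPO, compare the version the directory holds (DSVersion) with the
# one in the GPT's gpt.ini. A lasting gap means Sysvol replication or the GPT
# itself is out of step with the directory, and clients may apply stale
# settings or none at all.
function Get-GpoTemplateStatus {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $gptIni = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\gpt.ini"
        $gpt = $null
        foreach ($line in @(Get-Content $gptIni -ErrorAction SilentlyContinue)) {
            if ($line -match '^Version=(\d+)') { $gpt = Split-GptVersion ([long]$Matches[1]) }
        }
        New-Object PSObject -Property @{
            Name               = $gpo.DisplayName
            Id                 = $gpo.Id
            Status             = $gpo.GpoStatus
            TemplateFound      = ($gpt -ne $null)
            ComputerDSVersion  = $gpo.Computer.DSVersion
            ComputerGptVersion = $(if ($gpt) { $gpt.Computer } else { $null })
            UserDSVersion      = $gpo.User.DSVersion
            UserGptVersion     = $(if ($gpt) { $gpt.User } else { $null })
            InSync             = ($gpt -ne $null -and
                                  $gpt.Computer -eq $gpo.Computer.DSVersion -and
                                  $gpt.User -eq $gpo.User.DSVersion)
        }
    }
}

# Out-of-sync or missing templates sort to the top.
Get-GpoTemplateStatus | Sort-Object InSync |
    Format-Table Name, Status, TemplateFound, InSync, ComputerDSVersion, ComputerGptVersion, UserDSVersion, UserGptVersion -AutoSize
```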
Figure 36-1 shows the Default Domain Policy for a computer. As you can see in the figure, both Computer Configuration–related and User Configuration–related settings are divided into three major classes, each of which contains several subclasses of settings:

Software Settings: Allow you to install software on computers and then maintain it by installing patches or upgrades. You can also uninstall software.
Windows Settings: Allow you to manage key Windows settings for both computers and users, including scripts and security. For users, you can also manage Remote Installation Services, folder redirection, and Internet Explorer maintenance.
Administrative Templates: Allow you to control Registry settings that configure the operating system, Windows components, and applications. Administrative Templates are implemented for specific operating system versions.
Figure 36-1 The Default Domain Policy.

Group Policy Architecture

Within the Windows operating system, the components of Group Policy have separate server and client implementations (see Figure 36-2). Each Group Policy client has client-side extensions that are used to interpret and apply Group Policy settings. The client-side extensions are implemented as dynamic-link libraries (DLLs) that are installed with the operating system. The main DLL for processing Administrative Templates is Userenv.dll. The Group Policy engine running on a client triggers the processing of policy when one of two events occurs: either the system is started or a user logs on to the computer. When a system is started and the network connection is initialized, computer policy settings are applied.

Administrators and others delegated permissions in Group Policy can use the Group Policy Management Editor to manage Group Policy. This snap-in for the Microsoft Management Console (MMC) provides the three top-level classes (Software Settings, Windows Settings, and Administrative Templates) that can be managed and makes use of a number of extensions. These extensions provide the functionality that allows you to configure various Group Policy settings. Some client-side extensions don’t have specific implementations on the server because they are Registry-based and can be configured through Administrative Templates.
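The client-side extensions described above are registered under a single registry key, one GUID-named subkey per DLL. This added example (not the book's code) enumerates them on the local computer and checks that each DLL is present and Authenticode-signed, which is a useful baseline because the engine loads these DLLs with high privilege during policy processing; it assumes Windows PowerShell 2.0 or later and the standard GPExtensions key location.

```powershell
# Added example (not from the book). Assumes Windows PowerShell 2.0 or later;
# the GPExtensions key is the standard registration point for client-side
# extensions (CSEs) on Windows 2000 and later.
function Get-GroupPolicyClientExtension {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty $key.PSPath
        $dll   = [Environment]::ExpandEnvironmentVariables([string]$props.DllName)
        # Bare file names resolve from System32, where the built-in CSEs live.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $exists = ($dll -ne '') -and (Test-Path $dll)
        # Computer policy is processed as SYSTEM, so a CSE DLL that is missing,
        # unsigned, or outside the expected location deserves a closer look.
        $sig = $(if ($exists) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' })
        New-Object PSObject -Property @{
            Guid        = $key.PSChildName
            Name        = $props.'(default)'
            DllName     = $dll
            Signature   = $sig
            MachineOnly = ($props.NoUserPolicy -eq 1)      # skipped for user policy
            UserOnly    = ($props.NoMachinePolicy -eq 1)   # skipped for computer policy
        }
    }
}

Get-GroupPolicyClientExtension | Sort-Object Name |
    Format-Table Name, DllName, Signature, MachineOnly, UserOnly -AutoSize
```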