Group Policy. Jeremy Moskowitz
Figure 1-20: When you complete all these steps, your Human Resources OU should have a Human Resources Users OU and Human Resources Computers OU. In the users’ side, put Frank Rizzo and the HR-OU-Admins.
Alternatively, you can create the OU in the GPMC. Just right-click the domain and choose New Organizational Unit from the context menu.
To create the HR-OU-Admins group, follow these steps:
1. In Active Directory Users and Computers, right-click the new Human Resources Users OU and choose New ⇒ Group.
2. Create the new group HR-OU-Admins as a new global security group.
To create the first user to go inside HR-OU-Admins, follow these steps:
1. In Active Directory Users and Computers, right-click the Human Resources Users OU and choose New ⇒ User.
2. Name the user Frank Rizzo, with an account name of frizzo, and click Next.
3. Modern domains require a complex password for a user. Again, my suggested password is p@ssw0rd. That’s a lowercase p, the at sign, an s, an s, a w, a zero, then r, and d.
4. Finish and close the wizard.
If you’re following along, Frank Rizzo’s login will be [email protected].
Easily Manage New Users and Computers
The Computers folder and Users folder in Active Directory Users and Computers are not OUs. They are generic containers. You’ll notice that they are not present when you’re using the GPMC to view Active Directory. Because they are generic containers (and not OUs), you cannot link Group Policy Objects to them. Of course, these objects will receive GPOs if linked to the domain, because the containers are still in the domain. They just aren’t OUs in the domain.
These folders have two purposes:
● If you ever did an upgrade from NT 4 domains to Active Directory, these User and Computer accounts would wind up in these folders. (Administrators are then supposed to move the accounts into OUs.)
● The two folders are the default location where older tools drop new accounts when creating new users and computers. Additionally, command-line tools, such as net user and net group, will add accounts to these two folders. Similarly, the Computers folder is the default location for any new client workstation or server that joins the domain. The same goes when you create computer accounts using the net computer command.
So, these seem like decent “holding pens” for these kinds of objects. But ultimately, you don’t want your users or computers to reside in these folders for very long – you want them to end up in OUs. That’s where the action is because you can apply Group Policy to OUs, not to these folders! Yeah, sure, these users and computers are affected by site- and domain-level GPOs. But the action is at the OU level, and you want your computer and user objects to be placed in OUs as fast as possible – not sitting around in these generic Computers and Users folders.
To that end, domains that are at least at the “Windows 2003 functional level” have two tools to redirect the default location of new users and computers to the OUs of your choice. For example, suppose you want all new computers to go to a NewComputers OU and all new users to go to a NewUsers OU. And you want to link several GPOs to the NewUsers and NewComputers OUs to ensure that new accounts immediately have some baseline level of security, restriction, or protection. Without a little magic, new user accounts created using older tools won’t automatically be placed there.
Starting with Windows 2003 Active Directory, Microsoft provided REDIRUSR and REDIRCMP commands that take a distinguished name, like this:
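The redirect as a scripted lab step, with the functional-level check before it and a verification after it. This is an added example, not text from the book; it assumes the RSAT ActiveDirectory module and a Domain Admin session on a machine where redirusr.exe and redircmp.exe are available (they ship on domain controllers). The OU names NewUsers and NewComputers follow the text; the domain is whatever Get-ADDomain returns, and the probe account name is made up here.

```powershell
# Added example (not the book's own text): redirect where new user and computer
# accounts land, with a functional-level check first and a verification after.
# Assumes RSAT ActiveDirectory, a Domain Admin session, and redirusr/redircmp
# on the path (present on domain controllers).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# REDIRUSR/REDIRCMP require the Windows Server 2003 domain functional level or higher.
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2003 or later first."
}

# Create the two target OUs directly under the domain if they do not exist yet.
$targets = @{ NewUsers = $null; NewComputers = $null }
foreach ($name in @($targets.Keys)) {
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $name -Path $domainDn -PassThru
    }
    $targets[$name] = $ou.DistinguishedName
}

# Point the well-known Users and Computers containers at the new OUs.
redirusr $targets['NewUsers']
if ($LASTEXITCODE -ne 0) { throw "redirusr failed with exit code $LASTEXITCODE" }
redircmp $targets['NewComputers']
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# Verify: the domain object now reports the redirected default containers.
Get-ADDomain | Select-Object UsersContainer, ComputersContainer

# Prove the effect: a user created without an explicit -Path goes to the domain's
# default container, the same place older tools such as net user put it, so it
# should now show up under NewUsers. The probe (a made-up name) is created
# disabled with no password and removed again immediately.
$probe = New-ADUser -Name 'redir-probe' -Enabled $false -PassThru
$probe.DistinguishedName
Remove-ADUser -Identity $probe -Confirm:$false
```

Run it once per domain; the redirect is stored on the domain object, so every domain controller honours it after replication. The probe step is what tells you the GPOs linked to NewUsers will actually reach accounts created by tools that never ask for an OU.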
Now if you link GPOs to these OUs, your new accounts will get the Group Policy Objects dictating settings to them at an OU level. This will come in handy when users and computers aren’t specifically created in their final destination OUs.
To learn more about these tools, see the Microsoft Knowledge Base article 324949 at http://support.microsoft.com/kb/324949.
To add Frank Rizzo to the HR-OU-Admins group, follow these steps:
1. Double-click the HR-OU-Admins group.
2. Click the Members tab.
3. Add Frank Rizzo.
When it’s all complete, your OU structure with your first user and group should look like Figure 1-20, shown previously.
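The same OU, group and user build-out done with the RSAT ActiveDirectory module rather than the GUI, so it can be repeated in a fresh lab. This is an added example, not the book's own steps; it assumes a Domain Admin session, derives the domain from Get-ADDomain, and prompts for Frank's password instead of embedding it.

```powershell
# Added example (not the book's steps): build the Human Resources OU structure,
# the HR-OU-Admins group and the frizzo account, then check the result.
# Assumes RSAT ActiveDirectory and a Domain Admin session.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$hrOu      = "OU=Human Resources,$domainDn"
$hrUsersOu = "OU=Human Resources Users,$hrOu"
$hrCompsOu = "OU=Human Resources Computers,$hrOu"

# 1. Top-level OU plus the two child OUs. Accidental-deletion protection is
#    switched off so the lab OUs can be removed later without an extra step.
New-ADOrganizationalUnit -Name 'Human Resources'           -Path $domainDn -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name 'Human Resources Users'     -Path $hrOu     -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name 'Human Resources Computers' -Path $hrOu     -ProtectedFromAccidentalDeletion $false

# 2. HR-OU-Admins as a global security group inside the users OU.
New-ADGroup -Name 'HR-OU-Admins' -SamAccountName 'HR-OU-Admins' `
    -GroupScope Global -GroupCategory Security -Path $hrUsersOu

# 3. Frank Rizzo (frizzo). The password is prompted for rather than stored in
#    the script; the book's lab suggestion is p@ssw0rd, which satisfies the
#    default complexity requirement.
$password = Read-Host -Prompt 'Password for frizzo' -AsSecureString
New-ADUser -Name 'Frank Rizzo' -GivenName 'Frank' -Surname 'Rizzo' -SamAccountName 'frizzo' `
    -UserPrincipalName "frizzo@$($domain.DNSRoot)" -Path $hrUsersOu `
    -AccountPassword $password -Enabled $true

# 4. Put Frank in the group.
Add-ADGroupMember -Identity 'HR-OU-Admins' -Members 'frizzo'

# Check against Figure 1-20: two child OUs, one group and one user under HR,
# and frizzo listed as the group's member.
Get-ADObject -SearchBase $hrOu -Filter * -SearchScope Subtree | Select-Object Name, ObjectClass
Get-ADGroupMember -Identity 'HR-OU-Admins' | Select-Object Name, SamAccountName
```

The `$hrCompsOu` variable is kept so the same script can later place lab workstations with `-Path $hrCompsOu`; nothing in this chapter's steps puts an object there yet.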
Delegating Control for Group Policy Management
You’ve created the Human Resources OU, which contains the Human Resources Users OU and the Human Resources Computers OU and the HR-OU-Admins security group. Now, put Frank inside the HR-OU-Admins group, and you’re ready to delegate control.
Performing Your First Delegation
You can delegate control to use Group Policy in two ways: using Active Directory Users and Computers and using the GPMC.
For this first example, we’ll kick it old school and do it the Active Directory Users and Computers way. Then, in Chapter 2, I’ll demonstrate how to delegate control using the GPMC.
To delegate control for Group Policy management, follow these steps:
1. In Active Directory Users and Computers, right-click the top-level Human Resources OU you created and choose Delegate Control from the context menu to start the “Delegation of Control Wizard.”
2. Click Next to get past the wizard introduction screen.
3. You’ll be asked to select users and/or groups. Click Add, add the HR-OU-Admins group, and click Next to open the “Tasks to Delegate” screen, shown in Figure 1-21.
Figure 1-21: Select the “Manage Group Policy links” task.
4. Click “Manage Group Policy links,” and then click Next.
5. At the wizard review screen, click Finish.
You might want to click some or all the other check boxes as well, but for this example, only “Manage Group Policy links” is required. Avoid selecting “Generate Resultant Set of Policy (Planning)” and “Generate Resultant Set of Policy (Logging)” at this time. You’ll see where these options come into play in Chapter 2.
The “Manage Group Policy links” delegation assigns the user or group Read and Write access over the gPLink and gPOptions properties for that level. To see or modify these permissions by hand, open Active Directory Users and Computers and choose View ⇒ Advanced Features. If later you want to remove a delegated permission, it’s a little challenging. To locate the permission that you set, right-click the delegated object (such as an OU), choose Properties, click the Security tab, choose Advanced, and dig around until you come across the permission you want to remove. Finally, delete the corresponding access control entry (ACE).
Adding a User to the Server Operators Group (Just for This Book)
Under normal conditions,