Group Policy. Jeremy Moskowitz

Controllers and log on. For testing purposes only, though, we’re going to add our user, Frank, to the Server Operators group so he can easily work on our DC01 Domain Controller when we want him to.

      To add a user to the Server Operators group, follow these steps:

      1. In Active Directory Users and Computers, double-click Frank Rizzo’s account under the Human Resources Users OU.

      2. Click the Member Of tab and click Add.

      3. Select the Server Operators group and click OK.

      4. Click OK to close the Properties dialog box for Frank Rizzo.

      Normally, you wouldn’t give your delegated OU administrators Server Operators access. You’re doing it solely for the sake of this example to allow Frank to log on locally to your Domain Controllers.

      Testing Your Delegation of Group Policy Management

      At this point, on your WIN10MANAGEMENT machine, log off as Administrator and log in as Frank Rizzo ([email protected]).

      Now follow these steps to test your delegation:

      1. Choose Start and type GPMC.MSC at the Start Search prompt to open the GPMC.

2. Drill down through Group Policy Management, Domains, Corp.com, and Group Policy Objects. If you right-click Group Policy Objects in an attempt to create a new GPO, you’ll see the context menu shown in Figure 1-22.

As you can see, Frank is unable to create new GPOs in the swimming pool of the domain. Since Frank has been delegated some control over the Human Resources OU (which also contains the other OUs), let’s see what he can do. If you right-click the Human Resources OU in the GPMC, you’ll see the context menu shown in Figure 1-23.


Figure 1-22: Frank cannot create new GPOs in the Group Policy Objects container.


Figure 1-23: Frank’s delegated rights allow him to link to existing GPOs but not to create new GPOs.

      Because Frank is unable to create GPOs in the swimming pool of the domain (the Group Policy Objects container), he is also unable by definition to “Create a GPO in this domain, and Link it here.” Although Frank (and more specifically, the HR-OU-Admins) has been delegated the ability to “Manage Group Policy links,” he cannot create new GPOs. Frank (and the other potential HR-OU-Admins) has only the ability to link an existing GPO.

      Understanding Group Policy Object Linking Delegation

      When we were logged on as the Domain Administrator, we could create GPOs in the Group Policy Objects container, and we could “Create a GPO in this domain, and Link it here” at the domain or OU levels. But Frank cannot.

      Here’s the idea about delegating the ability to link to GPOs: someone with a lot of brains in the organization does all the work in creating a well-thought-out and well-tested GPO. Maybe this GPO distributes software, maybe it sets up a secure workstation policy, or perhaps it runs a startup script. You get the idea.

      Then, others in the organization, like Frank, are delegated just the ability to link to that GPO and use it at their level. This solves the problem of delegating perhaps too much control. Certainly some administrators are ready to create their own users and groups, but other administrators may not be quite ready to jump into the cold waters of Group Policy Object creation. Thus, you can design the GPOs for other administrators; they can just link to the ones you (or others) create.

      When “Link an Existing GPO” is selected (as seen in Figure 1-23), any GPO which lives in the Group Policy Objects “swimming pool” can be selected.

      In this example, the HR-OU-Admins members, such as Frank, can leverage any currently created GPO to affect the users and computers in their OU – even if they didn’t create it themselves. In this example, Frank has linked to an existing GPO called “Word 2003 Settings.” Turns out that some other administrator in the domain created this GPO, but Frank wants to use it. So, because Frank has “Manage Group Policy links” rights on the Human Resources OU (and OUs underneath it), he is allowed to link to it.

But, as you can see in Figure 1-24, he cannot edit the GPOs. Under the hood, Active Directory doesn’t permit Frank to edit GPOs he didn’t create (and therefore doesn’t own).

      Tip: In Chapter 2, I’ll show you how to grant specific rights to allow more than just the original creator (and now owner) of the object to edit specific GPOs.

      Giving the ability to just link to existing GPOs is a good idea in theory, but often OU administrators are simply given full authority to create their own GPOs (as you’ll see later). For this example, don’t worry about linking to any GPOs. Simply cancel out of the Select GPO screen, close the GPMC, and log off from the server as Frank Rizzo.


Figure 1-24: The GPMC will not allow you to edit an existing GPO if you do not own it (or do not have explicit permission to edit it).

      Granting OU Admins Access to Create New Group Policy Objects

      By using the “Delegation of Control Wizard” to delegate the “Manage Group Policy links” attribute, you performed half of what is needed to grant the appropriate authority to Frank (and any additional future HR-OU-Admins) to create GPOs in the Group Policy Objects container and link them to the Human Resources OU, the Human Resources Users OU, or the Human Resources Computers OU (though we really don’t want to link many GPOs directly to the Human Resources OU).

      You can grant the HR-OU-Admins the ability to create GPOs in the Group Policy Objects container in two ways. For now, I’ll show you the old-school way; in Chapter 2, I’ll show you the GPMC way.

      One of Active Directory’s built-in security groups, Group Policy Creator Owners, holds the key to the other half of our puzzle. You’ll need to add those users or groups that you want to have the ability to create GPOs to a built-in group, cleverly named Group Policy Creator Owners. To do so, follow these steps:

      1. Log off and log back on as Domain Administrator.

      2. Fire up Active Directory Users and Computers.

      3. By default, the Group Policy Creator Owners group is located in the Users folder in the domain. Double-click the Group Policy Creator Owners group and add the HR-OU-Admins group and/or Frank Rizzo.

      Tip: In Chapter 2, you’ll see an alternate way to allow users to create GPOs.
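      The two halves of the delegation described above (“Manage Group Policy links” on the OU, and membership in Group Policy Creator Owners for creating GPOs) plus the per-GPO edit rights shown in Figure 1-24 can all be checked from PowerShell instead of clicking through the GPMC. The following script is an added example, not code from the book; it uses the RSAT ActiveDirectory and GroupPolicy modules. The group, user and GPO names are the chapter’s; the function names, the NetBIOS domain name CORP and the distinguished name of the Human Resources OU are my assumptions.

```powershell
# Added example, not code from the book: audit GPO delegation for one trustee
# using the RSAT ActiveDirectory and GroupPolicy modules. Function names, the
# NetBIOS name CORP and the OU distinguished names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Resolve an attribute or class name to its schemaIDGUID rather than hardcoding GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Allow ACEs on an AD object that grant $Trustee the given right, either on the
# specific attribute/class GUID or on all object types ([guid]::Empty).
function Get-TrusteeAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Trustee,   # NetBIOS form, e.g. 'CORP\HR-OU-Admins'
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Right) -ne 0) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    }
}

# Half one: the wizard's "Manage Group Policy links" task is Read/Write on the
# gPLink and gPOptions attributes of the OU (inherited by the OUs beneath it).
function Test-GPLinkDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName,
          [Parameter(Mandatory)][string]$Trustee)
    $result = [ordered]@{ OU = $OUDistinguishedName; Trustee = $Trustee }
    foreach ($attr in 'gPLink', 'gPOptions') {
        $ace = Get-TrusteeAce -DistinguishedName $OUDistinguishedName -Trustee $Trustee `
                              -Right WriteProperty -ObjectType (Get-SchemaGuid $attr)
        $result["CanWrite_$attr"] = [bool]$ace
    }
    return [pscustomobject]$result
}

# Half two: a new GPO is a groupPolicyContainer child of CN=Policies,CN=System (the
# GPMC's Group Policy Objects container). Creation needs CreateChild there, held by
# default by Group Policy Creator Owners, so either a direct ACE or (nested)
# membership in that group grants it.
function Test-GPOCreateDelegation {
    param([Parameter(Mandatory)][string]$SamAccountName)   # user or group, e.g. 'HR-OU-Admins'
    $domain     = Get-ADDomain
    $policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $direct = Get-TrusteeAce -DistinguishedName $policiesDN `
                             -Trustee "$($domain.NetBIOSName)\$SamAccountName" `
                             -Right CreateChild -ObjectType (Get-SchemaGuid 'groupPolicyContainer')
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested group membership in a single query.
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    $gpcoDN    = (Get-ADGroup -Identity 'Group Policy Creator Owners').DistinguishedName
    $viaGroup  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))" |
                 Where-Object { $_.DistinguishedName -eq $gpcoDN }
    [pscustomobject]@{
        Principal            = $SamAccountName
        DirectCreateChildAce = [bool]$direct
        InGPCreatorOwners    = [bool]$viaGroup
        CanCreateGPOs        = [bool]$direct -or [bool]$viaGroup
    }
}

# Half three (Figure 1-24): per-GPO permissions and owner. GpoRead/GpoApply is
# enough to link a GPO (given half one) but not to edit it.
function Get-GPOEditRights {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$Trustee)   # NetBIOS form
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $levels = @(Get-GPPermission -Name $GpoName -All |
                Where-Object { $_.Trustee.Sid -eq $sid } |
                ForEach-Object { [string]$_.Permission })
    [pscustomobject]@{
        Gpo        = $GpoName
        Owner      = (Get-GPO -Name $GpoName).Owner
        Trustee    = $Trustee
        Permission = if ($levels) { $levels -join ',' } else { 'none' }
        CanEdit    = [bool]($levels | Where-Object { $_ -in 'GpoEdit', 'GpoEditDeleteModifySecurity' })
    }
}

# Usage with the chapter's names (OU DN assumed); run as Domain Administrator.
$hrOU = 'OU=Human Resources,DC=Corp,DC=com'
Test-GPLinkDelegation -OUDistinguishedName $hrOU -Trustee 'CORP\HR-OU-Admins'
Test-GPOCreateDelegation -SamAccountName 'HR-OU-Admins'     # CanCreateGPOs False before step 3 above
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'HR-OU-Admins'
Test-GPOCreateDelegation -SamAccountName 'HR-OU-Admins'     # now True via group membership
Get-GPOEditRights -GpoName 'Word 2003 Settings' -Trustee 'CORP\HR-OU-Admins'
```

      Run before and after step 3, the second function shows the effect of the group membership without any change to the ACL on CN=Policies itself: the CreateChild ACE belongs to Group Policy Creator Owners, and HR-OU-Admins inherits it only through membership, which is why the check walks nested groups rather than reading a single ACE. The third function makes the Figure 1-24 behavior visible: a trustee listed with only GpoRead and GpoApply on “Word 2003 Settings” is not its owner and has no GpoEdit entry, so the GPMC refuses to open it in the editor.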

      Creating and Linking Group Policy Objects at the OU Level

      At the site level, we hid the Screen Saver option. At the domain level, we chose to get rid of the Sounds option in the Windows 10 Personalization page.

      At the OU level, we have two jobs to do:

      ● Prevent users from changing the mouse pointers (a Windows 7 and later policy setting)

      ● Restore the Screen Saver option that was taken away at the site level

      To create a GPO at the OU level, follow these steps:

      1. Since you’re on WIN10MANAGEMENT, log off as Administrator and log back on as Frank Rizzo ([email protected]).

      2. Choose Start and type GPMC.MSC in the Start Search prompt.

      3. Drill

