Group Policy. Jeremy Moskowitz

autolaunch calc.exe for anyone logging into a computer in the Human Resources Computers OU, follow these steps:

1. If you’re not already logged in as Frank Rizzo, the Human Resources OU administrator, do so now on WIN10MANAGEMENT.

2. Choose Start and type GPMC.MSC in the Start Search prompt.

3. Drill down until you reach the Human Resources Computers OU, right-click it, and choose “Create a GPO in this domain, and Link it here” from the context menu.

4. Name the GPO something descriptive, such as “Auto-Launch calc.exe.”

5. Right-click the GPO, and choose Edit to open the Group Policy Management Editor.

6. We want to affect our client computers (not users), so we need to use the Computers node. To autolaunch calc.exe, drill down through Computer Configuration ⇒ Policies ⇒ Administrative Templates ⇒ System ⇒ Logon, and double-click Run these programs at user logon. Change the setting from Not Configured to Enabled.

7. Click the Show button, and the Show Contents dialog box appears. You’ll see that this policy setting has a little “table editor” associated with it. In the first “row,” simply enter the full path to calc.exe as c:\windows\system32\calc.exe and click OK, as shown in Figure 1-26. Click OK to close the Show Contents dialog box, and click OK again to close the Run these programs at user logon policy setting.


Figure 1-26: When this policy setting is enabled and calc.exe is specified, all computers in this OU will launch calc.exe when a user logs in.

8. Close the Group Policy Management Editor to return to the GPMC.
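The same GPO can be created, linked and populated from PowerShell with the GroupPolicy module that ships with the GPMC. The block below is an added example, not code from the book. It assumes the distinguished name of the Human Resources Computers OU (replace the placeholder), and it assumes that “Run these programs at user logon” is a registry-based policy stored under the Explorer\Run policy key with one string value per table row, named 1, 2, and so on. The last function is a defender-side check: because this policy launches whatever program is listed on every logon, it enumerates every GPO in the domain that sets it, so an entry nobody remembers creating stands out.

```powershell
# Added example (not from the book): PowerShell equivalent of steps 3 to 8,
# using the GroupPolicy module installed with the GPMC / RSAT.
Import-Module GroupPolicy

# Assumption: distinguished name of the target OU. Replace with your own.
$ouDn    = 'OU=Human Resources Computers,OU=Human Resources,DC=example,DC=local'
$gpoName = 'Auto-Launch calc.exe'

# Steps 3 and 4: create the GPO and link it to the OU.
New-GPO -Name $gpoName -Comment 'Demo: run calc.exe at user logon' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# Steps 6 and 7: the "Run these programs at user logon" setting under
# Computer Configuration is registry-based. Assumption: it lives under the
# Explorer\Run policy key, one REG_SZ value per row of the Show Contents
# table, named "1", "2", ...
$runKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Set-GPRegistryValue -Name $gpoName -Key $runKey -ValueName '1' `
    -Type String -Value 'c:\windows\system32\calc.exe' | Out-Null

# Read back what the GPO now carries (the same rows the Show Contents
# dialog displays).
Get-GPRegistryValue -Name $gpoName -Key $runKey

# Defender check: list every GPO in the domain that sets this policy, with
# the program paths it launches. GPOs that do not contain the key raise an
# error, which is caught and ignored.
function Get-LogonRunPolicies {
    foreach ($g in Get-GPO -All) {
        try {
            Get-GPRegistryValue -Guid $g.Id -Key $runKey -ErrorAction Stop |
                Where-Object { $_.ValueName } |
                Select-Object @{ n = 'GPO'; e = { $g.DisplayName } }, ValueName, Value
        } catch {
            # Key not present in this GPO: nothing to report.
        }
    }
}

Get-LogonRunPolicies | Format-Table -AutoSize
```

Run it from WIN10MANAGEMENT or DC01 while logged on with rights to create GPOs in the domain. The audit function is worth keeping in a scheduled task or change-review script, since the policy it inspects is a classic place for an unwanted autostart to hide in plain sight.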

Tip: Be aware of occasional strange Microsoft verbiage when you need to enable a policy to disable a setting. Since Windows 2003, most policy settings have been renamed to “Prohibit <whatever>” to reflect the change from confusion to clarity.

Moving Computers into the Human Resources Computers OU

Since you just created a policy that will affect computers, you’ll need to place a workstation or two inside the Human Resources Computers OU to see the results of your labor. You’ll need to be logged on as Administrator on DC01 or WIN10MANAGEMENT to do this.

Tip: Quite often computers and users are relegated to separate OUs. That way, certain GPOs can be applied to certain computers but not others. For instance, isolating laptops, desktops, and servers is a common practice.

In this example, we’re going to use the Find command in Active Directory Users and Computers to find your workstation named WIN10 and move it into the Human Resources Computers OU.

To find and move computers into a specific OU, follow these steps:

1. In Active Directory Users and Computers, right-click the domain, and choose Find from the context menu to open the “Find Users, Contacts, and Groups” dialog box.

2. From the Find drop-down menu, select Computers. In the Name field, type WIN10 to find the computer account of the same name. Once you’ve found it, right-click the account and choose Move from the context menu, as shown in Figure 1-27. Move the account to the Human Resources Computers OU.

3. Now that you’ve moved WIN10 (or other example machines) into the new OU, be sure to reboot those client computers.
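The Find-and-Move procedure above can be scripted with the ActiveDirectory module; the block below is an added example, not code from the book. It assumes the distinguished name of the Human Resources Computers OU (a placeholder to replace) and that the administrator running it has remote-management access to WIN10 for the restart. The final query lists everything now sitting in the OU, which is exactly the set of computers the new GPO will reach.

```powershell
# Added example (not from the book): PowerShell equivalent of the Find-and-Move
# steps. Run as a domain administrator on DC01 or WIN10MANAGEMENT.
Import-Module ActiveDirectory

# Assumption: distinguished name of the target OU. Replace with your own.
$targetOu = 'OU=Human Resources Computers,OU=Human Resources,DC=example,DC=local'

# Steps 1 and 2: "Find" is a filtered search; the result is the computer object.
$computer = Get-ADComputer -Filter "Name -eq 'WIN10'"
if (-not $computer) { throw 'Computer account WIN10 was not found in the domain.' }

# Move the account into the OU and show where it landed.
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
(Get-ADComputer -Identity 'WIN10').DistinguishedName

# Step 3: the client keeps acting on its old OU placement until it restarts
# (see Chapter 3). Restart-Computer needs WMI/WinRM access to the client;
# drop -Force if you want logged-on users to be able to block the restart.
Restart-Computer -ComputerName 'WIN10' -Force

# Check: every computer account now inside the OU, i.e. the GPO's computer scope.
Get-ADComputer -Filter * -SearchBase $targetOu |
    Select-Object Name, DistinguishedName
```

Because OU placement decides which computer GPOs apply, the closing query is also a useful sanity check before linking anything with real teeth: if a server or a management workstation shows up in a client OU, it will receive the client policy too.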

Warning: After you move the computer accounts into the Human Resources Computers OU, it’s very important to reboot your client machines. As you’ll see in Chapter 3, the computer does not recognize the change right away when computer accounts are moved between OUs.

As you can see in this example (and in the real world), a best practice is to separate users and computers into their own OUs and then link GPOs to those OUs. Indeed, underneath a parent OU structure, such as the Human Resources OU, you might have more OUs (that is, a Human Resources Laptops OU, a Human Resources Servers OU, and so on). This gives you the most flexibility to delegate control where it’s needed while keeping the GPO design within each OU manageable. Just remember that for a GPO to affect a user or computer, that user or computer must be within the scope of the GPO: site, domain, or OU.


Figure 1-27: Use the Find command to find computers in the domain, then right-click the entry and select Move to move them.

Verifying Your Cumulative Changes

At this point, you’ve set up three levels of Group Policy that accomplish multiple actions:

● At the site level, the “Hide Screen Saver Option” GPO is in force for users.

● At the domain level, the “Prohibit Changing Sounds” GPO is in force for users.

● In the Human Resources Users OU, the “Hide Mouse Pointers Option/Restore Screen Saver Option” GPO is in force for users.

● In the Human Resources Computers OU, the “Auto-Launch calc.exe” GPO is in force for computers.

At this point, take a minute to flip back to Figure 1-11 (the swimming pool illustration) to see where we’re going here. To see the accumulation of your policy settings inside your GPOs, you’ll need to log on as a user who is affected by the Human Resources Users OU and at a computer that is affected by the Human Resources Computers OU. Therefore, log on as Frank Rizzo at WIN10.

If you’re using Windows 10, right-click the Desktop and choose Personalize. Note that the removal of “Change mouse pointers” is still in force (and the Screen Saver entry is restored). And, when you logged in as Frank Rizzo, did the computer GPO autolaunch Windows Calculator?
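Instead of eyeballing the Personalize dialog, you can ask the client which GPOs actually applied to Frank on WIN10 by generating a Resultant Set of Policy report. The block below is an added example, not code from the book. It assumes the domain NetBIOS name CORP and the logon name frizzo as placeholders for Frank Rizzo’s account, that the administrator running it can query WIN10 remotely, and that the XML report follows the Rsop schema layout where ComputerResults and UserResults each contain GPO elements with Name, Enabled, IsValid and AccessDenied children.

```powershell
# Added example (not from the book): produce an RSoP report for Frank Rizzo
# on WIN10 and list which GPOs applied on the computer side and the user side.
Import-Module GroupPolicy

# Assumptions: CORP\frizzo is a placeholder for Frank Rizzo's account;
# the report path is a scratch file in %TEMP%.
$report = Join-Path $env:TEMP 'rsop-win10-frizzo.xml'
Get-GPResultantSetOfPolicy -Computer 'WIN10' -User 'CORP\frizzo' `
    -ReportType Xml -Path $report | Out-Null

[xml]$rsop = Get-Content -Path $report

# Assumption: the Rsop XML schema, where each <GPO> node carries
# <Name>, <Enabled>, <IsValid> and <AccessDenied>. Only GPOs that really
# applied (enabled, valid and not denied by security filtering) are returned.
function Get-AppliedGpoNames($results) {
    $results.GPO |
        Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' -and $_.AccessDenied -eq 'false' } |
        ForEach-Object { $_.Name }
}

'Computer-side GPOs applied to WIN10:'
Get-AppliedGpoNames $rsop.Rsop.ComputerResults

'User-side GPOs applied to Frank Rizzo:'
Get-AppliedGpoNames $rsop.Rsop.UserResults
```

With the four GPOs from this chapter in place, “Auto-Launch calc.exe” should appear on the computer side and the screen saver, sounds and mouse pointer GPOs on the user side. Any name you did not expect in either list is a GPO that is also in scope for this user or computer and deserves a look at its link and security filtering before you go further.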

Tip: These tests prove that even OU administrators are not automatically immune from GPOs and the policy settings within. Under the hood, they are in the Authenticated Users security group. See Chapter 2 for information on how to modify this behavior.

The Three Possible Settings: Not Configured, Enabled, and Disabled

As you saw in Figure 1-2 earlier in this chapter, nearly all administrative template policy settings can be set as Not Configured, Enabled, or Disabled. These three settings have very different consequences, so it’s important to understand how each works.

Not Configured: The best way to think about Not Configured is to imagine that it really says, “Don’t do anything” or even “Pass through.” Why is this? Because if a policy setting is set to Not Configured, then it honors any previously set setting (or the operating system default).

Enabled: When a specific policy setting is enabled, the policy will take effect. In the case of the Prohibit Changing Sounds policy setting, the effect is obvious. However, lots of policy settings, once enabled, have myriad possibilities inside the specific policy setting! (For a gander at one such policy setting, use the Group Policy Management Editor and drill down to User Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Windows Components ⇒ Internet Explorer ⇒ Toolbars and select the policy setting named Configure Toolbar Buttons.) So, as you can see, Enabled really means “Turn this

