Group Policy. Jeremy Moskowitz
“Group Policy” as a name isn’t, well, excellent. At cocktail parties, when I tell the person next to me that I teach, write about, and make software to extend Group Policy, they don’t get what “Group Policy” means.
If I said something like “I teach databases,” he would cheerfully go back to his scotch and soda and leave me alone. But because I say, “I teach Group Policy to smart people looking to get smarter and build software that hooks into Group Policy,” he (unfortunately) wants to know more. He’ll say something like “What does that mean? I’ve never heard of Group Policy before.” And while I love talking about Group Policy with you, my friendly IT geeks, at a cocktail party full of stuffed shirts, I just want to get another canapé.
So, the name “Group Policy” can be kind of confusing, but it’s also intriguing. Microsoft’s perspective is that the name “Group Policy” is derived from the fact that you are “grouping together policy settings.” I don’t really love the name “Group Policy” – but it’s the name we have, so that’s what it’s called. As Juliet said in Romeo and Juliet (II, ii, 43–44), “What’s in a name? That which we call a rose by any other name would smell as sweet.”
For me, if I had been consulted, I might have named it Windows Policy or Microsoft Policy. But, alas. Group Policy is the name it has.
Group Policy is, in essence, rules that are applied and enforced at multiple levels of Active Directory. Policy settings you dictate must be adhered to by your users and computers. This provides great power and efficiency when manipulating client systems.
Instead of running around from machine to machine, you’re in charge (not your users).
When going through the examples in this book, you will play the various parts of the end user, the OU administrator, the domain administrator, and the enterprise administrator. Your mission is to create and define Group Policy using Active Directory and witness it being automatically enforced. What you say goes! With Group Policy, you can set policies that dictate that users quit messing with their machines. You can dictate what software will be deployed. You can determine how much disk space users can use. You can do pretty much whatever you want – it is up to you. With Group Policy, you hold all the power. That’s the good news.
And this magical power only works on Windows 2000 and later machines. For the sake of completeness, this includes all versions of Windows 2000 and later: workstation and server. Of course, this includes all the modern Windows systems you would use, like Windows 10 and Windows Server 2016.
I’ll likely say this again in multiple places, but I want to get one “big ol’ misconception” out of the way right here, right in the introduction. The Group Policy infrastructure does not care what mode your domain is in. If you have only one type of Domain Controller or a mixture of Domain Controllers, 100 percent of everything we cover in this book is valid.
Said another way, even if your domain level is the oldest-of-the-old Windows 2000 mixed mode, you’re still pretty much 100 percent covered here. Group Policy is all about the client (the target) operating system and not the Domain Controllers or domain modes.
It is true that wireless settings and BitLocker key storage require schema updates to play nicely with Group Policy. But even then, Group Policy will still work running with the oldest-of-the-old servers.
If the range of control scares you, don’t be afraid! It just means more power to hold over your environment. You’ll quickly learn how to wisely use this newfound power to reign over your subjects, er, users.
Group Policy vs. Group Policy Objects vs. Group Policy Preferences
Before we go headlong into Group Policy theory, let’s get some terminology and vocabulary out of the way:
● Group Policy is the concept that, from on high, you can do all this “stuff” to your client machines.
● A policy setting is just one individual setting that you can use to perform some specific action.
● Group Policy Objects (GPOs) are the “nuts and bolts” contained within Active Directory Domain Controllers, and each can contain anywhere from one to a zillion individual policy settings.
● The Group Policy Preferences is a newer add-on to the existing set of the “original” Group Policy settings and abilities many have come to know and love. Group Policy Preferences (sometimes shortened to GPPrefs) don’t act quite the same as their original cousins. We’ll cover the Group Policy Preferences in detail in Chapter 5.
● A preference item is a way to describe one “Group Policy Preferences directive.” It’s like a “policy setting,” but for the Group Policy Preferences.
It’s my goal that after you work through this book, you’ll be able to jump up on your desk one day and use all the vocabulary at once. Like this: “Hey! Group Policy isn’t applying to our client machines! Perhaps a policy setting is misconfigured. Or, maybe one of our Group Policy Objects has gone belly up! Heck, maybe one of the preference items is misconfigured. I’d better read about what’s going on in Chapter 7, ‘Troubleshooting Group Policy.’”
This terminology can be a little confusing – considering that each term includes the word policy. In this text, however, I’ve tried especially hard to use the correct nomenclature for what I’m describing. If you get confused, just come back here to refresh your brain about the definitions.
Note that there is never a time to use the phrase “Group Policies.” Those two words together shouldn’t exist. If you’re talking about “multiple GPOs” or “multiple policy settings” or “policy settings vs. preference items,” these are the preferred phrases to use, and never “Group Policies.”
Where Group Policy Applies
Group Policy can be applied to many machines at once using Active Directory, or it can be applied when you walk up to a specific machine. For the most part, in this book I’ll focus on using Group Policy within an Active Directory environment, where it affects the most machines.
A percentage of the settings explored and discussed in this book are available to member or stand-alone Windows machines – which can either participate in an Active Directory environment (that is, be “joined” to Active Directory) or not participate (that is, be “non-domain-joined”).
However, the Folder Redirection settings (discussed in Chapter 10) and the Software Distribution settings (discussed in Chapter 11) are not available to stand-alone machines (that is, computers that are not participating in an Active Directory domain). In some cases, I will pay particular attention to non–Active Directory environments. However, most of the book deals with the more common case; that is, we’ll explore the implications of deploying Group Policy in an Active Directory environment.
The “Too Many Operating Systems” Problem
If we line up all the operating systems that you (a savvy IT person) might have in your corporate world, we would likely find one or more of the following (presented here in date-release order):
● Windows 2000 (Workstation and Server), RTM through SP4
● Windows Server 2003, RTM through SP2
● Windows XP, RTM through SP3
● Windows Vista, RTM through SP2
● Windows Server 2008, RTM (known as SP1, actually) through SP2
● Windows 7, RTM through SP1
● Windows Server 2008 R2, RTM through SP1
● Windows Server 2012, RTM
● Windows Server 2012 R2
● Windows 8 client, RTM
● Windows 8.1 client, RTM
● Windows 8.1 Update 1
● Windows 10, RTM