Jeremy Moskowitz

Group Policy


Скачать книгу

to California. It doesn’t matter where they usually reside; again, they’re only affected by the site-level GPOs when they’re physically present in that site. So if they travel to California, they will get the GPOs related to California first; then other GPOs (described later) will apply.

      So, don’t think that user accounts reside at the site level. Rather, they reside in the OU level but are using computers in the site and, hence, get the properties assigned to all users at that site.

tip.eps

      Sites are defined using the Active Directory Sites and Services tool. IP subnets that constitute a site are assigned using this tool. That way, if a new computer turns on in Delaware, Active Directory knows what site the computer is in.

      At the Domain Level

      Here’s what we have working at the domain level:

      At the OU Level

      At the organizational unit level, we have the following:

      Bringing It All Together

      Now that you’ve broken out all the levels and seen what is being applied to them, you can start to calculate what the devil is happening on any specific user and computer combination. Looking at Figure 1-6 and analyzing what’s happening at each level makes adding things together between the local, site, domain, and organizational unit GPOs a lot easier.

      Here are some examples of RSoP for specific users and computers in our fictitious environment:

note.eps

      At no time are any domain GPOs from the Example.com parent domain automatically inherited by the Widget.example.com child domain. Inheritance for GPOs only flows downward to OUs within a single domain – not between any two domains – parent to child or otherwise, unless you explicitly link one of those parent GPOs to a child Domain Container.

      If you want one GPO to affect the users in more than one domain, you have four choices:

      ● Precisely re-create the GPOs in each domain with their own GPO.

      ● Copy the GPO from one domain to another domain (using the GPMC, as explained in Chapter 2 in the section “Basic Interdomain Copy and Import”).

      ● Use a third-party tool that can perform some magic and automatically perform the copying between domains for you.

      ● Do a generally recognized no-no called cross-domain policy linking. (I’ll describe this no-no in detail in Chapter 7 in the section “Group Policy Objects from a Domain Perspective.”)

      Also, don’t assume that linking a GPO at a site level necessarily guarantees the results to just one domain. In this example, as in real life, there is not necessarily a 1:1 correlation between sites and domains. Indeed, without getting too geeky here, sites technically belong to the forest and not any particular domain.

      At this point, we’ll put our example Example.com behind us. That was an on-paper exercise to allow you to get a feel for what’s possible in Group Policy–land. From this point forward, you’ll be doing most items in your test lab and following along.

      Group Policy, Active Directory, and the GPMC

      The Group Policy Management Console (GPMC) was created to help administrators work in a “one-stop-shop” place for all Group Policy management functions. Since 2003, it was freely downloadable as an add-on to either Windows XP or Windows Server 2003 systems.

      Today, the GPMC is built into the server operating systems (Server 2008 R2, Windows Server 2016, etc.). And it’s also available for download as part of the RSAT tools for your own machine (say, Windows 7 or 10).

      Even though I’ve said it before, it bears repeating: it doesn’t matter if your Active Directory or domains or Domain Controllers are Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows Server 2016, or whatever. The Group Policy infrastructure doesn’t care what domain type or Domain Controllers you have.

      The GPMC’s name says it all. It’s the Group Policy Management Console. Indeed, this will be the MMC snap-in that you use to manage the underlying Group Policy mechanism. The GPMC just helps us tap into those features already built into Active Directory. I’ll highlight the mechanism of how Group Policy works throughout the next three chapters.

      One major design goal of the GPMC is to get a Group Policy–centric view of the lay of the land. The GPMC also provides a programmatic way to manage your GPOs. In fact, the GPMC scripting interface allows just about any GPO operation. You can do the same “stuff” with the GPMC that you do with the mouse programmatically with VBScript and PowerShell.

      We’ll explore scripting Group Policy operations normally performed with the GPMC, but instead using PowerShell in Appendix A, a downloadable bonus chapter, “Scripting Group Policy Operations with Windows PowerShell.”

note.eps

      The VBScript GPMC scripts, which were previously part of the downloadable GPMC package, are not included in the newest GPMC. You have to specifically download them from the GPMC scripting center at http://tinyurl.com/23xfz3 or search for “Group Policy Management Console Sample Scripts” in your favorite search engine.

      There are lots of ways you could manage your Group Policy universe. Some people walk up to their Domain Controllers, log onto the console, and manage their Group Policy infrastructure there. Others use a management workstation and manage their Group Policy infrastructure from their own Windows 10 workstation (suggested).

      I’ll talk more about the use and best practices of a Windows 10 management workstation in Chapter 6.

      Implementing the GPMC on Your Management Station

      As I mentioned, the GPMC isn’t built into Windows 10. But it is built into Windows Server 2016. Remember earlier I stated that you could manage your Active Directory from anywhere. And this is true. You could walk up to a Domain Controller, you could install the GPMC on a Windows Server 2016 server, or you could use Terminal Services to remotely connect to a Domain Controller.

      But in this book, you won’t be. Your ideal management station is a Windows 10 machine (where we’ll manually introduce the GPMC) or a Windows Server 2016 machine (which is ready to go, no pesky downloads needed).

      Windows 7 and Windows Server 2008 R2 are perfectly fine choices as well, but there is a small downside with those GPMCs. That is, they aren’t the “latest, greatest” and do lack some of the newest features, which we’ll explore in the next chapter. One good example of this is that the Windows 7 version of GPMC will not have the Group Policy Preferences item type for Internet Explorer 10. The idea is that Microsoft will only put new or updated functionality in the latest, greatest GPMC, and today, that GPMC is Windows 10’s (and Windows Server 2016’s). (They share the same guts.) That being said, if you only had a Windows 7 GPMC to use, it wouldn’t be the end of the world, and you’ll likely be pretty happy.

      If you must use something else (Windows XP, Windows Server 2003, or Windows Vista), you’ll see me pepper in some advice for those. But you’ll really want to use the recommended set to get the most out of this book

      Using a Windows 10 or Windows Server 2016 Management Station

      For this book, and for real life, I recommend that you use what’s known as a Windows 10 management station. And, to make use of it to implement Group Policy in your domain, you’ll need to introduce the downloadable GPMC on it.

      Note that you could also use a Windows Server 2016 machine as your management station. Honestly, the Windows 10 GPMC that you’ll download