Jeremy Moskowitz

Group Policy


Скачать книгу

and run Darren’s command Get-SDMgplink, which lists all GPOs at a level. You simply specify the level. The two commands would be:

      The result using the free SDM GPMC PowerShell cmdlet can be seen here. You can see that the line starting with Name details the one Group Policy Object (in my case) that is linked to that particular scope.

c02uf001.tif

      The Details Tab The Details tab contains information describing who created the GPO (the owner) and the status (Enabled, Disabled, or Partially Disabled) as well as some nuts-and-bolts information about its underlying representation in Active Directory (the GUID). We’ll examine the Details tab in the sections “Disabling ‘Half’ (or Both Halves) of the Group Policy Object” and “Understanding GPMC’s Link Warning” later in this chapter.

      Should you change the GPO status here by, say, disabling the User Configuration of the policy, you’ll be affecting all other levels in Active Directory that might be using this GPO by linking to it. See the section “Understanding GPMC’s Link Warning” as well as the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter.

      You can see these details in the GPMC (top), and using PowerShell, you can use the Get-GPO cmdlet as seen in the screenshot on the (bottom).

c02uf002.tif

      The Settings Tab The Settings tab gives you an at-a-glance view of what’s been set inside the GPO. In our example, you can see the Enabled and Disabled status of the two policy settings we manipulated. You can click Hide (or Show) to contract and expand all the configured policy settings.

c02uf003.tif

      ● Clicking Hide at any level tightens that level. You can expose more information by clicking Show.

      ● Clicking the policy setting name – for example, Prevent Changing Mouse Pointers– displays the help text for the policy setting (but note that this is only applicable to Administrative Template settings). This trick can be useful if someone set up a GPO with a kooky name and you want to know what’s going on inside that GPO.

      ● If you want to change a setting, right-click the settings area and select Edit. The familiar Group Policy Management Editor will appear. Note, however, that the Group Policy Management Editor will not “snap to” the policy setting you want to edit. The editor always starts off at the root.

      ● Additionally, at any time you can right-click over this report and select Save Report, which does just that. It creates an HTML or XML report that you can then e-mail to fellow administrators or the boss, and so on. This is a super way of documenting your Group Policy environment instead of writing down everything by hand.

      You can use PowerShell to save a report of a specific Group Policy Object or all GPOs using the cmdlet Get-GPOReport. For instance, you could type:

      You could also do something like:

c02uf004.tif

      Both examples assume C:\temp\ is present. Note the second command is a little weird and dumps all the reports of all the GPOs into one big HTML file.

      If you’d like to see the “trick” for having a single report for each Group Policy Object, check out the section “Creating GPO Reports” in the PowerShell appendix.

      Now, I’ve said it before, but it bears repeating: You can also edit the settings by clicking the GPO or any GPO link for that object and choosing Edit. However, you always affect all containers (sites, domains, or OUs) to which the GPO is linked. It’s one and the same object, regardless of the way you edit it. See the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter to get the gist of this.

      Out, Out Annoying Internet Explorer Pop-ups!

      If you chose to run the GPMC on a Windows Server, you may run into security pop-ups when clicking the Settings tab. Certain aspects of the GPMC, such as the Settings tab, utilize Internet Explorer to display their contents.

      Since Internet Explorer is “hardened” on Windows Server machines, you will have limited access to the whole picture. When showing the Settings within the GPMC, you’ll be presented with a warning box:

c02uf005.tif

      You can bypass this by simply adding security_mmc.exe as a trusted website. This should make your problems go away.

      Optionally, you can also turn off Internet Explorer Enhanced Security Configuration. In Windows Server 2012 and later, you use Server Manager. Then select Local Server on the left side and select IE Enhanced Security Configuration on the right side. Finally, choose Off in the pop-up window that appears:

c02uf006.tif

      This is where you’ll be able to enable or disable the annoying, I mean, informative pop-ups. This approach is recommended in test labs but not recommended on production servers.

      The Delegation Tab The Delegation tab lets you specify who can do what with GPOs, their links, and their properties. You’ll find the Delegation tab in a lot of places, such as when you do the following:

      ● Click a GPO link or click a GPO in the Group Policy Objects container

      ● Click a site

      ● Click a domain

      ● Click an OU

      ● Click the WMI Filters node

      ● Click a WMI (Windows Management Instrumentation) filter itself (covered in Chapter 4)

      ● Click on the Starter GPOs section

      The PowerShell cmdlet to get the state of delegation (which could also be thought of as permissions) is Get-GPPermission, and the cmdlet to set or change the state of delegation would be Set-GPPermission.

      We’ll not jump into these PowerShell cmdlets here. We’ll use these cmdlets a little later in the section “Filtering the Scope of Group Policy Objects with Security.”

      At each of these locations, the tab allows you to do something different. I’ll discuss what each instance of this tab does a bit later in the section “Security Filtering and Delegation with the GPMC.”

      Raising or Lowering the Precedence of Multiple Group Policy Objects

      You already know that the “flow” of Group Policy is inherited from the site level, the domain level, and then from each nested OU level. But, additionally, within each level, say at the Temporary Office Help OU, multiple GPOs are processed in a ranking precedence order. Lower-ranking GPOs are processed first, and then the higher GPOs are processed.

In Figure 2-2, you can see that an administrator has linked two GPOs to the Temporary Office Help OU. One GPO is named “Enforce 50 MB Disk Quota” and another is named “Enforce 40 MB Disk Quota.”

      If the policy settings inside these GPOs both adjust the disk quota settings, which one will “win”? Client computers will process these two GPOs from lowest-link order to highest-link order. Therefore, the “Enforce 40 MB Disk Quota” GPO (with link order 2) is processed before “Enforce 50 MB Disk Quota” (link order 1). Hence, the GPO with the policy settings to dictate 50 MB disk quotas will win.

      So, if two (or more) GPOs within the same level contain values for the same policy setting (or policy settings), the GPOs will be processed from lowest-link order to highest-link order. Each consecutively processed GPO is then written. If there are any conflicts, the highest link order “wins.” This could happen where one GPO has a specific policy setting enabled and another GPO at the same level has