Read the book Group Policy - Jeremy Moskowitz - Page 11

Chapter 1
Group Policy Essentials
Getting Started with Group Policy


Group Policy is a big, big place. And you need a road map. Let’s try to get a firm understanding of what we’re about to be looking at for the next several hundred pages.

Group Policy Entities and Policy Settings

Every Group Policy Object contains two halves: a User half and a Computer half. These two halves are properly called nodes, though sometimes they’re just referred to as either the User half and the Computer half or the User branch and the Computer branch.

A sample Group Policy Object with both the Computer Configuration and User Configuration nodes can be seen in Figure 1-2 (in the upcoming section, “Local Group Policy Editor”). Don’t worry; I’ll show you how to get there in just a second.


Just to make things a little more complicated, if you’re deploying settings using Active Directory (the most usual case) as opposed to walking up and creating a “local GPO” as we do later in Figure 1-2, the interface is a wee bit different and shows the Group Policy Preferences node. Hang tight for more on that.

The first level under both the User and the Computer nodes contains Software Settings, Windows Settings, and Administrative Templates. If we dive down into the Administrative Templates of the Computer node, underneath we discover additional levels of Windows Components, System, Network, and Printers. Likewise, if we dive down into the Administrative Templates of the User node, we see some of the same folders plus some additional ones, such as Shared Folders, Desktop, Start Menu, and Taskbar.

In both the User and Computer halves, you’ll see that policy settings are hierarchical, like a directory structure. Similar policy settings are grouped together for easy location. That’s the idea anyway – though, admittedly, sometimes locating the specific policy or configuration you want can prove to be a challenge.

When manipulating policy settings, you can choose to set either computer policy settings or user policy settings (or both!). You’ll see examples of this shortly. (See the section “Searching and Commenting Group Policy Objects and Policy Settings” in Chapter 2, “Managing Group Policy with the GPMC and via PowerShell,” for tricks on how to minimize the effort of finding the policy setting you want.)


Most policy settings are not found in both nodes. However, there are a few that overlap. In that case, if the computer policy setting is different from the user policy setting, the computer policy setting generally overrides the user policy setting. But, to be sure, check the Explain text associated with the policy setting.

Wait… I Don’t Get It. What Do the User and Computer Nodes Do?

One of the key issues that new Group Policy administrators ask themselves is, “What the heck is the difference between the Computer and User nodes?”

Imagine that you had a combination store: Dog Treats (for dogs) and Candy Treats (for kids). That’s right; it’s a strange little store with seemingly two types of incompatible foods under the same roof. You wouldn’t feed the kids dog treats (they’d spit them out and ignore the treat), and you wouldn’t feed the kids’ candy to a dog (because the dogs would spit out the sour candy and ignore the treat).

That’s the same thing that happens here. Sure, it looks tempting. There are lots of treats on both sides of the store, but only one type of customer will accept each type of treat.

So, in practical terms, the Computer node (the first part of the policy) contains policy settings that are relevant only for computers. That is, if there’s a GPO that contains Computer-side settings and it “hits” a computer, these settings will take effect. These Computer-side settings could be items like startup scripts, shutdown scripts, and how the local firewall should be configured. Think of this as every setting relevant to the computer itself – no matter who is logged on at that moment.

The User node (the second part of the policy) contains policy settings that are relevant only for users. Again, if there’s a GPO that contains User-side settings and it “hits” a user, these settings will take effect for that user. These User-side items make sense only on a per-user basis, like logon scripts, logoff scripts, availability of the Control Panel, and lots more. Think of this as every setting relevant to the currently logged-on user – and these settings will follow the user to every machine they pop on to.

Feeding users dog treats, er, Computer-side settings doesn’t work. Same thing with feeding computers User-side settings. When a GPO hits user objects with Computer policy settings or computer objects with User policy settings, it simply will not do anything. You’ll just sit there and scratch your head and wonder why it doesn’t work. But it’s not that it’s not working; this is how it’s designed.

Computer settings are for computer objects, and User settings are for user objects. If this is bad news for you, there are two ways to get out of the problem. One way is an in-the-box advanced technique called loopback processing that can help you out. Look for more information on loopback processing in Chapter 4. The other way is via a third-party tool called PolicyPak, which (among other things) can permit computers to embrace User-side settings. More on this in Chapter 6, “Managing Applications and Settings Using Group Policy.”
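
To catch the head-scratching case before it happens, here is an added example (not from the book) that flags GPOs whose configured half has no matching objects to hit under the OU they are linked to. The function names, the sample GPO name, and the use of a version number of 0 to mean “this half was never edited” are assumptions of this sketch; a User-side finding on a computers-only OU is expected if you are deliberately using loopback processing.

```powershell
# Added example (not from the book). The live-data part needs the RSAT
# GroupPolicy and ActiveDirectory modules; the sample at the end does not.

# Pure check: which configured halves of a linked GPO have nothing to apply to?
function Get-GpoLinkFinding {
    param(
        [string]$GpoName, [int]$UserVersion, [int]$ComputerVersion,
        [string]$GpoStatus, [int]$UserCount, [int]$ComputerCount
    )
    # Heuristic (assumption): a half whose version is still 0 was never edited.
    $userSide = ($UserVersion -gt 0) -and
        ($GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled')
    $computerSide = ($ComputerVersion -gt 0) -and
        ($GpoStatus -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled')

    if ($userSide -and $UserCount -eq 0) {
        "${GpoName}: User-side settings, but no user objects in scope"
    }
    if ($computerSide -and $ComputerCount -eq 0) {
        "${GpoName}: Computer-side settings, but no computer objects in scope"
    }
}

# Live collection for one OU. Only links on the OU itself are checked;
# inherited links, security filtering, WMI filters and loopback are not.
function Find-MismatchedGpoLink {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)
    # Everything in the OU and below it can be hit by a link on the OU.
    $scope = @{ Filter = '*'; SearchBase = $OrganizationalUnit; SearchScope = 'Subtree' }
    $users     = @(Get-ADUser @scope).Count
    $computers = @(Get-ADComputer @scope).Count
    foreach ($link in (Get-GPInheritance -Target $OrganizationalUnit).GpoLinks) {
        if (-not $link.Enabled) { continue }
        $gpo = Get-GPO -Guid $link.GpoId
        Get-GpoLinkFinding -GpoName $gpo.DisplayName `
            -UserVersion $gpo.User.DSVersion -ComputerVersion $gpo.Computer.DSVersion `
            -GpoStatus $gpo.GpoStatus.ToString() -UserCount $users -ComputerCount $computers
    }
}

# Constructed sample: a GPO with only User-side edits, linked to an OU that
# holds 40 computers and no users.
Get-GpoLinkFinding -GpoName 'Hide Control Panel' -UserVersion 3 -ComputerVersion 0 `
    -GpoStatus 'AllSettingsEnabled' -UserCount 0 -ComputerCount 40
```

Against a real domain, call `Find-MismatchedGpoLink` with the distinguished name of the OU you want to check.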
