Read the book Group Policy - Jeremy Moskowitz - Page 13

Chapter 1
Group Policy Essentials
An Example of Group Policy Application


At this point, it’s best not to jump directly into adding, deleting, or modifying our own GPOs. Right now, it’s better to understand how Group Policy works “on paper.” This is especially true if you’re new to the concept of Group Policy, but perhaps also if Group Policy has been deployed by other administrators in your Active Directory.

By walking through a fictitious organization that has deployed GPOs at multiple levels, you’ll be able to better understand how and why policy settings are applied by the deployment of GPOs.

Let’s start by taking a look at Figure 1-6, the organization for our fictitious example company, Example.com.

This picture could easily tell a thousand words. For the sake of brevity, I’ve kept it down to around 200. There are two domains: Example.com and Widgets.example.com. Let’s talk about Example.com:

● The domain Example.com has two Domain Controllers. One DC, named EXAMPLEDC1, is physically located in the California site. Example.com’s other Domain Controller, EXAMPLEDC2, is physically located in the Phoenix site.

● As for PCs, they need to physically reside somewhere. SallysPC is in the California site; BrettsPC and AdamsPC are in the Delaware site. JoesPC is in the Phoenix site. FredsPC is in the California site, and MarksPC is in the New York site.

● User accounts may or may not be in OUs. Dave’s and Jane’s accounts are in the Human Resources OU.

● Computer accounts may or may not be in OUs. FredsPC is in the Human Resources OU. AdamsPC is specifically placed within the High Security OU. And that High Security OU is actually within the Human Resources OU (also known as a sub-OU). JoesPC, SallysPC, BrettsPC, and MarksPC are hanging out in a container and aren’t in any OUs.

Using Active Directory Sites and Services, you can put in place a schedule to regulate communication between EXAMPLEDC1 located in California and EXAMPLEDC2 located in Phoenix. That way, the administrator controls the chatter between the two Example.com Domain Controllers, and it is not at the whim of the operating system.


Figure 1-6: This fictitious Example.com is relatively simple. Your environment may be more complex.


Another domain, called Widgets.example.com, has an implicit transitive two-way trust to Example.com. There is only one Domain Controller in the Widgets.example.com domain, named WIDDC1, and it physically resides at the Phoenix site. Last, there is MarksPC, a member of the Widgets.example.com domain, and it physically resides in the New York site and isn’t in any OU.

Understanding where your users and machines are is half the battle. The other half is understanding which policy settings are expected to appear when they start logging onto Active Directory.
