Group Policy, by Jeremy Moskowitz
Chapter 1
Group Policy Essentials
Group Policy 101 and Active Directory
Let’s start with some basics to ensure that things are running smoothly. For most of the examples in this book, you’ll be able to get by with just the one Domain Controller and one or two workstations that participate in the domain, for verifying that your changes took place.
For the examples in this book, I’ll refer to our sample Domain Controller, DC01, which is part of my example Corp.com domain. For these examples, you can choose to rename the Default-First-Site-Name site or not – your choice.
Again, I encourage you to try these examples in your test lab and not to try them directly on your production network. This will help you avoid a CLM (career-limiting move).
For our examples, we’ll assume you’re using WIN10MANAGEMENT as your management station, which is a Windows 10 machine with RSAT installed.
Active Directory Users and Computers vs. GPMC
The main job of Active Directory Users and Computers is to give you an Active Directory object–centric view of your domain. Active Directory Users and Computers lets you deal with users, computers, groups, contacts, some of the Flexible Single Master Operations (FSMO) roles, and delegation of control over user accounts as well as change the domain mode and define advanced security and auditing inside Active Directory. You can also create OUs and move users and computers around inside those OUs. Other administrators can then drill down inside Active Directory Users and Computers into an OU and see the computers, groups, contacts, and so on that you’ve moved to those OUs.
But the GPMC has one main job: to provide you with a Group Policy–centric view of all you control. All the OUs that you see in Active Directory Users and Computers are visible in the GPMC. Think about it – it’s the same Active Directory behind the scenes “storing” those details about the OU and its contents.
However, the GPMC just doesn’t have a way to “view” the users, computers, contacts, and such. When you drill down into an OU inside the GPMC, you’ll see but one thing: the GPOs that affect the objects inside the OU.
In Figure 1-8, you were able to see the Active Directory Users and Computers view as well as the GPMC view – rolled into one MMC that we created earlier. Even though it’s not super-obvious from the screen shot, the Active Directory Users and Computers view of an OU and the GPMC view of the same OU are radically different. For instance, in Figure 1-8 I’ve added (for the sake of this discussion) an OU called Temporary Office Help and some other OUs, too, for fun.
When focused at a site, a domain, or an OU within the GPMC, you see only the GPOs that affect that level in Active Directory. You don’t see the same “stuff” that Active Directory Users and Computers sees, such as users, computers, groups, or contacts.
The basic overlap in the two tools is the ability to create and delete OUs. If you add or delete an OU in either tool, you need to refresh the other tool by pressing F5 to see the update. For instance, in Figure 1-8 you could see that my Active Directory has several OUs, including the one I added named Temporary Office Help.
Deleting an OU from inside the GPMC is generally a bad idea. Because you cannot see the Active Directory objects inside the OU (such as users and computers), you don’t know how many objects you’re about to delete. So be careful!
If I delete the Temporary Office Help OU in Active Directory Users and Computers, the change is not reflected in the GPMC window until it’s refreshed. And vice versa.
So, let’s summarize with three key points:
● Understanding that the two tools are “separate” and work on the same underlying database is key.
● Understanding that what you do in one tool (e.g., delete an OU) affects the other tool (because it’s affecting the same underlying database) is also key.
● The final key is realizing that you will need to occasionally “refresh” the view of each tool. This is because other administrators might be “doing stuff” to the GPOs and/or Active Directory user accounts. You won’t see their changes until you refresh your view.
Adjusting the View within the GPMC
The GPMC lets you view as much or as little of your Active Directory as you like. By default, you view only your own forest and domain. You can optionally add in the ability to see the sites in your forest as well as the ability to see other domains in your forest or domains in other forests, although these views might not be the best for seeing what you have control over.
Here’s how to view the various other items you may need to within the GPMC:
Viewing Sites in the GPMC
When you create GPOs, you won’t often create GPOs that affect sites. The designers of the GPMC seem to agree; it’s a bit of a chore to apply GPOs to sites. To do so, you need to link an existing GPO to a site. You’ll see how to do this a bit later in this chapter.
However, you first need to expose the site objects in Active Directory. To do so, right-click the Sites object in GPMC, choose Show Sites from the context menu (see Figure 1-10), and then click the check box next to each site you want to expose.
Figure 1-10: You need to expose the Active Directory sites before you can link GPOs to them.
In our first example, we’ll use the site level of Active Directory to deploy our first Group Policy Object. At this point, go ahead and enable the Default-First-Site-Name so that you can have it ready for use in our own experiments.
Viewing Other Domains in the GPMC
To see other domains in your forest, drill down to the Forest folder in Group Policy Management, right-click Domains, choose Show Domains, and select the other available domains in your forest. Each domain will now appear at the same hierarchical level in the GPMC.
Viewing Other Forests in the GPMC
To see other forests, right-click the root (Group Policy Management) and choose Add Forest from the context menu. You’ll need to type the name of the Active Directory forest you want to add. If you want to add or subtract domains within that new forest, follow the instructions in the preceding paragraph.
Now that we’ve adjusted our view to see the domains and forests we want, let’s examine how to manipulate our GPOs and GPO links.
You can add forests with which you do not have a trust. However, GPMC defaults will not display these domains as a safety mechanism. To turn off the safety mechanism, choose View ⇒ Options to open the Options dialog box. In the General tab, clear Enable Trust Detection and click OK.
The GPMC-centric View
As I stated earlier, one of the fundamental concepts of Group Policy is that the GPOs themselves live in the “swimming pool” inside the domain. Then, when you want to utilize a GPO from that swimming pool against a level in Active Directory, you simply link a GPO to that level.
Figure 1-11 shows what our swimming pool will eventually look like when we’re done with the examples in this chapter.
Figure 1-11: Imagine your about-to-be-leveraged GPOs as just hanging out in the swimming pool of the domain.
Our swimming pool will be full of GPOs, with various levels in Active Directory “linked” to those GPOs. To that end, you can drill down, right now, to see the representation of the swimming pool. It’s there, waiting for you. Click Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Group Policy Objects to see all the GPOs that will exist in the domain by the time we’re done (see Figure 1-12).
Figure 1-12: The Group Policy Objects folder highlighted here is the representation of the swimming pool of the domain that contains your actual GPOs.
If you’re just getting started, it’s not likely you’ll have more than the “Default Domain Controllers Policy” GPO and “Default Domain Policy” GPO. That’s okay. You’ll start getting more GPOs soon enough. Oh, and for now, please don’t modify the default GPOs. They’re a bit special and are covered in great detail in Chapter 8.
All GPOs in the domain are represented in the Group Policy Objects folder. As you can see, when the Temporary Office Help OU is shown within the GPMC, a relationship exists between the OU and the “Hide Desktop Settings Option” GPO. That relationship is the tether to the GPO in the swimming pool – the GPO is linked back to “Hide Desktop Settings Option.” You can see this linked relationship because the “Hide Desktop Settings Option” icon inside Temporary Office Help has a little arrow icon, signifying the link back to the actual GPO in the domain. The same is true for the “Default Domain Policy,” which is linked at the domain level, but the actual GPO is placed below the Group Policy Objects folder.
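The two “views” described above (the objects an OU actually contains, which the GPMC hides, and the GPO links tethered to that OU, which Active Directory Users and Computers hides) can be put side by side from the management station. The following is an added example, not code from the book; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on WIN10MANAGEMENT and uses a placeholder distinguished name for the Temporary Office Help OU in Corp.com. The object count at the end is the check you cannot get from the GPMC before deleting an OU.

```powershell
# Added example (not from the book): show both "views" of one OU from PowerShell.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed on
# WIN10MANAGEMENT. The OU distinguished name used below is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OuOverview {
    param(
        [Parameter(Mandatory)]
        [string]$OuDistinguishedName
    )

    # The Active Directory Users and Computers view: what actually lives in the OU.
    # SearchScope Subtree includes nested OUs; the base OU itself is filtered out.
    $contents = Get-ADObject -SearchBase $OuDistinguishedName -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $OuDistinguishedName }

    $byClass = $contents | Group-Object ObjectClass | Sort-Object Name

    # The GPMC view: only the GPOs linked at this OU (the "tethers" to the swimming pool).
    $inheritance = Get-GPInheritance -Target $OuDistinguishedName
    $links = $inheritance.GpoLinks | Sort-Object Order

    [PSCustomObject]@{
        OU                = $OuDistinguishedName
        ObjectCount       = @($contents).Count
        ObjectsByClass    = ($byClass | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        BlocksInheritance = $inheritance.GpoInheritanceBlocked
        LinkedGpos        = ($links | ForEach-Object {
            "{0} (Enabled={1}, Enforced={2})" -f $_.DisplayName, $_.Enabled, $_.Enforced
        }) -join '; '
    }
}

# Placeholder DN for the Temporary Office Help OU in the Corp.com domain.
$ou = 'OU=Temporary Office Help,DC=corp,DC=com'
$overview = Get-OuOverview -OuDistinguishedName $ou
$overview | Format-List

# Before deleting an OU, refuse if it still contains objects the GPMC would not show you.
if ($overview.ObjectCount -gt 0) {
    Write-Warning "$ou still contains $($overview.ObjectCount) object(s); not deleting."
}
```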