Chapter 2
Managing Group Policy with the GPMC and via PowerShell
Common Procedures with the GPMC and PowerShell
In Chapter 1, we created and linked some GPOs, which we can see in the Group Policy Objects container, to determine how, at each level, we were affecting our users. In the following sections, we’ll continue by working with some advanced options for applying, manipulating, and using Group Policy.
Since we didn’t use PowerShell at all in the last chapter to create and link GPOs, let’s take 30 seconds to do the equivalent of what we did in the last chapter, right here, right now, using PowerShell. In short, let’s create a new, blank Group Policy Object, call it GPO123, then link it to the Human Resources Users OU (which is tucked within the Human Resources OU, which itself is within the domain Corp.com).
Before we get started though, if you’re using an older version of Windows (and/or an older version of PowerShell), you might need to import the Group Policy cmdlets before any of the commands will do anything useful. So if nothing appears to be working in PowerShell, start out with the command import-module grouppolicy (which can be seen in Figure 2-1).
If you are not running as the Built-In Administrator account, you will need to launch a PowerShell command prompt with Administrator permissions because you are doing something that requires elevated access and a PowerShell. You can do this by right-clicking the shortcut and then clicking the “Run as Administrator” option.
Now, here are the two PowerShell commands you could type to do the job.
Once you are running with Administrator permissions, you’re ready to continue on as follows. For instance, to create a new Group Policy Object, it’s as simple as:
or
Note how the domain name is preceded by dc= and the OUs (parent and child) are preceded by ou= in the PowerShell command.
The result can be seen in Figure 2-1.
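The create-and-link step described above, as an added example that is not the book’s own code: it builds the ou=/dc= distinguished name from the domain name and a slash-separated OU path, creates GPO123 only if it does not already exist, and links it. It assumes the GroupPolicy module is available and the prompt is elevated; the domain and OU names are the book’s lab values.

```powershell
Import-Module GroupPolicy   # only required on older Windows/PowerShell versions; harmless otherwise

function ConvertTo-OuDistinguishedName {
    # Turns a domain name and a slash-separated OU path into the LDAP distinguished
    # name the GroupPolicy cmdlets expect: child OU first, parent OU next, then the
    # domain split into dc= components.
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'Corp.com'
        [Parameter(Mandatory)] [string] $OuPath    # e.g. 'Human Resources/Human Resources Users'
    )
    $ous = @(($OuPath -split '/') | Where-Object { $_ -ne '' })
    [array]::Reverse($ous)
    $ouPart = ($ous | ForEach-Object { "ou=$_" }) -join ','
    $dcPart = (($Domain -split '\.') | ForEach-Object { "dc=$_" }) -join ','
    return "$ouPart,$dcPart"
}

function New-LinkedGpo {
    # Creates the GPO if it does not already exist, then links it to the OU.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $OuPath
    )
    $target = ConvertTo-OuDistinguishedName -Domain $Domain -OuPath $OuPath
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Blank GPO created from PowerShell'
    }
    # New-GPLink fails if the link already exists, so a second run reports an error here
    New-GPLink -Name $Name -Target $target -LinkEnabled Yes | Out-Null
    return $target
}

# Names with spaces must be quoted, exactly as the Figure 2-1 caption warns
$linkedAt = New-LinkedGpo -Name 'GPO123' -Domain 'Corp.com' -OuPath 'Human Resources/Human Resources Users'
"GPO123 is now linked to $linkedAt"
```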
Note that this didn’t do any real “work” inside the Group Policy Object; it just created it and linked it to our existing OU. If we go back to using the GPMC, you should be able to refresh the GPMC and then verify that the Group Policy Object is now linked to the right OU.
While still in the GPMC, clicking a GPO (or a link) lets you get more information about what it does. For now, feel free to click around, but I suggest that you don’t change anything until we get to the specific examples.
Figure 2-1: You can create and link GPOs using PowerShell. Be sure to put items with spaces in double quotes.
Various tabs are available to you once you click the GPO or a link. For instance, let’s locate the GPO that’s linked to the Human Resources Users OU. We’ll do this by drilling down to Group Policy Management ⇒ Forest ⇒ Domains ⇒ Corp.com ⇒ Human Resources ⇒ Human Resources Users and clicking the one GPO that’s linked there: “Hide Mouse Pointers Option/Restore Screen Saver Option.” With that in mind, let’s examine the various sections of a policy setting; you can flip through each of the tabs to get more information about the GPO you just found.
The Scope Tab Clicking a GPO or a GPO link opens the Scope tab. The Scope tab gives you an at-a-glance view of where and when the GPO will apply. We’ll examine the Scope tab in the sections “Deleting and Unlinking Group Policy Objects” and “Filtering the Scope of Group Policy Objects with Security” later in this chapter and in the WMI section of Chapter 4. For now, you can see that the “Hide Mouse Pointers Option/Restore Screen Saver Option” GPO is linked to the Human Resources Users OU. But you already knew that.
Using Microsoft’s own Group Policy PowerShell cmdlets to detail what Group Policy Objects are linked where is possible, but actually a little tricky. So, we cover how to do that in the PowerShell appendix, in the section “Documenting GPO Links.”
That being said, there is another quick way to do this, if you’re willing to download a third-party (but free) PowerShell cmdlet set from my pal Darren Mar-Elia from SDM Software at:
http://sdmsoftware.com/group-policy-management-products/freeware-group-policy-tools-utilities/.
You’re looking for the SDM GPMC PowerShell cmdlets.
Once the set is downloaded and installed, just re-open PowerShell, then import his cmdlets and run Darren’s command Get-SDMgplink, which lists all GPOs at a level. You simply specify the level. The two commands would be:
The result using the free SDM GPMC PowerShell cmdlet can be seen here. You can see that the line starting with Name details the one Group Policy Object (in my case) that is linked to that particular scope.
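For readers who would rather stay with Microsoft’s own cmdlets, here is an added example (not the book’s code and not SDM Software’s cmdlets) that lists the GPOs linked directly at one level. It relies on Get-GPInheritance, whose GpoLinks property holds the links created at a domain or OU; the two target distinguished names are the book’s lab values.

```powershell
Import-Module GroupPolicy

function Get-GpoLinksAtLevel {
    # Returns the links created at exactly this level (not the ones inherited
    # from above), in link order. Sites are not covered: Get-GPInheritance
    # takes a domain or an OU as its target.
    param(
        # Distinguished name of the domain or OU to inspect
        [Parameter(Mandatory)] [string] $Target
    )
    $som = Get-GPInheritance -Target $Target
    foreach ($link in ($som.GpoLinks | Sort-Object Order)) {
        [pscustomobject]@{
            Scope    = $som.Name
            Order    = $link.Order
            Name     = $link.DisplayName
            GpoId    = $link.GpoId
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
    }
}

# The two levels from the book's lab: the Corp.com domain and the Human Resources Users OU
Get-GpoLinksAtLevel -Target 'dc=Corp,dc=com' | Format-Table -AutoSize
Get-GpoLinksAtLevel -Target 'ou=Human Resources Users,ou=Human Resources,dc=Corp,dc=com' |
    Format-Table -AutoSize
```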
The Details Tab The Details tab contains information describing who created the GPO (the owner) and the status (Enabled, Disabled, or Partially Disabled) as well as some nuts-and-bolts information about its underlying representation in Active Directory (the GUID). We’ll examine the Details tab in the sections “Disabling ‘Half’ (or Both Halves) of the Group Policy Object” and “Understanding GPMC’s Link Warning” later in this chapter.
Should you change the GPO status here by, say, disabling the User Configuration of the policy, you’ll be affecting all other levels in Active Directory that might be using this GPO by linking to it. See the section “Understanding GPMC’s Link Warning” as well as the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter.
You can see these details in the GPMC (top), and using PowerShell, you can use the Get-GPO cmdlet as seen in the screenshot (bottom).
The Settings Tab The Settings tab gives you an at-a-glance view of what’s been set inside the GPO. In our example, you can see the Enabled and Disabled status of the two policy settings we manipulated. You can click Hide (or Show) to contract and expand all the configured policy settings.
● Clicking Hide at any level tightens that level. You can expose more information by clicking Show.
● Clicking the policy setting name – for example, Prevent Changing Mouse Pointers– displays the help text for the policy setting (but note that this is only applicable to Administrative Template settings). This trick can be useful if someone set up a GPO with a kooky name and you want to know what’s going on inside that GPO.
● If you want to change a setting, right-click the settings area and select Edit. The familiar Group Policy Management Editor will appear. Note, however, that the Group Policy Management Editor will not “snap to” the policy setting you want to edit. The editor always starts off at the root.
● Additionally, at any time you can right-click over this report and select Save Report, which does just that. It creates an HTML or XML report that you can then e-mail to fellow administrators or the boss, and so on. This is a super way of documenting your Group Policy environment instead of writing down everything by hand.
You can use PowerShell to save a report of a specific Group Policy Object or all GPOs using the cmdlet Get-GPOReport. For instance, you could type:
You could also do something like:
Both examples assume C:\temp\ is present. Note that the second command is a little weird and dumps the reports of all the GPOs into one big HTML file. If you’d like to see the “trick” for having a single report for each Group Policy Object, check out the section “Creating GPO Reports” in the PowerShell appendix.
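An added example (not the book’s code) that ties the Details tab and the Settings tab together: it walks every GPO with Get-GPO, writes one HTML report per GPO with Get-GPOReport instead of a single combined file, and returns the owner, status and GUID for each. The output folder is an assumption; any writable path works.

```powershell
Import-Module GroupPolicy
$outDir = 'C:\temp\GPOReports'   # assumption: any writable folder will do
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-GpoReports {
    # Writes one HTML report per GPO and returns the Details-tab facts for each:
    # owner, status (AllSettingsEnabled, UserSettingsDisabled, ...) and GUID.
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($gpo in Get-GPO -All) {
        # replace characters that are not valid in Windows file names
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path -Path $Path -ChildPath "$safeName.html"
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $file
        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $gpo.Id
            Status = $gpo.GpoStatus
            Owner  = $gpo.Owner
            Report = $file
        }
    }
}

Export-GpoReports -Path $outDir | Format-Table -AutoSize
```

Keeping these reports under version control gives you a change history for every GPO, which is far easier to audit than hand-written notes.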
Now, I’ve said it before, but it bears repeating: You can also edit the settings by clicking the GPO or any GPO link for that object and choosing Edit. However, you always affect all containers (sites, domains, or OUs) to which the GPO is linked. It’s one and the same object, regardless of the way you edit it. See the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter to get the gist of this.
Out, Out Annoying Internet Explorer Pop-ups!
If you chose to run the GPMC on a Windows Server, you may run into security pop-ups when clicking the Settings tab. Certain aspects of the GPMC, such as the Settings tab, utilize Internet Explorer to display their contents.
Since Internet Explorer is “hardened” on Windows Server machines, you will have limited access to the whole picture. When showing the Settings within the GPMC, you’ll be presented with a warning box:
You can bypass this by simply adding security_mmc.exe as a trusted website. This should make your problems go away. Optionally, you can also turn off Internet Explorer Enhanced Security Configuration. In Windows Server 2012 and later, you use Server Manager. Then select Local Server on the left side and select IE Enhanced Security Configuration on the right side. Finally, choose Off in the pop-up window that appears:
This is where you’ll be able to enable or disable the annoying, I mean, informative pop-ups. This approach is recommended in test labs but not recommended on production servers.
The Delegation Tab The Delegation tab lets you specify who can do what with GPOs, their links, and their properties. You’ll find the Delegation tab in a lot of places, such as when you do the following:
● Click a GPO link or click a GPO in the Group Policy Objects container
● Click a site
● Click a domain
● Click an OU
● Click the WMI Filters node
● Click a WMI (Windows Management Instrumentation) filter itself (covered in Chapter 4)
● Click on the Starter GPOs section
The PowerShell cmdlet to get the state of delegation (which could also be thought of as permissions) is Get-GPPermission, and the cmdlet to set or change the state of delegation would be Set-GPPermission. We’ll not jump into these PowerShell cmdlets here. We’ll use these cmdlets a little later in the section “Filtering the Scope of Group Policy Objects with Security.”
At each of these locations, the tab allows you to do something different. I’ll discuss what each instance of this tab does a bit later in the section “Security Filtering and Delegation with the GPMC.”
Raising or Lowering the Precedence of Multiple Group Policy Objects
You already know that the “flow” of Group Policy is inherited from the site level, the domain level, and then from each nested OU level. But, additionally, within each level, say at the Temporary Office Help OU, multiple GPOs are processed in a ranking precedence order. Lower-ranking GPOs are processed first, and then the higher GPOs are processed.
In Figure 2-2, you can see that an administrator has linked two GPOs to the Temporary Office Help OU. One GPO is named “Enforce 50 MB Disk Quota” and another is named “Enforce 40 MB Disk Quota.”
If the policy settings inside these GPOs both adjust the disk quota settings, which one will “win”? Client computers will process these two GPOs from lowest-link order to highest-link order. Therefore, the “Enforce 40 MB Disk Quota” GPO (with link order 2) is processed before “Enforce 50 MB Disk Quota” (link order 1). Hence, the GPO with the policy settings to dictate 50 MB disk quotas will win.
So, if two (or more) GPOs within the same level contain values for the same policy setting (or policy settings), the GPOs will be processed from lowest-link order to highest-link order. Each successively processed GPO then writes its settings on top of what came before. If there are any conflicts, the highest link order “wins.” This could happen where one GPO has a specific policy setting enabled and another GPO at the same level has the same policy setting disabled.
Just to clear up a confusing little point: it turns out the highest-link order is not the highest numbered GPO listed at a level. Oh no – that would be too easy. Indeed, the highest-link order is shown as the lowest displayed number. Great. Just another fun fact to keep you on your toes.
Changing the order of the processing of multiple GPOs at a specific level is an easy task with the GPMC. For instance, suppose you want to change the order of the processing so that the “Enforce 40 MB Disk Quota” GPO is processed after the “Enforce 50 MB Disk Quota” GPO. Simply click the GPO you want to process last and click the down arrow icon. Similarly, if you have additional GPOs that you want to process first, click the GPO and click the up arrow icon. The double-arrow icons will put the highlighted GPO either first or last in the link order – depending on the icon you click.
Figure 2-2: You can link multiple GPOs at the same level.
Using PowerShell, the cmdlet would be as follows to set a specific Group Policy Object (“Enforce 40 MB Disk Quota”) to link order 2:
Again – the “most last” applied GPO wins. So the GPO with a link order of 1 is always applied last and, hence, has the final say at that level. This is always true unless the Enforced function is used (as discussed later).
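The reordering and the “order 1 is applied last” rule, as an added example that is not the book’s code: Set-GPLink moves the 40 MB GPO to link order 2, and a small helper then lists the enabled links at that OU in the sequence clients actually process them. The OU’s distinguished name is an assumption based on the book’s lab.

```powershell
Import-Module GroupPolicy
$ou = 'ou=Temporary Office Help,dc=Corp,dc=com'   # assumption: the OU's DN in the book's lab

# Give "Enforce 40 MB Disk Quota" link order 2 so it is processed before
# whatever holds link order 1 (here, "Enforce 50 MB Disk Quota")
Set-GPLink -Name 'Enforce 40 MB Disk Quota' -Target $ou -Order 2 | Out-Null

function Show-GpoProcessingOrder {
    # Lists the enabled links at one level in the order clients process them:
    # highest link-order number first, link order 1 last. Because later writes
    # overwrite earlier ones, link order 1 wins any conflict at this level
    # (unless Enforced links elsewhere in the hierarchy override it).
    param([Parameter(Mandatory)] [string] $Target)
    $links = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.Enabled }
    $step = 0
    foreach ($link in ($links | Sort-Object Order -Descending)) {
        $step++
        [pscustomobject]@{
            ProcessedAs  = $step
            LinkOrder    = $link.Order
            Name         = $link.DisplayName
            Enforced     = $link.Enforced
            FinalSayHere = ($link.Order -eq 1)
        }
    }
}

Show-GpoProcessingOrder -Target $ou | Format-Table -AutoSize
```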
Understanding GPMC’s Link Warning
In the previous chapter, I pointed out that anytime you click a GPO link, you get the informational (or perhaps it’s more of a warning) message shown in Figure 2-3.
Figure 2-3: You get this message anytime you click the icon for a link.
This message is trying to convey an important sentiment: No man is an island, and neither is a Group Policy Object. Just because you created a GPO and it is seen swimming in the Group Policy Objects container doesn’t mean you’re the only one who is possibly using it.
As we work through examples in this chapter, we’ll manipulate various characteristics of GPOs and links to GPOs. If we manipulate any characteristics of a GPO we’re about to play with, such as the following, then all other levels in Active Directory that also link to this GPO will be affected by our changes:
● The underlying policy settings themselves
● The security filtering (on the Scope tab)
● The WMI filtering (on the Scope tab)
● The GPO status (on the Details tab)
● The delegation (on the Delegation tab)
For instance, imagine you had a GPO linked to an OU called Doctors and the same GPO linked to an OU called Nurses. If you edit the GPO in the swimming pool, or click the link to the GPO in either Doctors or Nurses and click Edit, you’re doing the same thing. Any changes made within the GPO affect both the Doctors OU and the Nurses OU.
This is sometimes a tough concept to remember, so it’s good to see it here again. You can choose to squelch the tip if you like. Just don’t forget its advice.
The difference between the GPO itself and the links you can create can be confusing. Be sure to check out the sidebar “On GPO Links and GPOs Themselves” a bit later in the chapter.
Another way to see this principle in action is by locating the “Auto-Launch calc.exe” GPO in either the link in the Human Resources Computers OU or the object itself within the Group Policy Objects container. Next, go to the Details tab and change the GPO status to some other setting. Then, go to the link or the actual GPO and see that your changes are reflected. You can even create a new OU, link the GPO, and still see that the change is there. This is because you’re manipulating the actual GPO, not the link. If you choose to squelch the message, you can get it back by choosing View ⇒ Options ⇒ General and selecting “Show confirmation dialog to distinguish between GPOs and GPO links.”
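Because a GPO edit reaches every container that links to it, the practical check before changing one is to find all of those links first. This added example (not the book’s code) does that for the domain and every OU; it assumes the ActiveDirectory RSAT module is installed next to the GroupPolicy module, and it does not inspect site links.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory   # assumption: RSAT's AD module is installed alongside the GPMC

function Find-GpoLinks {
    # Returns every domain or OU where the named GPO is linked. Run it before
    # editing a GPO so you know which containers the change will reach.
    # Site links are not inspected (Get-GPInheritance takes a domain or OU).
    param([Parameter(Mandatory)] [string] $GpoName)
    $gpo = Get-GPO -Name $GpoName
    $scopes = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
    foreach ($dn in $scopes) {
        foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks) {
            # match on the GUID, not the display name, since names can be changed
            if ($link.GpoId -eq $gpo.Id) {
                [pscustomobject]@{
                    GPO      = $gpo.DisplayName
                    LinkedAt = $dn
                    Order    = $link.Order
                    Enabled  = $link.Enabled
                    Enforced = $link.Enforced
                }
            }
        }
    }
}

# The GPO from the book's walkthrough; expect both the original OU and any new OU you linked it to
Find-GpoLinks -GpoName 'Auto-Launch calc.exe' | Format-Table -AutoSize
```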
Stopping Group Policy Objects from Applying
After you create your hierarchy of Group Policy that applies to your users and computers, you might occasionally want to temporarily halt the processing of a GPO – usually because a user is complaining that something is wrong. You can prevent a specific GPO from processing at a level in Active Directory via several methods, as explained in the following sections.