Group Policy, by Jeremy Moskowitz
Introduction
Windows 10 is here.
Alas, Windows 8 and 8.1, we hardly knew ye.
And Windows 9 – we just skipped you entirely and jumped ahead to Windows 10.
For people buying this book for the first time, welcome. For people who have bought previous editions and are returning again (or again and again and again) – thank you for coming back.
Group Policy and Active Directory go hand in hand. If you have Active Directory, you get Group Policy.
If you’re very new to Group Policy, here’s the inside scoop. Group Policy has one goal: to make your administrative life easier. Instead of running around from machine to machine, tweaking a setting here or installing some software there, you’ll have ultimate control from on high.
Like Zeus himself, controlling the many aspects of the mortal world below, you will have the ability, via Group Policy, to dictate specific settings pertaining to how you want your users and computers to operate. You’ll be able to shape your network’s destiny. You’ll have the power. But you need to know how to tap into this power and what can be powered.
In this introduction and throughout the first several chapters, I’ll describe just what Group Policy is all about and give you an idea of its tremendous power. Then, as your skills grow, chapter by chapter, we’ll build on what you’ve already learned and help you do more with Group Policy, troubleshoot it, and implement some of its most powerful features.
For those of you who are already somewhat Group Policy savvy, there is some good and some bad news (which is the same news): From a Group Policy perspective, Windows 10 is not radically different from its Windows 7 or Windows 8 siblings.
Ironically, Group Policy’s innards did get the most recent update between Windows 8 and Windows 8.1, and those carry forward to Windows 10. I’ll explain these when the time comes, so you can understand the behavior changes. Take a look at Table I-1 for how the Windows Group Policy engine evolved when the internal version number changed.
Table I-1: How Windows and Group Policy evolved
Again, Table I-1 shows changes from a “Group Policy guts” perspective and is not necessarily reflective of what you can do (the actions you can perform) with Group Policy.
Knowing what’s changed within the Group Policy guts is a dual-edged sword. On the one hand, you could say to yourself, “Awesome! If I’m already an expert at Windows 7 and Group Policy, there’s not a huge hill to climb!” And that would be true. On the other hand, it’s also true that because Windows 8 through 10 didn’t shake things up too much, with regard to Group Policy “guts,” there’s not a lot of whiz-bang newness to uncover and show off. That being said, the updates in Windows 8.1 (which carry forward to Windows 10) will be covered in Chapter 3.
In a way, I really like the dual-edged sword. I like that there are a variety of new goodies and things you can do with Group Policy for Windows 10, some interesting updates, but not a radical head-spinning change. I like the fact that what is already working in practice doesn’t change that much. I like knowing that the time already invested in getting smarter in Group Policy isn’t for nothing, and you and I won’t have to relearn everything we ever knew all over again.
So, even though the “guts” haven’t changed all that much, there’s always new “stuff” you can accomplish with Group Policy as each operating system comes out.
As you likely already know, Group Policy is, at its heart, an “on-prem” system for management. Isn’t this antithetical to Microsoft’s new battle cry of “Mobile first, cloud first?”
If you want to read Microsoft’s own perspective on this, see:
http://news.microsoft.com/2014/03/27/satya-nadella-mobile-first-cloud-first-press-briefing/
Shouldn’t Group Policy get a huge overhaul in its underlying technology to align with “Mobile first, cloud first?”
Perhaps it doesn’t need it. Because Group Policy is, by its very nature, extensible, we can extend Group Policy to the cloud when needed if it is paired with (at least two) “add-ons.” Microsoft DirectAccess (beyond the scope of this book, but briefly touched upon in Chapter 3) enables Windows machines to act as if they are always connected on-premises, even though they might be on the Internet at a coffee shop. That being said, DirectAccess only works with the more pricey Enterprise version of the Windows client.
PolicyPak Cloud (demonstrated in Chapter 3 and “name dropped” throughout the book) can take existing Group Policy directives and get them to the cloud for use on traveling and even non-domain-joined machines. PolicyPak Cloud works with any version of Windows and isn’t limited to the more pricey Enterprise version.
If you’ve done some work already with Group Policy, you might notice that it could be described as various components under one roof; it roughly breaks down as follows:
● Group Policy Administrative Templates
● Group Policy Security Settings
● Group Policy Preferences
● Everything else, including third-party extensions
With all that power, and extendibility, Group Policy continues to stay not just relevant but, indeed, central to any Active Directory administrator’s tool belt of required knowledge.
And because Group Policy is extensible, it can keep working in a “Mobile first, cloud first” world.
Group Policy Defined
If we take a step back and try to analyze the term Group Policy, it’s easy to become confused. When I first heard the term, I didn’t know what to make of it.
I asked myself, “Are we applying ‘policy’ to ‘groups’? Is this some sort of old-school NT 4 System Policy applied to Active Directory groups?”
Turns out, “Group Policy” as a name isn’t, well, excellent. At cocktail parties, when I tell the person next to me that I teach, write about, and make software to extend Group Policy, they don’t get what “Group Policy” means.
If I said something like “I teach databases,” he would cheerfully go back to his scotch and soda and leave me alone. But because I say, “I teach Group Policy to smart people looking to get smarter and build software that hooks into Group Policy,” he (unfortunately) wants to know more. He’ll say something like “What does that mean? I’ve never heard of Group Policy before.” And while I love talking about Group Policy with you, my friendly IT geeks, at a cocktail party full of stuffed shirts, I just want to get another canapé.
So, the name “Group Policy” can be kind of confusing, but it’s also intriguing. Microsoft’s perspective is that the name “Group Policy” is derived from the fact that you are “grouping together policy settings.” I don’t really love the name “Group Policy” – but it’s the name we have, so that’s what it’s called. As Juliet said in Romeo and Juliet (II, ii, 43–44), “What’s in a name? That which we call a rose by any other name would smell as sweet.”
For me, if I was consulted, I might have named it Windows Policy or Microsoft Policy. But, alas. Group Policy is the name it has.
Group Policy is, in essence, rules that are applied and enforced at multiple levels of Active Directory. Policy settings you dictate must be adhered to by your users and computers. This provides great power and efficiency when manipulating client systems.
Instead of running around from machine to machine, you’re in charge (not your users).
When going through the examples in this book, you will play the various parts of the end user, the OU administrator, the domain administrator, and the enterprise administrator. Your mission is to create and define Group Policy using Active Directory and witness it being automatically enforced. What you say goes! With Group Policy, you can set policies that dictate that users quit messing with their machines. You can dictate what software will be deployed. You can determine how much disk space users can use. You can do pretty much whatever you want – it is up to you. With Group Policy, you hold all the power. That’s the good news.
And this magical power only works on Windows 2000 and later machines. For the sake of completeness, this includes all versions of Windows 2000 and later: workstation and server. Of course, this includes all the modern Windows systems you would use, like Windows 10 and Windows Server 2016.
I’ll likely say this again in multiple places, but I want to get one “big ol’ misconception” out of the way right here, right in the introduction. The Group Policy infrastructure does not care what mode your domain is in. If you have only one type of Domain Controller or a mixture of Domain Controllers, 100 percent of everything we cover in this book is valid.
Said another way, even if your domain level is the oldest-of-the-old Windows 2000 mixed mode, you’re still pretty much 100 percent covered here. Group Policy is all about the client (the target) operating system and not the Domain Controllers or domain modes.
It is true that wireless settings and BitLocker key storage require schema updates to play nicely with Group Policy. But even then, Group Policy will still work running with the oldest-of-the-old servers.
If the range of control scares you, don’t be afraid! It just means more power to hold over your environment. You’ll quickly learn how to wisely use this newfound power to reign over your subjects, er, users.
Group Policy vs. Group Policy Objects vs. Group Policy Preferences
Before we go headlong into Group Policy theory, let’s get some terminology and vocabulary out of the way:
● Group Policy is the concept that, from on high, you can do all this “stuff” to your client machines.
● A policy setting is just one individual setting that you can use to perform some specific action.
● Group Policy Objects (GPOs) are the “nuts and bolts” contained within Active Directory Domain Controllers, and each can contain anywhere from one to a zillion individual policy settings.
● The Group Policy Preferences are a newer add-on to the existing set of “original” Group Policy settings and abilities many have come to know and love. Group Policy Preferences (sometimes shortened to GPPrefs) don’t act quite the same as their original cousins. We’ll cover the Group Policy Preferences in detail in Chapter 5.
● Preference item is a way to describe one “Group Policy Preferences directive.” It’s like a “policy setting,” but for the Group Policy Preferences.
It’s my goal that after you work through this book, you’ll be able to jump up on your desk one day and use all the vocabulary at once. Like this: “Hey! Group Policy isn’t applying to our client machines! Perhaps a policy setting is misconfigured. Or, maybe one of our Group Policy Objects has gone belly up! Heck, maybe one of the preference items is misconfigured. I’d better read about what’s going on in Chapter 7, ‘Troubleshooting Group Policy.’”
This terminology can be a little confusing – considering that each term includes the word policy. In this text, however, I’ve tried especially hard to use the correct nomenclature for what I’m describing. If you get confused, just come back here to refresh your brain about the definitions.
Note that there is never a time to use the phrase “Group Policies.” Those two words together shouldn’t exist. If you’re talking about “multiple GPOs” or “multiple policy settings” or “policy settings vs. preference items,” these are the preferred phrases to use, and never “Group Policies.”
Where Group Policy Applies
Group Policy can be applied to many machines at once using Active Directory, or it can be applied when you walk up to a specific machine. For the most part, in this book I’ll focus on using Group Policy within an Active Directory environment, where it affects the most machines.
A percentage of the settings explored and discussed in this book are available to member or stand-alone Windows machines – that is, machines that either participate in an Active Directory environment (are “joined” to Active Directory) or do not participate in one (are “non-domain-joined”).
However, the Folder Redirection settings (discussed in Chapter 10) and the Software Distribution settings (discussed in Chapter 11) are not available to stand-alone machines (that is, computers that are not participating in an Active Directory domain). In some cases, I will pay particular attention to non–Active Directory environments. However, most of the book deals with the more common case; that is, we’ll explore the implications of deploying Group Policy in an Active Directory environment.
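To put the vocabulary from the previous section to work against the domain-joined case described here, the following PowerShell script (an added example, not code from the book or from PolicyPak) inventories the GPOs linked to one OU and gives a rough count of policy settings versus preference items inside each. It assumes the RSAT GroupPolicy module is installed on a domain-joined administrative workstation; the OU distinguished name is a placeholder, and the way it counts settings rests on an assumption about the layout of the GPO XML report (Administrative Template settings appear as Policy elements, and each Group Policy Preferences item carries a uid attribute), so treat the numbers as an approximation rather than an audit.

```powershell
# Added example, not from the book: inventory the GPOs linked to an OU and
# roughly count policy settings vs. preference items in each one.
# Requires the RSAT GroupPolicy module on a domain-joined admin workstation.
Import-Module GroupPolicy

function Get-GpoLinkInventory {
    param(
        # Placeholder OU; replace with a real distinguished name from your domain.
        [Parameter(Mandatory)] [string] $TargetOu   # e.g. "OU=Sales,DC=corp,DC=example"
    )

    # Group Policy via Active Directory only makes sense on a domain-joined machine;
    # a stand-alone machine only has its Local Group Policy (see gpresult /r).
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        throw "This computer is not domain-joined; no Active Directory GPOs apply here."
    }

    # GpoLinks holds the links placed directly on this container. (InheritedGpoLinks
    # would instead give every GPO that reaches the OU from above, in precedence order.)
    $inheritance = Get-GPInheritance -Target $TargetOu

    foreach ($link in @($inheritance.GpoLinks)) {
        # Render the GPO as the same XML report the GPMC "Settings" tab uses.
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

        # Assumption about the report schema (verify against your own reports):
        #   - each Administrative Template policy setting is a <Policy> element
        #   - each Group Policy Preferences item carries a uid="{GUID}" attribute
        # Security settings and other client-side extensions are not counted here.
        $policySettings  = $report.SelectNodes("//*[local-name()='Policy']").Count
        $preferenceItems = $report.SelectNodes("//*[@uid]").Count

        [pscustomobject]@{
            Gpo             = $link.DisplayName
            LinkedTo        = $link.Target
            Enabled         = $link.Enabled
            Enforced        = $link.Enforced
            LinkOrder       = $link.Order
            PolicySettings  = $policySettings
            PreferenceItems = $preferenceItems
        }
    }
}

# Usage (placeholder OU): list the GPOs on the OU with the counts side by side.
Get-GpoLinkInventory -TargetOu "OU=Sales,DC=corp,DC=example" | Format-Table -AutoSize
```

The output lines up the three terms the book insists on: each row is one GPO, and the two count columns separate its policy settings from its preference items. A disabled or unexpectedly enforced link shows up in the Enabled and Enforced columns, which is usually the first thing to check when “Group Policy isn’t applying.” For the walk-up, stand-alone case, gpresult /r on the machine itself shows what Local Group Policy (and, if joined, which GPOs) actually applied.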
The “Too Many Operating Systems” Problem
If we line up all the operating systems that you (a savvy IT person) might have in your corporate world, we would likely find one or more of the following (presented here in date-release order):
● Windows 2000 (Workstation and Server), RTM through SP4
● Windows Server 2003, RTM through SP2
● Windows XP, RTM through SP3
● Windows Vista, RTM through SP2
● Windows Server 2008, RTM (known as SP1, actually) through SP2
● Windows 7, RTM through SP1
● Windows Server 2008 R2, through SP1
● Windows Server 2012, RTM
● Windows Server 2012 R2
● Windows 8 client, RTM
● Windows 8.1 client, RTM
● Windows 8.1 Update 1
● Windows 10, RTM
● Windows Server 2016, RTM
For the love of Pete (whoever Pete is), that’s a lot of potential operating systems. Okay, okay – perhaps you don’t have all of them. You likely don’t have any more Windows 2000 (or maybe you do, tucked in a back room somewhere, quietly processing something or other).
The point, however, is that Group Policy can apply to all of these systems. Under most circumstances, “old stuff” will work correctly on newer machines. That is, something that could affect, say, an XP machine will generally continue to affect a Windows 10 machine.
With that in mind, here’s an example of what I’m not going to do. I’m not going to show you an example of something in the book, then say something like, “and this example is valid for Windows XP, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8, Windows 8.1, Windows 8.1 Update 1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server 2016.”
My head (and yours) will just explode if I do that and you need to read it each time.
So, here’s what I am going to do. You’ll read my discussion about something, then I’ll say something like, “and this example is valid for Windows XP and later.” That would mean that the thing I’m about to show you (for example, a policy setting) should work A-OK for XP and later machines (all the way to Windows 10 and also usually for servers, like Windows Server 2016, too). Similarly, if I say, “and this is valid for Windows Vista and later,” that means you’ll be golden if the target machine is Windows Vista and later (all the way through Windows 10 and Windows Server 2016).
Of course, there are a handful of exceptions: things that only work on one particular operating system in a possibly peculiar way. For instance, there are a handful of Windows Vista–only settings that aren’t valid for Windows 7 and Windows 8. There are Windows 10–specific settings that won’t work on older machines. Again, I’ll strive for clarity regarding the exceptions – but the good news is, those are few and far between.
If you get lost, here’s a quick cheat sheet to help you remember “which machines act alike”:
● Windows 2000 Workstation and Windows 2000 Server
● Windows Server 2003 and Windows XP
● Windows Server 2008 and Windows Vista
● Windows 7 and Windows Server 2008 R2
● Windows 8 and Windows Server 2012
● Windows 8.1 and Windows Server 2012 R2
● Windows 10 and Windows Server 2016
Just to be even more specific, Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows Server 2016 are ludicrously close brothers. They look alike, throw the same temper tantrums, and enjoy the same kinds of movies. But they’re not identical. They are, in fact, different, but in most cases, they’re super-duper similar and will react the same way when poked.
For this edition of the book, we decided to make a conscious choice about how to present Group Policy. Most of the walk-throughs, examples, and screen shots in the book will be of Windows 10 and Windows Server 2016.
Since I wrote the last edition of this book, two friends have passed away. Those friends, of course, are Windows XP and Windows Server 2003. It’s impossible to know how much XP is still out there, but my unscientific guess would be that 30 percent of the PCs in the business world are still using XP as I write these words. That’s not a lot, but it’s certainly not a little either.
As far as I’m concerned though, XP and Windows Server 2003 are dead ends. I mean, they really are: Microsoft has stopped supporting them except in extreme circumstances and special handling cases.
But I do want to be super-clear about something: I am also specifically going to note and talk about the differences between the various operating systems. For instance, I’ll definitely be expressing some concepts as originally found in Windows 2000, and also Windows XP and Windows Vista – things that were originally in these operating systems’ behaviors but are absent or changed now.
When explaining Group Policy, I like to explain how Group Policy evolved from Windows 2000 through Windows XP and Vista and now on to Windows 10. I like to talk about the “old-school” stuff sometimes, because I find it helps explain why Windows does some things today that seem, well, odd or confusing. If I explain the older operating systems, for example, Windows 2000 and Windows XP, it’s actually easier to understand modern Windows. But as far as actual examples go in this book, sayonara XP (and Windows Server 2003). When it’s necessary to get a deeper perspective on details of Windows XP, I might refer you to previous editions of this book.
And now, a quick word about Windows Vista.
Yes, friends. Vista happened.
We also cannot deny the existence of Windows Vista and that it actually came and went without anyone caring at all.
That being said, even though Microsoft “didn’t quite get the taste right” with regard to Windows Vista, the individual ingredients continue to be the base of our Windows soup going forward. So, that means Windows 7, 8, and 10 are honestly very minor upgrades from Vista.
And pretty much everything that was once valid for Vista is also valid for Windows 7, Windows 8, and Windows 10. Therefore, you’ll see me write a lot about, “and this works for Windows Vista and later,” or in some places, like table listings, you’ll see “Valid for Vista+” – meaning that whatever I’m referencing will work on Vista (if you have it), but it will also work on Windows 7, almost always Windows 8, and onward to Windows 10.
A Little about Me, This Book, PolicyPak, and Beyond
Group Policy is a big concept with some big power. This book is intended to help you get a handle on this new power to gain control over your environment and to make your day-to-day administration easier. It’s filled with practical, hands-on examples of Group Policy usage and troubleshooting. It is my hope that you enjoy this book and learn from my experiences so you can successfully deploy Group Policy and manage your desktops to better control your network. I’m honored to have you aboard for the ride, and I hope you get as much out of Group Policy as I do.
I’ve had and continue to have a long history with Group Policy.
I’ve been writing about and speaking about Group Policy in my hands-on workshops for over 10 years.
I’ve been one of about a dozen Group Policy MVPs, as anointed by Microsoft, for 12 years.
And, I’ve also founded a company called PolicyPak Software, which extends Group Policy to do more amazing things than what is possible with what is in the box alone. For instance, here are some of the things you can do with the products from PolicyPak:
● Manage just about any third-party application using Group Policy (like Java, Flash, Firefox, Lync [now Skype for Business], OpenOffice, and hundreds more).
● Craft exactly when and how Group Policy Administrative Template settings will be applied to users or computers.
● Keep Group Policy Preferences items working – even when the computer goes offline.
● Learn when a machine is in compliance and out of compliance with what you need it to be.
● Deploy almost all Group Policy directives over the Internet and on to machines that might never otherwise be able to get Group Policy.
So, I’m going to try to walk a fine line here. With your permission, I am going to, from time to time, describe when something from PolicyPak could enhance a situation or solve a problem that cannot be solved out of the box. I’ll show you real examples of how to solve real problems.
And I’m doing it not to sell you something, but if that happens, that’s okay, too. The point, really, is to demonstrate a problem or situation that might not have any other way out of it. So basically, if I didn’t explain that the “PolicyPak possibility” to fix a particular problem existed, you wouldn’t know about it and you’d still always be stuck in a rut.
Meanwhile, as you read this book, it’s natural to have questions about Group Policy or managing your desktops. To form a community around Group Policy, I have a popular community forum that can be found at www.GPanswers.com.
I encourage you to visit the website and post your questions to the community forum or peruse the other resources that will be constantly renewed and available for download. For instance, in addition to the forum at www.GPanswers.com, you’ll find these resources:
● Full downloadable PowerShell scripts from the PowerShell chapter
● Tips and tricks
● A third-party Group Policy Solutions Guide, and lots, lots more!
If you want to meet me in person, book me for onsite training, or attend my live public Group Policy courses, my website at www.GPanswers.com has a calendar with upcoming events. I’d love to hear how this book met your needs or helped you out.
Thanks again for being a part of the journey.