Windows 200x Group Policy: requirements
Active Directory
Client: Windows 2000, Windows XP, ...
Windows NT 4.x and earlier are not supported
Windows Me, 9x and earlier are not supported
Group Policy
Remote, central configuration of computer and user settings
GPO: Group Policy Object
Specific settings for:
  Administrative Templates: registry-based Group Policy settings
  Software Settings: central management of software installations
  Scripts: startup, shutdown, logon and logoff scripts
  Folder Redirection: redirection of user folders to the network
  Security: local, domain and network security settings
[Diagram: an administrator creates a new policy in Active Directory; it is applied to users and computers]
Applying Group Policy
Computer start: Windows 200x applies the Computer Settings part and runs the startup scripts
User logon: Windows 200x applies the User Settings part and runs the logon scripts
Periodic refresh on clients: desktop computers every 90 minutes, Domain Controllers every 5 minutes
Group Policy (Windows 200x)
Group Policy Objects in Windows 200x are Active Directory objects
Group Policy Objects are applied to Active Directory containers
  Inherited by sub-containers (OUs)
  Filtered within an OU by access permissions
Group Policy in Windows 200x is stored under HKLM or HKCU:
  \Software\Policies (preferred location)
  \Software\Microsoft\Windows\CurrentVersion\Policies
Segue: <Show of Hands> So, how many people here have worked with NT 4.0 Policies? (Most should have.) Well, Windows 2000 uses an entirely different model for how policies are created, applied, and managed. In Windows 2000, group policy objects are "Objects", much as a user is an AD "Object". Each policy object exists in an AD container, and applies to all of the users in that container and the containers below it.
Where is Group Policy applied from?
  1. Site
  2. Domain
  3. OU
  4. OU (nested)
Applied only to users and computers, not to groups
Group Policy is inherited
General rule: when two settings conflict, the "closer" one wins
Multiple GPOs in one OU are processed from the bottom of the list up (the topmost one "wins")
Segue: Group Policy Objects are applied to users based on their membership in the Active Directory.
Key Talking Points: A user or computer object in Active Directory can have more than one policy apply to it. Group Policy Objects can be created at the site, domain, and OU level, and all of these settings are applied together to the user or computer. Policy settings are inherited from higher-level containers to lower-level ones. The settings are cumulative, except when two policy settings contradict each other. When settings from two policy objects contradict each other, the settings from the most specific policy "win". For instance, if a domain-level policy says to hide the "Run" command from the Start menu, but a policy object created for marketing users says specifically to show it, then the Run command will be shown.
Group Policy settings
Filtering by access permissions
Problem: how do you apply a GPO to a specific user within an OU?
GPOs can be "filtered" by changing the access permissions on the GPO
To apply a GPO, the Read and Apply Group Policy permissions on the GPO are required
To modify a GPO, the Read and Write permissions are required
Segue: Up to now, we've applied policies to entire containers of users. However, we might want to have a policy that applies only to a single user or computer in an AD container.
Key Talking Points: For instance, we might want to give RIS permissions only to one user in our Headquarters OU. To restrict access to a policy, we can apply security permissions to the Group Policy Object itself. Each policy object has several permissions that can be set on it. For a user or security group to apply a policy, they need the "Read" and "Apply Group Policy" permissions.
Default GPO permissions
Authenticated Users: Read, Apply Group Policy
Local System, Domain Admins, Enterprise Admins: all permissions except Apply Group Policy
Segue: This screen shot shows the Security tab on a group policy object's properties dialog box.
Key Talking Points: Notice that Authenticated Users are granted Read and Apply access by default. When you create a group policy object, you need to manually restrict access to it. You can either dis-allow access or specifically deny access. The policy will apply to the strictest setting. This means that if a user is a member of two groups, one of which is allowed access and another which is specifically denied access, then the user will not apply the policy. This is a good way to have a policy apply to everybody in an OU except a certain user or group.
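The permission rules from the last two slides, as an added worked example that is not part of the original deck or of any Microsoft tool: a small Python model of a GPO's access control list in which a principal applies the GPO only when its groups are allowed both Read and Apply Group Policy and none of them is denied either, so an explicit Deny always wins. The group names, the principals and the "Read"/"Write"/"Apply Group Policy" rights strings are constructed for illustration; the admin default of "everything except Apply Group Policy" is modelled as Read + Write only.

```python
# Added example: a model of GPO security filtering as described in the slides.
# Names, groups and the rights strings below are constructed for illustration;
# this is not GPMC or Windows code.
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"
WRITE = "Write"


@dataclass(frozen=True)
class Ace:
    """One access control entry on a GPO: a principal is allowed or denied a set of rights."""
    principal: str
    allow: bool
    rights: frozenset


def default_gpo_acl():
    """Default permissions from the slide: Authenticated Users get Read + Apply Group Policy;
    Local System, Domain Admins and Enterprise Admins get everything except Apply Group Policy
    (modelled here as Read + Write)."""
    admin_rights = frozenset({READ, WRITE})
    return [
        Ace("Authenticated Users", True, frozenset({READ, APPLY})),
        Ace("Local System", True, admin_rights),
        Ace("Domain Admins", True, admin_rights),
        Ace("Enterprise Admins", True, admin_rights),
    ]


def has_right(acl, groups, right):
    """A right is effective only if some ACE for one of the principal's groups allows it
    and no ACE for any of its groups denies it: an explicit Deny wins over an Allow."""
    denied = any(not ace.allow and ace.principal in groups and right in ace.rights for ace in acl)
    allowed = any(ace.allow and ace.principal in groups and right in ace.rights for ace in acl)
    return allowed and not denied


def gpo_applies(acl, groups):
    """Applying a GPO needs both Read and Apply Group Policy."""
    return has_right(acl, groups, READ) and has_right(acl, groups, APPLY)


def can_edit_gpo(acl, groups):
    """Editing a GPO needs both Read and Write."""
    return has_right(acl, groups, READ) and has_right(acl, groups, WRITE)


def exclude_group(acl, group):
    """'Everybody in the OU except one group': add an explicit Deny of Apply Group Policy."""
    return acl + [Ace(group, False, frozenset({APPLY}))]


def restrict_to_group(acl, group):
    """'Only one group in the OU': drop the default Authenticated Users allow and
    allow Read + Apply Group Policy for the chosen group only."""
    kept = [ace for ace in acl if ace.principal != "Authenticated Users"]
    return kept + [Ace(group, True, frozenset({READ, APPLY}))]


# Constructed principals: every logged-on domain user is also a member of Authenticated Users.
ALICE = {"Authenticated Users", "Sales"}
BOB = {"Authenticated Users", "Contractors"}
ADMIN = {"Authenticated Users", "Domain Admins"}

if __name__ == "__main__":
    acl = default_gpo_acl()
    print("default ACL: alice", gpo_applies(acl, ALICE), "bob", gpo_applies(acl, BOB))
    print("admin can edit:", can_edit_gpo(acl, ADMIN), "and still receives it:", gpo_applies(acl, ADMIN))
    print("after denying Contractors: bob", gpo_applies(exclude_group(acl, "Contractors"), BOB))
    only_sales = restrict_to_group(acl, "Sales")
    print("Sales only: alice", gpo_applies(only_sales, ALICE), "bob", gpo_applies(only_sales, BOB))
```

Note that a Domain Admin still receives the policy under the default ACL: the Apply right comes through Authenticated Users, not through the admin group, which is why the deny-based exclusion and the allow-list variant are the two ways the slide's notes describe to narrow who gets the GPO.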
Modifying inheritance
Block Inheritance prevents Group Policy from being inherited from the parent container
Enforced prevents the Group Policy from being overridden in a lower container
Enforced takes precedence over Block Inheritance
A higher-level Enforced takes precedence over a lower-level Enforced
Segue: Now, in the last demo we saw how policy placement within an AD container affected priority. But what happens when policies are in different OUs?
Key Talking Point: As we saw earlier, when policies are in different OUs they cumulatively inherit from higher-level containers to lower-level ones. There are times, however, when we might not want the users in one particular OU to inherit any policies from the containers above it. In this instance, we can set the "Block Inheritance" property on that OU. However, as a site administrator, we might not want to allow any of our more local administrators to block our policy. If this is the case, we can set the "No Override" property on our policy, and this will take precedence over their "Block Inheritance". Now, what would happen if the lower-level admin made their policies "No Override" as well? In this case, the higher-level "No Override" wins.
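The precedence rules from the "Where is Group Policy applied from?" slide and this one, as an added worked example that is not part of the original deck or of any Microsoft tool: a Python model that computes the order in which a client would apply the GPOs linked along the path site, domain, OU and then merges their settings so that the last GPO applied wins a conflict. It implements the stated rules (links within a container processed from the bottom of the list up, Block Inheritance dropping links from parent containers, Enforced links applied last with the higher-level Enforced winning). The container names, GPO names and setting names are constructed for illustration.

```python
# Added example: a model of the Group Policy precedence rules from the slides
# (site -> domain -> OU, link order within a container, Block Inheritance, Enforced).
# Container names, GPO names and settings are constructed; this is not Windows or GPMC code.
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict  # constructed: setting name -> value


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False  # "Enforced" ("No Override" in Windows 2000) on the link


@dataclass
class Container:
    name: str
    links: list  # index 0 is the top of the link list, i.e. highest precedence in this container
    block_inheritance: bool = False


def processing_order(path):
    """path lists the containers from the site down to the OU holding the user or computer.
    Returns the GPOs in the order the client applies them; a later GPO overrides an
    earlier one, so the last GPO in the list wins any conflict."""
    # Block Inheritance on a container discards non-enforced links from every container above it.
    start = 0
    for i, container in enumerate(path):
        if container.block_inheritance:
            start = i
    order = []
    # Non-enforced links: site first, then domain, then OUs; within a container the list
    # is processed from the bottom up so that the top entry is applied last and wins.
    for container in path[start:]:
        order.extend(link.gpo for link in reversed(container.links) if not link.enforced)
    # Enforced links are applied after all others and survive Block Inheritance.
    # Walking from the deepest container back to the site applies the higher-level
    # enforced link last, so a higher Enforced beats a lower Enforced.
    for container in reversed(path):
        order.extend(link.gpo for link in reversed(container.links) if link.enforced)
    return order


def effective_settings(path):
    """Merge settings in processing order: cumulative, later values override earlier ones."""
    effective = {}
    for gpo in processing_order(path):
        effective.update(gpo.settings)
    return effective


# Constructed GPOs for the "hide the Run command" example from the slide notes.
SITE_BASELINE = GPO("Site Baseline", {"ScreenSaverTimeout": 900})
HIDE_RUN = GPO("Hide Run Command", {"HideRunCommand": True})
SHOW_RUN = GPO("Marketing: Show Run", {"HideRunCommand": False})
MKT_WALLPAPER = GPO("Marketing Wallpaper", {"Wallpaper": "marketing.bmp"})


def marketing_path(domain_enforced=False, block_inheritance=False):
    """Constructed hierarchy for a Marketing user: Site -> Domain -> OU=Marketing.
    The OU links two GPOs; "Marketing: Show Run" sits at the top of its list."""
    return [
        Container("Site", [Link(SITE_BASELINE)]),
        Container("Domain", [Link(HIDE_RUN, enforced=domain_enforced)]),
        Container("OU=Marketing", [Link(SHOW_RUN), Link(MKT_WALLPAPER)],
                  block_inheritance=block_inheritance),
    ]


if __name__ == "__main__":
    for enforced in (False, True):
        for block in (False, True):
            path = marketing_path(enforced, block)
            print(f"enforced={enforced} block={block}:",
                  [g.name for g in processing_order(path)], effective_settings(path))
```

With neither flag set the Marketing OU's "Show Run" wins because it is closer; making the domain link Enforced flips the result back to hidden; Block Inheritance on the OU removes the site screen-saver setting but cannot remove the enforced domain link.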
Installing software with a GPO
Publish
Assign
Segue: Applications can be automatically distributed to workstations either by publishing or assigning the application.
Key Talking Points: Administrators can use Software Installation and Maintenance to either publish or assign software. Publish: an administrator typically publishes an application that people may find useful, allowing each person to decide whether or not to install the application. Published applications appear in the Control Panel and have to be manually installed by the user. Assign: an administrator typically assigns an application if people need the application to perform their job. If an application is assigned to people, they have the application on their desktops automatically. Assigned applications appear in the Start menu, but actually get installed the first time a user tries to run the application. In both cases, the applications can be set to automatically install when a user opens an associated file. For instance, if we assign the MS Word application and a user double-clicks a .doc file, then MS Word will install itself and then open the file.
Windows Installer service
Windows Installer provides:
  Easy preparation and unification of installation scripts
  Self-healing applications
  Run-from-server, Install on first use
  Full uninstallation
  Separation of user and computer data
  Installation with elevated privileges
Segue: To be able to assign an application, the app must support the Windows Installer service.
Key Talking Points: The Windows Installer service should be familiar to anyone who has installed Office 2000. Windows Installer service allows you to have features like self-heal, per-feature installation, install on first use, etc. If you want to assign or publish a legacy application that doesn't support the Windows Installer service, then you can repackage the application using Seagate WinInstall LE. This program is included on the Windows 2000 Server CD-ROM. Repackaging an application is a quick-and-dirty way to get the program out to your users. In order to get all of the features out of the Windows Installer service, you might want to consider re-compiling the application. Tools from Seagate Software and WISE Software are available to do this. One other major advantage of Windows Installer service applications is that they distinguish between per-user roaming information and per-computer information. Per-user information gets stored in the HKCU/Software/Policies registry key and in the user profile /application data subdirectory.
Introducing GPMC
What is GPMC?
  A Group Policy management tool:
  A set of scriptable interfaces for Group Policy management
  MMC snap-in
  Available for download from www.microsoft.com
GPMC design goals
  Unified Group Policy management
  Addressing deployment problems
  Substantially improved UI
  Programmatic access to Group Policy
New GPMC features
Substantially improved UI
Report generation
Search, WMI filtering
Resultant Set of Policy (RSoP) integration
  Group Policy Modeling = planning mode
  Group Policy Results = logging mode
Backup/Restore
Import/Export, Copy/Paste
Scripting of GPO operations (not of settings!)