Managing Group Policy CHAPTER 14
503
FIGURE 14-2 The folder structure for the central store where ADMX template files are stored for the domain
NOTE For a list of ISO language identifiers, see http://msdn.microsoft.com/en-us/library/dd318691.aspx.
After you create this folder structure for the central store on the PDC Emulator, the FRS will
replicate this structure to all domain controllers in the domain. You choose the PDC Emulator
as the domain controller on which to create this folder structure manually because the PDC
Emulator is the default choice for the focus of the GPMC.
NOTE Creating a central store is not a requirement for using Group Policy to manage computers running Windows Vista or later. For example, in the absence of a central store, an administrator can use the GPMC on an RSAT administrative workstation running Windows 7 to create GPOs and then use the GPMC to configure these GPOs. The advantage of configuring a central store is that all GPOs created and edited after the store is configured have access to all of the ADMX files within the store, which makes the central store useful for deploying any custom ADMX files that you want to share with other administrators in your domain.
Adding ADMX Templates to the Store
After you configure the central store, you must populate it using ADMX template files. You can copy these ADMX template files from a computer running Windows 7 by following these steps:
1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the Domain Admins built-in group.
2. Open a command prompt and type the following command (on one line):
xcopy %SystemRoot%\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\policies\PolicyDefinitions /s /y
3. Repeat this process from any administrator workstations running Windows 7 that have different languages installed.
After you copy the ADMX template files to the central store, the central store will be
replicated to all domain controllers in the domain as the contents of the SYSVOL share are
replicated by the FRS. Whenever you want to update the files or copy a custom ADMX file,
you must do this manually.
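The creation and population steps above, carried through in one PowerShell script as an added example that is not from the book. It locates the PDC Emulator, creates the PolicyDefinitions folder in SYSVOL, copies the local .admx files and every language folder of .adml files, and then checks that each .admx has a matching .adml in every language folder; it assumes the RSAT ActiveDirectory module is installed so that Get-ADDomain is available.

```powershell
# Added example, not from the book: create the ADMX central store on the PDC
# Emulator, populate it from the local PolicyDefinitions folder, and verify it.
# Assumption: the RSAT ActiveDirectory module is installed (supplies Get-ADDomain).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$store  = "\\$pdc\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'

# Create the store on the PDC Emulator only; SYSVOL replication carries it to the other DCs.
if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Copy the .admx files, then each language folder (for example en-US) with its .adml files.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $store -Force
foreach ($langSrc in (Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer })) {
    $langDst = Join-Path $store $langSrc.Name
    if (-not (Test-Path $langDst)) {
        New-Item -Path $langDst -ItemType Directory | Out-Null
    }
    Copy-Item -Path (Join-Path $langSrc.FullName '*.adml') -Destination $langDst -Force
}

# Consistency check: the editor reports resource errors for any .admx whose .adml
# is missing from a language folder, so list every such gap per language.
function Test-CentralStore {
    param([string]$Path)
    $admxNames = @(Get-ChildItem -Path $Path -Filter '*.admx' | ForEach-Object { $_.BaseName })
    $gaps = @()
    foreach ($langDir in (Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer })) {
        $admlNames = @(Get-ChildItem -Path $langDir.FullName -Filter '*.adml' | ForEach-Object { $_.BaseName })
        foreach ($name in $admxNames) {
            if ($admlNames -notcontains $name) {
                $gaps += "$($langDir.Name) is missing $name.adml"
            }
        }
    }
    return $gaps
}

$gaps = Test-CentralStore -Path $store
if (-not $gaps) {
    Write-Host "Central store at $store is complete for every language folder."
} else {
    $gaps | ForEach-Object { Write-Warning $_ }
}
```

Run it once from an elevated PowerShell session as a Domain Admin; rerunning it after adding custom ADMX files refreshes the store and repeats the check.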
DIRECT FROM THE SOURCE
Create and Populate the ADMX Central Store in a Single Step
Judith Herman, Group Policy Programming Writer
Windows Enterprise Management Division UA
As long as the ADMX central store directory exists, the Group Policy Management Editor will ignore the local versions of the ADMX files. It is recommended that as soon as the central store is created, the ADMX (and associated ADML files) are used to populate the central store. If there is an empty central store directory when the Group Policy Management Editor in Windows 7 is started, the ADM nodes will not display any policy settings because the Group Policy Management Editor reads ADM policy settings display information only from the empty central store.
Creating and Managing GPOs
After your central store is configured and you have copied ADMX template files to it, you are
ready to create GPOs for managing your environment. Beginning with Windows 7, you can
create and manage GPOs in two ways:
- From the graphical user interface (GUI) by using the GPMC. This is the only method available for managing Group Policy on earlier versions of Windows.
- From the command line or via script automation by using the new Windows PowerShell Group Policy cmdlets. This method for managing Group Policy is new in Windows 7 and Windows Server 2008 R2 and is described in the section titled “Creating and Managing GPOs Using Windows PowerShell” later in this chapter.
Obtaining the GPMC
The GPMC is not included in a default Windows 7 install. Instead, you must download and install the RSAT for Windows 7 to use the GPMC on a Windows 7 computer. To do this, follow these steps:
1. Obtain the appropriate RSAT package (x86 or x64) for your Windows 7 administrative workstation from the Microsoft Download Center at http://www.microsoft.com/downloads/ and install the RSAT .msu package on your computer.
2. Open Programs And Features from Control Panel and select Turn Windows Features
On Or Off.
3. In the Windows Features dialog box, expand Remote Server Administration Tools, followed by Feature Administration Tools.
4. Select the check box next to Group Policy Management Tools and click OK.
Alternatively, instead of managing Group Policy by installing RSAT on a computer running
Windows 7, you can manage it directly from a computer running Windows Server 2008 R2 by
installing the RSAT feature using the Add Features Wizard in Server Manager.
Using Starter GPOs
Starter GPOs, introduced in the GPMC for Windows Server 2008 and Windows Vista SP1 with
RSAT, are read-only collections of configured Administrative Template (.admx) policy settings
that you can use to create a live GPO. Starter GPOs provide baselines of Group Policy settings
designed for specific scenarios. By using Starter GPOs as templates for creating domain-based
GPOs, you can deploy Group Policy quickly in different kinds of environments. Note that
Starter GPOs can contain only policy settings (ADM settings); they cannot include preference
items, security settings, or other types of Group Policy settings.
In Windows Vista SP1 and Windows Server 2008, you had to download Starter GPOs
before using them. Now, however, a default set of Starter GPOs are included in RSAT for
Windows 7 and in the GPMC feature of Windows Server 2008 R2.
RSAT for Windows 7 includes two different categories of Starter GPOs:
- Enterprise Client (EC): Client computers in this type of environment are members of an AD DS domain and need to communicate only with systems running Windows Server 2003. The client computers in this environment may include a mixture of Windows versions, including Windows 7, Windows Vista, and Windows XP.
- Specialized Security Limited Functionality (SSLF): Client computers in this type of environment are members of an AD DS domain and must be running Windows Vista or later. Concern for security in this environment is a higher priority than functionality and manageability, which means that the majority of enterprise organizations do not use this environment. The types of environments that might use SSLF are military and intelligence agency computers.
In addition to these two categories, the default Starter GPOs in RSAT for Windows 7 can also be categorized by whether they do the following:
- Apply only to clients running Windows XP SP2 or later or Windows Vista SP1 or later.
- Apply to users or to computers.
The result of this categorization is the following eight types of Starter GPOs included in
RSAT for Windows 7:
- Windows Vista EC Computer
- Windows Vista EC User
- Windows Vista SSLF Computer
- Windows Vista SSLF User
- Windows XP EC Computer
- Windows XP EC User
- Windows XP SSLF Computer
- Windows XP SSLF User
For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows Vista SP1 or later, see the Windows Vista Security Guide at http://go.microsoft.com/?linkID=5744573. For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows XP SP2 or later, see the Windows XP Security Compliance Management Toolkit at http://go.microsoft.com/fwlink/?LinkId=14839. Updated information on Starter GPOs should also be available; search for Windows 7 Security Guide on the Microsoft Download Center.
Before you can use Starter GPOs, you must prepare your environment by creating a separate folder for these GPOs in the SYSVOL share on your domain controllers. If your forest has more than one domain, you must create a separate Starter GPOs folder in each domain of your forest. To create the Starter GPOs folder, perform the following steps:
1. Open the GPMC and select the Starter GPOs node in the console tree for the domain.
2. Click the Create Starter GPOs Folder button in the details pane (see Figure 14-3).
3. Repeat for each domain in your forest.
After you create your Starter GPOs folder, you can use the default Starter GPOs as templates
when you create new GPOs, as described in the next section. You can also create and manage
your own Starter GPOs by right-clicking the Starter GPOs node in the console tree of the
GPMC.
FIGURE 14-3 Creating the Starter GPOs folder in SYSVOL for the domain
Creating and Managing GPOs Using the GPMC
To create and configure a GPO using the GPMC, follow these steps:
1. Log on to an administrative workstation running Windows 7 with RSAT using a user account that is a member of the Domain Admins built-in group.
2. Right-click Start and then click Properties. On the Start Menu tab, click Customize.
Then in the Customize Start Menu dialog box, scroll down to System Administrative
Tools, select Display On The All Programs Menu And The Start Menu, and click OK.
3. Click Start, then Administrative Tools, and then Group Policy Management. (Alternatively, you can type gpmc.msc in the Start Search box and then click gpmc.msc when it appears under Programs in your search results.)
4. Expand the console tree to select the domain or OU to which you will link the new
GPO when you create it.
5. Right-click this domain or OU and select Create A GPO In This Domain And Link It
Here.
6. Type a descriptive name for your new GPO, such as Seattle Computers GPO, and
(optionally) select a Starter GPO as a template for it. Then click OK.
7. Expand the domain or OU to display the GPO link for your new GPO beneath it, as
shown in the following image.
8. Right-click the GPO link and then select Edit to open the GPO.
9. Configure policy settings and preference items in the GPO as desired for the computers and/or users targeted by the GPO.
NOTE If a domain controller is unavailable when a computer running Windows 7 tries to log on to the network, the computer will log on using cached credentials and will use the local copies of the ADMX template files to surface ADM policy settings in the Local Group Policy Editor. Also, if an administrator uses a computer running Windows 7 with RSAT to start GPMC or the Local Group Policy Editor and no central store is found, local copies of the ADMX template files will be used to surface ADM policy settings in the Local Group Policy Editor.
Creating and Managing GPOs Using Windows PowerShell
Beginning with Windows 7 and Windows Server 2008 R2, you can also use 25 new Windows PowerShell cmdlets to create and manage GPOs from the PowerShell command line or by using PowerShell scripts. This new capability builds upon the earlier Component Object Model (COM)–based Group Policy scripting capabilities found in Windows Vista and Windows Server 2008. This feature enables administrators to manage the full life cycle of GPOs, including creating, deleting, copying, configuring, linking, backing up and restoring, generating Resultant Set of Policy (RSoP) reports, configuring permissions, and migrating (importing and exporting) GPOs across domains and forests and from test to production environments.
This new functionality is implemented using the GPMC application programming interfaces (APIs) and is available as a module that you can import from the Windows PowerShell command line. This means that the GPMC must be installed on the computer from which you run your Windows PowerShell commands. These new cmdlets provide functionality both for performing GPMC operations and for reading and writing registry settings to GPOs (including both policy settings and preference items).
You can also use Group Policy to configure policy settings that specify whether Windows PowerShell scripts can run before non-PowerShell scripts during computer startup and shutdown and during user logon and logoff. By default, Windows PowerShell scripts run after non-PowerShell scripts.
As shown in Table 14-3, the Windows PowerShell cmdlets in Group Policy can be organized
into five different categories according to their verb.
TABLE 14-3 Windows PowerShell cmdlets for Group Policy in Windows 7 and Windows Server 2008 R2

VERB     CMDLETS
Get      Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetofPolicy, Get-GPStarterGPO
New      New-GPLink, New-GPO, New-GPStarterGPO
Set      Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue
Remove   Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue
Misc     Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO
As an example of using these new cmdlets, the procedure described here creates a
new Seattle Users GPO and links it to the Seattle Users OU beneath the Seattle OU in the
contoso.com domain to complement the Seattle Computers GPO created using the GPMC
in the previous section.
1. Log on to your domain controller and click the Administrator: Windows PowerShell
icon pinned to the taskbar. This opens the Windows PowerShell command-prompt
window.
2. Type import-module GroupPolicy to import the Group Policy module into Windows
PowerShell. This step is required at the beginning of each Windows PowerShell script
or series of PowerShell commands that you execute to manage Group Policy.
3. Type $gpo = New-GPO "Seattle Users GPO" to create a new GPO named Seattle Users GPO and assign the GPO to the Windows PowerShell variable named $gpo.
4. Type Get-GPO $gpo.DisplayName to retrieve the properties of the newly created GPO and verify its creation, as shown here.
5. Type New-GPLink $gpo.DisplayName -Target "ou=Seattle Users,ou=Seattle,dc=contoso,dc=com" -Order 1 to link the new GPO to the Seattle Users OU beneath the Seattle OU in the contoso.com domain and assign the GPO a link order of 1.
If you refresh the GPMC view, you should now see the newly created GPO linked to the OU
you specified.
For more examples on how to use these new Group Policy cmdlets to create and manage
Group Policy, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft
TechNet at http://blogs.technet.com/grouppolicy/archive/tags/PowerShell/default.aspx. For a general introduction to the Windows PowerShell capabilities of Windows 7, see Chapter 13, “Overview of Management Tools.”
Editing GPOs
After you’ve created a GPO, you can edit the settings that it contains using one of two methods:
- From the GUI by using the Group Policy Management Editor, which can be started from the GPMC. This is the only method available for editing GPOs in earlier versions of Windows. Using this method, you can modify any GPO setting, including policy settings, preference items, and security settings.
- From the command line or via script automation by using the Set-GPRegistryValue, Set-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPPrefRegistryValue, Remove-GPRegistryValue, and Remove-GPPrefRegistryValue cmdlets, which are among the new Windows PowerShell Group Policy cmdlets in Windows 7. Using this method, you can modify either policy settings or Group Policy Preferences registry-based preference items (you cannot modify other types of preference items using the cmdlets). You cannot use Windows PowerShell to modify security settings, software installation settings, or any other types of GPO settings.
Configuring Policy Settings
To configure a policy setting in a GPO, follow these steps:
1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the
GPO in the Group Policy Management Editor.
2. Expand the Policies node under either Computer Configuration or User Configuration
as desired.
3. Expand the Administrative Templates node under Policy and browse to select the
policy you want to configure, as shown here.
4. Double-click the policy setting to open its properties, then enable or disable the setting as desired, and (optionally) type a comment to document your action, as shown here.
5. Click OK to apply the change to the GPO.
After Group Policy is updated for the users or computers targeted by the GPO, the policy setting will be applied. This policy setting, which applies only to Windows 7 and later versions, displays a Search The Internet link above the Start menu button whenever a user types something into the Search box on the Start menu.
In addition to using the Group Policy Management Editor to configure policy settings, you can use Windows PowerShell to do this if you have the GPMC installed on a computer running Windows 7 or Windows Server 2008 R2. For example, to edit the Seattle Users GPO and enable the Add Search Internet Link To Start Menu policy setting as was done previously, open a Windows PowerShell command-prompt window and follow these steps:
1. Type Import-module GroupPolicy to import the GroupPolicy module into Windows
PowerShell.
2. Type $key = "HKCU\Software\Policies\Microsoft\Windows\Explorer" to assign
the registry path for the Add Search Internet Link To Start Menu policy setting to the
variable named $key.
3. Use the Set-GPRegistryValue cmdlet, as shown in Figure 14-4, to create a new DWORD
registry value named AddSearchInternetLinkinStartMenu under the registry key and
assign a value of 1 to this registry value.
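The PowerShell procedures in this section (creating and linking the Seattle Users GPO, then setting its registry-based policy value), carried through in one script as an added example that is not from the book. It creates the GPO only if it is absent, links it with order 1, backs it up before editing so the change can be reversed with Restore-GPO, writes the DWORD, reads it back to verify, and saves an HTML report; the backup folder C:\GPOBackups is an assumption.

```powershell
# Added example, not from the book: create, link, back up, edit and verify the
# Seattle Users GPO from the chapter's procedure. Requires the GPMC (RSAT) to be installed.
Import-Module GroupPolicy

$gpoName   = 'Seattle Users GPO'
$target    = 'OU=Seattle Users,OU=Seattle,DC=contoso,DC=com'      # OU from the chapter
$key       = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'   # policy key from the chapter
$valueName = 'AddSearchInternetLinkinStartMenu'
$backupDir = 'C:\GPOBackups'                                       # assumption: local backup folder

# Create the GPO only if it does not exist yet, so the script is safe to rerun.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User settings for Seattle staff'
}

# Link it to the OU with link order 1 unless a link for this GPO is already present.
$links = (Get-GPInheritance -Target $target).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes -Order 1 | Out-Null
}

# Back up the GPO before touching its settings; Restore-GPO -Path $backupDir reverses the edit.
if (-not (Test-Path $backupDir)) {
    New-Item -Path $backupDir -ItemType Directory | Out-Null
}
Backup-GPO -Name $gpoName -Path $backupDir | Out-Null

# Enable the Add Search Internet Link To Start Menu setting: a REG_DWORD of 1 under the key.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null

# Read the value back from the GPO rather than trusting that the call succeeded.
$setting = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName
if ($setting.Value -ne 1) {
    throw "$valueName in $gpoName is '$($setting.Value)', expected 1"
}
Write-Host "$gpoName: $($setting.ValueName) = $($setting.Value) ($($setting.Type))"

# Keep an HTML report of the GPO's contents alongside the backup for change records.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir "$gpoName.html")
```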