Group Policy permission inheritance for domain controllers (1)

Source: Internet
Author: User

What are the specific issues with Group Policy inheritance on domain controllers? The details are described below.

In Group Policy management on domain controllers, the biggest headache is the inheritance of Group Policy settings. To make configuration easier, Group Policy has an inheritance feature: by default, settings configured at an upper level (the domain or a parent OU) are passed down to the levels beneath it, and so on down the tree, even when the lower level has configured nothing itself. Therefore, before managing the Group Policy of an enterprise network, we first need to understand how inheritance works, so that later management takes half the effort for twice the result rather than the other way round.

Assume the simple network architecture described below.

In the domain there is an OU for office clerks. In its Group Policy settings, the logon window defaults to the user who last logged on; that is, the account name of the last logon is displayed in the system logon window. Under this OU there is another OU for sales staff. In this structure the office clerk OU is called the parent OU and the sales staff OU is called the child OU.

Now let's take a look at how group policies are inherited.

I. The sales staff OU inherits the Group Policy of the office clerk OU.

If a setting is configured in the parent OU's Group Policy but is not configured in the child OU, the parent OU passes that setting down to the child OU; this is how Group Policy inheritance works. Note that "not configured in the child OU" means exactly that: the setting is left at Not Configured in every GPO linked to the child. As soon as the child OU configures the same setting itself, inheritance of that setting no longer takes place.

That is, if the network administrator configures a setting in the office clerk OU's Group Policy so that the name of the last logged-on user is displayed at logon, but makes no configuration for that setting in the child sales staff OU (the child may simply be sitting at its default), the domain controller treats the sales staff OU as not having configured this setting, and the child inherits it from the office clerk OU. At the next logon, the account name of the last domain logon is displayed.

Inheritance also keeps going down the tree. If there is yet another OU beneath the sales staff OU, the office clerk OU's setting is passed on to the sales staff OU and then to that OU in turn. However, note that the parent OU's settings are not shown when we open the child OU's own Group Policy. That is, after the setting has been inherited by the sales staff OU, opening the GPO linked to that OU still shows "display the account name of the last logon" as Not Configured, even though the setting is actually inherited and in effect. This causes a certain amount of confusion when maintaining Group Policy; to see what is really in effect on an OU, look at its Group Policy Inheritance tab in Group Policy Management, or run gpresult on a client in that OU.

II. The sales staff OU overrides the Group Policy of the office clerk OU

As stressed above, Group Policy inheritance happens only when the corresponding setting in the child OU is left unconfigured; the setting may have a default behaviour, but as long as it is Not Configured, inheritance takes place. If the child OU configures the corresponding setting itself, inheritance of that setting is interrupted, even if the value the child configures is the same as the default.

In the official wording: if a policy setting is configured in the child container, its value overrides the value passed down from the parent container. This sentence has two meanings.

First, when the parent OU has a setting configured and the child OU has the same setting configured, the child OU does not inherit the parent's setting, regardless of whether the two values agree. If the child OU's configuration is the same as the parent's, it simply uses its own and need not care how the parent is configured; if the two conflict, the child OU likewise pays no attention to the parent's setting. Once the son has grown up, his father can no longer tell him what to do.

Second, if the parent OU has a setting configured and the child OU has not yet configured it, the child OU inherits the parent's value. If the network administrator later finds that the child OU cannot use this setting and configures it in the child OU's Group Policy, the newly configured value overrides the value passed down from the parent OU.

The following example should deepen your understanding of this principle.

Assume that in the parent office clerk OU, the network administrator configures a "hide the network neighborhood icon on the desktop" setting for security reasons. If the child sales staff OU had this setting configured from the start, whether as prohibited or allowed, the child OU does not inherit the parent's setting at all; in other words, a son with his own ideas does not listen to his father. If the child OU had not configured the setting when it was placed under the office clerk OU, the child inherits the parent's setting. If the network administrator then, for some reason, configures "allow the network neighborhood icon on the desktop" in the child OU's Group Policy, that configured value overrides the value originally inherited from the parent OU.
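As an added example (not part of the original article), the following PowerShell script walks through both principles above: it builds the two OUs, links a GPO to the parent that configures the last-logon-name setting, shows the parent's link appearing in the child's inheritance list, and then links a child GPO that configures the same setting the other way to demonstrate the override. It assumes a machine with the ActiveDirectory and GroupPolicy modules (a domain controller or RSAT), run with rights to create OUs and GPOs; the OU and GPO names are illustrative.

```powershell
# Added example, not the article's own material. Assumes the ActiveDirectory and
# GroupPolicy modules are available and the caller may create OUs and GPOs.
# OU and GPO names below are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName                 # e.g. DC=corp,DC=example,DC=com
$parentOU = "OU=Office Clerks,$domainDN"                      # parent OU
$childOU  = "OU=Sales Staff,OU=Office Clerks,$domainDN"       # child OU nested under the parent

# 1. Build the parent/child OU structure from the article.
New-ADOrganizationalUnit -Name "Office Clerks" -Path $domainDN
New-ADOrganizationalUnit -Name "Sales Staff"   -Path $parentOU

# 2. Link a GPO to the parent OU. The registry policy value below is the one behind
#    "Interactive logon: Do not display last user name" (1 = hide the last logon
#    name, 0 = show it). Value 0 is the "display the last logged-on user" setting
#    from section I.
$regKey    = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$parentGpo = New-GPO -Name "Clerks - Show last logon name"
Set-GPRegistryValue -Name $parentGpo.DisplayName -Key $regKey `
    -ValueName "DontDisplayLastUserName" -Type DWord -Value 0 | Out-Null
New-GPLink -Name $parentGpo.DisplayName -Target $parentOU | Out-Null

# 3. Section I: the child OU has no GPO of its own, yet the parent's link is in
#    effect on it. A GPO linked to the child would still show this setting as
#    Not Configured in the editor; Get-GPInheritance (the Group Policy Inheritance
#    tab in GPMC) is where the inherited link becomes visible.
$inh = Get-GPInheritance -Target $childOU
"Linked directly to child : " + (($inh.GpoLinks | Select-Object -ExpandProperty DisplayName) -join ", ")
"In effect on child       : " + (($inh.InheritedGpoLinks | Select-Object -ExpandProperty DisplayName) -join ", ")

# 4. Section II: give the child OU its own GPO that configures the same setting with
#    the opposite value. Because the child now has the setting configured, its value
#    overrides the one passed down from the parent.
$childGpo = New-GPO -Name "Sales - Hide last logon name"
Set-GPRegistryValue -Name $childGpo.DisplayName -Key $regKey `
    -ValueName "DontDisplayLastUserName" -Type DWord -Value 1 | Out-Null
New-GPLink -Name $childGpo.DisplayName -Target $childOU | Out-Null

# 5. Both links now appear for the child, in precedence order; the child-linked GPO
#    is applied last and wins for this setting.
(Get-GPInheritance -Target $childOU).InheritedGpoLinks |
    Select-Object DisplayName, Target, Order

# 6. To confirm on a computer whose account sits in the child OU, run on that client:
#       gpupdate /force
#       gpresult /r /scope:computer
#       Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name DontDisplayLastUserName
#    The effective value should be 1, i.e. the child's own configuration, not the parent's 0.
```

Set-GPRegistryValue writes the value as a registry policy (registry.pol), so the GPO report lists it under Extra Registry Settings rather than under the Security Options node; on the client the resulting value is the same. Step 3 is the practical answer to the confusion described in section I: the child's own GPO never shows inherited settings, so check inheritance on the OU or resultant policy on a client rather than the child GPO's editor.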

The above two principles are the two basic rules of Group Policy inheritance. In actual work, in addition to these rules, you also need to know some unwritten rules, or what are called precedence issues.

