Windows 2000 group policy details

Source: Internet
Author: User

This article focuses on Group Policy: how it works, how it is implemented internally, and how to use it in a Win2K environment. Understanding the principles of system policies in NT 4.0 helps.

More detailed control over desktop configurations

Group Policy is my favorite feature added in Windows 2000. It gives me something Windows NT never provided: comprehensive, fine-grained control over users' computers. We can regard Group Policy as the successor to system policies in NT 4.0. A Group Policy Object (GPO) is based on Active Directory (AD).

What is a group policy?

A GPO is a physical policy associated with a domain, site, or organizational unit. In NT 4.0, a single system policy file such as ntconfig.pol holds all policy settings, and enforcement relies on the registry settings on the user's computer. In Win2K, a GPO consists of files plus AD objects. Through Group Policy you can specify registry-based settings (using NT 4.0-format .adm template files) on Win2K computers, apply domain security settings, install software over the network with Windows Installer, and redirect folders.

The Group Policy Editor (GPE) in the Microsoft Management Console (MMC) is the equivalent of the System Policy Editor (poledit.exe) in NT 4.0. Each functional node in GPE, such as Software Settings, Windows Settings, and Administrative Templates, is an MMC snap-in extension, an optional management tool. If you are an application developer, you can extend GPO functionality through custom extensions to provide additional policy control for your applications.

Only systems running Win2K process Group Policy. Clients running NT 4.0 and Windows 9x cannot recognize or apply AD-based GPOs.

Group Policy and AD

To make full use of GPOs, we need the AD domain architecture. With AD, we can define a centralized policy that applies to all Win2K servers and workstations. However, every computer running Win2K also has a local GPO residing on its local file system. Through the local GPO you can specify a policy for an individual workstation that does not belong to an AD domain. For example, for security reasons you would not put a public-access computer in the AD domain; with the local GPO you can still modify local policy to secure and restrict the desktop without an AD-based GPO. There are two ways to open the local GPO. On the Start menu of the computer whose GPO you want to modify, select Run and type:

gpedit.msc

This serves the same purpose as poledit.exe in NT 4.0: it opens the local policy. Alternatively, add the GPE snap-in to an MMC console and select a local or remote computer to edit its local GPO.

The local GPO supports all default extensions except Software Installation and Folder Redirection, so those two cannot be done with the local GPO alone. To make full use of GPO functionality, AD support is still required.

GPO diversity and inheritance

In AD, GPOs can be defined at three different levels: domain, organizational unit (OU), or site. An OU is a container in AD to which users, groups, computers, and other objects can be assigned for administration. A site is a collection of subnets on the network; sites form the replication topology of AD. The GPO namespace is divided into two parts: Computer Configuration and User Configuration. GPOs apply only to users and computers; a GPO cannot be applied to printer objects or even to user groups.

There are several ways to edit a policy in a domain or OU. In the Active Directory Users and Computers MMC snap-in, right-click a domain or OU, select Properties from the menu, and then select the Group Policy tab. To edit the policy of a site, open the Active Directory Sites and Services snap-in and right-click the desired site to get to its GPOs. Alternatively, select Run from the Start menu and type:

mmc.exe

This starts MMC. Select Console, then Add/Remove Snap-in, add the Group Policy snap-in and click Browse. The GPOs in the AD domain are listed, and you can select one for editing.

Depending on where GPOs sit in the AD namespace, several GPOs may act on a user or computer object. GPOs are inherited in the same way as other objects in the domain. Win2K processes GPOs in the following order. First, the operating system applies the policy on the local system. Then it applies site-level, domain-level, and OU-level GPOs; Microsoft abbreviates this precedence as LSDOU (the processing order is local, site, domain, and then OU-level GPOs). You can define GPOs at many layers of this chain. To take a pilot domain as an example of how to view the GPOs in a system: start the Active Directory Users and Computers tool, right-click the domain name, select Properties from the menu, and then select the Group Policy tab. The GPO at the top of the list, for example a domain-wide security policy, has the highest priority, so Win2K applies it last. Except on the local system, several GPOs can be defined at each level, so unless GPOs are managed strictly, unnecessary problems can occur.

The GPO inheritance model differs from Novell's ZENworks policy approach. In ZENworks, if multiple policy packages are applied at different points of the Novell Directory Services (NDS) tree, only the package closest to the user object takes effect. In Win2K, if four GPOs are defined at different levels of AD, the operating system uses LSDOU to prioritize them, and the effect on a computer or user is the sum of the four policies. Settings in one GPO may also be overridden by settings in another. With AD-level GPOs you can delegate policy control. For example, the company's security department can design the security GPO for all systems at the domain level, while the administrator of an OU can be given the right to install software in that OU through a GPO. In the ZENworks model, these policies would have to be copied to every layer where they are needed, because the effect on a user or computer object is not the sum of all policies.

To further control GPOs, Microsoft provides three settings to limit the complexity of GPO inheritance. At the site, domain, and OU levels, you can select a check box to block inheritance from a higher level. Likewise, at each level you can set options on a GPO link: open the Active Directory Users and Computers snap-in, right-click the domain or OU where the GPO is linked, select Properties from the menu, and then select the Group Policy tab. Highlight the entry you want to modify and click the Options button. The available options are No Override and Disabled. If No Override is selected, the GPO still applies even where the block-inheritance check box is selected. This is useful if you want a GPO enforced everywhere: if an OU administrator attempts to block inheritance of the security policy, the GPO containing the security policy is still applied. The Disabled check box completely disables the GPO link. This is especially useful when you are editing a GPO and do not want others to apply it yet.

GPO execution and filtering

Only user and computer objects process Group Policy. When a computer starts up or shuts down, Win2K applies the policy defined in the Computer Configuration section of the GPO. When a user logs on or off, Win2K applies the policy defined in the User Configuration section. You can also run secedit.exe from the command line to apply the security policy immediately. In addition, Win2K periodically refreshes the GPO settings for users and computers, by default every 90 minutes; this refresh makes it hard for users to undo settings defined by Group Policy. Software installation policy, however, is not refreshed, because nobody wants a periodic policy change to reload software, especially while someone is using it. Software installation policy is applied only when the computer starts or the user logs on.

Although only computer and user objects in AD process GPOs, we can filter the effect of a GPO. Using security groups and the Apply Group Policy permission, a new security feature in Win2K, a specific group of users can be prevented from applying a GPO. Right-click the GPO name in MMC, select Properties, and then select the Security tab to view the current security settings of the GPO. The Authenticated Users group has the Apply Group Policy permission, so all users within the scope of this GPO apply it. In Win2K, security groups can include both user and computer objects, so security groups can be used to fine-tune how users and computers apply a GPO. You can also assign the software installation part of a GPO to individual application security groups. For example, if you publish 10 applications in one GPO, you can allow only the Finance user group to access 5 of them; when other users log on to the domain, they will not see those five applications.
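The precedence rules from the two preceding sections (LSDOU order, top-of-list priority, Block Policy Inheritance, No Override, Disabled links) and the security-group filtering described just above can be modelled in a few dozen lines. The following Python script is an added example written for this article, not Microsoft's code: the GPO and Container classes, the sample GPOs, group names and setting names are all assumptions made for the illustration. It follows the article's scenario of a domain-level security GPO set to No Override, an OU administrator who blocks inheritance, and a software-publishing GPO restricted to the Finance group.

```python
"""Model of how Win2K resolves the effective policy from a chain of GPOs.

Added illustration for the article, not Microsoft code. It encodes the rules
the text describes: LSDOU processing order, top-of-list priority within a
container, Block Policy Inheritance, No Override, Disabled links, and
security-group filtering through the Apply Group Policy permission. The GPO
and Container classes and the sample data are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict                       # setting name -> value
    no_override: bool = False            # "No Override" set on the link
    disabled: bool = False               # link marked "Disabled"
    # groups holding the Apply Group Policy permission (Win2K default shown)
    apply_groups: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Container:
    level: str                           # "local", "site", "domain" or "ou"
    gpos: list                           # as listed on the Group Policy tab: index 0 wins
    block_inheritance: bool = False      # "Block Policy Inheritance" check box


def applies_to(gpo: GPO, groups: frozenset) -> bool:
    """Security filtering: a Disabled link never applies, and the principal
    must be in at least one group that holds Apply Group Policy."""
    return not gpo.disabled and bool(gpo.apply_groups & groups)


def resolve(chain: list, groups) -> tuple:
    """chain: containers in LSDOU order, local first.
    Returns (effective settings, names of GPOs in the order they were applied)."""
    groups = frozenset(groups)
    local, *ad_chain = chain
    # The local GPO is always processed first; it is not an AD link and so is
    # not subject to Block Policy Inheritance.
    local_gpos = [g for g in reversed(local.gpos) if applies_to(g, groups)]

    inherited, forced = [], []
    for container in ad_chain:
        if container.block_inheritance:
            # Blocking discards every inherited normal link, but not the
            # No Override links collected so far.
            inherited = []
        # Within a container the top entry has the highest priority, so it
        # must be applied last: walk the list bottom-up.
        for gpo in reversed(container.gpos):
            if not applies_to(gpo, groups):
                continue
            (forced if gpo.no_override else inherited).append(gpo)

    # Normal links apply in LSDOU order, later ones overwriting earlier ones.
    # No Override links apply after all normal links, and among them the one
    # closest to the site (found earliest) wins, hence the reversal.
    rsop, applied = {}, []
    for gpo in local_gpos + inherited + forced[::-1]:
        rsop.update(gpo.settings)
        applied.append(gpo.name)
    return rsop, applied


# Constructed sample mirroring the article's scenario.
LOCAL = Container("local", [GPO("Local GPO", {"wallpaper": "corp.bmp", "min_pw_len": 6})])
SITE = Container("site", [GPO("Site Proxy", {"proxy": "proxy.hq.example:8080"})])
DOMAIN = Container("domain", [
    GPO("Domain Security", {"min_pw_len": 8, "lockout": 5}, no_override=True),
    GPO("Domain Default", {"wallpaper": "domain.bmp", "screensaver_min": 10}),
])
FINANCE_OU = Container("ou", [
    GPO("Finance Apps", {"published": ["ledger", "payroll"]},
        apply_groups=frozenset({"Finance"})),
    GPO("Finance Desktop", {"min_pw_len": 4, "wallpaper": "finance.bmp"}),
    GPO("Old Policy", {"screensaver_min": 99}, disabled=True),
], block_inheritance=True)

CHAIN = [LOCAL, SITE, DOMAIN, FINANCE_OU]

if __name__ == "__main__":
    for member_of in ({"Authenticated Users", "Finance"}, {"Authenticated Users"}):
        rsop, applied = resolve(CHAIN, member_of)
        print(sorted(member_of), "->", applied)
        for key in sorted(rsop):
            print(f"   {key} = {rsop[key]}")
```

Running it shows why the article calls the effective policy hard to predict: the OU's block removes the site proxy and domain wallpaper, the OU's weaker password length is itself overruled because the domain security GPO is No Override, and the published applications appear only for members of Finance.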

Internal composition of GPO

A GPO consists of two parts: the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is the instance of the GPO in AD. It lives in a special container called System and is identified by a 128-bit GUID, a globally unique ID. In the Active Directory Users and Computers snap-in, select View, then Advanced Features from the MMC menu to see the System container. The GPT is the representation of the Group Policy in the Win2K file system; all GPO-related files reside in the GPT.

Problems caused by GPO

Although GPOs are powerful, they are not easy to master. The hardest thing to grasp is how to determine the effective policy for a computer or user in the domain. Because GPOs can exist at different layers of the AD chain, this judgment is particularly difficult. At the same time, because GPO control can be delegated, it is not easy to know whether GPOs in containers you do not control will affect yours. Therefore, calculating the Resultant Set of Policy (RSoP) received by a computer or user object is quite difficult. Although Microsoft does not provide an RSoP tool, a third-party vendor has provided one for calculating RSoP.

Another difficulty is policy processing. If GPOs exist at many layers of the AD chain, all of them are processed every time a user logs on or a system starts. In Win2K, Microsoft has added some functions to optimize this. First, version information is kept by the workstation and in the GPO; if the GPO has not changed, the system does not process it. In addition, you can disable the user or computer part of a GPO on the GPE property page. If a GPO is created only to distribute startup and shutdown scripts and its User Configuration is disabled, the workstation does not have to parse that part of the GPO to determine whether it has changed.

The last challenge is that the GPC and GPT are two separate entities. The GPC is an object in AD, and its replication is not synchronized with the replication of the files contained in the GPT. This means that when a GPO is created, the GPC may have finished replicating before the GPT has begun replicating to Sysvol on the domain controllers.
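The version check mentioned above (a workstation skips a GPO whose version has not changed, and a disabled half need not be parsed) and the GPC/GPT split described in this paragraph can be shown together. The following Python script is an added example for this article, not Microsoft code. It relies on two facts about Win2K: the GPC carries a versionNumber attribute and a flags attribute in AD, and the GPT carries a GPT.INI file in Sysvol whose [General] section holds a Version line; the version counter packs the Computer Configuration count in its low 16 bits and the User Configuration count in its high 16 bits, and flags bit 1 marks User Configuration disabled, bit 2 Computer Configuration disabled. The sample GPT.INI contents, the cached client versions and the function names are constructed for the illustration.

```python
"""Version bookkeeping between a GPO's two halves (added example, not Microsoft code).

Win2K keeps a version counter both on the GPC object in AD (versionNumber)
and in the GPT's GPT.INI under Sysvol; the two replicate independently, which
is the skew the article warns about. The counter packs two 16-bit values:
low word = Computer Configuration changes, high word = User Configuration
changes. The GPC flags attribute marks a half as disabled (1 = user disabled,
2 = computer disabled). Sample data below is constructed.
"""
import configparser

USER_DISABLED, COMPUTER_DISABLED = 1, 2   # bits of the GPC flags attribute


def split_version(version: int) -> tuple:
    """Unpack versionNumber into (computer version, user version)."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Read the Version line from the [General] section of a GPT.INI."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.getint("General", "Version")


def check_gpo(gpc_version: int, gpc_flags: int, gpt_ini_text: str,
              cached_computer: int, cached_user: int) -> dict:
    """Decide what a client should do with this GPO.

    cached_* are the versions the workstation recorded the last time it
    processed the GPO, which is how unchanged GPOs get skipped.
    """
    gpt_version = parse_gpt_ini(gpt_ini_text)
    if gpt_version != gpc_version:
        # AD and Sysvol disagree: replication has not caught up, so neither
        # side should be trusted as the current state of the GPO yet.
        return {"state": "replication-skew",
                "gpc_version": gpc_version, "gpt_version": gpt_version}
    comp, user = split_version(gpc_version)
    return {
        "state": "consistent",
        "computer_version": comp,
        "user_version": user,
        # A disabled half is never processed, however far its counter moved;
        # an enabled half is processed only when its counter changed.
        "process_computer": (not (gpc_flags & COMPUTER_DISABLED)) and comp != cached_computer,
        "process_user": (not (gpc_flags & USER_DISABLED)) and user != cached_user,
    }


# Constructed sample GPT.INI: 65539 = 0x00010003, computer version 3, user version 1
SAMPLE_GPT_INI = "[General]\nVersion=65539\n"

if __name__ == "__main__":
    # GPC and GPT agree; only the user half changed since the client last ran
    print(check_gpo(65539, 0, SAMPLE_GPT_INI, cached_computer=3, cached_user=0))
    # Same, but User Configuration is disabled on the GPC, so nothing to do
    print(check_gpo(65539, USER_DISABLED, SAMPLE_GPT_INI, cached_computer=3, cached_user=0))
    # GPC already replicated a newer version; Sysvol still holds the old GPT
    print(check_gpo(65540, 0, SAMPLE_GPT_INI, cached_computer=3, cached_user=1))
```

The skew case is the one to watch for operationally: the GPC version jumps as soon as the AD change replicates, while the GPT files are still on their way to the other domain controllers, so a client that reads the two halves from different controllers can see them disagree.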

The origin of all this is that AD uses a multi-master replication model. In theory, one administrator can edit a GPO on one domain controller while another administrator edits it on another. For this reason, GPE by default connects to the domain controller that holds the PDC emulator operations master role. (Operations masters are a set of functions hosted in the AD infrastructure; the server acting as PDC emulator is compatible with workstations running NT and Win9x.) In general, grant permission to edit GPOs to only a few administrators to avoid this situation, and make sure others are informed when a GPO is being edited. In addition, when editing a GPO, set it to Disabled and re-enable it after the modification.

The advantage and the disadvantage of GPOs are the same thing: they allow flexible control of the Win2K environment, but complexity comes with that flexibility. Used correctly, GPOs let Win2K provide much more powerful capabilities.

I hope this detailed explanation of Windows 2000 Group Policy helps readers. There is more to learn about Group Policy that readers need to study and consolidate.
