Directory
- Directory
- Group Policy
- Group Policy Object GPO
- Experiment with the computer configuration of a group of policies
- User Configuration for experiment two-Group Policy
- Experiment three first selection settings
- Experiment with four groups of policies to change the computer desktop
Group Policy
Group Policy is divided into two parts: Computer Configuration and User Configuration .
1. Computer Configuration: When the computer is powered on, the computer environment is set according to the properties configured by the computer. For example, if we set up a Computer configuration Group Policy within the ad domain of jmilk.com, this policy will be applied to all computers within that domain.
2. User configuration: When the user logs on, the user's working environment is set according to the user's configured properties. For example, if we configure Group Policy for organizational unit teacher , all users under the organizational unit will apply the policy.
Group Policy Object GPO
Group Policy is set through Group Policy Objects , and after a Group Policy object has been established, the GPO is linked to the specified site, domain, and organizational unit. Then the attribute value of this GPO will affect the site, domain, organizational unit.
Experiment one: Computer Configuration for Group Policy
In a domain controller's system, only users in certain groups can log on by default, and the average user is a service logon. For example, a user in the Domain Users group within jmilk.com cannot log on to a domain controller unless they are given permission to allow local logons . We can give these users login rights through Gpo:default Domain Controllers Policy .
Step1: Log on to the domain controller with the privileges of the system administrator.
Step2: Open Group Policy controller
Step3: Expand Domain Controllers, and right-click Edit gpo:default domain Controllers Policy .
Step4: Enter the Group Policy Management Editor , expand Computer Configuration to user Rights Assignment , locate the allow local login policy, and then double-click Start. Add group jmilk\domain Users
Note : After you successfully join Jmilk\domain Users to the policy, you need to wait a while to synchronize the updates. Or you can also use commands gpupdate /force
to synchronize even. After the synchronization is complete, we can create an organizational unit within the
Experiment Two: User Configuration for Group Policy
For example, there is an organizational unit teacherwithin the ad domain jmilk.com , and we want to set it for all users within the organizational unit, and to qualify them through a proxy server within the enterprise Internet. Assume that the proxy server URL is: proxy.jmilk.com, the port number is 8080. At the same time, we want to disable the ability to change the connection label of the browser internal explorer to the proxy settings, so as not to prevent users from changing this option privately.
We need to create a GPO that is linked to teacherand then manipulate it by modifying the way this GPO sets values.
Step1: Log on to the domain controller as a system administrator
STEP2: Group Policy Management tools
Step3: Expand teacher organizational unit, right-click, create a GPO in this organizational unit and link to here
Step4: Go to the Group Policy Editor and edit this GPO
Step4: Select the connection option under Internal Explorer under the User Configuration policy, and then double-click Proxy Settings to fill in the proxy.jmilk.com and 8080 ports, OK.
Step5: Expand the Internal explorer under Administrative Templates under the user Settings policy under Windows Components, edit the status of the disable change proxy setting to enabled on the right.
Step6: Using directives gpupdate /force
to update synchronization Group Policy
Step7: Verify Group Policy. Logging in using any user under the teacher organizational unit and viewing the proxy server settings in the Internal Explorer option has dimmed.
Experiment three: Preferred settings
Group Policy can also be divided into policy settings and preference settings
1. Preferred settings: Only Domain Group Policy has the preferred policy feature. The properties of the preferred settings policy can be changed by the client itself. Therefore, the preferred setting is generally used for the default value setting.
2. Policy setting: is a mandatory setting, the client cannot change the policy properties after applying these settings.
Note : When a project is processed at the same time by preference settings and policy settings, the preferences are set to priority.
Also preferred setting to automatically create a local user account for the computer win7pc within the organizational unit teacher Henry.
Note : First, you need host:win7pc to be within the domain so that it can be parsed by DNS.
Step1: Log on to the domain controller using system administrator status
Step2: When host:win7pc is added to the ad domain, it is added to the Computers container by default. So you need to computers China to find win7pc after right click, move, select the organizational unit teacher.
Step3: Open the Group Policy Management tool
Step4: Edit the original gpo:proxy under organizational unit teacher in Group Policy manager
Step5: Under Computer Configuration under Group Policy Manager , under Preferences under Control Panel settings, right-click on local Users and groups, and select New local user.
Step6: In the new local user window that pops up, fill in the information for the user you want to create, and then click the frequently used tab
STEP7: In the Common tab, select apply once and do not repeat the update . Click the target button when you select the project-level target . To assign the application object of this project to the computer win7pc
STEP8: Specify the policy target computer, then click OK for all windows
Step9: Update the synchronization gpupdate, and then log on to the host:win7pc after the management appliance to open the Computer Management to see if Henry user exists.
Experiment Four: Group Policy changes the computer desktop
In some enterprises require each employee to use the domain account login to the computer, to use the desktop wallpaper with Enterprise logo.
Step1: Log on to the domain controller as the system administrator.
Step2: Open The ad computer and user management tools and create an organizational unit Sharedesktop
Step3: Create the users you need to manage under organizational unit Sharedesktop , or move the users you want to manage to this organizational unit.
STEP4: Ensure that users have remote login and local logon rights
Remote Login :
- In Group Policy manager, open the Group Policy in the Domain Controllers organizational unit
- In the Group Policy Editor, navigate to User rights assignment, local policies, security settings, Computer Configuration settings
- To join the remote Desktop Users group in allow log on locally
- You can also join the Remote Desktop Users group when you are allowed to log on through Terminal Services
- Join users who need remote services to the Remote Desktop Users group
- Update Group Policy: Gpupdate/target:computer/force
Log on Locally :
- In experiment one , we have given the accounts belonging to the Domain Users Group permission to log on locally. Therefore, any user belonging to the domain users Group is able to log on locally to the DCs.
Step5: Open the Group Policy Manager and create and link under organizational unit sharedesktop gpo:desktop
Step6: Edit Gpo:desktop
6. Set Active Desktop under the Administrative Template under User Configuration to enable activedesktop, while ensuring that Active Desktop is disabled option remains not configured .
STEP7: Share the folder of desktop wallpapers you want to share, while ensuring that everyone and administrator have full Control
Right-click the folder you want to share, and select Properties. Click on advanced sharing, pop-up bin tick to share this file, then click Permissions
Ensure that everyone and administrator have full Control rights
Sharing complete
STEP8: Testing shared files
Landed in win7pc as Chihiro, and run–> \dns1.jmilk.com\image
Step9: Enable desktop wallpaper policy and then set the share path of your wallpaper
STEP10: Make sure Gpo:desktop is already linked to the organizational unit you need
Step11: 11. Execute the instructions to force the update of the gpupdate /force
synchronization Group Policy. Then use your domain user under this organizational unit to log on to the computer under the domain.
Windows r2_ Group Policy