Windows_learn 004: AD DS basic knowledge and Group Policy





Content Overview

AD DS (Active Directory Domain Service)

Check that AD DS is installed correctly

Create installation media (import domain data offline)

Usage rules for groups (p129)

4. Using Group Policy to manage the user work environment (p132)

Features of Group Policy

Group Policy is divided into two parts: Computer Configuration and User Configuration

Settings within Group Policy fall into two kinds: policy settings and preference settings

When Group Policy is applied (p138)

Rules for processing Group Policy

Using Group Policy to manage user environments (p167)

Security Options Policy (p176)

WMI Filter (p192)









AD DS (Active Directory Domain Service)

Containers and Organizational Units (OU)



Domain Tree


Trust relationship


Forest


Schema


Domain Controller (DC)


Member Server


LDAP (Lightweight Directory Access Protocol)

DN (Distinguished Name)

RDN (Relative Distinguished Name)

GUID (Globally Unique Identifier)

UPN (User Principal Name)

SPN (Service Principal Name)


Global Catalog (GC)


Site


Directory partition

Schema Directory Partition

Configuration Directory Partition

Domain Directory Partition

Application Directory Partition


RODC (Read-Only Domain Controller)


AD LDS (Active Directory Lightweight Directory Services)


Active Directory database

Active Directory database: used to store Active Directory objects

Log files: store the change log of the Active Directory database; this log can be used to recover the Active Directory database

SYSVOL folder: used to store shared files (for example, files related to Group Policy)



Check that AD DS is installed correctly

nslookup

set type=srv

_gc._tcp.mysky.com





Create installation media (import domain data offline)

ntdsutil

activate instance ntds

ifm

create full PATH, for example:

create full C:\installationMedia



Add multiple user accounts at once (p119)

csvde.exe: can add accounts but cannot modify them

ldifde.exe: can add or modify accounts

dsadd.exe, dsmod.exe, dsrm.exe: self-explanatory



Group (p125)

Domain Local Group

Global Group

Universal Group


Windows built-in domain local groups (p127)

Account Operators

Administrators

Backup Operators

Guests

Network Configuration Operators

Performance Monitor Users

Pre-Windows 2000 Compatible Access

Print Operators

Remote Desktop Users

Server Operators

Users


Windows built-in global groups

Domain Admins

Domain Computers

Domain Controllers

Domain Users

Domain Guests


Windows built-in universal groups

Enterprise Admins

Schema Admins


Windows special group accounts

Everyone

Authenticated Users

Interactive

Network

Anonymous Logon

Dialup



Usage rules for groups (p129)

A, G, DL, P

A, G, G, DL, P

A, G, U, DL, P

A, G, G, U, DL, P


A: user Account

G: Global group

DL: Domain Local group

U: Universal group

P: Permission
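
An added example, not part of the original notes: a small audit that walks every path from a user account to a permission and reports the paths whose shape is not one of the four strategies listed above. The directory contents and all account, group and share names are constructed for illustration.

```python
# The four nesting strategies listed above, as tuples of scope letters.
ALLOWED = {
    ("A", "G", "DL", "P"),
    ("A", "G", "G", "DL", "P"),
    ("A", "G", "U", "DL", "P"),
    ("A", "G", "G", "U", "DL", "P"),
}

def access_paths(kind, member_of, grants):
    """kind: name -> "A", "G", "U" or "DL"; member_of: name -> groups it is a
    member of; grants: principal -> resources it holds a permission on.
    Returns (trail, pattern, resource) for every account-to-permission path."""
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        for resource in grants.get(node, []):
            pattern = tuple(kind[n] for n in trail) + ("P",)
            paths.append((trail, pattern, resource))
        for group in member_of.get(node, []):
            if group not in trail:          # guard against circular nesting
                walk(group, trail)

    for name, scope in kind.items():
        if scope == "A":
            walk(name, [])
    return paths

def audit(kind, member_of, grants):
    """Paths whose shape is not one of the four listed strategies."""
    return [(" -> ".join(trail + [res]), ", ".join(pattern))
            for trail, pattern, res in access_paths(kind, member_of, grants)
            if pattern not in ALLOWED]

# Constructed directory (all account, group and share names are hypothetical).
KIND = {"alice": "A", "bob": "A", "carol": "A", "Sales-G": "G",
        "Mgrs-G": "G", "AllSales-U": "U", "Share-DL": "DL"}
MEMBER_OF = {"alice": ["Sales-G"], "bob": ["Share-DL"], "carol": ["Mgrs-G"],
             "Sales-G": ["Share-DL"], "Mgrs-G": ["AllSales-U"],
             "AllSales-U": ["Share-DL"]}
GRANTS = {"Share-DL": ["sales-share"], "Mgrs-G": ["hr-share"]}

if __name__ == "__main__":
    for path, pattern in audit(KIND, MEMBER_OF, GRANTS):
        print(f"{pattern:12} {path}")
```

In this sample, bob sits directly in a domain local group and Mgrs-G holds a permission directly, so both paths are reported; alice (A, G, DL, P) and carol's route through the universal group (A, G, U, DL, P) pass.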




4. Using Group Policy to manage the user work environment (p132)

Features of Group Policy

Account policy settings: such as the user's password length, password age, account lockout, etc.

Local policy settings: such as user rights assignment, security settings, etc.

Script settings: such as logon and logoff, startup and shutdown scripts

User work environment settings: such as hiding the user's desktop icons, removing Run and Shut Down from the Start menu, etc.

Software installation and removal: when a user logs on or when the computer starts, software is automatically installed, removed or repaired

Restricting software: allow the user to run only the specified software, or prevent the specified software from running

Folder Redirection: change the storage location of folders such as Documents, the Start menu, etc.

Restricting access to removable storage devices: used to prevent confidential documents from being easily taken out of the company

Many other system settings: such as having all computers automatically trust a specified CA, limiting the installation of device drivers, etc.


Group Policy is divided into two parts: Computer Configuration and User Configuration.


Group Policy Application Scope

Sites

Domains

Organizational Units (OUs)


Group Policy object (GPO)

Built-in GPOs

Default Domain Policy

Default Domain Controllers Policy


GPO contents

GPC (Group Policy Container): stored in the AD database; records the GPO's properties and version

GPT (Group Policy Template): stores the GPO's setting values and related files

Path: \sysvol\sysvol\<domain name>\Policies



Settings within Group Policy fall into two kinds: policy settings and preference settings

Only domain Group Policy has the preference settings feature; local computer policy does not

Policy settings are mandatory: clients cannot change them once the policy has been applied

Preference settings are defaults that the client can change itself

If the same item is configured in both, the policy setting takes precedence


To apply preference settings, the client needs to download and install:

Client-side extensions (CSE), KB943729: already included in Windows 7

XmlLite: already included in Windows 7




When Group Policy is applied (p138)

When Computer Configuration is applied

Applied automatically when the computer starts

While the computer is running, it is reapplied automatically at regular intervals:

Domain controllers: every 5 minutes by default

Non-domain controllers: every 90-120 minutes by default

It is also reapplied automatically every 16 hours, whether or not the policy settings have changed


When User Configuration is applied

Applied automatically when the user logs on

While the user is logged on, it is reapplied automatically every 90-120 minutes by default,

and the security settings policy is reapplied automatically every 16 hours, whether or not the policy has changed


Apply manually: open a Command Prompt window on a domain member computer and run

gpupdate /target:user /force




Rules for processing Group Policy

General rules for inheritance and processing

When the settings of a parent container and a child container do not conflict, the child container inherits the parent container's settings; when they conflict, the nearest container takes priority

When Computer Configuration and User Configuration conflict, Computer Configuration takes priority

Order of application: site GPOs --> domain GPOs --> organizational unit GPOs


Exceptions to inheritance

Block policy inheritance (Block Inheritance)

Enforce policy inheritance (Enforced)
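
An added example, not part of the original notes: a small model of the processing rules above that computes which GPO wins each setting for an object at the end of a site --> domain --> OU chain. It assumes the usual Windows behaviour for the two exceptions (Block Inheritance discards non-enforced GPOs linked above the container, an Enforced GPO passes through the block, and the highest Enforced link wins); all GPO names and settings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict
    enforced: bool = False          # the GPO link is marked Enforced

@dataclass
class Container:                    # a site, a domain or an OU
    name: str
    gpos: list = field(default_factory=list)   # in link (application) order
    block_inheritance: bool = False

def resultant_settings(chain):
    """chain runs site -> domain -> OU(s), ending at the container that holds
    the user or computer. Returns {setting: (value, winning GPO name)}."""
    # Block Inheritance cuts off every non-enforced GPO linked above that container.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal = [g for i, c in enumerate(chain) if i >= start
              for g in c.gpos if not g.enforced]
    enforced = [g for c in chain for g in c.gpos if g.enforced]
    result = {}
    # Normal GPOs are applied in chain order, so the nearest container wins a conflict.
    # Enforced GPOs go last, lowest container first, so the highest enforced link wins.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample hierarchy (all names and settings are hypothetical).
site = Container("HQ-Site", [Gpo("Site-Proxy", {"proxy": "proxy.hq"})])
domain = Container("mysky.com", [
    Gpo("Domain-Desktop", {"hide_run_menu": False, "screensaver_min": 15}),
    Gpo("Domain-Lockdown", {"removable_storage": "deny"}, enforced=True),
])
it_ou = Container("IT", [Gpo("IT-Desktop", {"screensaver_min": 5})])
sales_ou = Container("Sales", [Gpo("Sales-Desktop",
                     {"hide_run_menu": True, "removable_storage": "allow"})],
                     block_inheritance=True)

if __name__ == "__main__":
    for ou in (it_ou, sales_ou):
        print(ou.name, resultant_settings([site, domain, ou]))
```

The Sales OU blocks inheritance, so it loses the site and domain desktop settings, yet its own "allow" for removable storage is still overridden by the enforced domain GPO.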




Using Group Policy to manage user environments (p167)

User Rights Assignment Policy (p174)

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment

Common policies and their descriptions

Allow log on locally: allows the user to log on with Ctrl+Alt+Delete

Deny log on locally: denies local logon

Add workstations to domain: allows users to join computers to the domain

Shut down the system: allows users to shut down the computer

Access this computer from the network

Deny access to this computer from the network

Force shutdown from a remote system

Back up files and directories

Restore files and directories

Change the system time

Load and unload device drivers

Take ownership of files or other objects


Security Options Policy (p176)

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

Common policies and their descriptions

Interactive logon: Do not require CTRL+ALT+DEL

Interactive logon: Number of previous logons to cache (cached locally)

Interactive logon: Do not display last user name

Shutdown: Allow system to be shut down without having to log on


Logon, logoff, startup, shutdown scripts (p177)


Folder Redirection (p181)

Can be used to store a user's desktop files, or certain other folders, on another server




WMI Filter (p192)








This article is from the "Winthcloud" blog, make sure to keep this source http://winthcloud.blog.51cto.com/2180779/1915846
