Who can help me explain it in detail? The easier it is to understand, the better. I'm stupid.

A GPO is a physical policy associated with a domain, site, or organizational unit. In NT 4.0, a single system policy file (such as ntconfig.pol) contains all the policy settings that can be applied, and it relies on changing the registry on the user's computer. In Win2K, a GPO consists of files and AD objects. Through Group Policy you can specify registry-based settings, .adm template files in the NT 4.0 format, domain security settings, installation of network software using Windows Installer, and folder redirection.

The Group Policy Editor (GPE) snap-in for the Microsoft Management Console (MMC) is the equivalent of the system policy editor poledit.exe in NT 4.0. Each functional node of GPE (software settings, Windows settings, administrative templates, and so on) is an MMC snap-in extension, and a snap-in extension is an optional administrative tool. If you are an application developer, you can extend the functions of GPOs with custom extensions and so provide additional policy control for your application.

Only systems running Win2K can process Group Policy; clients running NT 4.0 and Windows 9x cannot recognize or apply AD-based GPOs.

Second, Group Policy and AD.

To get the full benefit of GPOs, you need the support of an AD domain. With AD, centralized policies can be defined and applied to all Win2K servers and workstations. However, every computer running Win2K also has a local GPO (a GPO that resides in the file system of the local computer). With the local GPO, you can specify a policy for an individual workstation, which is useful for a workstation that does not operate in an AD domain. For example, for security reasons you would not join a public computer to the AD domain; with the local GPO you can still secure it and restrict use of the desktop by modifying local policies, without using an AD-based GPO. There are two ways to access the local GPO. The first is to select Run on the Start menu of the computer whose GPO you want to modify, and then type: gpedit.msc

This does the same as poledit.exe in NT 4.0: it opens the local policy. The second method is to edit the local GPO manually by adding the GPE snap-in in the MMC console and then selecting the local or a remote computer.

The local GPO supports all the default extensions except software installation and folder redirection, so those tasks cannot be accomplished with a local GPO alone. To get the full benefit of GPOs, you still need AD.

Thirdly, multiple GPOs and inheritance.

In AD, GPOs can be defined at three different levels: domain, organizational unit (OU) or site. An OU is a container in AD to which users, groups, computers and other objects can be assigned for management. A site is a collection of subnets on the network, and sites form the replication boundaries of AD. The GPO namespace is divided into two categories: computer configuration and user configuration. Only user and computer objects can use GPOs; other objects, such as printer objects and even user groups, cannot.

There are several ways to edit a policy in a domain or organizational unit (OU). In the Active Directory Users and Computers MMC snap-in, right-click the domain or OU, select Properties from the menu, and then select the Group Policy tab. To edit a policy at a site, open the Active Directory Sites and Services snap-in and right-click the desired site to reach its GPO. In addition, you can choose Run from the Start menu and type mmc.exe to start MMC, then select Console, Add/Remove Snap-in, select the Group Policy snap-in and browse; the GPOs in the AD domain are displayed and you can select one to edit.

Depending on where a GPO sits in the AD namespace, several GPOs may act on a user or computer object. GPOs are inherited in the same way as other objects in the domain. Win2K applies GPOs in the following order. First, the operating system applies the policies present on the local system. Win2K then applies the site-level GPOs, the domain-level GPOs and the OU-based GPOs. Microsoft abbreviates this order of precedence as LSDOU (GPOs at the local, site, domain and OU levels in turn). GPOs can be defined at many levels of this chain. Let's take the pilot domain as an example of how to view the GPOs in the system. Start the Active Directory Users and Computers MMC tool, right-click the pilot domain name, select Properties from the menu, and then select the Group Policy tab. The GPO at the top of this list, such as a domain-wide security policy, has the highest priority, so Win2K applies it last. Besides the local system, several GPOs can be defined at each level, so if GPOs are not managed strictly, unnecessary problems will occur.

The inheritance model of GPOs is completely different from Novell's ZENworks policies. In ZENworks, if multiple policy packages are applied at different points in the Novell Directory Services (NDS) tree, only the policy package closest to the user object takes effect. In Win2K, if four GPOs are defined at different levels of AD, the operating system applies them in LSDOU order, and the result for the computer or user is the "sum" of the four policies. In addition, settings in one GPO are sometimes overridden by settings in other GPOs. Through GPOs at the various AD levels, more delegation of policy control is possible. For example, the company's security department is responsible for designing a security GPO for all systems at the domain level, while the administrator of an OU can be given the right to install software on that OU through GPOs. In the ZENworks model, a policy must be replicated at every level where you want to use it, and the effect of policies on a user or computer object is not the sum of all policies.

To give further control over GPOs, Microsoft provides three settings that limit the complexity of GPO inheritance. At the site, domain and OU levels, users can prevent inheritance from higher levels by selecting the Block Policy Inheritance check box. Similarly, at each level, users can set the options of a GPO such as the Default Domain Policy by opening the Active Directory Users and Computers snap-in, right-clicking the domain or OU where the GPO is located, selecting Properties from the menu, and then selecting the Group Policy tab. Highlight the item you want to modify, and then select the Options button. The available options are No Override and Disabled. If No Override is selected, the GPO still applies even if the Block Policy Inheritance check box is selected. This is very useful when you want a GPO applied everywhere: if the administrator of an OU tries to block inheritance of the security policy, the GPO containing the security policy is still applied by the system. The Disabled check box completely prevents a GPO from being applied, which is especially useful when you are editing a GPO and do not want other users to apply it yet.

Fourthly, the application and filtering of GPOs.

Only user and computer objects can apply Group Policy. Win2K applies the policies defined in the computer configuration section of a GPO when the computer starts up and shuts down, and the policies defined in the user configuration section when users log on and log off. In fact, some policies can also be applied manually after the user logs on; for example, secedit.exe can be run from the command line to apply security policy. In addition, the user and computer settings of GPOs can be refreshed periodically through the Administrative Templates policy. By default they are refreshed every 90 minutes, which makes it difficult for users to tamper with settings defined through Group Policy. However, the software installation policy is not refreshed, because nobody wants a periodic policy change to cause software to be uninstalled, especially while someone is using it. Software installation policies for computer and user objects are applied only when the computer starts or the user logs on.

Fifthly, the internal composition of a GPO.

A GPO consists of two parts: the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is the instance of the GPO in AD; it is stored under a 128-bit globally unique identifier (GUID) in a special container called System. To see the System container, select View in the Active Directory Users and Computers snap-in and then Advanced Features. The GPT is the representation of the Group Policy in the Win2K file system, and all files belonging to a GPO are kept in its GPT.

Sixth, the difficulties brought by GPOs.

Although GPOs are very powerful, they are not easy to master. The hardest thing is judging how the effective policy works out for a computer or user in the domain, which is especially difficult because GPOs can exist at different levels of the AD chain. At the same time, because control over GPOs can be delegated, it is not easy to know whether other GPOs in containers you do not control affect your GPO. Therefore it is difficult to calculate the Resultant Set of Policy (RSoP) received by a computer or user object. Microsoft does not provide a tool to calculate RSoP, but some third-party vendors provide tools that do.

Another problem is policy processing. If there are GPOs at many levels of the AD chain, all of them are processed every time a user logs on or the system starts. In Win2K, Microsoft introduced some new features to optimize performance. First, version information is kept for each GPO on the workstation and in the GPO itself; if a GPO has not changed, the system does not reprocess it. In addition, on the GPO's property page in GPE, the user or computer portion of a GPO can be disabled. If a GPO is set up only to distribute startup and shutdown scripts, its user configuration part can be disabled, which saves the workstation from parsing that part of the GPO and determining whether it has changed.

The last problem stems from the fact that the GPC and the GPT are two independent entities. The GPC is an object in AD, and its replication is not synchronized with the file replication of the GPT, which means that when a GPO is created the GPC may already have replicated while the files are still being copied to Sysvol on the domain controller.

The root of all these problems is that AD uses multi-master replication. In theory, while another administrator edits a GPO on one domain controller, you can edit the same GPO on another. Therefore, when GPE starts, it connects by default to the domain controller that holds the PDC operations master role. (Operations masters are a set of roles in the AD infrastructure; the server acting as PDC remains compatible with workstations running NT and Win9x.) Usually this situation can be avoided by granting only a few administrators the right to edit a GPO and making sure that if someone edits a GPO, the others know about it. In addition, note that a GPO should be disabled while it is being edited and re-enabled after the modification.
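The LSDOU order, the "sum" of policies, Block Policy Inheritance and No Override from the inheritance section, and the RSoP calculation the answer calls difficult, as an added toy model; this is not code from the answer or from Microsoft. It assumes simplified rules: settings are merged with later GPOs replacing earlier values, the local GPO is never blocked, and No Override GPOs are applied last so that lower-level GPOs cannot override them (the one linked highest winning among them), which goes a little beyond what the answer states; the GPO names and settings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict              # constructed sample settings: name -> value
    no_override: bool = False   # "No Override" option on the Group Policy tab
    disabled: bool = False      # "Disabled" option on the Group Policy tab

@dataclass
class Container:
    level: str                  # "local", "site", "domain" or "ou"
    gpos: list                  # as listed on the Group Policy tab: top = highest priority
    block_inheritance: bool = False   # "Block Policy Inheritance" check box

def resolve_rsop(chain):
    """chain: containers in LSDOU order (local, site, domain, OUs top-down)."""
    normal, enforced = [], []
    for idx, cont in enumerate(chain):
        # A deeper container blocking inheritance stops GPOs linked above it;
        # the local GPO is always processed (assumption of this model).
        blocked = cont.level != "local" and any(c.block_inheritance for c in chain[idx + 1:])
        for gpo in reversed(cont.gpos):    # top of the list is applied last
            if gpo.disabled:
                continue
            if gpo.no_override:
                enforced.append(gpo)       # ignores Block Policy Inheritance
            elif not blocked:
                normal.append(gpo)
    # No Override GPOs are applied after everything else, so lower-level GPOs
    # cannot override them; among them the one linked highest wins.
    order = normal + list(reversed(enforced))
    rsop = {}
    for gpo in order:
        rsop.update(gpo.settings)          # later value replaces earlier one
    return rsop, [g.name for g in order]

def demo(block_ou=True):
    """Constructed scenario: an OU admin blocks inheritance, yet the domain security GPO marked No Override still applies."""
    chain = [
        Container("local", [GPO("Local", {"wallpaper": "corp.bmp", "min_pw_len": 0})]),
        Container("site", [GPO("SitePrinters", {"default_printer": "HQ-1"})]),
        Container("domain", [
            GPO("DomainSecurity", {"min_pw_len": 8, "hide_run": True}, no_override=True),
            GPO("DomainDefault", {"wallpaper": "domain.bmp"})]),
        Container("ou", [
            GPO("OUSoftware", {"install": ["office"], "min_pw_len": 4}),
            GPO("OUDraft", {"hide_run": False}, disabled=True)], block_inheritance=block_ou),
    ]
    return resolve_rsop(chain)
```

Running demo() shows the OU's attempt to lower min_pw_len to 4 losing to the enforced domain value of 8, the site GPO being blocked, and the disabled draft GPO being ignored; demo(block_ou=False) shows the full LSDOU sum.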