Group Policy

xiaoxiao2021-03-06  46

A package can be assigned or published only once in each Group Policy object

A Windows Installer package can be assigned or published only once in the same Group Policy object. For example, if you assign Microsoft Office to the computers affected by a Group Policy object, you cannot also assign or publish it to the users affected by that Group Policy object.

Filtering Group Policy with security groups

Because settings from more than one Group Policy object can be applied to a site, domain, or organizational unit, you can add Group Policy objects that are associated with other directory objects. You can also prioritize how these Group Policy objects affect the directory objects to which they are applied.

In Windows 2000, computers can belong to security groups. Administrators can use security groups to further refine which computers and users a Group Policy object affects. For any Group Policy object, administrators can filter its effect on computers that are members of specified security groups. Filtering is done with the standard access control list (ACL) editor. To use the ACL editor, open the Properties page of the Group Policy object, and then click Security. Administrators can also use the ACL editor to delegate who may modify the Group Policy object.

Intent, permissions to set, and result

Intent: Members of this security group should have this Group Policy object applied to them. Set these permissions: Set "Apply Group Policy" to "Allow". Set "Read" to "Allow". Result: This Group Policy object applies to all members of this security group, unless they are also members of at least one other security group that has "Apply Group Policy" set to "Deny", or "Read" set to "Deny", or both.

Intent: Members of this security group are exempt from this Group Policy object. Set these permissions: Set "Apply Group Policy" to "Deny". Set "Read" to "Deny". Result: This Group Policy object never applies to members of this security group, regardless of the permissions those members have in other security groups.

Intent: Membership in this security group is irrelevant to whether the Group Policy object is applied. Set these permissions: Set "Apply Group Policy" to neither "Allow" nor "Deny". Set "Read" to neither "Allow" nor "Deny". Result: This Group Policy object applies to members of this security group only when they have both "Apply Group Policy" and "Read" set to "Allow" as members of at least one other security group. They also must not have "Apply Group Policy" or "Read" set to "Deny" as members of any other security group.

Group Policy objects can be applied only to sites, domains, and organizational units. Group Policy settings affect only the users and computers those containers hold. In particular, Group Policy objects are not applied to security groups.

If a user or computer is not in a site, domain, or organizational unit that is subject to the Group Policy object, no combination of security group memberships can cause those Group Policy settings to affect that user or computer.

The filtering described in this procedure works at the level of the Group Policy object and treats the Group Policy object as a whole. The Software Installation and Folder Redirection extensions use security groups to refine control beyond the Group Policy object level. Apart from Folder Redirection and Software Installation, security groups are not used to filter individual settings or subsets of a Group Policy object. For individual settings, this is done by editing or creating Group Policy objects.
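The three permission rows above can be checked mechanically. The following Python model is an added example, not code from the original page or from Microsoft: it covers only the "Apply Group Policy" and "Read" permissions, assumes Allow entries accumulate across all of a principal's groups while any Deny wins, and uses hypothetical group names in a constructed ACL.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "Allow", "Deny"  # None means neither Allow nor Deny is set


@dataclass(frozen=True)
class Ace:
    """One security-group entry on a GPO's ACL (illustrative model)."""
    group: str
    apply_group_policy: Optional[str]
    read: Optional[str]


# Constructed sample ACL for a single GPO; group names are hypothetical.
SAMPLE_ACL = [
    Ace("Sales", ALLOW, ALLOW),      # row 1: GPO should apply to members
    Ace("Contractors", DENY, DENY),  # row 2: members are exempt
    Ace("Helpdesk", None, None),     # row 3: membership is irrelevant
]


def gpo_applies(member_of, acl, in_linked_container=True):
    """Return True if the GPO is applied to a user or computer.

    member_of           -- set of security groups the principal belongs to
    acl                 -- list of Ace entries on the GPO
    in_linked_container -- principal sits in a site, domain or OU that is
                           subject to the GPO; group membership alone can
                           never bring a GPO into scope
    """
    if not in_linked_container:
        return False
    relevant = [ace for ace in acl if ace.group in member_of]
    # A Deny on either permission, from any group, overrides every Allow.
    if any(DENY in (ace.apply_group_policy, ace.read) for ace in relevant):
        return False
    # Both permissions must be allowed through at least one membership.
    may_apply = any(ace.apply_group_policy == ALLOW for ace in relevant)
    may_read = any(ace.read == ALLOW for ace in relevant)
    return may_apply and may_read
```

A member of both Sales and Contractors is filtered out by the Deny entry, which is the case to look for when a hardening GPO unexpectedly fails to reach an account.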

Group Policy settings define the components of the user's desktop environment that a system administrator needs to manage, for example, the programs available to users, the programs that appear on the user's desktop, and "Start" menu options. Using the Group Policy snap-in, you can create a specific desktop configuration for a particular group of users. The Group Policy settings you specify are contained in a Group Policy object, and the Group Policy object is associated with selected Active Directory objects: sites, domains, or organizational units.

Group Policy includes "User Configuration" settings, which affect users, and "Computer Configuration" settings, which affect computers.

Policy is applied in the following order:

The unique local Group Policy object.

Site Group Policy objects, in the order the administrator specified.

Domain Group Policy objects, in the order the administrator specified.

Organizational unit Group Policy objects, from parent organizational unit to child organizational unit, and, at the level of each organizational unit, in the order the administrator specified.

By default, when these policies are inconsistent, the policy applied later overwrites the policy applied earlier. If the settings are not inconsistent, however, both the earlier and the later policies contribute to the effective policy.

Local and nonlocal Group Policy objects

There are two kinds of Group Policy objects. Nonlocal Group Policy objects are stored on domain controllers and are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the Group Policy object is associated.

A local Group Policy object is stored on every computer running Windows 2000. Only one local Group Policy object exists on a computer, and it has a subset of the settings available in a nonlocal Group Policy object. If the settings of the two conflict, the settings of the nonlocal Group Policy object overwrite those of the local Group Policy object. If they do not conflict, both are applied.

Policy inheritance

In general, Group Policy is passed down from parent containers to child containers. If a specific Group Policy is assigned to a high-level parent container, that Group Policy applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a Group Policy setting for a child container, the child container's setting overrides the parent container's setting.

If a parent organizational unit has policy settings that are not configured, the child organizational unit does not inherit them. Policy settings that are disabled are inherited as disabled. If a policy is configured for the parent organizational unit and the same policy is not configured for the child organizational unit, the child inherits the parent's policy setting.

If a parent policy and a child policy are compatible, the child inherits the parent policy and the child's own setting is applied as well. Policies are inherited as long as they are compatible. For example, if the parent policy places a folder on the desktop and the child setting calls for another folder, the user sees both folders.

If a policy configured for the parent organizational unit is incompatible with the same policy configured for the child organizational unit, the child does not inherit the parent's policy setting. The setting in the child is applied.
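The processing order and the inheritance rules above together decide which Group Policy object supplies each effective setting. The following Python sketch is an added example, not code from the original page or from Microsoft: it models only the default behaviour described here (later overwrites earlier, "not configured" contributes nothing), and all GPO names, OU names and setting names are constructed for illustration.

```python
def gpo(name, **settings):
    """Build a GPO record; a value of None means "Not configured"."""
    return {"name": name, "settings": settings}


def processing_order(local_gpo, site_gpos, domain_gpos, ou_chain):
    """Return [(level, gpo)] in the order policy is applied.

    ou_chain is a list of (ou_name, [gpos]) from parent OU to child OU;
    each list of GPOs is already in the administrator-specified order.
    """
    order = [("local", local_gpo)]
    order += [("site", g) for g in site_gpos]
    order += [("domain", g) for g in domain_gpos]
    for ou_name, gpos in ou_chain:
        order += [("ou:" + ou_name, g) for g in gpos]
    return order


def resultant_policy(order):
    """Return {setting: (value, gpo_name, level)} for the effective policy."""
    result = {}
    for level, g in order:
        for setting, value in g["settings"].items():
            if value is None:
                continue  # not configured: the earlier value survives
            # Configured (enabled or disabled): overwrites earlier policy.
            result[setting] = (value, g["name"], level)
    return result


# Constructed sample: a user in OU "Sales", which is a child of OU "Staff".
SAMPLE_ORDER = processing_order(
    gpo("Local", HideRunMenu="Disabled"),
    [gpo("Site Default", ScreenSaverTimeout=900)],
    [gpo("Domain Baseline", HideRunMenu="Enabled", ScreenSaverTimeout=600)],
    [
        ("Staff", [gpo("Staff Desktop", DesktopFolderA="Enabled",
                       HideRunMenu=None)]),
        ("Sales", [gpo("Sales Desktop", DesktopFolderB="Enabled",
                       ScreenSaverTimeout=300)]),
    ],
)
```

Calling `resultant_policy(SAMPLE_ORDER)` shows the domain value of `HideRunMenu` surviving the parent OU's unconfigured entry, the child OU winning `ScreenSaverTimeout`, and both desktop folders present because compatible settings merge.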

Order of events at startup and logon

The following sequence shows the order in which computer policy and user policy are applied when a computer starts and a user logs on:

1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started.

2. An ordered list of Group Policy objects is obtained for the computer. The list may depend on the following factors:

Whether the computer is part of a Windows 2000 domain and is therefore controlled through Active Directory.

The location of the computer in Active Directory.

If the list of Group Policy objects has not changed, no processing is done. You can change this behavior with a policy setting.

3. Computer policy is applied. These are the settings under "Computer Configuration" from the gathered list. By default this is synchronous and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface is displayed while computer policy is processed.

4. Startup scripts run. By default they are hidden and synchronous: each script must complete or time out before the next one starts. The default time-out is 600 seconds. Several policy settings can be used to change this behavior.

5. The user presses CTRL-ALT-DEL to log on.

6. After the user is validated, the user profile is loaded, governed by the policy settings currently in effect.

7. An ordered list of Group Policy objects is obtained for the user. The list may depend on the following factors:

Whether the user is part of a Windows 2000 domain and is therefore controlled through Active Directory.

Whether loopback is enabled, and the state of the loopback policy setting ("Merge" or "Replace").

The location of the user in Active Directory.

If the list of Group Policy objects to be applied has not changed, no processing is done. You can change this behavior with a policy setting.

8. User policy is applied. These are the settings under "User Configuration" from the gathered list. By default this is synchronous and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface is displayed while user policy is processed.

9. Logon scripts run. Unlike Windows NT 4.0 scripts, Group Policy-based logon scripts are hidden and run asynchronously by default. The user object script (which runs in a normal window, as in Windows NT 4.0) runs last.

10. The operating system user interface prescribed by Group Policy appears.

By default, Group Policy objects can be created or edited only on the domain controller that holds the operations master token for the primary domain controller (PDC) emulator. Over time this token moves from one domain controller to another, and Active Directory information is replicated to keep the domain controllers synchronized.

An organizational unit must already have been replicated to the domain controller holding the token before a Group Policy object can be created for it there.

A Group Policy object exists as a stored entity in a single domain, and it must be read from that domain when affected clients read the Group Policy of the site it is linked to. Even so, this allows multiple domains in the forest to get the same Group Policy object (and the policies it contains).

Apply Group Policy for users synchronously during startup

Directs the system to display the logon prompt only after the Group Policy update is complete. This policy affects only the Group Policy settings that appear in the User Configuration folder. If the policy is enabled, the user cannot log on until the user Group Policy settings have been updated.

If this policy is disabled, the system does not wait for the policy update to finish before inviting users to log on. As a result, the "Log On to Windows" dialog box may appear quickly, but the Windows interface may appear to be ready before all policies have been applied. To determine whether the system synchronizes computer policy and Windows Explorer, see "Apply Group Policy for computers synchronously during startup".

Consider notifying users that their policy is updated periodically so that they can recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. In addition, restrictions enforced by Group Policy settings, such as those limiting the programs a user can run, may interfere with tasks in progress.

The "Do not apply during periodic background processing" option prevents the system from updating the affected policies in the background while the computer is in use. The background update can interrupt the user, causing the program to stop running or operate an exception, and even under a few cases.

When reposting, please cite the original address: https://www.9cbs.com/read-110208.html
