□ Group Policy
In Windows 2000, besides settings for the user's work environment and the computer environment, Group Policy offers a number of very powerful features. Some of them are listed below.
A. Policy settings
B. Local policy settings
C. Script settings
D. Settings for the user's work environment
E. Installation and removal of software
F. Folder redirection
□ Group Policy Overview
Group Policy can be set for sites, domains and organizational units. These Group Policy Objects (GPOs) are stored in the x:\winnt\sysvol\sysvol\abc.com\policies directory.
A Group Policy consists of a "Computer Configuration" and a "User Configuration".
A. Computer Configuration: when the computer starts, the computer's environment is set according to the contents of "Computer Configuration".
B. User Configuration: when a user logs on, the user's work environment is set according to the contents of "User Configuration".
Note: the local Group Policy is stored in the X:\WinNT\System32\GroupPolicy directory.
I. Application order and rules for Group Policy
The different Group Policies are applied in the following order:
1. Local Group Policy
2. Site Group Policy
3. Domain Group Policy
4. Organizational unit Group Policy
By default, a policy applied later overrides a policy applied earlier. In detail:
1. If a Group Policy is set in a higher-level container and none is set in the lower-level container, the lower-level container inherits the Group Policy set in the higher-level container.
2. If a Group Policy is also set in the lower-level container, the lower-level Group Policy replaces the higher-level one.
3. If the parent container sets nothing, the lower-level Group Policy inherits nothing from the parent.
4. If the parent container sets a Group Policy and the sub-container leaves it unset, the sub-container inherits the parent's Group Policy.
II. Preventing policy inheritance
The Group Policy settings passed down by the parent container can be blocked with the "Block Policy Inheritance" check box on the sub-container's Group Policy tab; only the Group Policy set directly on the sub-container then applies.
III. Forcing policy inheritance
The Group Policy settings passed down by the parent container can be forced onto the sub-containers with the "No Override" check box on the parent container's Group Policy link.
□ Group Policy Objects
Where Group Policy settings are made:
Depending on the computer, Group Policy can be set from "Domain Security Policy", "Active Directory Users and Computers", "Domain Controller Security Policy" or "Local Security Policy" (all under "Administrative Tools").
Below, Group Policy is set through "Active Directory Users and Computers":
Start - Programs - Administrative Tools - Active Directory Users and Computers - select "Domain Controllers" - right-click - Properties - Group Policy (GPO).
I. Changing a Group Policy
Give all members of Domain Users the "Log on locally" right. Steps:
1. Start - Programs - Administrative Tools - Active Directory Users and Computers - select "Domain Controllers" - right-click - Properties - Group Policy.
2. Select "Default Domain Controllers Policy" and click Edit.
3. In the "Group Policy" window: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment - double-click "Log on locally".
4. In the "Security Policy Setting" dialog box, click Add and add Domain Users to the list.
II. Testing that "Log on locally" works
Because a modified Group Policy does not take effect immediately, use one of the following three methods:
1. At a command prompt, enter secedit /refreshpolicy machine_policy to apply the computer configuration; to apply the user configuration, enter secedit /refreshpolicy user_policy instead.
2. Restart the computer.
3. Wait for the policy to be applied to the computer.
III. Create a new user and test that it can log on locally.
□ Administrative Template policy settings
Use Administrative Templates to: 1. Hide the "Network Neighborhood" icon on the user's desktop.
2. Remove "Run" and "Help" from the "Start" menu.
3. Add "Log Off" to the "Start" menu.
I. Create the organizational units and user accounts needed for the exercise.
1. Create an organizational unit TAIWAN.
2. Create a user account Tony in the TAIWAN organizational unit.
3. Create an organizational unit Sales inside the TAIWAN organizational unit.
4. Create a user account Scott in the Sales organizational unit.
II. Testing how Group Policy functions
Create a GPO in the TAIWAN organizational unit, then log on with the user in the TAIWAN organizational unit to test whether the GPO takes effect. Then test with the user Scott in the Sales organizational unit below it, to see whether he inherits the GPO settings of TAIWAN.
A. Create a GPO in the TAIWAN organizational unit, named TAIWAN Policy.
1. Log on with the Administrator account.
2. Start - Programs - Administrative Tools - Active Directory Users and Computers - double-click the domain name - TAIWAN organizational unit - Properties - Group Policy - New - name it TAIWAN Policy.
B. Change the TAIWAN Policy settings
1. Select "TAIWAN Policy" - click "Edit".
2. User Configuration - Administrative Templates - Taskbar and Start Menu.
3. On the right, double-click "Remove Help menu from Start Menu".
4. In the Properties dialog box, select Enabled.
5. Click OK to complete the setting.
C. Test that the Tony account, and then the Scott account, inherit the TAIWAN Policy Group Policy.
III. Testing the override function of Group Policy
Create a GPO in the organizational unit below TAIWAN and set the following:
"Remove Help menu from Start Menu" is set to Disabled.
A. Create a new GPO in the Sales organizational unit
1. Log on with the Administrator account.
2. Start - Programs - Administrative Tools - Active Directory Users and Computers - double-click the domain name - right-click the Sales organizational unit - Properties - Group Policy - New (name: TAIWAN-Sales Policy) - Edit.
3. In the "Group Policy" window: User Configuration - Administrative Templates - Taskbar and Start Menu.
4. Double-click "Remove Help menu from Start Menu" - Disabled - OK to complete the setting.
5. Test and compare with the previous test results.
IV. In the GPO of a sub-container, settings left as "Not Configured" inherit the settings of the parent container. However, by ticking the "Block Policy Inheritance" check box in the sub-container's Group Policy, the sub-container can be made not to inherit the parent container's settings.
V. Forcing Group Policy inheritance
In the parent container, inheritance can be forced so that all sub-containers must inherit the parent container's GPO settings. This is the parent container's "No Override" function.
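The application order, "Block Policy Inheritance" and "No Override" rules described in the overview and exercised here with the TAIWAN and Sales organizational units, as an added model that is not part of the original tutorial. The container names and the "Default Domain Policy" setting it carries are constructed for the example; "RemoveHelp" stands for "Remove Help menu from Start Menu".

```python
from dataclasses import dataclass, field

NOT_CONFIGURED = None   # a "Not Configured" setting leaves the inherited value alone

@dataclass
class Gpo:
    name: str
    settings: dict                 # setting name -> "Enabled" / "Disabled" / NOT_CONFIGURED
    no_override: bool = False      # "No Override" ticked on this GPO link

@dataclass
class Container:
    name: str                      # site, domain or organizational unit
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False   # "Block Policy Inheritance" ticked on this container

def resolve(local_gpo, chain):
    """Effective settings for an object in chain[-1], plus the GPO application order.

    chain lists the containers from the top (site) down to the object's own OU;
    processing order is local, site, domain, OU, and the GPO applied last wins."""
    # "Block Policy Inheritance" discards ordinary GPOs linked above the deepest
    # container that blocks; the local GPO and "No Override" links are never blocked.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = ([local_gpo] if local_gpo else []), []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.no_override:
                enforced.append(g)
            elif i >= start:
                normal.append(g)
    # "No Override" links are applied after everything else; when several are
    # enforced the one nearest the top wins, so they are applied deepest first.
    order = normal + enforced[::-1]
    effective = {}
    for g in order:
        for key, value in g.settings.items():
            if value is not NOT_CONFIGURED:
                effective[key] = value
    return effective, [g.name for g in order]

def build_exercise(force_taiwan=False, block_sales=False):
    """Constructed containers for the exercise: TAIWAN Policy enables RemoveHelp,
    TAIWAN-Sales Policy disables it, and a domain GPO (constructed) enables RemoveRun."""
    domain = Container("abc.com", [Gpo("Default Domain Policy", {"RemoveRun": "Enabled"})])
    taiwan = Container("TAIWAN", [Gpo("TAIWAN Policy", {"RemoveHelp": "Enabled"}, force_taiwan)])
    sales = Container("Sales", [Gpo("TAIWAN-Sales Policy", {"RemoveHelp": "Disabled"})], block_sales)
    return domain, taiwan, sales

def setting_for_scott(force_taiwan=False, block_sales=False):
    """(RemoveHelp, RemoveRun) as seen by Scott in the Sales OU."""
    domain, taiwan, sales = build_exercise(force_taiwan, block_sales)
    effective, _ = resolve(None, [domain, taiwan, sales])
    return effective.get("RemoveHelp"), effective.get("RemoveRun")

def setting_for_tony():
    """RemoveHelp as seen by Tony, who sits directly in the TAIWAN OU."""
    domain, taiwan, _ = build_exercise()
    return resolve(None, [domain, taiwan])[0].get("RemoveHelp")
```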
□ Account Policy settings
Account Policy settings:
A. If an account policy is set for the domain, it is applied to all computers in the domain.
B. If an account policy is set for an organizational unit, it is applied only to the computers in that organizational unit.
To set an account policy:
In "Active Directory Users and Computers", right-click the domain or organizational unit - Properties - Group Policy - select the GPO - Edit - Computer Configuration - Windows Settings - Security Settings - Account Policies. The common items of "Password Policy" and "Account Lockout Policy" are described below.
I. Common Password Policy items
A. Maximum password age: the longest period a user password may be used.
B. Minimum password age: the shortest period a user password must be used before it can be changed.
C. Minimum password length: the number of characters a user password must have when it is set.
D. Enforce password history: whether previously used passwords are recorded, so that a new password cannot be one that was used before.
E. If password history is not kept, a previously used password can be set again as the new password.
F. If password history is kept, a remembered password cannot be used as the new password.
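The four password policy items above, modelled as an added example that is not part of the original tutorial. The policy values, the account and the passwords are constructed; a real system would store password hashes rather than the clear text kept here for the model.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    max_age_days: int = 42      # "Maximum password age" (0 = never expires)
    min_age_days: int = 1       # "Minimum password age"
    min_length: int = 8         # "Minimum password length"
    history_count: int = 3      # "Enforce password history" (0 = history not kept)

class Account:
    """One user account; passwords are kept in clear only because this is a model."""
    def __init__(self, policy, password, day):
        self.policy = policy
        self.set_day = day                      # day the current password was set
        # The history holds the current password plus the most recent old ones,
        # so at most history_count passwords are remembered in total.
        self.history = deque([password], maxlen=max(policy.history_count, 1))

    @property
    def password(self):
        return self.history[-1]

    def expired(self, today):
        """True once the password has reached its maximum age."""
        return self.policy.max_age_days > 0 and today - self.set_day >= self.policy.max_age_days

    def change_password(self, new, today):
        """Check each policy item; return 'ok' or the reason the change is rejected."""
        p = self.policy
        if today - self.set_day < p.min_age_days:
            return "rejected: minimum password age not reached"
        if len(new) < p.min_length:
            return "rejected: shorter than minimum password length"
        if p.history_count > 0 and new in self.history:
            return "rejected: password was used before"
        self.history.append(new)                # oldest remembered password drops off
        self.set_day = today
        return "ok"

def run_scenario():
    """Constructed walk through the items; returns the results and two expiry checks."""
    acct = Account(PasswordPolicy(), "Winter2000!", day=0)
    results = [
        acct.change_password("Spring2001!", today=0),   # minimum age not reached
        acct.change_password("Spring2001!", today=2),   # ok
        acct.change_password("short", today=3),         # too short
        acct.change_password("Winter2000!", today=3),   # still in history
        acct.change_password("Summer2001!", today=4),   # ok
        acct.change_password("Winter2000!", today=5),   # still in history (3 remembered)
        acct.change_password("Autumn2001!", today=6),   # ok, Winter2000! drops out of history
        acct.change_password("Winter2000!", today=7),   # accepted again
    ]
    return results, acct.expired(7 + 42), acct.expired(7 + 41)
```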
II. Account Lockout Policy
A. Account lockout threshold: the number of failed logon attempts after which the user account is locked.
B. Account lockout duration: how long the account stays locked before it is unlocked automatically.
C. Reset account lockout counter after: the lockout counter starts at 0, each failed user logon adds 1, and the counter returns to 0 after the time set here; if the counter reaches the account lockout threshold, the account is locked.
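The interaction of the three lockout items, replayed against a constructed stream of logon events, as an added example that is not part of the original tutorial. The policy values and the event stream are constructed; a successful logon clearing the counter is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int          # "Account lockout threshold" (0 = never lock out)
    duration_minutes: int   # "Account lockout duration" (0 = locked until an administrator unlocks)
    reset_minutes: int      # "Reset account lockout counter after"

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: float = None      # minute of the most recent failed logon
    locked_until: float = None  # None = not locked; inf = until an administrator unlocks

def process_logons(policy, events):
    """Replay (minute, "fail" | "ok") events against one account.

    Returns the final state and one log line per event."""
    st, log = AccountState(), []
    for t, kind in events:
        # A timed lockout expires on its own and clears the counter.
        if st.locked_until is not None and t >= st.locked_until:
            st.locked_until, st.bad_count = None, 0
            log.append(f"{t:>3}: lockout expired, counter reset")
        if st.locked_until is not None:
            log.append(f"{t:>3}: {kind} attempt rejected, account locked")
            continue
        if kind == "ok":
            st.bad_count = 0                    # assumption: a good logon clears the counter
            log.append(f"{t:>3}: logon ok, counter reset")
            continue
        # The counter returns to 0 once reset_minutes have passed since the last failure.
        if st.last_bad is not None and t - st.last_bad >= policy.reset_minutes:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = t
        if policy.threshold and st.bad_count >= policy.threshold:
            st.locked_until = t + policy.duration_minutes if policy.duration_minutes else float("inf")
            log.append(f"{t:>3}: failure {st.bad_count} reached the threshold, account locked")
        else:
            log.append(f"{t:>3}: logon failed, counter = {st.bad_count}")
    return st, log

# Constructed event stream: two failures, a pause longer than the reset window,
# a burst that trips the threshold, a rejected good logon, then the lockout expiring.
SAMPLE_EVENTS = [(0, "fail"), (1, "fail"), (20, "fail"), (22, "fail"),
                 (23, "fail"), (30, "ok"), (53, "fail")]

def run_sample():
    policy = LockoutPolicy(threshold=3, duration_minutes=30, reset_minutes=15)
    st, log = process_logons(policy, SAMPLE_EVENTS)
    return st.bad_count, st.locked_until, log
```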
□ Local Policy settings
Local policy settings include: Audit Policy, User Rights Assignment and Security Options.
I. User Rights Assignment
1. Setting steps: Active Directory Users and Computers (domain or organizational unit) - right-click - Properties - Group Policy - select the GPO - Edit - Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment. Some of the rights:
A. Log on locally: allows the user to press Ctrl+Alt+Del and log on at this computer.
B. Add workstations to domain: allows the user to add Windows NT / Windows 2000 computers to the domain.
C. Shut down the system: allows the user to shut down this computer.
D. Access this computer from the network.
E. Force shutdown from a remote system.
F. Back up files and directories.
G. Restore files and directories.
H. Manage auditing and security log.
I. Change the system time.
J. Load and unload device drivers.
K. Take ownership of files or other objects.
II. Security Options
A. Do not display last user name in logon screen.
B. Allow system to be shut down without having to log on.
C. Prompt user to change password before expiration.
D. Disable CTRL+ALT+DEL requirement for logon.
E. Message title for users attempting to log on.
□ Logon/logoff and startup/shutdown scripts
Logon script: it is set for a user; that is, if a logon script is assigned to a user, the script is executed automatically when that user logs on.
I. Logon/logoff script settings
Use Notepad to write the logon and logoff scripts:
Logon script, file name logon.vbs, file content:
WScript.Echo "Welcome to Windows 2000, This Is A Logon Script Test"
Logoff script, file name logoff.vbs, file content:
WScript.Echo "Goodbye, this is a logoff script test"
Steps:
1. "Active Directory Users and Computers" - right-click - Properties - Group Policy - select the GPO - Edit - User Configuration - Windows Settings - Scripts (Logon/Logoff) - Logon.
2. The logon script dialog box appears.
3. Copy the logon.vbs you edited to the following directory:
%SystemRoot%\Sysvol\Sysvol\Domain\Policies\{GUID}\User\Scripts\Logon
Different GPOs have different GUIDs; each GUID is unique.
4. In the dialog box from step 2, click Add, enter logon.vbs - OK.
5. Add the logoff script, logoff.vbs, in the same way.
6. If the GPO is set for the domain, it works for every user in the domain, that is, the script runs when any of them logs on. If it is set only for an organizational unit, it works for the users of that organizational unit.
7. Create a user and test that the script takes effect.
II. Startup/shutdown script settings
Edit the startup and shutdown scripts:
Startup script, file name Startup.vbs, file content:
WScript.Echo "Welcome to Windows 2000, This Is A Startup Script Test"
Shutdown script, file name Shutdown.vbs, file content:
WScript.Echo "Goodbye. This is a script test"
Steps for setting the startup/shutdown scripts:
1. "Active Directory Users and Computers" - right-click - Properties - Group Policy - select the GPO - Edit - Computer Configuration - Windows Settings - Scripts (Startup/Shutdown) - Startup.
2. The startup script dialog box appears.
3. Copy the startup script file to: %SystemRoot%\Sysvol\Sysvol\Domain\Policies\{GUID}\Machine\Scripts\Startup
4. Go back to the dialog box from step 2, click the Add button, and browse to select the Startup.vbs file.
5. Add the shutdown script file, Shutdown.vbs, in the same way.
6. After the setting is complete, if this GPO is set for the domain, it takes effect throughout the domain; if it is set for an organizational unit, it takes effect within that organizational unit.
□ Deploying applications
Applications can be deployed to users and computers through Group Policy. That is:
A. Publish the application to users: when an application is published to users through a GPO, users can add or remove the application themselves.
B. Assign the application to users or computers: when an application is assigned through a GPO, it is "advertised" to the user, but it is not really installed; only the installation information is provided, and the application waits to be installed. If it is assigned to a computer, it is installed automatically when the computer starts.
C. Automatic repair of applications: when a published or assigned application is damaged, it is repaired automatically when the user logs on or the computer restarts.
D. Removing a user's application: for a published application that the user has installed, if you no longer want the user to use it, just remove the application from the GPO.
I. Publishing an application
Create a folder for the Windows Installer packages
1. Create a folder on any server, for example C:\packages; this folder stores the applications.
2. Share this folder and give it a share name, because users on the network must access it by its UNC path.
3. Copy the application to the shared folder.
Set the default package location
4. "Active Directory Users and Computers" - domain name - Properties - Group Policy - select the GPO - Edit - User Configuration - Software Settings - Software Installation.
5. "Software Installation" - Properties.
6. In the "Default package location" box, enter the application's storage location as a UNC path: \\ComputerName\SharedFolder - OK.
Publish the application
7. Back in Software Installation - New - "Package".
8. Select the installation package for the exercise - click "Open".
9. Select "Published" - OK.
Install the published application
1. Log on with a user of the domain or organizational unit.
2. Start - Settings - Control Panel - Add/Remove Programs.
3. Add New Programs - Add programs from your network (the published application is listed there).
4. Select the application to install - click Add. The application is installed.
Test the automatic repair function
1. Find the installation location of the application.
2. Delete the application's installation folder.
3. Log on again as the user to whom the application was published.
4. Run the deleted application; the system automatically reinstalls it.
II. Assigning an application to users
Assigning an application to users is basically the same as publishing one:
1. Create a shared folder on a server.
2. Set the default package location.
3. Assign the application to the user; the deployment method is "Assigned" instead of "Published".
Test the assigned application
Once the user logs on, Start - Settings - Control Panel - Add/Remove Programs - Add New Programs shows the assigned application as already installed, but it is actually only "advertised", not really installed.
Test the automatic repair function
This test is the same as the automatic repair test for published applications.
III. Assigning an application to computers
Active Directory Users and Computers - domain or organizational unit - Properties - Group Policy - select the GPO - Computer Configuration - Software Settings - Software Installation. The rest is the same as assigning an application to users. A deployed application can also be managed as follows:
1. Change the deployment type of the application.
2. Remove the deployed application: right-click the deployed application - All Tasks - Remove.
3. Set whether the full installation user interface or only a basic interface is shown when the application is installed: right-click the deployed application - Properties - Deployment.
4. Upgrade the application: right-click the deployed application - Properties - Upgrades - Add.
□ Folder redirection
Group Policy can redirect the storage location of the special folders in Windows 2000 to other locations on the network. The so-called special folders are folders such as "My Documents" and "My Pictures". Normally these folders are on the local computer; a location on the network can be specified through "My Documents" - "Properties" - "Target".
Folders can be redirected in two ways:
1. Redirect each user's folder to a location set for that user.
2. Redirect the folders according to security group, so that all members of a group are redirected to the location set for the group.
The "My Documents" folder is used below to explain how to redirect a folder for a group.
1. In Active Directory Users and Computers, create User1 and User2 in the Users container, then create a security group for them, for example TestGroup.
2. Create a folder on any server, for example x:\documents; this folder stores the users' "My Documents" data.
3. Share the folder, using the folder name as the share name.
4. In "Active Directory Users and Computers", right-click the domain - Properties - Group Policy - select the GPO - Edit - User Configuration - Windows Settings - Folder Redirection - My Documents.
5. Right-click My Documents - Properties - Target - under "Setting" select "Advanced - Specify locations for various user groups" - click Add.
6. In the "Specify Group and Location" dialog box, enter the group name under Security Group Membership, then enter the path of each user's "My Documents" folder under Target Folder Location - OK to complete.
7. Log off, then log on with User1, a member of TestGroup: the "My Documents" folder is changed to the path set above.
Redirecting the user's "My Documents" folder to a network server has the following advantages:
1. The folder can be accessed from any computer on the network that logs on to the domain.
2. Because the data is stored on the server, the information department can back it up regularly, which gives users' data more protection.
3. The users' "My Documents" folders can be configured on the server.
If "My Documents" is redirected to another drive, then even if the operating system is reinstalled, the data in the "My Documents" folder is affected relatively little.