Groups

Active Directory
• Users & Computers
• Group Policies

Users & Computers
• domains
  • domain
  • trusted domains, trusting domains
  • subdomains (tree of domains)
  • forest of trees
• Groups

Groups
• Groups in Active Directory are directory objects that reside within a domain and organizational unit container objects.
• Active Directory provides a set of default groups upon installation, and also allows the option to create groups.
• A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit (objects of DAC).
• Objects are assigned to several groups according to the object's role.
• A user group is a collection of user accounts that all have the same security rights. User groups are also sometimes referred to as security groups.
• Group scope:
  • Domain Local
  • Global
    - can be used in trusting domains
  • Universal
    - contains users, groups, and computers from any domain in the forest
mmc
• File | Add/Remove Snap-in... | Active Directory Users and Computers
• Builtin
  • Users
  • Guests
  • Administrators
• Computers
• Users
  • Domain Users
  • almost 50 predefined objects
Built-in groups and identities (Group | User/Session | Description):
• Account Operators (group): A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
• Administrator (user): A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.
• Administrators (group): A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.
• Anonymous (session): A user who has logged on anonymously.
• Authenticated Users (group): A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
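The built-in groups described above (Account Operators, Administrators and the Domain Admins / Enterprise Admins groups nested into Administrators) are the ones whose membership an administrator reviews most often. The following PowerShell script is an added example written for these notes, not code from the slides: it lists the effective (nested) membership of those groups, prints each group's scope and category, and marks any member that is not on an allowlist for review. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the directory; the allowlist contents and the group selection are placeholders to adapt to your domain.

```powershell
# Added example (not from the slides): audit the effective membership of
# built-in privileged groups. Assumes the ActiveDirectory module (RSAT) and a
# domain-joined session; the allowlist below is a placeholder.
Import-Module ActiveDirectory

# Groups from the slide plus the two admin groups it says are nested into Administrators.
$privilegedGroups = @('Account Operators', 'Administrators', 'Domain Admins', 'Enterprise Admins')

# Placeholder allowlist: SAM account names that are supposed to be members.
$expected = @{
    'Account Operators' = @()                  # slide: no members by default
    'Administrators'    = @('Administrator')   # Domain/Enterprise Admins members are expanded below
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @('Administrator')
}

foreach ($name in $privilegedGroups) {
    try {
        $group = Get-ADGroup -Identity $name -Properties GroupScope, GroupCategory -ErrorAction Stop
        # -Recursive expands nested groups and returns the leaf accounts, i.e. who is
        # effectively a member, which is what matters for access decisions.
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        # e.g. Enterprise Admins exists only in the forest root domain, or the group
        # contains foreign security principals that cannot be resolved here.
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }

    "{0} [{1}/{2}] : {3} effective member(s)" -f $group.Name, $group.GroupScope, $group.GroupCategory, $members.Count

    foreach ($m in $members) {
        $flag = if ($expected[$name] -contains $m.SamAccountName) { 'expected' } else { 'REVIEW' }
        "  {0,-8} {1,-14} {2,-24} {3}" -f $flag, $m.objectClass, $m.SamAccountName, $m.distinguishedName
    }
}
```

Run it as a scheduled check and compare the output against the previous run; a new "REVIEW" line means a principal gained effective membership of a privileged group, either directly or through a nested group, and should be traced back to the change that introduced it.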
Organizational units
• Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units.
• An organizational unit mirrors the organization's functional or business structure.
• An organizational unit cannot contain objects from other domains.
• Can be linked to Group Policies.
Group Policy
• bulk configuration of
  • the Windows system (approx. 3500 configuration items)
  • its components
  • various other products
    • Microsoft Office
    • Google Chrome
    • ...
Group Policy Editor
• editor of the local "Group Policy" object: gpedit.msc
• editor of "Group Policy" objects stored in Active Directory
  • DC - Server Manager - Tools - Group Policy Management - Edit
  • remote - Remote Server Administration Kit - Group Policy Management - Edit
Computer + User
• Computer Configuration
  applies to all users who log on to the given computer
• User Configuration
  applied on all computers in the domain where the given user logs on
• about 3/4 of the items are the same
Software Settings
• software installation using MSI packages
• Deploy Software dialog
  • Publish
  • Assign
  • Advanced
• uninstall when out of the management scope
Windows Settings
• DNS
• Startup/Shutdown scripts
• Deployed Printers
• Security Settings
• QoS
Security Settings
• Account policies
• Local Policies - Audit, User Rights, Security
• File System
• Registry
• Software Restriction Policies
• Application Control Policies (AppLocker)
• Public Key Policies
• Windows Firewall with Advanced Security
• IP Security Policies (IPSec)
Administrative Templates
• Policy definitions (ADMX files)
• Control Panel
• Windows Components
  • Internet Explorer
  • Bitlocker
  • Mobility Center
  • Windows Update
  • ...
• Office
• Network
• Printers
• Server (backup restrictions)
• Start Menu and Taskbar (W8.1 Update 2)
• System
Preferences
• enable deploying settings to client computers without restricting the users from changing the settings (Windows Server 2008, ...)
• Windows Settings
  • Environment
  • Files
  • Folders
  • Ini Files
  • Registry
  • Network Shares
• Control Panel Settings
Group Policy Management
• Forest
  • Domains
    • domain.enterprise.com
      • Default Domain Policy
      • other global domain policies
      • organizational units
      • Group Policy Objects
  • Sites
  • Group Policy Modeling
  • Group Policy Results
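The Organizational units slide (OUs mirror the business structure and can be linked to Group Policies) and the Group Policy Management tree above describe one procedure: create an OU, create a GPO under "Group Policy Objects", put Computer and User Configuration settings into it, and link it to the OU. The PowerShell below is an added example written for these notes, not code from the slides; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a session with rights to create OUs and GPOs. The domain, OU and GPO names are placeholders, and the two registry-based settings are my choice of Administrative Template policies (a Windows Update policy under HKLM for the computer side, a screen-saver policy under HKCU for the user side); check their locations in the Group Policy Editor before relying on them.

```powershell
# Added example (not from the slides): OU + GPO + link + verify.
# Assumes ActiveDirectory and GroupPolicy modules (RSAT). Names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=enterprise,DC=com
$ouName   = 'Finance'                             # placeholder department OU
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Finance Baseline'                    # placeholder GPO name

# 1. OU mirroring the business structure. Protecting it prevents an accidental
#    delete from silently removing every GPO link and object under it.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(name=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. GPO, created unlinked: it appears under "Group Policy Objects" but applies nowhere yet,
#    so it can be filled in and reviewed before anything depends on it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Created by example script' }

# 3. Computer Configuration setting (HKLM\...\Policies): applies to every user who logs
#    on to a computer in the OU. Assumed policy: Windows Components -> Windows Update.
$auKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 4 | Out-Null

# 4. User Configuration setting (HKCU\...\Policies): follows the user to any computer in
#    the domain. Assumed policy: password-protected screen saver after 15 minutes.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900' | Out-Null

# 5. Link the GPO to the OU; this is the step that makes it apply. Then show the link
#    order, which decides precedence among GPOs linked at the same level.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced No | Out-Null
}
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# 6. Read back the computer-side values and export an HTML report for review.
Get-GPRegistryValue -Name $gpoName -Key $auKey | Select-Object ValueName, Type, Value
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

On a client in the OU, "gpupdate /target:computer" followed by "gpresult /r" (the command-line counterpart of the Group Policy Results node) shows whether the new GPO was applied and by which CSE each part was processed.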
[Figures: five diagrams of an Active Directory domain showing (1) groups, (2) organizational units (OUs), (3) groups placed inside OUs, (4) Group Policy Objects (GP), and (5) groups, OUs and the Group Policy Objects linked to them.]
Group Policy client-side extensions (CSE)
• Policy settings are grouped into categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, Software Installation, and the Group Policy preference extensions.
• The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings.
• Group Policy preference extensions represent a set of client-side extensions, not a single CSE. Each Group Policy preference extension has rules to process settings.
• Fast Logon Optimization and Fast Startup vs. Group Policy
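Each CSE is a DLL registered on the client, and the per-CSE processing rules the slide mentions are stored as flags next to that registration. The PowerShell function below is an added example for these notes, not code from the slides: it enumerates the registered CSEs, resolves each DLL and checks its Authenticode signature, and reads the flags that say whether the CSE handles computer policy, user policy and background refresh. It assumes a local administrator session on a domain-joined Windows host and the registration key Windows uses for CSEs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions); the flag names are the documented NoMachinePolicy, NoUserPolicy, NoBackgroundPolicy and NoGPOListChanges values.

```powershell
# Added example (not from the slides): inventory of registered Group Policy CSEs.
# Assumes a local admin session on a domain-joined Windows host.
$cseRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-RegisteredCse {
    Get-ChildItem -Path $cseRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath

        # DllName may be a bare file name or use %SystemRoot%; resolve it the way the
        # loader does so the signature check looks at the file that actually runs.
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.DllName)
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'MISSING' }

        [pscustomobject]@{
            Guid             = $_.PSChildName        # CSE GUID, also referenced from GPOs
            Name             = $p.'(default)'        # friendly name, e.g. "Security"
            Dll              = $dll
            Signature        = $sig                  # Valid / NotSigned / HashMismatch / MISSING
            # Processing rules: a flag set to 1 switches that scope off for this CSE.
            MachinePolicy    = -not ($p.NoMachinePolicy -eq 1)
            UserPolicy       = -not ($p.NoUserPolicy -eq 1)
            BackgroundRefresh = -not ($p.NoBackgroundPolicy -eq 1)
            NoGPOListChanges = $p.NoGPOListChanges   # 1: skipped when the GPO list is unchanged
        }
    }
}

# Full inventory, then only the entries worth a second look.
$all = Get-RegisteredCse
$all | Sort-Object Name | Format-Table Name, Guid, MachinePolicy, UserPolicy, BackgroundRefresh, Signature -AutoSize
$all | Where-Object { $_.Signature -ne 'Valid' } | Format-List Guid, Name, Dll, Signature
```

The inventory explains the behaviour described in the slide: a CSE with NoUserPolicy set is never invoked during user logon, one with NoBackgroundPolicy set only runs at boot or logon, and one with NoGPOListChanges set is skipped on refresh when none of the linked GPOs changed (which is why some settings a user reverts locally are not re-applied until a GPO version changes). Entries whose DLL is missing or unsigned should be reconciled against the OS image or the installed management software that registered them.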
Advanced Group Policy Management
• Extension to Group Policy Management (server + client), only in Microsoft Desktop Optimization Pack (Software Assurance)
• Perform offline editing of GPOs so that you can create and test them before you deploy them to a production environment.
• Maintain multiple versions of a GPO in a central archive so that you can roll back if a problem occurs.
• Share the responsibility for editing, approving, and reviewing GPOs among multiple people by using role-based delegation.
• Eliminate the danger of multiple Group Policy administrators overwriting one another's work by using the check-in and check-out capability for GPOs.
• Analyze changes to a GPO, comparing it to another GPO or another version of the same GPO by using difference reporting.
• Simplify creating new GPOs by using GPO templates, storing common policy settings and preference settings to use as starting points for new GPOs.
• Delegate access to the production environment.
• Search for GPOs with specific attributes and filter the list of GPOs displayed.
• Export a GPO to a file so that you can copy it from a domain in a test forest to a domain in a production forest.