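Of course you can assign Group Policies to Security Groups!
I just had to blog this right away - it is going to be part of a bigger "GP Processing" article though… But this is important stuff IMHO that needs to get out there fast :)
I have heard the following sentence many times (in one form or another): "You can only assign Group Policy Objects to the Site, Domain level or an OU"…
- but that is only partly true! Typically in newsgroups, forums etc. This leaves the reader (i.e. the person asking the GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (leaving you with "Site or Domain/OU filtering" and/or "WMI filtering" as the only possible options available). But that is simply not fair to the amazing Group Policy processing engine!
Even though "WMI filtering" is quite well known these days (after it arrived with WS2003), many people tend to forget a little - but extremely effective and flexible - thing called "Security Filtering" (even though it is a bit more "basic" compared to WMI)…
Let's talk about it for a minute or two, if you are interested…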
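You can set this kind of filtering inside the Group Policy Management Console (GPMC) on either the Scope tab:
- or the Delegation tab (Advanced):
As you can see, by default all Group Policy Objects (GPOs) include "Authenticated Users" with the two permissions Allow:"Read" and Allow:"Apply Group Policy" set. These two permissions are needed for users and computers to apply (or process) a particular GPO:
The very important thing about the "Authenticated Users" group is that it includes all user and computer accounts or objects within the AD domain (domain controllers). So by default, a GPO applies to both computers and users (we are not talking about disabling parts of a GPO etc. right now).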
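That is the "technical" explanation of why policies placed on
a) a Site apply to all users and computers within the site (the user's site follows the computer, and the site follows the IP address)
b) the Domain level apply to all users and computers within the domain
c) any particular OU apply to all users and computers within that particular OU (and sub-OUs for that matter)
=> by default, because the "Authenticated Users" security group is there. These default permissions on new GPOs are handled by something called the "Security Descriptor", but more on that in some other blog or article.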
So, we have Security permissions on all of our GPOs (unfortunately not on the GPO links, but that’s another talk) - leaving us with GREAT power to control to whom the particular GPO should be assigned (or ‘applied’). All we need to do is to change the default permissions and <Zaboooka!> we are in complete control.
First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below Security Filtering section) on the Scope tab and click OK:
Click Add… and select the domain security group you want to "hit" - click OK when done:
And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object…) you selected:
Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that’s better in your case) - but the Domain Level should be fine for most environments.
Now, you could turn this around and exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (mainly because deny overrides allow)!
Also note, that Security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)… But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).
You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!
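A scripted version of the GPMC steps above, as an added example that is not part of the original post; it uses the cmdlets of the GroupPolicy PowerShell module, and the GPO name, group name and link target are placeholders. It assumes an English-language domain (the "Authenticated Users" name) and, unlike the GPMC steps, leaves Authenticated Users with Read only instead of removing it: since the June 2016 Windows security update, user policy is fetched in the computer's security context, so computers still need Read on the GPO.

```powershell
#Requires -Modules GroupPolicy
# Added example: all names passed in are placeholders, not values from the post.
function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,    # e.g. 'Sales Settings' (hypothetical)
        [Parameter(Mandatory)] [string] $GroupName,  # e.g. 'The Sales Group'
        [string] $LinkTarget                         # e.g. 'DC=example,DC=test' (placeholder)
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($GpoName, "Security-filter to '$GroupName'")) {
        # Take "Apply Group Policy" away from Authenticated Users.
        # -Replace is required: without it a lower level never overwrites a higher one.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

        # GpoApply grants both Read and Apply Group Policy to the chosen group.
        Set-GPPermission -Guid $gpo.Id -TargetName $GroupName `
            -TargetType Group -PermissionLevel GpoApply | Out-Null

        # Link the GPO unless it is already linked at the target.
        if ($LinkTarget) {
            $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
                Where-Object { $_.GpoId -eq $gpo.Id }
            if (-not $linked) {
                New-GPLink -Guid $gpo.Id -Target $LinkTarget -LinkEnabled Yes | Out-Null
            }
        }
    }

    # Return the resulting ACL so the filter can be reviewed: exactly the
    # intended group should hold GpoApply, and Denied entries stand out.
    Get-GPPermission -Guid $gpo.Id -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
        Sort-Object Trustee
}

# Dry run first, then apply:
# Set-GpoSecurityFilter -GpoName 'Sales Settings' -GroupName 'The Sales Group' -WhatIf
# Set-GpoSecurityFilter -GpoName 'Sales Settings' -GroupName 'The Sales Group' -LinkTarget 'DC=example,DC=test'
```

Run with `-WhatIf` the function changes nothing and only prints the current permissions, which makes it usable as a read-only audit of who a GPO actually applies to.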
One way of automatically creating Security Groups from members of an OU is described in my article "Configuring Granular Password Settings in Windows Server 2008, Part 2" - these groups are referred to as Shadow Groups (cool, right). In some "filtering situations" that is nice to know…
Wow - that was nice getting it off my shoulders, and now I can refer to this blog entry whenever I get the question again - and so can you of course :-)
Written by Jakob H. Heidelberg.