Yes of course you can assign Group Policies to Security Groups!
I have to blog this right away - it will be part of a larger "GP Processing" article at some point though… But this is IMHO important stuff which needs to get out there quick.
I’ve heard the following sentence too many times (in one way or the other): "You can only assign Group Policy Objects to Site, Domain Level or OU’s"…
- but that’s only partly true! Normally in newsgroups, forums etc. this leaves the readers (e.g. someone who asked a GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (which leaves you with "Site/Domain/OU Filtering" and/or "WMI Filtering" as the only possible choices available). But that’s simply not fair to the amazing Group Policy processing engine!
Even though "WMI Filtering" is pretty well-known these days (after WS2003 arrived), many people tend to forget the little - but extremely effective and flexible - thing called "Security Filtering" (even though it’s somewhat more "Basic" compared to WMI)…
Let’s talk about it for a minute or two if you are interested…
You can set this kind of filtering within the Group Policy Management Console (GPMC) on either the Scope tab:
- or the Delegation tab (a bit more Advanced):
As you can see, by DEFAULT all Group Policy Objects (GPO) include "Authenticated Users" with both Allow:"Read" and Allow:"Apply Group Policy" permissions set. Both of these permissions are needed for users and computers to take on (or process) a given GPO:
The thing about the very important "Authenticated Users" group is that it includes ALL User AND Computer accounts/objects within the AD domain (Domain Controllers too, right). So, by default a GPO applies to both computers and users (we are not going to talk about disabling GPO parts etc. now).
That’s the "technical" explanation why policies placed on
a) the Site apply to ALL users and computers within the Site (the user’s site follows the computer’s site, and the site follows the IP address)
b) the Domain Level apply to ALL users and computers within the Domain
c) any given OU apply to ALL users and computers within that particular OU (and sub-OUs for that matter)
=> because the "Authenticated Users" security group is there by default. These default permissions on new GPOs are handled by something called "Security Descriptors", but more on that in some other blog or article.
So, we have Security permissions on all of our GPOs (unfortunately not on the GPO links, but that’s another talk) - leaving us with GREAT power to control to whom the particular GPO should be assigned (or ‘applied’). All we need to do is to change the default permissions and <Zaboooka!> we are in complete control.
First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below the Security Filtering section) on the Scope tab and click OK:
Click Add… and select the domain security group you want to "hit" - click OK when done:
And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object…) you selected:
Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that’s better in your case) - but the Domain Level should be fine for most environments.
Now, you could turn this around and Exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (mainly because deny overrides allow)!
Also note that Security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)… But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).
You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!
One way of automatically creating Security Groups from members of an OU is described in my article "Configuring Granular Password Settings in Windows Server 2008, Part 2" - these groups are referred to as Shadow Groups (cool, right). In some "filtering situations" that is nice to know…
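The same three Scope-tab steps (remove "Authenticated Users", add the target group, link at the domain level) done as a script, as an added example that is not part of the original post. It uses the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 and later); the GPO name, group name and domain DN are assumed placeholders.

```powershell
# Added example, not from the original post. Assumed names: GPO "Sales Desktop Settings",
# security group "The Sales Group", domain contoso.com. Requires the GroupPolicy module.
Import-Module GroupPolicy

$gpo    = 'Sales Desktop Settings'
$group  = 'The Sales Group'
$domain = 'DC=contoso,DC=com'

# Step 1: drop the default "Authenticated Users" entry (Read + Apply Group Policy).
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None

# Step 2: grant Read + Apply Group Policy ("GpoApply") to the target group only.
# For a group of computers instead of users, the same call works with a computer group.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group -PermissionLevel GpoApply

# Caveat not in the original post: since MS16-072 (June 2016) the user half of a GPO is
# retrieved in the computer's security context, so computers still need Read on the GPO
# or the user settings silently stop applying. GpoRead alone does not apply the GPO.
Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Step 3: link the filtered GPO at the domain level.
New-GPLink -Name $gpo -Target $domain -LinkEnabled Yes

# Check: the ACL should now show GpoApply for the group and no "Authenticated Users" entry.
# Note: Set-GPPermission only sets Allow levels; the Deny:"Apply Group Policy" variant
# for excluding a group still has to be done on the Delegation tab (Advanced) in GPMC.
Get-GPPermission -Name $gpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a member of the group, `gpupdate /force` followed by `gpresult /r` shows the GPO under "Applied Group Policy Objects"; on anyone else it is listed as filtered out by Security.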
Wow - that was nice getting it off my shoulders, and now I can refer to this blog entry whenever I get the question again - and so can you of course.
Written by Jakob H. Heidelberg.