Group Policy. Jeremy Moskowitz
descriptive, such as “Hide Screen Saver Option.”
5. Once the name is entered, you’ll see the new GPO listed in the swimming pool. Right-click the GPO and choose Edit, as shown in Figure 1-15, to open the Group Policy Management Editor.
6. To hide the Screen Saver option, drill down by clicking User Configuration ⇒ Policies ⇒ Administrative Templates ⇒ Control Panel ⇒ Personalization. Double-click the Prevent changing screen saver policy setting to open it. Select the Enabled setting, and click OK.
7. Close the Group Policy Management Editor.
Figure 1-14: You create your first GPO in the Group Policy Objects container by right-clicking and choosing New.
Figure 1-15: You can right-click the GPO in the Group Policy Objects container and choose Edit from the context menu to open the Group Policy Management Editor.
Note that in earlier iterations of the GPMC, this setting was named differently and placed in another node. It used to be called Hide Screen Saver Tab and was located in the Display node within Control Panel. As you can see, as the operating system evolves, so do the names of the policy settings, Group Policy Preference items (described in Chapter 5), and the capabilities within the GPMC itself. This is why it’s pretty important to always use the “latest, greatest” GPMC, as we are doing in this book.
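The seven GPMC steps above can also be scripted. The following is an added example, not code from the book, and assumes a management workstation or Domain Controller with the GroupPolicy PowerShell module (installed with the GPMC / RSAT) and rights to create GPOs in the domain. It relies on the fact that the Administrative Template setting "Prevent changing screen saver" is backed by the registry value NoDispScrSavPage under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (the mapping in the ControlPanelDisplay.admx template), so writing that value into the GPO is the same as clicking Enabled in the Group Policy Management Editor.

```powershell
# Added example (not from the book): create the "Hide Screen Saver Option" GPO
# with PowerShell instead of the GPMC UI. Requires the GroupPolicy module
# (installed with the GPMC / RSAT) and rights to create GPOs in the domain.
Import-Module GroupPolicy

$gpoName = 'Hide Screen Saver Option'

# Create the GPO in the domain's Group Policy Objects container (the "swimming
# pool"). Exactly like the GPMC, this only creates the object; nothing is linked.
$gpo = New-GPO -Name $gpoName -Comment 'Prevents users from changing the screen saver'

# User Configuration > Policies > Administrative Templates > Control Panel >
# Personalization > "Prevent changing screen saver" is backed by this registry
# value in ControlPanelDisplay.admx. Writing it is equivalent to selecting
# Enabled in the Group Policy Management Editor.
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'NoDispScrSavPage' -Type DWord -Value 1 | Out-Null

# Read the setting back out of the GPO to confirm it was written as intended.
Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'NoDispScrSavPage'

# Produce an HTML settings report. Review it before linking the GPO anywhere:
# the GPMC will not ask "are you sure?" when you link.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

The GPO created this way shows up in the GPMC's Group Policy Objects container and, when opened in the editor, displays the setting as Enabled under its usual name; the report is the cheapest way to double-check the contents of a GPO before it reaches any site, domain, or OU.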
Understanding Our Actions
Now that we have this “Hide Screen Saver Option” edict, er, GPO floating around in the Group Policy Objects container – our representation of the domain’s swimming pool – what have we done? Not a whole lot, actually, other than create some bits inside Active Directory and on the Domain Controllers. By creating a new GPO in the Group Policy Objects folder, we haven’t inherently forced our desires on any level in Active Directory – site, domain, or OU.
To make a level in Active Directory accept our will, we need to link this new Group Policy Object to an existing level. Only then will our will be accepted and embraced. Let’s do that now.
Applying a Group Policy Object to the Site Level
The least-often-used level of Group Policy application is the site. This is because it has the broadest stroke but the bluntest application. And because more and more organizations use high-speed links everywhere, it’s not easy to separate computers into individual sites: in some organizations, Active Directory is set up to see the network as just one big site!
Additionally, since Active Directory dictates that only members of Enterprise Admins (EAs) can modify sites and site links, it follows that only EAs (by default) can add and manipulate GPOs at the site level.
When a tree or a forest contains more than one domain, only the EAs and the Domain Admins (DAs) of the root domain can create and modify sites and site links. When multiple domains exist, DAs in domains other than the root domain cannot create sites or site links (or link GPOs at the site level).
However, site GPOs might come in handy on occasion. For instance, you might want to set up site-level GPO definitions for network-specific settings, such as Internet Explorer proxy settings or an IP security policy for sensitive locations. Setting up site-based settings is useful if you have one building (set up explicitly as an Active Directory site) that has a particular or unique network configuration. You might choose to modify the Internet Explorer proxy settings if this building has a unique proxy server. Or, in the case of IP security, perhaps this facility has particularly sensitive information, such as confidential records or payroll information.
Therefore, if you’re not an EA (or a DA of the root domain), it’s likely you’ll never get to practice this exercise outside the test lab. In upcoming chapters I’ll show you how to delegate these rights to other administrators, like OU administrators.
For now, we’ll work with a basic example to get the feel of the Group Policy Management Editor.
We already stood on our desks and loudly declared that there will be no Screen Saver options at our one default site. The good news is that we’ve already done two-thirds of what we need to do to make that site accept our will: we exposed the sites we want to manage, and we created the “Hide Screen Saver Option” GPO in the Group Policy Objects container.
Implementing GPOs linked to sites can have a substantial impact on your logon times and WAN (wide area network) traffic if not performed correctly. For more information, see Chapter 7 in the section “Group Policy Objects from a Site Perspective.”
Now all we need do is to tether the GPO we created to the site with a GPO link.
To remove the Screen Saver option using the Group Policy Management Editor at the site level, follow these steps:
1. Inside the GPMC snap-in, drill down by clicking the Group Policy Management folder, the Forest folder, and the Sites folder.
2. Find the site to which you want to deliver the policy. If you have only one site, it is likely called Default-First-Site-Name.
3. Right-click the site and choose “Link an Existing GPO,” as shown in Figure 1-16.
4. Now you can select the “Hide Screen Saver Option” GPO from the list of GPOs in the Group Policy Objects container within the domain.
Once you have chosen the GPO, it will be linked to the site.
Did you notice that there was no “Are You Sure You Really Want To Do This?” warning or anything similar? The GPMC trusts that you set up the GPO correctly. If you create GPOs with incorrect settings and/or link them to the wrong level in Active Directory, you can make boo-boos on a grand scale. Again, this is why you want to try any setting you want to deploy in a test lab environment first.
There is also a good reason GPOs for sites must be pre-created. Since the Sites container belongs to the forest rather than to a specific domain, the GPMC cannot assume which “domain swimming pool” a site-linked GPO should be created in. By creating the GPO first, you decide which domain it lives in, and only then choose which site it is linked to.
Figure 1-16: Once you have your first GPO designed, you can link it to your site.
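The four linking steps above, done from PowerShell, as an added example that is not code from the book. It assumes the GroupPolicy and ActiveDirectory modules are available, that you hold Enterprise Admin (or delegated) rights on the Sites container, and that the site is the default Default-First-Site-Name; substitute your own site name. Reading the link back from the site object also makes the point above concrete: the link stores the GPO by its path inside a particular domain.

```powershell
# Added example (not from the book): link the GPO to a site with PowerShell.
# Requires the GroupPolicy and ActiveDirectory modules and Enterprise Admin
# rights (or delegated rights on the Sites container).
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'Hide Screen Saver Option'
$siteName = 'Default-First-Site-Name'   # assumption: the default site name

# Sites live in the forest-wide Configuration partition, not in any domain,
# so build the site's distinguished name from the configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$siteDN   = "CN=$siteName,CN=Sites,$configNC"

# The GPO still lives in one domain's "swimming pool"; New-GPLink resolves it
# from the domain you are connected to (use -Domain to pick another one).
# There is no confirmation prompt here either, so check the GPO first.
New-GPLink -Name $gpoName -Target $siteDN -LinkEnabled Yes

# Verify: the site object's gPLink attribute now references the GPO by its
# domain path, in the form [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0].
# That embedded DN is why the GPO had to be created in a domain first, and why
# clients from every domain in the forest fetch it from that domain.
$gpLink = (Get-ADObject -Identity $siteDN -Properties gPLink).gPLink
$gpLink

# Map each GUID in gPLink back to a GPO display name for a readable check.
$guids = [regex]::Matches($gpLink, '\{[0-9A-Fa-f-]+\}') | ForEach-Object { $_.Value.Trim('{}') }
foreach ($g in $guids) {
    Get-GPO -Guid $g | Select-Object DisplayName, Id, GpoStatus
}
```

If the forest has several domains, Get-GPO -Guid only finds GPOs in the domain you are connected to; a GUID it cannot resolve is a GPO that was created in another domain's swimming pool and is being pulled across the forest for everyone in that site, which is exactly the WAN and logon-time concern the sidebar above warns about.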
Verifying Your Changes at the Site Level
Now, log onto any workstation or server that falls within the boundaries of the site to which you applied the sitewide GPO. If you didn’t change any of the defaults, you should be able to log onto any computer in the domain (say, WIN10) as any user you have defined – even the administrator of the domain.
Right-click the Desktop and select Personalize. Then click Lock Screen on the left, and click the Screen Saver settings link toward the bottom of the page. When you try it, you’ll see what happens, which you can also see in Figure 1-17.
Don’t panic if you do not see the changes reflected the first time you log on. See Chapter 3, “Group Policy Processing Behavior Essentials,” in the section “Background Refresh Policy Processing” to find out how to encourage changes to appear. To see the change right now, log off and log back on, or run gpupdate /force from a command prompt. The policy should take effect.
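When the option does not change as expected, a practitioner wants more than “log off and log back on.” The following added example, not code from the book, is run in the user’s session on a machine in the site (WIN10 in the text) and checks the three things that can go wrong: the refresh has not happened yet, the GPO did not apply to this user, or the computer is not actually in the site you linked. It assumes the same NoDispScrSavPage registry value used when the GPO was built.

```powershell
# Added example (not from the book): verify the site-linked GPO on a client.
# Run inside the session of the user you logged on as, on a machine in the site.

# Force an immediate policy refresh instead of logging off and on.
# Administrative Template settings are applied during a refresh.
gpupdate /target:user /force

# 1. Which site did the computer resolve to, and which GPOs applied?
#    gpresult /r prints "Site Name:" and the list of applied GPOs, so a missing
#    "Hide Screen Saver Option" here points at the link or the site, not the
#    setting itself. nltest shows the site as the Netlogon service sees it.
nltest /dsgetsite
gpresult /r /scope:user

# 2. Is the policy value actually present in the user's policy registry key?
#    "Prevent changing screen saver" writes NoDispScrSavPage = 1 here.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$value = Get-ItemProperty -Path $key -Name NoDispScrSavPage -ErrorAction SilentlyContinue

if ($value -and $value.NoDispScrSavPage -eq 1) {
    'Prevent changing screen saver is in effect for this user.'
} else {
    'Policy value not present. Check the site reported above against the site you linked, ' +
    'confirm the GPO appears under "Applied Group Policy Objects" in gpresult, ' +
    'and re-check the link in the GPMC.'
}
```

Reading the Policies key is the definitive test because that is where Group Policy writes the value; the Settings UI merely reflects it. If gpresult lists the GPO but the value is absent, the GPO's contents are wrong, and that is the case the GPMC's missing "are you sure?" prompt lets slip through.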