This video will look at the Group Policy options Enforced and Block Inheritance. By the end of the video you will not only understand how to enforce and block Group Policy, but also have a better understanding of how to deploy Group Policy effectively in a hierarchy that matches the needs of your business.

To review what we have covered in the previous videos, a computer obtains an ordered list of Group Policies and applies them in that order. First, Group Policy is retrieved from the local computer; this is the first Group Policy to be processed. The rest of the Group Policies are retrieved from the domain and sorted into the order Site, Domain, OUs, followed by child OUs.

In some cases you may have multiple Group Policies linked at the same level in Active Directory. In this example there are two Group Policies linked at the domain level. If I open Group Policy Management and make sure the domain is selected, notice that there are two Group Policies linked at the domain level. On the right hand side, notice there is a Link Order for each of the Group Policies. The Link Order determines the order in which the Group Policies are applied when there is more than one at the same level. The Group Policy that is higher in the link order (the one with the lower link order number) takes precedence over the other, and for this reason they are processed in reverse order. To understand why, if I go back to the diagram, notice what happens if I add the link order numbers to the Group Policy diagram. The domain Group Policy with Link Order 2 is applied first. After this, the domain Group Policy with Link Order 1 is applied. This means the Group Policy with Link Order 1 overwrites any settings applied by the Group Policy with Link Order 2.
It may seem confusing which Group Policy is applied first, but if you think of it as higher priority Group Policy needing to overwrite lower priority Group Policy, it makes sense that the Group Policy with the lower priority must be processed first. This is why local Group Policy is applied first: local Group Policy has the lowest priority, so any other Group Policy applied afterwards can overwrite any setting configured in the local Group Policy.

In most situations this works well, but let us consider a situation where it can cause problems. If you had a testing computer or a kiosk computer, you may want the computer configured a certain way. Consider a Group Policy that configures the wallpaper and the Windows Firewall. The result is that the wallpaper and Windows Firewall are configured on the client computer. Now consider that a second Group Policy is created which changes the wallpaper. Notice how the firewall settings have been kept. To make sure the firewall settings from the first Group Policy do not apply, you would need to configure the firewall settings in the second Group Policy as well; those settings would then replace the original ones. This works well when you first configure Group Policy, but let's say that later on additional Group Policy settings are configured, in this case a wireless setting. If you had a computer configured as a kiosk, for example, you may not want new Group Policy settings appearing on that computer.

To get around this problem, Group Policy offers an option called Block Inheritance. This setting is configured at the OU level. As shown here, there are four OUs that will be processed in order. If Block Inheritance is applied on the second OU, notice that the Group Policy before it is no longer applied. Blocking inheritance gives you a clean slate, so to speak.
Configuring Block Inheritance allows you to configure the Group Policy settings for an OU without having to worry about any settings applied above it. Notice also that the OU under the blocked OU, the third OU, is still able to inherit the settings from the OU above it. Blocking inheritance prevents any settings configured above the OU from being applied, but does not prevent any settings below it from being applied.

In some cases an administrator may have settings that they want all computers to have, and they do not want another administrator to have the option of blocking the settings they have configured. To allow this, Group Policy has the option to enforce settings. The Enforced option is configured per Group Policy, unlike Block Inheritance, which is configured per OU.

To understand how Enforced works, consider a typical list of Group Policy settings waiting to be applied, in the order Local, Site, Domain and OUs. At the domain level there are two Group Policies. The second Group Policy is applied first, so the first Group Policy overrides any settings it configures. Now, like before, let's say an administrator of one of the OUs configures that OU to Block Inheritance. As before, the Group Policies from the previous levels are not applied. If you plan to enforce a Group Policy, it is best to create a Group Policy that contains only the settings you want to enforce; settings that you are not too worried about being overwritten should be put into a different Group Policy. Notice that when the domain Group Policy is set to Enforced, it is moved to the end of the processing order. Since this Group Policy is now applied last, it overrides any other settings configured before it. You may be wondering what would happen if an OU was configured with Enforced. Would this OU now override the settings configured by the Enforced Group Policy at the domain level? The answer is no.
Notice that if an OU Group Policy is configured with Enforced, it too is moved to the end, but it is processed before the Enforced domain Group Policy. This ensures that an enforced OU Group Policy does not override a Group Policy enforced at the domain. Notice also that if a Group Policy were enforced at the site level, the site Group Policy would also be moved to the end, and would be the last Group Policy to be applied. In other words, enforced Group Policies are applied in the order OUs, Domain and Site, the reverse of the order they would be applied in if they were not enforced. This ensures that when Group Policy settings are enforced, they are still applied in the correct hierarchical order.

Now that you understand how the Group Policy order is determined, let's look at how this works with the user and computer sides of Group Policy. As shown here, when the computer starts up, Group Policy is obtained from the local computer and the domain and then sorted so that it can be processed. All the settings found in the computer side of the Group Policies are applied when the computer starts up, in the order shown. When a user logs in, the user side of Group Policy is applied in the same order the computer side was applied in. This allows the user side of Group Policy to override what was applied by the computer side. There are not many Group Policy settings that overlap between the user and computer sides, so it should be rare for a user-side setting to overwrite a computer-side setting.

I will now change to my Windows Server 2008 R2 Domain Controller to have a look at how to configure the Block Inheritance and Enforced options in Group Policy. If you have watched our previous videos on Group Policy, you will remember that we created a Group Policy at the domain level that configured the desktop wallpaper for all users in the domain.
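Before moving to the server, here is a small PowerShell model of the processing order rules explained above (Local, Site, Domain, OUs; link order within a level; Block Inheritance; Enforced). It is an added example and not code from the video or from IT Free Training; the container and GPO names in the sample hierarchy are constructed, and the function name Get-GpoProcessingOrder is my own.

```powershell
# Added example (not from the video): model of the Group Policy processing
# order. Containers are listed from the top of the hierarchy down, each with
# its linked GPOs (GPMC link order numbers) and whether it blocks inheritance.
function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][object[]]$Containers)

    $normal   = @()   # non-enforced links, in processing order so far
    $enforced = @()   # enforced links, kept separately and applied last

    foreach ($c in $Containers) {
        # Block Inheritance drops every non-enforced link from the containers
        # above. The local GPO is not inherited from a parent container, so
        # Windows still processes it; the model keeps it for that reason.
        if ($c.BlockInheritance) {
            $normal = @($normal | Where-Object { $_.Container -eq 'Local' })
        }
        # Link order 1 must win within a container, so the highest number is
        # processed first and link order 1 last (the reverse order in the video).
        $here = @()
        foreach ($l in @($c.Links | Sort-Object { $_.Order } -Descending)) {
            $entry = [pscustomobject]@{
                Container = $c.Name; Gpo = $l.Name; Enforced = [bool]$l.Enforced
            }
            if ($entry.Enforced) { $here += $entry } else { $normal += $entry }
        }
        # Enforced links of a deeper container go before those of its parents,
        # so enforced GPOs end up in the order OU, Domain, Site.
        if ($here.Count -gt 0) { $enforced = @($here) + $enforced }
    }
    return @($normal) + $enforced
}

# Constructed hierarchy; the names loosely follow the video's domain.
$hierarchy = @(
    @{ Name = 'Local';  Links = @(@{ Name = 'Local GPO';   Order = 1 }) }
    @{ Name = 'Site';   Links = @(@{ Name = 'Site Policy'; Order = 1 }) }
    @{ Name = 'Domain'; Links = @(
        @{ Name = 'Default Company Policy'; Order = 1; Enforced = $true },
        @{ Name = 'Default Domain Policy';  Order = 2 }) }
    @{ Name = 'OU=New York'; Links = @(@{ Name = 'New York Settings'; Order = 1 }) }
    @{ Name = 'OU=Test'; BlockInheritance = $true
       Links = @(@{ Name = 'Kiosk Settings'; Order = 1 }) }
)

$i = 0
Get-GpoProcessingOrder -Containers $hierarchy | ForEach-Object {
    $i++
    '{0}. {1}  [{2}{3}]' -f $i, $_.Gpo, $_.Container,
        $(if ($_.Enforced) { ', enforced' } else { '' })
}
```

For this hierarchy the function returns Local GPO, then Kiosk Settings, then Default Company Policy: Block Inheritance on the Test OU removes the site link, the domain link with link order 2 and the New York link, but the enforced domain GPO still reaches the Test OU and, being processed last, wins over the kiosk settings. Removing `Enforced = $true` from the domain link shows the kiosk OU getting the clean slate the video describes.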
You can see that the wallpaper on this Domain Controller is currently being set by this Group Policy; settings configured for users should not be affecting servers like Domain Controllers. To fix this problem, I will use Block Inheritance. To configure it, open Group Policy Management from Administrative Tools under the Start menu. At the top you can see the Domain Wide Group Policy. This Group Policy was originally created to configure settings for users and computers, so it should not be applied to Domain Controllers. To prevent this from happening, it is a simple matter of selecting the Domain Controllers OU, right clicking it, and then selecting the option Block Inheritance. Notice that when I select this option the icon for the OU changes to show an exclamation mark, indicating that Block Inheritance has been enabled.

Blocking inheritance prevents the domain-wide Group Policies from affecting the computer accounts in the Domain Controllers OU; however, this is only half of the work required. Remember that Group Policy is divided into a user part and a computer part. So far, only the computer part of Group Policy has been fixed. To fix the user part, I will open Active Directory Users and Computers. The user that is used to perform administration on the server needs to be separated from the other users so that the Group Policy settings do not get applied to it. To do this, I will create an Organizational Unit and call it IT Support Staff. The user I use to perform administration on the server is the Administrator account. This account is currently located in the Users OU. It is a simple matter of dragging the Administrator user from the Users OU and dropping it into the IT Support Staff OU. I will get a message telling me that moving objects in Active Directory can affect the system, in particular Group Policy. Since this is what I want, I can choose Yes and move on.
Now that I have moved the Administrator into its own OU, I can close Active Directory Users and Computers and go back to Group Policy Management. Since I have only just created the OU, it will not appear yet; to have it appear in Group Policy Management I need to press F5. Once the OU appears, I can right click it and select Block Inheritance. This prevents the domain Group Policy settings from affecting the Administrator account. To show that it has worked, I will now log off and quickly log back in. Once logged back in, Group Policy for the user is reapplied. You will notice that, once applied, the desktop wallpaper has gone back to the default blue. The writing that was visible at the top was applied by the Domain Wide Group Policy, which is now being blocked and thus has no effect.

Unfortunately, blocking inheritance like this is not a solution to everything. I will open Group Policy Management again to show you why. If I expand down to New York, Computers and the Test OU, a computer can be placed here for testing, and once again you may want Group Policy settings to be blocked. Just like the other OUs, I can right click it and select Block Inheritance. This prevents the domain-wide Group Policies from being applied. In this case, though, there may be some settings in the Domain Wide Group Policy that you want applied to everyone. You do not want an administrator in charge of an OU further down the domain tree deciding to block your settings. To get around this, you can right click the Group Policy whose settings you always want applied and select the option Enforced. If you use the Enforced option, it is recommended that you create two Group Policies: one containing the settings that need to be enforced, and the other containing the settings that do not need to be enforced. This way you are not enforcing Group Policy settings that you do not mind being overwritten. Once again I will log off and log back on to see the results.
Once I have logged back in and Group Policy for this user has been applied, notice that the desktop wallpaper has once again changed back to the wallpaper configured in the Domain Wide Group Policy, so the desired result has not been achieved. I will once again open Group Policy Management to see if there is a better way of doing this. You can start to see that even having a few OUs with Block Inheritance and a Group Policy with the Enforced option can make Group Policy management in your domain a lot more complex. You can understand why Microsoft recommends that Block Inheritance and Enforced only be used when absolutely needed. To go back to simple Group Policy administration, I will go through and clear the Enforced and Block Inheritance options.

Now that these options have been cleared, let's think about what we want to achieve. We essentially want the Group Policy settings to be applied to all users and computers in the domain, but not to the servers or IT staff. To achieve this, I will right click the London OU, select the option Link an Existing GPO, and then select the Group Policy Object Domain Wide Group Policy. I will also do this with the New York OU so that it is also using the Domain Wide Group Policy Object. As you can see, the Group Policy is now being applied to both OUs, so there is no need to have the Domain Wide Group Policy applied at the domain level. For this reason, I will delete the domain-level link. Notice that by doing this I have had the same effect that blocking inheritance had before: I have ensured that the settings are applied to users and computers in the domain, but no longer to the IT users or the Domain Controllers. If I look under Group Policy Objects, notice the Group Policy is still called Domain Wide Group Policy. This is a little misleading, so I will rename this Group Policy Object to Default Company Policy, which is a little more descriptive of what the Group Policy does now.
Notice on the right hand side you can see which OUs this Group Policy is linked to, in this case London and New York. If you have a lot of OUs it is worth looking here to check whether all the OUs in your domain have Group Policy applied to them. You could also click on an OU to see which Group Policies are applied to it. Now that I have made some changes, I will once again log off and log back on to see the results. Notice that when I log back in, the desktop wallpaper has once again gone back to the default wallpaper, an indication that no Group Policy setting has been applied. All this was achieved without using the Block Inheritance or Enforced options. You can start to see that in a lot of cases the Block Inheritance and Enforced options can be avoided with careful planning.

Thanks for watching another video from IT Free Training. For more free videos for this course and others, please feel free to subscribe.
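The same walkthrough can be done from PowerShell on the domain controller with the GroupPolicy and ActiveDirectory modules, which also gives you a way to check the result without logging off and looking at the wallpaper. This is an added example, not the video's own commands; the OU and GPO names are the ones used in the video, and the domain DN `DC=example,DC=local` is a placeholder for your own domain.

```powershell
# Added example (not from the video). Requires the GroupPolicy and
# ActiveDirectory modules on a domain controller or RSAT workstation.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = 'DC=example,DC=local'      # placeholder: replace with your domain DN
$gpo      = 'Domain Wide Group Policy' # the GPO created in the earlier video

# First attempt shown in the video: block inheritance on the Domain
# Controllers OU, move the Administrator account into its own OU, and block
# inheritance there as well. (Users is a built-in container, hence CN=Users.)
Set-GPInheritance -Target "OU=Domain Controllers,$domainDn" -IsBlocked Yes
New-ADOrganizationalUnit -Name 'IT Support Staff' -Path $domainDn
Move-ADObject -Identity "CN=Administrator,CN=Users,$domainDn" `
              -TargetPath "OU=IT Support Staff,$domainDn"
Set-GPInheritance -Target "OU=IT Support Staff,$domainDn" -IsBlocked Yes

# Marking the domain link Enforced, as tried next in the video, would make
# both blocks ineffective again (left commented out for that reason):
# Set-GPLink -Name $gpo -Target $domainDn -Enforced Yes

# The design the video settles on: clear the blocks, link the GPO only to the
# OUs that should receive it, remove the domain-level link, and rename it.
Set-GPInheritance -Target "OU=Domain Controllers,$domainDn" -IsBlocked No
Set-GPInheritance -Target "OU=IT Support Staff,$domainDn"   -IsBlocked No
foreach ($ou in 'London', 'New York') {
    New-GPLink -Name $gpo -Target "OU=$ou,$domainDn" -LinkEnabled Yes
}
Remove-GPLink -Name $gpo -Target $domainDn
Rename-GPO -Name $gpo -TargetName 'Default Company Policy'

# Check 1: which GPOs reach each container, in precedence order
# (InheritedGpoLinks lists the winning link first, like the GPMC
# Group Policy Inheritance tab). Domain Controllers and IT Support Staff
# should no longer list Default Company Policy; London should.
$targets = "OU=Domain Controllers,$domainDn",
           "OU=IT Support Staff,$domainDn",
           "OU=London,$domainDn"
foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t
    '{0}  (inheritance blocked: {1})' -f $t, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Select-Object DisplayName, Enforced, Enabled, Order |
        Format-Table -AutoSize
}

# Check 2: where the renamed GPO is linked (the GPMC Scope tab), read from the
# GPO's XML report. NoOverride is the report's name for the Enforced flag.
[xml]$report = Get-GPOReport -Name 'Default Company Policy' -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride
```

Running the two checks before and after the change is the quickest way to confirm that a "fix" made with Block Inheritance or Enforced has not been undone further up or down the tree; it is also the view to keep an eye on if someone else administers OUs in your domain.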
MCITP 70-640: Enforcing and Blocking Group Policy. Posted by Chrisene Chang on 14 January 2021.