CREATING A GROUP POLICY OBJECT IN THIS PROCEDURE, YOU CREATE A NEW GPO...

Question

3.  Link the Members GPO to each of the role-specific containers and move it to the bottom of the Group Policy Object Links list in the Group Policy tab in the Domain Controllers Properties dialog box. Important When you link a GPO to multiple container objects, you are only creating links between the object pairs; you are not creating copies of the GPO. Therefore, when you modify the policy settings for the GPO from one of the linked containers, the changes you make affect all the containers to which you have linked the GPO. The order in which the GPOs appear in the Group Policy Object Links list is critical. GPOs that are higher in the list have higher priority, so that a setting in the first policy listed will overwrite a setting in the second. If you list the GPOs in the wrong order, a different set of policy values than you had planned might be in effect. Tip Although Active Directory objects inherit group policy settings from their parent objects by default, it is possible to block the inheritance. Display the Properties dialog box for an object, click the Group Policy tab, and then select the Block Policy Inheritance check box to prevent that object from inheriting group policy settings from its parent objects. Creating a Container Hierarchy Instead of manually linking your GPOs to the various organizational unit objects in your Active Directory tree, you can also create a hierarchy of organizational unit objects, as shown in Figure 9-13. In this figure, you see the Members organizational unit, with the role-specific organizational units beneath it. Figure 9-13 An organizational unit hierarchy As with most tree hierarchies in Windows operating systems, the properties of a parent object are passed down to the child objects beneath it. Therefore, when you create a GPO and link it to the Members container, not only the computer objects in Members receive the policy settings from the GPO; all the computers in the role-specific organi­zational units receive these settings. Note The one exception to the rule of group policy inheritance is that subdomains do not inherit group policy settings from their parent domains. Tip If you plan to create a hierarchy of organizational units that includes domain controllers in one of the role-specific containers, you will not be able to move the Domain Controllers organizational unit object that Windows Server 2003 creates automatically at domain cre­ation to another location in the tree. However, you can create a new organizational unit object in the hierarchy and move the computer objects there from the Domain Controllers container. To create security configurations for the servers in the role-specific organizational units, you create a new GPO for each container. When you do this, the policy settings in the GPOs linked to the role-specific containers take precedence over the settings for the same policies in the parent container’s GPO. The rules governing the combination of inherited and direct policy settings are as follows: ■ If the parent container’s GPO contains a policy setting, and the same policy is undefined in the child container’s GPO, the objects in the child container use the setting from the parent GPO. ■ If the child container’s GPO contains a policy setting, and the same policy is unde­fined in the parent container’s GPO, the objects in the child container use the set­ting from the child GPO. ■ If the parent container’s GPO contains a policy setting, and the same policy has a different setting in the child container’s GPO, the objects in the child container use the setting from the child GPO. Real World GPO Combination When you apply multiple GPOs to a container, whether with multiple links or with a hierarchical GPO arrangement, it is important to understand the difference between an undefined policy and an explicit policy setting. An undefined policy is not necessarily the same as a Disabled setting. When you leave a policy unde­fined in the GPO, the computers to which that GPO applies use the operating sys­tem’s default setting, which might be Enabled, Disabled, or something else, depending on the policy. If you define a policy with an Enabled value in the par­ent container’s GPO, you must explicitly define the same policy in the child con­tainer’s GPO to assign it a different value, even if that value is the same as the Windows Server 2003 default setting. Practice: Deploying Multiple GPOs In this practice, you use two different methods to combine the policies in the GPOs you created for the Member Servers and Domain Controllers organizational units in the practices for Lessons 1 and 2 of this chapter. First, you link both GPOs to a single con­tainer and modify the order in which the system applies them. Then, you create a hier­archy of organizational units and use group policy inheritance to combine policy settings.

CREATING A GROUP POLICY OBJECT IN THIS PROCEDURE, YOU CREATE A NEW GPO...

3. Link the Members GPO to each of the role-specific containers and move it to the

bottom of the Group Policy Object Links list in the Group Policy tab in the

Domain Controllers Properties dialog box.

Important When you link a GPO to multiple container objects, you are only creating links

between the object pairs; you are not creating copies of the GPO. Therefore, when you modify

the policy settings for the GPO from one of the linked containers, the changes you make

affect all the containers to which you have linked the GPO.

The order in which the GPOs appear in the Group Policy Object Links list is critical.

GPOs that are higher in the list have higher priority, so that a setting in the first policy

listed will overwrite a setting in the second. If you list the GPOs in the wrong order, a

different set of policy values than you had planned might be in effect.

Tip Although Active Directory objects inherit group policy settings from their parent objects

by default, it is possible to block the inheritance. Display the Properties dialog box for an

object, click the Group Policy tab, and then select the Block Policy Inheritance check box to

prevent that object from inheriting group policy settings from its parent objects.

Creating a Container Hierarchy

Instead of manually linking your GPOs to the various organizational unit objects in

your Active Directory tree, you can also create a hierarchy of organizational unit

objects, as shown in Figure 9-13. In this figure, you see the Members organizational

unit, with the role-specific organizational units beneath it.

An organizational unit hierarchy

As with most tree hierarchies in Windows operating systems, the properties of a parent

object are passed down to the child objects beneath it. Therefore, when you create a

GPO and link it to the Members container, not only the computer objects in Members

receive the policy settings from the GPO; all the computers in the role-specific organi­

zational units receive these settings.

Note The one exception to the rule of group policy inheritance is that subdomains do not

inherit group policy settings from their parent domains.

Tip If you plan to create a hierarchy of organizational units that includes domain controllers

in one of the role-specific containers, you will not be able to move the Domain Controllers

organizational unit object that Windows Server 2003 creates automatically at domain cre­

ation to another location in the tree. However, you can create a new organizational unit object

in the hierarchy and move the computer objects there from the Domain Controllers container.

To create security configurations for the servers in the role-specific organizational units,

you create a new GPO for each container. When you do this, the policy settings in the

GPOs linked to the role-specific containers take precedence over the settings for the

same policies in the parent container’s GPO. The rules governing the combination of

inherited and direct policy settings are as follows:

If the parent container’s GPO contains a policy setting, and the same policy is

undefined in the child container’s GPO, the objects in the child container use the

setting from the parent GPO.

If the child container’s GPO contains a policy setting, and the same policy is unde­

fined in the parent container’s GPO, the objects in the child container use the set­

ting from the child GPO.

If the parent container’s GPO contains a policy setting, and the same policy has a

different setting in the child container’s GPO, the objects in the child container use

the setting from the child GPO.

Real World GPO Combination

When you apply multiple GPOs to a container, whether with multiple links or

with a hierarchical GPO arrangement, it is important to understand the difference

between an undefined policy and an explicit policy setting. An undefined policy

is not necessarily the same as a Disabled setting. When you leave a policy unde­

fined in the GPO, the computers to which that GPO applies use the operating sys­

tem’s default setting, which might be Enabled, Disabled, or something else,

depending on the policy. If you define a policy with an Enabled value in the par­

ent container’s GPO, you must explicitly define the same policy in the child con­

tainer’s GPO to assign it a different value, even if that value is the same as the

Windows Server 2003 default setting.

Practice: Deploying Multiple GPOs

In this practice, you use two different methods to combine the policies in the GPOs

you created for the Member Servers and Domain Controllers organizational units in the

practices for Lessons 1 and 2 of this chapter. First, you link both GPOs to a single con­

tainer and modify the order in which the system applies them. Then, you create a hier­

archy of organizational units and use group policy inheritance to combine policy

settings.

Bạn đang xem 3. - MICROSOFT PRESS MCSA MCSE SELF PACED TRAINING KIT EXAM 70 293 PHẦN 6 PPTX

receive the policy settings from the GPO; all the computers in the role-specific organi

organizational unit object that Windows Server 2003 creates automatically at domain cre

If the child container’s GPO contains a policy setting, and the same policy is unde

fined in the parent container’s GPO, the objects in the child container use the set

is not necessarily the same as a Disabled setting. When you leave a policy unde

fined in the GPO, the computers to which that GPO applies use the operating sys

depending on the policy. If you define a policy with an Enabled value in the par

ent container’s GPO, you must explicitly define the same policy in the child con

practices for Lessons 1 and 2 of this chapter. First, you link both GPOs to a single con

tainer and modify the order in which the system applies them. Then, you create a hier