Group Policy
Group Policy settings allow you to define the customizations and restrictions applied to the operating system, desktop environment, and applications for users, such as language settings, custom dictionaries, accessibility, desktop configurations, and other user preferences and restrictions. You can use Group Policy settings to grant and deny users the ability to customize their own computing environments.

For centralized control of workstations, you should apply Group Policy settings by using Active Directory tools. In addition, each computer has one local Group Policy object that can be used outside an Active Directory domain. When you use Group Policy with Active Directory, you can precisely adjust Group Policy settings on computers and users by using security groups to filter Group Policy objects.
This section compares Windows NT 4.0 Workstation System Policy Editor with Windows 2000 Professional Group Policy, describes how to set Group Policy settings on individual workstations, alerts you to migration issues when you move individual workstations to a Windows 2000 Server network, describes where local Group Policy settings are stored and how they are enforced, and points you to resources where you can find more information about Group Policy in a Windows 2000 Server environment.

It is important to understand the difference between local Group Policy, which is set on an individual computer, and centrally managed Group Policy, which is implemented by using Windows 2000 Server with Active Directory. The following sections primarily describe how to use local Group Policy settings on a computer that is not managed by Windows 2000 Server.
IMPORTANT
You cannot use security groups to filter Group Policy objects when you use local Group Policy on an individual computer.
For more information about planning and deploying Windows 2000 Server Active Directory and Group Policy, see "Active Directory Logical Structure" and "Group Policy" in the Distributed Systems Guide.
IMPORTANT
Group policy settings take precedence over user settings.
NOTE
The Microsoft® Internet Explorer Administration Kit 4.0 in the Microsoft® Internet Explorer 4.0 Resource Kit is used to control some desktop configuration settings on Windows 95 or Windows 98. You should not use Microsoft® Internet Explorer Administration Kit 5 to configure Group Policy on computers that are running Windows 2000 Professional. You should use Group Policy only to control configuration options.
Using Local Group Policy on Individual Computers
Although it is not recommended in large organizations, there might be instances when you need to deploy Group Policy on computers that are not managed in a Windows 2000 Server Active Directory domain.

On a computer running Windows 2000 Professional, local Group Policy objects are located at %SystemRoot%\System32\GroupPolicy. You can use the following sets of Group Policy settings when the Group Policy snap-in is used on the local computer:

- Security settings. Defines security settings only for the local computer, not for a domain or network.
- Administrative Templates. These Group Policy settings allow you to set more than 450 operating system behaviors.
- Scripts. Allows you to specify scripts to automate what happens at computer startup and shutdown and when the user logs on and off.

For more information about the Group Policy settings you can set in these categories, see the chapters in this book about the type of configuration setting in which you are interested. For example, to learn about Group Policy settings that affect desktop settings, see "Customizing the Desktop" in this book. For complete details about specific Group Policy settings, use the Explain tab on the Properties page of each Group Policy setting; or refer to "Group Policy Reference" on the Windows 2000 Resource Kit companion CD.

To manage Group Policy on local computers, you must have administrative rights on those computers. You can open the Group Policy snap-in by using one of the following procedures.

To gain access to the Group Policy snap-in on the local computer
1. From the Start menu, click Run, and then type:
   MMC
2. Click OK.
3. In the Console menu of the MMC window, click Add/Remove Snap-in.
4. On the Stand-alone tab, click Add.
5. In the Add Snap-in dialog box, click Group Policy, and then click Add.
6. When the Select Group Policy Object dialog box appears, click Local Computer to edit the local Group Policy object.
7. Click Finish.
8. Click Close, and then click OK. The Group Policy snap-in opens with its focus on the local Group Policy object.
If you want to open the Group Policy snap-in for setting Group Policy on a remote computer, you must do it when the extension is added to an MMC console file or do it as a command line option.
To gain access to the Group Policy snap-in on remote computers
NOTE
To use the Group Policy snap-in on a remote computer, you must have administrative rights on both computers and the remote computer must be part of the namespace.
1. On the Start menu, click Run, and type:
   MMC
   – Or –
   Open an existing saved console (such as Console1.mmc).
2. In the Console menu of the MMC window, click Add/Remove Snap-in.
3. On the Stand-alone tab of the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. The Group Policy Object option in the Select Group Policy Object dialog box is, by default, set to Local Computer.
5. Click Browse. On the Computers tab, select the Another computer option.
6. Either type in the name of the remote computer, or click Browse to locate the remote computer. You can use the Look in drop-down list box to select the domains to which you have access.
NOTE
The Security Settings extension does not support remote management for local policy in Windows 2000.
Computer Name Formats
The supported computer name formats are as follows:
- NetBIOS names, for example, %ComputerName%.
- DNS-style names, for example, %ComputerName.Microsoft.com%.
Starting the Group Policy Snap-in by Using Command Line Options
The Group Policy snap-in can be started with either of the following two command line switches.

Gpcomputer Command Line Switch
You can use the gpcomputer command line switch by using either the NetBIOS name or the DNS name of the destination computer. The NetBIOS syntax is as follows:
gpedit.msc /gpcomputer:"computername"
The DNS syntax is as follows:

Gpobject Command Line Switch
You can use the gpobject command line switch with an Active Directory Services Interface (ADSI) path. The syntax for this command line switch is as follows:
/gpobject:"ADSI path"
This is illustrated in the following example:
gpedit.msc /gpobject:"LDAP://CN={GUID of the GPO},CN=Policies,CN=System,DC=Microsoft,DC=com"
For these command line options to work with a saved console file, you must select the check box titled Allow the focus of the Group Policy snap-ins to be changed when launching from the command line. This only applies if you save the console. The Gpedit.msc file is saved with this option on.
Security Considerations
Local Group Policy does not allow you to apply security filters or to have multiple sets of Group Policy objects, unlike Active Directory–based Group Policy objects. You can, however, set Discretionary Access Control Lists (DACLs) on the %SystemRoot%\System32\GroupPolicy folder so that specified groups are either affected or are not affected by the settings contained within the local Group Policy object. This option is useful if you have to control and administer computers that are used in situations such as kiosk environments, where the computer is not connected to a local area network (LAN). Unlike Group Policy administered from Active Directory, the local Group Policy object uses only the Read attribute, which makes it possible for the local Group Policy object to affect ordinary users but not local administrators. The local administrator can first set the policy settings he or she wants and then set the DACLs on the local Group Policy object directory so that administrators as a group no longer have Read access. For the administrator to make subsequent changes to the local Group Policy object, he or she must first take ownership of the directory to give him or herself Read access, make the changes, and then remove Read access.
IMPORTANT
After you make changes to the Group Policy object, remember to remove Read access for the group in which you are a member. If you fail to remove Read access, it can be difficult, if not impossible, to gain access to the Group Policy object.
Setting Local Group Policy Settings
You can apply local Group Policy settings to the computer configuration or to the user configuration.

Computer Configuration. Includes all computer-related Group Policy settings that specify operating system behavior, desktop behavior, application settings, security settings, computer-assigned application options, and computer startup and shutdown scripts. Computer-related Group Policy settings are applied when the operating system initializes and during the periodic refresh cycle.

User Configuration. Includes all user-related Group Policy settings that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related Group Policy settings are applied when a user logs on to the computer and during the periodic refresh cycle.

By default, Group Policy settings are set to Not Configured. You can choose to select the Enable or Disable option for each Group Policy setting.
NOTE
If you use local Group Policy settings initially and then make the computer a member of a domain that has Group Policy settings implemented, local Group Policy settings are processed first, and domain-based Group Policy settings are processed next. If there is a conflict between the settings, the domain Group Policy setting prevails. However, if a computer subsequently leaves the domain, local Group Policy settings reapply.
IMPORTANT
If you deploy Windows 2000 Professional in an unmanaged environment and later want to move Windows 2000 Professional computers into a managed Active Directory domain, you might have to reinstall the operating system and applications to ensure that unauthorized changes have not been made to the system configuration.
If a local Group Policy setting is configured for Enabled or Disabled and the Active Directory Group Policy setting is set to Not Configured, the local Group Policy setting prevails on that computer.
Viewing Group Policy Settings
You can view the Group Policy settings in effect on a computer by using the GPResult.exe file that is available on the Microsoft® Windows® 2000 Professional Resource Kit companion CD. This tool gives you information about both domain and local Group Policy settings. This command-line tool displays information about the Group Policy settings on the computer and the user who is logged on.

GPResult.exe provides the following general information.

Operating System
- Type (Professional, Server, Domain Controller).
- Build number and Service Pack details.
- Whether Terminal Services is installed and, if so, the mode it is using.
User Information
- User name and location in Active Directory (if applicable).
- Domain name and type (Windows 2000 or Windows NT).
- Site name.
- Whether the user has a local or roaming profile and location of the profile.
- Security group membership.
- Security privileges.
Computer Information
- Computer name and location in Active Directory (if applicable).
- Domain name and type (Windows 2000 or Windows NT).
- Site name.
GPResult also provides the following information about Group Policy:
- The last time Group Policy was applied and the domain controller that applied the Group Policy, both for the user and for the computer.
- The complete list of applied Group Policy objects and their details, including a summary of the extensions that each Group Policy object contains.
- Registry settings that were applied and their details.
- Folders that are redirected and their details.
- Software management information with details about assigned and published applications.
- Disk quota information.
- Internet protocol security settings.
- Scripts.
NOTE
Gpresult.exe does not display information about Internet Explorer Maintenance Group Policy settings.
Extensions to the Group Policy Snap-in
The Group Policy snap-in includes several snap-in extensions. A Group Policy snap-in extension can extend either or both of the User or Computer Configuration nodes in either the Windows Settings node or the Software Settings node. Most of the snap-in extensions extend both of these nodes, but frequently with different options. The local Group Policy snap-in extensions include the following components:

Administrative Templates. These include registry-based Group Policy settings, which you use to mandate the registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications. Administrative templates are stored in the Gptext.dll file.

Security Settings. You can use the Security Settings extension to define security configuration for computers. You can define local computer, domain, and network security settings. Security settings are stored in the Wsecedit.dll file.

Scripts. You can use scripts to automate computer start up and shut down and the user logon and logoff process. For these purposes, you can use Windows Script Host to include Microsoft® Visual Basic® Scripting Edition programming system (VBScript), and Microsoft® JScript® programming system type scripts. Scripts are stored in the Gptext.dll file.

The following snap-ins are available only in an Active Directory domain.

Software Installation. You use the Software Installation snap-in to centrally manage software in your organization. You can assign and publish software for groups of users and computers. The Software Installation snap-in is stored in the Appmgr.dll file.

Folder Redirection. The Folder Redirection snap-in allows you to redirect special folders to the network. Folder redirection information is stored in the Fde.dll file.

Internet Explorer Maintenance. Use Internet Explorer Maintenance to define and manage Internet Explorer Group Policy settings.
Administrative Templates
The Administrative Templates folder contains Group Policy settings that manage a variety of Windows 2000 features, components, and services. The settings are stored in an administrative template (.adm) file.

The .adm file is a text file that consists of a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy snap-in user interface. It also indicates the registry locations of a particular selection, specifies any options or restrictions (in values) that are associated with the selection, and in some cases, specifies a default value to use if a selection is activated.

Windows 2000 includes three .adm files—System.adm, Inetres.adm, and Conf.adm—which contain all the settings initially displayed in the Administrative Templates node. The Administrative Templates node of the Group Policy snap-in can be extended by using custom .adm files. However, unlike other Group Policy snap-in extensions, it is not extensible by an MMC snap-in extension.
Local Group Policy Objects
A local Group Policy object exists on every computer, and, by default, only nodes under Security Settings are configured; settings in other parts of the local Group Policy object's namespace are set to Not Configured. The local Group Policy object is stored in %SystemRoot%\System32\GroupPolicy, and it has the following ACL permissions:
- Administrators: full control
- Operating system: full control
- User: read
Gpt.ini File
At the root of each Group Policy template folder is a file called Gpt.ini. For local Group Policy objects, the Gpt.ini file stores information that indicates the following:
- Which client-side extensions of the Group Policy snap-in contain User or Computer data in the Group Policy object.
- Whether the User or Computer portion is disabled.
- Version number of the Group Policy snap-in extension that created the Group Policy object.

The local Group Policy object Gpt.ini file can contain the following information.

GPCUserExtensionNames. This includes a list of globally unique identifiers (GUIDs) that tells the client-side engine which client-side extensions have User data in the Group Policy object. The format is the following:
[{<GUID of client-side extension>}{<GUID of MMC extension>}{<GUID of

GPCMachineExtensionNames. This includes a list of GUIDs that tells the client-side engine which client-side extensions have Computer data in the Group Policy object.

Options. This refers to Group Policy object options such as User portion disabled or Computer portion disabled.

GPCFunctionalityVersion. This is the version number of the Group Policy extension tool that created the Group Policy object.
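As an added example (not part of the Resource Kit text), the following Python parses a constructed local Gpt.ini: it splits the GPCUserExtensionNames and GPCMachineExtensionNames lists into client-side extension GUIDs with their MMC extension GUIDs and decodes Options so you can see which extensions will actually process data. The GUIDs in the sample are made up, and the meaning of the Options bits (1 = User portion disabled, 2 = Computer portion disabled) is an assumption borrowed from the bit layout of the Group Policy object flags attribute.

```python
"""Parse a local Group Policy object's Gpt.ini (added example)."""
import configparser
import re

# Constructed sample Gpt.ini. The GUIDs are made up for illustration; a real
# file carries the registered GUIDs of the extensions that wrote data.
SAMPLE_GPT_INI = """\
[General]
gPCUserExtensionNames=[{11111111-1111-1111-1111-111111111111}{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}]
gPCMachineExtensionNames=[{11111111-1111-1111-1111-111111111111}{BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}][{22222222-2222-2222-2222-222222222222}{CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCCCCCC}{DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD}]
Options=2
gPCFunctionalityVersion=2
"""

# Assumed meaning of the Options bits (same layout as the GPO flags attribute).
OPTION_USER_DISABLED = 0x1
OPTION_MACHINE_DISABLED = 0x2

_GROUP_RE = re.compile(r"\[([^\]]*)\]")          # one [...] group per CSE
_GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")  # {xxxxxxxx-xxxx-...}


def parse_extension_names(text):
    """Turn '[{CSE}{MMC ext}...][{CSE}{MMC ext}]' into {cse_guid: [mmc_guids]}.

    The first GUID in each bracket group is the client-side extension; any
    GUIDs that follow are the MMC snap-in extensions that edit its data."""
    result = {}
    for group in _GROUP_RE.findall(text or ""):
        guids = [g.upper() for g in _GUID_RE.findall(group)]
        if not guids:
            raise ValueError("bracket group without GUIDs: %r" % group)
        result[guids[0]] = guids[1:]
    return result


def parse_gpt_ini(text):
    """Read the [General] section and decode the fields described in the text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("General"):
        raise ValueError("Gpt.ini has no [General] section")
    general = cp["General"]           # option lookups are case-insensitive
    options = int(general.get("Options", "0"))
    return {
        "user_extensions": parse_extension_names(general.get("gPCUserExtensionNames", "")),
        "machine_extensions": parse_extension_names(general.get("gPCMachineExtensionNames", "")),
        "user_disabled": bool(options & OPTION_USER_DISABLED),
        "machine_disabled": bool(options & OPTION_MACHINE_DISABLED),
        "functionality_version": int(general.get("gPCFunctionalityVersion", "0")),
    }


def extensions_with_data(gpo):
    """Client-side extensions that will run: a disabled portion is skipped entirely."""
    run = {}
    if not gpo["user_disabled"]:
        run["user"] = sorted(gpo["user_extensions"])
    if not gpo["machine_disabled"]:
        run["machine"] = sorted(gpo["machine_extensions"])
    return run


if __name__ == "__main__":
    gpo = parse_gpt_ini(SAMPLE_GPT_INI)
    for portion, cses in extensions_with_data(gpo).items():
        print(portion, cses)
```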
Group Policy Folder
The local Group Policy folder contains the following subfolders:

Adm. Contains the .adm files for the Group Policy template.

User. Includes the Registry.pol file, which contains the registry settings that apply to users. When a user logs on to the computer, the Registry.pol file downloads and applies to the HKEY_CURRENT_USER portion of the registry. The User folder contains the following subfolders:
- Microsoft\IEAK contains settings for the Internet Explorer Maintenance snap-in.
- Scripts\Logoff contains scripts that run when the user logs off the computer.
- Scripts\Logon contains scripts that run when the user logs on to the computer.

Machine. Includes the Registry.pol file, which contains the registry settings that apply to the computer. When the computer initializes, the Registry.pol file downloads and applies to the HKEY_LOCAL_MACHINE portion of the registry. The Machine folder contains the following subfolders:
- Microsoft\Windows NT\SecEdit contains the security settings file Gpttmpl.inf.
- Scripts\Shutdown contains scripts that run when the computer shuts down.
- Scripts\Startup contains scripts that run when the computer starts up.
NOTE
The User and Machine folders are created when Windows 2000 Professional is installed. Other folders are created as Group Policy settings are set.
Registry.pol Files
The Administrative Templates extension of Group Policy saves information in the Group Policy template in Registry.pol files. These files contain the customized registry settings that you specify (by using the Group Policy snap-in) to be applied to the Machine (HKLM) or User (HKCU) portion of the registry. The Windows 2000 Registry.pol file is analogous to the Windows 95 or Windows 98 Config.pol file and the Windows NT 4.0 NTConfig.pol file.
NOTE
Two Registry.pol files are created and stored in the Group Policy template, one for Computer Configuration, which is stored in the Machine subdirectory, and one for User Configuration, which is stored in the User subdirectory.

The .pol files that are created by Windows NT 4.0 and Windows 95 can be applied only to the operating system on which they were created. The .pol file produced by the Windows NT 4.0 System Policy Editor is a binary file, whereas the Registry.pol file produced by the Administrative Templates node of the Group Policy snap-in is a text file with embedded binary strings.

To view the effect of a Registry.pol file on a Windows 2000 Professional workstation, use Gpresult.exe /s or Gpresult.exe /v after the Registry.pol file is applied.

For more information about Registry.pol files, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/resKit/webresources.
The format of the .pol files in the Group Policy template differs from that of previous versions of Windows NT and Windows 95 operating systems.
System Policy Editor
Although System Policy Editor (Poledit.exe) is largely replaced by Group Policy, it is still useful in some circumstances, such as the following:

For Managing Computers That Are Running Windows 95 or Windows 98
You must run the Windows 2000 version of System Policy Editor locally on computers running Windows 98 or Windows 95 to create Config.pol files that are compatible with the local operating system.

For Managing Computers That Are Running Windows NT 4.0 Workstation or Windows NT 4.0 Server
These computers also need their own version of the .pol file (Ntconfig.pol).

For Managing Windows 2000–based Computers That Are Not Connected to a Windows 2000 Server Network
A Windows 2000–based computer that is not joined to any domain is not subject to Group Policy settings by way of Active Directory. The only Group Policy settings that apply to such a computer are those associated with local Group Policy, which contains settings that are applied to that computer and all of its users.

It is possible to provide settings for multiple users by using System Policy Editor to create an Ntconfig.pol file. For information about distributing the Ntconfig.pol file, see the "Implementing Profiles and Policies for Windows NT 4.0" link on the Web Resources page at http://windows.microsoft.com/windows2000/resKit/webresources.

You should use only the Group Policy settings that are intended for use with Windows 2000 Professional (System.adm, Inetres.adm, and Conf.adm), which install by default with the Group Policy snap-in. To prepare these files for use with System Policy Editor, remove the #if ver constructs from the files. Otherwise, the policy settings will not display in the file.
NOTE
Although earlier versions of System Policy Editor work only with ASCII-encoded .adm files, Group Policy in Windows 2000 also supports Unicode-encoded .adm files.
You can use Windows 2000 .adm files only in the System Policy Editor (Poledit.exe) that is included with Windows 2000.
Windows NT 4.0 and Windows 2000 Policy Comparison
Windows NT 4.0 introduced the System Policy Editor (Poledit.exe), a tool that you use to specify user and computer configurations that it stores in the Windows NT registry. With the System Policy Editor, you control the user work environment and enforce system configuration settings for all domain computers running Windows NT 4.0 Workstation or Windows NT 4.0 Server. System Policy settings are registry settings that define the behavior of various components of the desktop environment.

In Windows 2000, you can create a specific desktop configuration for a particular group of users and computers by using the Group Policy snap-in. For Windows 2000–based clients, the Group Policy snap-in almost entirely supersedes the System Policy Editor. It allows management of desktop configurations for large, possibly nested, and even overlapping groups of computers and users. Group Policy objects that are not local work by being linked to any number of sites, domains, or organizational units in Active Directory.

System Policy in Windows NT 4.0, Windows 95, and Windows 98
The System Policy settings you specify with System Policy Editor (Poledit.exe) have these characteristics:
- They are applied to domains.
- They can be further controlled by user membership in security groups.
- They are not secure. They can be changed by a user with the registry editor (Regedit.exe).
- They overwrite user preferences.
- They persist in users' profiles, sometimes beyond their useful lives. After a registry setting is set using Windows NT 4.0 system policy, the setting persists until the specified policy setting is reversed or the user edits the registry.
- They are limited to administratively mandated desktop behavior that is based on registry settings.
With more than 110 security-related settings and more than 450 registry-based settings, Windows 2000 Group Policy provides you with a broad range of options for managing the user's computing environment. Windows 2000 Group Policy has these characteristics:
- It can be based on Active Directory or defined locally.
- It can be extended by using MMC or .adm files.
- It stores settings in a secure location.
- It does not overwrite user preferences.
- It does not leave settings in the users' profiles when the effective policy is changed.
- It can be applied to users or computers in a specified Active Directory container (sites, domains, and organizational units).
- It can be further controlled by user or computer membership in security groups.
- It can be used to configure many types of security settings.
- It can be used to apply logon, logoff, startup, and shutdown scripts.
- It can be used to install and maintain software.
- It can be used to redirect folders (such as My Documents and Application Data).
- It can be used to perform maintenance on Internet Explorer.
System policy settings are applied to the user and the computer when the user logs on, whereas Group Policy settings are applied to the computer when the computer starts and to the user when the user logs on. Also, Group Policy settings refresh every 90 minutes by default, with a 30-minute offset.

For more information about setting local security Group Policy settings, see "Security" in this book. For more information about using Group Policy settings, see "Group Policy" in the Distributed Systems Guide; or refer to "Group Policy Reference" on the Windows 2000 Resource Kit companion CD.
Migrating from Windows NT 4.0 to Windows 2000
The effect of persistent registry settings in Windows NT 4.0 can be problematic when a user's group membership changes. An advantage of Windows 2000 Group Policy is that this does not occur. This is because in Windows 2000, registry settings that are written to the following two secure registry locations are removed when a Group Policy object no longer applies:
- Software\Policies
- Software\Microsoft\Windows\CurrentVersion\Policies
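As an added example (not part of the Resource Kit text), the following Python builds a small Registry.pol in the PReg layout that Microsoft documents for these files (the 4-byte "PReg" signature, a version DWORD, then [key;value;type;size;data] records whose brackets, separators, key and value names are UTF-16LE text while type, size and data are binary, which is the "text file with embedded binary strings" described under Registry.pol Files), parses it back, and flags which entries fall under the two policy locations listed above, since only those are cleaned up when the Group Policy object no longer applies. The sample key paths and value names are constructed.

```python
"""Build and parse a Registry.pol file in PReg format (added example)."""
import struct

PREG_SIGNATURE = b"PReg"     # 4 ASCII bytes at offset 0
PREG_VERSION = 1             # little-endian DWORD at offset 4
REG_SZ = 1
REG_DWORD = 4

# The two policy locations named in the text (relative to HKLM or HKCU).
# Values written there are removed when the GPO no longer applies; values
# written elsewhere persist ("tattoo") like Windows NT 4.0 system policy.
POLICY_ROOTS = (
    "Software\\Policies",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies",
)

# Constructed sample entries: (key, value name, type, data). Names are made up.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\Desktop", "SampleDword", REG_DWORD, 1),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Example", "Flag", REG_DWORD, 0),
    ("Software\\Example\\Preferences", "Greeting", REG_SZ, "hello"),
]

_SEP, _OPEN, _CLOSE = (c.encode("utf-16-le") for c in ";[]")


def _u16z(text):
    """UTF-16LE string plus its terminating NUL, as stored in the .pol file."""
    return text.encode("utf-16-le") + b"\x00\x00"


def encode_data(reg_type, value):
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)
    if reg_type == REG_SZ:
        return _u16z(value)
    raise ValueError("unsupported registry type %d" % reg_type)


def build_registry_pol(entries):
    """Serialize entries as PReg: header, then [key;value;type;size;data] records."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, name, reg_type, value in entries:
        data = encode_data(reg_type, value)
        out += _OPEN + _u16z(key) + _SEP + _u16z(name) + _SEP
        out += struct.pack("<I", reg_type) + _SEP + struct.pack("<I", len(data)) + _SEP
        out += data + _CLOSE
    return bytes(out)


def _read_u16z(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def is_policy_location(key):
    """True when the key lives under one of the two cleaned-up policy roots."""
    k = key.lower()
    return any(k == r.lower() or k.startswith(r.lower() + "\\") for r in POLICY_ROOTS)


def parse_registry_pol(buf):
    """Parse a Registry.pol blob; anything without the PReg header is rejected."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file (missing PReg signature)")
    version, = struct.unpack_from("<I", buf, 4)
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    entries, pos = [], 8
    while pos < len(buf):
        if buf[pos:pos + 2] != _OPEN:
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = _read_u16z(buf, pos + 2)
        name, pos = _read_u16z(buf, pos + 2)          # pos + 2 skips ';'
        reg_type, = struct.unpack_from("<I", buf, pos + 2)
        size, = struct.unpack_from("<I", buf, pos + 8)
        pos += 14                                      # ';' type ';' size ';'
        data, pos = buf[pos:pos + size], pos + size
        if buf[pos:pos + 2] != _CLOSE:
            raise ValueError("expected ']' at offset %d" % pos)
        pos += 2
        if reg_type == REG_DWORD:
            value = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            value = data.decode("utf-16-le").rstrip("\x00")
        else:
            value = data
        entries.append({"key": key, "value_name": name, "type": reg_type,
                        "data": value, "is_policy_location": is_policy_location(key)})
    return entries
```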
For more information about using Windows 2000 Professional in Active Directory environments, see "Introducing Windows 2000 Deployment Planning" in the Deployment Planning Guide.