What is Group Policy?
Group Policy is a tool available to administrators who are running a Windows 2000 or later Active Directory domain. It allows for centralized management of settings on client computers and servers joined to the domain, as well as providing a rudimentary way to distribute software.
Settings are grouped into objects called Group Policy Objects (GPOs). GPOs are linked to an Active Directory organizational unit (OU) and can be applied to users and computers. GPOs cannot be applied to groups directly, although you can use security filtering or item-level targeting to filter policy application based on group membership.
That's cool, what can it do?
Anything.
Seriously, you can do anything you want to users or computers in your domain. There are hundreds of pre-defined settings for things like folder redirection, password complexity, power settings, drive mappings, drive encryption, Windows Update, and so on. Anything that you cannot configure via a pre-defined setting you can control via scripting. Batch and VBScript scripts are supported on all supported clients, and PowerShell scripts can be run on Windows 7 hosts.
Pro tip: You can actually run PowerShell startup scripts on Windows XP and Windows Vista hosts as well, as long as they have PowerShell 2.0 installed. You can make a batch file that calls the script with this syntax:
rem Allow the script on the share to run (see explanation below)
powershell Set-ExecutionPolicy RemoteSigned
rem Run the startup script from the network share
powershell \\server\share\script.ps1
rem Restore the default execution policy
powershell Set-ExecutionPolicy Restricted
The first line allows unsigned scripts from remote shares to be run on that host, and the second line calls the script from the batch file. The third line sets the policy back to Restricted (the default) for maximum security.
How are Group Policy Objects applied?
GPOs are applied in a predictable order. Local policies are applied first; these are the policies set on the local machine via gpedit.msc. Site policies are applied second, domain policies third, and OU policies fourth. If an object is nested inside multiple OUs, the GPOs linked at the OUs closest to the root are applied first.
Keep in mind that if there is a conflict, the last GPO applied "wins." This means, for example, that a policy linked at the OU a computer resides in will win if there is a conflict between a setting in that GPO and one linked at a parent OU.
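The ordering and "last applied wins" rule above, modelled as a small Python simulation. This is an added illustration, not code from the original post: the GPO names, setting names and values are constructed, and the model covers only the plain LSDOU order described here (no Enforced links, Block Inheritance or security filtering).

```python
from dataclasses import dataclass

@dataclass
class GPO:
    """A Group Policy Object: its name plus the settings it configures."""
    name: str
    settings: dict

@dataclass
class Target:
    """Where a user or computer sits: the GPOs linked at each level."""
    local: list      # policies set on the machine itself via gpedit.msc
    site: list
    domain: list
    ou_chain: list   # one list per OU, root-most OU first, the object's own OU last

def apply_order(t):
    """LSDOU: Local, then Site, then Domain, then OUs from the root downward."""
    order = list(t.local) + list(t.site) + list(t.domain)
    for ou_gpos in t.ou_chain:
        order.extend(ou_gpos)
    return order

def resolve(gpos):
    """Last applied wins: a later GPO overwrites a conflicting earlier value.
    Returns setting -> (value, name of the GPO that set it)."""
    result = {}
    for g in gpos:
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

# Constructed scenario (names and settings are made up for this example).
LAB_PC = Target(
    local=[GPO("Local", {"ScreenSaverTimeout": 600})],
    site=[GPO("Site-HQ", {"WSUSServer": "http://wsus-hq"})],
    domain=[GPO("Default Domain Policy", {"ScreenSaverTimeout": 900,
                                           "DriveEncryption": "on"})],
    ou_chain=[
        [GPO("Workstations", {"WSUSServer": "http://wsus-ws",
                              "MapDrive-H": r"\\fs01\home"})],
        [GPO("Lab-101", {"ScreenSaverTimeout": 300})],   # the PC's own OU
    ],
)

def winners(target=LAB_PC):
    """Which GPO won each setting after the full LSDOU pass."""
    return {k: name for k, (_, name) in resolve(apply_order(target)).items()}
```

Running winners() shows that the Lab-101 link beats both the local and domain screensaver values, while the site's WSUS server is overridden by the Workstations OU.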
Logon et Startup Scripts seem cool, how do those work?
A logon or startup script can live on any network share as long as the Domain Users and Domain Computers groups have read access to the share it is on. Traditionally, they reside in \\domain.tld\sysvol, but that is not a requirement.
Startup scripts are run when the computer starts up. They run as the SYSTEM account on the local machine, which means they access network resources as the computer's account. For example, if you wanted a startup script to have access to a network resource on a share with the UNC path \\server01\share1 and the computer's name was WORKSTATION01, you would need to make sure that WORKSTATION01$ had access to that share. Since this script runs as SYSTEM, it can do things like install software, modify privileged sections of the registry, and modify most files on the local machine. For the same reason, only administrators should be able to write to the share the script lives on: whatever ends up in that file runs as SYSTEM on every computer that applies the policy.
Logon scripts run in the security context of the locally logged-on user. Hopefully your users are not administrators, so that means you will not be able to use these to install software or modify protected registry settings.
Logon and startup scripts were a cornerstone of Windows 2003 and earlier domains, but their usefulness has diminished in later releases of Windows Server. Group Policy Preferences gives administrators a much better way to handle drive and printer mappings, shortcuts, files, registry entries, local group membership, and many other things that could previously only be done in a startup or logon script. If you're thinking that you might need a script for a simple task, there is probably a Group Policy setting or preference for it instead. Nowadays, on domains with Windows 7 (or later) clients, only complex tasks require startup or logon scripts.
I found a cool GPO, but it applies to users, and I want it to apply to computers!
Yeah, I know. I've been there. This is especially prevalent in academic labs or other shared-computer scenarios where you want some of the user policies for printers or similar resources to be based on the computer, not the user. Guess what, you're in luck! You want to enable the GPO setting for Group Policy Loopback Mode.
You're welcome.
You said I can use this to install software, right?
Yep, you can. There are some caveats, though. The software must be in MSI format, and any modifications to it must be in an MST file. You can make an MST with software like Orca or any other MSI editor. If you do not make a transform, your end result will be the same as running msiexec /i <path to software> /q
The software is also only installed at startup, so it's not a very fast way of distributing software, but it's free. In a low-budget lab environment, I made a scheduled task (via GPO) that reboots each lab computer at midnight with a random 30 minute offset. This ensures that software is, at most, one day out of date in those labs. Still, software like SCCM, LANDesk, Altiris, or anything else that can "push" software on an on-demand basis is preferable.
How often is it applied?
Clients refresh their Group Policy Objects every 90 minutes with a 30 minute randomization. That means that, by default, there can be up to a 120 minute wait. Also, some settings, like drive mappings, folder redirection, and file preferences, are only applied at startup or logon. Group Policy is meant for long-term planned management, not for instant quick-fix situations.
Domain Controllers refresh their policy every five minutes.