Active Directory Users & Computers, Group Policies
Users & Computers
Domains
- domain
- trusted domains, trusting domains
- subdomains
- tree of domains
- forest of trees

Groups
Groups in Active Directory are directory objects that reside within a domain and organizational unit container objects. Active Directory provides a set of default groups upon installation, and also allows the option to create groups.
A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit (objects of DAC).
Objects are distributed to several groups according to the object's missions.
A user group is a collection of user accounts that all have the same security rights. User groups are also sometimes referred to as security groups.
Domain Local
Global
Universal
- can be used in trusting domains
- contains users, groups, and computers from any domain in the forest

mmc - File - Add/Remove Snap-in... - Active Directory Users and Computers
- Builtin
- Users
- Domain Users
- Guests
- Administrators
- Computers
- Users
Almost 50 predefined objects

User/Group Session Description

Account Operators: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

Administrator: A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.

Administrators: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.

Anonymous: A user who has logged on anonymously.

Authenticated Users: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
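The defaults described above can be checked against a live domain. The following PowerShell is an added example, not part of the original slides; it assumes the ActiveDirectory module (RSAT), English group names, and an expected-member list built only from the descriptions above.

```powershell
# Added example: compare built-in privileged groups with the defaults described above.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Expected direct members, taken from the slide text; adjust for your own domain.
# Group names are the English defaults and may be localized.
$expected = @{
    'Account Operators' = @()
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
}

foreach ($name in $expected.Keys) {
    # Direct members show nested groups such as Domain Admins.
    $direct = @(Get-ADGroupMember -Identity $name)
    # -Recursive expands nested groups to the accounts that effectively hold the rights.
    $effective = @(Get-ADGroupMember -Identity $name -Recursive)
    # Anything not on the expected list deserves a review.
    $unexpected = @($direct | Where-Object { $expected[$name] -notcontains $_.SamAccountName })

    [pscustomobject]@{
        Group            = $name
        DirectMembers    = ($direct.SamAccountName | Sort-Object) -join ', '
        EffectiveMembers = $effective.Count
        UnexpectedDirect = ($unexpected.SamAccountName | Sort-Object) -join ', '
    }
}
```

A non-empty UnexpectedDirect column for Account Operators means the group no longer matches its empty default and its members can manage accounts in most containers.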
users
Organizational units
Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units.
- An organizational unit mirrors the organization's functional or business structure.
- An organizational unit cannot contain objects from other domains.
- Can be linked to Group Policies.

Group Policy
Bulk configuration of policy for
- the Windows system (approx. 3500 configuration items)
- its components
- various other products: Microsoft Office, Google Chrome...

Group Policy Editor
- editor of the local "Group Policy" object: gpedit.msc
- editor of "Group Policy" objects stored in Active Directory
  - DC - Server Manager - Tools - Group Policy Management - Edit
  - remote - Remote Server Administration Kit - Group Policy Management - Edit

Computer + User
- Computer Configuration applies to all users who log on to the given computer
- User Configuration is applied on all computers in the domain where the given user logs on
- about 3/4 of the items are the same

Software Settings
Software installation using MSI packages, dialog Deploy Software
- Publish
- Assign
- Advanced
- uninstall when out of the management scope

Windows Settings
- DNS
- Startup/Shutdown scripts
- Deployed Printers
- Security Settings
- QoS

Security Settings
- Account policies
- Local Policies - Audit, User Rights, Security
- File System
- Registry
- Software Restriction Policies
- Application Control Policies (AppLocker)
- Public Key Policies
- Windows Firewall with Advanced Security
- IP Security Policies (IPSec)

Administrative Templates
Policy definitions (ADMX files)
- Control Panel
- Network
- Printers
- Server (backup restrictions)
- Start Menu and Taskbar (W8.1 Update 2)
- System
- Windows Components
- Internet Explorer
- Bitlocker
- Mobility Center
- Windows Update...
- Office

Preferences
Preferences make it possible to deploy settings to client computers without restricting the users from changing the settings (Windows Server 2008,...)
- Windows Settings
  - Environment
  - Files
  - Folders
  - Ini Files
  - Registry
  - Network Shares
- Control Panel Settings

Forest
Group Policy Management
- Domains
  - domain.enterprise.com
    - Default Domain Policy
    - other global domain policies
    - organizational units
    - Group Policy Objects
- Sites
- Group Policy Modeling
- Group Policy Results
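The same tree of domain, organizational units and linked policy objects can be read from PowerShell. This is an added example, not part of the original slides; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) and covers domain and OU links only, not site links.

```powershell
# Added example: report which GPOs are linked to the domain and to each OU.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and domain read access.
Import-Module ActiveDirectory, GroupPolicy

# Link targets: the domain root plus every organizational unit.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                ForEach-Object { $_.DistinguishedName })

$links = foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Target             = $dn
            Order              = $link.Order       # processing order at this target
            Gpo                = $link.DisplayName
            GpoId              = $link.GpoId
            Enabled            = $link.Enabled     # a disabled link applies nothing
            Enforced           = $link.Enforced    # enforced links override lower levels
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }
}
$links | Sort-Object Target, Order |
    Format-Table Target, Order, Gpo, Enabled, Enforced, InheritanceBlocked -AutoSize

# GPOs stored in the domain but linked to no domain or OU (site links are not checked).
$linkedIds = @($links.GpoId | Sort-Object -Unique)
Get-GPO -All |
    Where-Object { $linkedIds -notcontains $_.Id } |
    Select-Object DisplayName, GpoStatus, ModificationTime
```

Enforced links and OUs with blocked inheritance are the rows to review first, because they change which settings win at a given computer or user.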
Active Directory
[Diagram: Active Directory and Group Policy Objects (GP)]
Group Policy client-side extensions (CSE)
Group Policy settings are grouped into categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, Software Installation, and the Group Policy preference extensions. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings.
Group Policy preference extensions represent a set of client-side extensions, not a single CSE. Each Group Policy preference extension has rules to process settings.
Fast Logon Optimization and Fast Startup vs. Group Policy

Advanced Group Policy Management
Extension to Group Policy Management (server + client), only in Microsoft Desktop Optimization Pack (Software Assurance)
- Perform offline editing of GPOs so that you can create and test them before you deploy them to a production environment.
- Maintain multiple versions of a GPO in a central archive so that you can roll back if a problem occurs.
- Share the responsibility for editing, approving, and reviewing GPOs among multiple people by using role-based delegation.
- Eliminate the danger of multiple Group Policy administrators overwriting one another's work by using the check-in and check-out capability for GPOs.
- Analyze changes to a GPO, comparing it to another GPO or another version of the same GPO by using difference reporting.
- Simplify creating new GPOs by using GPO templates, storing common policy settings and preference settings to use as starting points for new GPOs.
- Delegate access to the production environment.
- Search for GPOs with specific attributes and filter the list of GPOs displayed.
- Export a GPO to a file so that you can copy it from a domain in a test forest to a domain in a production forest.