Group Policy

From ICO wiki
Revision as of 17:40, 3 October 2010 by Ulaaneot (talk | contribs)
Jump to navigationJump to search

Sellel teemal kirjutab Urmo Laaneots ja see EI OLE VEEL VALMIS


Group Policy tõlgitud eestikeelde võiks tähendada GRUPIPOLIITIKAT. Kuna maailm tunneb seda inglisekeelse terminina, siis kasutangi seda järgnevas tekstis inglisekeelsena.



Mis see on?

Group Policy (edaspidi GP) on reeglite kogum, mis kontrollib kasutaja kontode ja arvuti kontode töökeskkonda. GP pakub Active Directory keskkonnas tsentraliseeritud operatsioonisüsteemi, programmide ja kasutaja seadete haldamist ja konfigureerimist. Teisisõnu GP'ga saab kontrollida mida kasutaja arvutis saab või ei saa teha. GP kasutatakse rohkem ettevõtetes, kuid teda võidakse kasutada ka mujal: koolides ja muudes väiksemates organisatsioonides. GP kasutatakse kõige rohkem turvalisuse tagamisel: näiteks keelatakse kasutajal minna Task Manageri, keelatakse kasutajale mõned kaustad või keelatakse käivitatavate failide alla laadimine ja käivitamine. GP eesmärk Microsofti arvates on vähendada kulutusi, mida tehakse kasutajatoele. GP'd nähti esmakordselt operatsioonisüsteemis Windows 2000 - seda küll koos ZENworks Desktop Management tarkvara pakiga. Alates Windows XP'st kõik järgnevad operatsioonisüsteemid toetavad seda.


GP võrgus:

GP klient opereerib tõmbamise meetodil - aeg ajalt (konfigureeritav 60 ja 120 minuti vahele) ühendub klient serveriga, kust talle jagatakse temale või sisseloginud kasutajale (kui on mõni) vastav nimekiri GP seadeid. GP klient seejärel rakendab need seaded, mis seejärel muudavad operatsioonisüsteemi(osade) käitumist.


GP kohalikus arvutis:

Kohalik Group Policy (KGP) on tavalisem nähe kudas Active Directory GP'd kasutab. Windows Vistast eelnevatel versioonidel, KGP suudab konfigureerida GP kohaliku arvuti jaoks, aga erinevalt Active Directory GP'le (ADGP), ei suuda teha poliitikaid induviduaalsetele kasutajatele arvutis. See tähendab, et KGP'ga määratud poliitikad käivad kõigile kasutajatele. KGP's on ka vähem valikuid kui ADGP'l. Loomulikult saab sellest kõigile kasutajatele mõeldud limiidist mööda pääseda, selleks kasutades registri muutjat (Registry Editor - regedit) ja seal vastavad muudatused teha HKCU või HKU võtmete alt. Nimelt KGP teeb muudatused registris HKLM võtme alt, seetõttu puudutades kõikki kasutajaid. Microsoft pakub rohkem informatsiooni, kuidas Registry Editor'iga GP'sid määrata, TechNet'i portaalis. KGP'd saab kasutada ka domeenis oleval arvutil, samamoodi saab seda ka kasutada Windows XP kodukasutajatele mõeldud (Home Edition) versioonides (õpetus: [1]).

Alates Windows Vista'st on toetatud mitmed KGP'd (Multiple Local Group Policy objects), mis lubavad seadistada GP'sid erinevatele kasutajatele.


Nüüd natukene infot, mis on muutunud GP'siga uue Windowsi (Windows 7'e) tulekuga Vaata videot: [2]


Processing order for policy settings

Group policies are processed in the following order; Local Group Policy objects - This applies to any settings in the computer's local policy (accessed by running gpedit.msc). There is only one local group policy stored per computer. Site - Next the computer processes any group policies that are applied to the site the computer is currently in. If multiple policies are linked to a site these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence. Domain - Any policies applied at the domain level (default domain policy) are processed next. If multiple policies are linked to a site these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence. Organizational Unit - Last group policies assigned to the Organization Unit the computer or user is a member of are processed. If multiple policies are linked to a site these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence. Inheritance - Inheritance can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates a policy that has inheritance blocked by a lower level administrator (domain administrator) this policy will still be processed. [edit]Group Policy Preferences

They are a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[3] Group Policy Preferences adds a number of new configuration items. These items also have number of additional targeting options that can be used to granularly control the application of these setting items. Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003 and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[4] [5] [6] [7] [8] [9] Client Side Extensions are now included in Windows Server 2008, Windows 7 and Windows Server 2008 R2. [edit]Group Policy Management Console

Originally Group Polices were modified using the Group Policy Edit tool that was integrated with Active Directory Users and Computers Microsoft Management Console (MMC) snap-in but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[10][11] [12] [13] [edit]Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function, without disabling lower-level means of accessing it.[14] Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings thus enforcing potentially lower security defaults or even returning arbitrary values.[15]