Group Policy

From ICO wiki
Revision as of 18:32, 3 October 2010

This topic is written by Urmo Laaneots.

Group Policy translated into Estonian could be called GRUPIPOLIITIKA. Since the world knows it by its English term, I use the English term in the text that follows.

<---------------------------------------->
What is it?

Group Policy (hereafter GP) is a set of rules that controls the working environment of user accounts and computer accounts. In an Active Directory environment GP provides centralized management and configuration of the operating system, applications and user settings. In other words, GP lets you control what a user can or cannot do on a computer. GP is used mostly in companies, but it can also be used elsewhere: in schools and other smaller organizations. GP is used most of all to enforce security: for example, the user is prevented from opening Task Manager, some folders are made off limits to the user, or downloading and running executable files is blocked. In Microsoft's view the purpose of GP is to reduce the cost of user support. GP was first seen in the Windows 2000 operating system, though together with the ZENworks Desktop Management software package. All operating systems from Windows XP onward support it.

<----------------------------------------> GP on the network:

The GP client operates on a pull model: from time to time (configurable between 60 and 120 minutes) the client connects to the server, which hands it the list of GP settings that apply to the computer or to the logged-in user (if there is one). The GP client then applies these settings, which in turn change the behaviour of (parts of) the operating system.

<----------------------------------------> GP on the local computer:

Local Group Policy (LGP) is a more basic form of the GP used by Active Directory. On versions before Windows Vista, LGP can configure GP for the local computer, but unlike Active Directory GP (ADGP) it cannot make policies for individual users on the computer. This means that policies set with LGP apply to all users. LGP also has fewer options than ADGP. Naturally this all-users limitation can be worked around by using the Registry Editor (regedit) and making the corresponding changes under the HKCU or HKU keys. The reason is that LGP writes its changes to the registry under the HKLM key, which therefore affects all users. Microsoft provides more information on setting GPs with the Registry Editor on the TechNet portal. LGP can also be used on a computer that is joined to a domain, and it can likewise be used on the Windows XP Home Edition versions (tutorial: [http://technet.microsoft.com/en-us/library/bb457072.aspx]).

Since Windows Vista, Multiple Local Group Policy objects are supported, which allow GPs to be configured for different users.
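The two sections above make two concrete claims: the client pulls its settings on a configurable interval, and local policy lands under HKLM (all users) while per-user policy lands under HKCU or HKU. The script below is an added audit example written for this page; it is not code from the wiki author or from Microsoft. It reads the registry value behind the "Remove Task Manager" restriction the page mentions (DisableTaskMgr) at every scope where it could be set, and reads the computer refresh-interval values. The value names GroupPolicyRefreshTime and GroupPolicyRefreshTimeOffset are the ones I recall the "Set Group Policy refresh interval for computers" template writing; treat them as an assumption and verify against the template on your system.

```powershell
# Added example for this page (not the page's or Microsoft's code).
# Shows where policy-managed values land in the registry:
#   HKLM      -> machine scope, affects every user (what pre-Vista LGP writes)
#   HKCU      -> the current user only
#   HKU\<SID> -> one specific loaded user profile (per-user policy / MLGPO)
# and reads the computer refresh interval values the pull model uses.

function Get-PolicyValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-TaskMgrPolicyScope {
    # DisableTaskMgr = 1 is the value behind the "Remove Task Manager" policy.
    # One record per scope; a value present only under HKLM affects everyone,
    # a value under a specific HKU\<SID> affects only that user.
    $sub  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $rows = [System.Collections.Generic.List[object]]::new()
    $rows.Add([pscustomobject]@{ Scope = 'HKLM (all users)';    Path = "HKLM:\$sub"; DisableTaskMgr = (Get-PolicyValue "HKLM:\$sub" 'DisableTaskMgr') })
    $rows.Add([pscustomobject]@{ Scope = 'HKCU (current user)'; Path = "HKCU:\$sub"; DisableTaskMgr = (Get-PolicyValue "HKCU:\$sub" 'DisableTaskMgr') })

    # HKU is not a default PowerShell drive; map it so each loaded profile hive can be read.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Loaded profile hives are named by SID (S-1-5-21-...); skip *_Classes hives and built-in SIDs.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $rows.Add([pscustomobject]@{ Scope = "HKU\$sid"; Path = "HKU:\$sid\$sub"; DisableTaskMgr = (Get-PolicyValue "HKU:\$sid\$sub" 'DisableTaskMgr') })
        }
    return $rows
}

function Get-ComputerRefreshInterval {
    # Values written by "Set Group Policy refresh interval for computers"
    # (value names assumed, see lead-in). $null means the policy is not
    # configured and the built-in default interval applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    [pscustomobject]@{
        RefreshMinutes      = Get-PolicyValue $key 'GroupPolicyRefreshTime'
        RandomOffsetMinutes = Get-PolicyValue $key 'GroupPolicyRefreshTimeOffset'
    }
}

Get-TaskMgrPolicyScope      | Format-Table -AutoSize
Get-ComputerRefreshInterval | Format-List
```

Run it from an elevated PowerShell so that other users' loaded hives under HKU are readable. To compare the registry view with what the client actually pulled, `gpresult /r` lists the applied GPOs, and `gpupdate` triggers a pull outside the timer.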

<---------------------------------------->


Processing order for policy settings

Group policies are processed in the following order:

Local Group Policy objects - This applies to any settings in the computer's local policy (accessed by running gpedit.msc). There is only one local group policy stored per computer.
Site - Next the computer processes any group policies that are applied to the site the computer is currently in. If multiple policies are linked at this level they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
Domain - Any policies applied at the domain level (default domain policy) are processed next. If multiple policies are linked at this level they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
Organizational Unit - Last, the group policies assigned to the Organizational Unit the computer or user is a member of are processed. If multiple policies are linked at this level they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
Inheritance - Inheritance can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates an enforced policy and a lower level administrator (domain administrator) blocks inheritance, this policy will still be processed.
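
The order above is easiest to reason about with a concrete set of links. The following toy model is an added example written for this page, not code from the wiki author or from Microsoft, and it does not talk to Active Directory: the links, levels, link orders and settings are constructed sample data. It applies the rules as the list states them (Local, Site, Domain, OU; lowest link order applied last within a level; Block Inheritance drops non-enforced links from above; an enforced link is still applied and wins) and reports both the processing trace and the winning value for each setting.

```powershell
# Added example (not from the page): a toy model of GPO processing order.
# Levels: Local -> Site -> Domain -> OU; later levels overwrite earlier ones.
# Within a level links are applied from the highest LinkOrder number down to 1,
# so LinkOrder 1 is applied last and wins. A container flagged Block Inheritance
# drops non-enforced links from the Site/Domain/OU levels above it (Local policy
# is still processed). Enforced links are never blocked and are applied after all
# other links, higher level last, so an enforced domain link beats a conflicting OU link.

function New-GpoLink {
    param([string]$Name, [string]$Level, [int]$LinkOrder, [hashtable]$Settings, [switch]$Enforced)
    [pscustomobject]@{ Name = $Name; Level = $Level; LinkOrder = $LinkOrder; Enforced = [bool]$Enforced; Settings = $Settings }
}

function Resolve-GpoPrecedence {
    param(
        [Parameter(Mandatory)][object[]]$Links,
        [string[]]$BlockInheritanceAt = @()   # levels whose container has Block Inheritance set
    )
    $levels = @('Local', 'Site', 'Domain', 'OU')

    # Deepest blocking container; non-enforced links above it are dropped.
    $blockIdx = -1
    foreach ($b in $BlockInheritanceAt) {
        $i = [array]::IndexOf($levels, $b)
        if ($i -gt $blockIdx) { $blockIdx = $i }
    }

    $order = [System.Collections.Generic.List[object]]::new()

    # Pass 1: non-enforced links, Local -> OU, highest LinkOrder number first within a level.
    for ($i = 0; $i -lt $levels.Count; $i++) {
        $lvl = $levels[$i]
        $atLevel = @($Links | Where-Object { $_.Level -eq $lvl -and -not $_.Enforced } | Sort-Object LinkOrder -Descending)
        foreach ($link in $atLevel) {
            $blocked = ($i -gt 0) -and ($i -lt $blockIdx)
            $reason  = 'normal'
            if ($blocked) { $reason = "blocked by Block Inheritance at $($levels[$blockIdx])" }
            $order.Add([pscustomobject]@{
                Name = $link.Name; Level = $lvl; LinkOrder = $link.LinkOrder; Enforced = $false
                Applied = (-not $blocked); Reason = $reason; Settings = $link.Settings
            })
        }
    }
    # Pass 2: enforced links, OU -> Local, so the highest-level enforced link is applied last.
    for ($i = $levels.Count - 1; $i -ge 0; $i--) {
        $lvl = $levels[$i]
        $atLevel = @($Links | Where-Object { $_.Level -eq $lvl -and $_.Enforced } | Sort-Object LinkOrder -Descending)
        foreach ($link in $atLevel) {
            $order.Add([pscustomobject]@{
                Name = $link.Name; Level = $lvl; LinkOrder = $link.LinkOrder; Enforced = $true
                Applied = $true; Reason = 'enforced (ignores Block Inheritance)'; Settings = $link.Settings
            })
        }
    }

    # Apply in order; the last writer of each setting wins.
    $effective = @{}
    foreach ($entry in $order) {
        if (-not $entry.Applied) { continue }
        foreach ($name in $entry.Settings.Keys) {
            $effective[$name] = [pscustomobject]@{ Setting = $name; Value = $entry.Settings[$name]; WinningGpo = $entry.Name }
        }
    }
    [pscustomobject]@{ ProcessingOrder = $order; Effective = @($effective.Values) }
}

# Constructed sample: a lab OU that blocks inheritance, plus an enforced domain baseline.
$sample = @(
    New-GpoLink 'Local GPO'             'Local'  1 @{ DisableTaskMgr = 0; ScreenSaverTimeout = 600 }
    New-GpoLink 'Site default'          'Site'   1 @{ ScreenSaverTimeout = 900 }
    New-GpoLink 'Default Domain Policy' 'Domain' 1 @{ DisableTaskMgr = 0; MinPasswordLength = 8 }
    New-GpoLink 'Security Baseline'     'Domain' 2 @{ DisableTaskMgr = 1; MinPasswordLength = 14 } -Enforced
    New-GpoLink 'Lab PCs'               'OU'     1 @{ DisableTaskMgr = 0; ScreenSaverTimeout = 300 }
    New-GpoLink 'Lab kiosk'             'OU'     2 @{ ScreenSaverTimeout = 120 }
)
$result = Resolve-GpoPrecedence -Links $sample -BlockInheritanceAt 'OU'
$result.ProcessingOrder | Format-Table Name, Level, LinkOrder, Enforced, Applied, Reason -AutoSize
$result.Effective       | Format-Table Setting, Value, WinningGpo -AutoSize
```

With this sample the Site link and the non-enforced Default Domain Policy are dropped by the OU's Block Inheritance, the two OU links are applied with "Lab kiosk" (link order 2) first and "Lab PCs" (link order 1) last, and the enforced "Security Baseline" is applied after everything else. The effective result is therefore DisableTaskMgr = 1 and MinPasswordLength = 14 from Security Baseline, and ScreenSaverTimeout = 300 from Lab PCs. On a real client, `gpresult /r` (or the Resultant Set of Policy snap-in) shows the same kind of applied/denied trace for the actual links.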

Group Policy Preferences

They are a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[3] Group Policy Preferences add a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control the application of these setting items. Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003 and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[4] [5] [6] [7] [8] [9] Client Side Extensions are now included in Windows Server 2008, Windows 7 and Windows Server 2008 R2.

Group Policy Management Console

Originally Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[10][11] [12] [13]

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function, without disabling lower-level means of accessing it.[14] Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.[15]


References:

1. Wikipedia: [http://en.wikipedia.org/wiki/Group_Policy]

2. TechNet: [http://technet.microsoft.com/en-us/library/bb457072.aspx]