Windows_learn 004 ADDS fundamentals and Group Policy

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Content overview

AD DS (Active Directory Domain Service)

Check that AD DS is installed correctly

Create installation media (offline import domain data)

Rules for the use of groups (p129)

Chapter 4 using Group Policy to manage the user's work Environment (p132)

Features of Group Policy

Group policy is divided into two parts: computer configuration and user configuration.

The settings within group policy can be divided into two types: policy settings and preferred settings.

Application time limit of group policy (p138)

Processing rules for Group Policy

Use Group Policy to manage the user environment (p167)

Security options Policy (p176)

WMI filter (p192)

AD DS (Active Directory Domain Service)

Container and Organization Units, OU

Domain tree

Trust Relationship

Forest

Schema

Domain Controller DC

Member Server

LDAP (Lightweight Directory Access Protocol)

DN (Distinguished Name)

RDN (Relative Distinguished Name)

GUID (Globally Unique Identifier)

UPN (User Principal Name) (principal, n.: the main party, the protagonist)

SPN (Service Principal Name)

Global Catalog GC

Site

Directory partition

Schema Directory Partition

Configuration Directory Partition

Domain Directory Partition

Application Directory Partition

RODC (read only domain controller)

AD LDS (Active Directory Lightweight Directory Services)

Active Directory database

Active Directory database: used to store Active Directory objects

Log files: used to store change logs in the Active Directory database

This log can be used to restore the active directory database

SYSVOL folder: used to store shared folders (such as files related to Group Policy)

Check that AD DS is installed correctly

nslookup

set type=srv

_gc._tcp.mysky.com
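The nslookup check above confirms that one SRV record resolves. The following added example (not part of the original notes) checks the full set of locator records a healthy AD DS installation registers in DNS, using the DnsClient module's Resolve-DnsName cmdlet; mysky.com is the notes' example domain and should be replaced with your own.

```powershell
# Added example (not from the original notes): verify the SRV records that a
# healthy AD DS installation registers in DNS. Assumes the DnsClient module
# (Windows 8 / Server 2012 or later). The domain name is the notes' example.
$Domain = "mysky.com"   # replace with your own domain name

# Records that clients use to locate domain services; all of them must resolve.
$Expected = @(
    "_ldap._tcp.$Domain",              # any domain controller (LDAP)
    "_ldap._tcp.dc._msdcs.$Domain",    # DC locator record
    "_kerberos._tcp.$Domain",          # Kerberos KDC
    "_gc._tcp.$Domain"                 # global catalog servers (the nslookup query above)
)

foreach ($Name in $Expected) {
    try {
        $Records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq "SRV" }
        foreach ($r in $Records) {
            "{0,-36} -> {1}:{2} (priority {3}, weight {4})" -f `
                $Name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        }
    } catch {
        # A missing record means clients will fail to find the service even
        # though the DC itself may be up; check the DC's DNS registration (ipconfig /registerdns, netlogon).
        Write-Warning "$Name did not resolve: $($_.Exception.Message)"
    }
}
```

Run it from any domain member; every expected name should list at least one target. The equivalent interactive check is the nslookup session in the notes, one record at a time.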

Create installation media (offline import domain data)

ntdsutil

activate instance ntds

ifm

create full <PATH>

create full c:\installationMedia

Add multiple user accounts at the same time (p119)

csvde.exe can add objects but cannot modify them

ldifde.exe can add and modify objects

dsadd.exe, dsmod.exe, dsrm.exe (add, modify and remove one object at a time; the names say what they do)
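An added example (not from the original notes) showing the input formats the two bulk tools expect: a CSV for csvde.exe to create users, and an LDIF with changetype: modify for ldifde.exe to update them, followed by the single-object equivalents. The domain DN, OU and user names are constructed sample values.

```powershell
# Added example (not from the original notes): bulk-create users with csvde.exe,
# then modify them with ldifde.exe. All names below are constructed samples.
$DomainDN = "DC=mysky,DC=com"
$OU       = "OU=Sales,$DomainDN"

# csvde input: a header row naming the attributes, then one row per object.
$CsvPath = "$env:TEMP\newusers.csv"
@"
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Alice Chen,$OU",user,achen,achen@mysky.com,Alice Chen
"CN=Bob Li,$OU",user,bli,bli@mysky.com,Bob Li
"@ | Set-Content -Path $CsvPath -Encoding ASCII

# -i import, -f file, -k keep going past "object already exists" errors.
# csvde cannot set a password, so the accounts are created disabled. Keep them
# that way until each has a password; never enable an account with no password.
csvde -i -f $CsvPath -k

# ldifde input: "changetype: modify" updates existing objects, which csvde cannot do.
# Each modify block ends with a line containing only "-".
$LdfPath = "$env:TEMP\modusers.ldf"
@"
dn: CN=Alice Chen,$OU
changetype: modify
replace: description
description: Sales, Shanghai office
-

dn: CN=Bob Li,$OU
changetype: modify
replace: description
description: Sales, Beijing office
-
"@ | Set-Content -Path $LdfPath -Encoding ASCII

ldifde -i -f $LdfPath -k

# The ds* tools do the same one object at a time:
dsadd user "CN=Carol Wu,$OU" -samid cwu -upn cwu@mysky.com -disabled yes
dsmod user "CN=Carol Wu,$OU" -desc "Sales, Shenzhen office"
dsrm "CN=Carol Wu,$OU" -noprompt
```

Both importers run with the rights of the logged-on account, so run them from an account delegated to create objects in the target OU rather than from Domain Admins.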

Groups (p125)

Domain Local Group

Global Group

Universal Group

Windows built-in domain local groups (p127)

Account Operators

Administrators

Backup Operators

Guests

Network Configuration Operators

Performance Monitor Users

Pre-Windows 2000 Compatible Access

Print Operators

Remote Desktop Users

Server Operators

Users

Global groups built into Windows

Domain Admins

Domain Computers

Domain Controllers

Domain Users

Domain Guests

Windows built-in universal groups

Enterprise Admins

Schema Admins

Windows special identity groups

Everyone

Authenticated Users

Interactive

Network

Anonymous Logon

Dialup

Rules for the use of groups (p129)

A, G, DL, P

A, G, G, DL, P

A, G, U, DL, P

A, G, G, U, DL, P

A: user Account

G: Global group

DL: Domain Local group

U: Universal group

P: Permission
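The A, G, DL, P chain carried out end to end, as an added example that is not part of the original notes: accounts go into a global group, the global group into a domain local group, and only the domain local group appears in the resource's ACL. It uses the ActiveDirectory module; the OU, group names, users and share path are constructed sample values.

```powershell
# Added example (not from the original notes): the A -> G -> DL -> P pattern
# with the ActiveDirectory module. Names and paths are constructed samples.
Import-Module ActiveDirectory

$OU       = "OU=Groups,DC=mysky,DC=com"
$Share    = "D:\Shares\SalesDocs"        # the resource (P is assigned here)
$Global   = "G_Sales_Staff"              # G: collects user accounts (A)
$DomLocal = "DL_SalesDocs_Modify"        # DL: carries the permission (P)

# G: a global group collects the accounts; membership is managed here only.
New-ADGroup -Name $Global -GroupScope Global -GroupCategory Security -Path $OU
Add-ADGroupMember -Identity $Global -Members "achen", "bli"

# DL: a domain local group is the only principal that will appear in the ACL.
# Its name records the resource and the access level it grants.
New-ADGroup -Name $DomLocal -GroupScope DomainLocal -GroupCategory Security -Path $OU
Add-ADGroupMember -Identity $DomLocal -Members $Global   # G is nested into DL

# P: grant the permission to the domain local group, never to users directly.
$Acl  = Get-Acl -Path $Share
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "MYSKY\$DomLocal",                    # identity: the domain local group only
    "Modify",                             # FileSystemRights
    "ContainerInherit, ObjectInherit",    # applies to subfolders and files
    "None",                               # PropagationFlags
    "Allow")
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Share -AclObject $Acl

# Review: who actually has access? Expand the nested membership from the DL group.
Get-ADGroupMember -Identity $DomLocal -Recursive | Select-Object Name, objectClass
```

The payoff is in the review step: because the ACL names one domain local group, answering "who can modify SalesDocs" is a single recursive group query instead of an ACL audit across the file tree, and granting access to a new team is a membership change rather than an ACL change.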

Chapter 4 using Group Policy to manage the user's work Environment (p132)

Features of Group Policy

Setting the account policy, such as setting the user's password length, usage period, locking the account, etc.

Local policy settings, such as user rights allocation, security settings, etc.

Settings for scripts (Scripts): such as login and logout, startup and shutdown scripts

Settings of the user's work environment, such as hiding desktop icons or removing Start menu items (for example the Run or Shut Down commands)

Software installation and deletion: when the user logs in or the computer starts, the software is automatically installed, deleted, repaired, etc.

Restrict the operation of software: set that users can only run specified software, or cannot run specified software.

Folder redirection: such as changing the storage location of folders like Documents and the Start Menu

Restrict access to removable storage devices: used to prevent confidential documents within the enterprise from being easily taken away from the company

Many other system settings, such as having all computers automatically trust a specified CA, or limiting the installation of device drivers

Group policy is divided into two parts: computer configuration and user configuration.

Scope of application of group policy

Site

Domain

Organizational Unit (OU)

Group Policy objects (Group Policy Object, GPO)

Built-in GPO

Default Domain Policy

Default Domain Controller Policy

GPO

GPC (Group Policy Container): stored in the AD database; records the GPO's attributes and version

GPT (Group Policy Template): stores the GPO's settings and related files

Its path is \SYSVOL\sysvol\<domain name>\Policies (under the system root on each domain controller)

The settings within Group Policy can be divided into two types: policy settings and preference settings.

Only domain Group Policy has preference settings; Local Computer Policy does not.

Policy settings are mandatory: the client cannot change them after the policy has been applied.

Preference settings are defaults: the client can change them on its own.

If both types configure the same item, the policy setting takes precedence.

Client requirements for applying preference settings (download and install if missing):

Client-side extension (CSE), KB943729; already included in Windows 7

XMLLite; already included in Windows 7

Application time limit of group policy (p138)

Application time limit of computer configuration

Applied automatically when the computer starts.

While the computer is running, the system re-applies it automatically at regular intervals:

Domain controller: every 5 minutes by default

Non-domain controller: every 90-120 minutes by default

Regardless of whether the policy setting values have changed, the system still re-applies the security settings automatically every 16 hours

Application time limit of user configuration

Applied automatically when the user logs on

While the user is logged on, it is re-applied automatically every 90-120 minutes by default.

Regardless of whether the policy has changed, the security settings are re-applied automatically every 16 hours

Manual application: on a domain member computer, open a command prompt window and run

gpupdate /target:user /force

Processing rules for Group Policy

General rules of inheritance and processing

When the settings of the parent container and the child container do not conflict, the child container inherits the parent's settings; when they conflict, the child container's settings take precedence.

When computer configuration conflicts with user configuration, computer configuration takes precedence.

Order of application: site GPO -> domain GPO -> organizational unit GPO (a GPO applied later overrides an earlier one on conflict)

Inheritance settings for exceptions

Block inheritance policy

Enforced policy (Enforced): a GPO link marked Enforced wins over conflicting settings in child containers and is applied even where inheritance is blocked
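The inheritance rules and both exceptions, as an added example that is not part of the original notes, using the GroupPolicy module (installed with RSAT or on a domain controller). The OU and GPO names are constructed sample values, and the GPO is assumed to exist already.

```powershell
# Added example (not from the original notes): inspect and change Group Policy
# inheritance for an OU with the GroupPolicy module. Names are constructed samples.
Import-Module GroupPolicy

$OU  = "OU=Sales,DC=mysky,DC=com"
$GPO = "Sales Security Baseline"     # assumed to exist already (created with New-GPO)

# Normal order: site GPO -> domain GPO -> OU GPO; the later link wins on conflict.
# Show what the OU currently receives, directly linked and inherited.
Get-GPInheritance -Target $OU | Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Enabled -AutoSize

# Exception 1: block inheritance on the OU. Site and domain GPOs stop applying
# here, which also silently drops any domain-wide security baseline, so use it
# sparingly and review the result.
Set-GPInheritance -Target $OU -IsBlocked Yes

# Exception 2: link a GPO as Enforced. An enforced link wins over conflicting
# settings in child containers and still applies where inheritance is blocked.
New-GPLink -Name $GPO -Target $OU -LinkEnabled Yes -Enforced Yes

# Re-read the effective list after the changes.
$Inh = Get-GPInheritance -Target $OU
"Inheritance blocked on $OU : $($Inh.GpoInheritanceBlocked)"
$Inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced -AutoSize

# Clients pick up the change at the next refresh (5 minutes on domain controllers,
# 90-120 minutes elsewhere), or immediately with a forced refresh on the client:
gpupdate /target:computer /force
```

A useful habit after either exception is to run Get-GPResultantSetOfPolicy (or gpresult /r) on a computer in the OU and compare the applied GPO list with the intended one; blocked inheritance is the usual reason a domain security baseline stops reaching a set of machines.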

Use Group Policy to manage the user environment (p167)

User Rights assignment Policy (p174)

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Common user rights policies

Allow log on locally: allows users to log on at the console (the Ctrl+Alt+Delete logon)

Deny log on locally: denies local logon

Add workstations to domain: allows users to join computers to the domain

Shut down the system: allows users to shut down the computer

Access this computer from the network

Deny access to this computer from the network

Force shutdown from a remote system

Back up files and directories

Restore files and directories

Change The System Time

Load And Unload Device Drivers

Take Ownership Of Files Or Other Objects

Security options Policy (p176)

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Common security options

Interactive logon: Do not require CTRL+ALT+DEL

Interactive logon: Number of previous logons to cache (credentials cached locally for logon when no domain controller is reachable)

Interactive logon: Do not display last user name

Shutdown: Allow system to be shut down without having to log on
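An added example (not from the original notes) that audits, on the local machine, the user rights listed above and the four security options: it reads a secedit export of the effective policy, resolves the SIDs to names, and reads the registry values behind the security options. Running secedit requires administrative rights; when the export is unavailable the script falls back to a constructed sample so the parsing can still be seen.

```powershell
# Added example (not from the original notes): audit user rights assignment and
# security options as applied on this machine. Registry paths are the standard
# locations for these settings; the sample INF content is constructed.

function Get-PrivilegeRights {
    # Parse the [Privilege Rights] section of a secedit export into a hashtable.
    param([string[]]$InfLines)
    $Rights = @{}
    $InSection = $false
    foreach ($Line in $InfLines) {
        if ($Line -match '^\[(.+)\]$') { $InSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($InSection -and $Line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values are comma-separated SIDs prefixed with "*" (or plain names).
            $Rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
        }
    }
    return $Rights
}

function Resolve-Sid {
    param([string]$Value)
    if ($Value -notlike '*S-1-*') { return $Value }
    try {
        $Sid = New-Object System.Security.Principal.SecurityIdentifier($Value.TrimStart('*'))
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Value }
}

# Rights from the notes; the comments say why each one matters beyond its name.
$Watch = [ordered]@{
    'SeInteractiveLogonRight'      = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'  = 'Deny log on locally'
    'SeMachineAccountPrivilege'    = 'Add workstations to domain'
    'SeShutdownPrivilege'          = 'Shut down the system'
    'SeNetworkLogonRight'          = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'      = 'Deny access to this computer from the network'
    'SeRemoteShutdownPrivilege'    = 'Force shutdown from a remote system'
    'SeBackupPrivilege'            = 'Back up files and directories (reads any file regardless of ACL)'
    'SeRestorePrivilege'           = 'Restore files and directories (writes any file regardless of ACL)'
    'SeSystemtimePrivilege'        = 'Change the system time (Kerberos and log timestamps depend on it)'
    'SeLoadDriverPrivilege'        = 'Load and unload device drivers (kernel-mode code)'
    'SeTakeOwnershipPrivilege'     = 'Take ownership of files or other objects'
}

$Inf = "$env:TEMP\secpol.inf"
if (Test-Path $Inf) { Remove-Item $Inf }
secedit /export /cfg $Inf /areas USER_RIGHTS 2>$null | Out-Null
if (Test-Path $Inf) {
    $Lines = Get-Content $Inf          # export is UTF-16 with BOM; Get-Content handles it
} else {
    # Constructed sample in secedit's INF format, used when the export is unavailable.
    $Lines = @(
        '[Privilege Rights]',
        'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545',
        'SeDenyNetworkLogonRight = *S-1-5-32-546',
        'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551',
        'SeTakeOwnershipPrivilege = *S-1-5-32-544'
    )
}
$Rights = Get-PrivilegeRights $Lines
foreach ($Key in $Watch.Keys) {
    $Who = if ($Rights.Contains($Key)) { ($Rights[$Key] | ForEach-Object { Resolve-Sid $_ }) -join ', ' } else { '(nobody)' }
    "{0}`n    {1}`n    holders: {2}" -f $Watch[$Key], $Key, $Who
}

# The four security options from the notes are stored as registry values.
$Options = @(
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DisableCAD' },
    @{ Name = 'Interactive logon: Number of previous logons to cache'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'CachedLogonsCount' },
    @{ Name = 'Interactive logon: Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DontDisplayLastUserName' },
    @{ Name = 'Shutdown: Allow system to be shut down without having to log on'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'ShutdownWithoutLogon' }
)
foreach ($o in $Options) {
    $v = (Get-ItemProperty -Path $o.Path -Name $o.Value -ErrorAction SilentlyContinue).($o.Value)
    "{0,-68} {1}" -f $o.Name, $(if ($null -eq $v) { '(not set)' } else { $v })
}
```

The rights to read most carefully are Back up, Restore, Load and unload device drivers and Take ownership: each lets its holder bypass file ACLs or run kernel code, so membership of Backup Operators or any custom group granted them is effectively administrative access. For the cached logons value, a lower count limits how many domain credentials are stored on a laptop that may be lost.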

Login, logout, startup, shutdown scripts (p177)

Folder redirection (p181)

That is, a user's Desktop, Documents or other profile folders can be redirected to a path on another server.

WMI filter (p192)
