
How to understand the problem of Group Policy permission inheritance in Domain Controller

2025-01-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

This article explains how group policy permission inheritance works in a domain controller. The content is fairly detailed; interested readers can use it as a reference, and I hope it helps.

What is the problem with inheritance of group policy permissions in domain controllers

In domain controller group policy management, the problem that gave me the biggest headache is group policy inheritance. As we all know, group policy configuration is inherited to make permission settings easier to manage: by default, the configuration of a higher level is passed down to the lower level, whether or not the lower level has set anything itself, and so on down the tree. Therefore, before we manage the enterprise network's group policy, we first need to understand this inheritance behaviour, so that later management gives us twice the result with half the effort. Otherwise, we will get only half the result.

Suppose there is now a simple network architecture like the following.

In the domain's OU settings there is an Office Clerk OU, whose group policy is configured so that at system logon the default user name is the last user who logged on. That is, the system login window shows the account name of the last login. Below this OU there is another OU named Salesperson. In this architecture, the Office Clerk OU is called the parent OU and the Salesperson OU is called the child OU.

Now let's look at how group policies are inherited.

1. The Salesperson OU inherits the Office Clerk OU's group policy

If the parent OU is configured with a group policy but its child OU is not, the parent OU's group policy is passed down to the child OU; this is the inheritance function of group policy. One point needs attention here: "the child OU has not configured this group policy" means that no corresponding group policy has been configured at all. If it has been configured, whether as allowed or as prohibited, group policy inheritance will not take place.

That is to say, if in the Office Clerk OU the network administrator configured a group policy to display the last logged-on user name at system login, and there is no configuration for this group policy in its child OU, the Sales OU (perhaps by default, if you log in with a domain account, the last logged-on user name is not displayed), then the domain controller treats the policy as not configured in the Sales OU and inherits the group policy of the Office Clerk OU. At the next login, the domain account name of the last login will be displayed.

This inheritance continues downwards. For example, if there are Sales Group 1 and Sales Group 2 OUs below this Sales OU, the Office Clerk OU's group policy is passed on to Sales Group 1, Sales Group 2, and so on. However, note that when we view the group policy of the child OU, the group policy of the parent OU is not displayed. That is, once the group policy has been inherited by the Salesperson OU and we look at its group policy settings, the "Show last logged-on account name" policy still appears as not configured, even though the OU really has inherited it. This causes a certain amount of confusion during group policy maintenance.

2. The Salesperson OU overrides the Office Clerk OU's group policy

We emphasized above that group policy inheritance only happens when the corresponding group policy in the child OU has not been configured, even though that policy may have a default value. Inheritance is broken as soon as the child OU sets the corresponding group policy, even if it only sets it to its default value.

Officially, if a policy is configured in a child container, its configured value overrides the value passed down by the parent container. This sentence has two meanings.

First, when the parent OU is configured with a certain group policy and the child OU is also configured with the same group policy, the child OU will not inherit the parent OU's group policy, regardless of whether the two configurations agree. That is, if the child OU's configuration is the same as the parent's, it simply uses its own group policy without caring how the parent OU is configured. If the two configurations contradict each other, the child OU ignores the parent OU's group policy all the more. The son has grown up, and his father can no longer control him.

Second, if the parent OU has configured a certain group policy and the child OU has not configured it at that time, the child OU inherits it from the parent OU. If the network administrator later finds that the child OU should not adopt this group policy and resets it in the child OU's group policy, the reset value overrides the value passed down from the parent OU's group policy.

Here is an example to illustrate this principle.

Suppose that on the parent Office Clerk OU, our network administrator sets the group policy "Do not show network neighbors on the desktop" for security reasons. If the child Sales Administrator OU has this group policy set from the start, whether as prohibited or allowed, the child OU will not consider inheriting this policy from the parent OU. In other words, once a son has his own ideas, he no longer listens to his father. If the child OU is not configured with this group policy at the beginning, then when the Sales Administrator OU is added under the Office Clerk OU it inherits the group policy from the parent OU. If the network administrator later, for whatever reason, sets the child OU's group policy to "Allow network neighbors to be displayed on the desktop", this configured value overwrites the value originally inherited from the parent OU.

These two principles are the two fundamental laws of group policy inheritance. In practice, besides these rules, you also need to know some unwritten rules, or rather priorities.

1. Priority of computer configuration and user configuration

Group policy in a domain, like the group policy of a standalone computer, has two parts: computer configuration and user configuration. What happens if we accidentally configure group policy so that the computer configuration conflicts with the user configuration?

In general, the system gives computer configuration priority. For example, if the computer configuration sets the group policy "Do not allow network neighbors to be displayed on the desktop" and the user configuration sets it to allowed, then even though the user configuration is applied later, network neighbors still do not appear on the desktop after the user logs in. Thus, computer configuration takes precedence over user configuration.

Therefore, to avoid trouble later, network administrators should use a single configuration mode when configuring group policies, either entirely through user configuration or entirely through computer configuration. In general, it is recommended to implement group policy through computer configuration when each user has their own computer.

2. The accumulation problem of group policy

In the description above, I already touched on the accumulation problem in group policy inheritance. That is, if the user's OU tree has three layers, say the Office Clerk, Sales Management and Sales OUs, then Sales Group 1 is the equivalent of a grandson and inherits all the group policies of both the Office Clerk and Sales Management OUs (assuming, of course, that the Sales Group 2 OU has not itself been configured with the corresponding group policies beforehand). This accumulation is helpful for group policy configuration in some ways. However, everything has its advantages and disadvantages: once policies accumulate, subsequent management becomes very troublesome. For this reason, the author suggests that the number of OU levels should not be too large when planning, in general no more than three layers. Beyond that, at four, five or more levels, it becomes difficult for network administrators to keep track of the accumulated policies.

3. Prioritization of Local Computer Policy and OU Group Policy

We all know that users can configure group policy locally to manage a computer. In previous articles I have addressed similar issues. A new problem arises when an enterprise introduces domain controllers: what happens if a group policy applied through the domain controller, such as an OU policy, conflicts with the computer's own local group policy?

For example, before the enterprise adopted a domain controller and domain group policy management, computers were managed through the local group policy of each computer, and the local group policy set "Prohibit network neighbors from being displayed on the desktop". After moving to domain management, network administrators find it inconvenient not to have network neighbors on the desktop, so at the domain level they set a group policy allowing network neighbors to be displayed. When a computer joins the domain, its local group policy conflicts with the domain group policy. In this case, the domain group policy takes precedence.

This is different from the case above where the child OU overrides the parent OU's group policy, and we need to keep this in mind when managing group policy.

4. Child OU refuses to inherit group policy from parent OU

In group policy management, we can also configure a child OU so that it refuses to inherit the parent OU's group policy under any circumstances. The child OU's own group policy values are then used directly, and where a group policy on the child OU is not configured, the default value is used.

That is, suppose there is an Office Clerk OU with the group policy "Do not show network neighbors on the desktop". If we set "Block Policy Inheritance" when we create the Sales Manager OU, then when we add the Sales Manager OU under the Office Clerk OU, it will not inherit any group policy from the parent OU. Even though the Sales Manager OU has not configured the "Show network neighbors on the desktop" group policy at all, it still uses the default value.

In general, we do not recommend the "Block Policy Inheritance" option, because it means each child OU has to be configured individually, which increases the workload. Use it only when the child OU's group policy differs significantly from the parent OU's. When the difference is slight, we can override the inherited values by configuring the corresponding group policy on the child OU instead of resorting to the extreme measure of blocking policy inheritance.
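The inheritance rules above (parent-to-child inheritance, child override, computer-over-user, domain-over-local, accumulation, and Block Policy Inheritance) can be checked against a small model. The following is an added example written for this article, not Microsoft's code or the article's own; the OU names, setting names and values are constructed to match the scenarios in the text, and Enforced links (which are not discussed here) are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Scope:
    """One place a policy can be set: the local computer, the domain, or an OU.
    A setting that is absent from a dict is 'Not Configured'."""
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration values
    user: dict = field(default_factory=dict)       # User Configuration values
    block_inheritance: bool = False                # "Block Policy Inheritance" on this container


def effective_setting(local, containers, setting, default):
    """Resolve one setting for an object sitting in the last OU of `containers`.
    `containers` runs from the domain down to the deepest OU (parent before child).
    Returns (value, source), where source names the scope that decided the value."""
    # Block Policy Inheritance: everything above the last blocking container is ignored.
    # (Enforced links, which override blocking, are outside the article's scope.)
    start = 0
    for i, container in enumerate(containers):
        if container.block_inheritance:
            start = i
    # Local policy is processed first and is not a container link, so it is never
    # blocked, but any domain/OU value configured later overrides it.
    order = [local] + containers[start:]
    computer = user = None
    for scope in order:                  # lower scopes override higher ones ...
        if setting in scope.computer:    # ... but only when explicitly configured
            computer = (scope.computer[setting], scope.name + " (computer)")
        if setting in scope.user:
            user = (scope.user[setting], scope.name + " (user)")
    # Computer Configuration wins when both halves configure the same setting.
    return computer or user or (default, "default")


# Constructed scopes matching the article: Office Clerk OU -> Sales Manager OU -> Sales Group 1 OU.
LOCAL = Scope("Local computer", computer={"hide_network_neighbors": True})
DOMAIN = Scope("Domain", computer={"hide_network_neighbors": False})
OFFICE_CLERK = Scope("Office Clerk OU", user={"show_last_user_name": True, "hide_network_neighbors": True})
SALES_MANAGER = Scope("Sales Manager OU", user={"hide_network_neighbors": False})
SALES_GROUP_1 = Scope("Sales Group 1 OU")
BLOCKED_SALES_MANAGER = Scope("Sales Manager OU", block_inheritance=True)

if __name__ == "__main__":
    chain = [OFFICE_CLERK, SALES_MANAGER, SALES_GROUP_1]
    for name in ("show_last_user_name", "hide_network_neighbors"):
        # Sales Group 1 accumulates: one value from the grandparent, one overridden by the parent.
        print(name, effective_setting(Scope("Local computer"), chain, name, default=None))
```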

That is all on how to understand the group policy permission inheritance problem in the domain controller. I hope the content above is of some help to everyone and that you can learn something from it. If you think the article is good, please share it so that more people can see it.
