What is a GPO

If you’re using a Windows computer in an Active Directory environment, Group Policy settings can be defined on the domain controller. Network administrators have one place where they can configure a variety of Windows settings for every computer on the network.
These settings can also be enforced, so users can’t change them.
For example, using group policy, a network administrator can block access to certain sections of the Windows control panel, or set a specific website as the home page for every computer on the network.
This can be useful for locking down computers, restricting access to specific folders, control panel applets, and applications.
It can also be used to change a variety of Windows settings, including ones that can’t be changed from the control panel or require registry tweaks to change.

Group Policy Container

The Group Policy container, located under cn=system, is an Active Directory storage area for Group Policy object properties; it includes both computer and user Group Policy information. The Group Policy container has the following properties:
■ Version Information (version number): this makes sure that the container's information is synchronized with the Group Policy template information.
■ Status Information (Group Policy status): this indicates whether the Group Policy object is enabled or disabled.
■ Components with Settings in GPO: the list of components (extensions) that have settings in the Group Policy object.
■ Policy Settings as Defined by the Extension Snap-ins: for example, the Group Policy container stores information used by the Software Installation snap-in to describe the status of the software available for installation. This data repository contains data for all applications, interfaces, and APIs that provide for application publishing and assigning.

Group Policy Template

Group Policy objects also store Group Policy information in a folder structure called the Group Policy template that is located in the System Volume folder of domain controllers (Sysvol) in the \Policies subfolder. The Group Policy template is the container where Administrative Template–based policy settings, Security Settings, applications available for Software Installation, and script files are stored.
When a Group Policy object is modified, the directory name given to its Group Policy template is the GUID of that Group Policy object. For example, a Group Policy template folder might be named as follows:
%systemroot%\sysvol\SYSVOL\www.Reskit.com\Policies\{47636445-af79-11d0-91fe-080036644603}
A Group Policy snap-in can store data outside the Group Policy object; however, this requires that at least a link to the Group Policy object be stored either in a Group Policy container (Active Directory data store) or in a Group Policy template (file-type data stored on the Sysvol folder).

How Clients Process GPOs

Client-Driven

  1. The client identifies which GPOs are assigned to it from Active Directory by looking at the gPLink attribute of the various containers it belongs to. This attribute, when populated, points to the name and location of the GPO that the client must consider.
  2. From the gPLink attribute on each of its container objects, the client assembles a list of the GPOs it needs to apply, including the order in which it should apply them (based on the location of the GPO, filtering, and Enforcement / Blocking rules).
  3. Once the client has its list of GPOs, it checks the Group Policy Container (GPC) for each one and gets information on where the GPO contents can be located.
  4. The first time the client does this, every policy is new, and it goes through each one to apply what is needed.
  5. The GPO contents are located in the Group Policy Template (GPT) within the SYSVOL share.
  6. It is an ongoing process: the client continually checks whether there are any changes in the GPOs assigned to it (or whether there are new GPOs, GPOs that have been removed, and so on).


Version Number

The way a client knows whether it has new settings to apply is through a GPO’s version number. Every change that is put into a GPO causes its version number to increase. If a client checks the GPO and sees that there is a newer version number than the one it is aware of, that GPO is processed.

The GPMC also records the SYSVOL version number as well as the AD version number. This can be very important in troubleshooting: if the AD portion of the GPO (the GPC) shows one version number and the portion of the GPO in SYSVOL (the GPT) shows another, the GPO is not fully synchronized and the client may be applying the wrong settings.
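As an added illustration (not from the original notes), the following Python reads the Version= value from a GPT's gpt.ini, splits the packed number into its user and computer halves, and reports the AD/SYSVOL mismatch described above the way GPMC does, per side. The sample gpt.ini is constructed; the split into an upper 16-bit user half and a lower 16-bit computer half is how the GPO version number is stored in both the GPC and the GPT.

```python
import re

# A GPO version number packs two 16-bit counters: user settings in the upper half,
# computer settings in the lower half. AD stores it in the GPC's versionNumber
# attribute; SYSVOL stores it as Version= in the GPT's gpt.ini.
VERSION_RE = re.compile(r"^\s*Version\s*=\s*(\d+)\s*$", re.MULTILINE | re.IGNORECASE)


def split_version(version: int) -> tuple:
    """Return (user_version, computer_version) from a packed GPO version number."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def gpt_ini_version(gpt_ini_text: str) -> int:
    """Extract the packed version number from the text of a GPT's gpt.ini."""
    match = VERSION_RE.search(gpt_ini_text)
    if match is None:
        raise ValueError("gpt.ini has no Version= entry")
    return int(match.group(1))


def sync_findings(gpc_version: int, gpt_version: int) -> list:
    """Compare the AD (GPC) and SYSVOL (GPT) versions per side, as GPMC reports them.
    An empty list means the two halves of the GPO agree."""
    gpc_user, gpc_comp = split_version(gpc_version)
    gpt_user, gpt_comp = split_version(gpt_version)
    findings = []
    if gpc_user != gpt_user:
        findings.append(f"user: AD {gpc_user} vs SYSVOL {gpt_user}")
    if gpc_comp != gpt_comp:
        findings.append(f"computer: AD {gpc_comp} vs SYSVOL {gpt_comp}")
    return findings


def needs_processing(cached_version: int, current_version: int, side: str) -> bool:
    """True when the version the client cached for this side no longer matches the
    GPO's current one (every change to a GPO bumps the relevant counter)."""
    idx = 0 if side == "user" else 1
    return split_version(current_version)[idx] != split_version(cached_version)[idx]


# Constructed sample gpt.ini: user version 1, computer version 3 (1 << 16 | 3 = 65539).
SAMPLE_GPT_INI = """[General]
Version=65539
displayName=New Group Policy Object
"""
```

Feeding `sync_findings` the GPC's versionNumber and `gpt_ini_version(...)` of the matching SYSVOL folder reproduces the AD-vs-SYSVOL check GPMC shows for a GPO.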

Order

Because multiple GPOs may apply to a client, there is always the possibility that these GPOs will have conflicting settings.
If you have set something in your Local GPO but your domain administrators require a different setting, your local setting will be overwritten.
The last GPO applied overwrites any settings applied earlier, and the GPOs closest to the client's location in the directory structure are applied last.
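The client-driven steps in "How Clients Process GPOs" and the ordering rule in this section, as an added example that is not part of the original notes: Python that parses the gPLink values for the chain of containers a computer sits in (domain down to its own OU) and works out the order in which the linked GPOs apply, last wins, honouring disabled links, Enforced links and Block Inheritance. It assumes the gPLink conventions that the first link listed has the highest precedence (so it is applied last), that option bit 1 marks a disabled link and bit 2 an enforced one, and that gPOptions bit 1 on a container means Block Inheritance; the sample links and DNs are constructed.

```python
import re
from dataclasses import dataclass

# gPLink stores links as "[LDAP://<GPO DN>;<options>][...]"; options bit 1 = link
# disabled, bit 2 = enforced. gPOptions bit 1 on the container = Block Inheritance.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED, BLOCK_INHERITANCE = 0x1, 0x2, 0x1


@dataclass
class GpoLink:
    dn: str
    options: int

    @property
    def disabled(self) -> bool:
        return bool(self.options & LINK_DISABLED)

    @property
    def enforced(self) -> bool:
        return bool(self.options & LINK_ENFORCED)


def parse_gplink(value: str) -> list:
    """Parse one gPLink value into links in stored order (first = highest precedence)."""
    return [GpoLink(dn, int(opt)) for dn, opt in LINK_RE.findall(value or "")]


def apply_order(containers: list) -> list:
    """containers: (gPLink, gPOptions) pairs from the domain down to the client's own OU.
    Returns GPO DNs in the order the client applies them; the last entry wins conflicts."""
    normal, enforced = [], []
    for gplink, gpoptions in containers:
        links = [l for l in parse_gplink(gplink) if not l.disabled]
        links.reverse()  # link order 1 is listed first but must be applied last
        if gpoptions & BLOCK_INHERITANCE:
            normal = []  # Block Inheritance drops non-enforced links from parents only
        normal.extend(l.dn for l in links if not l.enforced)
        # enforced links run after every normal link, and a parent's enforced links
        # run after a child's, so each container's enforced links go to the front
        enforced = [l.dn for l in links if l.enforced] + enforced
    return normal + enforced


# Constructed sample: a domain with two links and a child OU that blocks inheritance.
def gpo_dn(name: str) -> str:
    return f"cn={{{name}}},cn=policies,cn=system,DC=example,DC=test"

DOMAIN = (f"[LDAP://{gpo_dn('GPO-A')};0][LDAP://{gpo_dn('GPO-B')};2]", 0)
CHILD_OU = (f"[LDAP://{gpo_dn('GPO-C')};1][LDAP://{gpo_dn('GPO-D')};0]", 1)
```

`apply_order([DOMAIN, CHILD_OU])` yields GPO-D then GPO-B: the OU's block drops the domain's ordinary link GPO-A, the disabled link GPO-C is skipped, and the enforced domain link GPO-B is applied last and therefore wins.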

Permission

When you filter a GPO, you specifically designate which users, groups, and computers are allowed to apply it.