Windows Server 2003 群組原則設定與管理 林寶森

What Are User Rights? Examples of User Rights

User Rights vs. Permissions User Rights: Actions on System User Rights: Actions on System Permissions: Actions on Object

What Is a Restricted Group Policy? Use restricted group policy to control membership –Specify what members belong to a group –Members that are not specified in the policy are removed during configuration or refresh To apply restricted group policy –Define the policy in a security template - OR - –Define the setting directly on a GPO

What Is Auditing? Auditing tracks user and operating system activities and records selected events in security logs Enable auditing to: – Create a baseline – Detect threats and attacks – Determine damages – Prevent further damage Audit access to objects, management of accounts, and users logging on and logging off What occurred? When? Who did it? What was the result?

What Is Audit Policy? An audit policy determines the security events that will be reported to the network administrator Set up an audit policy to: –Track success or failure of events –Minimize unauthorized use of resources –Maintain a record of activity Security events are stored in security logs

Best Practices for Configuring Auditing Audit success events in the directory service access category Audit success events in the object access category Audit success and failure events in the system category Audit success and failure events in the policy change category on domain controllers Audit success and failure events in the account management category Audit success events in the logon category Audit success events in the account logon category on domain controllers Set an appropriate size for the security log

Assigning Scripts by Using Group Policy Startup/ShutdownStartup/Shutdown User Computer Logon/LogoffLogon/Logoff Computer Configuration Startup/ShutdownStartup/Shutdown Scripts User Configuration Logon/LogoffLogon/Logoff

Assigning Group Policy Script Settings Logon Properties Scripts Logon Scripts for Log On Script [AUCKLAND.contoso.msft] NameParameters Development.vbs Information Services.vbs UpUp UpUp Down Add... Edit... Remove Show Files... OKCancel Apply To view the script files stores in this Group Policy Object, press the button below. Copy the script to the appropriate GPT Add the script to the appropriate GPO

What Is Folder Redirection? Folder Redirection enables users and administrators to redirect the folders to a new location –The new location can be a folder on the local computer or a shared folder on the network –Users can work with documents on a server as if the documents are located on the local drive Create a standard Desktop Reduce size of roaming profiles Files Are Not Saved on the Client Computer Folder Redirection Application Data Desktop My Documents My Pictures Start Menu

Settings Required to Configure Folder Redirection Use basic Folder Redirection for: – Users who use a common area - or - – Users who use private data With advanced Folder Redirection, the server hosting the folder location is based on group membership Accounting Users Accounts N-Z Accounts A-M Accounting Managers AnnePa MistyS Private

Setting a Target Location Desktop Properties Target Settings You can specify the location of the Desktop folder No administrative policy specifiedSetting: OKCancel Apply The Group Policy Object will have no effect on the location of this folder. Desktop Properties Target Settings You can specify the location of the Desktop folder Basic – Redirect everyone’s folder to the dame locSetting: OKCancelApply This folder will be redirected to the specified location. An example target path is: \\server\share\%username%. Target folder location \\london\desktops\%username% Browse Desktop Properties Target Settings You can specify the location of the Desktop folder Advanced – Specify locations for various user grouSetting: OKCancelApply This folder will be redirected to different locations based on the security group membership of the users. An example target path is \\server\share\%username% Security Group Membership Group CONTOSO\acct\\london\acct\%username% CONTOSO\sales\\london\sales\%username% Path AddAdd Edit Remove Use the % username% variable

Configuring Folder Redirection Settings Desktop Properties ? ? Setting Target Specify the redirection settings for Desktop. Move the contents of Desktop to the new location. Grant the user exclusive rights to Desktop. Leave the folder in the new location when policy is removed. Redirect the folder back to the local user profile location when policy is removed. Policy Removal Setting Target

Software Deployment Process Change the software deployment properties 3 3 Use a GPO to deploy software 2 2 Create a software distribution point 1 1 Publish Assign Property 1Property 2Property 3

Assigning vs. Publishing Software Software Distribution Point Publish software using document activation ? Publish software using Add or Remove Programs Assign software during Computer Configuration Assign software during User Configuration

Default Options for Software Installation Specify whether to use default values or user- defined values Specify the location of the software distribution point that contains the.msi package files Specify how to deploy the software

What Are Software Categories? Software categories function across domains

What Is Software Association? Sales Word 2000 Accounting Word 2002 Manage application associations on a per-GPO basis Accounting GPO Word 2002 Sales GPO Word 2000 FileName. doc

What Is Software Modification? Single instance on server You can add and remove modifications only during deployment of a software package GPO3 Accounting GPO2 Marketing GPO1 Sales

Types of Software Upgrades Mandatory upgrade Users can use only the upgraded version Optional upgrade Users can decide when to upgrade Selective upgrade You can select specific users for an upgrade Deploy next version of the application 2.0

How Software Redeployment Works 2 2 Redeploy the package Group Policy Place the software upgrade on the server 1 1 Upgrade 3 3 The user logs on and activates the software 4 4 The user logs on and invokes the software Upgrade

Methods for Removing Deployed Software Forced removal Software is automatically deleted from a computer and it is not advertised Optional removal Software is not deleted from a computer and no upgrades to the software can be installed