“Windows Server 2003 组策略基础结构”白皮书.doc

Group Policy InfrastructureMicrosoft CorporationPublished: April 2003Updated: November 2004AbstractAdministrators use Group Policy to specify managed configurations for groups of computers and users. Group Policy includes options for registry-based policy settings, security settings, software installation, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance. Intended for system administrators, architects, and others who need to create and manage Group Policy settings, this paper explains Group Policy infrastructure and shows how Group Policy Management Console (GPMC), a new MMC snap-in with scripting interfaces, fits into this infrastructure. The paper includes detailed information about Group Policy processing as well as many best practices useful to the Group Policy administrator.Microsoft Windows Server 2003 White PaperThe information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2003 Microsoft Corporation. All rights reserved.Microsoft, Active Directory, IntelliMirror, Jscript, MS-DOS, Visual Basic, VisualC+, Visual Studio, Windows, Windows Media, and WindowsNT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.ContentsIntroduction1Administrative Requirements for Using Group Policy1GPMC System Requirements1Feedback on this Paper1Whats New About Group Policy in Windows Server20032Group Policy Management Console2New policy settings2Administrative Templates Changes3Command Line Refresh of Policy3WMI Filtering3Tools for Best Practice Organizational Unit Design3Forest Trust4Domain Rename4Restore GPOs tool4Wireless Support4Software Restriction Policy Settings4Internet Explorer Enhanced Security Configuration5Overview of Group Policy Infrastructure and Mechanics6Linking Group Policy Objects to Active Directory Containers6Group Policy Hierarchy6Managing Inheritance of Group Policy7Filtering the Scope of the Group Policy Object9Security Filtering9WMI Filtering10MMC Snap-in Extension Model11Group Policy Object Editor Namespace12Computer Configuration and User Configuration12Extensions to the Group Policy Object Editor12Client-side Extensions to Group Policy13Group Policy Storage13Migrating GPOs Across Domains15Migration Tables15GPMC as the Solution for Migrating GPOs15Scripting Group Policy Tasks17Delegating Group Policy18Using Security Groups to Delegate Group Policy18Managing Group Policy Links for a Site, Domain, or Organizational Unit19Creating GPOs19Editing Group Policy Objects20Delegating an individual GPO20Specifying Group Policy to Control the Behavior of MMC extensions21Restricting Access to a List of Permitted Snap-ins21Controlling Access to a Snap-in21Creating Custom Group Policy Object Editor Consoles22Group Policy Extension Snap-ins23Administrative Templates23Handling .adm files in Group Policy Object Editor24Handling .adm files in GPMC25Using Administrative Templates25New policy settings25True Policy Settings Compared with Group Policy Preferences25Creating Custom .adm Files26Viewing Group Policy Preferences27Impact of GPO Replication27Security Settings27Default Security Templates29Incremental Security Templates30Using Software Installation and Maintenance31Assigning Applications31Publishing Applications32Scripts32Types of Scripts32Specifying Policy Settings for Script Behavior33Folder Redirection34Folder Redirection Improvements for WindowsXP and Windows Server200334User Interface changes34My Pictures no longer shown in the Folder Redirection Node36Redirected Folders automatically made available offline36Internet Explorer Maintenance36Exporting Internet Explorer Settings for Earlier Clients36Managing Internet Explorer Maintenance Advanced Settings37Using Internet Explorer Customization Wizard and Internet Explorer Profile Manager37Remote Installation Services37Group Policy Modeling and Results38Introduction38Group Policy Results38Group Policy Modeling38Using GPMC Reports38RSoP Architecture39Security and RSoP39Group Policy Results and Modeling Examples40Group Policy Results40What is the current state of Folder Redirection for the current user?40What is the current state of Folder Redirection for a sampling of users?40Why did this happen?40Group Policy Modeling40Precedence Details40Change of Site40Change of Folder Redirection Mode41RSoP Schema41Group Policy Processing42Initial Processing of Group Policy42Synchronous and Asynchronous Processing42Fast Logon in WindowsXP Professional42Folder Redirection and Software Installation Policies43Time Limit for Processing of Group Policy43Background Refresh of Group Policy43Periodic Refresh Processing44On-Demand Processing44Messages and Events44Refreshing Policy from the Command Line45Syntax45Parameters45Slow Links and Remote Access Issues45Group Policy and Slow Links46Setting Policy for Slow-Link Definition46Application of Group Policy During a Remote Access Connection47Client-side Processing of Group Policy48Computer Policy for Client-Side Extensions48Policy Settings for Group Policy49Group Policy Replication and Domain Controller Selection50Options governing selection of a domain controller for GPMC51Specifying a Domain Controller by Using Group Policy52Local Group Policy53Local Group Policy Object53Local Group Policy Object and DACLs53Viewing Policy settings When the Group Policy Object Editor is Focused on the Local Computer53Local Group Policy Object Processing54Modifying the Local GPO on a Domain-based Computer54Group Policy Loopback Support55Using Loopback for Terminal Services56Loopback Processing and Security Filtering56Design Considerations for Organizational Unit Structure and Use of Group Policy Objects57Organizational Unit Structure57Design Principles58Administration of Group Policy Objects58Separate Users and Computers into Different organizational units58Redirecting the Users and Computers Containers in Windows Server2003 Domains59Best Practice Organizational Unit Structure59Functional Compared with Geographical Organizational Unit Structure60Minimize the Number of Group Policy Objects Associated with Users or Computers60Minimize the Use of the Block Policy Inheritance Feature60Minimize the Use of the Enforce Feature61Use Loopback Processing Only When Necessary61Avoid Using Cross-Domain GPO Assignments61Avoid Editing the Default Domain GPO61Design Examples61Layered GPO Design Model62Monolithic GPO Design Model63Single Policy Type GPO Design Model64Multiple Policy Types GPO Design Model65Teams or Matrix Organizations GPO Model66Public Computing Environment GPO Model67Delegation with Central Control67Delegation with Distributed Control68Deployment Considerations69Administering a Mix of Windows2000 and Windows Server2003 Domains69Delegation of Group Policy Results and Group Policy Modeling69Group Policy Modeling69WMI Filtering69Upgrading Windows2000 Domains to Windows Server2003 Domains and Interactionwith Group Policy Modeling70Using Group Policy Features Across Forests70Group Policy and Active Directory Sites71Using Group Policy and Internet Explorer Enhanced Security Configuration71IntelliMirror Features without Active Directory73Roaming User Profiles and Logon Scripts73Folder Redirection73Internet Explorer Maintenance73Applying Administrative Templates (Registry-Based Policy)73Setting Registry-based Policy in a Windows NT4.0 Domain74Migrating Policy-Enabled Clients from Windows NT4.0 to Windows2000 orWindows Server200375Windows NT4.0 and Windows2000 Policy Setting Comparison75Migrating to Windows2000 or Windows Server200376Client Computers76Upgrading Computer or User Accounts from Windows NT4.0 to Windows Server200376Using Group Policy in a Mixed Environment of Windows2000 and WindowsXP Clients76Active Directory with Windows2000 and WindowsXP Clients76Comparing IntelliMirror Features on Windows2000 and WindowsXP76Comparing Clients under Windows Server2003 Active Directory77Comparing clients under Windows2000 Active Directory77Comparing Clients Under Windows NTServer 4.078Folder Redirection and Software Installation78Internet Explorer Maintenance79Roaming Profiles79Security Settings7964 bit Integration Issues79Appendix A: Security Settings and User Rights80Security Settings in the Default Domain Controllers Policy80Help for Windows NT4.0 Administrators83Changing Password Policy for the Domain83Changing Auditing Policy or User Rights for Domain Controllers84Changing local Password Policy on member Workstations or Servers(Non-Domain Controllers)84Frequently Asked Questions about Security Settings84Appendix B: Group Policy Storage86Group Policy Container86Group Policy Template86Gpt.ini File86Gpt.ini for Active Directory GPOs87Local Group Policy Objects87Group Policy Template Subfolders87Registry.pol Files88How Registry.pol Files Are Created90Appendix C: WMI Filtering91How WMI Works91Active Directory Schema additions91Using WMI in Mixed Environments91Examples of WMI Filters91Software inventory-based targeting (Ored set)91Software inventory-based targeting( Anded set)92Operating system-based targeting92Hardware inventory-based targeting92Resource-based targeting92Computer-based targeting93Asset tag-based targeting93Hardware configuration-based targeting93Configuration-based targeting93File attribute-based targeting93Time zone-based targeting93Hot fix-based targeting93Further Information94Appendix D: Frequently Asked questions95Infrastructure - Server side95Infrastructure - Client side96Tools98Group Policy Management Console98Group Policy Object Editor99General Issues99Glossary101Related Links109Feedback on this Paper109Newsgroups About Group Policy109IntroductionIntended for system administrators, architects, and others who need to create and manage Group Policy settings, this paper explains Group Policy infrastructure and shows how the new Group Policy Management Console (GPMC) fits into this infrastructure. The paper includes detailed information about Group Policy processing as well as many best practices useful to the Group Policy administrator.Introduced in Windows 2000 Server, Group Policy provides directory-based desktop configuration management. With Group Policy, you can specify settings for registry-based policies, security, software installation, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance. The Windows Server2003 family of operating systems, extends Group Policy in a number of ways through GPMC, which includes scripting interfaces, Group Policy Results, Group Policy Modeling, and more.The Group Policy settings that you create are contained in a Group Policy object (GPO). By linking a GPO with selected Active Directory service system containerssites, domains, and organizational unitsyou can apply these settings to the users and computers in those Active Directory containers. To create GPOs, you use GPMC in conjunction with the Group Policy Object Editor, an MMC snap-in, also known previously as the Group Policy snap-in, Group Policy Object Editor, or GPedit.Administrative Requirements for Using Group PolicyIn order to use of all of its features, Group Policy requires Active Directory and client computers running Windows2000 or later. To set Group Policy for a selected Active Directory container, you must have a Windows2000 or Windows Server2003 domain controller installed, and you must have read and write permission to access the system volume of domain controllers (Sysvol folder) and modify rights to the currently selected directory container. The system volume folder is automatically created when you install a domain controller (or promote a server to domain controller). NoteGroup Policy depends on Active Directory; therefore, it is crucial to understand Active Directory and its structure. It is highly recommended that you familiarize yourself with Active Directory concepts before implementing Group Policy. To learn about Active Directory, see the Active Directory white papers at /ad. Information on planning and implementing Active Directory is available from the Windows Deployment and Resource Kits page at /reskit.GPMC System RequirementsGPMC can manage both Windows2000 and Windows Server2003 domains with Active Directory. In either case, the computer on which the tool itself runs must be running Windows Server2003 or WindowsXP Professional (with WindowsXP Service Pack1 and the Microsoft.NET Framework). Note: When installing GPMC on WindowsXP Professional with SP1, a post SP1 hotfix is required. This hotfix (Q326469) is included with GPMC. GPMC Setup prompts you to install WindowsXP QFE Q326469 if it is not already present. Feedback on this PaperIf you have any comments about this paper, contact mailto:.Whats New About Group Policy in Windows Server2003This section summarizes new features in Windows Server2003 Group Policy. The biggest change for Group Policy in Windows Server2003 is the introduction of GPMC, the new solution for Group Policy management that helps you manage an enterprise more cost-effectively. It consists of a new Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy. GPMC is available for download from the Microsoft GPMC Web site at /windowsserver2003/gpmc. This paper assumes you are using GPMC. Group Policy Management ConsoleGPMC simplifies the management of Group Policy by providing a single place for managing core aspects of Group Policy. It addresses the top Group Policy deployment requirements by providing the following functionality: A user interface that makes Group Policy much easier to use. Backup/restore of GPOs. Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters. Simplified management of Group Policyrelated security. HTML reporting for GPO settings and Resultant Set of Policy (RSoP) data. Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO). GPMC is used to create, view, and manage GPOs while the Group Policy Object Editor is used to edit GPOs. More information about GPMC is contained throughout this paper. For additional information about GPMC including step-by-step instructions for completing tasks, see the following resources: Group Policy Administration using the Group Policy Management Console. This white paper provides additional technical details of functionality in GPMC. GPMC Help. Available when you install GPMC, this provides step-by-instructions for GPMC tasks and addresses key concepts in GPMC. Microsoft GPMC Web site at /windowsserver2003/gpmc/. This site provides links to the latest GPMC resources including downloading information.New policy settingsWindows Server2003 includes more than 200 new policy settings. The new Windows Server2003 policy settings allow administrators to control the behavior of: System restore, error reporting, PC Health. Terminal server. Networking such as SNMP, Quality of Service (QoS), personal firewall, and dialup connections. DNS and net logon. Roaming user profiles and Group Policy. Control panel. Windows Media Player. Wireless configuration. Software restriction policy.Administrative Templates Changes For Administrative Templates policy settings, Group Policy Object Editor provides explain text directly in the Web view of the console. You also can find this explain text by double-clicking the policy setting and then clicking the Explain text tab. In either case, this text shows operating system requirements, defines the policy setting, and includes any specific details about the effect of enabling or disabling the policy setting. Because new Administrative Template policy settings have been added that only work on specific versions of the operating system such