6.1.1 Tools for managing and configuring Group Policy
- 6.1.2 What Group Policy can do
- 6.1.3 Group Policy Objects (GPO) GPO
- GPTGPOGUIDDC128GPCGPOGUIDGPT%systemroot%\SYSVOL\sysvol
6.2 Creating Group Policy
GPO GPO GPO —— Builtin OU( )GPO GPO GPO
6.2.1 Creating a Group Policy
OUGPO1Active Directory .GPOOU2GPO
6.2.2 Linking a Group Policy
GPO GPO gPLink gPOptions GPO GPO1Active Directory .GPOOU2GPOGPO
6.3 How Group Policy is applied in Active Directory
GPO
6.3.1 How Group Policy is processed
Windows 2000 Windows 2000 DLLswinnt\system32
6.3.2 Controlling Group Policy processing
Windows2000 ² WindowsGPOOUGPOWindowsOUOU² Windows 20005Windows 20000DC9030DCWindows 2000
secedit /refreshpolicy user_policy /force
secedit /refreshpolicy machine_policy /force
Windows Server 2003 gpupdate Active Directory secedit /refreshpolicy
gpupdate /target:user /force
gpupdate /target:computer /force
gpupdate /force
² 500kbps
6.3.3 Resolving conflicts between Group Policy settings
DCGPOGPO
² DCGPO => DCGPO
² GPO
6.4 Group Policy inheritance
OU OU OU OU OU OU OU
6.4.1 Enabling Block Inheritance and No Override
Block InheritanceGPO OU GPO GPO GPO GPO
AccountsOU GPOAccountsOU OUAccountsOUProductionOU GPO ² GPO
GPO1OUOU AccountsOU ProductionOUAcctuser1Acctuser22Active Directory Accounts OU3Restricted Standard Desktop GPO GPO4 => =>
5GPOEnforced User PoliciesCtrl+Alt+Del
67Acctuser1Acctuser2Ctrl+Alt+DelOUOUGPO² GPO GPO ProductionOU 1AccountsOU ProductionOU2Production
3Acctuser1Acctuser2Ctrl+Alt+DelOUOUGPO² 1Active Directory Accounts OU2Enforced User Policies
3Acctuser1Acctuser2Ctrl+Alt+DelOUOURestricted Standard Desktop Enforced User Policies
6.4.2 Security group filtering
GPO GPO GPO DACL DACL GPO GPO GPO GPO OU DACL GPO ²
1
1OU2OUGPO3
2
OUGPO:
1DACL2OU3OUGPO4² GPO 1ManagementAcctuser22Active Directory Accounts OU3Enforced User Policies4ManagementManagementACE 6-8
56Acctuser1Ctrl+Alt+DelOUOURestricted Standard Desktop Enforced User Policies7Acctuser2Ctrl+Alt+DelOUOURestricted Standard Desktop Enforced User Policies
6.5 Delegating administrative control of Group Policy
GPO²
² GPO
GPO² GPO
GPO
6.6 Monitoring Group Policy
² 1=> Regedit2HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion => => Diagnostics3Diagnostics => “DWORD Value”RunDiagnosticsLoggingGlobal4RunDiagnosticsLoggingGlobal1
²
“%systemroot%\Debug\UserMode”Userenv.logUserEnvDebugLevel30002HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon300023000130000