Information Technology Reference
In-Depth Information
6. Click
File
,
Add/Remove Snap-in
from the MMC menu. In the Available snap-ins list box,
click
Group Policy Object Editor
, and then click
Add
.
7. In the Select Group Policy Object dialog box, click
Browse
. In the Browse for a Group Policy
Object dialog box, click the
Users
tab. Click
Administrators
in the Name list box, and then
click
OK
. Click
Finish
and then
OK
.
8. Click to expand
Local Computer
\
Administrators Policy
. Click to expand
User Configuration
and
Administrative Templates
, and then click the
Control Panel
node.
9. In the right pane, double-click
Prohibit access to the Control Panel
. In the Properties dialog
box, click
Disabled
, and then click
OK
.
10. Click
Start
. The Control Panel should be displayed on the Start menu. Type
compmgmt.msc
in the Start Search text box and press
Enter
. The Computer Management MMC opens.
11. Click to expand the
Local Users and Groups
snap-in, and then click the
Users
folder. Right-
click the middle pane and click
New User
.
12. In the New User dialog box, type
TestGPO
in the User name text box and
Password01
in
the Password and Confirm password text boxes.
13. Click to clear the
User must change password at next logon
check box. Click
Create
, and
then click
Close
. Close Computer Management.
14. Log off Vista and log back on as
TestGPO
with
Password01
. You have to enter the user-
name as
VistaXX\TestGPO
so that Vista knows you're logging on to the local computer.
15. Click
Start
. Notice that Control Panel isn't on the Start menu. Type
Control Panel
in the
Start Search text box and press
Enter
. You get an error message stating that the operation
was canceled because of restrictions on the computer. Click
OK
.
16. Log off the Vista computer and log back on to the domain from your Vista computer as
advuser1
.
17. Click
Start
. Control Panel isn't displayed on the Start menu, which demonstrates that the
Local Computer Policy affects domain users as well as local users. The only local GPO that
doesn't affect domain users is the user-specific GPO, which can be configured for users only
in the local SAM database.
18. Log off and log back on to the Vista computer as Administrator. Open the Group Policy
Object Editor (referring to Step 2 if you need help). Change the Prohibit access to the
Control Panel policy back to
Not configured
.
19. Close all open windows.
7
Domain GPOs
Domain GPOs
are stored in Active Directory on domain controllers. They
can be linked to a site, a domain, or an OU and affect users and computers whose accounts are
stored in these containers. A domain GPO is represented by an Active Directory object, but it's
composed of two separate parts: a group policy template (GPT) and a group policy container
(GPC). The GPT and GPC have different functions and hold very different information, but they
do have these things in common:
•
Naming structure
—Each GPO is assigned a globally unique identifier (GUID), a 128-bit
value represented by 32 hexadecimal digits that Windows uses to ensure unique object
IDs. The GPT and GPC associated with a GPO are stored in a folder with the same name
as the GPO's GUID. This naming structure makes associating each GPO with its GPT and
GPC easier.
•
Folder structure
—Each GPT and GPC has two subfolders: Machine and User. The
Machine folder stores information related to the Computer Configuration node of a GPO,
and the User folder stores information about the User Configuration node.
One reason administrators must understand the structure of GPOs is so that they know
where to look when problems arise, particularly with replication of GPOs (covered later in this
Search WWH ::
Custom Search