Aim: To explore about the Group Policy in Windows 7
Group Policies:
In Windows7,the Group Policy architecture includes these enhancements, as discussed in the following sections:
· Group Policy Client service
· Support for Network Location Awareness
· Multiple Local Group Policy Objects(LGPOs)
· Updated management tools and policy file formats
1. Introducing the Group Policy Client Service
The Group Policy Client service completely isolates Group Policy notification and processing from the Windows logon process. Separating Group Policy from the Windows Logon process:
· Ensures that a single service cande liver the needed Group Policy functionality
· Enables more dynamic control over how policy settings are applied, maintained, and updated
· Reduces the resources used for back ground processing of policies while increasing overall performance
· Allows delivery of new Group Policy files as part of the update process and application of those updates without restart
The Group Policy Client service is a standalone service that runs under the Svchost process and no longer uses the trace logging functionality in userenv.dll. As a result, Group Policy event messages are now written to the system log with the event source of Microsoft-Windows-Group Policy, and the Group Policy Operational log replaces previous Userenv logging. The operational event log provides detailed event messages specific to Group Policy processing. When trouble shooting Group Policy issues, you’ll use this log rather than userenv.log as you did windows and earlier versions.
2. Using Multiple Local Group Policy Objects
Unlike Windows XP and earlier implementations of Group Policy, Group Policy in Windows Vista and Windows7 allows the use of multiple LGPOs on a single computer. Previously, computers had only one LGPO. Windows Vista and Windows 7 allow you to assign a different LGPO to each local user or group. This allows the application of a policy to be more flexible and support a wider array of implementation scenarios.
Multiple LGPOs are particularly useful when computers are being used in a stand alone configuration rather thana domain configuration, because local administrator users no longer have to explicitly disable or remove settings that interfere with their ability to manage a computer before perform administrator tasks. Instead, an administrator user can implement one LGPO for administrators and another LGPO for non administrators.
3. Enhancing Group Policy Application
Thanks to the Network Location Awareness feature in Windows Vista and Windows7, Group Policy can respond better to changing network conditions and no longer relies on ICMP(ping) for policy application. Network Location Awareness ensures that a computer is aware of the type of network to which it is currently connected—in other words, whether the computer is on a home ,public, or work network—and is responsive to changes in the system status or network configuration. This gives Group Policy access to the resource detection and event notification capabilities in the operating system, allowing Group Policy to determine when a computer is in standby mode or resuming from hibernation, as well as when a network connection has been disabled or disconnected. In cases where the network isn’t available, Group Policy won’t wait for the network, allowing for faster startup.
Because ICMP (ping) is no longer used for slow link detection, business networks can filter this protocol on their firewalls. Group Policy uses Network Location Awareness to determine the network bandwidth. When mobile users connect to a business network, Group Policy can detect the availability of a domain controller and initiate a background refresh of policy over the VPN connection.
4. Improving Group Policy Management
Windows7 includes the Group Policy Management Console(GPMC)and Group Policy Object Editor (GPOE) for managing Group Policy. If you are an administrator, you can install the GPMC as part of the Remote Server Administration Tools for Windows7. GPOE is included with Windows 7.
Using the GPMC, shown in Figure 1, you can manage Active Directory Group Policy in an enterprise environment. To edit Group Policy for your local computer or users, skip ahead to the next example. To open the GPMC, follow thesesteps:
1. Log on to a computer running Windows 7withan administrative user account.
2. Click Start, type mmc into the Search box,and then press Enter.
3. In the Microsoft Management Console, click File→Add/Remove Snap-in.
4. In the Add or Remove Snap-in dialog box, click Group Policy Management Console, click Add, and then click
ok
5. You can now navigate through the fore stand domains in the organization to view individual Group Policy
Objects (GPOs).
6. If you expand the site, domain, or organizational unit node in which a related policy object is stored, you can
right-click the policy object and then choose Edit. This opens the object for editing in the GPOE
Figure1.Accessing Active Directory Group Policy Using theGPOE,showninFigure2,you can manage group policy for your local computer. To open the GPOE, follow these steps: 1. Log onto a computer running Windows 7with an administrative user account. 2. Click Start, type mmc into the Search box, and then press Enter. 3. In the Microsoft Management Console, click File→Add/Remove Snap-in. 4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and then click Add. 5. In the Select Group Policy Object dialog box, the default object is the Local Computer Group Policy Object. If this is the object you want to work with, click Finish. If this isn’t the object you want to work with, click Browse, select the object you want to work with, and then click OK. 6. Click OK to close the Add or Remove Snap-ins dialog box.
7. You can now work with the GPO you’ve opened.
Figure2.Accessing Local Group Policy For Windows Vista and Windows 7, the GPMC and GPOE have been updated to work with XML-based Administrative Templates and use a document format referred to as ADMX. These tools can also work with the previous ADM format. ADMX files are divided into language-neutral and language-specific file sets. The language-neutral files ensure that a GPO has the same core policies. The language-specific files allow policies to be viewed and edited in multiple languages. Because the language-neutral files store the core settings, policies can be edited in any language for which a computer is configured, thus allowing one user to view and edit policies in English and another to view and edit policies in Spanish. The mechanism that determines which language is used is the language pack installed on the computer.
In domains, ADMX files are stored in a central store—the domain-wide directory created in the System volume (Sysvol). Previously, Administrative Templates were stored with each GPO. In the new implementation, only the current state of the setting is stored in the GPO and the ADMX files are stored centrally. As a result, this reduces the amount of storage space used as the number of GPOs increases, and it reduces the amount of data being replicated through out the enterprise. Aslong as you edit GPOs using Windows Vistaor Windows 7, new GPOs will not contain either ADM or ADXM files inside the GPO. 5. Editing Group Policy After you access a policy for editing, you can use the GPOE to work with group policies. The GPOE has two main nodes: Computer Configuration Enables you to set policies that are applied to computers, regardless of who logs on User Configuration Enables you to set policies that are applied to users, regard less of which computer they log on to The Computer Configuration and User Configuration nodes have subnodes for the following: Software Settings Enables you to set policies for software settings and software installation Windows Settings Enables you to set policies for name resolution, scripts, printers, security, and quality of service Administrative Templates Enables you to set policies for the operating system, Windows components, and programs The policy settings you’ll work with the most are those found under Administrative Templates. You can enable, disable, and configure policy settings for Administrative Templates by completing the following steps: 1. Open the policy object you want to edit. Access the GPOE for the resource you want to work with.
2. Expand Computer Configuration→AdministrativeTemplatesorUserConfiguration→Administrative Templates as appropriate for the type of policy you want to set.
3. After you expand the policy subfolders as appropriate, double-click a policy or right-click it and select Edit to display its Properties dialog box.
4. The Help section of the dialog show description of the policy, if one is available.
5. Use the following buttons to change the state of the policy:
Not configured
The policy is not configured.
Enabled
The policy is enabled.
Disabled
The policy is disabled.
6. If you enabled the policy, set any additional parameters specified .
7. Click OK to save your settings.
Policy changes are applied when Group Policy is refreshed. Windows automatically refreshes policy periodically. However, with some types of policies you may need to log out and then log back in, or restart the computer
Result: Hence the Windows 7 group policies has been studies and the configurations are properly done.
コメント