Active Directory By the Numbers: Windows Server 2003

Group Policy Objects

Client Management: Group Policy Objects

So far, we've joined our client computers to our domain. They can access shares for which they have the proper permissions, and are denied access to folders for which they have no permissions. But we can do more. Imagine the following scenario, using our three departments of Marketing, Art, and Accounting:

So how can we force these departments' computers to take on the attributes described here? This is done with the Group Policy Object (GPO). The GPO is a set of rules that govern a computer's behavior in an Active Directory domain. Simply put, it's client management.

GPOs can be applied using Active Directory Users and Computers (recall that we've already used this console when creating our OUs, users, and groups), or Active Directory Sites and Services, discussed in the next chapter. You may apply a number of GPOs in the same domain, and they all take on an inheritance behavior similar to NTFS permissions. In Active Directory Users and Computers, for example, GPOs are applied from top to bottom, with each child object inheriting the traits of its parent. For example, our South Wing OU contains three sub-OUs named Users, Groups, and Shared Folders. If we were to apply a GPO to the parent OU South Wing, all three sub-OUs (and their contents) inherit South Wing's GPO settings, as shown here:
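The top-to-bottom inheritance described above can also be modeled in a few lines of Python. This is an added example, not from the book and not a replacement for its figure. It goes slightly beyond the text by showing which GPO wins when a parent and a child set the same value. The domain name, the `Elsewhere` OU, the GPO names and the settings are constructed sample data, and each container's link list is assumed to already be in processing order.

```python
# Added illustration: which GPOs reach an object, and which one wins per setting.
# All names below (domain, GPOs, settings, Elsewhere OU) are constructed samples.

def container_chain(dn):
    """Containers above an object, ordered from the domain root down to its
    immediate parent OU. Assumes the DN contains no escaped commas."""
    parts = [p.strip() for p in dn.split(",")]
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[first_dc:])]          # the domain itself
    for i in range(first_dc - 1, 0, -1):          # each OU, parent before child
        chain.append(",".join(parts[i:]))
    return chain

def effective_policy(dn, links, gpos):
    """Return (GPO names in processing order, {setting: (value, source GPO)})."""
    applied, settings = [], {}
    for container in container_chain(dn):
        for name in links.get(container, []):     # assumed already in order
            applied.append(name)
            for key, value in gpos[name].items():
                settings[key] = (value, name)     # GPO applied later wins
    return applied, settings

DOMAIN = "DC=example,DC=local"
SOUTH_WING = "OU=South Wing," + DOMAIN
GPOS = {
    "Domain Baseline": {"ScreenSaverTimeout": 900, "DisableRegistryTools": True},
    "South Wing Lockdown": {"ScreenSaverTimeout": 300, "HideControlPanel": True},
}
# GPO links: one at the domain, one on the parent OU South Wing only.
LINKS = {DOMAIN: ["Domain Baseline"], SOUTH_WING: ["South Wing Lockdown"]}

if __name__ == "__main__":
    for dn in ("CN=Alice,OU=Users," + SOUTH_WING,
               "CN=Bob,OU=Elsewhere," + DOMAIN):
        applied, settings = effective_policy(dn, LINKS, GPOS)
        print(dn)
        print("  applied in order:", applied)
        for key, (value, source) in sorted(settings.items()):
            print(f"  {key} = {value}  (from {source})")
```

An account in the Users sub-OU picks up the South Wing GPO even though nothing is linked to Users itself, which is why a link on a parent OU should be reviewed against everything beneath it.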
