Group Policy Preferences is the new type of Group Policy Object setting
that is available if you have a Windows Sever 2008 server or Windows
Vista SP1 computer. In order not to bog you down with the details of
Group Policy
To administer Group Policy Preferences you need to have a Windows Server
2008 server OR a Windows Vista desktop, which is running SP1 and has
the RSAT installed. Both of these environments have the new Group Policy
Management Console (GPMC) installed on them which is required to
administer Group Policy Preferences.
Creating New Local Groups
The creation of a new local group on numerous desktops can be a daunting task. Group Policy Preferences provide an easy way to accomplish this for nearly all of your Windows desktops and servers. You can create a new local group on a server or desktop by ether targeting the computer object or user object. In most cases when you want to create a new local group, you will target computer objects.To accomplish this task, create and link a GPO to an organizational unit which contains the computer object you want to target. Edit the GPO and expand Computer Configuration|Preferences|Control Panel Settings|Local Users and Groups. Right click on Local Users and Groups, then select New - Local Group. This will open up the New Local Group dialog box, which is shown in Figure.
To create a new group, select the Create option on the Action drop down
list. Then, type in the name of the local group, description for the
local group, etc. Figure 2 illustrates an example of creating a new
local group named LocalHelpDesk.
Modifying Local Group Membership Using Group Policy Preferences
Whether you are creating new local groups or modifying existing groups, you can control the membership of the local group using Group Policy Preferences. Although this task can be accomplished using Restricted Groups which have been in Group Policy for some time (Computer Configuration|Windows Settings|Security Settings|Local Policies|Restricted Groups), using Group Policy Preferences to complete the task provides you more granular control.Restricted Groups is a “delete and replace” control, which will take the current list of group members and delete them, before replacing them with the list of users and groups that are configured in the policy.
The Group Policy Preference for Local Groups is much different. Here, you have the ability to control which user and group accounts are added, which ones are deleted, and even control the removal of all users and/or groups before getting granular with you control. Figure 3 illustrates what a configuration might look like after you control your new LocalHelpDesk group.
Notice that the “Remove all user accounts” and “Remove all group accounts” check boxes can be left unchecked or configured. If you configure both of these check boxes the Local Group policy will behave just like Restricted Groups.
Another key point is the ability to control the addition or removal of a new user or group. Figure 4 illustrates what the setting looks like when you add in a new group to the Members list, giving you the ability to add or remove the group from the local group you are managing.
Managing the Local Administrators or Other Local Group
If you want to manage an existing local group, you can do that easily too. We just looked at a situation where we modified the group membership. However, there is still more. Here I want to focus on the local Administrators group, which is essential for managing the local computer. If a user has membership in this group, that user can do anything to the computer, regardless of the desires and configurations from the domain. Thus, it is imperative that you manage the membership of this group.In most instances administrators want to have the Domain Admins group and local Administrator user account have membership in the local Administrators group. In addition to this, administrators typically don’t want the user of the computer to have their user account have membership in the local Administrators group.
To make all of this happen within minutes of configuring the Group Policy Preference, configure a new Local Group policy under the User Configuration|Preferences|Control Panel|Local Users and Groups node instead of under the Computer Configuration. Figure 5 illustrates why you want to configure the policy under the User Configuration node.
Notice that the Local Group Policy in Figure 5 has a new check box, “Remove the current user”. This will take the user account that was used to log on to the computer out of the local Administrators group. As you can see, this is an extremely powerful setting. Combine this with the addition of the Domain Admins and local Administrator, which is also shown in Figure 5, and you have now accomplished something that could take you weeks in just mere minutes.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.