Active Directory Cookbook for Windows Server 2003 - Part 29



strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
strOU = "<OrgUnitDN>" ' e.g. ou=Sales,dc=rallencorp,dc=com
boolBlock = TRUE ' e.g. set to FALSE to not block inheritance
' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

' Set (or clear) inheritance blocking on the OU
on error resume next
objSOM.GPOInheritanceBlocked = boolBlock
if Err.Number <> 0 then
   WScript.Echo "There was an error blocking inheritance."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock
end if

9.13.3 Discussion

By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects within the child OUs. Sometimes that may not be what you want, and you can disable inheritance as described in the solutions.

Try to avoid blocking inheritance when possible, because it makes determining which settings apply to a user or computer difficult. If someone sees that a GPO is linked at a top-level OU, they may think it applies to every object under it. The Resultant Set of Policy (RSoP) snap-in can help identify what settings are actually applied to a user or computer (see Recipe 9.20).

9.13.3.1 Using VBScript

To block inheritance, I first have to get a GPMSOM object for the OU by calling the GPMDomain.GetSOM method. The only parameter to this method is the DN of the OU (or an empty string to reference the domain itself). Next, I set the GPMSOM.GPOInheritanceBlocked property to either TRUE or FALSE, depending on whether you want inheritance blocked or not.
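The same operation with the GroupPolicy PowerShell module, as an added example that is not part of the book's recipe. It records the OU's inheritance state before the change, applies the block, verifies it, and then lists the links that still apply in precedence order, because blocking inheritance does not stop links that are marked Enforced. It assumes the RSAT GroupPolicy module is installed and that the OU DN and domain name are placeholders.

```powershell
# Added example (not from the book): block GPO inheritance on an OU and verify
# what the OU still receives afterwards.
# Assumptions: RSAT GroupPolicy module present, caller has Group Policy
# management rights; $ouDN and $domain are example values.
Import-Module GroupPolicy

$ouDN   = 'OU=Sales,DC=rallencorp,DC=com'   # assumed example OU
$domain = 'rallencorp.com'                   # assumed example domain
$block  = $true                              # $false to re-enable inheritance

# Record the state before the change so the edit is reversible and auditable.
$before = Get-GPInheritance -Target $ouDN -Domain $domain
"Before: GpoInheritanceBlocked={0}, applied links={1}" -f $before.GpoInheritanceBlocked, $before.InheritedGpoLinks.Count

# Set-GPInheritance takes Yes/No rather than a boolean.
$isBlocked = if ($block) { 'Yes' } else { 'No' }
Set-GPInheritance -Target $ouDN -Domain $domain -IsBlocked $isBlocked | Out-Null

# Verify instead of trusting the call's return value.
$after = Get-GPInheritance -Target $ouDN -Domain $domain
if ($after.GpoInheritanceBlocked -ne $block) {
    throw "Failed to set inheritance blocking on $ouDN"
}

# Blocking does not stop Enforced links from parent containers. List the links
# that apply to this OU in precedence order (what GPMC's inheritance tab shows),
# so nobody assumes a parent GPO is gone just because the OU shows the block.
"After: GpoInheritanceBlocked={0}" -f $after.GpoInheritanceBlocked
$after.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Running this with `$block = $false` reverses the change; the before/after output is worth keeping with the change record, since the RSoP confusion the Discussion warns about is usually a disagreement about which links survive the block.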


9.13.4 See Also

MSDN: GPMDomain.GetSOM and MSDN: GPMSOM.GPOInheritanceBlocked

Recipe 9.14 Applying a Security Filter to a GPO

9.14.1 Problem

You want to configure a GPO so that it applies only to members of a particular security group.

9.14.2 Solution

9.14.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.

3. Click on the GPO you want to modify.

4. In the right pane under Security Filtering, click the Add button.

5. Use the Object Picker to select a group and click OK.

6. Highlight Authenticated Users and click the Remove button.

7. Click OK to confirm.

9.14.2.2 Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply

> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

9.14.2.3 Using VBScript

' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission
' - SCRIPT CONFIGURATION -
strGPO = "<GPOName>" ' e.g. Sales GPO
strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
strGroupAdd = "<GroupName>" ' e.g. SalesUsers
strGroupRemove = "Authenticated Users"
' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")

set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object

set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO

set objGPMSearchCriteria = objGPM.CreateSearchCriteria

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
   objGPMConstants.SearchOpEquals, cstr(strGPO)

set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit

elseif objGPOList.Count > 1 then

WScript.Echo "Found more than one matching GPO. Count: " & _

objGPOList.Count

WScript.Echo "Exiting."

WScript.Quit

else

WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName

end if

' Get permission objects to Apply GPO

set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _

objGPMConstants.PermGPOApply, False)

set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _

objGPMConstants.PermGPOApply, False)

' Get the existing set of permissions on the GPO

set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo( )

' Add the new permission

objSecurityInfo.Add objGPMPerm1

' Remove Authenticated Users

objSecurityInfo.Remove objGPMPerm2

on error resume next

' Apply the permission to the GPO

objGPOList.Item(1).SetSecurityInfo objSecurityInfo

if Err.Number <> 0 then

WScript.Echo "There was an error setting the security filter."

WScript.Echo "Error: " & Err.Description

else

WScript.Echo "Added Apply permission for group " & strGroupAdd

WScript.Echo "Removed Apply permission for group " & strGroupRemove

end if

9.14.3 Discussion

Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to only be applied to members of another group.

Avoid using "Deny" as part of the security filter, because it can lead to confusion with accounts that are members of groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.

Be very careful when changing permissions on GPOs. If you create a very restrictive GPO and apply a security filter to it, put tight controls on who can modify the GPO and how. If for some reason that security filter were removed and the default Authenticated Users permission put back, the restrictive GPO could be applied to every user or computer in the domain.

9.14.3.1 Using VBScript

First, I have to find the target GPO. I use a GPMSearchCriteria object to find the GPO whose display name equals the name specified in the configuration section. I use an if/elseif/else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one GPO is returned, I call GPM.CreatePermission twice to create GPMPermission objects: one for the group I want to add as a security filter and one for the Authenticated Users group. Next, I use GPMGPO.GetSecurityInfo to retrieve the current ACL on the GPO. Finally, I add the permission for the new filter group to the ACL, remove the permission for Authenticated Users, and write the ACL back with GPMGPO.SetSecurityInfo.
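The same filter with the GroupPolicy PowerShell module, as an added example that is not part of the book's recipe, with one caveat the recipe predates: since the MS16-072 update (June 2016), user Group Policy is retrieved in the computer account's security context, so a GPO that drops Authenticated Users entirely is no longer readable by the computer and its user settings stop applying. The example therefore downgrades Authenticated Users from Apply to Read instead of removing them, and finishes with the audit of Apply and edit rights that the Discussion's warning calls for. It assumes the RSAT GroupPolicy module, rights to modify the GPO, and placeholder GPO and group names.

```powershell
# Added example (not from the book): restrict a GPO to one security group, keep
# it readable for policy processing, then audit who can still apply or edit it.
# Assumptions: RSAT GroupPolicy module present; $gpoName, $group and $domain are
# example values.
Import-Module GroupPolicy

$gpoName = 'Sales GPO'      # assumed example GPO
$group   = 'SalesUsers'     # assumed example security group
$domain  = 'rallencorp.com' # assumed example domain

# Grant the filter group Apply (GpoApply also grants Read).
Set-GPPermission -Name $gpoName -Domain $domain -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read rather than removing them.
# Read without Apply keeps the GPO from applying to them, while the computer
# account (a member of Authenticated Users) can still read the GPO, which
# user-policy retrieval has required since MS16-072. -Replace is needed
# because GpoRead is a lower level than the existing GpoApply.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Audit: every trustee that can apply or change this GPO. A restrictive GPO
# whose filter is widened back to Authenticated Users would hit the whole
# domain, so this list is what a change review should compare against.
$interesting = 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
Get-GPPermission -Name $gpoName -Domain $domain -All |
    Where-Object { $_.Permission.ToString() -in $interesting } |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }},
                  @{n = 'Type';    e = { $_.Trustee.SidType }},
                  Permission, Denied |
    Format-Table -AutoSize
```

Any row with Denied set to True is a "Deny" entry of the kind the Discussion advises against; any GpoApply row for Authenticated Users on a GPO meant to be restricted is the failure mode the last paragraph of the Discussion describes.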

9.14.4 See Also

MSDN: GPM.CreatePermission and MSDN: GPMGPO.GetSecurityInfo

Recipe 9.15 Creating a WMI Filter

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.15.1 Problem

You want to create a WMI filter.

9.15.2 Solution

9.15.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and click the WMI Filters container.

3. Right-click on the WMI Filters container and select New.

4. Enter a name and description for the filter.

5. Click the Add button.

6. Select the appropriate namespace, enter a WQL query, and click OK.

7. Repeat steps 5 and 6 for as many queries as you need to add.

8. Click the Save button.

9.15.2.2 Using VBScript

At the time of publication of this book, there were no GPM methods available for creating WMI filters.

9.15.3 Discussion

WMI filters are new in Windows Server 2003 and provide another way to filter how GPOs are applied to clients. WMI filters live in Active Directory as objects under the WMIPolicy container within the System container for a domain. A WMI filter consists of a WMI Query Language (WQL) query that, when linked to a GPO, will be run against all clients that the GPO applies to. If the WQL query returns a true value (that is, returns nonempty results), the GPO will continue to process. If the WQL query returns false (nothing is returned from the query), the GPO will not be processed.

The great thing about WMI filters is that the vast amount of information that is available in WMI on a client becomes available to filter GPOs. You can query against CPU, memory, disk space, hotfixes installed, service packs installed, applications installed, running processes, and the list goes on and on.

For example, if you want to create a GPO that applies only to computers that are running Windows XP Professional, it would have been really difficult to accomplish under Windows 2000. You would have either needed to create a security group that contained all of those computers as members (and apply a security filter), or move all of those workstations to a particular OU. With a WMI filter, this becomes trivial. Here is an example WQL query that would return true when run on a Windows XP Professional workstation:

select * from Win32_OperatingSystem

where Caption = "Microsoft Windows XP Professional"
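A filter is only as good as its queries, and a query that is wrong on the target clients silently filters the GPO out (or, on clients that ignore WMI filters, as the note at the top of this recipe implies for pre-XP systems, lets it apply regardless). The following added example, which is not part of the book, evaluates a set of WQL queries the way Group Policy does: a query is true when it returns at least one instance, and a filter with several queries is true only when every query is. It lets you test a filter on a representative machine before linking it. It assumes a Windows host with CIM available; the queries are examples, and the book's XP query is included to show how it evaluates on a current system.

```powershell
# Added example (not from the book): evaluate WMI filter queries locally (or
# on a remote host) with the same true/false semantics Group Policy uses.
# Assumptions: Windows host; Get-CimInstance available; queries are examples.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Query,    # one or more WQL queries, all must be true
        [string]$Namespace = 'root\CIMv2',          # namespace chosen in GPMC for the filter
        [string]$ComputerName                        # omit to test the local machine
    )
    $details = foreach ($q in $Query) {
        $params = @{ Namespace = $Namespace; Query = $q; ErrorAction = 'Stop' }
        if ($ComputerName) { $params.ComputerName = $ComputerName }
        try {
            $hits = @(Get-CimInstance @params)
            $err  = $null
        } catch {
            # Treat a query that cannot run as false: the safe assumption for a filter.
            $hits = @()
            $err  = $_.Exception.Message
        }
        [pscustomobject]@{
            Query   = $q
            Matches = $hits.Count
            Result  = ($hits.Count -gt 0)   # nonempty result set == true
            Error   = $err
        }
    }
    $name = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    [pscustomobject]@{
        ComputerName = $name
        Result       = (@($details | Where-Object { -not $_.Result }).Count -eq 0)  # AND of all queries
        Queries      = $details
    }
}

# The book's XP Professional query: false on anything newer than XP.
$xp = Test-WmiFilter -Query "select * from Win32_OperatingSystem where Caption = 'Microsoft Windows XP Professional'"
$xp.Queries | Format-Table -AutoSize
"XP filter on {0}: {1}" -f $xp.ComputerName, $xp.Result

# A version-independent "domain-joined workstation" filter with two queries:
# ProductType 1 = workstation; DomainRole 1 = member workstation.
$ws = Test-WmiFilter -Query @(
    "select * from Win32_OperatingSystem where ProductType = 1",
    "select * from Win32_ComputerSystem where DomainRole = 1"
)
$ws.Queries | Format-Table -AutoSize
"Workstation filter on {0}: {1}" -f $ws.ComputerName, $ws.Result
```

Exact string matches on Caption, as in the book's query, are brittle across editions and service packs; attribute-based queries such as ProductType or DomainRole, or a WQL LIKE pattern, age better. Whatever the query, run it this way on one machine from each class you expect to match and one from each class you expect to exclude before linking the filter.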

9.15.4 See Also

Recipe 9.16 for applying a WMI filter to a GPO and MSDN: Querying with WQL

Recipe 9.16 Applying a WMI Filter to a GPO

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.16.1 Problem

You want to apply a WMI filter to a GPO.

9.16.2 Solution

9.16.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to target, and expand the Group Policy Objects container.

3. Single-click on the target GPO.

4. In the right pane, at the bottom of the window, select a filter from the list of WMI filters.

5. After you've selected the WMI filter, click Yes to confirm.

9.16.2.2 Using VBScript

' This code links an existing WMI filter with a GPO

' - SCRIPT CONFIGURATION -

strGPO = "<GPOName>" ' e.g Sales GPO

strDomain = "<DomainDNSName>" ' e.g rallencorp.com

' e.g {D715559A-7965-45A6-864D-AEBDD9934415}

strWMIFilterID = "<WMIFilterID>"

' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")

set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object

set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO

set objGPMSearchCriteria = objGPM.CreateSearchCriteria

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _

objGPMConstants.SearchOpEquals, _

cstr(strGPO)

set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then

WScript.Echo "Did not find GPO: " & strGPO

WScript.Echo "Exiting."

WScript.Quit

elseif objGPOList.Count > 1 then

WScript.Echo "Found more than one matching GPO. Count: " & _

objGPOList.Count

WScript.Echo "Exiting."

WScript.Quit

else

WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName

end if

on error resume next

' Retrieve the WMI filter

strWMIFilter = "MSFT_SomFilter.Domain=""" & _

strDomain & """,ID=""" & _

strWMIFilterID & """"

set objWMIFilter = objGPMDomain.GetWMIFilter(strWMIFilter)

if Err.Number <> 0 then

WScript.Echo "Did not find WMI Filter: " & strWMIFilterID

WScript.Echo "Exiting."

WScript.Quit


else

WScript.Echo "Found WMI Filter: " & objWMIFilter.Name

end if

' Link the filter and print the result

objGPOList.Item(1).SetWMIFilter(objWMIFilter)

if Err.Number <> 0 then

WScript.Echo "Failed to set WMI filter."

WScript.Echo "Error: " & err.description

else

WScript.Echo "Set WMI filter successfully."

end if

9.16.3 Discussion

You can link only one WMI filter to a GPO. This is not necessarily a limitation, because you can still link more than one GPO to a site, domain, or OU. If you need multiple WMI filters to apply to a GPO, copy the GPO and apply a new WMI filter to it. See Recipe 9.15 for more information on WMI filters.

9.16.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO whose display name equals the name specified in the configuration section. I use an if/elseif/else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one GPO is returned, I call GPMDomain.GetWMIFilter to instantiate a GPMWMIFilter object based on the WMI filter GUID specified in the configuration section. If you need to programmatically search for the WMI filter ID, you can use the GPMDomain.SearchWMIFilters method. After I retrieve the GPMWMIFilter object, I call the GPMGPO.SetWMIFilter method to set the filter for the GPO.

9.16.4 See Also

MSDN: GPMDomain.GetWMIFilter and MSDN: GPMGPO.SetWMIFilter

Recipe 9.17 Backing Up a GPO

9.17.1 Problem

You want to back up a GPO.

9.17.2 Solution

9.17.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to back up, and expand the Group Policy Objects container.

3. Right-click on the GPO you want to back up, and select Back Up.

4. For Location, enter the folder path to store the backup files.

5. For Description, enter a descriptive name for the backup.

6. Click the Back Up button.

7. You will see a progress bar and status message that indicates whether the backup was successful.

8. Click OK to exit.

9.17.2.2 Using a command-line interface

> backupgpo.wsf "<GPOName>" "<BackupFolder>" /comment:"<BackupComment>"

9.17.2.3 Using VBScript

' This code backs up a GPO to the specified backup location

' - SCRIPT CONFIGURATION -

strGPO = "<GPOName>" ' e.g Default Domain Policy

strDomain = "<DomainDNSName>" ' e.g rallencorp.com

strLocation = "<BackupFolder>" ' e.g c:\GPMC Backups

strComment = "<BackupComment>" ' e.g Default Domain Policy Weekly

' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")

set objGPMConstants = objGPM.GetConstants( )

' Initialize the Domain object

set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO you want to back up

set objGPMSearchCriteria = objGPM.CreateSearchCriteria

objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
   objGPMConstants.SearchOpEquals, cstr(strGPO)

set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then

WScript.Echo "Did not find GPO: " & strGPO

WScript.Echo "Exiting."

WScript.Quit

elseif objGPOList.Count > 1 then

WScript.Echo "Found more than one matching GPO. Count: " & _

objGPOList.Count

WScript.Echo "Exiting."

WScript.Quit

else

WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName

End if

' Kick off the backup

On Error Resume Next

set objGPMResult = objGPOList.Item(1).Backup(strLocation, strComment)

' Call the OverallStatus method on the GPMResult

' This will throw an exception if there were any

' errors during the actual operation


objGPMResult.OverallStatus( )

if objGPMResult.Status.Count > 0 then

WScript.Echo "Status messages: " & objGPMResult.Status.Count

for i = 1 to objGPMResult.Status.Count

WScript.Echo objGPMResult.Status.Item(i).Message

next

WScript.Echo vbCrLf

end if

' Print the results

if Err.Number <> 0 then

WScript.Echo "The backup failed."

WScript.Echo "Attempted to backup GPO '" & strGPO & "' to location " & strLocation

WScript.Echo "Error: " & err.description

else

set objGPMBackup = objGPMResult.Result

WScript.Echo "Backup completed successfully."

WScript.Echo "GPO ID: " & objGPMBackup.GPOID

WScript.Echo "Timestamp: " & objGPMBackup.TimeStamp

WScript.Echo "Backup ID: " & objGPMBackup.ID

end if

9.17.3 Discussion

The GPMC provides a way to back up individual (or all) GPOs. A GPO backup consists of a set of folders and files that catalog the GPO settings, filters, and links, and is created in the backup location you specify. You can back up a GPO to a local drive or over the network to a file server. Restoring a GPO is just as easy and is described in Recipe 9.18.

Prior to GPMC, the only way to back up GPOs was by backing up the System State on a domain controller. The System State includes Active Directory and SYSVOL (both components are needed to completely back up a GPO). To restore a GPO using this method, you'd have to boot into Directory Services Restore Mode and perform an authoritative restore of the GPO(s) you were interested in. Needless to say, the GPMC method is significantly easier.

A good practice is to back up your GPO backups. Since all the backup information is captured in a series of files, you can back up that information to media, which provides two levels of restore capability. You could restore the last backup taken, which could be stored on a domain controller or file server, or you could go to tape and restore a previous version.

In the folder you specify to store the GPO backups is a list of folders that have GUIDs for names. This does not make it very easy to distinguish which backups are for which GPOs. A quick way to find that out is to use the querybackuplocation.wsf script, which lists each folder's GUID name and the GPO it corresponds to:

> querybackuplocation.wsf "c:\gpmc backups"

9.17.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO whose display name equals the name specified in the configuration section. I use an if/elseif/else conditional statement to ensure that only one GPO is returned. If none or more than one is returned, I abort the script. If only one is returned, I call the GPMGPO.Backup method to back up the GPO. The first parameter is the directory to store the GPO backup files, and the second parameter is a comment that can be stored with the backup. This comment may come in handy later for doing searches against the backups on a server, so you may want to think about what to put in it.
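The GroupPolicy PowerShell module performs the same backup and the restore that Recipe 9.18 covers. The following added example, which is not part of the book, backs up every GPO in the domain into a timestamped folder, writes an index mapping each GUID-named backup folder to its GPO (the job querybackuplocation.wsf does for GPMC backups), and restores one GPO by its backup ID so the right copy is picked even when a GPO has been backed up many times. It assumes the RSAT GroupPolicy module, a placeholder backup location, read rights on all GPOs and restore rights on the target GPO.

```powershell
# Added example (not from the book): back up all GPOs with a comment, index the
# run, and restore one GPO from it by backup ID.
# Assumptions: RSAT GroupPolicy module present; $domain, $backupRoot and
# $gpoName are example values.
Import-Module GroupPolicy

$domain     = 'rallencorp.com'   # assumed example domain
$backupRoot = 'D:\GPMC Backups'  # assumed location; keep it on restricted, separately backed-up storage
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$target     = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Backup-GPO returns one GpoBackup object per GPO; its Id is the folder name.
$backups = Backup-GPO -All -Domain $domain -Path $target -Comment "Scheduled backup $stamp"

# Index the run so a directory full of GUID-named folders stays searchable.
$index = $backups |
    Select-Object @{n = 'BackupId'; e = { $_.Id }},
                  @{n = 'GpoId';    e = { $_.GpoId }},
                  DisplayName, Timestamp, Comment
$index | Export-Csv -Path (Join-Path $target 'index.csv') -NoTypeInformation
$index | Format-Table -AutoSize

# Restore a single GPO from this run. Selecting by backup ID (the GUID folder)
# is unambiguous; selecting by name would take whatever copy is newest.
$gpoName = 'Sales Users GPO'   # assumed example GPO
$entry = $index |
    Where-Object DisplayName -eq $gpoName |
    Sort-Object Timestamp -Descending |
    Select-Object -First 1
if (-not $entry) { throw "No backup of '$gpoName' found in $target" }

Restore-GPO -Domain $domain -Path $target -BackupId $entry.BackupId | Out-Null
"Restored '{0}' from backup {1} taken {2}" -f $entry.DisplayName, $entry.BackupId, $entry.Timestamp
```

The restore brings back the GPO's settings and its ACL, including the security filter from Recipe 9.14, but not the links from sites, domains, or OUs to the GPO, nor the WMI filter object itself (only the GPO's reference to it), so those need to be checked after a restore. Note that the account that can run Restore-GPO can also replace a restrictive GPO wholesale, which is one more reason to keep the backup location as tightly controlled as the GPO.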

9.17.4 See Also

Recipe 9.18 for restoring a GPO and MSDN: GPMGPO.Backup

Recipe 9.18 Restoring a GPO

9.18.1 Problem

You want to restore a GPO.

9.18.2 Solution

9.18.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to restore, and expand the Group Policy Objects container.

3. Right-click on the GPO you want to restore, and select Restore from Backup.

4. Click Next.

5. Select the backup folder location and click Next.

6. Select the backup you want to restore and click Next.

7. Click Finish.

8. You will see the restore status window. After it completes, click OK to close the window.

9.18.2.2 Using a command-line interface

> restoregpo.wsf "<BackupFolder>" "<GPOName>"

9.18.2.3 Using VBScript

' This code restores a GPO from a backup

' - SCRIPT CONFIGURATION -

strGPO = "<GPOName>" ' e.g Sales Users GPO

strDomain = "<DomainDNSName>" ' e.g rallencorp.com

strLocation = "<BackupFolder>" ' e.g c:\GPMC Backups

strBackupID = "<BackupGUID>" ' e.g {85CA37AC-0DB3-442B-98E8-537291D26ED3}

' - END CONFIGURATION -

set objGPM = CreateObject("GPMgmt.GPM")

set objGPMConstants = objGPM.GetConstants( )

Posted: 05/07/2014, 08:20