
Active Directory Cookbook for Windows Server 2003 - P30


DOCUMENT INFORMATION

Basic information

Title: Active Directory Cookbook for Windows Server 2003
School: Standard University
Field: Computer Science
Type: Cookbook
Year of publication: 2003
City: New York
Page count: 10
Size: 39.56 KB

Contents


' ---- SCRIPT CONFIGURATION ----
' The configuration block and the two CreateObject/GetConstants lines below
' are not on this page; they are the standard GPMC preamble the fragment
' needs in order to run. Replace the placeholders before use.
strDomain   = "<DomainDNSName>"   ' e.g. rallencorp.com
strLocation = "<BackupFolder>"    ' folder that holds the GPMC backups
strBackupID = "<BackupGUID>"      ' GUID of the backup to restore
' ---- END CONFIGURATION ----

set objGPM          = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Make sure backup location and ID are valid
set objGPMBackupDir = objGPM.GetBackupDir(strLocation)
set objGPMBackup    = objGPMBackupDir.GetBackup(strBackupID)

WScript.Echo "Backup found:"
WScript.Echo "  ID:        " & objGPMBackup.ID
WScript.Echo "  Timestamp: " & objGPMBackup.TimeStamp
WScript.Echo "  GPO ID:    " & objGPMBackup.GPOID
WScript.Echo "  GPO Name:  " & objGPMBackup.GPODisplayName
WScript.Echo "  Comment:   " & objGPMBackup.Comment
WScript.Echo

' Perform restore
set objGPMResult = objGPMDomain.RestoreGPO(objGPMBackup, _
                                           objGPMConstants.DoNotValidateDC)

' This will throw an exception if there were any errors
' during the actual operation
on error resume next
objGPMResult.OverallStatus()

if objGPMResult.Status.Count > 0 then
    WScript.Echo "Status message(s): " & objGPMResult.Status.Count
    for i = 1 to objGPMResult.Status.Count
        WScript.Echo objGPMResult.Status.Item(i).Message
    next
    WScript.Echo vbCrLf
end if

' Print result
if Err.Number <> 0 then
    WScript.Echo "Error restoring GPO " & objGPMBackup.GPODisplayName
    WScript.Echo "Error: " & Err.Description
else
    WScript.Echo "Restore successful."
    WScript.Echo "GPO '" & objGPMBackup.GPODisplayName & _
                 "' has been restored."
end if

9.18.3 Discussion

To restore a GPO using GPMC, you first need a valid backup of the GPO. The procedure for backing up a GPO is described in Recipe 9.17. You can then restore the GPO, even if the GPO has been deleted. To restore a deleted GPO, use the following steps:

1. Right-click on the Group Policy Objects container in the target domain and select Manage Backups.

2. Highlight the GPO you want to restore and click the Restore button.

3. Click Yes to confirm.

4. Click OK after the restore completes.

If you don't have a valid backup of the GPO, but you do have another GPO that is identical or similar to the one you want to restore (perhaps in another forest), you can copy that GPO to replace the one you want to restore. See Recipe 9.3 for more on copying GPOs.

9.18.3.1 Using VBScript

To restore a GPO, I have to first get a handle to the backup I am going to restore from. This is done by instantiating an object to the backup location with GPM.GetBackupDir, and then calling GPMBackupDir.GetBackup with the GUID of the backup to be restored. If you need to programmatically search for the backup ID, you can use the GPMBackup.SearchBackups method to find the most recent backup or a backup with a particular display name.

After I obtain a GPMBackup object, I call the GPMDomain.RestoreGPO method. The first parameter is the GPMBackup object that represents the backup to restore. The second parameter is a validation flag, and I use the constant that causes the restore to not be validated against a domain controller.

9.18.4 See Also

Recipe 9.3 for copying a GPO, Recipe 9.17 for backing up a GPO, and MSDN: GPMDomain.RestoreGPO

Recipe 9.19 Simulating the RSoP

9.19.1 Problem

You want to simulate the RSoP based on OU, site, and security group membership. This is also referred to as Group Policy Modeling.

9.19.2 Solution

This must be run against a Windows Server 2003 domain controller.

9.19.2.1 Using a graphical user interface

1. Open the GPMC snap-in.

2. In the left pane, right-click Group Policy Modeling and select Group Policy Modeling Wizard.

3. Select a domain controller to process the query and click Next.

4. Under User Information and/or Computer Information, select either the container you want to simulate to contain the user or computer or select a specific user or computer account, and click Next.

5. Select a site if necessary, and click Next.

6. If you selected a target user container or user account in step 4, you will be presented with an option to simulate different group membership. Click Next when you are done.

7. If you selected a target computer container or computer account in step 4, you will be presented with an option to simulate different group membership. Click Next when you are done.

8. If you selected a target user container or user account in step 4, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.

9. If you selected a target computer container or computer account in step 4, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.

10. Click Next to start the simulation.

11. Click Finish.

12. In the right pane of the GPMC window, the results of the simulation will be displayed.

9.19.3 Discussion

With GPMC, you can simulate the RSoP based on user-defined OU, site, group, and domain membership. This is very powerful because it allows you to create one or more GPOs, simulate them being applied to a user and computer, and determine whether any changes are necessary before deployment.

9.19.4 See Also

Recipe 9.20 for viewing the RSoP

Recipe 9.20 Viewing the RSoP

9.20.1 Problem

You want to view the actual RSoP for a user and computer. This is a great tool for determining if policies are being applied correctly on a client.

9.20.2 Solution

9.20.2.1 Using a graphical user interface

The RSoP snap-in is available only on Windows Server 2003 and Windows XP.

Open the RSoP snap-in by running rsop.msc from the command line. This will cause the RSoP snap-in to evaluate the group policies for the target computer and pop open an MMC console so that you can browse the applied settings.

You can target a different computer by right-clicking the top of the tree in the left pane and


9.20.2.2 Using a command-line interface

> gpresult

With the Windows Server 2003 version of gpresult, you can specify a /S option and the name of a computer to target, which allows you to run the command remotely. With Windows 2000, there is a /S option, but it enables super verbose mode. There is no way to target another computer with the Windows 2000 version. For a complete list of options with either version, run gpresult /? from a command line.

9.20.3 Discussion

If you implement more than a few GPOs, it can get confusing as to what settings will apply to users. To address this problem, you can query the resultant set of policy on a client to determine what settings have been applied.

The registry on the target computer is another source of information. You can view the list of policies that were applied to the computer by viewing the subkeys under this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History

The settings that were applied are not stored in the registry, but you can obtain the GPO name, distinguished name, SYSVOL location, version, and where the GPO is linked.
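The History key described above is just as useful offline, for example when reviewing a registry hive exported from a machine image rather than querying a live client with gpresult. The following is an added example, not code from the book: a Python parser that reads a `.reg` export of the History key and lists, per client-side extension, each GPO that was applied, in application order, with the GPO name, distinguished name, SYSVOL path, link location and version. The sample export is constructed, not captured from a real machine; the value names it uses (DisplayName, GPOName, DSPath, FileSysPath, Version, Link) are the ones the History key records, the first extension GUID is the Registry client-side extension and the first GPO GUID is the well-known Default Domain Policy, while the second GPO GUID and all the example.com paths are made up. The same subkey layout exists under HKEY_LOCAL_MACHINE for computer policy, so the parser matches the key by its tail rather than by hive.

```python
import re
from collections import defaultdict

# Constructed sample export (not from a real machine). Under History, the first
# subkey level is the client-side extension GUID ({35378EAC-...} is the Registry
# CSE) and the numbered subkeys below it are the GPOs in application order.
# {31B2F340-...} is the well-known Default Domain Policy GUID; the second GPO
# GUID and the example.com paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0]
"DisplayName"="Default Domain Policy"
"GPOName"="{31B2F340-016D-11D2-945F-00C04FB984F9}"
"DSPath"="LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com"
"FileSysPath"="\\\\example.com\\sysvol\\example.com\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\User"
"Version"=dword:00050003
"Link"="LDAP://DC=example,DC=com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\1]
"DisplayName"="Sales Desktop Lockdown"
"GPOName"="{11111111-2222-3333-4444-555555555555}"
"DSPath"="LDAP://CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com"
"FileSysPath"="\\\\example.com\\sysvol\\example.com\\Policies\\{11111111-2222-3333-4444-555555555555}\\User"
"Version"=dword:00020000
"Link"="LDAP://OU=Sales,DC=example,DC=com"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Matches ...\Group Policy\History\{extension GUID}\<n> under either hive.
HISTORY_RE = re.compile(r"\\Group Policy\\History\\(\{[0-9A-Fa-f-]+\})\\(\d+)$")


def _decode_value(raw):
    """Turn a .reg value literal into a Python value (strings and DWORDs only)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg exports escape backslashes and quotes inside string values
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_history(reg_text):
    """Return {extension_guid: [gpo_values, ...]} ordered by the numeric subkey."""
    history = defaultdict(dict)
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            hit = HISTORY_RE.search(section.group(1))
            current = (hit.group(1).upper(), int(hit.group(2))) if hit else None
            if current:
                history[current[0]].setdefault(current[1], {})
            continue
        value = VALUE_RE.match(line)
        if value and current:
            history[current[0]][current[1]][value.group(1)] = _decode_value(value.group(2))
    return {ext: [subkeys[i] for i in sorted(subkeys)] for ext, subkeys in history.items()}


def split_version(version):
    """GPO version DWORD: low 16 bits = computer settings, high 16 bits = user settings."""
    return version & 0xFFFF, version >> 16


def summarize(reg_text):
    """Flatten the parsed history into one row per applied GPO."""
    rows = []
    for ext, gpos in parse_history(reg_text).items():
        for order, gpo in enumerate(gpos):
            computer_ver, user_ver = split_version(gpo.get("Version", 0))
            rows.append({
                "extension": ext, "order": order,
                "name": gpo.get("DisplayName"), "guid": gpo.get("GPOName"),
                "dn": gpo.get("DSPath"), "sysvol": gpo.get("FileSysPath"),
                "linked_at": gpo.get("Link"),
                "computer_version": computer_ver, "user_version": user_ver,
            })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REG):
        print(row)
```

Because the History key records the SYSVOL path and link location for each GPO, a row whose FileSysPath points outside the domain's SYSVOL, or whose Link does not correspond to a container the client should be in, is worth a second look during an investigation; the parser keeps those fields so they can be compared against what Group Policy Modeling says should apply.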

9.20.4 See Also

Recipe 9.19 for simulating the RSoP

Recipe 9.21 Refreshing GPO Settings on a Computer

9.21.1 Problem

You've made some changes to a GPO and want to apply them to a computer by refreshing the group policies for the computer.

9.21.2 Solution

9.21.2.1 Using a command-line interface

On Windows Server 2003 or Windows XP, use this command:

> gpupdate [/target:{Computer | User}]

On Windows 2000, use this command:

> secedit /refreshpolicy [machine_policy | user_policy]


9.21.3 Discussion

The new gpupdate command is a much-needed improvement over the older secedit utility. With gpupdate you can force all settings to be applied with the /force option (the default is only changed settings). You can apply the computer or user settings of GPOs using the /target option, and you can force a logoff or reboot after the settings have been applied using the /logoff and /boot options.

9.21.4 See Also

MS KB 298444 (A Description of the Group Policy Update Utility)

Recipe 9.22 Restoring a Default GPO

9.22.1 Problem

You've made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now want to reset them to their original configuration.

9.22.2 Solution

This tool can be run only from a Windows Server 2003 domain controller.

9.22.2.1 Using a command-line interface

The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to restore only one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

9.22.3 Discussion

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Chapter 10 Schema

Introduction

Recipe 10.1 Registering the Active Directory Schema MMC Snap-in

Recipe 10.2 Enabling Schema Updates

Recipe 10.3 Generating an OID to Use for a New Class or Attribute

Recipe 10.4 Generating a GUID to Use for a New Class or Attribute

Recipe 10.5 Extending the Schema

Recipe 10.6 Documenting Schema Extensions

Recipe 10.7 Adding a New Attribute

Recipe 10.8 Viewing an Attribute

Recipe 10.9 Adding a New Class

Recipe 10.10 Viewing a Class

Recipe 10.11 Indexing an Attribute

Recipe 10.12 Modifying the Attributes That Are Copied When Duplicating a User

Recipe 10.13 Modifying the Attributes Included with Ambiguous Name Resolution

Recipe 10.14 Adding or Removing an Attribute in the Global Catalog

Recipe 10.15 Finding the Nonreplicated and Constructed Attributes

Recipe 10.16 Finding the Linked Attributes

Recipe 10.17 Finding the Structural, Auxiliary, Abstract, and 88 Classes

Recipe 10.18 Finding the Mandatory and Optional Attributes of a Class

Recipe 10.19 Modifying the Default Security of a Class

Recipe 10.20 Deactivating Classes and Attributes


Recipe 10.21 Redefining Classes and Attributes

Recipe 10.22 Reloading the Schema Cache

Introduction

The Active Directory schema contains the blueprint for how objects are structured and secured, what data they can contain, and even how they can be viewed. Having a thorough understanding of the schema is paramount for any Active Directory administrator. Understanding key concepts, such as class inheritance, class types, attribute syntax, and attribute indexing options, is critical to being able to adequately design an Active Directory infrastructure and should be considered mandatory for any developer that is writing applications or automation scripts that utilize Active Directory.

If you are one of the lucky few who is designated as a schema administrator (i.e., a member of the Schema Admins group), then the importance of the schema is already well known to you. This chapter serves as a guide to accomplishing many of the day-to-day tasks you will need to do as a schema administrator. If you feel you need more nuts-and-bolts information on how the schema works, I suggest reading Chapter 4 of Active Directory, Second Edition (O'Reilly).

The Anatomy of Schema Objects

An interesting feature of Active Directory that is not common among other LDAP implementations is that the schema is stored within Active Directory as a set of objects. This means that you can use similar interfaces and programs to manage the schema as you would any other type of object.

All schema objects are stored in the Schema container (e.g., cn=schema,cn=configuration,<ForestRootDN>). The schema is comprised of two classes of objects, classSchema and attributeSchema. Unsurprisingly, the classSchema objects define classes and attributeSchema objects define attributes. The Schema container contains a third type of object called subSchema, also known as the abstract schema, which is defined in the LDAP v3 specification (RFC 2251). There is only a single subSchema object in the Schema container, named cn=Aggregate, and it contains a summary of the entire schema.

Table 10-1 and Table 10-2 contain useful attributes of classSchema objects and attributeSchema objects, respectively.

Table 10-1. Attributes of classSchema objects

Attribute                  Description
adminDescription           Description of the class.
auxiliaryClass             Multivalued attribute containing any auxiliary classes defined
                           for the class.
defaultHidingValue         Boolean that determines whether objects of this class are hidden
                           by default in administrative GUIs.
defaultSecurityDescriptor  Default security descriptor applied to objects of this class.
governsID                  Object identifier (OID) for the class.
isDefunct                  Boolean that indicates whether the class is defunct (i.e.,
                           deactivated).
lDAPDisplayName            Name used when referencing the class in searches or when
                           instantiating or modifying objects of this class.
mayContain                 Multivalued attribute that contains a list of attributes that can
                           be optionally set on the class.
mustContain                Multivalued attribute that contains a list of attributes that must
                           be set on the class.
objectClassCategory        Integer representing the class's type. Can be one of 1
                           (structural), 2 (abstract), 3 (auxiliary), or 0 (88).
possibleInferiors          Multivalued list of other object classes this object can contain.
possSuperiors              Multivalued list of object classes this object can be subordinate
                           to.
rDNAttID                   Naming attribute (i.e., RDN) of instances of the class.
schemaIDGUID               GUID of the class.
showInAdvancedViewOnly     Boolean that indicates whether instances of this class should
                           only be shown in Advanced mode in the administrative GUIs.
systemAuxiliaryClass       Multivalued attribute containing any auxiliary classes defined
                           for the class. This can only be modified internally by Active
                           Directory.
systemFlags                Integer representing additional properties of the class.
systemMayContain           Multivalued attribute that contains a list of attributes that can
                           be optionally set on the class. This can only be modified
                           internally by Active Directory.
systemMustContain          Multivalued attribute that contains a list of attributes that must
                           be set on the class. This can only be modified internally by
                           Active Directory.
systemPossSuperiors        Multivalued list of object classes this object can be subordinate
                           to. This can only be modified internally by Active Directory.

Table 10-2. Attributes of attributeSchema objects

Attribute                      Description
adminDescription               Description of the attribute.
attributeID                    OID for the attribute.
attributeSecurityGUID          GUID to be used to apply security credentials to a set of
                               objects.
attributeSyntax                OID representing the syntax of the attribute. This is used in
                               conjunction with oMSyntax to define a unique syntax.
isDefunct                      Boolean that indicates if the attribute is defunct (i.e.,
                               deactivated).
isMemberOfPartialAttributeSet  Boolean that indicates if the attribute is a member of the
                               partial attribute set (i.e., the global catalog).
isSingleValued                 Boolean that indicates whether the attribute is single valued
                               or multivalued.
linkID                         If this is populated, it will contain an integer that represents
                               a link (either forward or backward) to another attribute.
lDAPDisplayName                Name used when referencing the attribute in searches or when
                               populating it on objects. Note that this value may not be the
                               same as cn.
oMSyntax                       An integer representing the OM type of the attribute. This is
                               used in conjunction with attributeSyntax to determine a unique
                               syntax for the attribute.
schemaIDGUID                   GUID of the attribute.
searchFlags                    Integer representing special properties related to searching
                               with the attribute. This includes how the attribute is

Posted: 05/07/2014, 08:20
