Windows Vista MCSE SecurityMessaging MVPMCT Group Policy Client

Windows Vista 群組原則新增功能謝合宜微軟特約技術顧問 MCSE : Security/Messaging MVP/MCT

Group Policy Client Service • 可靠性 –Windows Vista的基本目標 – 在以前: Group Policy 的處理由 Winlogon

Windows Vista: 多重 LGPOs • LGPO 與 AD GPO 套用順序與優先權沒有變動 (AD GPOs 依然有較高套用權) •

Enabling Userenv logging in Windows 2000, Windows Server™ 2003, and Windows XP • Add

Windows Vista: 群組原則紀錄的改善(II) • Admin events – Actionable set of events in “系統”紀錄的相關部分 (source

Windows Vista 共存使用情形 (ADMX/ADM 並存) • Windows Vista 未包含任何的 ADM 檔 (ADMX 檔已涵蓋原來的 ADM

ADMX vs. ADM Behavior ADMX (Windows Vista and later) ADM (Windows 2000, Windows Server

群組原則設定的組合 • 目前有1, 800+ 原則設定，Windows Vista將超過 2, 400 – 作業系統功能的大量支援 – 群組原則是Windows平台管理的基礎 Some examples:

卸除式存放裝置原則設定 Removable storage device Policy Settings • 可依“電腦”或“使用者”來分別設定原則控管，管理可依“read”或“write”來處理 • 卸除式存放裝置分類 – – –

使用者帳戶控制原則設定 User Account Control Policy setting • 以電腦來設定： Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options

更多安全相關原則設定 Windows Defender Wireless and Wired Configuration Network Access Protection Public Key Policy Configuration

Windows Long. Horn Server Comments and Templates • Comments – Enabled per-GPO and per-setting

Windows Long. Horn Server Search/Filters • Filter/Search By: – Text search of setting title,

For More Information… • Tech. Net – www. microsoft. com/taiwan/technet • Windows Vista –

Resources • What’s new in GP in Windows Vista – http: //www. microsoft. com/technet/windowsvista/library/

Slides: 41

Download presentation

Windows Vista 群組原則新增功能謝合宜微軟特約技術顧問 MCSE : Security/Messaging MVP/MCT

Group Policy Client Service • 可靠性 –Windows Vista的基本目標 – 在以前: Group Policy 的處理由 Winlogon 程序負責 – 現在：Group Policy 由獨立的服務來處理 • Group Policy Client • Application Management • 服務已經更加強固 – 本機管理員需要提升權限才能停止服務 – 服務重新啟動機制提供意外錯誤時的回復功能 – 與第三方Client Side Extensions (CSEs)隔絕 • 請參考 MSDN: IGPMClient. Side. Extension

Windows Vista: 多重 LGPOs • LGPO 與 AD GPO 套用順序與優先權沒有變動 (AD GPOs 依然有較高套用權) • LGPOs 可以建立在： – The machine – NEW: Admin or non-Admin local groups – NEW: Individual local users • 套用順序依舊！(machine LGPO 先處理……) – 個別使用者的 GPO “wins” • 單一使用者依然會套用相關群組的LGPO (Admins or the Non-Admins, not both) • 新的原則設定: 排除(Exclude)使用所有的 LGPOs

Multiple Local GPOs

Enabling Userenv logging in Windows 2000, Windows Server™ 2003, and Windows XP • Add or modify existing registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrent. VersionWinlogon Value: User. Env. Debug. Level Value Type: REG_DWORD Value Data: 10002 (hexadecimal) File is written to: %System. Root%DebugUser. ModeUserenv. log • KB 835302 – http: //support. microsoft. com/kb/835302/en-us

Windows Vista: 群組原則紀錄的改善(II) • Admin events – Actionable set of events in “系統”紀錄的相關部分 (source = ‘Group Policy Service’ not ‘Userenv’) – 可連結 Microsoft Web site 來取得更多相關資訊 • Operational events – Step-by-step 原則處理事件，位於”Group Policy” 應用程式紀錄 – 用來取代 Userenv. log – 單一原則更新處理過程會記錄到單一事件 ID 來群組所有事件 – 提供有用的資訊，如Username, GPO 清單, 原則套用的參數(total time, individual extension processing time, etc. )

Windows Vista 共存使用情形 (ADMX/ADM 並存) • Windows Vista 未包含任何的 ADM 檔 (ADMX 檔已涵蓋原來的 ADM 檔) • ADMX and ADM files 可以同時共存使用 – 用“新增/移除範本”來新增 ADM 檔(非 ADMX 檔). • Note: No plan to ship ADM to ADMX conversion tool

ADMX vs. ADM Behavior ADMX (Windows Vista and later) ADM (Windows 2000, Windows Server 2003 and Windows XP) 管理 Windows 2000, Windows Server 2003, Windows XP √ √ 管理 Windows Vista, Windows Server “Longhorn” √ X 多國語系支援 √ (配合ADML檔案) X 結合自訂 ADM 檔 √ √ 預設檔案位置本機 ADMX ADM 複製到 GPO 使用集中存放 √ X 避免GPO檔案的重覆(Sysvol膨脹) √ X 新增/移除範本 ADM Only 檔案的比較版本序號時間戳記

群組原則設定的組合 • 目前有1, 800+ 原則設定，Windows Vista將超過 2, 400 – 作業系統功能的大量支援 – 群組原則是Windows平台管理的基礎 Some examples: Removable Storage Devices IPSec / Windows Firewall Windows Defender Network Access Protection User Account Control Wired and Wireless Policy Power Management Internet Explorer Desktop Shell Printer Management Troubleshooting & Diagnostics Tablet PC Windows Error Reporting Globalization Remote Assistance

卸除式存放裝置原則設定 Removable storage device Policy Settings • 可依“電腦”或“使用者”來分別設定原則控管，管理可依“read”或“write”來處理 • 卸除式存放裝置分類 – – – CD/DVD Tapes USB plug-in devices Windows Portable Devices (WPD) All other external removable storage devices

使用者帳戶控制原則設定 User Account Control Policy setting • 以電腦來設定： Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options • 使用者帳戶控制原則設定式控制 “UAC”的使用行為

更多安全相關原則設定 Windows Defender Wireless and Wired Configuration Network Access Protection Public Key Policy Configuration Integrated IE 7. 0 Policy Settings Version 7. 0 Device Installation control

New Policy Settings

Windows Long. Horn Server Comments and Templates • Comments – Enabled per-GPO and per-setting – Free-form text - helpful for simple annotation of administrative intent • Templates – Contain recommended policy settings and values – Supports the encapsulation of best practices / scenarios – Will ship some initial scenario-based templates but anyone can create and share custom templates – GPMC provides “template management” support

Windows Long. Horn Server Search/Filters • Filter/Search By: – Text search of setting title, explain text and comments – Platform and application “supported” tag – Managed (“true policy setting”) – Configured (Enabled/Disabled) – Commented • Results of search is a filtered GPedit view

For More Information… • Tech. Net – www. microsoft. com/taiwan/technet • Windows Vista – www. microsoft. com/taiwan/windowsvista • Windows Vista: Resources for IT Professional – www. microsoft. com/technet/windowsvista/default. ms px • MVP Community社群網站 – www. microsoft. com/taiwan/community

Resources • What’s new in GP in Windows Vista – http: //www. microsoft. com/technet/windowsvista/library/ a 8366 c 42 -6373 -48 cd-9 d 11 -2510580 e 4817. mspx • New categories of Policy settings – http: //www. microsoft. com/technet/windowsvista/library/ 2 b 8 dc 2 fd-eafe-4 c 74 -914 c-ec 101133 feb 4. mspx • Managing the new ADMX files: A step by step guide – http: //www. microsoft. com/technet/windowsvista/library/ 02633470 -396 c-4 e 34 -971 a-0 c 5 b 090 dc 4 fd. mspx