4. Group Policy
One of the most powerful administration tools in AD DS is Group Policy. Group Policy
enables you to deploy combinations of configuration settings (many of which are
ultimately registry values, written under the Policies keys so that they take
precedence over the user's or computer's own settings) to large numbers of users
or computers on an AD DS network at once.
To use Group Policy, you create a Group Policy object (GPO),
which is a collection of computer and/or user configuration settings
packaged as a single unit. You then link the GPO to a domain, OU, or
site object in AD DS. Once you do this, every user and computer object in
the domain, OU, or site to which you linked the GPO receives the
configuration settings in it: the computer settings are applied when the
computer starts and refreshed periodically thereafter, and the user
settings are applied to whichever user logs on.
Note
You can link GPOs only to domain, OU, or site objects. You cannot
link them to individual leaf objects, including groups (strangely
enough); to scope a GPO by group membership you instead use security
filtering, which grants or withholds the Apply Group Policy permission
on the GPO itself. Nor can you link them to the predefined objects that
use the container object type, such as the Computers and Users containers.
For example, you can use the Windows Update client on an individual
computer to configure the system to download and install new operating
system updates as they become available. Windows SBS 2011 includes
Windows Server Update Services (WSUS), however, which enables your
server to supply updates to the client workstations on the network.
Rather than make you configure each individual workstation to download
updates from the WSUS server, the Windows SBS 2011 setup program
creates a GPO called Update Services Client Computers Policy, which
contains Windows Update configuration settings, and links it to your
domain, as shown in Figure 3. As a result, all the computers in the
domain receive these settings and configure themselves to use WSUS for
their updates.
Because the Update Services Client Computers Policy GPO is linked to
your domain object, all the computers on your network receive its
settings. One of the main reasons for creating OUs, however, is to
segregate objects that you want to receive different settings. For
example, Windows SBS creates separate SBSComputers and SBSServers OUs
in your domain so that it can assign different GPOs to the workstations
and to the servers.
Windows SBS 2011 includes a number of GPOs with different functions,
which it links to appropriate objects in the default AD DS hierarchy.
This is an excellent example of good Group Policy organization. GPOs
have hundreds of possible settings, and keeping track of which ones you
have deployed to which locations can be difficult. Although you can
conceivably create a single GPO that contains all the settings you want
to deploy to certain users and computers, it is much easier to manage,
audit, and troubleshoot multiple GPOs, each created for a specific
purpose and named for what it does.
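As an added example (not code from the book and not what the Windows SBS 2011 setup program runs), the following PowerShell script uses the GroupPolicy module that ships with the Group Policy Management Console on Windows Server 2008 R2 to build a WSUS-style GPO by hand: it writes the Windows Update policy values, links the GPO to an OU, and then narrows the scope with security filtering, which is the mechanism the Note above points to when it says GPOs cannot be linked to groups. The domain name, OU path, WSUS URL, GPO name, and pilot group are all assumptions.

```powershell
# Added example: create, populate, link and security-filter a GPO.
# All names below are assumptions for the lab, not values from Windows SBS 2011.
Import-Module GroupPolicy

$ouDN    = 'OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=example,DC=local'  # assumed
$wsusUrl = 'http://sbs-server.example.local:8530'                             # assumed WSUS URL
$gpoName = 'Lab WSUS Client Policy'                                           # assumed GPO name
$group   = 'WSUS Pilot Computers'                                             # assumed security group

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Points clients at the internal WSUS server'
}

# Administrative Template settings are registry values under HKLM\Software\Policies.
# These are the documented Windows Update policy values.
$wu = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $gpoName -Key $wu      -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wu      -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'NoAutoUpdate'   -Type DWord  -Value 0        | Out-Null

# Link the GPO to the OU. A GPO cannot be linked to a group or to the
# Computers container, only to a site, domain or OU.
$alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# Security filtering: membership of $group decides who applies the GPO.
# Authenticated Users keeps Read (computers must still be able to read the
# GPO to evaluate it) but loses Apply; the pilot group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: what the GPO contains, and who may apply it.
Get-GPRegistryValue -Name $gpoName -Key $wu | Format-Table ValueName, Type, Value -AutoSize
Get-GPPermission   -Name $gpoName -All     | Format-Table Trustee, Permission -AutoSize
```

Run this on the server (or on a workstation with the Group Policy Management tools installed) as a user who can create GPOs. Scoping by security filtering rather than by creating yet another OU keeps the OU design tied to administrative delegation, which is what OUs are for; the trade-off is that a filtered GPO's effective scope is no longer visible from the OU tree alone, so record it in the GPO comment.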
5. Hierarchy and Inheritance
The use of terms such as tree and leaf
in AD DS terminology should give some idea of the directory service's
hierarchical architecture. AD DS is based on domains, which you can
group into trees and forests, but within each domain, you can build a
tree-like structure using OUs. Just as in a file system, influence in a
domain flows downward through the container objects to the individual
leaf objects. When you link a GPO to a domain object, the settings in
that GPO flow down to all the OUs in the domain and all the leaf
objects in the OUs. In the same way, linking a GPO to an OU causes all
the leaf objects inside to receive the settings, even objects within
subordinate OUs. Settings from every level accumulate, and where two
GPOs set the same value the one linked closer to the object (the OU
rather than the domain, the child OU rather than the parent) wins,
unless the higher link is marked Enforced or a lower container blocks
inheritance.
You can see one example of how the design of the AD hierarchy
is useful to administrators in the default Windows SBS 2011 domain. As
mentioned earlier, there is a Computers OU in your domain’s MyBusiness
OU, and in the Computers OU, there are two more OUs: SBSComputers and
SBSServers. Why use three OU levels, though, when you could simply
create the SBSComputers and SBSServers OUs directly beneath the
MyBusiness OU?
One reason is that adding the level containing the Computers OU
enables you to apply Group Policy settings in three different ways. By
linking a GPO to the SBSComputers OU or the SBSServers OU, you can
apply settings to all the client computers or to all the servers in the
domain. By linking a GPO to the Computers OU, however, you can apply
settings to all the computer objects in the domain, clients and servers
alike, at once.
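As an added example that is not part of the book, the script below walks the MyBusiness > Computers > SBSComputers chain described above with the GroupPolicy module and reports what each OU actually inherits. It then links a GPO at the Computers level, blocks inheritance on the child OU, and enforces the link, so the three behaviours the text describes (flow-down, blocking, enforcement) can be observed rather than assumed. The domain name and the GPO name are assumptions; everything else follows the default SBS OU layout.

```powershell
# Added example: observe GPO inheritance along an OU chain.
# Domain and GPO name are assumptions; the OU layout is the SBS default.
Import-Module GroupPolicy

$base        = 'OU=MyBusiness,DC=example,DC=local'      # assumed domain
$computersOU = "OU=Computers,$base"
$clientsOU   = "OU=SBSComputers,$computersOU"
$gpoName     = 'Lab All Computers Policy'               # assumed GPO name

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Print the effective GPO set for an OU: links at that level plus everything
# that flows down from the domain and parent OUs, highest precedence first.
function Show-GpoScope {
    param([string]$OU)
    $inh = Get-GPInheritance -Target $OU
    '{0}  (inheritance blocked: {1})' -f $OU, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.InheritedGpoLinks) {
        '  {0,-40} linked at {1}  enforced={2}' -f $link.DisplayName, $link.Target, $link.Enforced
    }
    ''
}

'--- baseline ---'
Show-GpoScope $clientsOU

# 1. A GPO linked at the Computers OU reaches SBSComputers and SBSServers alike.
New-GPLink -Name $gpoName -Target $computersOU | Out-Null
'--- after linking at the Computers OU ---'
Show-GpoScope $clientsOU

# 2. Blocking inheritance on the child OU drops every non-enforced link above it,
#    including the domain-level SBS policies, which is why blocking is rarely wise.
Set-GPInheritance -Target $clientsOU -IsBlocked Yes | Out-Null
'--- after blocking inheritance on SBSComputers ---'
Show-GpoScope $clientsOU

# 3. An enforced link punches through the block and also wins any conflict with
#    GPOs linked lower down, so it is the tool for a non-negotiable baseline.
Set-GPLink -Name $gpoName -Target $computersOU -Enforced Yes | Out-Null
'--- after enforcing the Computers OU link ---'
Show-GpoScope $clientsOU

# Undo the demonstration so the lab is left as it was found.
Set-GPInheritance -Target $clientsOU -IsBlocked No | Out-Null
Remove-GPLink -Name $gpoName -Target $computersOU | Out-Null
```

Run it on the SBS server as a domain administrator; it changes live links briefly, so use a test domain or read through the output of the first Show-GpoScope call only. The same InheritedGpoLinks view is what the Group Policy Management Console shows on an OU's Group Policy Inheritance tab.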
The downward flow of influence in an AD DS domain is not limited to
Group Policy settings. AD DS has a system of permissions that defines
who can access particular objects and what they can do with the objects
they access. The AD DS permissions system is completely independent of
the other permission systems in Windows Server 2008 R2, such as NTFS
and registry permissions, but it works in very much the same way. If
you assign permissions to a container object, such as a domain or an
OU, every object in that container inherits those permissions,
including other container objects, unless inheritance has been
explicitly disabled on a particular object beneath it.
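As an added example (not from the book), this script uses the ActiveDirectory module and its AD: drive on Windows Server 2008 R2 to delegate a right on the Computers OU and then shows the same access control entry reappearing on the child SBSComputers OU, flagged as inherited. It also checks the one condition under which the flow-down stops: an object whose ACL has inheritance protection turned on. The domain name and the Helpdesk group are assumptions; the object class GUID for computer objects is the standard schema value.

```powershell
# Added example: delegate on a parent OU and confirm ACE inheritance on a child.
# Domain and group names are assumptions.
Import-Module ActiveDirectory

$parentOU = 'OU=Computers,OU=MyBusiness,DC=example,DC=local'   # assumed domain
$childOU  = "OU=SBSComputers,$parentOU"
$group    = 'Helpdesk'                                          # assumed group

# schemaIDGUID of the 'computer' object class: limits the right to computer objects.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Build an ACE: $group may create and delete computer objects, and the ACE is
# inheritable by the OU itself and everything beneath it (InheritanceType All).
$sid  = (Get-ADGroup -Identity $group).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$parentOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$parentOU" -AclObject $acl

# List the ACEs for $group on an object, showing whether each is explicit or inherited.
function Get-GroupAces {
    param([string]$DN)
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object { $_.IdentityReference -like "*\$group" } |
        Select-Object @{n='Object'; e={ $DN }}, ActiveDirectoryRights, IsInherited, InheritanceType
}

Get-GroupAces $parentOU   # IsInherited = False: the ACE we just wrote
Get-GroupAces $childOU    # IsInherited = True : the same ACE, flowed down

# Inheritance stops at any object that protects its ACL ("Include inheritable
# permissions" cleared). Protected accounts are also rewritten by AdminSDHolder,
# so verify the effective ACL on the child rather than trusting the parent.
'SBSComputers ACL protected from inheritance: ' +
    (Get-Acl -Path "AD:\$childOU").AreAccessRulesProtected
```

Run as a domain administrator; the AD: drive appears only after the ActiveDirectory module is loaded. Delegating on the parent Computers OU is exactly the reason the three-level layout discussed above is useful: one ACE covers SBSComputers and SBSServers together, and a right that should apply to workstations only goes on SBSComputers instead.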
The Windows SBS Console enables you to perform many of the most
common AD DS maintenance tasks, although it generally does not identify
them as such. Windows SBS 2011 tries to insulate administrators from
the complexities of AD DS, but when you create or manage a user or a
group in the Windows SBS Console, you are actually creating an AD DS
object and modifying its attributes.
Although you might want to stick to the Windows SBS Console when
performing administrative tasks at first, you should also be aware of
the AD DS tools included with the Windows Server 2008 R2 operating
system. These tools provide more comprehensive access to AD DS and,
once the Remote Server Administration Tools are installed, enable you
to work with AD DS objects from any Windows computer on the network
rather than only at the server.
6.1 Using Active Directory Users and Computers
The Active
Directory Users And Computers Console is the most commonly used AD DS
management tool. Like most Windows Server 2008 R2 tools, it is a
snap-in for the Microsoft Management Console (MMC) utility. Unlike
Windows SBS Console, which displays only certain AD DS objects, Active
Directory Users And Computers is based on a tree display of your entire
domain, as shown in Figure 4.
In the Active Directory Users And Computers Console, the left pane
(also called the Scope pane) displays your domain and all the container
and OU objects beneath it, using an expandable tree arrangement, just
like the file system in Windows Explorer. Selecting a container or OU in
the Scope pane displays all the objects it contains in the right pane
(also called the Detail pane). Double-clicking a leaf object, such as a
user, computer, or group, opens the Properties sheet for the object, as
shown in Figure 5.
As you can see in Figure 5, a user object's Properties sheet in the Active
Directory Users And Computers Console contains much more information
than its Windows SBS Console equivalent, and enables you to modify many
more of the object's attributes. This is not the full extent of the
console's capabilities, though. To see even more information about your
AD DS domain, you can select Advanced Features from the View menu to
display the containers the console normally hides, as shown in Figure 6.
Few administrators require access to these advanced features on a
regular basis, but it is good to know that they are available.
The Advanced Features mode also displays additional attributes for
each object. The Properties sheet for a user object, for example, has
five additional tabs, as shown in Figure 7.
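As an added example that is not part of the book, the following PowerShell uses the ActiveDirectory module to show what Advanced Features is really doing: the containers it reveals are ordinary objects whose showInAdvancedViewOnly attribute is set, and the extra tabs expose attributes that the directory always held. The second half pulls the attributes a security reviewer most wants from a user object, several of which the basic Properties sheet never shows. The user name is an assumption.

```powershell
# Added example: the objects and attributes behind the Advanced Features view.
# The sAMAccountName below is an assumption.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$user     = 'jdoe'   # assumed account

# Containers hidden by default: System, LostAndFound, Program Data and so on.
# The console filters on this attribute; the objects themselves are always present.
Get-ADObject -LDAPFilter '(showInAdvancedViewOnly=TRUE)' `
             -SearchBase $domainDN -SearchScope OneLevel |
    Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# The Attribute Editor tab shows every populated attribute. Same view, from the shell:
Get-ADUser -Identity $user -Properties * | Format-List *

# Attributes worth a security review that the basic tabs do not surface.
function Get-UserSecurityAttributes {
    param([string]$Identity)
    Get-ADUser -Identity $Identity -Properties 'adminCount', 'servicePrincipalName',
        'userAccountControl', 'msDS-AllowedToDelegateTo', 'lastLogonTimestamp', 'pwdLastSet' |
    Select-Object Name,
        adminCount,                     # 1 = ACL managed by AdminSDHolder (protected account)
        servicePrincipalName,           # SPNs make the account a Kerberoasting target
        userAccountControl,             # flags: disabled, no preauth, password never expires, ...
        'msDS-AllowedToDelegateTo',     # constrained delegation targets
        @{ n = 'LastLogon';  e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } },
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

Get-UserSecurityAttributes -Identity $user | Format-List
```

lastLogonTimestamp is replicated only every 9 to 14 days by design, so treat its value as approximate; userAccountControl is a bit field, and decoding it (for example 0x400000 for "do not require Kerberos preauthentication") is the kind of detail the Attribute Editor tab leaves to you.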