Group Policy Management for Windows 2000 LAN


In the Windows 2000 operating system, Group Policy is used to define the configuration of users and computers for groups of users and computers. Through the Microsoft Management Console (MMC), an administrator can create customized configurations for specific groups of users and computers. The Group Policy configuration is contained in a Group Policy Object (GPO), which in turn is linked to a selected Active Directory service container such as a site, domain, or organizational unit (OU). There are two types of Group Policy objects: non-local and local.

Non-local Group Policy objects are stored on domain controllers and can only be used in an Active Directory environment. They apply to the users and computers in the site, domain, or organizational unit to which the Group Policy object is linked.

Local Group Policy objects are stored on each local computer. A single computer holds only one local Group Policy object, and it offers a subset of the settings available in non-local Group Policy objects. If the settings of the two conflict, the settings of the non-local Group Policy object override those of the local Group Policy object. If there is no conflict, both sets of settings are applied.

Using Group Policy, the user's working environment is defined only once; the administrator-defined policy is then enforced on users and computers.

I. Group Policy Security Overview

Group Policy includes a number of security profiles that apply to a domain or group of computers. A Group Policy object can be applied to all computers in the LAN. Group Policy is applied when a computer starts, and it is also refreshed periodically, so changes take effect even if the computer is not restarted.

1. How Group Policy Works

Group Policy is linked to domains and containers (shown as folders) in the Active Directory Users and Computers MMC snap-in. The settings granted by Group Policy are applied to the computers stored in that container. Group Policy can also be applied to sites using the Active Directory Sites and Services snap-in. Child containers inherit Group Policy from the parent container, and child containers may in turn have their own Group Policy objects. More than one Group Policy object may be linked to a container. Group Policy complements security groups by applying a single security profile to multiple computers, which improves consistency and simplifies management. Group Policy objects contain permissions and parameters that implement multiple types of security policy. In summary, Group Policy is passed down from the parent site to child sites and the local area network: if a Group Policy object is linked to a higher-level parent site, it is applied to all sites below that parent, including the user and computer objects in each container.

2. Group Policy Security Settings

The containers under the Security Settings node of a Group Policy object include: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, File System, Public Key Policies, IP Security Policies on Active Directory, and so on. Some policies apply only at domain scope, that is, the policy settings are made for the domain as a whole. For example, an account policy is applied to all user accounts in the domain; different account policies cannot be defined for different organizational units within the same domain. As for the scope of the security policies, both the account policy and the public key policy have domain scope. All other policies can be set at the organizational unit level.

3. Security Templates

Windows 2000 provides a set of security templates for configuring network environments. A security template is a profile of security settings for a Windows 2000 domain controller, server, or client computer that is appropriate for a particular security level. For example, the hisecdc template includes settings suitable for high-security domain controllers. You can import a security template into a Group Policy object and apply it to a class of computers, or import it into a local security database to analyze and configure the security policy of the local computer.

II. Implementing Group Policy Security Management

Security management in a Windows 2000 LAN is carried out on both the server and the workstations. First, the Active Directory service is installed on the server and Group Policy is implemented on the domain; second, the workstations are joined to the domain managed by that server.

1. Install the Active Directory Service

In "Programs → Administrative Tools → Configure Server", select "Active Directory" on the left to start the Active Directory Installation Wizard. The key step in the setup process is to make this server the first domain in a new domain tree. For the DNS domain name, enter the domain name provided by your ISP; if the network is not connected to the Internet, any name can be used.

2. Open the Group Policy Console

Start "Active Directory Users and Computers", right-click the root of the object container tree, and then click "Properties". In the window that opens, click the Group Policy tab to open the Group Policy console.

3. Set Group Policy

Windows 2000 Group Policy has more than 100 security-related settings and more than 450 registry-based settings, providing many options for managing user and computer environments. Once an option is set, it is applied to all users and workstations that log on to the domain. The following steps for setting up common policies serve as a reference for policy settings.

a. Enable "Do not display last user name in logon screen"

This option protects user accounts and helps prevent account theft, since an attacker at the logon screen is not shown a valid user name. The option is located under "Computer Configuration → Security Settings → Local Policies → Security Options". Double-click the option and select "Enabled". The next time a user logs on to the domain, the policy is applied to the workstation that user operates.
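The security templates described above are plain INF files that secedit and the Security Configuration and Analysis snap-in consume. As an added example that is not part of the original article, the following Python script parses such templates, checks whether the "Do not display last user name" option from step a is enforced, and merges a local and a domain template the way the overview describes (domain settings override local ones on conflict, everything else applies from both). The two sample templates are constructed for this example; the registry paths are the ones Windows 2000 templates use for these options.

```python
"""Audit Windows 2000-style security templates (.inf) and model GPO precedence."""
import configparser

# Constructed samples in the INF format secedit consumes. In [Registry Values]
# each entry is "path=type,data"; type 4 is REG_DWORD. Real templates such as
# hisecdc.inf live in %SystemRoot%\Security\Templates.
DOMAIN_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DontDisplayLastUserName=4,1
"""

LOCAL_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 6
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DontDisplayLastUserName=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
"""

# Registry path behind "Do not display last user name in logon screen".
DONT_DISPLAY_LAST_USER = ("MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                          "\\Winlogon\\DontDisplayLastUserName")

def parse_template(text):
    """Parse an INF security template into {section: {key: value}}."""
    # Real templates carry signature="$CHICAGO$"; disable interpolation so it stays literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep registry paths as written instead of lower-casing
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_policy(local, domain):
    """Non-local (domain) settings win on conflict; non-conflicting settings both apply."""
    return {s: {**local.get(s, {}), **domain.get(s, {})} for s in set(local) | set(domain)}

def last_user_name_hidden(policy):
    """True when the logon screen is configured not to show the last user name."""
    raw = policy.get("Registry Values", {}).get(DONT_DISPLAY_LAST_USER)
    if raw is None:
        return False
    reg_type, _, data = raw.partition(",")
    return reg_type.strip() == "4" and data.strip() == "1"

if __name__ == "__main__":
    merged = effective_policy(parse_template(LOCAL_TEMPLATE), parse_template(DOMAIN_TEMPLATE))
    print("last user name hidden:", last_user_name_hidden(merged))
```

To audit a real template, pass the contents of a file such as hisecdc.inf to parse_template instead of the constructed samples.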

b. Enable "Active Desktop Wallpaper"

With this option, all computers on the LAN that log on to the domain use the same desktop wallpaper, and users cannot change it. Setting this policy therefore prevents temporary users from replacing the desktop wallpaper at will, so that the workstations in the local area network present the same interface. The option is located under "User Configuration → Administrative Templates → Desktop → Active Desktop".

Applying Windows 2000 account security, Group Policy security, folder permissions, and the other security attributes together protects each workstation in the LAN. At the same time, using these security attributes to protect the system files also helps prevent damage from viruses.
