Windows 2008 R2 AD Group Policy - Unified Domain User Desktop Background Detailed Graphic Tutorial


First, some Group Policy background:

1. Group Policy consists of two parts:

1 Computer Configuration: Settings for the computer; they take effect only on computers. They are applied when the computer starts, before the logon screen appears.

2 User Configuration: Settings for users; they take effect only on user accounts. They are applied after the user logs on.

2. Group policies are divided into three categories according to the scope of application:

1 Group Policy for Domains: Settings take effect for the entire domain. In "AD Users and Computers", right-click the domain name -> Properties -> Group Policy.

2 Group Policy for OUs: Settings take effect for that OU. In "AD Users and Computers", right-click the OU name -> Properties -> Group Policy.

3 Group Policy for Sites: Settings take effect for that site. In "AD Sites and Services", right-click the site name -> Properties -> Group Policy.

Note: Typing gpedit.msc in "Run" starts the local Group Policy editor, but what we want is domain Group Policy, so you must open it by right-clicking in "AD Users and Computers".

3. Group Policy execution order:

1 Site->Domain->Organizational Unit (OU)

2 Computer Configuration->User Configuration

4. Conflicts in Group Policy:

1 A Group Policy conflict occurs when the same item is set to opposing values in different group policies. For example, the site's group policy sets "Hide the Network Neighborhood icon on the desktop" to "Enable", while the domain's group policy sets it to "Disable". Another example: the domain's group policy sets "password length" to "7", while the OU's group policy sets it to "6".

2 Result of a conflict: the setting from the policy executed later wins.

5. Settings in Group Policy:

1 Software Installation: Installs application software automatically. Available in both Computer Configuration and User Configuration. Preparation: the software's source installation files, which must include the installer file with the .msi suffix. Place the source installation files in a shared folder (network path).

A, Published: The user decides whether to install. If a package is published, then after the user logs on the system lists the published packages under Add/Remove Programs -> Add New Programs. Not available in Computer Configuration.

B, Assigned: Mandatory; the software is installed automatically.

2 Windows Settings:

A, Computer Configuration: Scripts (Startup and Shutdown), Security Settings.

B, User Configuration: IE Maintenance, Scripts (Logon and Logoff), Security Settings (key), Remote Installation Services (installing WIN2000 PRO for clients), Folder Redirection (redirecting some important user folders to a file server).

3 Administrative Templates:

A, Computer Configuration: Windows Components, System, Network, Printers.

B, User Configuration: Windows Components, System, Network, Taskbar and Start Menu, Desktop, Control Panel.

6. Operations on the "Group Policy" tab:

1 New: Create a new group policy.

2 Delete: Delete the Group Policy object.

A Non-permanent deletion: "Remove the link from the list". The group policy is only removed from the list; it can still be found in the system and added back or added to other containers.

B Permanent deletion: "Remove the link and delete the Group Policy Object permanently". The group policy is deleted completely and can no longer be found in the system.

3 Edit: Edit the settings for the specified group policy.

4 Add: Apply the existing Group Policy in the system to the specified container (domain, OU, site).

5 Options:

A No Override: Prevents group policies executed later from changing the items set in this group policy. For example, the domain's group policy sets "password length" to "7" and the OU's group policy sets it to "6", and "No Override" is set on the domain's group policy. The end result is a "password length" of "7".

B Disabled: The specified group policy is not applied on the container.

6 Properties:

A Disable Computer Configuration settings: The Computer Configuration of the specified group policy does not take effect on the container.

B Disable User Configuration settings: The User Configuration of the specified group policy does not take effect on the container.

C "Security" tab: Sets the access control permissions for the specified group policy.

7 If a single container has multiple group policies, they are executed starting from the top of the group policy list and working down.

A "Up"/"Down" buttons: Change the position of a group policy in the container's list, and with it the order in which the group policies on that container are executed.

8 "Block Policy inheritance" option: Policies inherited from a higher-level site, domain, or organizational unit can be rejected at the site, domain, or organizational unit level. Higher-level group policies are then prevented from executing on this container.

A If "No Override" is enabled on a Group Policy object, "Block Policy inheritance" does not block that object.

B "Block Policy inheritance" can only be set on sites, domains, and organizational units, not on a single Group Policy object.
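
The precedence rules described above (Site -> Domain -> OU order, the later policy winning a conflict, No Override, and Block Policy inheritance) can be checked with a small model. This is an added example, not part of the original tutorial: the GPO and setting names are constructed, and it assumes one group policy link per container, so the order of links inside a container is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Link:
    gpo: str                    # GPO name (constructed)
    settings: dict              # setting name -> configured value
    no_override: bool = False   # "No Override" set on this link
    disabled: bool = False      # "Disabled" set on this link

@dataclass
class Container:
    name: str                        # site, domain or OU
    link: Optional[Link] = None      # simplification: one link per container
    block_inheritance: bool = False  # "Block Policy inheritance" checked

def resultant_settings(chain):
    """chain is ordered Site -> Domain -> OU; returns {setting: (value, gpo)}."""
    # Ordinary links above the lowest blocking container are ignored.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, forced = [], []
    for level, c in enumerate(chain):
        if c.link is None or c.link.disabled:
            continue
        if c.link.no_override:
            forced.append(c.link)    # cannot be blocked or overwritten
        elif level >= barrier:
            normal.append(c.link)
    result = {}
    # Later ordinary links overwrite earlier ones; No Override links are
    # written afterwards, highest level last, so the highest-level one wins.
    for link in normal + forced[::-1]:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def sample_chain(domain_no_override=False, ou_blocks=False):
    """Constructed data modelled on the two conflict examples in the text."""
    return [
        Container("Site", Link("SiteGPO", {"HideNetworkIcon": "Enable"})),
        Container("Domain", Link("DomainGPO", {"HideNetworkIcon": "Disable",
                  "PasswordLength": 7}, no_override=domain_no_override)),
        Container("OU", Link("OUGPO", {"PasswordLength": 6}),
                  block_inheritance=ou_blocks),
    ]

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True), (True, True)]:
        print(flags, resultant_settings(sample_chain(*flags)))
```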

7. Best Practices

1 Group Policy:

A Disable unused parts of Group Policy objects.

B Use the blocking policy to inherit and disable some of the features.

C Minimize the number of Group Policy objects associated with users in a domain or organizational unit. The more group policies that are applied to a user, the longer logon takes.

D Avoid cross-domain Group Policy object assignments. If Group Policy is obtained from another domain, processing the Group Policy object slows down logon and startup.

2 Software Installation and Management

A Make sure that the Windows Installer package (.msi or .mst file) has been converted correctly before it is published or assigned.

B Assign or publish only once per Group Policy object: for example, if you assign Microsoft Office to the computers affected by a Group Policy object, you can no longer assign or publish it to the users affected by that Group Policy object.

C Repackage existing software.

D Use DFS.

E Assign or publish at a high level in the Active Directory hierarchy.

3 Folder Redirection

A Let the "My Pictures" folder always follow the "My Documents" folder.
