大多数的什么是“新”的组策略增强在Windows 2008 R2在Windows 2008实际上,然而,许多组织从未迁移过的Active Directory 2003年至2008 Active Directory的,所以这是所有新来的管理员谁已经基本从Active Directory中消失了直到Active Directory 2008 R2。什么微软已经在Windows 2008(和2008 R2)组策略做的都已经真棒!所以你分钟启动组策略管理控制台(GPMC),你会发现不只是计算机配置容器和用户配置容器,但计算机和用户容器下的是“政策”和“首选项”。
该策略容器是相同的容器已经在AD一直以来,你必须容器帐户策略,Windows设置,管理工具,安全性等,但在“首选项”是一套全新的“意见”对政策。对于一些1000+的政策,而不是东西更多基于文本的“描述”,还有为你“看”一个GUI用户控制面板类型的东西,你可以通过GUI到“设置”设置,请单击。当您设置的设置,然后单击OK,你可以有效地创建了组策略。所以对于像Internet Explorer设置,你只需点击屏幕上的复选框或选项,这些设置被设定。或者您也可以通过GUI,或通过GUI设置的显示设置做驱动器映射。这整个地区首真正使环境政策更容易。这就像你是在控制面板中的工作站上,而是你选择什么是对“政策”的管理系统集...
Policies and Preferences
As mentioned, Windows 2008 Group Policy introduced a brand new set of configurable settings known as Preferences. Group Policy Objects are now organized into Policy settings and Preference settings. Preferences provide many of the features that the Group Policy infrastructure was lacking in previous versions, and preferences also provide many functions that were commonly handled with complex logon and startup scripts, with Registry file import tasks, and by administrators configuring the default user profile on workstations and servers. Many preference settings, such as Registry keys and Drive Maps, would have previously been applied with scripts that required the workstation to be logged on to or started up on the internal network. With preference settings in domain group policies, these settings can now be applied during the Group Policy refresh interval, which can greatly increase the successful application of these types of settings.
策略设置和首选项设置有不同的特点。策略设置强制执行,所有用户通常更改任何配置的策略设置的限制。如果策略设置包含图形界面,配置的情况下,通常设定变灰为策略配置的远程桌面设置的最终用户。策略设置,如软件安装和计算机或用户脚本计算机启动或关闭以及用户登录和注销周期中只处理。
开机,关机,以及用于计算机和登录,注销和刷新周期,为用户刷新周期中:偏好设置应用于计算机和用户一样的策略设置。首选项设置,但配置却没有得到执行。作为这样的一个例子,使用用户偏好打印机,打印机可以安装在用户简档和设置为默认打印机,但最终用户将仍然保留在必要时定义不同的默认打印机的能力。首选项设置中的刷新间隔应用,但某些设置,比如创建注册表项和值,可能需要重新启动计算机或用户注销/登录周期去实际应用新设置。很重要的一点需要注意的是域组策略首选项是在Windows 7和Windows Server 2008和Windows Server 2008 R2,但视窗XP,Windows Server 2003和Windows Vista中支持的所有必要的更新,以支持首选项设置。
Preference settings are all different, but they each share common administrative functionality. Each preference setting will either be presented in a graphic interface similar to, if not exactly, what the end user can see and access within the user profile. This is one distinction between preference and policy settings, as most policy settings are enabled, disabled, or not configured whereas a preference setting can contain several configuration features.
Furthermore, each preference settings can have multiple items defined within it, each with a separate configuration value. As an example, a Drive Map preference can have a setting item of a mapped drive P and a mapped drive U defined within the single domain group policy preference setting.
除了具体的设置是唯一的每个偏好选项,如驱动器盘符的驱动器映射或文件夹路径,网络共享偏好,每个设置还包含了一组常用的选项,很多还包括优先行动。
优先行动
优先行动确定的偏好设置将如何应用到用户或计算机。许多偏好设置也包含一个名为偏好行动的选项。最常见的优先行动包括创建,替换,更新和删除操作:
►创建,创建动作创建或配置偏好设置,如果设置不存在。如果设置已经存在,不采取行动。
► Replace—The Replace action deletes and recreates the setting on the computer or within the user profile.
►更新,更新操作创造,如果它不存在的设定,但如果设置已经存在,部分或全部的设置配置进行更新,以符合首选项设置。更新是默认的动作,比替换操作较少干扰。它可以用来确保该设置被配置为需要,但处理速度将被优化,因为如果已经设置匹配它将被跳过。
►删除-delete动作简单地删除从计算机或用户简档的优先级设置。例如,删除操作可以删除映射驱动器,删除注册表项,或删除计算机或用户配置文件的打印机。
Preference Common Options
每个偏好设置包含包含可用于特定设置启用几个选项的共同标签。常见的选项包括处理设置仅一次的能力,这是伟大的设置默认配置为新用户配置文件或对现有域的组策略一个新的偏好设置。
项目级别目标
One of the most functional preference common options is the item-level targeting option. Item-level targeting allows administrators to define the scope of application for a particular preference setting item such as a Drive Map. So with item-level targeting an administrator can create a single domain group policy and have a single Drive Map preference defined that will apply different preference setting items to subsets of computers or users based on the specifications of the item-level target. For example, a Drive Map preference that defined the G drive for groups can be configured to map \\server10\Sales to members of the domain security group named sales, based on the item-level targeting option configuration settings. The same preference can also define the G drive to \\server10\HR for members of the domain Human Resources group based on a different configuration for item-level targeting.
所以你会发现当你迁移到活跃Directory 2008 R2 are new features for setting and configuring policies that make policy configuration and management a LOT easier to understand and to apply. A common question I get is “do I need to migrate ALL of my Active Directory domain controllers and global catalog servers to be able to see the new “preferences” feature in GPMC, the answer is “no”. You just need to add a Windows 2008 (or 2008 R2) member server to the network, add the Active Directory Domain Services “role”, and run DCPromo on that system that will extend the Active Directory schema to support the new preferences features. Once the AD schema has been extended, then you run GPMC on the global catalog / domain controller system you just added to the network. This new system will have the new Group Policy Management Console on the system that will “see” the AD group policy structure of Policies and Preferences.
If you ran an older copy of the Group Policy Editor on an older global catalog / domain controller system, while the policy objects exist, the GPMC / GPEdit utility running on the older system would not show the underlying updated policies.
以上摘录的一部分来自于我的书“的Windows Server 2008 R2偷跑”,涵盖了从主动Driectory设计和迁移1550页的精装书,远程桌面服务(“终端服务”),对Windows管理,在配置DHCP / DNS,到Hyper-V R2,等等。