Windows Vista Group Policy Introduction
黃信嘉 Eric Huang, Technical Support Engineer, Platform Desktop Support Team, Global Technical Support Center – Taiwan


Description

Windows Vista Group Policy Introduction. 黃信嘉 Eric Huang, Technical Support Engineer, Platform Desktop Support Team, Global Technical Support Center – Taiwan. Agenda: what Vista Group Policy improved; new Vista Group Policy features; how to manage Vista Group Policy from a Windows 2003 domain; case study.


Windows Vista Group Policy
Eric Huang, Support Engineer, Platform Desktop Support Team, Global Technical Support Center Taiwan

Windows Vista TAP Airlift. 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Policy counts: 1800 policies in Windows XP / 2003; 2500 policies in Vista / 2008; 700 policies (desktops, security).

Agenda

  - What Vista Group Policy improved
  - New Vista Group Policy features
  - Managing Vista Group Policy from a Windows 2003 domain
  - Case study

What Vista Group Policy improved

Slide fragments (Chinese text lost in extraction): Windows Vista vs Windows XP; XP policy; Vista; Active Directory; GPMC; GPEDIT.

GPO infrastructure (diagram): SYSVOL on the DC holds the Group Policy; policies are edited with gpedit / GPMC; XP clients in the domain pull policy from the DC; MIS administers Group Policy with Gpedit / GPMC.

What is new in Windows Vista Group Policy: GPMC / RSAT, ADMX, Group Policy NLA, Event Log, USB, 802.1x.

Vista / 2008 policy (slide content lost in extraction).

NLA (Network Location Awareness): ICMP, DC, Group Policy, VPN.

  - Windows XP: the client detected the DC and measured the link (500 Kb/s slow-link threshold) with PING; a firewall or router that drops ICMP breaks policy detection.
  - Windows Vista: NLA replaces the ICMP probe.
  - VPN: policy refreshes every 90 minutes with a random offset of up to 30 minutes; with NLA the client can refresh when a DC becomes reachable over the VPN or from the Internet.
  - When a DC is detected, NLA tells GP it can refresh.
  - If refresh did not occur within the last interval, GP will automatically update.
  - If refresh did occur during the last interval, GP will not refresh (waits for the next scheduled refresh).
  - When the DC is not responsive, policy processing fails and uses the same state as the last successful application.

Group Policy, Winlogon and the Group Policy Client

  - Windows XP: Group Policy processing runs inside the Winlogon process.
  - Windows Vista: Group Policy runs in its own Group Policy Client service, separate from Winlogon.

Troubleshooting questions: which DC? Is the policy in SYSVOL?

Client (2000/XP): Event Log; Userenv.log (KB221833); Group Policy.

Troubleshooting checklist:
  - Client: check which OU the policy is linked to.
  - DC: which DC (site) answered the client; DC replication; check the DC FRS log; check SYSVOL on the DC.

Windows XP Event Log: check the Application log (source Userenv).

Windows XP UserEnv log: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon set UserEnvDebugLevel = DWORD 0x10002.

The log is written to C:\WINDOWS\Debug\UserMode\userenv.log

Run gpupdate, then read the log:

USERENV(374.130) 12:33:52:450 ProcessGPOList: Extension Security returned 0x4b8.

USERENV(374.130) 12:33:52:450 ProcessGPOList: Extension Security was able to log data. RsopStatus = 0x0, dwRet = 1208, Clearing the dirty bit

USERENV(374.130) 12:33:52:450 ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x4b8.

Windows Vista Event Log: Event Log > Microsoft > Windows > Group Policy (Vista log).

Vista: policy no longer runs in the Winlogon process (GPC) and there is no userenv log; Vista Group Policy events are written to Event Log > Microsoft > Windows > Group Policy. Group Policy Log View monitors the gpupdate log.

Vista Group Policy Log View (GPLogView):
  - Command-line tool available for download
  - Allows export to XML or HTML for event logging
  - Monitor mode to stream events as they are occurring
  - Event ID for each error

Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=bcfb1955-ca1d-4f00-9cff-6f541bad4563&DisplayLang=en
Troubleshooting Group Policy Using Event Logs: http://technet2.microsoft.com/WindowsVista/en/library/7e940882-33b7-43db-b097-f3752c84f67f1033.mspx?mfr=true

Windows 2000/2003 (ADM files): every GPO stores its own copy of the ADM files in SYSVOL on the DC, about 2.5 MB per policy; a domain with 100 policies uses 250 MB of SYSVOL for ADM files.

Each GPO folder (named by policy ID) carries its own 2.5 MB. Windows Vista / 2008 replace ADM with XML-based ADMX files (plus language ADML files) stored once in SYSVOL (the Central Store).

Vista / 2008: ADM becomes ADMX; ADMX in a Central Store on the 2003 domain replaces the 2.5 MB per GPO with one XML copy.

Windows 2003 layout, per GPO:
  \policies\ADM: myapp.adm system.adm inetres.adm conf.adm wmplayer.adm wuau.adm

Windows Vista (English):
  %windir%\policydefinitions: printers.admx inetres.admx ...
  %windir%\policydefinitions\en-us: printers.adml inetres.adml

Windows Vista (Chinese):
  %windir%\policydefinitions: printers.admx inetres.admx ...
  %windir%\policydefinitions\zh-tw: printers.adml inetres.adml

Central Store:
  \policydefinitions: printers.admx inetres.admx ...
  \policydefinitions\en-us: printers.adml inetres.adml
  \policydefinitions\zh-tw: printers.adml inetres.adml
  \policydefinitions\...

On Vista, C:\Windows\policydefinitions holds the ADMX files and language folders (en-us, fr, ...) of ADML files, e.g. printers.admx with printers.adml. The DC has no ADML files of its own; MIS copies the ADMX/ADML files from a Vista machine to the DC.

The Central Store:
  - The Central Store is a domain-wide directory
  - In Sysvol at \Policies\PolicyDefinitions
  - Stores ADMX files (normally one per component)
  - One subdirectory for each supported language (en-us, fr, etc.), each storing ADML files
  - If the Central Store exists, Windows Vista tools use it for locating ADMX/ADML files
  - If the Central Store does not exist, Windows Vista tools use their local policydefinitions directory
  - Pre-Windows Vista GP tools look to the GPO for the ADM files

New Vista Group Policy features

Vista adds policies that 2000/XP did not have (USB, for example).

USB

(slide content lost in extraction) Domain

Policy is linked to an OU in the domain; Vista also supports multiple local policies on one machine; Domain Policy wins over local policy. Demo: Multiple Local GPOs.

Demo environment: VM; 1. 2. Group Policy 3. 4. User (steps lost in extraction); Windows (Vista); Windows.

Power-cost comparison (Chinese labels lost in extraction)

Electricity rate (NTD/kWh): tariff tier 1000 (501); summer (6/1 to 9/30) 3.74; non-summer 2.9; average (3.74 + 2.9) / 2 = 3.32.

Test machines:
  - HP Compaq dc7700 (RN132ET): Intel Core 2 Duo E6400 2.13 GHz, Intel Q965 Express, Intel GMA 3000, 1 GB RAM, 160 GB
  - HP dx5150 (EU305ET): AMD Athlon 64 X2 3800+ 2.4 GHz, ATI Radeon Xpress 200 / ATI Radeon X300, 512 MB RAM, 160 GB
  - HP Compaq D530S (PB603A): Intel Pentium 4 2.8 GHz, Intel 865G, Intel 865G graphics, 512 MB RAM, 40 GB

Usage profile, Windows XP and Windows Vista, 8 hours per day: 40%, 30%, Microsoft Word 15%, MP3 15% (first two activities unlabelled). Power figures XP / Vista: 60, 18, 20, 60 (labels lost); rate 3.32 NTD/kWh.

Cost per PC per year (NTD)      HP d503s   HP dx5150   HP dc7700p
  XP                               2,134       1,422        2,447
  Vista                              706         543          736
  XP minus Vista                   1,428         879        1,711

200 PCs per year (NTD)          HP d503s   HP dx5150   HP dc7700p
  XP                             426,800     284,400      489,400
  Vista                          141,200     108,600      147,200
  XP minus Vista                 285,600     175,800      342,200

200 PCs, with an IT-tuned Vista configuration (20, 60; labels lost) (NTD)
                                HP d503s   HP dx5150   HP dc7700p
  XP                             426,800     284,400      489,400
  Vista                          141,200     108,600      147,200
  Vista (tuned)                  122,692      97,239      122,692
  Vista (tuned) vs XP            304,108     187,161      366,708
  Vista (tuned) vs Vista          18,508      11,361       24,508

CO2 emissions, 200 PCs per year, metric tons at 0.637 kg CO2 per kWh
                                   d503s      dx5150      dc7700p
  XP                               81.92       54.56        93.88
  Vista                            27.09       20.84        28.24
  Vista (tuned)                    23.54       18.65        23.97
  Vista vs XP                      54.83       33.72        65.64
  Vista (tuned) vs Vista            3.55        2.19         4.27
  Vista (tuned) vs XP              58.38       35.91        69.91

Moving from Windows XP to Windows Vista saves up to 1,711 NTD per PC per year; for 200 PCs up to 366,708 NTD per year (342,200 with the default Vista configuration).

For 200 PCs, up to 69.91 tons of CO2 per year (65.64 with the default Vista configuration).

Windows XP has no power-management Group Policy; power schemes are set with the Powercfg command:

  powercfg.exe /create test
  powercfg.exe /change test /monitor-timeout-ac 15
  powercfg.exe /change test /monitor-timeout-dc 15
  powercfg.exe /change test /disk-timeout-ac 25
  powercfg.exe /change test /disk-timeout-dc 25
  powercfg.exe /change test /standby-timeout-ac 0
  powercfg.exe /change test /standby-timeout-dc 0
  powercfg.exe /change test /hibernate-timeout-ac 120
  powercfg.exe /change test /hibernate-timeout-dc 120
  powercfg.exe /setactive test

The settings are stored under:
  HKCU\Control Panel\PowerCfg
  HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power

Windows XP, Group Policy and Powercfg: run the COMMAND as a script; see powercfg /? for the options.
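The powercfg sequence above re-creates the scheme on every run, which fails once it exists. As an added example (not from the slides), the PowerShell script below applies the same timeouts but first checks whether the scheme is already present, stops on the first failing powercfg call, and reads the scheme back so a Group Policy startup script leaves a verifiable result. The scheme name CorpPower is an assumption (the slides use "test"), and it assumes PowerShell is installed on the XP client.

```powershell
# Added example (not the deck's own code): idempotent Windows XP power scheme
# deployment with powercfg.exe, suitable for a Group Policy startup script.
$SchemeName = 'CorpPower'   # assumed scheme name; the slides use "test"

function Test-XpPowerScheme {
    param([string]$Name)
    # On Windows XP, "powercfg /list" prints one scheme name per line
    $listing = & powercfg.exe /list 2>&1
    return [bool]($listing | Where-Object { $_.ToString().Trim() -eq $Name })
}

function Set-XpPowerScheme {
    param([string]$Name)
    if (-not (Test-XpPowerScheme -Name $Name)) {
        & powercfg.exe /create $Name | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "powercfg /create $Name failed ($LASTEXITCODE)" }
    }

    # Same values as the slide (minutes; 0 = never), applied for AC and battery (dc)
    $timeouts = @{
        'monitor-timeout'   = 15
        'disk-timeout'      = 25
        'standby-timeout'   = 0
        'hibernate-timeout' = 120
    }
    foreach ($setting in $timeouts.Keys) {
        foreach ($power in 'ac', 'dc') {
            & powercfg.exe /change $Name "/$setting-$power" $timeouts[$setting] | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "powercfg /change $Name /$setting-$power failed ($LASTEXITCODE)"
            }
        }
    }

    & powercfg.exe /setactive $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "powercfg /setactive $Name failed ($LASTEXITCODE)" }
}

Set-XpPowerScheme -Name $SchemeName
# Print the scheme that is now active so the startup-script log shows the final state
& powercfg.exe /query $SchemeName
```

Because the registry locations listed above are per-user (HKCU) as well as per-machine (HKLM), a startup script sets the scheme for the machine context; a per-user scheme would need the same call from a logon script.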

>>> Vista

Vista

Demo

Demo environment: VM; 1. 2. Group Policy 3. 4. User (steps lost in extraction).

Windows XP: disable USB storage by setting
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, Start = 4
and adjusting the permissions on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor for Everyone.
Windows XP USB: http://support.microsoft.com/kb/823732

USB storage; mail server; USB. On Windows XP, KB823732 disables USB storage by setting Start to 4.

Windows Vista covers CD/DVD, tapes, USB and Windows Portable Devices (WPD): Vista policy can block USB, DVD and CD.

Windows Vista

Demo

Demo environment: VM; 1. 2. Group Policy 3. 4. User (steps lost in extraction).

Windows XP Windows Firewall Policy: inbound only; exceptions by port or by application (AP); the firewall and IPSEC are configured separately.

Windows Vista Windows Firewall Policy

Windows Firewall with IPSec integrated; IPv4 and IPv6; inbound blocked, outbound rules; ICMP and ICMPv6; rules by application, service or AD; network profiles (Domain, Public, Private).

Demo: Windows Vista Windows Firewall Policy

Demo environment: VM; 1. 2. Group Policy 3. 4. User (steps lost in extraction).

Managing Vista from Windows 2003

Central Store on the server: the server holds the ADMX files in the Central Store.

Vista ADMX

1. Central Store? The central store for ADMX files allows all administrators editing domain-based GPOs to access the same set of ADMX

To open Group Policy Object Editor on a Windows Vista machine, press the Windows logo key + R, and then type GPEDIT.msc. Group Policy Object Editor will automatically read all ADMX files stored in the %systemroot%\PolicyDefinitions\ folder. Locate the policy setting you wish to edit and open it. Additional considerations:

Central Store paths on the DC:
  C:\WINDOWS\SYSVOL\sysvol\domain\Policies\PolicyDefinitions
  C:\WINDOWS\SYSVOL\sysvol\domain\Policies\PolicyDefinitions\[MUIculture]\

From a Vista client, copy the files into the Central Store:
  Copy %systemroot%\PolicyDefinitions\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
  Copy %systemroot%\PolicyDefinitions\[MUIculture]\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\[MUIculture]\
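The two Copy commands above are the whole procedure. As an added example (not the deck's own), this PowerShell script does the same copy from a Vista workstation but first checks that the local PolicyDefinitions folder and %logonserver% are available, creates the store if it is missing, copies every language subfolder present locally rather than a single [MUIculture], and reports the file counts so the store can be checked before GPMC is opened. It assumes the account running it can write to SYSVOL\Policies; the function name Publish-CentralStore is an assumption.

```powershell
# Added example (not from the slides): build or refresh the ADMX Central Store
# from a Windows Vista workstation's local PolicyDefinitions folder.
$LocalDefs = Join-Path $env:SystemRoot 'PolicyDefinitions'
# Same SYSVOL location the slides use, built from the environment variables they name
$CentralStore = "$env:LOGONSERVER\sysvol\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Publish-CentralStore {
    param([string]$Source, [string]$Destination)

    if (-not (Test-Path $Source)) { throw "No local PolicyDefinitions folder at $Source" }
    if (-not $env:LOGONSERVER)    { throw 'LOGONSERVER is not set; run this while logged on to the domain' }

    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    # ADMX files sit in the root of the store, normally one per component
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Destination -Force

    # One subdirectory per language (en-US, zh-TW, ...) holding the ADML files
    Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $langDir = Join-Path $Destination $_.Name
        if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
        Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
    }

    # Summary so the operator can confirm the store is complete before opening GPMC
    $admx = @(Get-ChildItem -Path $Destination -Filter *.admx).Count
    $adml = @(Get-ChildItem -Path $Destination -Recurse -Filter *.adml).Count
    Write-Output "Central Store $Destination now holds $admx ADMX and $adml ADML files"
}

Publish-CentralStore -Source $LocalDefs -Destination $CentralStore
```

The copy lands on the logon DC only; the other DCs receive it through SYSVOL replication (the FRS log mentioned in the troubleshooting checklist is where a stalled copy shows up). Because Vista tools prefer the Central Store whenever it exists, an incomplete store hides settings from every administrator, which is why the script counts what it wrote.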

Demo: Central Store

Demo environment: VM; 1. 2. Group Policy 3. 4. User (steps lost in extraction).

Managing Windows 2003 policy from Vista against a 2003 DC: Windows Vista and Windows 2003. Vista RTM: GPMC. Vista SP1: Remote Server Administration Tools (RSAT).

Remote Server Administration Tools (RSAT) >> Windows GPMC

GPMC and GPOs

Windows Server 2008 Group Policy features:
  - Preferences: Preferences provide more than twenty Group Policy extensions that expand the range of configurable preference settings within a Group Policy object. Group Policy preferences allow you to manage drive mappings, registry settings, local users and groups, services, files, and folders without the need to learn a scripting language.
  - Starter Group Policy objects: Group Policy in Windows Server 2008 provides the ability to create Starter Group Policy objects. Using a Starter GPO, you can store a collection of Administrative template policy settings in a single object and incorporate those policy settings into new GPOs.
  - Comments for GPOs and policy settings: Group Policy in Windows Server 2008 provides the option to add comments at the GPO level and at the policy setting level for Administrative templates.
  - Filtering and sorting administrative template policy settings: In Windows Server 2008, an All Settings node is displayed under the Administrative Templates node, providing a comprehensive list of all Administrative template policy settings, including both those in ADMX and ADM formats. You can sort this list alphabetically by setting name, state, comment, or path. Additionally, you can filter the list of Administrative template settings using the options available when you right-click the All Settings node.

Case study

On Vista, open GPMC.msc against the DC; the user OU policy >>>

Vista and XP firewall policy: the XP firewall policy works on XP clients.

A Windows Vista firewall policy for Vista clients.

Separate the firewall policies with a WMI filter:

  Select * from Win32_OperatingSystem where BuildNumber != 6000
  Select * from Win32_OperatingSystem where BuildNumber = 6000
  Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" or Caption = "Microsoft Windows 2000 Professional"
  Select * from Win32_OperatingSystem where Caption = "Microsoft Windows Vista Enterprise"
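A WMI filter that matches nothing silently leaves the GPO unapplied, so each query is worth checking on a real client before it is linked. As an added example (not from the deck), the PowerShell below runs the four queries above on the local machine and reports which ones apply. It quotes BuildNumber because Win32_OperatingSystem.BuildNumber is a string property, and it uses LIKE for the Caption tests because the Vista Caption value carries registered/trademark symbols and a trailing space on many builds, which makes an exact "=" match fail. The function name Test-WmiFilterQuery is an assumption.

```powershell
# Added example (not the deck's own code): test GPO WMI filter queries locally.
# Query text follows the slide; captions use LIKE, see the lead-in for why.
$Queries = @{
    'Not Vista RTM (BuildNumber != 6000)' = 'Select * from Win32_OperatingSystem where BuildNumber != "6000"'
    'Vista RTM (BuildNumber = 6000)'      = 'Select * from Win32_OperatingSystem where BuildNumber = "6000"'
    'XP or 2000 Professional'             = 'Select * from Win32_OperatingSystem where Caption LIKE "%Windows XP Professional%" or Caption LIKE "%Windows 2000 Professional%"'
    'Vista Enterprise'                    = 'Select * from Win32_OperatingSystem where Caption LIKE "%Windows Vista%Enterprise%"'
}

function Test-WmiFilterQuery {
    param([string]$Query)
    # Group Policy applies a WMI-filtered GPO when the query returns at least one instance
    $result = Get-WmiObject -Query $Query -ErrorAction Stop
    return ($null -ne $result)
}

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Output ("This machine: Caption='{0}' BuildNumber={1}" -f $os.Caption, $os.BuildNumber)

foreach ($name in $Queries.Keys) {
    try {
        $applies = Test-WmiFilterQuery -Query $Queries[$name]
        $verdict = if ($applies) { 'APPLIES' } else { 'does not apply' }
        Write-Output ("{0,-38} {1}" -f $name, $verdict)
    } catch {
        # A malformed query is reported rather than treated as "does not apply"
        Write-Output ("{0,-38} INVALID QUERY: {1}" -f $name, $_.Exception.Message)
    }
}
```

Run it on one XP client and one Vista client: exactly one of the two BuildNumber queries and exactly one of the two Caption queries should print APPLIES on each, otherwise the filter will route the wrong firewall policy to that machine.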

Can Group Policy run a script?

Script: how does Group Policy run a script? http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=41dc179b-3328-4350-ade1-c0d9289f09ef&DisplayLang=en

Windows Vista (Traditional Chinese TechNet): http://technet2.microsoft.com/windowsvista/zh-CHT/library/a8366c42-6373-48cd-9d11-2510580e48171028.mspx