
Windows Vista Security: Praxisorientierte Sicherheit für Profis by Marcus Nasarek


Chapter 26: Using Group Policy with Windows Vista
Exploring Group Policy in Windows Vista

users no longer have to explicitly disable or remove settings that interfere with their
ability to manage a computer before performing administrator tasks. Instead, an
administrator user can implement one LGPO for administrators and another LGPO
for nonadministrators.
Administrator and nonadministrator LGPOs are the two standard
types of LGPOs available. See “Working with Multiple Local Group
Policy Objects,” later in this chapter, for more information.
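
An added example, not from the book: the PowerShell script below inventories the LGPO layers present on a computer, so that an administrators-only or nonadministrators-only policy is not overlooked during a configuration review. It assumes the default storage folders (%SystemRoot%\System32\GroupPolicy and %SystemRoot%\System32\GroupPolicyUsers\<SID>) and an elevated prompt; the function name Get-LgpoLayer is hypothetical.

```powershell
# Added example: inventory the Local Group Policy Object (LGPO) layers on this computer.
# Assumption: LGPOs live in their default folders under %SystemRoot%\System32.
# Run from an elevated prompt; the GroupPolicyUsers folder is hidden and ACL-protected.
$sys32     = Join-Path $env:SystemRoot 'System32'
$usersRoot = Join-Path $sys32 'GroupPolicyUsers'

# Built-in group SIDs that name the folders of the two standard LGPO types.
$standard = @{
    'S-1-5-32-544' = 'Administrators LGPO'
    'S-1-5-32-545' = 'Non-Administrators LGPO'
}

function Get-LgpoLayer {
    param([string]$Path, [string]$Layer)
    if (-not (Test-Path -LiteralPath $Path)) { return }

    # gpt.ini holds the version counter that is incremented when the LGPO is edited.
    $version = $null
    $gptIni  = Join-Path $Path 'gpt.ini'
    if (Test-Path -LiteralPath $gptIni) {
        foreach ($line in Get-Content -LiteralPath $gptIni) {
            if ($line -match '^\s*Version\s*=\s*(\d+)') { $version = [int64]$Matches[1]; break }
        }
    }

    # Registry.pol files carry the registry-based settings of the layer.
    $pol = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -Filter 'Registry.pol' -ErrorAction SilentlyContinue)
    $lastWrite = $pol | Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty LastWriteTime
    New-Object PSObject -Property @{
        Layer = $Layer; GptVersion = $version; PolFiles = $pol.Count
        LastPolWrite = $lastWrite; Path = $Path
    }
}

$layers = @(Get-LgpoLayer -Path (Join-Path $sys32 'GroupPolicy') -Layer 'Local Computer Policy')
if (Test-Path -LiteralPath $usersRoot) {
    foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Force | Where-Object { $_.PSIsContainer }) {
        $label = $standard[$dir.Name]
        if (-not $label) {
            # Any other SID-named folder is a user-specific LGPO; resolve the SID if possible.
            try {
                $sid   = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                $label = 'User-specific LGPO: ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $label = 'Unresolved folder: ' + $dir.Name }
        }
        $layers += Get-LgpoLayer -Path $dir.FullName -Layer $label
    }
}
$layers | Format-Table Layer, GptVersion, PolFiles, LastPolWrite, Path -AutoSize
```

A layer whose GptVersion or LastPolWrite changed outside a planned maintenance window is worth comparing against the approved baseline.
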

Enhancing Group Policy Application

Thanks to the Network Location Awareness feature in Windows Vista, Group Policy
can respond better to changing network conditions and no longer relies on ICMP
(ping) for policy application. Network Location Awareness ensures that a computer
is aware of the type of network to which it is currently connected—in other words,
whether the computer is on a private, public, or work network—and is responsive to
changes in the system status or network configuration. This gives Group Policy
access to the resource detection and event notification capabilities in the operating
system, allowing Group Policy to determine when a computer is in standby mode or
resuming from hibernation, as well as when a network connection has been disabled
or disconnected. In cases where the network isn’t available, Group Policy won’t wait
for the network, allowing for faster startup.
Because ICMP (ping) is no longer used for slow link detection, business networks
can filter this protocol on their firewalls. Group Policy in Windows Vista uses
Network Location Awareness to determine the network bandwidth. When mobile users
connect to a business network, Group Policy can detect the availability of a domain
controller and initiate a background refresh of policy over the VPN connection.

Improving Group Policy Management

Windows Vista includes the Group Policy Management Console (GPMC) and Group
Policy Object Editor (GPOE) for managing Group Policy. While GPMC was previously
provided as a separate download from Microsoft, it is now integrated directly
into the operating system.
Using the GPMC, shown in Figure 26-1, you can manage Active Directory Group
Policy in an enterprise environment. To open the GPMC, follow these steps:
1. Log on to a computer running Windows Vista with an administrative user
account.
2. Click Start, type mmc into the Search box, and then press Enter.
3. In the Microsoft Management Console, click File → Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Management
Console, click Add, and then click OK.
5. You can now navigate through the forest and domains in the organization to
view individual Group Policy Objects (GPOs).
6. If you expand the site, domain, or organizational unit node in which a related
policy object is stored, you can right-click the policy object and then choose
Edit. This opens the object for editing in the GPOE.
Using the GPOE, shown in Figure 26-2, you can manage individual GPOs. To open
the GPOE, follow these steps:
1. Log on to a computer running Windows Vista with an administrative user
account.
2. Click Start, type mmc into the Search box, and then press Enter.
3. In the Microsoft Management Console, click File → Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor and
then click Add.
5. In the Select Group Policy Object dialog box, the default object is the Local
Computer Group Policy Object. If this is the object you want to work with, click
Finish. If this isn’t the object you want to work with, click Browse, select the
object you want to work with, and then click OK.
6. Click OK to close the Add or Remove Snap-ins dialog box.
7. You can now work with the GPO you’ve opened.
Figure 26-1. Accessing Active Directory Group Policy
