Windows Group Policy and ACL (Access Control List)

Basic understanding

What is Group Policy

Group Policy has nothing to do with workgroups. It is a collection of many individual policy settings; the "group" in the name refers to a group of settings, not to a workgroup. The Local Security Policy, for example, is one part of Group Policy. A Group Policy Object (GPO) is like a task plan that can be assigned to different departments (organizational units).

Multiple GPOs may be linked to the same site, domain or OU, so some of their settings may conflict. In that case the precedence of the GPO decides which setting the client finally applies: a GPO with higher precedence overrides one with lower precedence. In GPMC, the smaller the link order number, the higher the precedence of the GPO.
Group Policy is roughly divided into the following categories, listed in processing order:

1. Local Group Policy. Scope: the local computer. Before Vista each computer had a single local group policy; since Vista each account can additionally have its own local group policy, all of them managing only the local computer.
2. Site Group Policy. Scope: computers and accounts located in the Active Directory site. (Not covered further here.)
3. Domain Group Policy. Scope: machines and accounts in the domain. Manages computers and accounts throughout the domain.
4. Organizational Unit Group Policy. Scope: machines and accounts in the OU. Manages the computers and accounts in that OU (and, through inheritance, in its child OUs).

What needs to be said here is that when a computer applies policy it really does process it in the order local, site, domain, OU (LSDOU). If the same setting is configured in more than one place, the setting applied later overrides the one applied earlier; in other words, in the default case the OU policy (for nested OUs, the innermost OU) is the one that finally takes effect.

The result is a merge of all applicable GPOs: settings that do not conflict are all applied, and where two GPOs configure the same setting the one with the higher precedence wins.

The exception is an Enforced (mandatory) link: an enforced GPO has the highest precedence, wins over any GPO linked lower in the tree, and is still applied to an OU that has Block Inheritance set.
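To make these precedence rules concrete, here is an added PowerShell example that is not part of the original post. It models the LSDOU merge on constructed data: every GPO name, setting and value below is invented for illustration, and the function only manipulates hashtables, so it runs on any PowerShell without a domain. It also handles Block Inheritance and Enforced, the exception described above.

```powershell
# Added example, not code from the original post: a model of the LSDOU merge
# that the Group Policy client performs. All GPOs and settings below are
# constructed for illustration; nothing touches a real domain or registry.

function Resolve-GpoSettings {
    param(
        # Scopes in processing order, outermost first: Local, Site, Domain, OU, sub-OU ...
        [Parameter(Mandatory=$true)] [object[]] $Scopes
    )
    $effective = @{}   # setting name -> @{ Value; Source; Kind }

    # Pass 1: ordinary links. Each scope is written over the previous one, so the
    # scope processed last (the innermost OU) wins on conflict. Within one scope
    # the link with the smallest Link Order wins, so links are applied in
    # descending order and the order-1 GPO is written last.
    foreach ($scope in $Scopes) {
        if ($scope.BlockInheritance) {
            # Block Inheritance drops settings inherited from parent containers.
            # The local GPO is not an AD link and is never blocked; enforced links
            # are re-applied in pass 2, so they survive the block as well.
            $kept = @{}
            foreach ($k in @($effective.Keys)) {
                if ($effective[$k].Kind -eq 'Local') { $kept[$k] = $effective[$k] }
            }
            $effective = $kept
        }
        $links = $scope.Links | Where-Object { -not $_.Enforced } | Sort-Object LinkOrder -Descending
        foreach ($gpo in $links) {
            foreach ($s in $gpo.Settings.GetEnumerator()) {
                $effective[$s.Key] = @{ Value = $s.Value; Source = "$($scope.Name)/$($gpo.Name)"; Kind = $scope.Kind }
            }
        }
    }

    # Pass 2: Enforced links. They beat every ordinary link below them, and an
    # enforced link higher in the tree beats an enforced link lower down, so walk
    # the scopes innermost-first so that the outermost enforced GPO is written last.
    for ($i = $Scopes.Count - 1; $i -ge 0; $i--) {
        $scope = $Scopes[$i]
        $links = $scope.Links | Where-Object { $_.Enforced } | Sort-Object LinkOrder -Descending
        foreach ($gpo in $links) {
            foreach ($s in $gpo.Settings.GetEnumerator()) {
                $effective[$s.Key] = @{ Value = $s.Value; Source = "$($scope.Name)/$($gpo.Name) (Enforced)"; Kind = $scope.Kind }
            }
        }
    }
    return $effective
}

function New-GpoLink {
    param([string] $Name, [int] $LinkOrder, [hashtable] $Settings, [switch] $Enforced)
    [pscustomobject]@{ Name = $Name; LinkOrder = $LinkOrder; Settings = $Settings; Enforced = [bool]$Enforced }
}

# Constructed scenario: a local policy, a domain with an enforced baseline, and a
# Finance OU that blocks inheritance and links two GPOs of its own.
$scopes = @(
    [pscustomobject]@{ Name = 'Local'; Kind = 'Local'; BlockInheritance = $false; Links = @(
        New-GpoLink 'Local Computer Policy' 1 @{ MinPasswordLength = 6; ScreenSaverTimeout = 900 }) }
    [pscustomobject]@{ Name = 'Domain'; Kind = 'Domain'; BlockInheritance = $false; Links = @(
        New-GpoLink 'Default Domain Policy' 1 @{ MinPasswordLength = 8 }
        New-GpoLink 'Corp Security Baseline' 2 @{ ScreenSaverTimeout = 600; NoLMHash = 1 } -Enforced) }
    [pscustomobject]@{ Name = 'OU=Finance'; Kind = 'OU'; BlockInheritance = $true; Links = @(
        New-GpoLink 'Finance Legacy' 2 @{ MinPasswordLength = 10 }
        New-GpoLink 'Finance Lockdown' 1 @{ MinPasswordLength = 14; ScreenSaverTimeout = 300 }) }
)

$result = Resolve-GpoSettings -Scopes $scopes
$result.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{ Setting = $_.Key; Value = $_.Value.Value; WinningGpo = $_.Value.Source }
} | Format-Table -AutoSize
```

Tracing the scenario by hand shows the three rules at work: MinPasswordLength ends up 14 from Finance Lockdown, because link order 1 beats order 2 inside the OU and Block Inheritance discarded the domain's value of 8; ScreenSaverTimeout ends up 600 from the enforced Corp Security Baseline, which overrides both the OU's 300 and the block; NoLMHash arrives only through that enforced link. On a real domain the equivalent check is Get-GPInheritance -Target 'OU=Finance,DC=corp,DC=example' (GroupPolicy module; the DN is an assumed name), which lists the effective link order and marks enforced links, and gpresult /r on the client shows which GPOs were actually applied.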

Location of Group Policy Management on Domain Controller


Organizational Unit Group Policy

In the GPMC screenshot the green box marks the organizational unit.
An organizational unit group policy is a GPO linked to an OU, so it applies only to the users and computers that are members of that OU. For example, the Default Domain Controllers Policy shown above is linked only to the Domain Controllers OU and therefore applies only to the domain controllers.

Intra-domain group policy

On the DC, open Server Manager and click Tools > Group Policy Management to manage the group policies of the domain. These group policies only affect hosts that are members of the domain.
The GPO linked at the domain level is called Default Domain Policy, and it affects every machine in the domain. There is also a GPO called Default Domain Controllers Policy, linked to the Domain Controllers OU, which affects only the domain controllers.


From the command line it is started with gpmc.msc. Its purpose is to create and manage the Group Policy that is pushed to the computers in the domain; I call it the domain group policy.

Local group policy


Local Group Policy (LGP or LocalGPO) is the basic version of Group Policy, intended for standalone, non-domain computers. It has existed at least since Windows XP and also applies to domain-joined computers, where it is processed first and overridden by any conflicting domain GPO. Before Windows Vista, LGP could apply a single group policy object to the local computer but could not target individual users or groups. Starting with Windows Vista, LGP can also manage individual users and groups (Multiple Local Group Policy), and local policy can be backed up, imported and exported between standalone computers as "GPO Packs": the exported group policy container holds the files needed to import the policy on the target computer.

Deep understanding

Group Policy storage location

Creating a group policy actually creates a Group Policy Object (GPO). A GPO's settings are split into two halves, the computer configuration and the user configuration, and each half has its own version number, which is incremented whenever that half is edited. Every GPO is identified by a GUID, and its version number is recorded in two places: in the Active Directory database and in the SYSVOL shared folder.

A GPO is therefore stored in two parts in the domain: the Group Policy Container (GPC), an object under CN=Policies,CN=System in AD, and the Group Policy Template (GPT), a folder under \\<domain>\SYSVOL\<domain>\Policies\{GUID}. The version in the GPC and the version in the GPT should match; they can differ temporarily when AD replication and SYSVOL replication (FRS or DFS-R) between domain controllers are out of step. The GPC version can be viewed with ADSI Edit (attribute versionNumber) and the GPT version in the gpt.ini file; in both cases the value is a single integer that has to be split to obtain the two version numbers.

GPC

The versionNumber attribute is a 32-bit integer. Convert it to hexadecimal (eight hex digits): the first four digits (the high 16 bits) are the user configuration version and the last four digits (the low 16 bits) are the computer configuration version.
In the screenshot the value converts to 0x007a0007, so the user configuration version stored in AD is 0x007a = 122 and the computer configuration version is 0x0007 = 7. The same numbers appear on the GPO's Details tab in GPMC, which is the easy way to confirm the conversion.


GPT

The GPT version is stored in the gpt.ini file in the GPO's SYSVOL folder, in the Version= line; it is the SYSVOL copy of the version number. It is decoded the same way: convert the value to hexadecimal; the first four hex digits are the user configuration's SYSVOL version and the last four are the computer configuration's SYSVOL version.
In the screenshot the value also converts to 0x007a0007, so the user configuration version stored in SYSVOL is 0x007a = 122 and the computer configuration version is 0x0007 = 7, matching the AD values above.

Group Policy version in the registry

The Group Policy information currently applied on a client is recorded in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State, in two kinds of subkey. The Machine subkey holds the GPOs applied to the computer configuration, with their computer-side version numbers; a subkey named after the SID of each logged-on user holds the GPOs applied to that user's user configuration, with the user-side version numbers. Both contain a GPO-List subkey with one numbered entry per applied GPO.
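The version arithmetic from the GPC, GPT and registry sections above is easy to get wrong by hand, so here is an added PowerShell example, not code from the original post, that does the split and compares the AD and SYSVOL halves. The sample version numbers and the gpt.ini text are constructed; the commented commands at the end show where the real values come from on a domain-joined host and use an assumed domain name and GUID placeholder.

```powershell
# Added example, not code from the original post. Splits the 32-bit GPO version
# number used by the GPC (AD attribute versionNumber), the GPT (gpt.ini in SYSVOL)
# and the client's registry GPO-List: high 16 bits = user configuration,
# low 16 bits = computer configuration. Sample values below are constructed.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory=$true)][long] $Version)
    [pscustomobject]@{
        Raw      = $Version
        Hex      = '0x{0:x8}' -f $Version
        User     = ($Version -shr 16) -band 0xFFFF   # first four hex digits
        Computer = $Version -band 0xFFFF             # last four hex digits
    }
}

function Get-GptIniVersion {
    # gpt.ini is a tiny INI file; the Version= line carries the GPT version.
    param([Parameter(Mandatory=$true)][string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    }
    throw 'gpt.ini has no Version= line'
}

function Compare-GpoVersions {
    # Reports whether the GPC (AD) and GPT (SYSVOL) halves agree. A mismatch usually
    # means AD replication and SYSVOL replication have not both caught up yet.
    param(
        [Parameter(Mandatory=$true)][long] $AdVersion,
        [Parameter(Mandatory=$true)][long] $SysvolVersion
    )
    $ad = ConvertFrom-GpoVersion $AdVersion
    $sv = ConvertFrom-GpoVersion $SysvolVersion
    [pscustomobject]@{
        UserAD     = $ad.User;     UserSysvol     = $sv.User
        ComputerAD = $ad.Computer; ComputerSysvol = $sv.Computer
        InSync     = ($ad.User -eq $sv.User) -and ($ad.Computer -eq $sv.Computer)
    }
}

# The post's value: 0x007a0007 = 7995399 -> user 122, computer 7.
ConvertFrom-GpoVersion 7995399

# Constructed gpt.ini contents: one in sync with AD, one lagging one computer-side edit.
$gptIniInSync = @'
[General]
Version=7995399
displayName=New Group Policy Object
'@ -split "`r?`n"

$gptIniLagging = @'
[General]
Version=7995398
'@ -split "`r?`n"

Compare-GpoVersions -AdVersion 7995399 -SysvolVersion (Get-GptIniVersion $gptIniInSync)
Compare-GpoVersions -AdVersion 7995399 -SysvolVersion (Get-GptIniVersion $gptIniLagging)

# Real sources on a domain-joined host (assumed DN; needs the ActiveDirectory module):
#   $gpc = Get-ADObject -Identity 'CN={GUID},CN=Policies,CN=System,DC=corp,DC=example' `
#              -Properties versionNumber, gPCFileSysPath
#   Compare-GpoVersions -AdVersion $gpc.versionNumber `
#       -SysvolVersion (Get-GptIniVersion (Get-Content (Join-Path $gpc.gPCFileSysPath 'gpt.ini')))
# What the last refresh applied on this client, decoded with the same split:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\*' |
#       ForEach-Object { [pscustomobject]@{ GPO = $_.DisplayName; Version = ConvertFrom-GpoVersion $_.Version } }
```

The first comparison reports both halves equal (122 and 7), the second reports ComputerAD 7 against ComputerSysvol 6 and InSync false, which is exactly the AD-versus-SYSVOL discrepancy described above; a client that reads the lagging SYSVOL copy would apply one edit behind what GPMC shows.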

ACL access control list

An ACL controls whether a process may create, delete, modify or read an object, in other words it controls the access rights of a process. Windows gives every process an access token, and every securable object receives a security descriptor when it is created; access control is essentially a comparison of these two structures.
The ACL is the rule that every process in the computer must follow when it wants to touch data. Whenever a process tries to operate on an object, the operating system takes the object's security descriptor and the process's access token. The security descriptor is like a manual that says which identities may do what, and the access token is like the program's ID card. The operating system looks up the SIDs from the token in the security descriptor's DACL and thereby learns which of the requested operations the process is allowed to perform.

Access token

When a user logs on successfully, the system creates an access token for that logon session, and every process started with the user's authority gets a copy of it. The token contains security identifiers (SIDs) that represent the identity of the user and the groups the user belongs to. The operating system decides whether a process may perform an operation by comparing the SIDs and privileges in its token against the object's security descriptor.
According to Wikipedia, an access token contains:

1. The security identifier (SID) of the user account
2. The SIDs of the groups the user account belongs to
3. A logon SID that identifies the current logon session
4. The list of privileges held by the user or the user's groups
5. The owner SID (the SID that becomes the owner of objects the user creates)
6. The SID of the primary group
7. The default DACL that the system applies when the user creates a securable object without supplying a security descriptor
8. The source of the access token (which component created it)
9. Whether the token is a primary or an impersonation token
10. An optional list of restricting SIDs
11. The current impersonation level
12. Other statistics

Security identifier SID

SID is divided into two types:

Built-in SID
automatically assign SID

Generally, you only need to understand the built-in SID. The built-in SID has:
Format:S-[修订级别]-[权值]-[标识符]

S-1-5-18 (LocalSystem)
S-1-5-19 (LocalService)
S-1-5-20 (NetworkService)
S-1-5-32-544 (Administrators)
S-1-5-32-545 (Users)
S-1-5-32-550 (PrintOperators)

Relative identifier RID

The RID is the last sub-authority of a SID, for example 500 or 501; within one domain or machine, different RIDs identify different principals. The machine or domain SID itself is S-1-5-21-xxxx-xxxx-xxxx, and an account SID is that value plus the RID:
Format: S-[revision]-[identifier authority]-[machine or domain identifier]-[relative identifier]

S-1-5-21-xxxx-xxx-500 (Administrator) built-in local administrator
S-1-5-21-xxxx-xxx-501 (Guest) built-in local guest account
S-1-5-21-xxxx-xxx-1004 an account created later (the screenshot shows a workstation account); RIDs from 1000 upward are allocated in sequence to new accounts, groups and computers

Because the RID is fixed, renaming the Administrator account does not hide it: RID 500 still identifies it.
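The token contents, the SID format and the RID rules above can all be inspected from an ordinary PowerShell session. The following added example is not from the original post; it reads the current process's token through .NET, splits each SID into its parts, and resolves the post's well-known SIDs. It runs on any Windows host as any user and needs no domain; which names the SIDs resolve to depends on the machine, so only the structure of the output is fixed.

```powershell
# Added example, not code from the original post: reads the access token of the
# current process via .NET and decodes the SIDs in it. Runs on any Windows host.

function Split-Sid {
    # S-<revision>-<identifier authority>-<sub-authority>...-<RID>
    param([Parameter(Mandatory=$true)][string] $Sid)
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 3) { throw "Not a SID: $Sid" }
    $subs = @()
    if ($parts.Count -gt 3) { $subs = @($parts[3..($parts.Count - 1)] | ForEach-Object { [long]$_ }) }
    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [long]$parts[2]
        SubAuthorities      = $subs
        Rid                 = $(if ($subs.Count -gt 0) { $subs[-1] } else { $null })
        # S-1-5-21-<machine or domain>-<RID>: only then is the RID a 500/501/1000+ style account RID
        IsAccountSid        = ($parts[2] -eq '5' -and $subs.Count -eq 5 -and $subs[0] -eq 21)
    }
}

function Resolve-SidName {
    param([Parameter(Mandatory=$true)][string] $Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved on this machine)' }
}

function Get-CurrentTokenSummary {
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p    = New-Object System.Security.Principal.WindowsPrincipal($id)
    $user = Split-Sid $id.User.Value
    # The logon SID (S-1-5-5-X-Y) is unique per logon session and sits among the group SIDs.
    $logon = $id.Groups | Where-Object { $_.Value -like 'S-1-5-5-*' } | Select-Object -First 1
    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        UserRid            = $user.Rid
        IsBuiltinAdminAcct = ($user.IsAccountSid -and $user.Rid -eq 500)   # RID 500 survives a rename
        # True only when S-1-5-32-544 is present AND enabled in this token, i.e. an elevated prompt.
        AdminGroupEnabled  = $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Owner              = $id.Owner.Value   # typically Administrators when elevated, else the user
        ImpersonationLevel = $id.ImpersonationLevel
        LogonSid           = $(if ($logon) { $logon.Value } else { $null })
        GroupCount         = $id.Groups.Count
    }
}

Get-CurrentTokenSummary | Format-List

# Every group SID in the token, with its RID pulled out.
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    $s = Split-Sid $_.Value
    [pscustomobject]@{ Sid = $_.Value; Rid = $s.Rid; Name = Resolve-SidName $_.Value }
} | Format-Table -AutoSize

# The well-known SIDs listed in the post, resolved on this machine.
'S-1-5-18','S-1-5-19','S-1-5-20','S-1-5-32-544','S-1-5-32-545','S-1-5-32-550' | ForEach-Object {
    [pscustomobject]@{ Sid = $_; Name = Resolve-SidName $_ }
} | Format-Table -AutoSize
```

Run it twice, once from a normal prompt and once from an elevated one, and compare AdminGroupEnabled and Owner: the same user gets two different tokens, which is why a process's rights are decided by the token it carries and not by the account name. The group table shows the S-1-5-32-xxx built-in groups beside the S-1-5-21-...-RID domain or machine groups, so the RID rule is only applied to the latter.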

Security descriptor

A security descriptor is attached to every securable object (file, registry key, process, AD object, and so on) and is created when the object is created. It does not store "the permissions of a token"; it lists, per trustee SID, which access rights are allowed or denied, and the system matches the SIDs in a caller's token against that list.
The security descriptor has four parts:
1. The security identifier (SID) of the object owner. The owner always has implicit READ_CONTROL and WRITE_DAC on the object, so it can repair the DACL even after locking itself out.
2. The SID of the object's primary group (kept mainly for POSIX compatibility; rarely meaningful on Windows).
3. The SACL, which specifies which kinds of access to this object are audited, i.e. what gets logged when a process operates on it.
4. The DACL, a list of ACEs that allow or deny specific operations to specific users or groups. If an object has no DACL at all (a null DACL), everyone has full access to it; an empty DACL (present, but with no ACEs) grants nobody access beyond what the owner gets implicitly. In canonical order explicit Deny ACEs come before Allow ACEs, so a matching deny wins over a matching allow.
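The four parts above, and the deny-before-allow rule, can be observed on a scratch file. The following added example is not from the original post: it creates a file under $env:TEMP, reads its security descriptor with Get-Acl, adds an explicit Deny ACE for the current user, shows that the deny wins over the inherited Allow, and then uses the owner's implicit WRITE_DAC to undo the lock-out. It runs as any user on Windows and deletes the file at the end.

```powershell
# Added example, not code from the original post: inspect and change a file's
# security descriptor (owner, group, DACL, SDDL) and watch a Deny ACE take effect.

function Show-SecurityDescriptor {
    param([Parameter(Mandatory=$true)][string] $Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Owner = $acl.Owner
        Group = $acl.Group   # primary group; kept for POSIX compatibility, rarely meaningful on NTFS
        Sddl  = $acl.Sddl    # O:owner G:group D:(DACL ACEs) S:(SACL ACEs; reading it needs SeSecurityPrivilege)
        Aces  = @($acl.Access | ForEach-Object {
            '{0,-5} {1,-32} {2}{3}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights,
                $(if ($_.IsInherited) { ' (inherited)' } else { ' (explicit)' })
        })
    }
}

function Test-CanRead {
    param([Parameter(Mandatory=$true)][string] $Path)
    try { [void](Get-Content -Path $Path -ErrorAction Stop); $true } catch { $false }
}

$path = Join-Path $env:TEMP ('acl-demo-{0}.txt' -f [guid]::NewGuid())
Set-Content -Path $path -Value 'constructed sample content'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

"1. Fresh file: can read = $(Test-CanRead $path)"
Show-SecurityDescriptor $path | Format-List

# Add an explicit Deny of ReadData for our own account. Canonical DACL order puts
# explicit Deny ACEs before Allow ACEs, so the Allow inherited from $env:TEMP no
# longer helps this token even though it is still in the list.
$acl  = Get-Acl -Path $path
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'ReadData', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl
"2. After Deny ACE: can read = $(Test-CanRead $path)"
(Show-SecurityDescriptor $path).Aces

# We are still the owner, and an owner always has READ_CONTROL and WRITE_DAC
# regardless of the DACL, so the lock-out is reversible without any privilege.
$acl = Get-Acl -Path $path
[void]$acl.RemoveAccessRule($deny)
Set-Acl -Path $path -AclObject $acl
"3. After repair: can read = $(Test-CanRead $path)"
Remove-Item -Path $path
```

Step 2 fails to read even though the inherited Allow for the user (or Administrators) is still present, and step 3 succeeds again; the ACE list printed in between shows the explicit Deny listed first. Only ReadData is denied rather than the whole Read set, because Read also includes ReadPermissions (READ_CONTROL), and denying that would make the non-owner case harder to reason about. The SDDL string in step 1 is the same descriptor in its serialized form, which is what tools such as icacls and Set-Acl -AclObject accept.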


Appendix:
gpedit.msc opens the Local Group Policy Editor
gpupdate /force re-applies all Group Policy settings immediately, not only those that changed since the last refresh
gpmc.msc opens the Group Policy Management Console for the domain (present on domain controllers; on other machines it requires the RSAT Group Policy Management feature)

Origin: blog.csdn.net/qq_41874930/article/details/108152568