Group Policy management is generally a feature of a domain environment. What is the role of Group Policy? It provides unified management of user and computer behavior policies in a domain, such as giving everyone the same desktop background, the same theme style, the same user settings, and so on.
Basic knowledge
Group Policy is divided into Computer Configuration and User Configuration.
Computer Configuration: used to manage policies that control specific items on a computer. It includes desktop appearance, security settings, operating system execution, file deployment, application distribution, and the execution of computer startup and shutdown scripts. These settings apply to a specific computer, and the configured Group Policy is applied automatically when the computer starts.
User Configuration: used to manage policies for more user-specific items. It includes application configuration, desktop configuration, application assignment, and computer startup and shutdown script running, among others. User Configuration Group Policy is applied when a user logs on to the computer.
When Computer Configuration is applied
When the computer is turned on
After the computer is turned on, the domain controller automatically applies the
After the computer is turned on, computers that are not domain controllers apply it automatically every 90-120 minutes
Apply manually
When User Configuration is applied
Automatically applied when the user logs in
After the user logs in, the system will automatically apply once every 90-120 minutes
Apply manually
To apply manually: open a command prompt and run gpupdate /force
Task objectives:
- Publish software through Group Policy. The published program will appear in the Add or Remove Programs dialog and can be installed from there. The software must be in msi format; download one yourself, such as 7-zip or another package.
- Find a picture you like, set it as the desktop background for Win10, and do not allow it to be changed.
- Hide the C drive of Win10 to prevent accidental deletion. At the same time, map a network drive for Win10 to store data.
- Add a shortcut to the desktop of Win10 users, pointing to an address that you like to browse.
- Finally, use Group Policy to add the ordinary domain user who logs in to Win10 to the local administrator group of Win10. After logging in to Win10 as the ordinary domain user, check whether the user has been added.
Environment setup
Use the environment from the previous domain controller exercise: prepare a domain controller server, prepare a client, and join the client to the domain.
Create a new user and use this user to log in to the domain on the client computer.
1. Publish software through Group Policy
In Server Manager on the domain controller, open Tools--Group Policy Management
Expand the tree as shown in the figure and select New GPO
Open the newly created GPO
Add the newly created user
Right-click on the newly created Group Policy and select Edit
Because we want to install software, the installation package must be in a network location. If we pointed to a local path such as the desktop, the package would exist on the desktop of the domain server, but what about the client computer? The client's desktop does not have this installation package, so the client would not be able to find it.
So the installation location here must be set to a network location
Set up the shared folder
Put the installation package in a directory
Go back and share this folder
Add Read permission for Everyone
Then the network address of the package becomes
\\IP address of domain server\share\7z2201-x64.msi
For example:
Enter the user name and password; I entered user here
The share is now working
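The share setup above can also be scripted and checked on the domain server. This is an added example, not part of the original walkthrough; the folder path C:\share is an assumption, and the share name and package name are taken from the UNC path shown above. It lists any entry that lets a non-administrator change the package, because every client installs whatever file sits at that path.

```powershell
# Added example (not from the original walkthrough). Run elevated on the domain server.
# Assumed: the package folder is C:\share; share and MSI names come from the UNC path above.
$Path      = 'C:\share'
$ShareName = 'share'
$Package   = Join-Path $Path '7z2201-x64.msi'

# Create the folder and the share: Everyone reads, only Administrators change content.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ReadAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# Share-level entries that let a non-administrator do more than read.
$shareFindings = @(Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read' -and
    $_.AccountName -ne 'BUILTIN\Administrators'
})

# NTFS entries on the folder that grant write access to anyone outside this list.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
$write   = [int][System.Security.AccessControl.FileSystemRights]::Write
$ntfsFindings = @((Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $write) -ne 0) -and
    $_.IdentityReference.Value -notin $trusted
})

"Share entries above Read for non-administrators: $($shareFindings.Count)"
$shareFindings | Format-Table AccountName, AccessRight -AutoSize
"NTFS write entries for non-administrators: $($ntfsFindings.Count)"
$ntfsFindings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Record the package hash so a later change to the file can be noticed.
if (Test-Path $Package) {
    Get-FileHash -Path $Package -Algorithm SHA256 | Format-List Path, Hash
}
```

Access over the network is the more restrictive of the share and NTFS permissions, so an NTFS write entry matters mainly to accounts that can reach the folder locally or through another share.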
Go back to the Group Policy Management Editor you just opened
Open User Configuration--Policy--Software Settings--Software Installation in turn, then right-click the blank area on the right and create a new package
Enter the network address from above as the file name, and then click OK
Published means users install the software themselves, Assigned means the computer installs it automatically, and Computer Configuration cannot be set to Published
The task requires that the published program is displayed in... and can be installed from there, which clearly means the user installs it, so we choose Published
On the client computer, refresh Group Policy
Open the Control Panel on the client machine
You can see the published program here; double-click it to install
You can see that it installs normally
At this point, the Group Policy configuration for software installation is complete
2. Set the desktop background
First, put a wallpaper in the newly created share folder
In the same way, select the GPO we just created on the domain server and open it for editing
Open User Configuration--Policies--Administrative Templates--Desktop--Desktop in turn, and double-click to open the Desktop Wallpaper setting
Specify the desktop background location, and then confirm
After the update is complete, log the user out and log in again
3. Hide the C drive
Open the editor of the newly created GPO and open, in turn,
User Configuration--Policies--Administrative Templates--Windows Components--File Explorer
In the right-hand pane, find the setting for hiding drives and double-click to open it
Return to the client and refresh Group Policy
Open This PC to verify
The setting was applied successfully
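Both the wallpaper and the hidden-drive settings are registry-backed Administrative Templates, so the result can be read back on the client. This is an added example, not part of the original walkthrough; it decodes the NoDrives bitmask into drive letters and shows that a drive hidden from File Explorer can still be reached by path, so hiding protects against accidents and is not an access control.

```powershell
# Added example (not from the original walkthrough).
# Run on the Win10 client as the domain user, after gpupdate /force and a fresh logon.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function ConvertFrom-NoDrivesMask {
    param([int]$Mask)
    # Bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { "$([char](65 + $_)):" }
}

# Step 3: which drives does the policy hide, and are they still reachable by path?
$noDrives = (Get-ItemProperty -Path $explorer -Name NoDrives `
                -ErrorAction SilentlyContinue).NoDrives
if ($null -eq $noDrives) {
    'NoDrives is not set: the hide-drives policy has not been applied to this user.'
} else {
    ConvertFrom-NoDrivesMask -Mask $noDrives | ForEach-Object {
        [pscustomobject]@{
            Drive            = $_
            HiddenInExplorer = $true
            ReachableByPath  = Test-Path -Path "$_\"
        }
    } | Format-Table -AutoSize
}

# Step 2: the wallpaper path and style delivered by the policy.
$wp = Get-ItemProperty -Path $system -ErrorAction SilentlyContinue
[pscustomobject]@{
    Wallpaper      = $wp.Wallpaper
    WallpaperStyle = $wp.WallpaperStyle
} | Format-List
```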
4. Add shortcut
Open the newly created GPO and select Edit
Open User Configuration--Preferences--Windows Settings--Shortcuts
Right-click the blank area on the right and create a new shortcut
Fill in the information in these four boxes and confirm
Return to the client and refresh Group Policy
The setting was applied successfully
5. User settings
The requirement here is that the ordinary domain user who logs in on the client computer is added to the local administrators group of that client computer. In our environment, the effect is that the newly created domain user named user is automatically added to the local administrators group of the client computer.
Open the newly created GPO and select Edit
Open User Configuration--Preferences--Control Panel Settings--Local Users and Groups
Right-click the blank area and select All Tasks - Add
Modify the contents of these two boxes
Refresh the policy on the client
On the client computer, open Server Manager, Tools - Computer Management
Find Local Users and Groups - Groups, and double-click Administrators on the right
You can see that the user has been added here, and the setting is complete
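The same verification can be done from PowerShell on the client, which also makes it easy to spot accounts that should not be local administrators. This is an added example, not part of the original walkthrough; the domain name CORP and the entries in the expected list are placeholders to replace with your own values.

```powershell
# Added example (not from the original walkthrough). Run on the Win10 client.
# Assumed placeholders: domain CORP, domain user "user" (the account created earlier).
$Expected = @(
    "$env:COMPUTERNAME\Administrator"
    'CORP\Domain Admins'
    'CORP\user'
)

# Refresh policy so the Local Users and Groups preference item is processed.
gpupdate /force | Out-Null

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# which avoids depending on the localized group name.
$report = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Class    = $_.ObjectClass
        Source   = $_.PrincipalSource
        Expected = $_.Name -in $Expected
    }
}
$report | Sort-Object Expected, Name | Format-Table -AutoSize

# Anything not on the expected list deserves a look.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected local administrators: $($unexpected.Name -join ', ')"
}

# Show which GPOs were applied to the logged-on user.
gpresult /r /scope:user
```

The user's logon token picks up the new group membership only at the next sign-in, so log out and back in before testing what the account can do.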