Ako som spominal v predchadzajucom clanku, lokalne politiky nie su moc vhodne na centralne spravovanie prostredia, kedze kazda lokalna politika zije svoj “lokalny zivot” 🙂 Na centralne spravovanie politik pre koncove pocitace potrebujeme funkcnu Active Directory (dalej len AD) domenu a v nej vyuzijeme Group Policy Object. Ale co to vlastne ten Group Policy Object je?
Skor ako sa pustime do samotnych Active Directory GPO, by som rad pripomenul, ze na kazdom pocitaci od Windows 2000 su Local Group Policy. Jedna sa o lokalne politiky. Ku tymto lokalnym politikam sa dostaneme spustenim prikazu gpedit.msc. Ked si spustime dany prikaz na pocitaci uvidime nasledovnu obrazovku:
Coraz viac zistujem, ze lokalni administratori vo firmach nerozumeju GPO a preto ich nepouzivaju. A ked ich aj pouzivaju, tak im vacsina aj tak nerozumie. Preto som sa rozhodol o napisanie serialu o GPO politikach a spravit tak osvetu v tomto smere.
Tak mi drzte palec. Dufam, ze sa bude pacit.
———
Obsah serialu:
#1 GPO Serial – Lokalne Politiky
#2 GPO Serial – GPO v domene cast 1.
#3 GPO Serial – GPO v domene cast 2.
#4 GPO Serial – Aplikovanie GPO
Once upon the time I was at customer which had all infrastructure servers (and also all domain controllers) in VMWare VM. He decided to have one more domain controller on physical server. Only server he could use was management server, which was full of management tools.
At one of our customer I was asked if there is any tool to make some statistics out of Exchange mailflow. You can use GUI Microsoft Exchange Tracking Log Explorer. This tool it usefull unless you need to make some smarter data handling. This tool doesn’t count how many mails user sent or received. Even those data displayed on the end are not exportable.
Sometimes when you install Exchange, you want to allow users to use their e-mail addresses as a login name. Most of the time UPN suffixes are not usefull. For example you have internal name for domain “company.corp”, but your e-mail addresses are “username@company.com“. You want to give an option for users to log into OWA using “username@company.com” instead of “company.corp\username”.
Most of the time I found at customers’ sites that they disable firewalls completely, because they don’t have time or they are just lazy to define exceptions in firewall settings. But this is not really good idea according to security.
These days I’m working on one RDS (Terminal Services before) farm and I’m playing with setting users’ environment as secure as possible, but also as usefull as possible. When I disabled access to Control Panel for all users with settings in GPO I found one issue. When I right-clicked on Desktop under normal user I could see following options:
Today I went to one of our customers and they were complaining about not being able to access admin shares on their clients’ computers. Admin shares are those following:
I’m implementing RDS (TS) farm at one of our customers. From my previous experiences I love to have %USERNAME% and %COMPUTER% name variables in name od Computer on RDS User’s Desktop.
Recent Comments