Security Tab Grants Permissions to Users or Groups

Group Policy is refreshed and reapplied on member computers every 90 minutes (with a random offset of up to 30 minutes so that clients do not all contact the domain controller at the same moment); on Domain Controllers it is refreshed every 5 minutes. GPOs do their work not only by writing settings into the Registry but also through client-side extensions, dynamic link libraries (DLLs) on the workstation that apply each category of settings. Note that when group policies are processed, the local group policy of the machine is applied first, and only afterwards the policies linked to the site, the domain, and the OU, in that order; a later policy overrides an earlier one where the two conflict.

- View the local policies of a remote computer.

To view the local policy of another computer in the domain, you must be an administrator on that computer (a member of its local Administrators group, or a Domain Admin). You can then open the Group Policy Object Editor against that machine with the /gpcomputer switch:

GPEDIT.MSC /gpcomputer:machinename

For example, to view the policy on the machine PCO1, type GPEDIT.MSC /gpcomputer:PCO1. Note that this switch opens only the local policy of that one computer; it cannot be used to create or change domain group policies, which are managed on the Domain Controller as described next.

- Create domain policies.


To create group policies for the domain, we use the Group Policy snap-in from Active Directory Users and Computers, or call the Group Policy Object Editor directly from the command line on the Domain Controller. To open Group Policy from Active Directory Users and Computers, right-click the domain name icon in the main window (netclass.edu.vn in this example), select Properties, and in the dialog box that appears select the Group Policy tab.

Figure 2.44: Creating policies on the domain

If no policy has been created yet, only one policy, Default Domain Policy, is listed. At the bottom of the dialog box is a checkbox named Block Policy inheritance, which prevents the settings of policies linked at higher levels from propagating down to the current level. Recall the processing order: the local policy first, then the site level, then the domain level, and finally the OU level. Select Default Domain Policy and click the Options button to configure how the policy is applied. In the Options dialog box, if No Override is checked, policies linked at lower levels cannot override the settings of this policy, and this policy is applied even where a lower-level container has Block Policy inheritance checked. If Disabled is checked, the policy is not applied at this level; disabling a link at one level does not disable the policy object itself, which may still be linked elsewhere.

To create a new policy, click the New button and enter a name for it. To declare more information about the policy, click the Properties button; the dialog box that appears has several tabs. On the Links tab you can see which sites, domains or OUs the policy is linked to. On the Security tab you can grant permissions on the policy to users or groups. A user or group receives the policy only if it holds both the Read and the Apply Group Policy permissions on it, so this tab is also where you filter which users and computers a policy actually applies to.

Figure 2.45: Security tab grants permissions to users or groups

In the main Group Policy dialog box, policies are applied from the bottom of the list to the top, so the policy at the top is applied last. The higher a GPO sits in the list, the higher its priority: if two policies have conflicting settings, the one nearer the top wins. For that reason Microsoft provides the Up and Down buttons to move policies up or down the list.

Of the buttons not yet examined, the most important one in this dialog box is Edit. Click Edit to open the policy in the Group Policy Object Editor and configure its settings; Group Policy can control almost any aspect of the computer and user environment. We will look at some illustrative examples later.
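The rules described above (local policy first, then site, domain and OU; link order inside one container; Block Policy inheritance; No Override) interact in ways that are easy to get wrong when troubleshooting. The following model is an added example, not code from the page: it resolves the effective settings for a constructed hierarchy whose container names, GPO names and setting names are made up for illustration.

```python
"""Group Policy precedence model: local -> site -> domain -> OU, link order,
Block Policy inheritance and No Override.  Added illustration, not code from
the page; the containers, GPO names and settings below are constructed."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    settings: dict                 # setting name -> value the GPO configures
    no_override: bool = False      # "No Override" in the link's Options dialog
    disabled: bool = False         # "Disabled" in the link's Options dialog


@dataclass
class Container:
    name: str                      # a site, domain or OU
    links: list = field(default_factory=list)   # as listed in the Group Policy tab, top first
    block_inheritance: bool = False             # "Block Policy inheritance" checkbox


def resultant_settings(local_policy, path):
    """Return (effective settings, GPO names in the order they were applied).

    path: containers from the site down to the OU holding the computer/user.
    Later entries in the application order overwrite earlier ones."""
    # Ordinary links: site, then domain, then each OU.  Inside one container the
    # list is applied bottom to top, so the top entry is applied last and wins.
    # A container with Block Policy inheritance discards the ordinary links
    # collected from every container above it (its own links still apply).
    ordinary = []
    for container in path:
        if container.block_inheritance:
            ordinary = []
        for link in reversed(container.links):
            if not link.disabled and not link.no_override:
                ordinary.append(link)
    # No Override links ignore Block Policy inheritance and are applied after
    # all ordinary links, deepest container first, so a No Override link on the
    # site beats a No Override link on an OU.
    enforced = []
    for container in reversed(path):
        for link in reversed(container.links):
            if not link.disabled and link.no_override:
                enforced.append(link)
    effective = dict(local_policy)     # the local policy is always processed first
    order = ["Local"]
    for link in ordinary + enforced:
        effective.update(link.settings)
        order.append(link.name)
    return effective, order


def example(block_on_ou):
    """Constructed hierarchy: site -> netclass.edu.vn -> OU Servers."""
    local = {"screensaver_timeout": 600, "audit_logon": "none"}
    site = Container("Default-First-Site-Name", links=[
        GpoLink("SiteSecurity", {"screensaver_timeout": 300}, no_override=True)])
    domain = Container("netclass.edu.vn", links=[
        GpoLink("AccountLockout", {"lockout_threshold": 5, "min_pw_len": 8}),
        GpoLink("Default Domain Policy", {"min_pw_len": 7, "audit_logon": "success"})])
    servers = Container("Servers", links=[
        GpoLink("ServerHardening", {"screensaver_timeout": 900, "min_pw_len": 12})],
        block_inheritance=block_on_ou)
    return resultant_settings(local, [site, domain, servers])


if __name__ == "__main__":
    for block in (False, True):
        settings, order = example(block)
        print("Block Policy inheritance on OU:", block)
        print("  applied:", " -> ".join(order))
        print("  result: ", settings)
```

With inheritance blocked on the OU, the domain's AccountLockout settings disappear from the result and the domain's audit setting is no longer applied, yet SiteSecurity still wins the screensaver timeout because of No Override; without the block, AccountLockout (top of the domain list) beats Default Domain Policy on the password length before the OU policy overrides both.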

2.3. Managing access to network resources

As an administrator, you need to ensure that users can reach the folders on the network that hold the files they work with. This is done by sharing those folders; for security, you then control who may access each shared folder. If users' files and folders are stored on the network, you can also use the Distributed File System (DFS), which presents shares from several servers under a single namespace so that users do not need to know which server holds a given folder.

Figure 2.46: DFS usage model for data sharing

Use shared folders to provide users with a method of accessing files and folders over a network. Users can connect to shared folders on the network to access the content they need. Shared folders contain applications, data, or users' personal data. Using shared application folders centralizes management by allowing applications to be installed and maintained on a server instead of on client computers. Using shared data folders provides a central location for users to access their most common files and also helps to back up the data contained in these files.

2.3.1. Organizing information storage in Windows Server

1) Related concepts

Windows Server 2003 organizes and manages hard disks in one of two ways: Basic storage and Dynamic storage. A physical disk can belong to only one of the two; it cannot use both at the same time. In a system with several hard disks, however, some disks may be basic and others dynamic.

Figure 2.47: Information storage organization in Windows Server 2003

- Basic Storage

Basic storage consists of primary and extended partitions. The first partition created on a disk is normally a primary partition, which is formatted and used as a single unit. The partition table of a basic (MBR) disk has only four entries, so a physical disk can hold at most four partitions: either four primary partitions, or three primary partitions and one extended partition. Inside the extended partition, multiple logical drives can be created.

- Partition

On a Basic Disk, the disk is divided into partitions. There are two types of partition: Primary Partition and Extended Partition. Each Primary Partition is presented to the user as one drive (drive letter). An Extended Partition is further divided into logical drives.

Figure 2.48: Partitions for Basic Disk

Primary Partition: Windows 2000 and Windows Server 2003 boot from a Primary Partition. One of the Primary Partitions is marked Active; the BIOS loads the boot sector of the Active partition, which in turn looks for the operating system's boot files there. Only one partition on a disk can be Active at a time. If you want to boot the computer with both Windows 2000 and Windows 9x, the Active Partition must be formatted as FAT, because Windows 9x cannot read NTFS.

System Partition: is the Active Partition that contains the files needed to start the operating system boot process.

Boot Partition: the Partition or logical drive that contains the Windows system folder (WINNT on Windows 2000, WINDOWS on Windows Server 2003; referred to as %SystemRoot%). The naming is counter-intuitive: the System Partition is where booting starts, while the Boot Partition holds the operating system itself. The Boot Partition and System Partition can be the same Partition or different ones.

Extended Partition: usually the remaining part of the hard drive beyond the Primary Partitions. There can be only one Extended Partition on a hard drive. An Extended Partition cannot be used directly; it must be divided into logical drives.

A Basic Disk can contain up to 4 Primary Partitions, or 3 Primary Partitions and one Extended Partition.
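The four-entry limit, the Active flag and the chain of logical drives inside the extended partition are all visible in the raw partition table, which is also what a forensic examiner or a boot-sector malware analyst reads directly. The parser below is an added example, not code from the page: it builds a small disk image in memory with made-up partition sizes, parses the MBR, checks that at most one partition is Active, and follows the extended partition's chain of boot records to list the logical drives.

```python
"""Parse the partition table of a basic (MBR) disk and walk the extended
partition's chain of logical drives.  Added illustration, not code from the
page; the disk image is constructed in memory with made-up sizes."""
import struct

SECTOR = 512
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F}        # extended partition (CHS and LBA variants)
ACTIVE = 0x80


def parse_table(sector):
    """Return the non-empty entries of the 4-slot partition table in a boot sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        if ptype == 0:
            continue                      # unused slot
        if status not in (0x00, ACTIVE):
            raise ValueError("slot %d: invalid status byte 0x%02X" % (slot, status))
        entries.append({"slot": slot, "active": status == ACTIVE,
                        "type": ptype, "start": lba, "sectors": count})
    return entries


def primary_partitions(image):
    """Entries of the MBR itself; only one of them may carry the Active flag."""
    mbr = parse_table(image[:SECTOR])
    if sum(1 for e in mbr if e["active"]) > 1:
        raise ValueError("more than one active partition")
    return mbr


def logical_drives(image):
    """Follow the EBR chain inside the extended partition; returns absolute LBAs."""
    ext = [e for e in primary_partitions(image) if e["type"] in EXTENDED_TYPES]
    if not ext:
        return []
    ext_start = ext[0]["start"]
    drives, ebr_lba, seen = [], ext_start, set()
    while ebr_lba not in seen:
        seen.add(ebr_lba)                 # guard against a looping chain
        entries = parse_table(image[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])
        link = None
        for e in entries:
            if e["type"] in EXTENDED_TYPES:
                link = e                  # next EBR, relative to the extended partition
            else:                         # logical drive, relative to this EBR
                drives.append({"type": e["type"], "start": ebr_lba + e["start"],
                               "sectors": e["sectors"]})
        if link is None:
            break
        ebr_lba = ext_start + link["start"]
    return drives


def _entry(status, ptype, lba, count):
    return ENTRY.pack(status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def build_sample_image():
    """Constructed disk: one active NTFS primary, one extended with two logical drives."""
    image = bytearray(SECTOR * 3200)

    def write_table(lba, entries):
        off = lba * SECTOR
        image[off + 446:off + 446 + 16 * len(entries)] = b"".join(entries)
        image[off + 510:off + 512] = b"\x55\xAA"

    write_table(0, [_entry(ACTIVE, 0x07, 63, 1000),      # C: system/boot partition (NTFS)
                    _entry(0x00, 0x0F, 2000, 1200)])     # extended partition
    write_table(2000, [_entry(0x00, 0x07, 63, 500),      # first logical drive
                       _entry(0x00, 0x05, 600, 600)])    # link to the next EBR at 2600
    write_table(2600, [_entry(0x00, 0x0B, 63, 500)])     # last logical drive (FAT32)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for e in primary_partitions(img):
        print("MBR slot %d: type 0x%02X start %d active=%s" % (e["slot"], e["type"], e["start"], e["active"]))
    for d in logical_drives(img):
        print("logical drive: type 0x%02X start %d" % (d["type"], d["start"]))
```

The same parser can be pointed at a real disk by reading the first sectors of a device or image file; the `seen` set matters there, because a deliberately looping EBR chain is a cheap way to hang naive tools.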

- Dynamic Storage

Dynamic storage was introduced with Windows 2000 and is also available in Windows Server 2003. Dynamic disks are divided into dynamic volumes. Dynamic volumes do not contain partitions or logical drives, and they can be accessed only by Windows 2000 and later (Windows XP Professional, Windows Server 2003); older systems such as Windows 9x cannot read them. Windows Server 2003 and Windows 2000 support five types of dynamic volume: simple, spanned, striped, mirrored, and RAID-5. Advantages of Dynamic storage over Basic storage:

- Allows combining multiple physical drives to create logical drives (Volumes).

- Allows multiple non-contiguous free areas on multiple physical hard disks to be merged to create a logical drive.

- Allows creating logical drives with high fault tolerance and increased access speed.

- Simple volume

Contains space taken from a single dynamic disk. This disk space can be contiguous or non-contiguous. The following figure illustrates a physical disk divided into two simple volumes.

Figure 2.49: Simple Volume Storage

- Spanned volume

Consists of space on two or more dynamic disks (up to 32 disks). Used when you want to increase the size of a volume. Data is written to the volume in order, filling one disk before moving on to the next. Typically, administrators use spanned volumes when the disks in a volume are almost full and they want to grow the volume by adding another disk.

Figure 2.50: Spanned Volume Storage

Since data is written sequentially, this type of volume does not increase performance. The main disadvantage of spanned volumes is that if one disk fails, all data on the volume cannot be accessed.

- Striped volume

Stores data in equal-sized strips across two or more physical disks (up to 32). Data is written in 64 KB strips to each disk in turn, so that one row of strips spans every disk in the volume; because a read or write touches all disks at once, multiple I/O operations proceed in parallel, increasing data access speed. Typically, network administrators use striped volumes to combine the capacity of several physical disks into one logical disk and to increase access speed.

Figure 2.51: Striped Volume Storage

The main disadvantage of striped volumes is that if one drive fails, the data on the entire volume is invalid.

- Mirrored volume

Two copies of a simple volume on one primary disk and one secondary disk. Every write to the primary disk is also made to the secondary disk. This type of volume provides good fault tolerance: if one disk fails, the other keeps working and data access is not interrupted. The disadvantage is that the disk controller must write to two disks for every write, which lowers write performance somewhat; reads can be served from either disk.

Figure 2.52: Mirrored Volume Storage

To remove the controller as both a bottleneck and a single point of failure, a variation of mirroring called duplexing can be used: the second disk is attached to a separate disk controller, so the two writes proceed in parallel and the volume survives the loss of either controller.

Figure 2.53: Mirrored volume storage is duplexing

The main disadvantage of this method is the high cost. To have a 4GB volume, it takes 8GB for two drives.

- RAID-5 Volume

Similar to a striped volume, but each row of strips also carries one strip of parity information, and the parity strip rotates from disk to disk so that no single disk holds all the parity. If one disk in the volume fails, the data on that disk can be recomputed from the data and parity strips on the remaining disks. RAID-5 volumes use at least three disks (maximum 32), and the capacity of one disk is consumed by parity.

Figure 2.54: RAID-5 Volume Storage

The main advantages of this technique are fault tolerance against a single disk failure and good read performance from using multiple I/O channels. The costs are slower writes, since each write must also update the parity strip, and the volume running without protection, and more slowly, from the moment a disk fails until it is replaced and rebuilt; a second failure before the rebuild finishes loses the whole volume.
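The difference between the striped, mirrored and RAID-5 volumes described above comes down to what can still be read after one disk is lost. The following toy model is an added example, not code from the page: it uses 4-byte strips instead of the 64 KB strips Windows uses and Python lists in place of disks, writes a constructed byte string to each volume type, then simulates a single-disk failure and attempts to read the data back, rebuilding RAID-5 strips with XOR.

```python
"""Toy model of striped, mirrored and RAID-5 volumes showing what survives a
single-disk failure.  Added illustration, not code from the page; strips are
4 bytes here instead of the 64 KB strips Windows uses, and disks are lists."""
from functools import reduce
from operator import xor

STRIP = 4   # bytes per strip (toy size)


def _xor(strips):
    """Bitwise XOR of equal-length strips; used for RAID-5 parity and rebuild."""
    return bytes(reduce(xor, column) for column in zip(*strips))


def _split(data, strips_per_row):
    """Cut data into strips, zero-padding the final row."""
    row = STRIP * strips_per_row
    padded = data + b"\0" * (-len(data) % row)
    return [padded[i:i + STRIP] for i in range(0, len(padded), STRIP)]


def striped_write(data, ndisks):
    """Strips go to disk 0, 1, 2, ... in turn, so each row spans every disk."""
    disks = [[] for _ in range(ndisks)]
    for i, strip in enumerate(_split(data, ndisks)):
        disks[i % ndisks].append(strip)
    return disks


def striped_read(disks, length, failed=None):
    if failed is not None:          # no redundancy: every row loses one strip
        raise IOError("disk %d failed; striped volume is unreadable" % failed)
    rows = len(disks[0])
    return b"".join(disks[d][r] for r in range(rows) for d in range(len(disks)))[:length]


def mirrored_write(data):
    strips = _split(data, 1)
    return [list(strips), list(strips)]     # primary and secondary hold identical copies


def mirrored_read(disks, length, failed=None):
    survivor = 1 if failed == 0 else 0      # either copy serves the read
    return b"".join(disks[survivor])[:length]


def raid5_write(data, ndisks):
    """Each row holds ndisks-1 data strips plus one parity strip; the parity
    position rotates so no single disk carries all the parity."""
    assert ndisks >= 3
    strips = _split(data, ndisks - 1)
    disks = [[] for _ in range(ndisks)]
    for r in range(len(strips) // (ndisks - 1)):
        row = strips[r * (ndisks - 1):(r + 1) * (ndisks - 1)]
        parity_disk = r % ndisks
        row_data = iter(row)
        for d in range(ndisks):
            disks[d].append(_xor(row) if d == parity_disk else next(row_data))
    return disks


def raid5_read(disks, length, failed=None):
    """Read with at most one failed disk; its strips are rebuilt by XORing the rest,
    because every strip in a row XORs to zero with the others."""
    ndisks, out = len(disks), []
    for r in range(len(disks[0])):
        row = [disks[d][r] for d in range(ndisks)]
        if failed is not None:
            row[failed] = _xor(row[:failed] + row[failed + 1:])
        parity_disk = r % ndisks
        out.extend(strip for d, strip in enumerate(row) if d != parity_disk)
    return b"".join(out)[:length]


def readable_after_failure(reader, volume, length, failed):
    """True if the volume can still be read after disk `failed` is lost."""
    try:
        reader(volume, length, failed=failed)
        return True
    except IOError:
        return False


def usable_capacity(ndisks, disk_size):
    """Space available to data per volume type (mirrored assumes two disks)."""
    return {"striped": ndisks * disk_size, "mirrored": disk_size,
            "raid5": (ndisks - 1) * disk_size}


if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    n = len(data)
    print("striped survives disk 1 loss:", readable_after_failure(striped_read, striped_write(data, 3), n, 1))
    print("mirrored read after disk 0 loss:", mirrored_read(mirrored_write(data), n, failed=0) == data)
    print("raid5 read after disk 2 loss:", raid5_read(raid5_write(data, 4), n, failed=2) == data)
    print("capacity of four 100 GB disks:", usable_capacity(4, 100))
```

The rebuild in raid5_read is exactly what a degraded RAID-5 volume does on every read until the failed disk is replaced, which is why the degraded state is slow and why a second failure during that window is unrecoverable: with two strips missing from a row, the XOR no longer has enough information.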

2) Storage system administration

Disk Management is the graphical utility for managing disks and volumes in Windows 2000 and Windows Server 2003. To use all of its functions you must log on to the computer with an Administrator account. Go to Start > Programs > Administrative Tools > Computer Management, then expand the Storage item and select Disk Management. The Disk Management window appears as follows:

Figure 2.55: Disk Management tool

a) View disk properties

Right-click the volume (drive letter) you want information about and select Properties. The Properties dialog box appears as follows:

Figure 2.56: General Tab

- General Tab

Provides information such as disk label, type, file system, used space, free space, and total space. The Disk Cleanup button opens the Disk Cleanup program to delete unnecessary files, freeing up disk space.

- Tools Tab
