Windows 7 offers a wide variety of security options. If the Windows 7 computer is a member of a domain, you can apply security through a Group Policy Object (GPO) using the Group Policy Management Console. If the Windows 7 computer is not part of a domain, you use Local Group Policy Objects (LGPOs) to manage local security.
You can use policies to help manage user accounts. Account policies control the logon environment for the computer, such as password and account-lockout restrictions. Local policies specify what users can do once they log on and include auditing, user rights assignment, and security options. You can also monitor and manage critical security features (Windows Firewall, Windows Update, and antivirus status) through the Windows Action Center, which in Windows 7 replaces the Security Center of earlier versions.
We will continue with NTFS security and shared permissions and how they work independently and together.
1. Managing Security Configurations
The tools you use to manage Windows 7 computer security configurations depend on whether the Windows 7 computer is a member of a domain (Windows 2000 Server, Windows Server 2003, or Windows Server 2008) or a stand-alone computer.
If the Windows 7 client is not part of a domain, you apply security settings through Local Group Policy Objects (LGPOs). LGPOs are sets of security configuration settings that are applied to users and computers. LGPOs are created and stored on the Windows 7 computer itself (under %SystemRoot%\System32\GroupPolicy) and are edited with the Local Group Policy Editor (gpedit.msc). Windows 7 also supports multiple local GPOs, so Administrators, non-administrators, and individual local users can each receive different local settings.
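The account policies described above (minimum password length, complexity, lockout threshold, and so on) live in the local security database whether they were set through an LGPO or pushed down by a domain GPO. The following script is an added example, not code from the book: it exports the effective local security policy with secedit.exe, parses the INI-style output, and flags values below a baseline. The threshold values and the secpol-export.inf file name are assumptions chosen for illustration; substitute your own baseline.

```powershell
# Added example (not from the original text): audit the effective local
# account policy. secedit /export writes an INI-style template whose
# [System Access] section carries the password and lockout settings.
# Run from an elevated prompt; secedit needs administrative rights.

function Get-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))   # assumed scratch file name
    secedit.exe /export /cfg $Path /quiet | Out-Null
    if (-not (Test-Path $Path)) { throw 'secedit /export produced no file (not elevated?)' }
    try {
        # Get-Content honours the UTF-16 BOM that secedit writes.
        return ConvertFrom-SecurityTemplate (Get-Content -Path $Path)
    } finally {
        Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    }
}

# Parse "[Section]" and "Key = Value" lines into a hashtable keyed "Section\Key".
function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    $policy = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $matches[1]; continue }
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') {
            $policy["$section\$($matches[1])"] = $matches[2]
        }
    }
    return $policy
}

# Baseline values below are assumptions for illustration, not a Microsoft default.
function Test-AccountPolicy {
    param([hashtable]$Policy)
    $checks = @(
        @{ Key = 'System Access\MinimumPasswordLength'; Min = 12; Why = 'short passwords allowed' },
        @{ Key = 'System Access\PasswordComplexity';    Min = 1;  Why = 'complexity requirement off' },
        @{ Key = 'System Access\LockoutBadCount';       Min = 1;  Why = 'no account lockout (0 = never)' },
        @{ Key = 'System Access\PasswordHistorySize';   Min = 24; Why = 'password reuse allowed' },
        @{ Key = 'System Access\ClearTextPassword';     Max = 0;  Why = 'reversible encryption enabled' }
    )
    foreach ($c in $checks) {
        $raw = $Policy[$c.Key]
        if ($raw -eq $null) {
            New-Object PSObject -Property @{ Setting = $c.Key; Value = '(absent)'; Finding = 'not exported' }
            continue
        }
        $value = [int]$raw
        $bad = ($c.ContainsKey('Min') -and $value -lt $c.Min) -or
               ($c.ContainsKey('Max') -and $value -gt $c.Max)
        if ($bad) { New-Object PSObject -Property @{ Setting = $c.Key; Value = $value; Finding = $c.Why } }
    }
}

# Constructed sample of a secedit export (a fresh, unhardened install), so the
# checks can be tried without touching the live policy.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"
Test-AccountPolicy (ConvertFrom-SecurityTemplate $sample) | Format-Table -AutoSize

# Live run (elevated). On a domain member this reflects the merged result of
# the LGPO plus any domain GPOs, which is what users actually experience.
Test-AccountPolicy (Get-LocalSecurityPolicy) | Format-Table -AutoSize
```

The constructed sample produces four findings (length, complexity, history, and lockout); only ClearTextPassword passes. The same parser can be pointed at a template saved from the Security Templates snap-in, which is useful when comparing a proposed LGPO against what a machine currently enforces.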
If your Windows 7 computer
is a part of a domain, which uses the services of Active Directory, then
you typically manage and configure security through Group Policy
objects (GPOs). Active Directory is the database that contains all of
your domain user and group accounts along with all other domain objects.
Group Policy objects are
policies that can be placed on either users or computers in the domain.
The Group Policy Management Console (GPMC) is a Microsoft Management
Console (MMC) snap-in that is used to configure and manage GPOs for
users and computers via Active Directory.
Windows 7 computers that are part of a domain still have LGPOs, and you can use LGPOs in conjunction with the Active Directory group policies (GPOs). Because the LGPO is processed first, any setting it configures is overridden by a conflicting setting in a site, domain, or OU GPO.
NOTE
Usage of Group Policy Objects for domains is covered in greater detail in MCTS: Windows Server 2008 Active Directory Configuration, by William Panek and James Chellis (Sybex, 2008).
The settings you can
apply through the Group Policy utility within Active Directory are more
comprehensive than the settings you can apply through LGPOs.
Table 1 lists some of the options that can be set for GPOs within Active Directory and which of those options can be applied through LGPOs.
Table 1. Group Policy and LGPO setting options

Group Policy Setting | Available for LGPO?
---|---
Software installation | No
Remote Installation Services | Yes
Scripts | Yes
Printers | Yes
Security settings | Yes
Policy-based QoS | Yes
Administrative templates | Yes
Folder redirection | No
Internet Explorer configuration | Yes
Now that we have looked at LGPOs, let's take a look at some of the tools available for creating and managing them.
2. Using the Group Policy Result Tool
When a user logs on to a computer or domain, a resulting set of policies to be applied is generated from the LGPO, site GPOs, domain GPOs, and OU GPOs, processed in that order. When two GPOs configure the same setting, the one processed later wins unless an earlier link is marked Enforced. The overlapping nature of group policies can make it difficult to determine which settings will actually be applied to a computer or user.
To help determine which policies will actually be applied, Windows 7 includes a tool called the Group Policy Result Tool, also known as the Resultant Set of Policy (RSoP). You can access this tool through the GPResult command-line utility. The gpresult command displays the resulting set of policies that were enforced on the computer and the specified user during the logon process.
The gpresult command displays the Resultant Set of Policy (RSoP) for the computer and the user who is currently logged on. On Windows 7, running gpresult with no switches only prints its usage text; you must supply at least one of /R, /V, /Z, /X, or /H, and the computer half of the RSoP is only returned from an elevated command prompt. Table 2 shows the switches that can be used with the gpresult command.
Table 2. Gpresult switches

Switch | Explanation
---|---
/F | Forces gpresult to overwrite the file name specified with /X or /H.
/H | Saves the report in HTML format.
/P | Specifies the password for the user context given with /U (prompts if omitted).
/R | Displays RSoP summary data.
/S | Specifies the remote system to connect to.
/U | Specifies the user context under which the command should be executed.
/V | Specifies that verbose information should be displayed.
/X | Saves the report in XML format.
/Z | Specifies that super-verbose information should be displayed.
/? | Shows all the gpresult command switches.
/SCOPE | Specifies whether the USER or the COMPUTER settings are to be displayed.
/USER | Specifies the user name (optionally DOMAIN\user) for which the RSoP data is to be displayed.
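The text output of gpresult /R is meant for reading, not parsing; the /X switch produces the same RSoP data as XML, which is the form to use when you want to check in bulk which GPOs actually reached a machine and why others did not. The script below is an added example, not code from the book. It assumes the RSoP XML layout that gpresult /X writes on Windows 7 (a root <Rsop> element, <ComputerResults> and <UserResults> children, and one <GPO> element per policy carrying <Name>, <Enabled>, <IsValid>, <AccessDenied>, <FilterAllowed>, and <Link>/<SOMPath>); verify those element names against an export from your own machine. The embedded sample report, its GPO names, and the domain name example.local are constructed for the example.

```powershell
# Added example (not from the original text): collect RSoP as XML with
# gpresult /X and report which GPOs were applied and which were filtered out.
# Element names follow the Windows 7 RSoP XML layout and are an assumption;
# check them against a real export. Computer scope needs an elevated prompt.

function Invoke-GpResultXml {
    param([ValidateSet('COMPUTER','USER')][string]$Scope = 'COMPUTER')
    $path = Join-Path $env:TEMP "rsop-$Scope.xml"          # assumed scratch file name
    # /X = XML report, /F = overwrite an existing file, /SCOPE = one half of RSoP only
    gpresult.exe /SCOPE $Scope /X $path /F | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult exited with code $LASTEXITCODE" }
    return [xml](Get-Content -Path $path)
}

function Get-AppliedGpo {
    param([xml]$Rsop, [ValidateSet('COMPUTER','USER')][string]$Scope = 'COMPUTER')
    $results = if ($Scope -eq 'COMPUTER') { $Rsop.Rsop.ComputerResults } else { $Rsop.Rsop.UserResults }
    foreach ($gpo in @($results.GPO)) {
        # A GPO only contributes settings when its link is enabled, the GPO is
        # readable/valid, security filtering allowed it, and no WMI filter excluded it.
        $reason = ''
        if     ($gpo.AccessDenied -eq 'true')  { $reason = 'security filtering denied' }
        elseif ($gpo.FilterAllowed -eq 'false') { $reason = 'WMI filter excluded' }
        elseif ($gpo.Enabled -ne 'true')        { $reason = 'link disabled' }
        elseif ($gpo.IsValid -ne 'true')        { $reason = 'GPO invalid or inaccessible' }
        New-Object PSObject -Property @{
            Name     = $gpo.Name
            LinkedAt = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join ', '
            Applied  = ($reason -eq '')
            Reason   = $reason
        }
    }
}

# Constructed sample report: the local GPO applied, one domain GPO denied by
# security filtering. Names and the example.local domain are invented.
$sample = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO>
      <Name>Local Group Policy</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>Local</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>1</LinkOrder></Link>
    </GPO>
    <GPO>
      <Name>Workstation Hardening</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>example.local/Workstations</SOMPath><SOMOrder>3</SOMOrder><LinkOrder>1</LinkOrder></Link>
    </GPO>
  </ComputerResults>
</Rsop>
'@
Get-AppliedGpo -Rsop $sample | Format-Table Name, LinkedAt, Applied, Reason -AutoSize

# Live query against this machine (run elevated for COMPUTER scope):
# Get-AppliedGpo -Rsop (Invoke-GpResultXml -Scope COMPUTER) | Format-Table Name, LinkedAt, Applied, Reason -AutoSize
```

With the sample data the report shows Local Group Policy as applied and Workstation Hardening as not applied because security filtering denied it, which is the case that a quick look at gpresult /R most often misses: the GPO is linked to the right OU and enabled, yet the computer account is not in the group the GPO is filtered to. When troubleshooting, run the same query against a known-good machine with /S and compare the two lists.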