Book: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Deploying a security policy to multiple computers


In an organization with many computers, you probably won’t want to apply a security policy to each computer separately. As discussed in “Deploying security templates to multiple computers” earlier in this chapter, you might want to apply a security policy through Group Policy, and you might want to create computer OUs for this purpose.

After you’ve created the necessary OUs, you can use the Scwcmd utility’s transform command to create a GPO that includes the settings in the security policy (and any security templates attached to the policy). You then deploy the settings to computers by linking the new GPO to the appropriate OU or OUs. By default, security policies created with the Security Configuration Wizard are saved in the %SystemRoot%\security\msscw\Policies folder.

Use the following syntax to transform a security policy:

scwcmd transform /p:FullFilePathToSecurityPolicy /g:GPOName

FullFilePathToSecurityPolicy is the full file path to the security policy’s .xml file, and GPOName is the display name for the new GPO. Consider the following example:

scwcmd transform /p:"c:\users\wrs\documents\fspolicy.xml" /g:"FileServer GPO"

After you create the GPO, you can link the GPO by following these steps:

1. In the Group Policy Management Console (GPMC), select the OU with which you want to work. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU (if any).

2. Press and hold or right-click the OU to which you want to link the previously created GPO, and then select Link An Existing GPO. In the Select GPO dialog box, select the GPO to which you want to link, and then tap or click OK. When Group Policy is refreshed for computers in the applicable OU, the policy settings in the GPO are applied.

Because you created a new GPO and linked the GPO to the appropriate level in the Active Directory structure, you can restore the computers to their original state by removing the link to the GPO. To remove a link to a GPO, follow these steps:

1. In the GPMC, select and then expand the OU with which you want to work. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected OU.

2. Press and hold or right-click the GPO. On the shortcut menu, the Link Enabled option should have a check mark to show it is enabled. Clear this option to remove the link.
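
The transform, link, and unlink steps above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not taken from the book: the OU distinguished name is a placeholder, and the script assumes that scwcmd returns a nonzero exit code on failure and that it runs in an elevated session with rights to create and link GPOs.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted form of the transform / link / unlink steps above.

$PolicyPath = 'C:\users\wrs\documents\fspolicy.xml'   # path from the example above
$GpoName    = 'FileServer GPO'                         # GPO name from the example above
$TargetOu   = 'OU=FileServers,DC=example,DC=com'       # placeholder OU DN (assumption)

# 1. Refuse to transform a policy file that is missing or is not well-formed XML.
if (-not (Test-Path -LiteralPath $PolicyPath -PathType Leaf)) {
    throw "Security policy not found: $PolicyPath"
}
[void][xml](Get-Content -LiteralPath $PolicyPath -Raw)

# 2. Stop if a GPO with this display name already exists, so the lookup
#    in step 4 cannot pick up an older GPO with different settings.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$GpoName' already exists; choose another name."
}

# 3. Create the GPO from the security policy.
& scwcmd.exe transform "/p:$PolicyPath" "/g:$GpoName"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd transform failed with exit code $LASTEXITCODE"
}

# 4. Link the new GPO to the OU (same effect as Link An Existing GPO in the GPMC).
#    Get-GPO with -ErrorAction Stop also confirms the GPO was really created.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null

# 5. Review what is now linked to the OU, in processing order.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# Rollback: clear Link Enabled, as in the GPMC steps above.
# Left commented out; run it on its own when the settings must be withdrawn.
# Set-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled No
```

Linking by GUID rather than by display name ensures that the link targets the GPO that was just created, because display names are not guaranteed to be unique in a domain.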

