-----Original Message-----
hello every one
please reply my question
what is different between Group Policy and setting permission for objects?
thank you for every thing.
.
Can you elaborate a little bit more? For what are you
really looking?
Group Policy is a function in Active Directory whereby an
Administrator can centrally make changes on one machine (
an AD Domain Controller ) and have those changes take
affect on either the Users Configuration or the Computers
Configuration ( or, BTW, on both! ). For this to happen
there needs to be a properly functioning DNS
Infrastructure and typically an Organizational Unit
hierarchy ( as GPOs are applied to the OU level - well,
that is not entirely true! There are four levels: local,
Site, Domain, OU - and then any sub-OUs. The vast
majority of GPOs are applied at the OU level so I tend to
focus on that level! Please remember that this does not
have to always be the case ). An Administrator can also
make use of GPOs to install software ( so long as there
is an appropriate .msi file for the desired
application ). Again, this can be done to either the
Users Configuration or to the Computers Configuration.
The major Application to use as an example here would be
Office 2000 or Office XP. You simply make an
administrative installation ( on a File Server or
Application Server, for example ) and then tell the GPO
where the data1.msi file is located and to which OU(s)
that this should apply! You can also make use of
Security Groups to filter the GPO as, by default, the
group 'Authenticated Users' has both the "read"
and "apply group policy" rights to that GPO. Simply
replace it with the Security Group of your choice! But
remember - only the user account objects / computer
account objects in the OU(s) to which this GPO is applied
are 'available' to be affected.
Setting permissions for objects could be a whole bunch of
things. This has more to do with the ACL / ACE whereby
you use either individual user accounts or security
groups to allow / deny access to network resources. In
the case of 'allow' you determine to what extent access
is allowed. An example of a network resource could be a
shared folder or a networked printer. You set the
security on it by allowing certain "objects" specific
access ( or a specific 'deny' ) to it. You can also do
the same in the way of Delegation! You can delegate to a
specific user or group certain types of control over
certain functions. For example, in an OU you might have
35 user accounts. You might want Mary to be able to
create and manage user accounts in this particular OU.
You can delegate this to her.
Does this help you?
Cary
