標籤: AD

OpenVPN + PAM + SSSD + Active Directory

OpenVPN伺服器:

系統: Centos8
IP: 10.0.0.10/24

AD驗證伺服器(dc):
Windows 2012 DC (網域功能等級 2003)
網域: mydomain.com
主機FQDN: dc.mydomain.com

憑證伺服器(caserver):
Windows 2003 CA 加密方式SHA1
主機FQDN: caserver.mydomain.com
1. 安裝OpenVPN , 使用路由模式(原生android client不支援 TAP橋接模式)

# 安裝EPEL軟體庫
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf config-manager --set-enabled PowerTools
dnf repolist epel
# 安裝 git
dnf -y install git
cd ~
# 從github下載安裝命令檔
git clone https://github.com/Nyr/openvpn-install.git
cd openvpn-install/
chmod +x openvpn-install.sh
# 執行安裝檔 ./openvpn-install.sh

接下來依指示輸入你的設定值, 完成後自動產生設定檔

修改 /etc/openvpn/server/server.conf 讓OpenVPN支援PAM

local 10.0.0.10 #主機IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login #啟用PAM驗證, 使用預設設定檔/etc/pam.d/login

重新啟動openvpn

systemctl restart openvpn-server@server

修改Client 端的預設值, 由於用戶端要使用與主機不同網段10.1.0.0/24的資源故需要增加路由
/etc/openvpn/server/client-common.txt

client dev tun
proto udp
remote 1.2.3.4 1194 # 外部實體IP
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
auth-user-pass # 除了openvpn本身的金鑰驗證, 另外開啟AD使用者帳號密碼驗證
verb 3
route 10.1.0.0 255.255.255.0 10.0.0.253 # 增加通往10.1.0.0/24網斷路由, 網關為10.0.0.253

更改完成後重新執行安裝命令產生新的client端 .ovpn 設定檔

./openvpn-install.sh

過程中選 Add a new user, 至於第一次產生的user設定可以選擇 Revoke an existing user
移除掉. 產生的 .ovpn 檔會在/root資料夾下

2. 取得網域憑證伺服器的Public key ,通常會在以下位址且檔名類似
\\caserver\CertEnroll\caserver_MYDOMAIN Root Certification Authority.crt
使用cifs工具掛載目錄後 下載到centos8上並轉為PEM格式

# 掛載cifs, server2003使用smb1.0所以參數須加上vers=1.0
mount.cifs //ca_server/CertEnroll /mnt/cifs -o user=administrator,pass=password,dom=mydomain,vers=1.0
cp /mnt/cifs/xxxx.crt xxxx.crt
# 將der 轉換為 pem
openssl x509 -inform der -in xxxx.crt -out xxxx.pem
# 搬移到 trust資料夾
mv xxxx.pem /etc/pki/ca-trust/source/anchors
# 將憑證更新至主機信任憑證裡
update-ca-trust 

3. 設定sssd 連接 Active Directory
修改/etc/sssd/sssd.conf

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = mydomain

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/mydomain]
cache_credentials = True
ldap_search_base = dc=mydomain,dc=com
id_provider = ldap
ldap_uri = ldaps://dc.mydomain.com:636   #AD主機, 使用ssl協定連線
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc= mydomain,dc=com  # 這裡為了方便使用管理員帳號, 為安全起見可以使用唯讀的網域帳號
ldap_default_authtok = password_for_administrator  # 管理員密碼
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_id_mapping = True
ldap_referrals = false

enumerate = False
fallback_homedir = /home/%u
default_shell = /bin/bash

修改 /etc/openlap/ldap.conf

URI ldaps://dc.mydomain.com:636
base    dc=mydomain,dc=com
TLS_CACERT  /etc/pki/tls/certs/ca-bundle.crt
SASL_NOCANON    on

強制啟用sssd

authselect select sssd –force
systemctl enable --now sssd
systemctl restart sssd

由於Windows 2003 CA仍使用舊版SHA1, 因此需要改crypto政策

update-crypto-policies --set LEGACY

完成後重新開機

4. 防火牆上設定允許連向1.2.3.4 UDP1194的流量並引導至內部10.0.0.10

5. 用戶端安裝OpenVPN Client軟體後匯入.ovpn檔
Windows7/8/10 Client: OpenVPN-GUI (嘗試過OpenVPN Connect for Windows無法匯入.ovpn)
iOS/Android Client: OpenVPN Connect

參考資料:
https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/
https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5

Samba4 AD DC + DHCPD + BIND (Dynamic DNS)

Samba 4 已經釋出很長一段時間了 因此趁著升級電腦與 centos 6 順便將 Samba 3 AD DC + dhcpd + bind 更新為 Samba 4 + bind 9 dlz 模組 + dhcpd

DC DQDN名稱 : samba4dc

DC IP : 192.168.0.1/24

  1. 首先到 https://portal.enterprisesamba.com/users/sign_up 註冊. 方便使用 yum 升級 samba , 如果使用 source 安裝就不需申請. 登入後把給 centos6 用的 sernet-samba-4.1.repo 檔下載回來並修改檔案中 USERNAME:ACCESSKEY 的部分.
  2. 升級前先備份 /etc/samba, /var/lib/samba, /etc/dhcp, /etc/named.conf, /var/named, /var/cache/samba 等目錄
  3. 安裝 samba 4 
    # yum install sernet-samba -y
  4. 升級 Samba AD 網域
    移動設定檔

    mv /etc/smb.conf /etc/smb.PDC.conf

    將舊資料庫等檔案移到其他位置

    # mv /var/lib/samba/ /var/lib/samba.PDC/
# mv /var/cache/samba/ /var/cache/samba.PDC/

    新增資料夾. 並將升級時會用到的資料庫檔案複製到該目錄

    # mkdir /var/lib/samba.PDC/dbdir/
# cp -p /var/lib/samba.PDC/private/secrets.tdb /var/lib/samba.PDC/dbdir/
# cp -p /var/lib/samba.PDC/private/schannel_store.tdb /var/lib/samba.PDC/dbdir/
# cp -p /var/lib/samba.PDC/private/passdb.tdb /var/lib/samba.PDC/dbdir/
# cp -p /var/cache/samba.PDC/gencache_notrans.tdb /var/lib/samba.PDC/dbdir/
# cp -p /var/cache/samba.PDC/group_mapping.tdb /var/lib/samba.PDC/dbdir/
# cp -p /var/cache/samba.PDC/account_policy.tdb /var/lib/samba.PDC/dbdir/

    升級資料庫以及使用 bind_dlz 模組

    # samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir/ --use-xattrs=yes --realm=home.com --dns-backend=BIND9_DLZ /etc/smb.PDC.conf --option="interfaces=lo eth0" --option="bind interfaces only=yes"
    PS: --option="interfaces=lo eth0" --option="bind interfaces only=yes" 這是限定 samba 只作用在網卡 loopback 及 eth0
  5. 調整產生的 samba 設定即啟動檔
    /etc/samba/smb.conf

    [global]
        workgroup = HOME
        realm = home.com
        netbios name = SAMBA4DC
        interfaces = lo, eth0
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        wins support = yes
        syslog = 0
        username map = /etc/samba/smbusers
        domain master = yes
        domain logons = yes
        local master = yes
        preferred master = yes

[netlogon]
        path = /var/lib/samba/sysvol/home.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[homes]
        comment = Home Directories
        browseable = no
        read only = No
        valid users = %S
        create mask = 0700
        directory mask = 0700

[nas]
        comment = storage
        path = /home/data
        public = yes
        writable = yes
        printable = no
        write list = +adm

    因為是作為 dc , 只要開啟 sernet-samba-ad 服務. 其餘 sernet-samba-nmbd, sernet-samba-smbd, sernet-samba-winbindd 不須啟動.

    # chkconfig --level 2345 sernet-samba-ad on
  6. 調整 bind9 & kerberos 設定
    /etc/named.conf

    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        forwarders {
                168.95.1.1;
                };
        forward first;
        listen-on {
                home;
        };
        allow-recursion {home;};
        allow-update { home; };
        allow-query { home; };
        allow-transfer { home;};
        listen-on-v6 { none; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; #加入這行
        auth-nxdomain yes;
        empty-zones-enable no;
        version none;
        hostname none;
        server-id none;
};

logging {
        channel Named_log {
            file "data/named.run";# versions 5 size 5m;
            severity dynamic;
            print-severity  yes;
            print-time yes; };
        category default {Named_log; };
        category xfer-out {Named_log; };
        category queries {Named_log; };
};

acl "home" { 192.168.0.0/24; 127.0.0.1;};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";
include "/var/lib/samba/private/named.conf";   #加入這行

    /var/lib/samba/private/named.conf

    lz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so"; #選擇對應的 bind 版本

    # For BIND 9.9.0
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};

    修改 keytab 檔案權限讓 bind 可以用其來動態更新 zone

    # chgrp named /var/lib/samba/private
# chgrp named /var/lib/samba/private/dns.keytab
# chmod g+r /var/lib/samba/private/dns.keytab

    連結 kerberos 設定檔到 /etc 下

    # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

    重啟 named

    # service named restart

    增加反解析區域

    # samba-tool dns zonecreate samba4dc.home.com 0.168.192.in-addr.arpa

    將 DC 的 PTR 加入反解區域

    # samba-tool dns add samba4dc.home.com 0.168.192.in-addr.arpa 1 PTR samba4dc.home.com

    如果有設定 ntpd (選擇性) 請修改 socket 的位址讓 samba 可以讀取

    driftfile /var/lib/ntp/drift
logfile         /var/log/ntp
ntpsigndsocket  /var/lib/samba/ntp_signd

restrict default kod nomodify notrap nopeer mssntp noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

includefile /etc/ntp/crypto/pw

keys /etc/ntp/keys

    修改權限及重啟 ntpd

    # chown root:ntp /var/lib/samba/ntp_signd
# chmod 750 /var/lib/samba/ntp_signd
# service ntpd restart

    重啟 samba

    # service smbd stop
# service nmbd stop
# service sernet-samba-ad start
  7. DHCPD 設定
    在 AD 裡新增 dhcp 這個使用者並給予權限讓它可以動態更新 DNS(也可以使用 Windows 遠端伺服器管理工具 RSAT 來新增)

    # samba-tool user create dhcp --description="Unprivileged user for DNS updates via DHCP server"
# samba-tool group addmembers DnsAdmins dhcp

    將該使用者憑證匯出成 keytab 檔

    # cd /etc/dhcp
# samba-tool domain exportkeytab --principal=dhcp@HOME.COM dhcpd.keytab
# chown root:dhcpd /etc/dhcp/dhcpd.keytab
# chmod 440 /etc/dhcp/dhcpd.keytab
# chgrp dhcpd /etc/dhcp

    新增以下兩個執行檔
    /usr/local/sbin/dhcp-dyndns.sh

    #!/bin/bash
$(dirname $0)/dns-krbnsupdate.sh $@ 2>&1 | logger &

    /usr/local/sbin/dns-krbnsupdate.sh

    #!/bin/bash

# This script is for secure DDNS updates using GSS/TSIG
# Version: 0.1

## CONFIGURATION ##
# Kerberos realm
realm="HOME.COM"
# Kerberos principal
principal="dhcp@$realm"
# Kerberos keytab
keytab="/etc/dhcp/dhcpd.keytab"
# Kerberos credentials cache
krb5cc="/tmp/krb5cc_0"
# Use MIT kerberos args instead of heimdal.
KRB5MIT="YES"

# Domain appended to hostname
domain="home.com"
# Space separated list of DNS servers for sending updates to
NSRVS="cchisheng.home.com"
# Default DNS resource records TTL
RRTTL="3600"
# Do not use TXT RRs (rfc4701)
NOTXTRRS="YES"

# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"
# Run in the foreground (for manual run only!!!), it's better to use "-d" as script's first argument
#DEBUG="YES"

######################################################

## VARIABLES ##
[ "$1" = "-d" ] && DEBUG="YES" && shift
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
[ -n "$5" ] && RRTTL="$5"

_usage() {
echo "Usage:"
echo " `basename $0` [-d] add ip-address dhcid|mac-address hostname [dns-ttl]"
echo " `basename $0` [-d] delete ip-address dhcid|mac-address"
}

_kerberos() {
export KRB5_KTNAME="$keytab"
export KRB5CCNAME="$krb5cc"

if [ "$KRB5MIT" = "YES" ]; then
 KLISTARG="-s"
else
 KLISTARG="-t"
fi

klist $KLISTARG || kinit -k -t "$keytab" -c "$krb5cc" "$principal" || { echo "DDNS: kinit failed"; exit 1; }
}

_main() {
umask 77

if [ -z "$ip" ] || [ -z "$DHCID" ]; then
 _usage
 exit 1
fi


## NSUPDATE ##
case "$action" in
 add)
 RRPTR="$name.$domain"
 if [ "$NOTXTRRS" != "YES" ]; then
 NOTXTRRS=""
 RRAOLD=`host $RRPTR | awk '/has address/ {print $4}'`
 if [ -n "$RRAOLD" ]; then
 RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
 [ -z "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1

 RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
 RRTXT="000101${RRTXT%% *}"
 [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
 else
 RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
 RRTXT="000101${RRTXT%% *}"
 fi
 else
 NOTXTRRS=";"
 fi

 RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`

 _kerberos

 for NSRV in $NSRVS; do
 nsupdate -g $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $RRPTR. $RRTTL A
${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
${NOTXTRRS}update add $RRPTR. $RRTTL TXT $RRTXT
update add $RRPTR. $RRTTL A $ip
send
update delete $RRPTRNAME. $RRTTL PTR
update add $RRPTRNAME. $RRTTL PTR $name.$domain.
send
UPDATE
  result=$?
 [ "$result" -eq "0" ] && echo "DDNS: adding records for $ip ($RRPTR) succeeded" && exit 0
 done

 [ "$result" != "0" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result"
 ;;
 delete)
 RRPTR=`host $ip | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}'`
 if [ "$NOTXTRRS" != "YES" ]; then
 NOTXTRRS=""
 if [ -n "$RRPTR" ]; then
 RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
 [ -z "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1

 RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
 RRTXT="000101${RRTXT%% *}"
 [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
 else
 echo "DDNS: removing records for $ip FAILED: has no PTR, can not determine A record" && exit 1
 fi
 else
 NOTXTRRS=";"
 fi

 RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`

 _kerberos

 for NSRV in $NSRVS; do
 nsupdate -g $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $RRPTR. $RRTTL A
${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
send
update delete $RRPTRNAME. $RRTTL PTR
send
UPDATE
 result=$?
 [ "$result" -eq "0" ] && echo "DDNS: removing records for $ip ($RRPTR) succeeded" && exit 0
 done

 [ "$result" != "0" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result"
 ;;
 *)
 _usage && exit 1
 ;;
esac
}

if [ "$DEBUG" = "YES" ]; then
 _main
else
 :
 _main | logger -s -t dhcpd &
fi

    修改 /etc/dhcp/dhcpd.conf

    subnet 192.168.0.0 netmask 255.255.255.0 {
 authoritative;
 option netbios-name-servers 192.168.0.1;
 option domain-name-servers 192.168.0.1;
 option domain-name "home.com";
 option netbios-node-type 8;
 option routers 192.168.1.1;
 option subnet-mask 255.255.255.0;
 default-lease-time 259200;
 range 192.168.0.10 192.168.1.250;
 on commit {
 set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
 set ClientName = pick-first-value(option host-name, host-decl-name);
 set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
 execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
 }
 on release {
 set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
 set ClientName = pick-first-value(option host-name, host-decl-name);
 set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
 execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
 }
 on expiry {
 set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
 set ClientName = pick-first-value(option host-name, host-decl-name);
 set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
 execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
 }
}

    改變檔案權限

    # chmod 755 /usr/local/sbin/dhcp-dyndns.sh
# chmod 755 /usr/local/sbin/dns-krbnsupdate.sh

    重啟 dhcpd

    # service dhcpd restart
  8. 測試 
    # samba_dnsupdate --verbose --all-names

    若上述指令沒有錯誤表示 bind9 設定正確. 若有錯誤請檢查檔案及目錄權限, 讓 bind9 可以讀取  dns.keytab
    當 dhcp client 端開機或者在 Windows 命令提示視窗執行 ipconfig /renew 時, server上的 syslog 會有以下紀錄, 表示動態更新成功

    Dec  9 00:00:15 samba4dc dhcpd: DDNS: adding records for 192.168.0.186 (win7.home.com) succeeded
Dec  9 00:00:15 samba4dc logger: dhcpd: DDNS: adding records for 192.168.0.186 (win7.home.com) succeeded
  9. 問題
    I.Windows client本身會執行 secure dns update, 因此 named 紀錄裡會有更新失敗的錯誤. 由於我們是透過dhcpd更新dns, 因此該錯誤可以忽略.
    II.Samba4目前對於讓 dc 及file server 在同台伺服器上尚未完整支援, 因此 client 端在網路芳鄰內找不到 server, 需要手動輸入 \\server 連結伺服器. 如果在登入指令檔或者 RSAT 的使用者管理裡指定連線磁碟機就可以解決該問題
    III. RSAT 的 DNS 管理員可以新增刪除紀錄但有時會有錯誤訊息但不影響
  10. 參考文獻
    https://wiki.samba.org/index.php/User_Documentation
    http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
    https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Controller

Windows 7 加入 Windows 2003 AD 後防火牆及網路無法啟動

Dell 最近告知雖有降級XP license, 但出廠機器無法預設安裝xp給客戶, 這下真的是麻煩了, 還得自行處理安裝xp. 公司內仍有部份舊版erp軟體無法在Windows 7 上面安裝, 必須版更但是版更帶來的影響尚無法估計. 但遲早得升級, 還是得裝幾台來測試.

看過文件似乎直接加入網域即可, Windows 7 找不到給 window 7的GPO時會使用本機端的admx 檔. 但是事實上可沒這麼好 … 加入網域重開機後即發生網路無法連線的問題,dhcp client,network location awareness等服務都無法啟動, 防火牆開啟會有”0x8007042c”的錯誤. 可見還是會套用windows XP的部份安全性原則, 以至於部份服務的系統服務帳號的權限被移除.

Google了好一陣發現可以使用WMI filter的方式避免Window 7套用網域安全性原則. 方式如如下

  1. 從Windows XP或Windows 2003開啟”Active Directory 使用者及電腦”, 並於你要管理的網域上按右鍵, 點選內容.
    win7_gpo
  2. 切到”群組原則”攔, 點選要修改的原則, 這邊要修改的是預設網域原則, 然後點選內容
    win7_gpo1 
  3. 切到WMI篩選器, 選擇” 瀏覽/管理”
    win7_gpo2 
  4. 點選”進階”
    win7_gpo3
  5. 點選新增, 然後輸入名稱及描述, 主要是在查詢部份需加入”Select * from Win32_operatingsystem where BuildNumber! = 7600”. 7600 是 Windows 版號, 可以在命令提示字元下”winver”查詢.完成後儲存設定. 如果其它OU有不同的安全性原則且windows 7也會放置到該OU下, 那麼該WMI filter也需套用在其上.
    win7_gpo4

完成後安全性原則就不會被套用到windows 7. 至於windows 7的安全性原則可以先在 windows 2003 AD 上建立 Central Store 然後在 windows 7 安裝 RSAT 來管理. 詳細可參考 KB929841