Administer Group Policy in an Azure Active Directory Domain Services managed domain

Settings for user and computer objects in Azure Active Directory Domain Services (Azure AD DS) are often managed using Group Policy Objects (GPOs). Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the Azure AD DC administrators group have Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see Group Policy overview.

In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define configuration settings for users or computers in Azure AD DS, edit one of the default GPOs or create a custom GPO.

This article shows you how to install the Group Policy Management tools, then edit the built-in GPOs and create custom GPOs.

To complete this article, you need the following resources and privileges:


You can use Group Policy Administrative Templates by copying the new templates to the management workstation. Copy the .admx files into %SYSTEMROOT%\PolicyDefinitions and copy the locale-specific .adml files to %SYSTEMROOT%\PolicyDefinitions\[Language-CountryRegion], where Language-CountryRegion matches the language and region of the .adml files.

For example, copy the English, United States version of the .adml files into the \en-us folder.
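
As an added example (not part of the original article), the copy step above can be scripted in PowerShell from an elevated prompt on the management workstation. The source folder C:\Temp\Templates is an assumed location for the unpacked templates, and skipping templates that lack a matching .adml file is an added precaution.

```powershell
# Added example, not from the original article.
# Assumption: new templates are unpacked to $Source, with the .adml files
# in a subfolder named after the locale (for example en-us).
$Source = 'C:\Temp\Templates'
$Locale = 'en-us'

$Dest       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$DestLocale = Join-Path $Dest $Locale

# Create the locale folder if this workstation does not have it yet.
New-Item -ItemType Directory -Path $DestLocale -Force | Out-Null

$copied = foreach ($admx in Get-ChildItem -Path $Source -Filter *.admx -File) {
    # Each .admx needs the .adml of the same base name for the chosen locale.
    $adml = Join-Path (Join-Path $Source $Locale) ($admx.BaseName + '.adml')
    if (-not (Test-Path -LiteralPath $adml)) {
        Write-Warning "Skipping $($admx.Name): no $Locale .adml file found"
        continue
    }
    Copy-Item -LiteralPath $admx.FullName -Destination $Dest -ErrorAction Stop
    Copy-Item -LiteralPath $adml -Destination $DestLocale -ErrorAction Stop
    $admx.Name   # collected in $copied
}

"Copied $(@($copied).Count) template(s) to $Dest"
```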

Alternatively, you can centrally store your Group Policy Administrative Template on the domain controllers that are part of the managed domain. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Install Group Policy Management tools

To create and configure Group Policy Objects (GPOs), you need to install the Group Policy Management tools. These tools can be installed as a feature in Windows Server. For more information on how to install the administrative tools on a Windows client, see Install Remote Server Administration Tools (RSAT).

  1. Sign in to your management VM. For steps on how to connect using the Azure portal, see Connect to a Windows Server VM.

  2. Server Manager should open by default when you sign in to the VM. If not, on the Start menu, select Server Manager.

  3. In the Dashboard pane of the Server Manager window, select Add Roles and Features.

  4. On the Before You Begin page of the Add Roles and Features Wizard, select Next.

  5. For the Installation Type, leave the Role-based or feature-based installation option checked and select Next.

  6. On the Server Selection page, choose the current VM from the server pool, such as myvm.aaddscontoso.com, then select Next.

  7. On the Server Roles page, click Next.

  8. On the Features page, select the Group Policy Management feature.

  9. On the Confirmation page, select Install. It may take a minute or two to install the Group Policy Management tools.

  10. When feature installation is complete, select Close to exit the Add Roles and Features wizard.

Open the Group Policy Management Console and edit an object

Default group policy objects (GPOs) exist for users and computers in a managed domain. With the Group Policy Management feature installed from the previous section, let's view and edit an existing GPO. In the next section, you create a custom GPO.

To administer group policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of available management tools is shown, including Group Policy Management installed in the previous section.

  2. To open the Group Policy Management Console (GPMC), choose Group Policy Management.


There are two built-in Group Policy Objects (GPOs) in a managed domain - one for the AADDC Computers container, and one for the AADDC Users container. You can customize these GPOs to configure group policy as needed within your managed domain.

  1. In the Group Policy Management console, expand the Forest: aaddscontoso.com node. Next, expand the Domains node.

    Two built-in containers exist for AADDC Computers and AADDC Users. Each of these containers has a default GPO applied to them.

    Built-in GPOs applied to the default 'AADDC Computers' and 'AADDC Users' containers

  2. These built-in GPOs can be customized to configure specific group policies on your managed domain. Right-select one of the GPOs, such as AADDC Computers GPO, then choose Edit....

    Choose the option to 'Edit' one of the built-in GPOs

  3. The Group Policy Management Editor tool opens to let you customize the GPO, such as Account Policies:

    Customize GPO to configure settings as required

    When done, choose File > Save to save the policy. Computers refresh Group Policy by default every 90 minutes and apply the changes you made.

Create a custom Group Policy Object

To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Azure AD DS, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see Create a custom OU in a managed domain.

  1. In the Group Policy Management console, select your custom organizational unit (OU), such as MyCustomOU. Right-select the OU and choose Create a GPO in this domain, and Link it here...:

    Create a custom GPO in the Group Policy Management console

  2. Specify a name for the new GPO, such as My custom GPO, then select OK. You can optionally base this custom GPO on an existing GPO and set of policy options.

    Specify a name for the new custom GPO

  3. The custom GPO is created and linked to your custom OU. To now configure the policy settings, right-select the custom GPO and choose Edit...:

    Choose the option to 'Edit' the custom GPO

  4. The Group Policy Management Editor opens to let you customize the GPO:

    Customize GPO to configure settings as required

    When done, choose File > Save to save the policy. Computers refresh Group Policy by default every 90 minutes and apply the changes you made.
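
The tool installation and the create-and-link steps above can also be done with the GroupPolicy PowerShell module. The script below is an added example, not part of the original article; it uses the article's sample names (aaddscontoso.com, MyCustomOU, My custom GPO), assumes the OU sits directly under the domain root, and adds a link listing and an HTML report so the result can be reviewed.

```powershell
# Added example, not from the original article. Run on the management VM,
# signed in as a member of the AAD DC Administrators group.
$Domain  = 'aaddscontoso.com'
$OuDn    = 'OU=MyCustomOU,DC=aaddscontoso,DC=com'   # assumption: OU is at the domain root
$GpoName = 'My custom GPO'

# Same result as the Add Roles and Features wizard: install Group Policy Management.
if (-not (Get-WindowsFeature -Name GPMC).Installed) {
    Install-WindowsFeature -Name GPMC | Out-Null
}
Import-Module GroupPolicy

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Custom GPO for MyCustomOU'
}

# Link the GPO to the custom OU unless a link is already present.
$links = (Get-GPInheritance -Target $OuDn -Domain $Domain).GpoLinks
if ($links.GpoId -notcontains $gpo.Id) {
    New-GPLink -Guid $gpo.Id -Target $OuDn -Domain $Domain -LinkEnabled Yes | Out-Null
}

# Review what is linked to the OU, in processing order.
(Get-GPInheritance -Target $OuDn -Domain $Domain).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order

# Export the GPO's settings for review or change tracking.
$report = Join-Path $env:TEMP 'my-custom-gpo.html'
Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html -Path $report
"Report written to $report"
```

Policy settings themselves are still configured in the Group Policy Management Editor as described in the steps above.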

Next steps

For more information on the available Group Policy settings that you can configure using the Group Policy Management Console, see Work with Group Policy preference items.