summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc/PolicyMgmt.xml
diff options
context:
space:
mode:
authorAlexander Bokovoy <ab@samba.org>2003-04-30 21:26:24 +0000
committerAlexander Bokovoy <ab@samba.org>2003-04-30 21:26:24 +0000
commit3d6bb1823c3a82958ee2b80be4f953e23703eb9d (patch)
treecf26d289c63bb1365aab490938515991602b5db3 /docs/docbook/projdoc/PolicyMgmt.xml
parent318acec837279edaf74e331afc8ebdba5c05db71 (diff)
downloadsamba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.gz
samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.bz2
samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.zip
Docbook XML conversion: projdoc
(This used to be commit f7c9df751459da2d4a996d5f0135334fb3f87f69)
Diffstat (limited to 'docs/docbook/projdoc/PolicyMgmt.xml')
-rw-r--r--docs/docbook/projdoc/PolicyMgmt.xml384
1 files changed, 384 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/PolicyMgmt.xml b/docs/docbook/projdoc/PolicyMgmt.xml
new file mode 100644
index 0000000000..2ae3fa5ea7
--- /dev/null
+++ b/docs/docbook/projdoc/PolicyMgmt.xml
@@ -0,0 +1,384 @@
+<chapter id="PolicyMgmt">
+<chapterinfo>
+ &author.jht;
+ <pubdate>April 3 2003</pubdate>
+</chapterinfo>
+<title>System and Account Policies</title>
+
+<sect1>
+<title>Creating and Managing System Policies</title>
+
+<para>
+Under MS Windows platforms, particularly those following the release of MS Windows
+NT4 and MS Windows 95) it is possible to create a type of file that would be placed
+in the NETLOGON share of a domain controller. As the client logs onto the network
+this file is read and the contents initiate changes to the registry of the client
+machine. This file allows changes to be made to those parts of the registry that
+affect users, groups of users, or machines.
+</para>
+
+<para>
+For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
+be generated using a tool called <filename>poledit.exe</filename>, better known as the
+Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
+dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
+comments from MS Windows network administrators it would appear that this tool became
+a part of the MS Windows Me Resource Kit.
+</para>
+
+<para>
+MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
+under the <filename>Start -> Programs -> Administrative Tools</filename> menu item.
+For MS Windows NT4 and later clients this file must be called <filename>NTConfig.POL</filename>.
+</para>
+
+<para>
+New with the introduction of MS Windows 2000 was the Microsoft Management Console
+or MMC. This tool is the new wave in the ever changing landscape of Microsoft
+methods for management of network access and security. Every new Microsoft product
+or technology seems to obsolete the old rules and to introduce newer and more
+complex tools and methods. To Microsoft's credit though, the MMC does appear to
+be a step forward, but improved functionality comes at a great price.
+</para>
+
+<para>
+Before embarking on the configuration of network and system policies it is highly
+advisable to read the documentation available from Microsoft's web site regarding
+<ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">
+Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</ulink> available from Microsoft.
+There are a large number of documents in addition to this old one that should also
+be read and understood. Try searching on the Microsoft web site for "Group Policies".
+</para>
+
+<para>
+What follows is a very brief discussion with some helpful notes. The information provided
+here is incomplete - you are warned.
+</para>
+
+<sect2>
+<title>Windows 9x/Me Policies</title>
+
+<para>
+You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
+It can be found on the Original full product Win98 installation CD under
+<filename>tools/reskit/netadmin/poledit</filename>. Install this using the
+Add/Remove Programs facility and then click on the 'Have Disk' tab.
+</para>
+
+<para>
+Use the Group Policy Editor to create a policy file that specifies the location of
+user profiles and/or the <filename>My Documents</filename> etc. stuff. Then
+save these settings in a file called <filename>Config.POL</filename> that needs to
+be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto
+the Samba Domain, it will automatically read this file and update the Win9x/Me registry
+of the machine as it logs on.
+</para>
+
+<para>
+Further details are covered in the Win98 Resource Kit documentation.
+</para>
+
+<para>
+If you do not take the right steps, then every so often Win9x/Me will check the
+integrity of the registry and will restore it's settings from the back-up
+copy of the registry it stores on each Win9x/Me machine. Hence, you will
+occasionally notice things changing back to the original settings.
+</para>
+
+<para>
+Install the group policy handler for Win9x to pick up group policies. Look on the
+Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+Install group policies on a Win9x client by double-clicking
+<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
+if Win98 picks up group policies. Unfortunately this needs to be done on every
+Win9x/Me machine that uses group policies.
+</para>
+
+</sect2>
+<sect2>
+<title>Windows NT4 Style Policy Files</title>
+
+<para>
+To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
+Policy Editor, <command>poledit.exe</command> which is included with NT4 Server
+but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4
+Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
+Further, although the Windows 95 Policy Editor can be installed on an NT4
+Workstation/Server, it will not work with NT clients. However, the files from
+the NT Server will run happily enough on an NT4 Workstation.
+</para>
+
+<para>
+You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
+It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
+directory which is where the binary will look for them unless told otherwise. Note also that that
+directory is normally 'hidden'.
+</para>
+
+<para>
+The Windows NT policy editor is also included with the Service Pack 3 (and
+later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
+i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
+<command>poledit.exe</command> and the associated template files (*.adm) should
+be extracted as well. It is also possible to downloaded the policy template
+files for Office97 and get a copy of the policy editor. Another possible
+location is with the Zero Administration Kit available for download from Microsoft.
+</para>
+
+<sect3>
+<title>Registry Tattoos</title>
+
+ <para>
+ With NT4 style registry based policy changes, a large number of settings are not
+ automatically reversed as the user logs off. Since the settings that were in the
+ NTConfig.POL file were applied to the client machine registry and that apply to the
+ hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
+ as tattooing. It can have serious consequences down-stream and the administrator must
+ be extremely careful not to lock out the ability to manage the machine at a later date.
+ </para>
+
+
+</sect3>
+</sect2>
+<sect2>
+<title>MS Windows 200x / XP Professional Policies</title>
+
+<para>
+Windows NT4 System policies allows setting of registry parameters specific to
+users, groups and computers (client workstations) that are members of the NT4
+style domain. Such policy file will work with MS Windows 2000 / XP clients also.
+</para>
+
+<para>
+New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
+a superset of capabilities compared with NT4 style policies. Obviously, the tool used
+to create them is different, and the mechanism for implementing them is much changed.
+</para>
+
+<para>
+The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
+in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
+configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
+well as intrinsics of where menu items will appear in the Start menu). An additional new
+feature is the ability to make available particular software Windows applications to particular
+users and/or groups.
+</para>
+
+<para>
+Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
+of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
+and selects the domain name to which the logon will attempt to take place. During the logon
+process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
+server, modifies the local registry values according to the settings in this file.
+</para>
+
+<para>
+Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
+a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+Directory domain controllers. The part that is stored in the Active Directory itself is called the
+group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
+known as the group policy template (GPT).
+</para>
+
+<para>
+With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
+MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
+startup (machine specific part) and when the user logs onto the network the user specific part
+is applied. In MS Windows 200x style policy management each machine and/or user may be subject
+to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
+the administrator to also set filters over the policy settings. No such equivalent capability
+exists with NT4 style policy files.
+</para>
+
+<sect3>
+<title>Administration of Win2K / XP Policies</title>
+
+<title>Instructions</title>
+<para>
+Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
+executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
+(MMC) snap-in as follows:</para>
+<procedure>
+<step>
+<para>
+Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename>
+ and select the MMC snap-in called "Active Directory Users and Computers"
+</para>
+</step>
+
+<step><para>
+Select the domain or organizational unit (OU) that you wish to manage, then right click
+to open the context menu for that object, select the properties item.
+</para></step>
+
+<step><para>
+Now left click on the Group Policy tab, then left click on the New tab. Type a name
+for the new policy you will create.
+</para></step>
+
+<step><para>
+Now left click on the Edit tab to commence the steps needed to create the GPO.
+</para></step>
+</procedure>
+
+<para>
+All policy configuration options are controlled through the use of policy administrative
+templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
+Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
+The later introduces many new features as well as extended definition capabilities. It is
+well beyond the scope of this documentation to explain how to program .adm files, for that
+the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
+version of MS Windows.
+</para>
+
+<note>
+<para>
+The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
+to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
+use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+</para>
+</note>
+
+</sect3>
+</sect2>
+</sect1>
+
+<sect1>
+<title>Managing Account/User Policies</title>
+
+<para>
+Policies can define a specific user's settings or the settings for a group of users. The resulting
+policy file contains the registry settings for all users, groups, and computers that will be using
+the policy file. Separate policy files for each user, group, or computer are not not necessary.
+</para>
+
+<para>
+If you create a policy that will be automatically downloaded from validating domain controllers,
+you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
+policy file and, by modifying the Windows NT-based workstation, directing the computer to update
+the policy from a manual path. You can do this by either manually changing the registry or by using
+the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
+but if a change is necessary to all machines, this change must be made individually to each workstation.
+</para>
+
+<para>
+When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
+controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
+applied to the user's part of the registry.
+</para>
+
+<para>
+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
+acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
+itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>tatooing</emphasis> effect.
+This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
+</para>
+
+<para>
+In addition to user access controls that may be imposed or applied via system and/or group policies
+in a manner that works in conjunction with user profiles, the user management environment under
+MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
+Common restrictions that are frequently used includes:
+</para>
+
+<para>
+<simplelist>
+ <member>Logon Hours</member>
+ <member>Password Aging</member>
+ <member>Permitted Logon from certain machines only</member>
+ <member>Account type (Local or Global)</member>
+ <member>User Rights</member>
+</simplelist>
+</para>
+
+<sect2>
+<title>With Windows NT4/200x</title>
+
+<para>
+The tools that may be used to configure these types of controls from the MS Windows environment are:
+The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
+Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
+"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
+</para>
+</sect2>
+
+<sect2>
+<title>With a Samba PDC</title>
+
+<para>
+With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
+<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
+man pages for these tools and become familiar with their use.
+</para>
+
+</sect2>
+</sect1>
+
+<sect1>
+<title>System Startup and Logon Processing Overview</title>
+
+<para>
+The following attempts to document the order of processing of system and user policies following a system
+reboot and as part of the user logon:
+</para>
+
+<orderedlist>
+ <listitem><para>
+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
+ Convention Provider (MUP) start
+ </para></listitem>
+
+ <listitem><para>
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
+ and applied. The list may include GPOs that:
+<simplelist>
+ <member>Apply to the location of machines in a Directory</member>
+ <member>Apply only when settings have changed</member>
+ <member>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</member>
+</simplelist>
+ No desktop user interface is presented until the above have been processed.
+ </para></listitem>
+
+ <listitem><para>
+ Execution of start-up scripts (hidden and synchronous by defaut).
+ </para></listitem>
+
+ <listitem><para>
+ A keyboard action to affect start of logon (Ctrl-Alt-Del).
+ </para></listitem>
+
+ <listitem><para>
+ User credentials are validated, User profile is loaded (depends on policy settings).
+ </para></listitem>
+
+ <listitem><para>
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of:
+
+<simplelist>
+ <member>Is user a domain member, thus subject to particular policies</member>
+ <member>Loopback enablement, and the state of the loopback policy (Merge or Replace)</member>
+ <member>Location of the Active Directory itself</member>
+ <member>Has the list of GPOs changed. No processing is needed if not changed.</member>
+</simplelist>
+ </para></listitem>
+
+ <listitem><para>
+ User Policies are applied from Active Directory. Note: There are several types.
+ </para></listitem>
+
+ <listitem><para>
+ Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
+ Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
+ window.
+ </para></listitem>
+
+ <listitem><para>
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
+ Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
+ </para></listitem>
+</orderedlist>
+
+</sect1>
+</chapter>