| field | value |
|---|---|
| author | Gerald Carter <jerry@samba.org>, 2003-07-16 05:34:56 +0000 |
| committer | Gerald Carter <jerry@samba.org>, 2003-07-16 05:34:56 +0000 |
| commit | 4a090ba06a54f5da179ac02bb307cc03d08831bf (patch) |
| tree | ed652ef36be7f16682c358816334f969a22f1c27 /docs/docbook/projdoc/PolicyMgmt.xml |
| parent | 95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff) |
| download | samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz, samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2, samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip |
trying to get HEAD building again. If you want the code
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
Diffstat (limited to 'docs/docbook/projdoc/PolicyMgmt.xml')
-rw-r--r-- | docs/docbook/projdoc/PolicyMgmt.xml | 456 |
1 files changed, 268 insertions, 188 deletions
diff --git a/docs/docbook/projdoc/PolicyMgmt.xml b/docs/docbook/projdoc/PolicyMgmt.xml index 2ae3fa5ea7..12289df7c3 100644 --- a/docs/docbook/projdoc/PolicyMgmt.xml +++ b/docs/docbook/projdoc/PolicyMgmt.xml 
@@ -3,8 +3,51 @@ &author.jht; <pubdate>April 3 2003</pubdate> </chapterinfo> + <title>System and Account Policies</title> +<para> +This chapter summarises the current state of knowledge derived from personal +practice and knowledge from samba mailing list subscribers. Before reproduction +of posted information effort has been made to validate the information provided. +Where additional information was uncovered through this validation it is provided +also. +</para> + +<sect1> +<title>Features and Benefits</title> + +<para> +When MS Windows NT3.5 was introduced the hot new topic was the ability to implement +Group Policies for users and group. Then along came MS Windows NT4 and a few sites +started to adopt this capability. How do we know that? By way of the number of "booboos" +(or mistakes) administrators made and then requested help to resolve. +</para> + +<para> +By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually can help to create happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was very obvious from the samba +mailing list as in 2000 and 2001 there were very few postings regarding GPOs and +how to replicate them in a Samba environment. +</para> + +<para> +Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. +</para> + +<para> +A tool new to Samba-3 may become an important part of the future Samba Administrators' +arsenal. The <command>editreg</command> tool is described in this document. +</para> + +</sect1> + <sect1> <title>Creating and Managing System Policies</title> 
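Review bot: the new introduction states "The <command>editreg</command> tool is described in this document", but the only editreg material this patch adds (in the -293 hunk) is a one-line placeholder, so either drop that sentence until the section exists or reword it as forthcoming. Grammar in the same paragraphs: "for users and group" should read "for users and groups", "MS Windows 2000 and Active Directory was released" should be "were released", and "adoption ... were picked up on rather slowly" should be "was picked up". The <pubdate> is left at April 3 2003 although the chapter is substantially rewritten here; consider updating it.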
@@ -21,7 +64,7 @@ affect users, groups of users, or machines. For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may be generated using a tool called <filename>poledit.exe</filename>, better known as the Policy Editor. The policy editor was provided on the Windows 98 installation CD, but -dissappeared again with the introduction of MS Windows Me (Millenium Edition). From +disappeared again with the introduction of MS Windows Me (Millennium Edition). From comments from MS Windows network administrators it would appear that this tool became a part of the MS Windows Me Resource Kit. </para> 
@@ -55,194 +98,193 @@ What follows is a very brief discussion with some helpful notes. The information here is incomplete - you are warned. </para> -<sect2> -<title>Windows 9x/Me Policies</title> - -<para> -You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. -It can be found on the Original full product Win98 installation CD under -<filename>tools/reskit/netadmin/poledit</filename>. Install this using the -Add/Remove Programs facility and then click on the 'Have Disk' tab. -</para> - -<para> -Use the Group Policy Editor to create a policy file that specifies the location of -user profiles and/or the <filename>My Documents</filename> etc. stuff. Then -save these settings in a file called <filename>Config.POL</filename> that needs to -be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine as it logs on. -</para> - -<para> -Further details are covered in the Win98 Resource Kit documentation. -</para> - -<para> -If you do not take the right steps, then every so often Win9x/Me will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win9x/Me machine. Hence, you will -occasionally notice things changing back to the original settings. -</para> + <sect2> + <title>Windows 9x/Me Policies</title> -<para> -Install the group policy handler for Win9x to pick up group policies. Look on the -Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. -Install group policies on a Win9x client by double-clicking -<filename>grouppol.inf</filename>. Log off and on again a couple of times and see -if Win98 picks up group policies. Unfortunately this needs to be done on every -Win9x/Me machine that uses group policies. 
-</para> - -</sect2> -<sect2> -<title>Windows NT4 Style Policy Files</title> - -<para> -To create or edit <filename>ntconfig.pol</filename> you must use the NT Server -Policy Editor, <command>poledit.exe</command> which is included with NT4 Server -but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4 -Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>. -Further, although the Windows 95 Policy Editor can be installed on an NT4 -Workstation/Server, it will not work with NT clients. However, the files from -the NT Server will run happily enough on an NT4 Workstation. -</para> - -<para> -You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. -It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename> -directory which is where the binary will look for them unless told otherwise. Note also that that -directory is normally 'hidden'. -</para> + <para> + You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. + It can be found on the Original full product Win98 installation CD under + <filename>tools/reskit/netadmin/poledit</filename>. Install this using the + Add/Remove Programs facility and then click on the 'Have Disk' tab. + </para> -<para> -The Windows NT policy editor is also included with the Service Pack 3 (and -later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>, -i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor, -<command>poledit.exe</command> and the associated template files (*.adm) should -be extracted as well. It is also possible to downloaded the policy template -files for Office97 and get a copy of the policy editor. Another possible -location is with the Zero Administration Kit available for download from Microsoft. 
-</para> + <para> + Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or the <filename>My Documents</filename> etc. Then save these + settings in a file called <filename>Config.POL</filename> that needs to be placed in the + root of the <parameter>[NETLOGON]</parameter> share. If Win98 is configured to log onto + the Samba Domain, it will automatically read this file and update the Win9x/Me registry + of the machine as it logs on. + </para> -<sect3> -<title>Registry Tattoos</title> + <para> + Further details are covered in the Win98 Resource Kit documentation. + </para> <para> - With NT4 style registry based policy changes, a large number of settings are not - automatically reversed as the user logs off. Since the settings that were in the - NTConfig.POL file were applied to the client machine registry and that apply to the - hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known - as tattooing. It can have serious consequences down-stream and the administrator must - be extremely careful not to lock out the ability to manage the machine at a later date. + If you do not take the right steps, then every so often Win9x/Me will check the + integrity of the registry and will restore it's settings from the back-up + copy of the registry it stores on each Win9x/Me machine. Hence, you will + occasionally notice things changing back to the original settings. </para> + <para> + Install the group policy handler for Win9x to pick up group policies. Look on the + Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. + Install group policies on a Win9x client by double-clicking + <filename>grouppol.inf</filename>. Log off and on again a couple of times and see + if Win98 picks up group policies. Unfortunately this needs to be done on every + Win9x/Me machine that uses group policies. 
+ </para> -</sect3> -</sect2> -<sect2> -<title>MS Windows 200x / XP Professional Policies</title> + </sect2> + <sect2> + <title>Windows NT4 Style Policy Files</title> -<para> -Windows NT4 System policies allows setting of registry parameters specific to -users, groups and computers (client workstations) that are members of the NT4 -style domain. Such policy file will work with MS Windows 2000 / XP clients also. -</para> + <para> + To create or edit <filename>ntconfig.pol</filename> you must use the NT Server + Policy Editor, <command>poledit.exe</command> which is included with NT4 Server + but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4 + Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>. + Further, although the Windows 95 Policy Editor can be installed on an NT4 + Workstation/Server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 Workstation. + </para> -<para> -New to MS Windows 2000 Microsoft introduced a new style of group policy that confers -a superset of capabilities compared with NT4 style policies. Obviously, the tool used -to create them is different, and the mechanism for implementing them is much changed. -</para> + <para> + You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>. + It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename> + directory which is where the binary will look for them unless told otherwise. Note also that that + directory is normally 'hidden'. + </para> -<para> -The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis> -in MS Windows 2000/XP Group Policy Objects (GPOs). 
The later includes ability to set various security -configurations, enforce Internet Explorer browser settings, change and redirect aspects of the -users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as -well as intrinsics of where menu items will appear in the Start menu). An additional new -feature is the ability to make available particular software Windows applications to particular -users and/or groups. -</para> + <para> + The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>, + i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor, + <command>poledit.exe</command> and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. + </para> -<para> -Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root -of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password -and selects the domain name to which the logon will attempt to take place. During the logon -process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating -server, modifies the local registry values according to the settings in this file. -</para> + <sect3> + <title>Registry Spoiling</title> -<para> -Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of -a Windows 200x policy file is stored in the Active Directory itself and the other part is stored -in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active -Directory domain controllers. 
The part that is stored in the Active Directory itself is called the -group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is -known as the group policy template (GPT). -</para> + <para> + With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </para> -<para> -With NT4 clients the policy file is read and executed upon only as each user logs onto the network. -MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine -startup (machine specific part) and when the user logs onto the network the user specific part -is applied. In MS Windows 200x style policy management each machine and/or user may be subject -to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows -the administrator to also set filters over the policy settings. No such equivalent capability -exists with NT4 style policy files. 
-</para> -<sect3> -<title>Administration of Win2K / XP Policies</title> + </sect3> + </sect2> + <sect2> + <title>MS Windows 200x / XP Professional Policies</title> -<title>Instructions</title> -<para> -Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the -executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console -(MMC) snap-in as follows:</para> -<procedure> -<step> -<para> -Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename> - and select the MMC snap-in called "Active Directory Users and Computers" -</para> -</step> + <para> + Windows NT4 System policies allows setting of registry parameters specific to + users, groups and computers (client workstations) that are members of the NT4 + style domain. Such policy file will work with MS Windows 2000 / XP clients also. + </para> -<step><para> -Select the domain or organizational unit (OU) that you wish to manage, then right click -to open the context menu for that object, select the properties item. -</para></step> + <para> + New to MS Windows 2000 Microsoft introduced a new style of group policy that confers + a superset of capabilities compared with NT4 style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much changed. + </para> -<step><para> -Now left click on the Group Policy tab, then left click on the New tab. Type a name -for the new policy you will create. -</para></step> + <para> + The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis> + in MS Windows 2000/XP Group Policy Objects (GPOs). 
The later includes ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users' desktop (including: the location of <filename>My Documents</filename> files (directory), as + well as intrinsics of where menu items will appear in the Start menu). An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. + </para> -<step><para> -Now left click on the Edit tab to commence the steps needed to create the GPO. -</para></step> -</procedure> + <para> + Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password + and selects the domain name to which the logon will attempt to take place. During the logon + process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating + server, modifies the local registry values according to the settings in this file. + </para> -<para> -All policy configuration options are controlled through the use of policy administrative -templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. -Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. -The later introduces many new features as well as extended definition capabilities. It is -well beyond the scope of this documentation to explain how to program .adm files, for that -the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular -version of MS Windows. -</para> + <para> + Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. 
This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the group policy template (GPT). + </para> -<note> -<para> -The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used -to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you -use this powerful tool. Please refer to the resource kit manuals for specific usage information. -</para> -</note> + <para> + With NT4 clients the policy file is read and executed upon only as each user logs onto the network. + MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine + startup (machine specific part) and when the user logs onto the network the user specific part + is applied. In MS Windows 200x style policy management each machine and/or user may be subject + to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4 style policy files. 
+ </para> -</sect3> -</sect2> + <sect3> + <title>Administration of Win2K / XP Policies</title> + + <para> + Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the + executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a + <application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para> + <procedure> + <step> + <para> + Go to the Windows 200x / XP menu <guimenu>Start->Programs->Administrative Tools</guimenu> + and select the MMC snap-in called <guimenuitem>Active Directory Users and Computers</guimenuitem> + </para> + </step> + + <step><para> + Select the domain or organizational unit (OU) that you wish to manage, then right click + to open the context menu for that object, select the properties item. + </para></step> + + <step><para> + Now left click on the <guilabel>Group Policy</guilabel> tab, then left click on the New tab. Type a name + for the new policy you will create. + </para></step> + + <step><para> + Now left click on the <guilabel>Edit</guilabel> tab to commence the steps needed to create the GPO. + </para></step> + </procedure> + + <para> + All policy configuration options are controlled through the use of policy administrative + templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. + Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x. + The later introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files, for that + the administrator is referred to the Microsoft Windows Resource Kit for your particular + version of MS Windows. + </para> + + <note> + <para> + The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used + to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. 
Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. + </para> + </note> + + </sect3> + </sect2> </sect1> <sect1> @@ -272,8 +314,8 @@ applied to the user's part of the registry. <para> MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory -itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>tatooing</emphasis> effect. -This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates. +itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect. +This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates. </para> <para> 
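Review bot: the sect3 title is renamed from "Registry Tattoos" to "Registry Spoiling", but the paragraph beneath it still ends with "This is known as tattooing.", so heading and body now disagree; use one term in both (the -272 hunk settles on "spoiling"). Several typos survive the re-indent and could be fixed while these lines are being touched anyway: "restore it's settings" (its), "It is also possible to downloaded" (download), and "The later includes ability" / "The later introduces" (latter) in the NT4-versus-200x comparison. "<acronym>(MMC)</acronym>" puts the parentheses inside the element; the usual DocBook form is (<acronym>MMC</acronym>). Removing the stray second <title>Instructions</title> from the Administration sect3 is a good catch, since a sect3 with two titles is not valid DocBook.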
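Review bot: in the -272 hunk, "The key benefit of using AS GPOs" looks like a typo for "AD GPOs" given that the sentence is about policies stored in Active Directory, and the hunk rewrites that very line without correcting it. The "tatooing" to "spoiling" change here is the one place the new term is introduced, so the Registry Spoiling section body should be updated to match it.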
@@ -293,27 +335,37 @@ Common restrictions that are frequently used includes: </simplelist> </para> -<sect2> -<title>With Windows NT4/200x</title> + <sect2> + <title>Samba Editreg Toolset</title> -<para> -The tools that may be used to configure these types of controls from the MS Windows environment are: -The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). -Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate -"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. -</para> -</sect2> + <para> + Describe in detail the benefits of <command>editreg</command> and how to use it. + </para> -<sect2> -<title>With a Samba PDC</title> + </sect2> -<para> -With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the -man pages for these tools and become familiar with their use. -</para> + <sect2> + <title>Windows NT4/200x</title> -</sect2> + <para> + The tools that may be used to configure these types of controls from the MS Windows environment are: + The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). + Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate + "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. + </para> + </sect2> + + <sect2> + <title>Samba PDC</title> + + <para> + With a Samba Domain Controller, the new tools for managing of user account and policy information includes: + <command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>. + The administrator should read the + man pages for these tools and become familiar with their use. + </para> + + </sect2> </sect1> <sect1> 
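Review bot: the new "Samba Editreg Toolset" sect2 contains only the author's to-do text ("Describe in detail the benefits of <command>editreg</command> and how to use it."), which will render verbatim in the published chapter. Either fill it in, mark it clearly as a placeholder, or leave the sect2 out until content exists, particularly since the introduction added in the -3 hunk already tells readers editreg is described here. Retitling the two following sections to "Windows NT4/200x" and "Samba PDC", and replacing the single <filename> holding four comma-separated tool names with individual <command> elements, are both improvements.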
@@ -342,7 +394,7 @@ reboot and as part of the user logon: </para></listitem> <listitem><para> - Execution of start-up scripts (hidden and synchronous by defaut). + Execution of start-up scripts (hidden and synchronous by default). </para></listitem> <listitem><para> @@ -354,7 +406,7 @@ reboot and as part of the user logon: </para></listitem> <listitem><para> - An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: + An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of: <simplelist> <member>Is user a domain member, thus subject to particular policies</member> @@ -381,4 +433,32 @@ reboot and as part of the user logon: </orderedlist> </sect1> + +<sect1> +<title>Common Errors</title> + +<para> +Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following +collection demonstrates only basic issues. +</para> + +<sect2> +<title>Policy Does Not Work</title> + +<para> +Question: We have created the <filename>config.pol</filename> file and put it in the <emphasis>NETLOGON</emphasis> share. +It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not +work any longer since we upgraded to Win XP Pro. Any hints? +</para> + +<para> +<emphasis>ANSWER:</emphasis> Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based +platforms. You need to use the NT4 Group Policy Editor to create a file called <filename>NTConfig.POL</filename> so that +it is in the correct format for your MS Windows XP Pro clients. +</para> + +</sect2> + +</sect1> + </chapter> |
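Review bot: in the new Common Errors section (-381 hunk), "IT worked fine with Win 98" should be "It worked fine". The answer refers to the "NT4 Group Policy Editor", whereas the rest of the chapter calls the same tool the NT Server Policy Editor, <command>poledit.exe</command>; using the chapter's existing name, and pointing at the "Windows NT4 Style Policy Files" section, saves the reader hunting for a differently named tool. The question/answer pair does usefully contrast <filename>config.pol</filename> with <filename>NTConfig.POL</filename>, which is the actual cause described.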