Diffstat (limited to 'docs/docbook/projdoc/PolicyMgmt.sgml')
-rw-r--r-- docs/docbook/projdoc/PolicyMgmt.sgml 56
1 files changed, 42 insertions, 14 deletions
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml
index 9dee288b1f..867f5740e7 100644
--- a/docs/docbook/projdoc/PolicyMgmt.sgml
+++ b/docs/docbook/projdoc/PolicyMgmt.sgml
@@ -248,40 +248,68 @@ use this powerful tool. Please refer to the resource kit manuals for specific us
<title>Managing Account/User Policies</title>
<para>
-Document what are user policies (ie: Account Policies) here.
+Policies can define a specific user's settings or the settings for a group of users. The resulting
+policy file contains the registry settings for all users, groups, and computers that will be using
+the policy file. Separate policy files for each user, group, or computer are not not necessary.
</para>
-<sect2>
-<title>With Windows NT4/200x</title>
+<para>
+If you create a policy that will be automatically downloaded from validating domain controllers,
+you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
+policy file and, by modifying the Windows NT-based workstation, directing the computer to update
+the policy from a manual path. You can do this by either manually changing the registry or by using
+the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
+but if a change is necessary to all machines, this change must be made individually to each workstation.
+</para>
<para>
-Brief overview of the tools and how to use them.
+When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
+controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
+applied to the user's part of the registry.
</para>
-<sect3>
-<title>Windows NT4 Tools</title>
+<para>
+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
+acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
+itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>tatooing</emphasis> effect.
+This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
+</para>
<para>
-Blah, blah, blah ...
+Inaddition to user access controls that may be imposed or applied via system and/or group policies
+in a manner that works in conjunction with user profiles, the user management environment under
+MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
+Common restrictions that are frequently used includes:
</para>
-</sect3>
+<para>
+<simplelist>
+ <member>Logon Hours</member>
+ <member>Password Aging</member>
+ <member>Permitted Logon from certain machines only</member>
+ <member>Account type (Local or Global)</member>
+ <member>User Rights</member>
+</simplelist>
+</para>
-<sect3>
-<title>Windows 200x Tools</title>
+<sect2>
+<title>With Windows NT4/200x</title>
<para>
-Blah, blah, blah ...
+The tools that may be used to configure these types of controls from the MS Windows environment are:
+The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
+Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
+"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
</para>
-
-</sect3>
</sect2>
<sect2>
<title>With a Samba PDC</title>
<para>
-Document the HOWTO here.
+With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
+<filename>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</filename>. The administrator should read the
+man pages for these tools and become familiar with their use.
</para>
</sect1>
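Review bot: The added paragraph beginning "When a Windows NT4/200x/XP machine logs onto the network" has no verb in its first sentence, so the one place that describes how the client picks up policy from the NETLOGON share does not actually say so. Something like "...logs onto the network, the client checks the NETLOGON share on the authenticating domain controller for the presence of the NTConfig.POL file" would fix it. The file name is also spelled two ways in the added text (NTconfig.POL and NTConfig.POL); pick one and wrap it in <filename>. In the Samba PDC paragraph, "<filename>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</filename>." puts five commands and a full stop inside a single filename element and leaves a doubled period; mark each tool up separately (<command> fits better than <filename>). "The key benefit of using AS GPOs" presumably means AD GPOs, given the Active Directory reference in the line before. Remaining typos in the added lines: "not not necessary", "tatooing", "advanage", "Inaddition", "Managment", "approapriate", the stray comma after "additionally", and "includes" with a plural subject (twice).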