Diffstat (limited to 'docs/htmldocs/policymgmt.html')
-rw-r--r--  docs/htmldocs/policymgmt.html  758
1 files changed, 758 insertions, 0 deletions
diff --git a/docs/htmldocs/policymgmt.html b/docs/htmldocs/policymgmt.html new file mode 100644 index 0000000000..65f50dc0fb --- /dev/null +++ b/docs/htmldocs/policymgmt.html 
@@ -0,0 +1,758 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>System and Account Policies</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Advanced Network Manangement" +HREF="advancednetworkmanagement.html"><LINK +REL="NEXT" +TITLE="Desktop Profile Management" +HREF="profilemgmt.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="advancednetworkmanagement.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="profilemgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="POLICYMGMT" +></A +>Chapter 17. System and Account Policies</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>17.1. <A +HREF="policymgmt.html#AEN2959" +>Creating and Managing System Policies</A +></DT +><DD +><DL +><DT +>17.1.1. <A +HREF="policymgmt.html#AEN2973" +>Windows 9x/Me Policies</A +></DT +><DT +>17.1.2. <A +HREF="policymgmt.html#AEN2985" +>Windows NT4 Style Policy Files</A +></DT +><DT +>17.1.3. <A +HREF="policymgmt.html#AEN3003" +>MS Windows 200x / XP Professional Policies</A +></DT +></DL +></DD +><DT +>17.2. <A +HREF="policymgmt.html#AEN3031" +>Managing Account/User Policies</A +></DT +><DD +><DL +><DT +>17.2.1. 
<A +HREF="policymgmt.html#AEN3046" +>With Windows NT4/200x</A +></DT +><DT +>17.2.2. <A +HREF="policymgmt.html#AEN3049" +>With a Samba PDC</A +></DT +></DL +></DD +><DT +>17.3. <A +HREF="policymgmt.html#AEN3053" +>System Startup and Logon Processing Overview</A +></DT +></DL +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2959" +>17.1. Creating and Managing System Policies</A +></H1 +><P +>Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95) it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines.</P +><P +>For MS Windows 9x/Me this file must be called <TT +CLASS="FILENAME" +>Config.POL</TT +> and may +be generated using a tool called <TT +CLASS="FILENAME" +>poledit.exe</TT +>, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD, but +dissappeared again with the introduction of MS Windows Me (Millenium Edition). From +comments from MS Windows network administrators it would appear that this tool became +a part of the MS Windows Me Resource Kit.</P +><P +>MS Windows NT4 Server products include the <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>System Policy Editor</I +></SPAN +> +under the <TT +CLASS="FILENAME" +>Start -> Programs -> Administrative Tools</TT +> menu item. +For MS Windows NT4 and later clients this file must be called <TT +CLASS="FILENAME" +>NTConfig.POL</TT +>.</P +><P +>New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever changing landscape of Microsoft +methods for management of network access and security. 
Every new Microsoft product +or technology seems to obsolete the old rules and to introduce newer and more +complex tools and methods. To Microsoft's credit though, the MMC does appear to +be a step forward, but improved functionality comes at a great price.</P +><P +>Before embarking on the configuration of network and system policies it is highly +advisable to read the documentation available from Microsoft's web site regarding +<A +HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" +TARGET="_top" +>Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</A +> available from Microsoft. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft web site for "Group Policies".</P +><P +>What follows is a very brief discussion with some helpful notes. The information provided +here is incomplete - you are warned.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2973" +>17.1.1. Windows 9x/Me Policies</A +></H2 +><P +>You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. +It can be found on the Original full product Win98 installation CD under +<TT +CLASS="FILENAME" +>tools/reskit/netadmin/poledit</TT +>. Install this using the +Add/Remove Programs facility and then click on the 'Have Disk' tab.</P +><P +>Use the Group Policy Editor to create a policy file that specifies the location of +user profiles and/or the <TT +CLASS="FILENAME" +>My Documents</TT +> etc. stuff. Then +save these settings in a file called <TT +CLASS="FILENAME" +>Config.POL</TT +> that needs to +be placed in the root of the [NETLOGON] share. 
If Win98 is configured to log onto +the Samba Domain, it will automatically read this file and update the Win9x/Me registry +of the machine as it logs on.</P +><P +>Further details are covered in the Win98 Resource Kit documentation.</P +><P +>If you do not take the right steps, then every so often Win9x/Me will check the +integrity of the registry and will restore it's settings from the back-up +copy of the registry it stores on each Win9x/Me machine. Hence, you will +occasionally notice things changing back to the original settings.</P +><P +>Install the group policy handler for Win9x to pick up group policies. Look on the +Win98 CD in <TT +CLASS="FILENAME" +>\tools\reskit\netadmin\poledit</TT +>. +Install group policies on a Win9x client by double-clicking +<TT +CLASS="FILENAME" +>grouppol.inf</TT +>. Log off and on again a couple of times and see +if Win98 picks up group policies. Unfortunately this needs to be done on every +Win9x/Me machine that uses group policies.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2985" +>17.1.2. Windows NT4 Style Policy Files</A +></H2 +><P +>To create or edit <TT +CLASS="FILENAME" +>ntconfig.pol</TT +> you must use the NT Server +Policy Editor, <B +CLASS="COMMAND" +>poledit.exe</B +> which is included with NT4 Server +but <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>not NT Workstation</I +></SPAN +>. There is a Policy Editor on a NT4 +Workstation but it is not suitable for creating <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Domain Policies</I +></SPAN +>. +Further, although the Windows 95 Policy Editor can be installed on an NT4 +Workstation/Server, it will not work with NT clients. However, the files from +the NT Server will run happily enough on an NT4 Workstation.</P +><P +>You need <TT +CLASS="FILENAME" +>poledit.exe, common.adm</TT +> and <TT +CLASS="FILENAME" +>winnt.adm</TT +>. 
+It is convenient to put the two *.adm files in the <TT +CLASS="FILENAME" +>c:\winnt\inf</TT +> +directory which is where the binary will look for them unless told otherwise. Note also that that +directory is normally 'hidden'.</P +><P +>The Windows NT policy editor is also included with the Service Pack 3 (and +later) for Windows NT 4.0. Extract the files using <B +CLASS="COMMAND" +>servicepackname /x</B +>, +i.e. that's <B +CLASS="COMMAND" +>Nt4sp6ai.exe /x</B +> for service pack 6a. The policy editor, +<B +CLASS="COMMAND" +>poledit.exe</B +> and the associated template files (*.adm) should +be extracted as well. It is also possible to downloaded the policy template +files for Office97 and get a copy of the policy editor. Another possible +location is with the Zero Administration Kit available for download from Microsoft.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3000" +>17.1.2.1. Registry Tattoos</A +></H3 +><P +> With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </P +></DIV +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3003" +>17.1.3. MS Windows 200x / XP Professional Policies</A +></H2 +><P +>Windows NT4 System policies allows setting of registry parameters specific to +users, groups and computers (client workstations) that are members of the NT4 +style domain. 
Such policy file will work with MS Windows 2000 / XP clients also.</P +><P +>New to MS Windows 2000 Microsoft introduced a new style of group policy that confers +a superset of capabilities compared with NT4 style policies. Obviously, the tool used +to create them is different, and the mechanism for implementing them is much changed.</P +><P +>The older NT4 style registry based policies are known as <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Administrative Templates</I +></SPAN +> +in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security +configurations, enforce Internet Explorer browser settings, change and redirect aspects of the +users' desktop (including: the location of <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>My Documents</I +></SPAN +> files (directory), as +well as intrinsics of where menu items will appear in the Start menu). An additional new +feature is the ability to make available particular software Windows applications to particular +users and/or groups.</P +><P +>Remember: NT4 policy files are named <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> and are stored in the root +of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password +and selects the domain name to which the logon will attempt to take place. During the logon +process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating +server, modifies the local registry values according to the settings in this file.</P +><P +>Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of +a Windows 200x policy file is stored in the Active Directory itself and the other part is stored +in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active +Directory domain controllers. 
The part that is stored in the Active Directory itself is called the +group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is +known as the group policy template (GPT).</P +><P +>With NT4 clients the policy file is read and executed upon only aas each user log onto the network. +MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine +startup (machine specific part) and when the user logs onto the network the user specific part +is applied. In MS Windows 200x style policy management each machine and/or user may be subject +to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows +the administrator to also set filters over the policy settings. No such equivalent capability +exists with NT4 style policy files.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN3014" +>17.1.3.1. Administration of Win2K / XP Policies</A +></H3 +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><P +>Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the +executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console +(MMC) snap-in as follows:</P +><OL +TYPE="1" +><LI +><P +>Go to the Windows 200x / XP menu <TT +CLASS="FILENAME" +>Start->Programs->Administrative Tools</TT +> + and select the MMC snap-in called "Active Directory Users and Computers"</P +></LI +><LI +><P +>Select the domain or organizational unit (OU) that you wish to manage, then right click +to open the context menu for that object, select the properties item.</P +></LI +><LI +><P +>Now left click on the Group Policy tab, then left click on the New tab. 
Type a name +for the new policy you will create.</P +></LI +><LI +><P +>Now left click on the Edit tab to commence the steps needed to create the GPO.</P +></LI +></OL +></DIV +><P +>All policy configuration options are controlled through the use of policy administrative +templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. +Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. +The later introduces many new features as well as extended definition capabilities. It is +well beyond the scope of this documentation to explain how to program .adm files, for that +the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular +version of MS Windows.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used +to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you +use this powerful tool. Please refer to the resource kit manuals for specific usage information.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3031" +>17.2. Managing Account/User Policies</A +></H1 +><P +>Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary.</P +><P +>If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. 
As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation.</P +><P +>When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry.</P +><P +>MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +> effect. +This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.</P +><P +>Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Logon Hours</TD +></TR +><TR +><TD +>Password Aging</TD +></TR +><TR +><TD +>Permitted Logon from certain machines only</TD +></TR +><TR +><TD +>Account type (Local or Global)</TD +></TR +><TR +><TD +>User Rights</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3046" +>17.2.1. 
With Windows NT4/200x</A +></H2 +><P +>The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.</P +></DIV +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN3049" +>17.2.2. With a Samba PDC</A +></H2 +><P +>With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +<TT +CLASS="FILENAME" +>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</TT +>. The administrator should read the +man pages for these tools and become familiar with their use.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN3053" +>17.3. System Startup and Logon Processing Overview</A +></H1 +><P +>The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start + </P +></LI +><LI +><P +> Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Apply to the location of machines in a Directory</TD +></TR +><TR +><TD +>Apply only when settings have changed</TD +></TR +><TR +><TD +>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</TD +></TR +></TBODY +></TABLE +><P +></P +> + No desktop user interface is presented until the above have been processed. 
+ </P +></LI +><LI +><P +> Execution of start-up scripts (hidden and synchronous by defaut). + </P +></LI +><LI +><P +> A keyboard action to affect start of logon (Ctrl-Alt-Del). + </P +></LI +><LI +><P +> User credentials are validated, User profile is loaded (depends on policy settings). + </P +></LI +><LI +><P +> An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: + +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Is user a domain member, thus subject to particular policies</TD +></TR +><TR +><TD +>Loopback enablement, and the state of the loopback policy (Merge or Replace)</TD +></TR +><TR +><TD +>Location of the Active Directory itself</TD +></TR +><TR +><TD +>Has the list of GPOs changed. No processing is needed if not changed.</TD +></TR +></TBODY +></TABLE +><P +></P +> + </P +></LI +><LI +><P +> User Policies are applied from Active Directory. Note: There are several types. + </P +></LI +><LI +><P +> Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. + </P +></LI +><LI +><P +> The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. 
+ </P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="advancednetworkmanagement.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="profilemgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Advanced Network Manangement</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Desktop Profile Management</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |
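Review bot: the NOTE box in section 17.1.3.1 hard-codes a build-host path for its icon, `SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"`, so the image is broken on every host where that path does not exist; either copy note.gif into docs/htmldocs and reference it relatively, or point the DSSSL stylesheet at a relative image directory before committing generated HTML. The rendered text and navigation also carry a number of spelling errors that should be fixed in the DocBook source this page is generated from rather than in this output file: "Advanced Network Manangement" (in the PREVIOUS link TITLE and again in the footer table), "dissappeared", "Millenium", "concurently", "interchangible", "adminsitrator", "tatooing", "advanage", "Inaddition", "Managment", "approapriate", "defaut", "respsect", "not not necessary", "like and NT4 Domain", and "The later" where "The latter" is meant (twice). Two sentences are grammatically broken as well: in 17.2, "When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain controller for the presence of the NTConfig.POL file" has no main verb (the client checks the NETLOGON share for the file), and in 17.1.3 "read and executed upon only aas each user log onto the network" should read "only as each user logs onto the network". Finally, the file is committed without a trailing newline ("\ No newline at end of file"); the generator run that produces docs/htmldocs should be fixed so that regenerating the page does not produce a spurious whitespace diff every time.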