Diffstat (limited to 'docs/htmldocs/policymgmt.html')
-rw-r--r-- | docs/htmldocs/policymgmt.html | 758 |
1 files changed, 0 insertions, 758 deletions
diff --git a/docs/htmldocs/policymgmt.html b/docs/htmldocs/policymgmt.html deleted file mode 100644 index 5d0c9b19f9..0000000000 --- a/docs/htmldocs/policymgmt.html +++ /dev/null 
@@ -1,758 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->System and Account Policies</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Advanced Configuration" -HREF="optional.html"><LINK -REL="PREVIOUS" -TITLE="Advanced Network Manangement" -HREF="advancednetworkmanagement.html"><LINK -REL="NEXT" -TITLE="Desktop Profile Management" -HREF="profilemgmt.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="advancednetworkmanagement.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="profilemgmt.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="POLICYMGMT" -></A ->Chapter 17. System and Account Policies</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->17.1. <A -HREF="policymgmt.html#AEN2958" ->Creating and Managing System Policies</A -></DT -><DD -><DL -><DT ->17.1.1. <A -HREF="policymgmt.html#AEN2972" ->Windows 9x/Me Policies</A -></DT -><DT ->17.1.2. <A -HREF="policymgmt.html#AEN2984" ->Windows NT4 Style Policy Files</A -></DT -><DT ->17.1.3. <A -HREF="policymgmt.html#AEN3002" ->MS Windows 200x / XP Professional Policies</A -></DT -></DL -></DD -><DT ->17.2. <A -HREF="policymgmt.html#AEN3030" ->Managing Account/User Policies</A -></DT -><DD -><DL -><DT ->17.2.1. 
<A -HREF="policymgmt.html#AEN3045" ->With Windows NT4/200x</A -></DT -><DT ->17.2.2. <A -HREF="policymgmt.html#AEN3048" ->With a Samba PDC</A -></DT -></DL -></DD -><DT ->17.3. <A -HREF="policymgmt.html#AEN3052" ->System Startup and Logon Processing Overview</A -></DT -></DL -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN2958" ->17.1. Creating and Managing System Policies</A -></H1 -><P ->Under MS Windows platforms, particularly those following the release of MS Windows -NT4 and MS Windows 95) it is possible to create a type of file that would be placed -in the NETLOGON share of a domain controller. As the client logs onto the network -this file is read and the contents initiate changes to the registry of the client -machine. This file allows changes to be made to those parts of the registry that -affect users, groups of users, or machines.</P -><P ->For MS Windows 9x/Me this file must be called <TT -CLASS="FILENAME" ->Config.POL</TT -> and may -be generated using a tool called <TT -CLASS="FILENAME" ->poledit.exe</TT ->, better known as the -Policy Editor. The policy editor was provided on the Windows 98 installation CD, but -dissappeared again with the introduction of MS Windows Me (Millenium Edition). From -comments from MS Windows network administrators it would appear that this tool became -a part of the MS Windows Me Resource Kit.</P -><P ->MS Windows NT4 Server products include the <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->System Policy Editor</I -></SPAN -> -under the <TT -CLASS="FILENAME" ->Start -> Programs -> Administrative Tools</TT -> menu item. -For MS Windows NT4 and later clients this file must be called <TT -CLASS="FILENAME" ->NTConfig.POL</TT ->.</P -><P ->New with the introduction of MS Windows 2000 was the Microsoft Management Console -or MMC. This tool is the new wave in the ever changing landscape of Microsoft -methods for management of network access and security. 
Every new Microsoft product -or technology seems to obsolete the old rules and to introduce newer and more -complex tools and methods. To Microsoft's credit though, the MMC does appear to -be a step forward, but improved functionality comes at a great price.</P -><P ->Before embarking on the configuration of network and system policies it is highly -advisable to read the documentation available from Microsoft's web site regarding -<A -HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" -TARGET="_top" ->Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</A -> available from Microsoft. -There are a large number of documents in addition to this old one that should also -be read and understood. Try searching on the Microsoft web site for "Group Policies".</P -><P ->What follows is a very brief discussion with some helpful notes. The information provided -here is incomplete - you are warned.</P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN2972" ->17.1.1. Windows 9x/Me Policies</A -></H2 -><P ->You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. -It can be found on the Original full product Win98 installation CD under -<TT -CLASS="FILENAME" ->tools/reskit/netadmin/poledit</TT ->. Install this using the -Add/Remove Programs facility and then click on the 'Have Disk' tab.</P -><P ->Use the Group Policy Editor to create a policy file that specifies the location of -user profiles and/or the <TT -CLASS="FILENAME" ->My Documents</TT -> etc. stuff. Then -save these settings in a file called <TT -CLASS="FILENAME" ->Config.POL</TT -> that needs to -be placed in the root of the [NETLOGON] share. 
If Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine as it logs on.</P -><P ->Further details are covered in the Win98 Resource Kit documentation.</P -><P ->If you do not take the right steps, then every so often Win9x/Me will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win9x/Me machine. Hence, you will -occasionally notice things changing back to the original settings.</P -><P ->Install the group policy handler for Win9x to pick up group policies. Look on the -Win98 CD in <TT -CLASS="FILENAME" ->\tools\reskit\netadmin\poledit</TT ->. -Install group policies on a Win9x client by double-clicking -<TT -CLASS="FILENAME" ->grouppol.inf</TT ->. Log off and on again a couple of times and see -if Win98 picks up group policies. Unfortunately this needs to be done on every -Win9x/Me machine that uses group policies.</P -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN2984" ->17.1.2. Windows NT4 Style Policy Files</A -></H2 -><P ->To create or edit <TT -CLASS="FILENAME" ->ntconfig.pol</TT -> you must use the NT Server -Policy Editor, <B -CLASS="COMMAND" ->poledit.exe</B -> which is included with NT4 Server -but <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->not NT Workstation</I -></SPAN ->. There is a Policy Editor on a NT4 -Workstation but it is not suitable for creating <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Domain Policies</I -></SPAN ->. -Further, although the Windows 95 Policy Editor can be installed on an NT4 -Workstation/Server, it will not work with NT clients. However, the files from -the NT Server will run happily enough on an NT4 Workstation.</P -><P ->You need <TT -CLASS="FILENAME" ->poledit.exe, common.adm</TT -> and <TT -CLASS="FILENAME" ->winnt.adm</TT ->. 
-It is convenient to put the two *.adm files in the <TT -CLASS="FILENAME" ->c:\winnt\inf</TT -> -directory which is where the binary will look for them unless told otherwise. Note also that that -directory is normally 'hidden'.</P -><P ->The Windows NT policy editor is also included with the Service Pack 3 (and -later) for Windows NT 4.0. Extract the files using <B -CLASS="COMMAND" ->servicepackname /x</B ->, -i.e. that's <B -CLASS="COMMAND" ->Nt4sp6ai.exe /x</B -> for service pack 6a. The policy editor, -<B -CLASS="COMMAND" ->poledit.exe</B -> and the associated template files (*.adm) should -be extracted as well. It is also possible to downloaded the policy template -files for Office97 and get a copy of the policy editor. Another possible -location is with the Zero Administration Kit available for download from Microsoft.</P -><DIV -CLASS="SECT3" -><H3 -CLASS="SECT3" -><A -NAME="AEN2999" ->17.1.2.1. Registry Tattoos</A -></H3 -><P -> With NT4 style registry based policy changes, a large number of settings are not - automatically reversed as the user logs off. Since the settings that were in the - NTConfig.POL file were applied to the client machine registry and that apply to the - hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known - as tattooing. It can have serious consequences down-stream and the administrator must - be extremely careful not to lock out the ability to manage the machine at a later date. - </P -></DIV -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3002" ->17.1.3. MS Windows 200x / XP Professional Policies</A -></H2 -><P ->Windows NT4 System policies allows setting of registry parameters specific to -users, groups and computers (client workstations) that are members of the NT4 -style domain. 
Such policy file will work with MS Windows 2000 / XP clients also.</P -><P ->New to MS Windows 2000 Microsoft introduced a new style of group policy that confers -a superset of capabilities compared with NT4 style policies. Obviously, the tool used -to create them is different, and the mechanism for implementing them is much changed.</P -><P ->The older NT4 style registry based policies are known as <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Administrative Templates</I -></SPAN -> -in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security -configurations, enforce Internet Explorer browser settings, change and redirect aspects of the -users' desktop (including: the location of <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->My Documents</I -></SPAN -> files (directory), as -well as intrinsics of where menu items will appear in the Start menu). An additional new -feature is the ability to make available particular software Windows applications to particular -users and/or groups.</P -><P ->Remember: NT4 policy files are named <TT -CLASS="FILENAME" ->NTConfig.POL</TT -> and are stored in the root -of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password -and selects the domain name to which the logon will attempt to take place. During the logon -process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating -server, modifies the local registry values according to the settings in this file.</P -><P ->Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of -a Windows 200x policy file is stored in the Active Directory itself and the other part is stored -in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active -Directory domain controllers. 
The part that is stored in the Active Directory itself is called the -group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is -known as the group policy template (GPT).</P -><P ->With NT4 clients the policy file is read and executed upon only aas each user log onto the network. -MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine -startup (machine specific part) and when the user logs onto the network the user specific part -is applied. In MS Windows 200x style policy management each machine and/or user may be subject -to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows -the administrator to also set filters over the policy settings. No such equivalent capability -exists with NT4 style policy files.</P -><DIV -CLASS="SECT3" -><H3 -CLASS="SECT3" -><A -NAME="AEN3013" ->17.1.3.1. Administration of Win2K / XP Policies</A -></H3 -><DIV -CLASS="PROCEDURE" -><P -><B ->Instructions</B -></P -><P ->Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the -executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console -(MMC) snap-in as follows:</P -><OL -TYPE="1" -><LI -><P ->Go to the Windows 200x / XP menu <TT -CLASS="FILENAME" ->Start->Programs->Administrative Tools</TT -> - and select the MMC snap-in called "Active Directory Users and Computers"</P -></LI -><LI -><P ->Select the domain or organizational unit (OU) that you wish to manage, then right click -to open the context menu for that object, select the properties item.</P -></LI -><LI -><P ->Now left click on the Group Policy tab, then left click on the New tab. 
Type a name -for the new policy you will create.</P -></LI -><LI -><P ->Now left click on the Edit tab to commence the steps needed to create the GPO.</P -></LI -></OL -></DIV -><P ->All policy configuration options are controlled through the use of policy administrative -templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. -Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. -The later introduces many new features as well as extended definition capabilities. It is -well beyond the scope of this documentation to explain how to program .adm files, for that -the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular -version of MS Windows.</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used -to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you -use this powerful tool. Please refer to the resource kit manuals for specific usage information.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3030" ->17.2. Managing Account/User Policies</A -></H1 -><P ->Policies can define a specific user's settings or the settings for a group of users. The resulting -policy file contains the registry settings for all users, groups, and computers that will be using -the policy file. Separate policy files for each user, group, or computer are not not necessary.</P -><P ->If you create a policy that will be automatically downloaded from validating domain controllers, -you should name the file NTconfig.POL. 
As system administrator, you have the option of renaming the -policy file and, by modifying the Windows NT-based workstation, directing the computer to update -the policy from a manual path. You can do this by either manually changing the registry or by using -the System Policy Editor. This path can even be a local path such that each machine has its own policy file, -but if a change is necessary to all machines, this change must be made individually to each workstation.</P -><P ->When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain -controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then -applied to the user's part of the registry.</P -><P ->MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, -acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory -itself. The key benefit of using AS GPOs is that they impose no registry <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->tatooing</I -></SPAN -> effect. -This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.</P -><P ->Inaddition to user access controls that may be imposed or applied via system and/or group policies -in a manner that works in conjunction with user profiles, the user management environment under -MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. -Common restrictions that are frequently used includes:</P -><P -><P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Logon Hours</TD -></TR -><TR -><TD ->Password Aging</TD -></TR -><TR -><TD ->Permitted Logon from certain machines only</TD -></TR -><TR -><TD ->Account type (Local or Global)</TD -></TR -><TR -><TD ->User Rights</TD -></TR -></TBODY -></TABLE -><P -></P -></P -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3045" ->17.2.1. 
With Windows NT4/200x</A -></H2 -><P ->The tools that may be used to configure these types of controls from the MS Windows environment are: -The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). -Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate -"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.</P -></DIV -><DIV -CLASS="SECT2" -><H2 -CLASS="SECT2" -><A -NAME="AEN3048" ->17.2.2. With a Samba PDC</A -></H2 -><P ->With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -<TT -CLASS="FILENAME" ->smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</TT ->. The administrator should read the -man pages for these tools and become familiar with their use.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN3052" ->17.3. System Startup and Logon Processing Overview</A -></H1 -><P ->The following attempts to document the order of processing of system and user policies following a system -reboot and as part of the user logon:</P -><P -></P -><OL -TYPE="1" -><LI -><P -> Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming - Convention Provider (MUP) start - </P -></LI -><LI -><P -> Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded - and applied. The list may include GPOs that: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Apply to the location of machines in a Directory</TD -></TR -><TR -><TD ->Apply only when settings have changed</TD -></TR -><TR -><TD ->Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</TD -></TR -></TBODY -></TABLE -><P -></P -> - No desktop user interface is presented until the above have been processed. 
- </P -></LI -><LI -><P -> Execution of start-up scripts (hidden and synchronous by defaut). - </P -></LI -><LI -><P -> A keyboard action to affect start of logon (Ctrl-Alt-Del). - </P -></LI -><LI -><P -> User credentials are validated, User profile is loaded (depends on policy settings). - </P -></LI -><LI -><P -> An ordered list of User GPOs is obtained. The list contents depends on what is configured in respsect of: - -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->Is user a domain member, thus subject to particular policies</TD -></TR -><TR -><TD ->Loopback enablement, and the state of the loopback policy (Merge or Replace)</TD -></TR -><TR -><TD ->Location of the Active Directory itself</TD -></TR -><TR -><TD ->Has the list of GPOs changed. No processing is needed if not changed.</TD -></TR -></TBODY -></TABLE -><P -></P -> - </P -></LI -><LI -><P -> User Policies are applied from Active Directory. Note: There are several types. - </P -></LI -><LI -><P -> Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group - Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal - window. - </P -></LI -><LI -><P -> The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 - Domain) machine (system) policies are applied at start-up, User policies are applied at logon. 
- </P -></LI -></OL -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="advancednetworkmanagement.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="profilemgmt.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Advanced Network Manangement</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="optional.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Desktop Profile Management</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
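Review bot: deleting docs/htmldocs/policymgmt.html outright leaves dangling navigation in its neighbours unless they change in the same commit: the page's own NAVHEADER and NAVFOOTER link to advancednetworkmanagement.html (Prev), profilemgmt.html (Next), optional.html (Up) and samba-howto-collection.html (Home), so those sibling pages carry the reverse Prev/Next links and the collection's table of contents carries the "Chapter 17. System and Account Policies" entry with its anchors (AEN2958, AEN3030, AEN3052). The diffstat is limited to this one file, so that cannot be checked here; please confirm the sibling htmldocs and the DocBook source this file was generated from are updated alongside it, or that the htmldocs directory is being dropped as a whole and regenerated at build time. The latter is the better outcome: the file is clearly generator output checked into the tree, with the build host's absolute path baked into the note icon (SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif") and a missing trailing newline, which is exactly the kind of artifact that should come from the build rather than from version control.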