From 0110102cd895602655615aae1d08240d9f3328a5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 5 Apr 2003 23:27:47 +0000 Subject: Filling in more blanks. (This used to be commit 689b8e960dd8d8cdd5b01d493b14429624f437aa) --- docs/docbook/projdoc/PolicyMgmt.sgml | 56 ++++-- docs/docbook/projdoc/ProfileMgmt.sgml | 345 ++++++++++++++++++++++++++-------- 2 files changed, 309 insertions(+), 92 deletions(-) diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 9dee288b1f..867f5740e7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml 
@@ -248,40 +248,68 @@ use this powerful tool. Please refer to the resource kit manuals for specific us Managing Account/User Policies -Document what are user policies (ie: Account Policies) here. +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary. - -With Windows NT4/200x + +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation. + -Brief overview of the tools and how to use them. +When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry. - -Windows NT4 Tools + +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry tatooing effect. +This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates. + -Blah, blah, blah ... 
+Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes: - + + + Logon Hours + Password Aging + Permitted Logon from certain machines only + Account type (Local or Global) + User Rights + + - -Windows 200x Tools + +With Windows NT4/200x -Blah, blah, blah ... +The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. - - With a Samba PDC -Document the HOWTO here. +With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +smbpasswd, pdbedit, smbgroupedit, net, rpcclient.. The administrator should read the +man pages for these tools and become familiar with their use. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 8eded5e9fb..d894093c63 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -151,16 +151,16 @@ and deny them write access to this file. - + On the Windows 9x / Me machine, go to Control Panel -> Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot. - + - + On the Windows 9x / Me machine, go to Control Panel -> Network -> Client for Microsoft Networks -> Preferences. Select 'Log on to 
@@ -168,8 +168,7 @@ and deny them write access to this file. Microsoft Networks'. Press OK, and this time allow the computer to reboot. - - + @@ -228,13 +227,14 @@ they will be told that they are logging in "for the first time". - + instead of logging in under the [user, password, domain] dialog, press escape. - - + + + run the regedit.exe program, and look in: @@ -251,7 +251,7 @@ they will be told that they are logging in "for the first time". [Exit the registry editor]. - + 
@@ -362,52 +362,52 @@ profile on the MS Windows workstation as follows: - -Log on as the LOCAL workstation administrator. - - - -Right click on the 'My Computer' Icon, select 'Properties' - - - -Click on the 'User Profiles' tab - - - -Select the profile you wish to convert (click on it once) - - - -Click on the button 'Copy To' - - - -In the "Permitted to use" box, click on the 'Change' button. - - - -Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible. - + + Log on as the LOCAL workstation administrator. + + + + Right click on the 'My Computer' Icon, select 'Properties' + + + + Click on the 'User Profiles' tab + + + + Select the profile you wish to convert (click on it once) + + + + Click on the button 'Copy To' + + + + In the "Permitted to use" box, click on the 'Change' button. + + + + Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + -You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword. - + You will need to log on if a logon box opens up. Eg: In the connect + as: MIDEARTH\root, password: mypassword. + - -To make the profile capable of being used by anyone select 'Everyone' - + + To make the profile capable of being used by anyone select 'Everyone' + - -Click OK. The Selection box will close. - + + Click OK. The Selection box will close. + - -Now click on the 'Ok' button to create the profile in the path you -nominated. - + + Now click on the 'Ok' button to create the profile in the path you + nominated. + 
@@ -450,29 +450,29 @@ same way as a domain group policy): On the XP workstation log in with an Administrator account. -Click: "Start", "Run" -Type: "mmc" -Click: "OK" - -A Microsoft Management Console should appear. -Click: File, "Add/Remove Snap-in...", "Add" -Double-Click: "Group Policy" -Click: "Finish", "Close" -Click: "OK" - -In the "Console Root" window: -Expand: "Local Computer Policy", "Computer Configuration", -"Administrative Templates", "System", "User Profiles" -Double-Click: "Do not check for user ownership of Roaming Profile -Folders" -Select: "Enabled" -Click: OK" - -Close the whole console. You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed). - -Reboot + Click: "Start", "Run" + Type: "mmc" + Click: "OK" + + A Microsoft Management Console should appear. + Click: File, "Add/Remove Snap-in...", "Add" + Double-Click: "Group Policy" + Click: "Finish", "Close" + Click: "OK" + + In the "Console Root" window: + Expand: "Local Computer Policy", "Computer Configuration", + "Administrative Templates", "System", "User Profiles" + Double-Click: "Do not check for user ownership of Roaming Profile + Folders" + Select: "Enabled" + Click: OK" + + Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed). + + Reboot 
@@ -706,14 +706,186 @@ To modify the registry directly, launch the Registry Editor (regedit.exe), selec "User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. + +How User Profiles Are Handled in Windows 9x / Me? + +When a user logs on to a Windows 9x / Me machine, the local profile path, +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked +for an existing entry for that user: + + + +If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used. + + + +If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server. + + MS Windows NT4 Workstation -Document NT4 default profile handling stuff here! Someone - please contribute appropriate -material here. Email your contribution to jht@samba.org. +On MS Windows NT4 the default user profile is obtained from the location +%SystemRoot%\Profiles which in a default installation will translate to +C:\WinNT\Profiles. Under this directory on a clean install there will be +three (3) directories: Administrator, All Users, Default User. + + + +The All Users directory contains menu settings that are common across all +system users. 
The Default User directory contains menu entries that are +customisable per user depending on the profile settings chosen/created. + + + +When a new user first logs onto an MS Windows NT4 machine a new profile is created from: + + + + All Users settings + Default User settings (contains the default NTUser.DAT file) + + + +When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling: + + + + + + The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + %SystemRoot%\Profiles\%USERNAME%. This profile then inherits the + settings in the All Users profile in the %SystemRoot%\Profiles + location. + + + + + + If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% + directory from reading the Default User profile. + + + + + + If the NETLOGON share on the authenticating server (logon server) contains a policy file + (NTConfig.POL) then it's contents are applied to the NTUser.DAT + which is applied to the HKEY_CURRENT_USER part of the registry. + + + + + + When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The NTuser.DAT file is then + re-created from the contents of the HKEY_CURRENT_USER contents. + Thus, should there not exist in the NETLOGON share an NTConfig.POL at the + next logon, the effect of the provious NTConfig.POL will still be held + in the profile. The effect of this is known as tatooing. + + + + + +MS Windows NT4 profiles may be Local or Roaming. 
A Local profile +will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming profile will +also remain stored in the same way, unless the following registry key is created: + + + + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001 + + +In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be +deleted on logout. + + + +Under MS Windows NT4 default locations for common resources (like My Documents +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. + + + +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is: + + + + + HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\ + + + + +The above hive key contains a list of automatically managed folders. 
The default entries are: + + + + + Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + NetHood %USERPROFILE%\NetHood + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + + + + +The registry key that contains the location of the default profile settings is: + + + HKEY_LOCAL_MACHINE + \SOFTWARE + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders + + +The default entries are: + + + Common Desktop %SystemRoot%\Profiles\All Users\Desktop + Common Programs %SystemRoot%\Profiles\All Users\Programs + Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu + Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup + @@ -804,7 +976,7 @@ are controlled by entries on Windows 200x/XP is: HKEY_CURRENT_USER \Software \Microsoft - \Windows NT + \Windows \CurrentVersion \Explorer \User Shell Folders\ @@ -852,15 +1024,19 @@ write Outlook PST file over the network for every login and logout. -To set this to a network location you could use the followin examples: +To set this to a network location you could use the following examples: + %LOGONSERVER%\%USERNAME%\Default Folders + This would store the folders in the user's home directory under a directory called "Default Folders" You could also use: + \\SambaServer\FolderShare\%USERNAME% + in which case the default folders will be stored in the server named SambaServer in the share called FolderShare under a directory that has the name of the MS Windows 
@@ -872,6 +1048,19 @@ Please note that once you have created a default profile share, you MUST migrate (default or custom) to it. + +MS Windows 200x/XP profiles may be Local or Roaming. +A roaming profile will be cached locally unless the following registry key is created: + + + + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001 + + +In which case, the local cache copy will be deleted on logout. + -- cgit
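Review bot: in the PolicyMgmt.sgml hunk (@@ -248), the sentence "When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain controller for the presence of the NTConfig.POL file" has no verb; it should read "the client checks the NETLOGON share ... for the presence of". The same paragraph is also inconsistent with the one before it: the first says the policy file "contains the registry settings for all users, groups, and computers", the second says the file "is applied to the user's part of the registry". The computer section of NTConfig.POL is written to HKEY_LOCAL_MACHINE, so the second sentence should say both hives. Because every domain client applies whatever NTConfig.POL it finds on NETLOGON at logon, this section should also state that the share must be writable only by administrators (on a Samba domain controller, `read only = yes` plus a `write list` of the admin accounts on the [netlogon] share), otherwise any user who can write there can push registry settings to every machine in the domain. Spelling and wording to fix while here: "not not necessary", "AS GPOs" (should be "AD GPOs"), "tatooing" (tattooing), "advanage", "Inaddition", "Common restrictions that are frequently used includes" (include), "Managment", "approapriate", and the stray double period after "rpcclient".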
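Review bot: the re-indented profile-conversion steps in ProfileMgmt.sgml (@@ -362) need a caveat at "To make the profile capable of being used by anyone select 'Everyone'". The "Permitted to use" box sets the permissions on the copied profile, so choosing Everyone makes the profile directory and its NTUser.DAT readable and writable by every account that can reach the share. That is appropriate for a shared default profile, which is what the step describes, but for a per-user migration the text should say to pick that user (or a group) instead. Since the hunk already touches every line of this list, the sample credentials "MIDEARTH\root, password: mypassword" could be marked as placeholders in the same pass.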
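Review bot: in the XP group-policy steps (@@ -450) the line `Click: OK"` is missing its opening quote (it was already wrong before the re-indent, but every line of the block is touched here, so fix it). More importantly, the procedure enables "Do not check for user ownership of Roaming Profile Folders" without saying why or what it costs: with the check disabled, XP will load a roaming profile from a directory that is not owned by the user, so the doc should say which Samba profile-share setups need this and that the profile share's file permissions must then be what keeps each user's profile directory private.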
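Review bot: the registry path given for DeleteRoamingCache in the NT4 section (@@ -706) is wrong. `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\` does not exist; the value lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. The logon-sequence list in the same hunk says the NTConfig.POL contents "are applied to the NTUser.DAT which is applied to the HKEY_CURRENT_USER part of the registry"; the computer section of the policy file is applied to HKEY_LOCAL_MACHINE as well, and the tattooing paragraph that follows should say that those machine settings persist in the same way. The folder-redirection paragraph uses "My Documents" as its example, but the table of default User Shell Folders entries that follows has no corresponding entry (on NT4 that value is "Personal"), so either add it to the table or change the example. Wording and spelling in this hunk: "it's contents" and "at it's location" (its), "provious", "tatooing", "A Local profile will stored" (will be stored), the unclosed parenthesis in "(like My Documents", "These changes may be affected via" (effected), the unclosed parenthesis in "(to do so may require that you create your owns template extension" (your own), "Common Startu p", and "Progams".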
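Review bot: in the default-folder examples (@@ -852), the explanation under `%LOGONSERVER%\%USERNAME%\Default Folders` says this "would store the folders in the user's home directory". %LOGONSERVER% expands to \\servername, so the path actually names a share called after the user on the logon server, and it is the user's home directory only if such a per-user share exists there (Samba's [homes] share provides one). The text should state that assumption. Minor: "stored in the server named SambaServer" should be "stored on the server".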
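Review bot: the new 200x/XP DeleteRoamingCache paragraph (@@ -872) repeats the wrong hive path, `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\`; the key is under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. Keep this block and the NT4 one in the same file consistent. On 200x/XP this setting is also exposed as the group policy "Delete cached copies of roaming profiles" under Computer Configuration, Administrative Templates, System, User Profiles, so the paragraph could point at the MMC procedure already given earlier in this file instead of asking readers to edit the registry by hand.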