From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Tue, 22 Apr 2008 10:09:40 -0500 Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14) --- docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml | 607 +++++++++++++++++++++++++++ 1 file changed, 607 insertions(+) create mode 100644 docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml (limited to 'docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml') diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml b/docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml new file mode 100644 index 0000000000..0e8b1ef229 --- /dev/null +++ b/docs-xml/Samba3-HOWTO/TOSHARG-PolicyMgmt.xml 
@@ -0,0 +1,607 @@ + + + + + &author.jht; + April 3 2003 + + +System and Account Policies + + +validation +This chapter summarizes the current state of knowledge derived from personal +practice and knowledge from Samba mailing list subscribers. Before reproduction +of posted information, every effort has been made to validate the information given. +Where additional information was uncovered through this validation, it is provided +also. + + + +Features and Benefits + + +Group Policies +users +groups +When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement +Group Policies for users and groups. Then along came MS Windows NT4 and a few sites +started to adopt this capability. How do we know that? By the number of boo-boos +(or mistakes) administrators made and then requested help to resolve. + + + +group policies +Group Policy ObjectsGPO +GPOs +ADS +group policy objectsGPOs +By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually make happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was obvious from the Samba +mailing list back in 2000 and 2001 when there were few postings regarding GPOs and +how to replicate them in a Samba environment. + + + +exploit opportunities +Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. 
+ + + + + +Creating and Managing System Policies + + +NETLOGON +domain controller +registry +affect users +Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95, it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network, +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines. + + + +Config.POL +poledit.exe +policy editor +For MS Windows 9x/Me, this file must be called Config.POL and may +be generated using a tool called poledit.exe, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but +disappeared again with the introduction of MS Windows Me. From +comments of MS Windows network administrators, it would appear that this tool became +a part of the MS Windows Me Resource Kit. + + + +System Policy Editor +MS Windows NT4 server products include the System Policy Editor +under Start -> Programs -> Administrative Tools. +For MS Windows NT4 and later clients, this file must be called NTConfig.POL. + + + +MMC +New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever-changing landscape of Microsoft +methods for management of network access and security. Every new Microsoft product +or technology seems to make the old rules obsolete and introduces newer and more +complex tools and methods. To Microsoft's credit, the MMC does appear to +be a step forward, but improved functionality comes at a great price. 
+ + + +network policies +system policies +Profiles +Policies +Before embarking on the configuration of network and system policies, it is highly +advisable to read the documentation available from Microsoft's Web site regarding + +Implementing Profiles and Policies in Windows NT 4.0. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft Web site for Group Policies. + + + +What follows is a brief discussion with some helpful notes. The information provided +here is incomplete &smbmdash; you are warned. + + + + Windows 9x/ME Policies + + +Group Policy Editor +tools\reskit\netadmin\poledit + You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me. + It can be found on the original full-product Windows 98 installation CD-ROM under + tools\reskit\netadmin\poledit. Install this using the + Add/Remove Programs facility, and then click on Have Disk. + + + + +NTConfig.POL +Config.POL + Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or My Documents, and so on. Then save these + settings in a file called Config.POL that needs to be placed in the + root of the share. If Windows 98 is configured to log onto + the Samba domain, it will automatically read this file and update the Windows 9x/Me registry + of the machine as it logs on. + + + + Further details are covered in the Windows 98 Resource Kit documentation. + + + +registry + If you do not take the correct steps, then every so often Windows 9x/Me will check the + integrity of the registry and restore its settings from the backup + copy of the registry it stores on each Windows 9x/Me machine. So, you will + occasionally notice things changing back to the original settings. + + + +grouppol.inf +Group Policy + Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the + Windows 98 CD-ROM in \tools\reskit\netadmin\poledit. 
+ Install Group Policies on a Windows 9x/Me client by double-clicking on + grouppol.inf. Log off and on again a couple of times and see + if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every + Windows 9x/Me machine that uses Group Policies. + + + + + Windows NT4-Style Policy Files + + +ntconfig.pol +poledit.exe +Policy Editor +domain policies + To create or edit ntconfig.pol, you must use the NT Server + Policy Editor, poledit.exe, which is included with NT4 Server + but not with NT workstation. There is a Policy Editor on an NT4 + Workstation but it is not suitable for creating domain policies. + Furthermore, although the Windows 95 Policy Editor can be installed on an NT4 + workstation/server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 workstation. + + + +poledit.exe +common.adm +winnt.adm +c:\winnt\inf + You need poledit.exe, common.adm, and winnt.adm. + It is convenient to put the two *.adm files in the c:\winnt\inf + directory, which is where the binary will look for them unless told otherwise. This + directory is normally hidden. + + + +Policy Editor +Nt4sp6ai.exe +poledit.exe +Zero Administration Kit + The Windows NT Policy Editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using servicepackname /x + &smbmdash; that's Nt4sp6ai.exe /x for Service Pack 6a. The Policy Editor, + poledit.exe, and the associated template files (*.adm) should + be extracted as well. It is also possible to download the policy template + files for Office97 and get a copy of the Policy Editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. + + + + Registry Spoiling + + +NTConfig.POL +HKEY_LOCAL_MACHINE + With NT4-style registry-based policy changes, a large number of settings are not + automatically reversed as the user logs off. 
The settings that were in the + NTConfig.POL file were applied to the client machine registry and apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences downstream, and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + + + + + + MS Windows 200x/XP Professional Policies + + +registry + Windows NT4 system policies allow the setting of registry parameters specific to + users, groups, and computers (client workstations) that are members of the NT4-style + domain. Such policy files will work with MS Windows 200x/XP clients also. + + + + New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers + a superset of capabilities compared with NT4-style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much improved. + + + + GPOs +Administrative Templates + The older NT4-style registry-based policies are known as Administrative Templates + in MS Windows 2000/XP GPOs. The latter includes the ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users desktop (including the location of My Documents files, as + well as intrinsics of where menu items will appear in the Start menu). An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. + + + +NTConfig.POL +NETLOGON +local registry values + Remember, NT4 policy files are named NTConfig.POL and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password + and selects the domain name to which the logon will attempt to take place. 
During the logon process, + the client machine reads the NTConfig.POL file from the NETLOGON share on + the authenticating server and modifies the local registry values according to the settings in this file. + + + +SYSVOL +NETLOGON +replicated +ADS +domain controllers +Group Policy ContainerGPC +Group Policy TemplateGPT +replicated SYSVOL + Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the Group Policy Template (GPT). + + + +GPOs + With NT4 clients, the policy file is read and executed only as each user logs onto the network. + MS Windows 200x policies are much more complex &smbmdash; GPOs are processed and applied at client machine + startup (machine specific part), and when the user logs onto the network, the user-specific part + is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject + to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4-style policy files. 
+ + + + Administration of Windows 200x/XP Policies + + + GPOs + System Policy Editor +poledit.exe +MMC snap-in +Poledit + Instead of using the tool called the System Policy Editor, commonly called Poledit (from the + executable name poledit.exe), GPOs are created and managed using a + Microsoft Management Console (MMC) snap-in as follows: + + + Go to the Windows 200x/XP menu Start->Programs->Administrative Tools + and select the MMC snap-in called Active Directory Users and Computers + + + +organizational unitOU + Select the domain or organizational unit (OU) that you wish to manage, then right-click + to open the context menu for that object, and select the Properties. + + + + Left-click on the Group Policy tab, then + left-click on the New tab. Type a name + for the new policy you will create. + + + + Left-click on the Edit tab to commence the steps needed to create the GPO. + + + + + All policy configuration options are controlled through the use of policy administrative + templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. + Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. + The latter introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files; for that, + refer to the Microsoft Windows Resource Kit for your particular + version of MS Windows. + + + + +gpolmig.exe +NTConfig.POL +resource kit + The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used + to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. + + + + + + + Custom System Policy Templates + + + Over the past year, there has been a bit of talk regarding the creation of customized + templates for the Windows Sytem Policy Editor. 
A recent announcement on the Samba mailing + list is worthy of mention. + + + + Mike Petersen has announced the availability of a template file he has created. This custom System Policy + Editor Template will allow you to successfully control Microsoft Windows workstations from an SMB server, such + as Samba. This template has been tested on a few networks, although if you find any problems with any of these + policies, or have any ideas for additional policies, let me know at mailto:mgpeter@pcc-services.com. This + Template includes many policies for Windows XP to allow it to behave better in a professional environment. + + + + For further information please see the Petersen Computer Consulting web site. There is + a download link for the template file. + + + + + + + +Managing Account/User Policies + + +Policies +policy file +registry settings +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not necessary. + + + +NTConfig.POL +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTConfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, it must be made individually to each workstation. + + + +NTConfig.POL +NETLOGON +When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on +the authenticating domain controller for the presence of the NTConfig.POL file. 
If one exists, it is +downloaded, parsed, and then applied to the user's part of the registry. + + + +GPOs +ADS +NTConfig.POL +NT4 style policy updates +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally +acquire policy settings through GPOs that are defined and stored in Active Directory +itself. The key benefit of using AD GPOs is that they impose no registry spoiling effect. +This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates. + + + +account restrictions +Common restrictions +In addition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied. +Common restrictions that are frequently used include: + + + +Account Controls + + Logon hours + Password aging + Permitted logon from certain machines only + Account type (local or global) + User rights + + + + +Domain User Manager +NTConfig.POL +Samba-3.0.20 does not yet implement all account controls that are common to MS Windows NT4/200x/XP. +While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password +expiry is functional today. Most of the remaining controls at this time have only stub routines +that may eventually be completed to provide actual control. Do not be misled by the fact that a +parameter can be set using the NT4 Domain User Manager or in the NTConfig.POL. + + + + +Management Tools + + +Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools. +The following sections describe a few key tools that will help you to create a low-maintenance user +environment. + + + + Samba Editreg Toolset + + + editreg + NTUser.DAT + NTConfig.POL + A new tool called editreg is under development. 
This tool can be used + to edit registry files (called NTUser.DAT) that are stored in user + and group profiles. NTConfig.POL files have the same structure as the + NTUser.DAT file and can be edited using this tool. editreg + is being built with the intent to enable NTConfig.POL files to be saved in text format and to + permit the building of new NTConfig.POL files with extended capabilities. It is proving difficult + to realize this capability, so do not be surprised if this feature does not materialize. Formal + capabilities will be announced at the time that this tool is released for production use. + + + + + + Windows NT4/200x + + +regedt32.exe +Group Policy Editor +MMC + The tools that may be used to configure these types of controls from the MS Windows environment are + the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe). + Under MS Windows 200x/XP, this is done using the MMC with appropriate + snap-ins, the registry editor, and potentially also the NT4 System and Group Policy Editor. + + + + + Samba PDC + + +smbpasswd +pdbedit +NET +rpcclient + With a Samba domain controller, the new tools for managing user account and policy information include: + smbpasswd, pdbedit, net, and rpcclient. + The administrator should read the man pages for these tools and become familiar with their use. + + + + + + +System Startup and Logon Processing Overview + + +The following attempts to document the order of processing the system and user policies following a system +reboot and as part of the user logon: + + + + +Remote Procedure Call System ServiceRPCSS +multiple universal naming convention providerMUP + Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming + convention provider (MUP) start. + + + +ADS +GPOs + Where Active Directory is involved, an ordered list of GPOs is downloaded + and applied. 
The list may include GPOs that: + + Apply to the location of machines in a directory. + Apply only when settings have changed. + Depend on configuration of the scope of applicability: local, + site, domain, organizational unit, and so on. + + No desktop user interface is presented until the above have been processed. + + + + Execution of startup scripts (hidden and synchronous by default). + + + + A keyboard action to effect start of logon (Ctrl-Alt-Del). + + + + User credentials are validated, user profile is loaded (depends on policy settings). + + + + An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of: + + + Is the user a domain member, thus subject to particular policies? + Loopback enablement, and the state of the loopback policy (merge or replace). + Location of the Active Directory itself. + Has the list of GPOs changed? No processing is needed if not changed. + + + + + User policies are applied from Active Directory. Note: There are several types. + + + + Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs + (hidden and executed synchronously). NT4-style logon scripts are then run in a normal + window. + + + + The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 + domain), machine (system) policies are applied at startup; user policies are applied at logon. + + + + + + +Common Errors + + +Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following +collection demonstrates only basic issues. + + + +Policy Does Not Work + + +We have created the Config.POL file and put it in the NETLOGON share. +It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not +work any longer since we upgraded to Win XP Pro. Any hints? 
+ + + +Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to +use the NT4 Group Policy Editor to create a file called NTConfig.POL so it is in the +correct format for your MS Windows XP Pro clients. + + + + + + + -- cgit
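Review bot: The "Creating and Managing System Policies" and "Managing Account/User Policies" sections of this hunk describe NTConfig.POL/Config.POL in the root of the NETLOGON share being read and applied to every client's registry at logon, but nowhere state that the NETLOGON share must therefore not be writable by ordinary domain users; since this file is moving into the release docs, add a sentence (near "Remember, NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON share") noting that anyone who can write to that share controls the registry of every client that logs on, and that the share should be exported with `writable = no` or a `write list` restricted to administrators. Also in this hunk, the "Registry Spoiling" paragraph is ungrammatical and loses its point: "The settings that were in the NTConfig.POL file were applied to the client machine registry and apply to the hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed" should read along the lines of "The settings in the NTConfig.POL file are applied to the client machine registry (hive key HKEY_LOCAL_MACHINE) and remain in force until explicitly reversed". Several statements are tied to a moment that has passed and will read as wrong in a generated release manual: "Samba-3.0.20 does not yet implement all account controls", "A new tool called editreg is under development", "Over the past year, there has been a bit of talk" and "A recent announcement on the Samba mailing list"; either update them to the version being released or reword them without the time reference. Minor: "Windows Sytem Policy Editor" should be "Windows System Policy Editor", and the "Policy Does Not Work" answer says "NT4 Group Policy Editor" while the rest of the chapter calls the NT4 tool the System Policy Editor (poledit.exe); use one name.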