From 5ac9305f22d3887698f308d9f185beed842569f5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 5 Apr 2003 23:27:16 +0000 Subject: Filling in some more blanks. (This used to be commit 157a5525d371b6c90d9d634eaf3d98fed648569a) --- docs/docbook/projdoc/PolicyMgmt.sgml | 56 +++++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 14 deletions(-) (limited to 'docs/docbook/projdoc/PolicyMgmt.sgml') diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 9dee288b1f..867f5740e7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml 
@@ -248,40 +248,68 @@ use this powerful tool. Please refer to the resource kit manuals for specific us Managing Account/User Policies -Document what are user policies (ie: Account Policies) here. +Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary. - -With Windows NT4/200x + +If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation. + -Brief overview of the tools and how to use them. +When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry. - -Windows NT4 Tools + +MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry tatooing effect. +This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates. + -Blah, blah, blah ... 
+Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes: - + + + Logon Hours + Password Aging + Permitted Logon from certain machines only + Account type (Local or Global) + User Rights + + - -Windows 200x Tools + +With Windows NT4/200x -Blah, blah, blah ... +The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. - - With a Samba PDC -Document the HOWTO here. +With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +smbpasswd, pdbedit, smbgroupedit, net, rpcclient.. The administrator should read the +man pages for these tools and become familiar with their use. -- cgit
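Review bot: The added paragraph beginning "When a Windows NT4/200x/XP machine logs onto the network" has no main verb; "the NETLOGON share on the authenticating domain controller for the presence of the NTConfig.POL file" presumably wants "is checked" before "for the presence". That paragraph also says the file is applied to "the user's part of the registry", while the first added paragraph says the policy file holds settings for users, groups, and computers, so it should state which settings are applied at logon. Because this text describes a file that clients download from NETLOGON and apply to the registry automatically, a sentence on who should have write access to that share would help administrators. "Registry tatooing" is used without explanation and needs a one-line definition for the GPO comparison to make sense. The file name appears as both NTconfig.POL and NTConfig.POL; use one spelling throughout. Smaller fixes in the added lines: "not not necessary", "AS GPOs" (presumably AD), "tatooing", "advanage", "Inaddition", "Managment", "approapriate", the doubled period after "rpcclient", the stray comma after "may additionally", and "includes" where the subject is plural ("restrictions ... includes", "tools ... includes").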