Chapter 23. System and Account Policies

Chapter 23. System and Account Policies
Prev	Part III. Advanced Configuration	Next

John H. Terpstra

Samba Team

<jht@samba.org>

April 3 2003

Table of Contents

Features and Benefits

Creating and Managing System Policies

Windows 9x/ME Policies
Windows NT4-Style Policy Files
MS Windows 200x/XP Professional Policies

Managing Account/User Policies

Management Tools

Samba Editreg Toolset
Windows NT4/200x
Samba PDC

System Startup and Logon Processing Overview

Common Errors

Policy Does Not Work

-This chapter summarizes the current state of knowledge derived from personal -practice and knowledge from Samba mailing list subscribers. Before reproduction -of posted information, every effort has been made to validate the information given. -Where additional information was uncovered through this validation it is provided -also. -

Features and Benefits

-When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement -Group Policies for users and groups. Then along came MS Windows NT4 and a few sites -started to adopt this capability. How do we know that? By the number of “booboos” -(or mistakes) administrators made and then requested help to resolve. -

- - - -By the time that MS Windows 2000 and Active Directory was released, administrators -got the message: Group Policies are a good thing! They can help reduce administrative -costs and actually make happier users. But adoption of the true -potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users -and machines were picked up on rather slowly. This was obvious from the Samba -mailing list as in 2000 and 2001 when there were few postings regarding GPOs and -how to replicate them in a Samba environment. -

-Judging by the traffic volume since mid 2002, GPOs have become a standard part of -the deployment in many sites. This chapter reviews techniques and methods that can -be used to exploit opportunities for automation of control over user desktops and -network client workstations. -

-A tool new to Samba the editreg tool - may become an important part of the future Samba administrators' -arsenal is described in this document. -

Creating and Managing System Policies

-Under MS Windows platforms, particularly those following the release of MS Windows -NT4 and MS Windows 95, it is possible to create a type of file that would be placed -in the NETLOGON share of a Domain Controller. As the client logs onto the network, -this file is read and the contents initiate changes to the registry of the client -machine. This file allows changes to be made to those parts of the registry that -affect users, groups of users, or machines. -

- -For MS Windows 9x/ME, this file must be called Config.POL and may -be generated using a tool called poledit.exe, better known as the -Policy Editor. The policy editor was provided on the Windows 98 installation CD, but -disappeared again with the introduction of MS Windows Me (Millennium Edition). From -comments of MS Windows network administrators, it would appear that this tool became -a part of the MS Windows Me Resource Kit. -

- -MS Windows NT4 Server products include the System Policy Editor -under Start -> Programs -> Administrative Tools. -For MS Windows NT4 and later clients, this file must be called NTConfig.POL. -

-New with the introduction of MS Windows 2000 was the Microsoft Management Console -or MMC. This tool is the new wave in the ever-changing landscape of Microsoft -methods for management of network access and security. Every new Microsoft product -or technology seems to make the old rules obsolete and introduces newer and more -complex tools and methods. To Microsoft's credit, the MMC does appear to -be a step forward, but improved functionality comes at a great price. -

-Before embarking on the configuration of network and system policies, it is highly -advisable to read the documentation available from Microsoft's Web site regarding - -Implementing Profiles and Policies in Windows NT 4.0 available from Microsoft. -There are a large number of documents in addition to this old one that should also -be read and understood. Try searching on the Microsoft Web site for “Group Policies”. -

-What follows is a brief discussion with some helpful notes. The information provided -here is incomplete you are warned. -

Windows 9x/ME Policies

- You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME. - It can be found on the original full product Windows 98 installation CD under - tools/reskit/netadmin/poledit. Install this using the - Add/Remove Programs facility and then click on Have Disk. -

- - Use the Group Policy Editor to create a policy file that specifies the location of - user profiles and/or My Documents, and so on. Then save these - settings in a file called Config.POL that needs to be placed in the - root of the [NETLOGON] share. If Windows 98 is configured to log onto - the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry - of the machine as it logs on. -

- Further details are covered in the Windows 98 Resource Kit documentation. -

- If you do not take the correct steps, then every so often Windows 9x/ME will check the - integrity of the registry and restore its settings from the back-up - copy of the registry it stores on each Windows 9x/ME machine. So, you will - occasionally notice things changing back to the original settings. -

- Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the - Windows 98 CDROM in \tools\reskit\netadmin\poledit. - Install group policies on a Windows 9x/Me client by double-clicking on - grouppol.inf. Log off and on again a couple of times and see - if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every - Windows 9x/Me machine that uses Group Policies. -

Windows NT4-Style Policy Files

- To create or edit ntconfig.pol you must use the NT Server - Policy Editor, poledit.exe, which is included with NT4 Server - but not with NT Workstation. There is a Policy Editor on an NT4 - Workstation but it is not suitable for creating domain policies. - Furthermore, although the Windows 95 Policy Editor can be installed on an NT4 - Workstation/Server, it will not work with NT clients. However, the files from - the NT Server will run happily enough on an NT4 Workstation. -

- You need poledit.exe, common.adm and winnt.adm. - It is convenient to put the two *.adm files in the c:\winnt\inf - directory, which is where the binary will look for them unless told otherwise. This - directory is normally “hidden.” -

- The Windows NT policy editor is also included with the Service Pack 3 (and - later) for Windows NT 4.0. Extract the files using servicepackname /x, - that's Nt4sp6ai.exe /x for service pack 6a. The Policy Editor, - poledit.exe, and the associated template files (*.adm) should - be extracted as well. It is also possible to downloaded the policy template - files for Office97 and get a copy of the Policy Editor. Another possible - location is with the Zero Administration Kit available for download from Microsoft. -

Registry Spoiling

- With NT4-style registry-based policy changes, a large number of settings are not - automatically reversed as the user logs off. The settings that were in the - NTConfig.POL file were applied to the client machine registry and apply to the - hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known - as tattooing. It can have serious consequences downstream and the administrator must - be extremely careful not to lock out the ability to manage the machine at a later date. -

MS Windows 200x/XP Professional Policies

- Windows NT4 system policies allow the setting of registry parameters specific to - users, groups and computers (client workstations) that are members of the NT4-style - domain. Such policy files will work with MS Windows 200x/XP clients also. -

- New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers - a superset of capabilities compared with NT4-style policies. Obviously, the tool used - to create them is different, and the mechanism for implementing them is much improved. -

- - The older NT4-style registry-based policies are known as Administrative Templates - in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes the ability to set various security - configurations, enforce Internet Explorer browser settings, change and redirect aspects of the - users desktop (including the location of My Documents files (directory), as - well as intrinsics of where menu items will appear in the Start menu). An additional new - feature is the ability to make available particular software Windows applications to particular - users and/or groups. -

- Remember, NT4 policy files are named NTConfig.POL and are stored in the root - of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password - and selects the domain name to which the logon will attempt to take place. During the logon process, - the client machine reads the NTConfig.POL file from the NETLOGON share on - the authenticating server and modifies the local registry values according to the settings in this file. -

- Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of - a Windows 200x policy file is stored in the Active Directory itself and the other part is stored - in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active - Directory Domain Controllers. The part that is stored in the Active Directory itself is called the - Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is - known as the Group Policy Template (GPT). -

- With NT4 clients, the policy file is read and executed only as each user logs onto the network. - MS Windows 200x policies are much more complex GPOs are processed and applied at client machine - startup (machine specific part) and when the user logs onto the network, the user-specific part - is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject - to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows - the administrator to also set filters over the policy settings. No such equivalent capability - exists with NT4-style policy files. -

Administration of Windows 200x/XP Policies

- - - Instead of using the tool called The System Policy Editor, commonly called Poledit (from the - executable name poledit.exe), GPOs are created and managed using a - Microsoft Management Console (MMC) snap-in as follows:

- Go to the Windows 200x/XP menu Start->Programs->Administrative Tools - and select the MMC snap-in called Active Directory Users and Computers -
- Select the domain or organizational unit (OU) that you wish to manage, then right-click - to open the context menu for that object, and select the Properties. -
- Left-click on the Group Policy tab, then - left-click on the New tab. Type a name - for the new policy you will create. -
- Left-click on the Edit tab to commence the steps needed to create the GPO. -

- All policy configuration options are controlled through the use of policy administrative - templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. - Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. - The latter introduces many new features as well as extended definition capabilities. It is - well beyond the scope of this documentation to explain how to program .adm files; for that - the administrator is referred to the Microsoft Windows Resource Kit for your particular - version of MS Windows. -

Note

- The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used - to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you - use this powerful tool. Please refer to the resource kit manuals for specific usage information. -

Managing Account/User Policies

-Policies can define a specific user's settings or the settings for a group of users. The resulting -policy file contains the registry settings for all users, groups, and computers that will be using -the policy file. Separate policy files for each user, group, or computer are not necessary. -

- -If you create a policy that will be automatically downloaded from validating Domain Controllers, -you should name the file NTConfig.POL. As system administrator, you have the option of renaming the -policy file and, by modifying the Windows NT-based workstation, directing the computer to update -the policy from a manual path. You can do this by either manually changing the registry or by using -the System Policy Editor. This can even be a local path such that each machine has its own policy file, -but if a change is necessary to all machines, it must be made individually to each workstation. -

-When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on -the authenticating domain controller for the presence of the NTConfig.POL file. If one exists it is -downloaded, parsed and then applied to the user's part of the registry. -

- -MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally -acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory -itself. The key benefit of using AS GPOs is that they impose no registry spoiling effect. -This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates. -

-In addition to user access controls that may be imposed or applied via system and/or group policies -in a manner that works in conjunction with user profiles, the user management environment under -MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. -Common restrictions that are frequently used include: -

- -

Logon hours
Password aging
Permitted logon from certain machines only
Account type (local or global)
User rights

-Samba-3.0.0 doe not yet implement all account controls that are common to MS Windows NT4/200x/XP. -While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password -expirey is functional today. Most of the remaining controls at this time have only stub routines -that may eventually be completed to provide actual control. Do not be misled by the fact that a -parameter can be set using the NT4 Domain User Manager or in the NTConfig.POL. -

Management Tools

-Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools. -The following sections describe a few key tools that will help you to create a low maintenance user -environment. -

Samba Editreg Toolset

- - - - A new tool called editreg is under development. This tool can be used - to edit registry files (called NTUser.DAT) that are stored in user - and group profiles. NTConfig.POL files have the same structure as the - NTUser.DAT file and can be edited using this tool. editreg - is being built with the intent to enable NTConfig.POL files to be saved in text format and to - permit the building of new NTConfig.POL files with extended capabilities. It is proving difficult - to realize this capability, so do not be surprised if this feature does not materialize. Formal - capabilities will be announced at the time that this tool is released for production use. -

Windows NT4/200x

- The tools that may be used to configure these types of controls from the MS Windows environment are: - the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe). - Under MS Windows 200x/XP, this is done using the Microsoft Management Console (MMC) with appropriate - “snap-ins,” the registry editor, and potentially also the NT4 System and Group Policy Editor. -

Samba PDC

- With a Samba Domain Controller, the new tools for managing user account and policy information include: - smbpasswd, pdbedit, net, rpcclient. - The administrator should read the man pages for these tools and become familiar with their use. -

System Startup and Logon Processing Overview

-The following attempts to document the order of processing the system and user policies following a system -reboot and as part of the user logon: -

- Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming - Convention Provider (MUP) start. -
- Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded - and applied. The list may include GPOs that: -
- Apply to the location of machines in a Directory.
- Apply only when settings have changed.
- Depend on configuration of the scope of applicability: local, - site, domain, organizational unit, and so on.
- No desktop user interface is presented until the above have been processed. -
- Execution of start-up scripts (hidden and synchronous by default). -
- A keyboard action to effect start of logon (Ctrl-Alt-Del). -
- User credentials are validated, user profile is loaded (depends on policy settings). -
- An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of: - -
- Is the user a Domain Member, thus subject to particular policies?
- Loopback enablement, and the state of the loopback policy (Merge or Replace).
- Location of the Active Directory itself.
- Has the list of GPOs changed? No processing is needed if not changed.
-
- User Policies are applied from Active Directory. Note: There are several types. -
- Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group - Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal - window. -
- The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 - Domain), machine (system) policies are applied at start-up; user policies are applied at logon. -

Common Errors

-Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following -collection demonstrates only basic issues. -

Policy Does Not Work

-“We have created the Config.POL file and put it in the NETLOGON share. -It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not -work any longer since we upgraded to Win XP Pro. Any hints?” -

-Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to -use the NT4 Group Policy Editor to create a file called NTConfig.POL so it is in the -correct format for your MS Windows XP Pro clients. -

Prev	Up	Next
Chapter 22. Advanced Network Management	Home	Chapter 24. Desktop Profile Management