Chapter 23. System and Account Policies

Chapter 23. System and Account Policies
Prev	Part III. Advanced Configuration	Next

John H. Terpstra

Samba Team

<jht@samba.org>

April 3 2003

Table of Contents

Features and Benefits

Creating and Managing System Policies

Windows 9x/Me Policies
Windows NT4 Style Policy Files
MS Windows 200x / XP Professional Policies

Managing Account/User Policies

Samba Editreg Toolset
Windows NT4/200x
Samba PDC

System Startup and Logon Processing Overview

Common Errors

Policy Does Not Work

+This chapter summarises the current state of knowledge derived from personal +practice and knowledge from samba mailing list subscribers. Before reproduction +of posted information effort has been made to validate the information provided. +Where additional information was uncovered through this validation it is provided +also. +

Features and Benefits

+When MS Windows NT3.5 was introduced the hot new topic was the ability to implement +Group Policies for users and group. Then along came MS Windows NT4 and a few sites +started to adopt this capability. How do we know that? By way of the number of "booboos" +(or mistakes) administrators made and then requested help to resolve. +

+By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually can help to create happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was very obvious from the samba +mailing list as in 2000 and 2001 there were very few postings regarding GPOs and +how to replicate them in a Samba environment. +

+Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. +

+A tool new to Samba may become an important part of the future Samba Administrators' +arsenal. The editreg tool is described in this document. +

Creating and Managing System Policies

+Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95) it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines. +

+For MS Windows 9x/Me this file must be called Config.POL and may +be generated using a tool called poledit.exe, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD, but +disappeared again with the introduction of MS Windows Me (Millennium Edition). From +comments from MS Windows network administrators it would appear that this tool became +a part of the MS Windows Me Resource Kit. +

+MS Windows NT4 Server products include the System Policy Editor +under the Start -> Programs -> Administrative Tools menu item. +For MS Windows NT4 and later clients this file must be called NTConfig.POL. +

+New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever changing landscape of Microsoft +methods for management of network access and security. Every new Microsoft product +or technology seems to obsolete the old rules and to introduce newer and more +complex tools and methods. To Microsoft's credit though, the MMC does appear to +be a step forward, but improved functionality comes at a great price. +

+Before embarking on the configuration of network and system policies it is highly +advisable to read the documentation available from Microsoft's web site regarding + +Implementing Profiles and Policies in Windows NT 4.0 available from Microsoft. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft web site for "Group Policies". +

+What follows is a very brief discussion with some helpful notes. The information provided +here is incomplete - you are warned. +

Windows 9x/Me Policies

+ You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. + It can be found on the Original full product Win98 installation CD under + tools/reskit/netadmin/poledit. Install this using the + Add/Remove Programs facility and then click on the 'Have Disk' tab. +

+ Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or the My Documents etc. Then save these + settings in a file called Config.POL that needs to be placed in the + root of the [NETLOGON] share. If Win98 is configured to log onto + the Samba Domain, it will automatically read this file and update the Win9x/Me registry + of the machine as it logs on. +

+ Further details are covered in the Win98 Resource Kit documentation. +

+ If you do not take the right steps, then every so often Win9x/Me will check the + integrity of the registry and will restore it's settings from the back-up + copy of the registry it stores on each Win9x/Me machine. Hence, you will + occasionally notice things changing back to the original settings. +

+ Install the group policy handler for Win9x to pick up group policies. Look on the + Win98 CD in \tools\reskit\netadmin\poledit. + Install group policies on a Win9x client by double-clicking + grouppol.inf. Log off and on again a couple of times and see + if Win98 picks up group policies. Unfortunately this needs to be done on every + Win9x/Me machine that uses group policies. +

Windows NT4 Style Policy Files

+ To create or edit ntconfig.pol you must use the NT Server + Policy Editor, poledit.exe which is included with NT4 Server + but not NT Workstation. There is a Policy Editor on a NT4 + Workstation but it is not suitable for creating Domain Policies. + Further, although the Windows 95 Policy Editor can be installed on an NT4 + Workstation/Server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 Workstation. +

+ You need poledit.exe, common.adm and winnt.adm. + It is convenient to put the two *.adm files in the c:\winnt\inf + directory which is where the binary will look for them unless told otherwise. Note also that that + directory is normally 'hidden'. +

+ The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using servicepackname /x, + i.e. that's Nt4sp6ai.exe /x for service pack 6a. The policy editor, + poledit.exe and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. +

Registry Spoiling

+ With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. +

MS Windows 200x / XP Professional Policies

+ Windows NT4 System policies allows setting of registry parameters specific to + users, groups and computers (client workstations) that are members of the NT4 + style domain. Such policy file will work with MS Windows 2000 / XP clients also. +

+ New to MS Windows 2000 Microsoft introduced a new style of group policy that confers + a superset of capabilities compared with NT4 style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much changed. +

+ The older NT4 style registry based policies are known as Administrative Templates + in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users' desktop (including: the location of My Documents files (directory), as + well as intrinsics of where menu items will appear in the Start menu). An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. +

+ Remember: NT4 policy files are named NTConfig.POL and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password + and selects the domain name to which the logon will attempt to take place. During the logon + process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating + server, modifies the local registry values according to the settings in this file. +

+ Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the group policy template (GPT). +

+ With NT4 clients the policy file is read and executed upon only as each user logs onto the network. + MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine + startup (machine specific part) and when the user logs onto the network the user specific part + is applied. In MS Windows 200x style policy management each machine and/or user may be subject + to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4 style policy files. +

Administration of Win2K / XP Policies

+ Instead of using the tool called The System Policy Editor, commonly called Poledit (from the + executable name poledit.exe), GPOs are created and managed using a + Microsoft Management Console (MMC) snap-in as follows:

+ Go to the Windows 200x / XP menu Start->Programs->Administrative Tools + and select the MMC snap-in called Active Directory Users and Computers +
+ Select the domain or organizational unit (OU) that you wish to manage, then right click + to open the context menu for that object, select the properties item. +
+ Now left click on the Group Policy tab, then left click on the New tab. Type a name + for the new policy you will create. +
+ Now left click on the Edit tab to commence the steps needed to create the GPO. +

+ All policy configuration options are controlled through the use of policy administrative + templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. + Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x. + The later introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files, for that + the administrator is referred to the Microsoft Windows Resource Kit for your particular + version of MS Windows. +

Note

+ The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used + to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. +

Managing Account/User Policies

+Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not necessary. +

+If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation. +

+When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry. +

+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry spoiling effect. +This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates. +

+In addition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes: +

Logon Hours
Password Aging
Permitted Logon from certain machines only
Account type (Local or Global)
User Rights

Samba Editreg Toolset

+ A new tool called editreg is under development. This tool can be used + to edit registry files (called NTUser.DAT) that are stored in user and group profiles. + NTConfig.POL files have the same structure as the NTUser.DAT file and can be editted using + this tool. editreg is being built with the intent to enable NTConfig.POL + files to be saved in text format and to permit the building of new NTConfig.POL files with + extended capabilities. It is proving difficult to realise this capability, so do not be surprised + if this feature does not materialise. Formal capabilities will be announced at the time that + this tool is released for production use. +

Windows NT4/200x

+ The tools that may be used to configure these types of controls from the MS Windows environment are: + The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). + Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate + "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. +

Samba PDC

+ With a Samba Domain Controller, the new tools for managing of user account and policy information includes: + smbpasswd, pdbedit, net, rpcclient. + The administrator should read the + man pages for these tools and become familiar with their use. +

System Startup and Logon Processing Overview

+The following attempts to document the order of processing of system and user policies following a system +reboot and as part of the user logon: +

+ Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming + Convention Provider (MUP) start +
+ Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded + and applied. The list may include GPOs that: +
- Apply to the location of machines in a Directory
- Apply only when settings have changed
- Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.
+ No desktop user interface is presented until the above have been processed. +
+ Execution of start-up scripts (hidden and synchronous by default). +
+ A keyboard action to affect start of logon (Ctrl-Alt-Del). +
+ User credentials are validated, User profile is loaded (depends on policy settings). +
+ An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of: + +
- Is user a domain member, thus subject to particular policies
- Loopback enablement, and the state of the loopback policy (Merge or Replace)
- Location of the Active Directory itself
- Has the list of GPOs changed. No processing is needed if not changed.
+
+ User Policies are applied from Active Directory. Note: There are several types. +
+ Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group + Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal + window. +
+ The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4 + Domain) machine (system) policies are applied at start-up, User policies are applied at logon. +

Common Errors

+Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following +collection demonstrates only basic issues. +

Policy Does Not Work

+ “We have created the config.pol file and put it in the NETLOGON share. +It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not +work any longer since we upgraded to Win XP Pro. Any hints?” +

+Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based +platforms. You need to use the NT4 Group Policy Editor to create a file called NTConfig.POL so that +it is in the correct format for your MS Windows XP Pro clients. +

Prev	Up	Next
Chapter 22. Advanced Network Management	Home	Chapter 24. Desktop Profile Management