From 45c1bd560292277db0ca898c479f87f8d3f333a0 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 27 May 2003 08:10:24 +0000 Subject: More edit food. More updates. (This used to be commit 7941f5998617bd7a8912f189545c51f03c8a1b3d) --- docs/docbook/projdoc/AdvancedNetworkAdmin.xml | 13 +- docs/docbook/projdoc/PolicyMgmt.xml | 429 +++++++++++++++----------- docs/docbook/projdoc/ProfileMgmt.xml | 124 ++++++++ 3 files changed, 377 insertions(+), 189 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml index bbaf5c2e59..5f29f32448 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml @@ -82,8 +82,9 @@ is the best tool in your network environment. The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. - It is presented in full (with author details omitted for privacy reasons). - + It is presented in slightly edited form (with author details omitted for privacy reasons). + The entire answer is reproduced below with some comments removed. + @@ -94,8 +95,8 @@ is the best tool in your network environment. > > Is there a way to acomplish this? Do I need a windows terminal server? > Do I need to configure it so that it is a member of the domain or a -> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login even if -> the computer is in a domain? +> BDC,PDC? Are there any hacks for MS Windows XP to enable remote login +> even if the computer is in a domain? > > Any ideas/experience would be appreciated :) 
@@ -350,7 +351,9 @@ See the documentation in the + + +By the time that MS Windows 2000 and Active Directory was released, administrators +got the message: Group Policies are a good thing! They can help reduce administrative +costs and actually can help to create happier users. But adoption of the true +potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users +and machines were picked up on rather slowly. This was very obvious from the samba +mailing list as in 2000 and 2001 there were very few postings regarding GPOs and +how to replicate them in a Samba environment. + + + +Judging by the traffic volume since mid 2002, GPOs have become a standard part of +the deployment in many sites. This chapter reviews techniques and methods that can +be used to exploit opportunities for automation of control over user desktops and +network client workstations. + + + +A tool new to Samba-3 may become an important part of the future Samba Administrators' +arsenal. The editreg tool is described in this document. + + + + Creating and Managing System Policies 
@@ -55,194 +98,193 @@ What follows is a very brief discussion with some helpful notes. The information here is incomplete - you are warned. - -Windows 9x/Me Policies - - -You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. -It can be found on the Original full product Win98 installation CD under -tools/reskit/netadmin/poledit. Install this using the -Add/Remove Programs facility and then click on the 'Have Disk' tab. - - - -Use the Group Policy Editor to create a policy file that specifies the location of -user profiles and/or the My Documents etc. stuff. Then -save these settings in a file called Config.POL that needs to -be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto -the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine as it logs on. - + + Windows 9x/Me Policies - -Further details are covered in the Win98 Resource Kit documentation. - - - -If you do not take the right steps, then every so often Win9x/Me will check the -integrity of the registry and will restore it's settings from the back-up -copy of the registry it stores on each Win9x/Me machine. Hence, you will -occasionally notice things changing back to the original settings. - - - -Install the group policy handler for Win9x to pick up group policies. Look on the -Win98 CD in \tools\reskit\netadmin\poledit. -Install group policies on a Win9x client by double-clicking -grouppol.inf. Log off and on again a couple of times and see -if Win98 picks up group policies. Unfortunately this needs to be done on every -Win9x/Me machine that uses group policies. - - - - -Windows NT4 Style Policy Files - - -To create or edit ntconfig.pol you must use the NT Server -Policy Editor, poledit.exe which is included with NT4 Server -but not NT Workstation. There is a Policy Editor on a NT4 -Workstation but it is not suitable for creating Domain Policies. 
-Further, although the Windows 95 Policy Editor can be installed on an NT4 -Workstation/Server, it will not work with NT clients. However, the files from -the NT Server will run happily enough on an NT4 Workstation. - - - -You need poledit.exe, common.adm and winnt.adm. -It is convenient to put the two *.adm files in the c:\winnt\inf -directory which is where the binary will look for them unless told otherwise. Note also that that -directory is normally 'hidden'. - + + You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. + It can be found on the Original full product Win98 installation CD under + tools/reskit/netadmin/poledit. Install this using the + Add/Remove Programs facility and then click on the 'Have Disk' tab. + - -The Windows NT policy editor is also included with the Service Pack 3 (and -later) for Windows NT 4.0. Extract the files using servicepackname /x, -i.e. that's Nt4sp6ai.exe /x for service pack 6a. The policy editor, -poledit.exe and the associated template files (*.adm) should -be extracted as well. It is also possible to downloaded the policy template -files for Office97 and get a copy of the policy editor. Another possible -location is with the Zero Administration Kit available for download from Microsoft. - + + Use the Group Policy Editor to create a policy file that specifies the location of + user profiles and/or the My Documents etc. stuff. Then + save these settings in a file called Config.POL that needs to + be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto + the Samba Domain, it will automatically read this file and update the Win9x/Me registry + of the machine as it logs on. + - -Registry Tattoos + + Further details are covered in the Win98 Resource Kit documentation. + - With NT4 style registry based policy changes, a large number of settings are not - automatically reversed as the user logs off. 
Since the settings that were in the - NTConfig.POL file were applied to the client machine registry and that apply to the - hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known - as tattooing. It can have serious consequences down-stream and the administrator must - be extremely careful not to lock out the ability to manage the machine at a later date. + If you do not take the right steps, then every so often Win9x/Me will check the + integrity of the registry and will restore it's settings from the back-up + copy of the registry it stores on each Win9x/Me machine. Hence, you will + occasionally notice things changing back to the original settings. + + Install the group policy handler for Win9x to pick up group policies. Look on the + Win98 CD in \tools\reskit\netadmin\poledit. + Install group policies on a Win9x client by double-clicking + grouppol.inf. Log off and on again a couple of times and see + if Win98 picks up group policies. Unfortunately this needs to be done on every + Win9x/Me machine that uses group policies. + - - - -MS Windows 200x / XP Professional Policies + + + Windows NT4 Style Policy Files - -Windows NT4 System policies allows setting of registry parameters specific to -users, groups and computers (client workstations) that are members of the NT4 -style domain. Such policy file will work with MS Windows 2000 / XP clients also. - + + To create or edit ntconfig.pol you must use the NT Server + Policy Editor, poledit.exe which is included with NT4 Server + but not NT Workstation. There is a Policy Editor on a NT4 + Workstation but it is not suitable for creating Domain Policies. + Further, although the Windows 95 Policy Editor can be installed on an NT4 + Workstation/Server, it will not work with NT clients. However, the files from + the NT Server will run happily enough on an NT4 Workstation. 
+ - -New to MS Windows 2000 Microsoft introduced a new style of group policy that confers -a superset of capabilities compared with NT4 style policies. Obviously, the tool used -to create them is different, and the mechanism for implementing them is much changed. - + + You need poledit.exe, common.adm and winnt.adm. + It is convenient to put the two *.adm files in the c:\winnt\inf + directory which is where the binary will look for them unless told otherwise. Note also that that + directory is normally 'hidden'. + - -The older NT4 style registry based policies are known as Administrative Templates -in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security -configurations, enforce Internet Explorer browser settings, change and redirect aspects of the -users' desktop (including: the location of My Documents files (directory), as -well as intrinsics of where menu items will appear in the Start menu). An additional new -feature is the ability to make available particular software Windows applications to particular -users and/or groups. - + + The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using servicepackname /x, + i.e. that's Nt4sp6ai.exe /x for service pack 6a. The policy editor, + poledit.exe and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. + - -Remember: NT4 policy files are named NTConfig.POL and are stored in the root -of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password -and selects the domain name to which the logon will attempt to take place. 
During the logon -process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating -server, modifies the local registry values according to the settings in this file. - + + Registry Spoiling - -Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of -a Windows 200x policy file is stored in the Active Directory itself and the other part is stored -in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active -Directory domain controllers. The part that is stored in the Active Directory itself is called the -group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is -known as the group policy template (GPT). - + + With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + - -With NT4 clients the policy file is read and executed upon only as each user logs onto the network. -MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine -startup (machine specific part) and when the user logs onto the network the user specific part -is applied. In MS Windows 200x style policy management each machine and/or user may be subject -to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows -the administrator to also set filters over the policy settings. No such equivalent capability -exists with NT4 style policy files. 
- - -Administration of Win2K / XP Policies + + + + MS Windows 200x / XP Professional Policies -Instructions - -Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the -executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console -(MMC) snap-in as follows: - - - -Go to the Windows 200x / XP menu Start->Programs->Administrative Tools - and select the MMC snap-in called "Active Directory Users and Computers" - - + + Windows NT4 System policies allows setting of registry parameters specific to + users, groups and computers (client workstations) that are members of the NT4 + style domain. Such policy file will work with MS Windows 2000 / XP clients also. + - -Select the domain or organizational unit (OU) that you wish to manage, then right click -to open the context menu for that object, select the properties item. - + + New to MS Windows 2000 Microsoft introduced a new style of group policy that confers + a superset of capabilities compared with NT4 style policies. Obviously, the tool used + to create them is different, and the mechanism for implementing them is much changed. + - -Now left click on the Group Policy tab, then left click on the New tab. Type a name -for the new policy you will create. - + + The older NT4 style registry based policies are known as Administrative Templates + in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security + configurations, enforce Internet Explorer browser settings, change and redirect aspects of the + users' desktop (including: the location of My Documents files (directory), as + well as intrinsics of where menu items will appear in the Start menu). An additional new + feature is the ability to make available particular software Windows applications to particular + users and/or groups. + - -Now left click on the Edit tab to commence the steps needed to create the GPO. 
- - + + Remember: NT4 policy files are named NTConfig.POL and are stored in the root + of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password + and selects the domain name to which the logon will attempt to take place. During the logon + process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating + server, modifies the local registry values according to the settings in this file. + - -All policy configuration options are controlled through the use of policy administrative -templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. -Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. -The later introduces many new features as well as extended definition capabilities. It is -well beyond the scope of this documentation to explain how to program .adm files, for that -the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular -version of MS Windows. - + + Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of + a Windows 200x policy file is stored in the Active Directory itself and the other part is stored + in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active + Directory domain controllers. The part that is stored in the Active Directory itself is called the + group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is + known as the group policy template (GPT). + - - -The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used -to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you -use this powerful tool. Please refer to the resource kit manuals for specific usage information. - - + + With NT4 clients the policy file is read and executed upon only as each user logs onto the network. 
+ MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine + startup (machine specific part) and when the user logs onto the network the user specific part + is applied. In MS Windows 200x style policy management each machine and/or user may be subject + to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows + the administrator to also set filters over the policy settings. No such equivalent capability + exists with NT4 style policy files. + - - + + Administration of Win2K / XP Policies + + + Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the + executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console + (MMC) snap-in as follows: + + + + Go to the Windows 200x / XP menu Start->Programs->Administrative Tools + and select the MMC snap-in called "Active Directory Users and Computers" + + + + + Select the domain or organizational unit (OU) that you wish to manage, then right click + to open the context menu for that object, select the properties item. + + + + Now left click on the Group Policy tab, then left click on the New tab. Type a name + for the new policy you will create. + + + + Now left click on the Edit tab to commence the steps needed to create the GPO. + + + + + All policy configuration options are controlled through the use of policy administrative + templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. + Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. + The later introduces many new features as well as extended definition capabilities. It is + well beyond the scope of this documentation to explain how to program .adm files, for that + the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular + version of MS Windows. 
+ + + + + The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used + to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you + use this powerful tool. Please refer to the resource kit manuals for specific usage information. + + + + + @@ -272,7 +314,7 @@ applied to the user's part of the registry. MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory -itself. The key benefit of using AS GPOs is that they impose no registry tatooing effect. +itself. The key benefit of using AS GPOs is that they impose no registry spoiling effect. This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates. 
@@ -293,27 +335,36 @@ Common restrictions that are frequently used includes: - -With Windows NT4/200x + + Samba Editreg Toolset - -The tools that may be used to configure these types of controls from the MS Windows environment are: -The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). -Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate -"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. - - + + Describe in detail the benefits of editreg and how to use it. + - -With a Samba PDC + - -With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -smbpasswd, pdbedit, net, rpcclient.. The administrator should read the -man pages for these tools and become familiar with their use. - + + Windows NT4/200x - + + The tools that may be used to configure these types of controls from the MS Windows environment are: + The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). + Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate + "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor. + + + + + Samba PDC + + + With a Samba Domain Controller, the new tools for managing of user account and policy information includes: + smbpasswd, pdbedit, net, rpcclient.. The administrator should read the + man pages for these tools and become familiar with their use. + + + @@ -381,4 +432,14 @@ reboot and as part of the user logon: + + +Common Errors + + +Stuff goes here. + + + + diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 140dd44ba1..58c6af3b90 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml 
@@ -6,6 +6,30 @@ Desktop Profile Management + +Features and Benefits + + +Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for +some administrators. + + + +Roaming Profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage Roaming Profiles. + + + +While Roaming Profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely Local Profiles. +This chapter provides information to help the Samba administrator to deal with those +situations also. + + + + Roaming Profiles 
@@ -1171,6 +1195,106 @@ be either: + + + +Can NOT use Roaming Profiles + + + +> I dont want Roaming profile to be implemented, I just want to give users +> local profiles only. +... +> Please help me I am totally lost with this error from past two days I tried +> everything and googled around quite a bit but of no help. Please help me. + + +Your choices are: + 1. Local profiles + - I know of no registry keys that will allow auto-deletion + of LOCAL profiles on log out + 2. Roaming profiles + - your options here are: + - can use auto-delete on logout option + - requires a registry key change on workstation + a) Personal Roaming profiles + - should be preserved on a central server + - workstations 'cache' (store) a local copy + - used in case the profile can not be downloaded + at next logon + b) Group profiles + - loaded from a cetral place + c) Mandatory profiles + - can be personal or group + - can NOT be changed (except by an administrator + +A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. +Outlook PST files are most often part of the profile and can be many GB in +size. On average (in a well controlled environment) roaming profie size of +2MB is a good rule of thumb to use for planning purposes. In an +undisciplined environment I have seen up to 2GB profiles. Users tend to +complain when it take an hour to log onto a workstation but they harvest +the fuits of folly (and ignorance). + +The point of all the above is to show that roaming profiles and good +controls of how they can be changed as well as good discipline make up for +a problem free site. + +PS: Microsoft's answer to the PST problem is to store all email in an MS +Exchange Server back-end. But this is another story ...! 
+ +So, having LOCAL profiles means: + a) If lots of users user each machine + - lot's of local disk storage needed for local profiles + b) Every workstation the user logs into has it's own profile + - can be very different from machine to machine + +On the other hand, having roaming profiles means: + a) The network administrator can control EVERY aspect of user + profiles + b) With the use of mandatory profiles - a drastic reduction + in network management overheads + c) User unhappiness about not being able to change their profiles + soon fades as they get used to being able to work reliably + +But note: + +I have managed and installed MANY NT/2K networks and have NEVER found one +where users who move from machine to machine are happy with local +profiles. In the long run local profiles bite them. + +> When the client tries to logon to the PDC it looks for a profile to download +> where do I put this default profile. + +Firstly, your samba server need to be configured as a domain controller. + server = user + os level = 32 (or more) + domain logons = Yes + + Plus you need to have a NETLOGON share that is world readable. + It is a good idea to add a logon script to pre-set printer and + drive connections. There is also a facility for automatically + synchronizing the workstation time clock with that of the logon + server (another good thing to do). + +Note: To invoke auto-deletion of roaming profile from the local +workstation cache (disk storage) you need to use the Group Policy Editor +to create a file called NTConfig.POL with the appropriate entries. This +file needs to be located in the NETLOGON share root directory. + +Oh, of course the windows clients need to be members of the domain. +Workgroup machines do NOT do network logons - so they never see domain +profiles. 
+ +Secondly, for roaming profiles you need: + + logon path = \\%N\profiles\%U (with some such path) + logon drive = H: (Z: is the default) + + Plus you need a PROFILES share that is world writable. + + + -- cgit
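Review bot: the two sentences added in the AdvancedNetworkAdmin.xml hunk at @@ -82,8 +82,9 contradict each other: "It is presented in slightly edited form" is immediately followed by "The entire answer is reproduced below with some comments removed", which claims both "entire" and "some comments removed". Keep a single sentence, e.g. "It is presented in slightly edited form, with some comments and the author details removed."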
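Review bot: subject-verb disagreement in the new Features and Benefits paragraphs for PolicyMgmt.xml: "adoption of the true potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users and machines were picked up on rather slowly" has "adoption" as its subject and should read "was taken up rather slowly". Likewise "MS Windows 2000 and Active Directory was released" wants "were released". The sentence "The editreg tool is described in this document" is a promise the rest of the patch has to keep (see the note on the Samba Editreg Toolset hunk).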
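Review bot: the @@ -55,194 +98,193 hunk of PolicyMgmt.xml folds a whitespace-only reindent of the entire section into the same change as the rename of the "Registry Tattoos" title, which makes the one substantive edit almost impossible to see in the diff; do the reindent as a separate commit. Since every line is being rewritten anyway, the typos carried over into the + lines should be fixed now: "restore it's settings" (its), "The later includes" and "The later introduces" (latter), "interchangible", "adminsitrator", "concurently", and "It is also possible to downloaded the policy template files". In the same hunk "i.e. that's Nt4sp6ai.exe /x for service pack 6a" gives an example, so "e.g." is meant.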
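Review bot: the only change in the @@ -272,7 +314,7 hunk replaces "tatooing" with "spoiling", but the body text in this same patch still explains the behaviour as "This is known as tattooing", and tattooing is the term administrators know and search for; keep "tattooing" (correctly spelt) here and make the renamed section title "Registry Spoiling" agree with it. The + line also preserves two errors that could have been fixed in passing: "AS GPOs" should be "AD GPOs", and "considerable advanage" should be "advantage".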
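Review bot: the new "Samba Editreg Toolset" section in the @@ -293,27 +335,36 hunk of PolicyMgmt.xml contains only the placeholder "Describe in detail the benefits of editreg and how to use it.", while the chapter's new introduction states that "The editreg tool is described in this document". Either write the description before this lands (what editreg reads and writes, and which registry hive files it is safe to point it at) or drop the promise from the introduction, and mark the placeholder as an XML comment (<!-- TODO -->) rather than visible prose so it cannot ship in the generated output. The re-indented lines in the same hunk also carry "Managment", "approapriate" and the stray double full stop in "rpcclient..", which should be fixed here.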
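Review bot: "Stuff goes here." in the Common Errors section added by the @@ -381,4 +432,14 hunk of PolicyMgmt.xml is a placeholder that will appear verbatim in the generated documentation. Either omit the section until there is content or put the reminder in an XML comment so it is easy to find and cannot be rendered.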
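Review bot: "server = user" in the smb.conf fragment added by the @@ -1171,6 +1195,106 hunk of ProfileMgmt.xml is not a valid parameter; the setting that makes Samba a domain controller is "security = user", and Samba will log the line as an unknown parameter and ignore it, so a reader who copies the fragment gets a server that does not behave as described. Two share-permission statements in the same hunk need a caveat rather than being reproduced as-is: the NETLOGON share holds the logon scripts and the NTConfig.POL that every client runs or applies at logon, so it should be readable by all domain users but writable only by the administrator ("writable = no" on the share), and a PROFILES share that is "world writable" lets any user read and alter every other user's profile directory, including NTuser.dat, so profile directories should be created owner-only (for example "create mask = 0600" and "directory mask = 0700" on that share) instead of world access. Minor: if the list reply is to serve as documentation rather than a quotation, fix "cetral", "profie", "fuits" and "lot's", and reconsider the section title "Can NOT use Roaming Profiles", which does not match content that argues in favour of roaming profiles.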