--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 25. System and Account Policies</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="AdvancedNetworkManagement.html" title="Chapter 24. Advanced Network Management"><link rel="next" href="ProfileMgmt.html" title="Chapter 26. Desktop Profile Management"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 25. System and Account Policies</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="PolicyMgmt"></a>Chapter 25. System and Account Policies</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="PolicyMgmt.html#id2625507">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id2625613">Creating and Managing System Policies</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id2625802">Windows 9x/ME Policies</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id2625939">Windows NT4-Style Policy Files</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id2626161">MS Windows 200x/XP Professional Policies</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id2626609">Managing Account/User Policies</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id2626836">Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id2626849">Samba Editreg Toolset</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id2626931">Windows NT4/200x</a></span></dt><dt><span class="sect2"><a href="PolicyMgmt.html#id2626971">Samba PDC</a></span></dt></dl></dd><dt><span class="sect1"><a href="PolicyMgmt.html#id2627036">System Startup and Logon Processing Overview</a></span></dt><dt><span class="sect1"><a href="PolicyMgmt.html#id2627194">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="PolicyMgmt.html#id2627205">Policy Does Not Work</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2625494"></a>
+This chapter summarizes the current state of knowledge derived from personal
+practice and knowledge from Samba mailing list subscribers. Before reproduction
+of posted information, every effort has been made to validate the information given.
+Where additional information was uncovered through this validation, it is provided
+also.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625507"></a>Features and Benefits</h2></div></div></div><p>
+<a class="indexterm" name="id2625515"></a>
+<a class="indexterm" name="id2625522"></a>
+<a class="indexterm" name="id2625529"></a>
+When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement
+Group Policies for users and groups. Then along came MS Windows NT4 and a few sites
+started to adopt this capability. How do we know that? By the number of “<span class="quote">boo-boos</span>”
+(or mistakes) administrators made and then requested help to resolve.
+</p><p>
+<a class="indexterm" name="id2625548"></a>
+<a class="indexterm" name="id2625555"></a>
+<a class="indexterm" name="id2625564"></a>
+<a class="indexterm" name="id2625571"></a>
+<a class="indexterm" name="id2625578"></a>
+By the time that MS Windows 2000 and Active Directory was released, administrators
+got the message: Group Policies are a good thing! They can help reduce administrative
+costs and actually make happier users. But adoption of the true
+potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
+and machines were picked up on rather slowly. This was obvious from the Samba
+mailing list back in 2000 and 2001 when there were few postings regarding GPOs and
+how to replicate them in a Samba environment.
+</p><p>
+<a class="indexterm" name="id2625599"></a>
+Judging by the traffic volume since mid 2002, GPOs have become a standard part of
+the deployment in many sites. This chapter reviews techniques and methods that can
+be used to exploit opportunities for automation of control over user desktops and
+network client workstations.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625613"></a>Creating and Managing System Policies</h2></div></div></div><p>
+<a class="indexterm" name="id2625621"></a>
+<a class="indexterm" name="id2625628"></a>
+<a class="indexterm" name="id2625635"></a>
+<a class="indexterm" name="id2625642"></a>
+Under MS Windows platforms, particularly those following the release of MS Windows
+NT4 and MS Windows 95, it is possible to create a type of file that would be placed
+in the NETLOGON share of a domain controller. As the client logs onto the network,
+this file is read and the contents initiate changes to the registry of the client
+machine. This file allows changes to be made to those parts of the registry that
+affect users, groups of users, or machines.
+</p><p>
+<a class="indexterm" name="id2625660"></a>
+<a class="indexterm" name="id2625667"></a>
+<a class="indexterm" name="id2625673"></a>
+For MS Windows 9x/Me, this file must be called <code class="filename">Config.POL</code> and may
+be generated using a tool called <code class="filename">poledit.exe</code>, better known as the
+Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but
+disappeared again with the introduction of MS Windows Me. From
+comments of MS Windows network administrators, it would appear that this tool became
+a part of the MS Windows Me Resource Kit.
+</p><p>
+<a class="indexterm" name="id2625702"></a>
+MS Windows NT4 server products include the <span class="emphasis"><em>System Policy Editor</em></span>
+under <span class="guimenu">Start -> Programs -> Administrative Tools</span>.
+For MS Windows NT4 and later clients, this file must be called <code class="filename">NTConfig.POL</code>.
+</p><p>
+<a class="indexterm" name="id2625731"></a>
+New with the introduction of MS Windows 2000 was the Microsoft Management Console
+or MMC. This tool is the new wave in the ever-changing landscape of Microsoft
+methods for management of network access and security. Every new Microsoft product
+or technology seems to make the old rules obsolete and introduces newer and more
+complex tools and methods. To Microsoft's credit, the MMC does appear to
+be a step forward, but improved functionality comes at a great price.
+</p><p>
+<a class="indexterm" name="id2625748"></a>
+<a class="indexterm" name="id2625755"></a>
+<a class="indexterm" name="id2625762"></a>
+<a class="indexterm" name="id2625769"></a>
+Before embarking on the configuration of network and system policies, it is highly
+advisable to read the documentation available from Microsoft's Web site regarding
+<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp" target="_top">
+Implementing Profiles and Policies in Windows NT 4.0</a>.
+There are a large number of documents in addition to this old one that should also
+be read and understood. Try searching on the Microsoft Web site for “<span class="quote">Group Policies</span>”.
+</p><p>
+What follows is a brief discussion with some helpful notes. The information provided
+here is incomplete you are warned.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2625802"></a>Windows 9x/ME Policies</h3></div></div></div><p>
+<a class="indexterm" name="id2625810"></a>
+<a class="indexterm" name="id2625817"></a>
+ You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me.
+ It can be found on the original full-product Windows 98 installation CD-ROM under
+ <code class="filename">tools\reskit\netadmin\poledit</code>. Install this using the
+ Add/Remove Programs facility, and then click on <span class="guiicon">Have Disk</span>.
+ </p><p>
+<a class="indexterm" name="id2625843"></a>
+<a class="indexterm" name="id2625850"></a>
+ Use the Group Policy Editor to create a policy file that specifies the location of
+ user profiles and/or <code class="filename">My Documents</code>, and so on. Then save these
+ settings in a file called <code class="filename">Config.POL</code> that needs to be placed in the
+ root of the <em class="parameter"><code>[NETLOGON]</code></em> share. If Windows 98 is configured to log onto
+ the Samba domain, it will automatically read this file and update the Windows 9x/Me registry
+ of the machine as it logs on.
+ </p><p>
+ Further details are covered in the Windows 98 Resource Kit documentation.
+ </p><p>
+<a class="indexterm" name="id2625889"></a>
+ If you do not take the correct steps, then every so often Windows 9x/Me will check the
+ integrity of the registry and restore its settings from the backup
+ copy of the registry it stores on each Windows 9x/Me machine. So, you will
+ occasionally notice things changing back to the original settings.
+ </p><p>
+<a class="indexterm" name="id2625904"></a>
+<a class="indexterm" name="id2625911"></a>
+ Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the
+ Windows 98 CD-ROM in <code class="filename">\tools\reskit\netadmin\poledit</code>.
+ Install Group Policies on a Windows 9x/Me client by double-clicking on
+ <code class="filename">grouppol.inf</code>. Log off and on again a couple of times and see
+ if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
+ Windows 9x/Me machine that uses Group Policies.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2625939"></a>Windows NT4-Style Policy Files</h3></div></div></div><p>
+<a class="indexterm" name="id2625947"></a>
+<a class="indexterm" name="id2625954"></a>
+<a class="indexterm" name="id2625961"></a>
+<a class="indexterm" name="id2625968"></a>
+ To create or edit <code class="filename">ntconfig.pol</code>, you must use the NT Server
+ Policy Editor, <span><strong class="command">poledit.exe</strong></span>, which is included with NT4 Server
+ but not with NT workstation. There is a Policy Editor on an NT4
+ Workstation but it is not suitable for creating domain policies.
+ Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
+ workstation/server, it will not work with NT clients. However, the files from
+ the NT Server will run happily enough on an NT4 workstation.
+ </p><p>
+<a class="indexterm" name="id2625998"></a>
+<a class="indexterm" name="id2626004"></a>
+<a class="indexterm" name="id2626011"></a>
+<a class="indexterm" name="id2626018"></a>
+ You need <code class="filename">poledit.exe</code>, <code class="filename">common.adm</code>, and <code class="filename">winnt.adm</code>.
+ It is convenient to put the two <code class="filename">*.adm</code> files in the <code class="filename">c:\winnt\inf</code>
+ directory, which is where the binary will look for them unless told otherwise. This
+ directory is normally “<span class="quote">hidden.</span>”
+ </p><p>
+<a class="indexterm" name="id2626064"></a>
+<a class="indexterm" name="id2626071"></a>
+<a class="indexterm" name="id2626078"></a>
+<a class="indexterm" name="id2626085"></a>
+ The Windows NT Policy Editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <span><strong class="command">servicepackname /x</strong></span>
+ that's <span><strong class="command">Nt4sp6ai.exe /x</strong></span> for Service Pack 6a. The Policy Editor,
+ <span><strong class="command">poledit.exe</strong></span>, and the associated template files (*.adm) should
+ be extracted as well. It is also possible to download the policy template
+ files for Office97 and get a copy of the Policy Editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2626121"></a>Registry Spoiling</h4></div></div></div><p>
+<a class="indexterm" name="id2626129"></a>
+<a class="indexterm" name="id2626136"></a>
+ With NT4-style registry-based policy changes, a large number of settings are not
+ automatically reversed as the user logs off. The settings that were in the
+ <code class="filename">NTConfig.POL</code> file were applied to the client machine registry and apply to the
+ hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
+ as tattooing. It can have serious consequences downstream, and the administrator must
+ be extremely careful not to lock out the ability to manage the machine at a later date.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2626161"></a>MS Windows 200x/XP Professional Policies</h3></div></div></div><p>
+<a class="indexterm" name="id2626169"></a>
+ Windows NT4 system policies allow the setting of registry parameters specific to
+ users, groups, and computers (client workstations) that are members of the NT4-style
+ domain. Such policy files will work with MS Windows 200x/XP clients also.
+ </p><p>
+ New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers
+ a superset of capabilities compared with NT4-style policies. Obviously, the tool used
+ to create them is different, and the mechanism for implementing them is much improved.
+ </p><p>
+ <a class="indexterm" name="id2626191"></a>
+<a class="indexterm" name="id2626198"></a>
+ The older NT4-style registry-based policies are known as <span class="emphasis"><em>Administrative Templates</em></span>
+ in MS Windows 2000/XP GPOs. The latter includes the ability to set various security
+ configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+ users desktop (including the location of <code class="filename">My Documents</code> files, as
+ well as intrinsics of where menu items will appear in the Start menu). An additional new
+ feature is the ability to make available particular software Windows applications to particular
+ users and/or groups.
+ </p><p>
+<a class="indexterm" name="id2626226"></a>
+<a class="indexterm" name="id2626233"></a>
+<a class="indexterm" name="id2626240"></a>
+ Remember, NT4 policy files are named <code class="filename">NTConfig.POL</code> and are stored in the root
+ of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password
+ and selects the domain name to which the logon will attempt to take place. During the logon process,
+ the client machine reads the <code class="filename">NTConfig.POL</code> file from the NETLOGON share on
+ the authenticating server and modifies the local registry values according to the settings in this file.
+ </p><p>
+<a class="indexterm" name="id2626270"></a>
+<a class="indexterm" name="id2626277"></a>
+<a class="indexterm" name="id2626284"></a>
+<a class="indexterm" name="id2626290"></a>
+<a class="indexterm" name="id2626297"></a>
+<a class="indexterm" name="id2626304"></a>
+<a class="indexterm" name="id2626313"></a>
+<a class="indexterm" name="id2626323"></a>
+ Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
+ a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+ in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+ Directory domain controllers. The part that is stored in the Active Directory itself is called the
+ Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
+ known as the Group Policy Template (GPT).
+ </p><p>
+<a class="indexterm" name="id2626342"></a>
+ With NT4 clients, the policy file is read and executed only as each user logs onto the network.
+ MS Windows 200x policies are much more complex GPOs are processed and applied at client machine
+ startup (machine specific part), and when the user logs onto the network, the user-specific part
+ is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
+ to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
+ the administrator to also set filters over the policy settings. No such equivalent capability
+ exists with NT4-style policy files.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2626364"></a>Administration of Windows 200x/XP Policies</h4></div></div></div><p>
+ <a class="indexterm" name="id2626372"></a>
+ <a class="indexterm" name="id2626378"></a>
+<a class="indexterm" name="id2626385"></a>
+<a class="indexterm" name="id2626392"></a>
+<a class="indexterm" name="id2626399"></a>
+ Instead of using the tool called <span class="application">the System Policy Editor</span>, commonly called Poledit (from the
+ executable name <span><strong class="command">poledit.exe</strong></span>), <span class="acronym">GPOs</span> are created and managed using a
+ <span class="application">Microsoft Management Console</span> <span class="acronym">(MMC)</span> snap-in as follows:</p><div class="procedure"><ol type="1"><li><p>
+ Go to the Windows 200x/XP menu <span class="guimenu">Start->Programs->Administrative Tools</span>
+ and select the MMC snap-in called <span class="guimenuitem">Active Directory Users and Computers</span>
+ </p></li><li><p>
+<a class="indexterm" name="id2626463"></a>
+ Select the domain or organizational unit (OU) that you wish to manage, then right-click
+ to open the context menu for that object, and select the <span class="guibutton">Properties</span>.
+ </p></li><li><p>
+ Left-click on the <span class="guilabel">Group Policy</span> tab, then
+ left-click on the New tab. Type a name
+ for the new policy you will create.
+ </p></li><li><p>
+ Left-click on the <span class="guilabel">Edit</span> tab to commence the steps needed to create the GPO.
+ </p></li></ol></div><p>
+ All policy configuration options are controlled through the use of policy administrative
+ templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
+ Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
+ The latter introduces many new features as well as extended definition capabilities. It is
+ well beyond the scope of this documentation to explain how to program .adm files; for that,
+ refer to the Microsoft Windows Resource Kit for your particular
+ version of MS Windows.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2626529"></a>
+<a class="indexterm" name="id2626535"></a>
+<a class="indexterm" name="id2626542"></a>
+ The MS Windows 2000 Resource Kit contains a tool called <span><strong class="command">gpolmig.exe</strong></span>. This tool can be used
+ to migrate an NT4 <code class="filename">NTConfig.POL</code> file into a Windows 200x style GPO. Be VERY careful how you
+ use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2626569"></a>Custom System Policy Templates</h4></div></div></div><p>
+ Over the past year, there has been a bit of talk regarding the creation of customized
+ templates for the Windows Sytem Policy Editor. A recent announcement on the Samba mailing
+ list is worthy of mention.
+ </p><p>
+ Mike Petersen has announced the availability of a template file he has created. This custom System Policy
+ Editor Template will allow you to successfully control Microsoft Windows workstations from an SMB server, such
+ as Samba. This template has been tested on a few networks, although if you find any problems with any of these
+ policies, or have any ideas for additional policies, let me know at mailto:mgpeter@pcc-services.com. This
+ Template includes many policies for Windows XP to allow it to behave better in a professional environment.
+ </p><p>
+ For further information please see the <a href="http://www.pcc-services.com/custom_poledit.html" target="_top">Petersen</a> Computer Consulting web site. There is
+ a download link for the template file.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2626609"></a>Managing Account/User Policies</h2></div></div></div><p>
+<a class="indexterm" name="id2626618"></a>
+<a class="indexterm" name="id2626624"></a>
+<a class="indexterm" name="id2626631"></a>
+Policies can define a specific user's settings or the settings for a group of users. The resulting
+policy file contains the registry settings for all users, groups, and computers that will be using
+the policy file. Separate policy files for each user, group, or computer are not necessary.
+</p><p>
+<a class="indexterm" name="id2626646"></a>
+If you create a policy that will be automatically downloaded from validating domain controllers,
+you should name the file <code class="filename">NTConfig.POL</code>. As system administrator, you have the option of renaming the
+policy file and, by modifying the Windows NT-based workstation, directing the computer to update
+the policy from a manual path. You can do this by either manually changing the registry or by using
+the System Policy Editor. This can even be a local path such that each machine has its own policy file,
+but if a change is necessary to all machines, it must be made individually to each workstation.
+</p><p>
+<a class="indexterm" name="id2626672"></a>
+<a class="indexterm" name="id2626679"></a>
+When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
+the authenticating domain controller for the presence of the <code class="filename">NTConfig.POL</code> file. If one exists, it is
+downloaded, parsed, and then applied to the user's part of the registry.
+</p><p>
+<a class="indexterm" name="id2626700"></a>
+<a class="indexterm" name="id2626707"></a>
+<a class="indexterm" name="id2626713"></a>
+<a class="indexterm" name="id2626720"></a>
+MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
+acquire policy settings through GPOs that are defined and stored in Active Directory
+itself. The key benefit of using AD GPOs is that they impose no registry <span class="emphasis"><em>spoiling</em></span> effect.
+This has considerable advantage compared with the use of <code class="filename">NTConfig.POL</code> (NT4) style policy updates.
+</p><p>
+<a class="indexterm" name="id2626746"></a>
+<a class="indexterm" name="id2626753"></a>
+In addition to user access controls that may be imposed or applied via system and/or group policies
+in a manner that works in conjunction with user profiles, the user management environment under
+MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied.
+Common restrictions that are frequently used include:
+</p><p>
+<a class="indexterm" name="id2626769"></a>
+</p><div class="itemizedlist"><ul type="disc"><li><p>Logon hours</p></li><li><p>Password aging</p></li><li><p>Permitted logon from certain machines only</p></li><li><p>Account type (local or global)</p></li><li><p>User rights</p></li></ul></div><p>
+</p><p>
+<a class="indexterm" name="id2626806"></a>
+<a class="indexterm" name="id2626813"></a>
+Samba-3.0.20 does not yet implement all account controls that are common to MS Windows NT4/200x/XP.
+While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password
+expiry is functional today. Most of the remaining controls at this time have only stub routines
+that may eventually be completed to provide actual control. Do not be misled by the fact that a
+parameter can be set using the NT4 Domain User Manager or in the <code class="filename">NTConfig.POL</code>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2626836"></a>Management Tools</h2></div></div></div><p>
+Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
+The following sections describe a few key tools that will help you to create a low-maintenance user
+environment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2626849"></a>Samba Editreg Toolset</h3></div></div></div><p>
+ <a class="indexterm" name="id2626857"></a>
+ <a class="indexterm" name="id2626864"></a>
+ <a class="indexterm" name="id2626870"></a>
+ A new tool called <span><strong class="command">editreg</strong></span> is under development. This tool can be used
+ to edit registry files (called <code class="filename">NTUser.DAT</code>) that are stored in user
+ and group profiles. <code class="filename">NTConfig.POL</code> files have the same structure as the
+ <code class="filename">NTUser.DAT</code> file and can be edited using this tool. <span><strong class="command">editreg</strong></span>
+ is being built with the intent to enable <code class="filename">NTConfig.POL</code> files to be saved in text format and to
+ permit the building of new <code class="filename">NTConfig.POL</code> files with extended capabilities. It is proving difficult
+ to realize this capability, so do not be surprised if this feature does not materialize. Formal
+ capabilities will be announced at the time that this tool is released for production use.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2626931"></a>Windows NT4/200x</h3></div></div></div><p>
+<a class="indexterm" name="id2626939"></a>
+<a class="indexterm" name="id2626946"></a>
+<a class="indexterm" name="id2626953"></a>
+ The tools that may be used to configure these types of controls from the MS Windows environment are
+ the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
+ Under MS Windows 200x/XP, this is done using the MMC with appropriate
+ “<span class="quote">snap-ins,</span>” the registry editor, and potentially also the NT4 System and Group Policy Editor.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2626971"></a>Samba PDC</h3></div></div></div><p>
+<a class="indexterm" name="id2626979"></a>
+<a class="indexterm" name="id2626986"></a>
+<a class="indexterm" name="id2626993"></a>
+<a class="indexterm" name="id2627000"></a>
+ With a Samba domain controller, the new tools for managing user account and policy information include:
+ <span><strong class="command">smbpasswd</strong></span>, <span><strong class="command">pdbedit</strong></span>, <span><strong class="command">net</strong></span>, and <span><strong class="command">rpcclient</strong></span>.
+ The administrator should read the man pages for these tools and become familiar with their use.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2627036"></a>System Startup and Logon Processing Overview</h2></div></div></div><p>
+The following attempts to document the order of processing the system and user policies following a system
+reboot and as part of the user logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+<a class="indexterm" name="id2627058"></a>
+<a class="indexterm" name="id2627068"></a>
+ Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming
+ convention provider (MUP) start.
+ </p></li><li><p>
+<a class="indexterm" name="id2627084"></a>
+<a class="indexterm" name="id2627091"></a>
+ Where Active Directory is involved, an ordered list of GPOs is downloaded
+ and applied. The list may include GPOs that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Apply to the location of machines in a directory.</p></li><li><p>Apply only when settings have changed.</p></li><li><p>Depend on configuration of the scope of applicability: local,
+ site, domain, organizational unit, and so on.</p></li></ul></div><p>
+ No desktop user interface is presented until the above have been processed.
+ </p></li><li><p>
+ Execution of startup scripts (hidden and synchronous by default).
+ </p></li><li><p>
+ A keyboard action to effect start of logon (Ctrl-Alt-Del).
+ </p></li><li><p>
+ User credentials are validated, user profile is loaded (depends on policy settings).
+ </p></li><li><p>
+ An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
+
+</p><div class="itemizedlist"><ul type="disc"><li><p>Is the user a domain member, thus subject to particular policies?</p></li><li><p>Loopback enablement, and the state of the loopback policy (merge or replace).</p></li><li><p>Location of the Active Directory itself.</p></li><li><p>Has the list of GPOs changed? No processing is needed if not changed.</p></li></ul></div><p>
+ </p></li><li><p>
+ User policies are applied from Active Directory. Note: There are several types.
+ </p></li><li><p>
+ Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs
+ (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
+ window.
+ </p></li><li><p>
+ The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
+ domain), machine (system) policies are applied at startup; user policies are applied at logon.
+ </p></li></ol></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2627194"></a>Common Errors</h2></div></div></div><p>
+Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following
+collection demonstrates only basic issues.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2627205"></a>Policy Does Not Work</h3></div></div></div><p>
+“<span class="quote">We have created the <code class="filename">Config.POL</code> file and put it in the <span class="emphasis"><em>NETLOGON</em></span> share.
+It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not
+work any longer since we upgraded to Win XP Pro. Any hints?</span>”
+</p><p>
+Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to
+use the NT4 Group Policy Editor to create a file called <code class="filename">NTConfig.POL</code> so it is in the
+correct format for your MS Windows XP Pro clients.
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="AdvancedNetworkManagement.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ProfileMgmt.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 24. Advanced Network Management </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 26. Desktop Profile Management</td></tr></table></div></body></html>
projects / samba / blobdiff