mirror of
https://github.com/samba-team/samba.git
synced 2025-01-27 14:04:05 +03:00
472 lines
20 KiB
XML
472 lines
20 KiB
XML
<chapter id="PolicyMgmt">
|
|
<chapterinfo>
|
|
&author.jht;
|
|
<pubdate>April 3 2003</pubdate>
|
|
</chapterinfo>
|
|
|
|
<title>System and Account Policies</title>
|
|
|
|
<para>
|
|
This chapter summarises the current state of knowledge derived from personal
|
|
practice and knowledge from samba mailing list subscribers. Before reproduction
|
|
of posted information effort has been made to validate the information provided.
|
|
Where additional information was uncovered through this validation it is provided
|
|
also.
|
|
</para>
|
|
|
|
<sect1>
|
|
<title>Features and Benefits</title>
|
|
|
|
<para>
|
|
When MS Windows NT3.5 was introduced the hot new topic was the ability to implement
|
|
Group Policies for users and group. Then along came MS Windows NT4 and a few sites
|
|
started to adopt this capability. How do we know that? By way of the number of "booboos"
|
|
(or mistakes) administrators made and then requested help to resolve.
|
|
</para>
|
|
|
|
<para>
|
|
By the time that MS Windows 2000 and Active Directory was released, administrators
|
|
got the message: Group Policies are a good thing! They can help reduce administrative
|
|
costs and actually can help to create happier users. But adoption of the true
|
|
potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
|
|
and machines were picked up on rather slowly. This was very obvious from the samba
|
|
mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
|
|
how to replicate them in a Samba environment.
|
|
</para>
|
|
|
|
<para>
|
|
Judging by the traffic volume since mid 2002, GPOs have become a standard part of
|
|
the deployment in many sites. This chapter reviews techniques and methods that can
|
|
be used to exploit opportunities for automation of control over user desktops and
|
|
network client workstations.
|
|
</para>
|
|
|
|
<para>
|
|
A tool new to Samba may become an important part of the future Samba Administrators'
|
|
arsenal. The <command>editreg</command> tool is described in this document.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Creating and Managing System Policies</title>
|
|
|
|
<para>
|
|
Under MS Windows platforms, particularly those following the release of MS Windows
|
|
NT4 and MS Windows 95) it is possible to create a type of file that would be placed
|
|
in the NETLOGON share of a domain controller. As the client logs onto the network
|
|
this file is read and the contents initiate changes to the registry of the client
|
|
machine. This file allows changes to be made to those parts of the registry that
|
|
affect users, groups of users, or machines.
|
|
</para>
|
|
|
|
<para>
|
|
For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
|
|
be generated using a tool called <filename>poledit.exe</filename>, better known as the
|
|
Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
|
|
disappeared again with the introduction of MS Windows Me (Millennium Edition). From
|
|
comments from MS Windows network administrators it would appear that this tool became
|
|
a part of the MS Windows Me Resource Kit.
|
|
</para>
|
|
|
|
<para>
|
|
MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
|
|
under the <filename>Start -> Programs -> Administrative Tools</filename> menu item.
|
|
For MS Windows NT4 and later clients this file must be called <filename>NTConfig.POL</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
New with the introduction of MS Windows 2000 was the Microsoft Management Console
|
|
or MMC. This tool is the new wave in the ever changing landscape of Microsoft
|
|
methods for management of network access and security. Every new Microsoft product
|
|
or technology seems to obsolete the old rules and to introduce newer and more
|
|
complex tools and methods. To Microsoft's credit though, the MMC does appear to
|
|
be a step forward, but improved functionality comes at a great price.
|
|
</para>
|
|
|
|
<para>
|
|
Before embarking on the configuration of network and system policies it is highly
|
|
advisable to read the documentation available from Microsoft's web site regarding
|
|
<ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">
|
|
Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
|
|
There are a large number of documents in addition to this old one that should also
|
|
be read and understood. Try searching on the Microsoft web site for "Group Policies".
|
|
</para>
|
|
|
|
<para>
|
|
What follows is a very brief discussion with some helpful notes. The information provided
|
|
here is incomplete - you are warned.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Windows 9x/Me Policies</title>
|
|
|
|
<para>
|
|
You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
|
|
It can be found on the Original full product Win98 installation CD under
|
|
<filename>tools/reskit/netadmin/poledit</filename>. Install this using the
|
|
Add/Remove Programs facility and then click on the 'Have Disk' tab.
|
|
</para>
|
|
|
|
<para>
|
|
Use the Group Policy Editor to create a policy file that specifies the location of
|
|
user profiles and/or the <filename>My Documents</filename> etc. Then save these
|
|
settings in a file called <filename>Config.POL</filename> that needs to be placed in the
|
|
root of the <smbconfsection>[NETLOGON]</smbconfsection> share. If Win98 is configured to log onto
|
|
the Samba Domain, it will automatically read this file and update the Win9x/Me registry
|
|
of the machine as it logs on.
|
|
</para>
|
|
|
|
<para>
|
|
Further details are covered in the Win98 Resource Kit documentation.
|
|
</para>
|
|
|
|
<para>
|
|
If you do not take the right steps, then every so often Win9x/Me will check the
|
|
integrity of the registry and will restore it's settings from the back-up
|
|
copy of the registry it stores on each Win9x/Me machine. Hence, you will
|
|
occasionally notice things changing back to the original settings.
|
|
</para>
|
|
|
|
<para>
|
|
Install the group policy handler for Win9x to pick up group policies. Look on the
|
|
Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
|
|
Install group policies on a Win9x client by double-clicking
|
|
<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
|
|
if Win98 picks up group policies. Unfortunately this needs to be done on every
|
|
Win9x/Me machine that uses group policies.
|
|
</para>
|
|
|
|
</sect2>
|
|
<sect2>
|
|
<title>Windows NT4 Style Policy Files</title>
|
|
|
|
<para>
|
|
To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
|
|
Policy Editor, <command>poledit.exe</command> which is included with NT4 Server
|
|
but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4
|
|
Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
|
|
Further, although the Windows 95 Policy Editor can be installed on an NT4
|
|
Workstation/Server, it will not work with NT clients. However, the files from
|
|
the NT Server will run happily enough on an NT4 Workstation.
|
|
</para>
|
|
|
|
<para>
|
|
You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
|
|
It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
|
|
directory which is where the binary will look for them unless told otherwise. Note also that that
|
|
directory is normally 'hidden'.
|
|
</para>
|
|
|
|
<para>
|
|
The Windows NT policy editor is also included with the Service Pack 3 (and
|
|
later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
|
|
i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
|
|
<command>poledit.exe</command> and the associated template files (*.adm) should
|
|
be extracted as well. It is also possible to downloaded the policy template
|
|
files for Office97 and get a copy of the policy editor. Another possible
|
|
location is with the Zero Administration Kit available for download from Microsoft.
|
|
</para>
|
|
|
|
<sect3>
|
|
<title>Registry Spoiling</title>
|
|
|
|
<para>
|
|
With NT4 style registry based policy changes, a large number of settings are not
|
|
automatically reversed as the user logs off. Since the settings that were in the
|
|
NTConfig.POL file were applied to the client machine registry and that apply to the
|
|
hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
|
|
as tattooing. It can have serious consequences down-stream and the administrator must
|
|
be extremely careful not to lock out the ability to manage the machine at a later date.
|
|
</para>
|
|
|
|
|
|
</sect3>
|
|
</sect2>
|
|
<sect2>
|
|
<title>MS Windows 200x / XP Professional Policies</title>
|
|
|
|
<para>
|
|
Windows NT4 System policies allows setting of registry parameters specific to
|
|
users, groups and computers (client workstations) that are members of the NT4
|
|
style domain. Such policy file will work with MS Windows 2000 / XP clients also.
|
|
</para>
|
|
|
|
<para>
|
|
New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
|
|
a superset of capabilities compared with NT4 style policies. Obviously, the tool used
|
|
to create them is different, and the mechanism for implementing them is much changed.
|
|
</para>
|
|
|
|
<para>
|
|
The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
|
|
in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
|
|
configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
|
|
users' desktop (including: the location of <filename>My Documents</filename> files (directory), as
|
|
well as intrinsics of where menu items will appear in the Start menu). An additional new
|
|
feature is the ability to make available particular software Windows applications to particular
|
|
users and/or groups.
|
|
</para>
|
|
|
|
<para>
|
|
Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
|
|
of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
|
|
and selects the domain name to which the logon will attempt to take place. During the logon
|
|
process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
|
|
server, modifies the local registry values according to the settings in this file.
|
|
</para>
|
|
|
|
<para>
|
|
Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
|
|
a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
|
|
in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
|
|
Directory domain controllers. The part that is stored in the Active Directory itself is called the
|
|
group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
|
|
known as the group policy template (GPT).
|
|
</para>
|
|
|
|
<para>
|
|
With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
|
|
MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
|
|
startup (machine specific part) and when the user logs onto the network the user specific part
|
|
is applied. In MS Windows 200x style policy management each machine and/or user may be subject
|
|
to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
|
|
the administrator to also set filters over the policy settings. No such equivalent capability
|
|
exists with NT4 style policy files.
|
|
</para>
|
|
|
|
<sect3>
|
|
<title>Administration of Win2K / XP Policies</title>
|
|
|
|
<para>
|
|
Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
|
|
executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
|
|
<application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
|
|
<procedure>
|
|
<step>
|
|
<para>
|
|
Go to the Windows 200x / XP menu <guimenu>Start->Programs->Administrative Tools</guimenu>
|
|
and select the MMC snap-in called <guimenuitem>Active Directory Users and Computers</guimenuitem>
|
|
</para>
|
|
</step>
|
|
|
|
<step><para>
|
|
Select the domain or organizational unit (OU) that you wish to manage, then right click
|
|
to open the context menu for that object, select the properties item.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now left click on the <guilabel>Group Policy</guilabel> tab, then left click on the New tab. Type a name
|
|
for the new policy you will create.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now left click on the <guilabel>Edit</guilabel> tab to commence the steps needed to create the GPO.
|
|
</para></step>
|
|
</procedure>
|
|
|
|
<para>
|
|
All policy configuration options are controlled through the use of policy administrative
|
|
templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
|
|
Beware however, since the .adm files are NOT interchangeable across NT4 and Windows 200x.
|
|
The later introduces many new features as well as extended definition capabilities. It is
|
|
well beyond the scope of this documentation to explain how to program .adm files, for that
|
|
the administrator is referred to the Microsoft Windows Resource Kit for your particular
|
|
version of MS Windows.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
|
|
to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
|
|
use this powerful tool. Please refer to the resource kit manuals for specific usage information.
|
|
</para>
|
|
</note>
|
|
|
|
</sect3>
|
|
</sect2>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Managing Account/User Policies</title>
|
|
|
|
<para>
|
|
Policies can define a specific user's settings or the settings for a group of users. The resulting
|
|
policy file contains the registry settings for all users, groups, and computers that will be using
|
|
the policy file. Separate policy files for each user, group, or computer are not necessary.
|
|
</para>
|
|
|
|
<para>
|
|
If you create a policy that will be automatically downloaded from validating domain controllers,
|
|
you should name the file NTconfig.POL. As system administrator, you have the option of renaming the
|
|
policy file and, by modifying the Windows NT-based workstation, directing the computer to update
|
|
the policy from a manual path. You can do this by either manually changing the registry or by using
|
|
the System Policy Editor. This path can even be a local path such that each machine has its own policy file,
|
|
but if a change is necessary to all machines, this change must be made individually to each workstation.
|
|
</para>
|
|
|
|
<para>
|
|
When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain
|
|
controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then
|
|
applied to the user's part of the registry.
|
|
</para>
|
|
|
|
<para>
|
|
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
|
|
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
|
|
itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
|
|
This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.
|
|
</para>
|
|
|
|
<para>
|
|
In addition to user access controls that may be imposed or applied via system and/or group policies
|
|
in a manner that works in conjunction with user profiles, the user management environment under
|
|
MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
|
|
Common restrictions that are frequently used includes:
|
|
</para>
|
|
|
|
<para>
|
|
<itemizedlist>
|
|
<listitem>Logon Hours</listitem>
|
|
<listitem>Password Aging</listitem>
|
|
<listitem>Permitted Logon from certain machines only</listitem>
|
|
<listitem>Account type (Local or Global)</listitem>
|
|
<listitem>User Rights</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Samba Editreg Toolset</title>
|
|
|
|
<para>
|
|
A new tool called <command>editreg</command> is under development. This tool can be used
|
|
to edit registry files (called NTUser.DAT) that are stored in user and group profiles.
|
|
NTConfig.POL files have the same structure as the NTUser.DAT file and can be editted using
|
|
this tool. <command>editreg</command> is being built with the intent to enable NTConfig.POL
|
|
files to be saved in text format and to permit the building of new NTConfig.POL files with
|
|
extended capabilities. It is proving difficult to realise this capability, so do not be surprised
|
|
if this feature does not materialise. Formal capabilities will be announced at the time that
|
|
this tool is released for production use.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Windows NT4/200x</title>
|
|
|
|
<para>
|
|
The tools that may be used to configure these types of controls from the MS Windows environment are:
|
|
The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
|
|
Under MS Windows 200x/XP this is done using the Microsoft Management Console (MMC) with appropriate
|
|
"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
|
|
</para>
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Samba PDC</title>
|
|
|
|
<para>
|
|
With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
|
|
<command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
|
|
The administrator should read the
|
|
man pages for these tools and become familiar with their use.
|
|
</para>
|
|
|
|
</sect2>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>System Startup and Logon Processing Overview</title>
|
|
|
|
<para>
|
|
The following attempts to document the order of processing of system and user policies following a system
|
|
reboot and as part of the user logon:
|
|
</para>
|
|
|
|
<orderedlist>
|
|
<listitem><para>
|
|
Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
|
|
Convention Provider (MUP) start
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
|
|
and applied. The list may include GPOs that:
|
|
<itemizedlist>
|
|
<listitem><para>Apply to the location of machines in a Directory</para></listitem>
|
|
<listitem><para>Apply only when settings have changed</para></listitem>
|
|
<listitem><para>Depend on configuration of scope of applicability: local, site, domain, organizational unit, etc.</para></listitem>
|
|
</itemizedlist>
|
|
No desktop user interface is presented until the above have been processed.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Execution of start-up scripts (hidden and synchronous by default).
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
A keyboard action to affect start of logon (Ctrl-Alt-Del).
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
User credentials are validated, User profile is loaded (depends on policy settings).
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
An ordered list of User GPOs is obtained. The list contents depends on what is configured in respect of:
|
|
|
|
<itemizedlist>
|
|
<listitem>Is user a domain member, thus subject to particular policies</listitem>
|
|
<listitem>Loopback enablement, and the state of the loopback policy (Merge or Replace)</listitem>
|
|
<listitem>Location of the Active Directory itself</listitem>
|
|
<listitem>Has the list of GPOs changed. No processing is needed if not changed.</listitem>
|
|
</itemizedlist>
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
User Policies are applied from Active Directory. Note: There are several types.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Logon scripts are run. New to Win2K and Active Directory, logon scripts may be obtained based on Group
|
|
Policy objects (hidden and executed synchronously). NT4 style logon scripts are then run in a normal
|
|
window.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like and NT4
|
|
Domain) machine (system) policies are applied at start-up, User policies are applied at logon.
|
|
</para></listitem>
|
|
</orderedlist>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Common Errors</title>
|
|
|
|
<para>
|
|
Policy related problems can be very difficult to diagnose and even more difficult to rectify. The following
|
|
collection demonstrates only basic issues.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Policy Does Not Work</title>
|
|
|
|
<para>
|
|
<quote>We have created the <filename>config.pol</filename> file and put it in the <emphasis>NETLOGON</emphasis> share.
|
|
It has made no difference to our Win XP Pro machines, they just don't see it. IT worked fine with Win 98 but does not
|
|
work any longer since we upgraded to Win XP Pro. Any hints?</quote>
|
|
</para>
|
|
|
|
<para>
|
|
Policy files are NOT portable between Windows 9x / Me and MS Windows NT4 / 200x / XP based
|
|
platforms. You need to use the NT4 Group Policy Editor to create a file called <filename>NTConfig.POL</filename> so that
|
|
it is in the correct format for your MS Windows XP Pro clients.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
</chapter>
|