summaryrefslogtreecommitdiffstats
path: root/docs/docbook/projdoc/PolicyMgmt.sgml
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2003-04-03 09:50:33 +0000
committerJohn Terpstra <jht@samba.org>2003-04-03 09:50:33 +0000
commit536eda24033cadebb7db47e5affa9a6d118ea109 (patch)
treeac118afa4f55f9a16d36a2a63696ec9186482c84 /docs/docbook/projdoc/PolicyMgmt.sgml
parentb5989bdb1c5b3bb40e993f8ced85696c27e498dc (diff)
downloadsamba-536eda24033cadebb7db47e5affa9a6d118ea109.tar.gz
samba-536eda24033cadebb7db47e5affa9a6d118ea109.tar.xz
samba-536eda24033cadebb7db47e5affa9a6d118ea109.zip
More doco updates. Another few days and it will be cooked.
(This used to be commit 79e66288f96b029208d11b3aa095002de9447020)
Diffstat (limited to 'docs/docbook/projdoc/PolicyMgmt.sgml')
-rw-r--r--docs/docbook/projdoc/PolicyMgmt.sgml261
1 files changed, 261 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml
new file mode 100644
index 00000000000..d9d24956739
--- /dev/null
+++ b/docs/docbook/projdoc/PolicyMgmt.sgml
@@ -0,0 +1,261 @@
+<chapter id="PolicyMgmt">
+<chapterinfo>
+ <author>
+ <firstname>John H</firstname><surname>Terpstra</surname>
+ <affiliation>
+ <orgname>Samba Team</orgname>
+ <address>
+ <email>jht@samba.org</email>
+ </address>
+ </affiliation>
+ </author>
+ <pubdate>April 3 2003</pubdate>
+</chapterinfo>
+<title>Policy Management - Hows and Whys</title>
+
+<sect1>
+<title>System Policies</title>
+
+<para>
+Under MS Windows platforms, particularly those following the release of MS Windows
+NT4 and MS Windows 95) it is possible to create a type of file that would be placed
+in the NETLOGON share of a domain controller. As the client logs onto the network
+this file is read and the contents initiate changes to the registry of the client
+machine. This file allows changes to be made to those parts of the registry that
+affect users, groups of users, or machines.
+</para>
+
+<para>
+For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may
+be generated using a tool called <filename>poledit.exe</filename>, better known as the
+Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
+dissappeared again with the introduction of MS Windows Me (Millenium Edition). From
+comments from MS Windows network administrators it would appear that this tool became
+a part of the MS Windows Me Resource Kit.
+</para>
+
+<para>
+MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
+under the <filename>Start->Programs->Administrative Tools</filename> menu item.
+For MS Windows NT4 and later clients this file must be called <filename>NTConfig.POL</filename>.
+</para>
+
+<para>
+New with the introduction of MS Windows 2000 was the Microsoft Management Console
+or MMC. This tool is the new wave in the ever changing landscape of Microsoft
+methods for management of network access and security. Every new Microsoft product
+or technology seems to obsolete the old rules and to introduce newer and more
+complex tools and methods. To Microsoft's credit though, the MMC does appear to
+be a step forward, but improved functionality comes at a great price.
+</para>
+
+<para>
+Before embarking on the configuration of network and system policies it is highly
+advisable to read the documentation available from Microsoft's web site from
+<ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">
+Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
+There are a large number of documents in addition to this old one that should also
+be read and understood. Try searching on the Microsoft web site for "Group Policies".
+</para>
+
+<para>
+What follows is a very discussion with some helpful notes. The information provided
+here is incomplete - you are warned.
+</para>
+
+<sect2>
+<title>Creating and Managing Windows 9x/Me Policies</title>
+
+<para>
+You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
+It can be found on the Original full product Win98 installation CD under
+<filename>tools/reskit/netadmin/poledit</filename>. You install this using the
+Add/Remove Programs facility and then click on the 'Have Disk' tab.
+</para>
+
+<para>
+Use the Group Policy Editor to create a policy file that specifies the location of
+user profiles and/or the <filename>My Documents</filename> etc. stuff. You then
+save these settings in a file called <filename>Config.POL</filename> that needs to
+be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto
+the Samba Domain, it will automatically read this file and update the Win9x/Me registry
+of the machine that is logging on.
+</para>
+
+<para>
+Further details are covered in the Win98 Resource Kit documentation.
+</para>
+
+<para>
+If you do not do it this way, then every so often Win9x/Me will check the
+integrity of the registry and will restore it's settings from the back-up
+copy of the registry it stores on each Win9x/Me machine. Hence, you will
+occasionally notice things changing back to the original settings.
+</para>
+
+<para>
+Install the group policy handler for Win9x to pick up group policies. Look on the
+Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+Install group policies on a Win9x client by double-clicking
+<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
+if Win98 picks up group policies. Unfortunately this needs to be done on every
+Win9x/Me machine that uses group policies.
+</para>
+
+</sect2>
+<sect2>
+<title>Creating and Managing Windows NT4 Style Policy Files</title>
+
+<para>
+To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
+Policy Editor, <command>poledit.exe</command> which is included with NT4 Server
+but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4
+Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
+Further, although the Windows 95 Policy Editor can be installed on an NT4
+Workstation/Server, it will not work with NT clients. However, the files from
+the NT Server will run happily enough on an NT4 Workstation.
+</para>
+
+<para>
+You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
+It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
+directory which is where the binary will look for them unless told otherwise. Note also that that
+directory is normally 'hidden'.
+</para>
+
+<para>
+The Windows NT policy editor is also included with the Service Pack 3 (and
+later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
+i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
+<command>poledit.exe</command> and the associated template files (*.adm) should
+be extracted as well. It is also possible to downloaded the policy template
+files for Office97 and get a copy of the policy editor. Another possible
+location is with the Zero Administration Kit available for download from Microsoft.
+</para>
+
+<sect3>
+<title>Registry Tattoos</title>
+
+<para>
+With NT4 style registry based policy changes, a large number of settings are not
+automatically reversed as the user logs off. Since the settings that were in the
+NTConfig.POL file were applied to the client machine registry and that apply to the
+hive key HKEY_LOCAL_MACHINE are permanent until explicitly reveresd. This is known
+as tattooing. It can have serious consequences down-stream and the administrator must
+be extreemly careful not to lock out the ability to manage the machine at a later date.
+</para>
+
+
+</sect3>
+</sect2>
+<sect2>
+<title>Creating and Managing MS Windows 200x Policies</title>
+
+<para>
+Windows NT4 System policies allows setting of registry parameters specific to
+users, groups and computers (client workstations) that are members of the NT4
+style domain. Such policy file will work with MS Windows 2000 / XP clients also.
+</para>
+
+<para>
+New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
+a superset of capabilities compared with NT4 style policies. Obviously, the tool used
+to create them is different, and the mechanism for implementing them is much changed.
+</para>
+
+<para>
+The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
+in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
+configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
+well as intrinsics of where menu items will appear in the Start menu). An additional new
+feature is the ability to make available particular software Windows applications to particular
+users and/or groups.
+</para>
+
+<para>
+Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
+of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
+and selects the domain name to which the logon will attempt to take place. During the logon
+process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
+server, modifies the local registry values according to the settings in this file.
+</para>
+
+<para>
+Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
+a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+Directory domain controllers. The part that is stored in the Active Directory itself is called the
+group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
+known as the group policy template (GPT).
+</para>
+
+<para>
+With NT4 clients the policy file is read and executed upon only aas each user log onto the network.
+MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
+startup (machine specific part) and when the user logs onto the network the user specific part
+is applied. In MS Windows 200x style policy management each machine and/or user may be subject
+to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
+the administrator to also set filters over the policy settings. No such equivalent capability
+exists with NT4 style policy files.
+</para>
+
+<sect3>
+<title>Administration of Win2K Policies</title>
+
+<para>
+Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
+executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
+(MMC) snap-in as follows:
+</para>
+
+<itemizedlist>
+ <listitem>
+ <para>
+ Go to the Windows 200x / XP menu <filename>Start->Programs->Adminsitrative Tools</filename>
+ and select the MMC snap-in called "Active Directory Users and Computers"
+ <para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Select the domain or organizational unit (OU) that you wish to manage, then right click
+ to open the context menu for that object, select the properties item.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Now left click on the Group Policy tab, then left click on the New tab. Type a name
+ for the new policy you will create.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Now left click on the Edit tab to commence the steps needed to create the GPO.
+ </para>
+ </listitem>
+</intemizedlist>
+
+<para>
+All policy configuration options are controlled through the use of policy administrative
+templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
+Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
+The later introduces many new features as well as extended definition capabilities. It is
+well beyond the scope of this documentation to explain how to program .adm files, for that
+the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
+version of MS Windows.
+</para>
+
+<note>
+<para>
+The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
+to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
+use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+</para>
+</note>
+
+</sect2>
+</sect1>
+</chapter>