diff options
author | John Terpstra <jht@samba.org> | 2003-04-03 09:50:33 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2003-04-03 09:50:33 +0000 |
commit | 536eda24033cadebb7db47e5affa9a6d118ea109 (patch) | |
tree | ac118afa4f55f9a16d36a2a63696ec9186482c84 /docs/docbook/projdoc/PolicyMgmt.sgml | |
parent | b5989bdb1c5b3bb40e993f8ced85696c27e498dc (diff) | |
download | samba-536eda24033cadebb7db47e5affa9a6d118ea109.tar.gz samba-536eda24033cadebb7db47e5affa9a6d118ea109.tar.xz samba-536eda24033cadebb7db47e5affa9a6d118ea109.zip |
More doco updates. Another few days and it will be cooked.
(This used to be commit 79e66288f96b029208d11b3aa095002de9447020)
Diffstat (limited to 'docs/docbook/projdoc/PolicyMgmt.sgml')
-rw-r--r-- | docs/docbook/projdoc/PolicyMgmt.sgml | 261 |
1 files changed, 261 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml new file mode 100644 index 00000000000..d9d24956739 --- /dev/null +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -0,0 +1,261 @@ +<chapter id="PolicyMgmt"> +<chapterinfo> + <author> + <firstname>John H</firstname><surname>Terpstra</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jht@samba.org</email> + </address> + </affiliation> + </author> + <pubdate>April 3 2003</pubdate> +</chapterinfo> +<title>Policy Management - Hows and Whys</title> + +<sect1> +<title>System Policies</title> + +<para> +Under MS Windows platforms, particularly those following the release of MS Windows +NT4 and MS Windows 95) it is possible to create a type of file that would be placed +in the NETLOGON share of a domain controller. As the client logs onto the network +this file is read and the contents initiate changes to the registry of the client +machine. This file allows changes to be made to those parts of the registry that +affect users, groups of users, or machines. +</para> + +<para> +For MS Windows 9x/Me this file must be called <filename>Config.POL</filename> and may +be generated using a tool called <filename>poledit.exe</filename>, better known as the +Policy Editor. The policy editor was provided on the Windows 98 installation CD, but +dissappeared again with the introduction of MS Windows Me (Millenium Edition). From +comments from MS Windows network administrators it would appear that this tool became +a part of the MS Windows Me Resource Kit. +</para> + +<para> +MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis> +under the <filename>Start->Programs->Administrative Tools</filename> menu item. +For MS Windows NT4 and later clients this file must be called <filename>NTConfig.POL</filename>. +</para> + +<para> +New with the introduction of MS Windows 2000 was the Microsoft Management Console +or MMC. This tool is the new wave in the ever changing landscape of Microsoft +methods for management of network access and security. Every new Microsoft product +or technology seems to obsolete the old rules and to introduce newer and more +complex tools and methods. To Microsoft's credit though, the MMC does appear to +be a step forward, but improved functionality comes at a great price. +</para> + +<para> +Before embarking on the configuration of network and system policies it is highly +advisable to read the documentation available from Microsoft's web site from +<ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"> +Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft. +There are a large number of documents in addition to this old one that should also +be read and understood. Try searching on the Microsoft web site for "Group Policies". +</para> + +<para> +What follows is a very discussion with some helpful notes. The information provided +here is incomplete - you are warned. +</para> + +<sect2> +<title>Creating and Managing Windows 9x/Me Policies</title> + +<para> +You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. +It can be found on the Original full product Win98 installation CD under +<filename>tools/reskit/netadmin/poledit</filename>. You install this using the +Add/Remove Programs facility and then click on the 'Have Disk' tab. +</para> + +<para> +Use the Group Policy Editor to create a policy file that specifies the location of +user profiles and/or the <filename>My Documents</filename> etc. stuff. You then +save these settings in a file called <filename>Config.POL</filename> that needs to +be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto +the Samba Domain, it will automatically read this file and update the Win9x/Me registry +of the machine that is logging on. +</para> + +<para> +Further details are covered in the Win98 Resource Kit documentation. +</para> + +<para> +If you do not do it this way, then every so often Win9x/Me will check the +integrity of the registry and will restore it's settings from the back-up +copy of the registry it stores on each Win9x/Me machine. Hence, you will +occasionally notice things changing back to the original settings. +</para> + +<para> +Install the group policy handler for Win9x to pick up group policies. Look on the +Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. +Install group policies on a Win9x client by double-clicking +<filename>grouppol.inf</filename>. Log off and on again a couple of times and see +if Win98 picks up group policies. Unfortunately this needs to be done on every +Win9x/Me machine that uses group policies. +</para> + +</sect2> +<sect2> +<title>Creating and Managing Windows NT4 Style Policy Files</title> + +<para> +To create or edit <filename>ntconfig.pol</filename> you must use the NT Server +Policy Editor, <command>poledit.exe</command> which is included with NT4 Server +but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4 +Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>. +Further, although the Windows 95 Policy Editor can be installed on an NT4 +Workstation/Server, it will not work with NT clients. However, the files from +the NT Server will run happily enough on an NT4 Workstation. +</para> + +<para> +You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. +It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename> +directory which is where the binary will look for them unless told otherwise. Note also that that +directory is normally 'hidden'. +</para> + +<para> +The Windows NT policy editor is also included with the Service Pack 3 (and +later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>, +i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor, +<command>poledit.exe</command> and the associated template files (*.adm) should +be extracted as well. It is also possible to downloaded the policy template +files for Office97 and get a copy of the policy editor. Another possible +location is with the Zero Administration Kit available for download from Microsoft. +</para> + +<sect3> +<title>Registry Tattoos</title> + +<para> +With NT4 style registry based policy changes, a large number of settings are not +automatically reversed as the user logs off. Since the settings that were in the +NTConfig.POL file were applied to the client machine registry and that apply to the +hive key HKEY_LOCAL_MACHINE are permanent until explicitly reveresd. This is known +as tattooing. It can have serious consequences down-stream and the administrator must +be extreemly careful not to lock out the ability to manage the machine at a later date. +</para> + + +</sect3> +</sect2> +<sect2> +<title>Creating and Managing MS Windows 200x Policies</title> + +<para> +Windows NT4 System policies allows setting of registry parameters specific to +users, groups and computers (client workstations) that are members of the NT4 +style domain. Such policy file will work with MS Windows 2000 / XP clients also. +</para> + +<para> +New to MS Windows 2000 Microsoft introduced a new style of group policy that confers +a superset of capabilities compared with NT4 style policies. Obviously, the tool used +to create them is different, and the mechanism for implementing them is much changed. +</para> + +<para> +The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis> +in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security +configurations, enforce Internet Explorer browser settings, change and redirect aspects of the +users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as +well as intrinsics of where menu items will appear in the Start menu). An additional new +feature is the ability to make available particular software Windows applications to particular +users and/or groups. +</para> + +<para> +Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root +of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password +and selects the domain name to which the logon will attempt to take place. During the logon +process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating +server, modifies the local registry values according to the settings in this file. +</para> + +<para> +Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of +a Windows 200x policy file is stored in the Active Directory itself and the other part is stored +in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active +Directory domain controllers. The part that is stored in the Active Directory itself is called the +group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is +known as the group policy template (GPT). +</para> + +<para> +With NT4 clients the policy file is read and executed upon only aas each user log onto the network. +MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine +startup (machine specific part) and when the user logs onto the network the user specific part +is applied. In MS Windows 200x style policy management each machine and/or user may be subject +to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows +the administrator to also set filters over the policy settings. No such equivalent capability +exists with NT4 style policy files. +</para> + +<sect3> +<title>Administration of Win2K Policies</title> + +<para> +Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the +executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console +(MMC) snap-in as follows: +</para> + +<itemizedlist> + <listitem> + <para> + Go to the Windows 200x / XP menu <filename>Start->Programs->Adminsitrative Tools</filename> + and select the MMC snap-in called "Active Directory Users and Computers" + <para> + </listitem> + + <listitem> + <para> + Select the domain or organizational unit (OU) that you wish to manage, then right click + to open the context menu for that object, select the properties item. + </para> + </listitem> + + <listitem> + <para> + Now left click on the Group Policy tab, then left click on the New tab. Type a name + for the new policy you will create. + </para> + </listitem> + + <listitem> + <para> + Now left click on the Edit tab to commence the steps needed to create the GPO. + </para> + </listitem> +</intemizedlist> + +<para> +All policy configuration options are controlled through the use of policy administrative +templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. +Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x. +The later introduces many new features as well as extended definition capabilities. It is +well beyond the scope of this documentation to explain how to program .adm files, for that +the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular +version of MS Windows. +</para> + +<note> +<para> +The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used +to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you +use this powerful tool. Please refer to the resource kit manuals for specific usage information. +</para> +</note> + +</sect2> +</sect1> +</chapter> |