1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
7 <chapter id="PolicyMgmt">
10 <pubdate>April 3 2003</pubdate>
13 <title>System and Account Policies</title>
16 This chapter summarizes the current state of knowledge derived from personal
17 practice and knowledge from Samba mailing list subscribers. Before reproduction
18 of posted information, every effort has been made to validate the information given.
19 Where additional information was uncovered through this validation it is provided
24 <title>Features and Benefits</title>
27 When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement
28 Group Policies for users and groups. Then along came MS Windows NT4 and a few sites
29 started to adopt this capability. How do we know that? By the number of <quote>boo-boos</quote>
30 (or mistakes) administrators made and then requested help to resolve.
34 <indexterm><primary>group policies</primary></indexterm>
35 <indexterm><primary>GPOs</primary></indexterm>
36 <indexterm><primary>group policy objects</primary><see>GPOs</see></indexterm>
37 By the time that MS Windows 2000 and Active Directory was released, administrators
38 got the message: Group Policies are a good thing! They can help reduce administrative
39 costs and actually make happier users. But adoption of the true
40 potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
41 and machines were picked up on rather slowly. This was obvious from the Samba
42 mailing list as in 2000 and 2001 when there were few postings regarding GPOs and
43 how to replicate them in a Samba environment.
47 Judging by the traffic volume since mid 2002, GPOs have become a standard part of
48 the deployment in many sites. This chapter reviews techniques and methods that can
49 be used to exploit opportunities for automation of control over user desktops and
50 network client workstations.
54 A tool new to Samba &smbmdash; the <command>editreg</command> tool
55 &smbmdash; may become an important part of the future Samba administrators'
56 arsenal is described in this document.
62 <title>Creating and Managing System Policies</title>
65 Under MS Windows platforms, particularly those following the release of MS Windows
66 NT4 and MS Windows 95, it is possible to create a type of file that would be placed
67 in the NETLOGON share of a Domain Controller. As the client logs onto the network,
68 this file is read and the contents initiate changes to the registry of the client
69 machine. This file allows changes to be made to those parts of the registry that
70 affect users, groups of users, or machines.
74 <indexterm><primary>Config.POL</primary></indexterm>
75 For MS Windows 9x/ME, this file must be called <filename>Config.POL</filename> and may
76 be generated using a tool called <filename>poledit.exe</filename>, better known as the
77 Policy Editor. The policy editor was provided on the Windows 98 installation CD, but
78 disappeared again with the introduction of MS Windows Me (Millennium Edition). From
79 comments of MS Windows network administrators, it would appear that this tool became
80 a part of the MS Windows Me Resource Kit.
84 <indexterm><primary>System Policy Editor</primary></indexterm>
85 MS Windows NT4 Server products include the <emphasis>System Policy Editor</emphasis>
86 under <guimenu>Start -> Programs -> Administrative Tools</guimenu>.
87 For MS Windows NT4 and later clients, this file must be called <filename>NTConfig.POL</filename>.
91 New with the introduction of MS Windows 2000 was the Microsoft Management Console
92 or MMC. This tool is the new wave in the ever-changing landscape of Microsoft
93 methods for management of network access and security. Every new Microsoft product
94 or technology seems to make the old rules obsolete and introduces newer and more
95 complex tools and methods. To Microsoft's credit, the MMC does appear to
96 be a step forward, but improved functionality comes at a great price.
100 Before embarking on the configuration of network and system policies, it is highly
101 advisable to read the documentation available from Microsoft's Web site regarding
102 <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">
103 Implementing Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft.
104 There are a large number of documents in addition to this old one that should also
105 be read and understood. Try searching on the Microsoft Web site for <quote>Group Policies</quote>.
109 What follows is a brief discussion with some helpful notes. The information provided
110 here is incomplete &smbmdash; you are warned.
114 <title>Windows 9x/ME Policies</title>
117 You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME.
118 It can be found on the original full product Windows 98 installation CD under
119 <filename>tools/reskit/netadmin/poledit</filename>. Install this using the
120 Add/Remove Programs facility and then click on <guiicon>Have Disk</guiicon>.
125 <indexterm><primary>NTConfig.POL</primary></indexterm>
126 Use the Group Policy Editor to create a policy file that specifies the location of
127 user profiles and/or <filename>My Documents</filename>, and so on. Then save these
128 settings in a file called <filename>Config.POL</filename> that needs to be placed in the
129 root of the <smbconfsection>[NETLOGON]</smbconfsection> share. If Windows 98 is configured to log onto
130 the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry
131 of the machine as it logs on.
135 Further details are covered in the Windows 98 Resource Kit documentation.
139 If you do not take the correct steps, then every so often Windows 9x/ME will check the
140 integrity of the registry and restore its settings from the back-up
141 copy of the registry it stores on each Windows 9x/ME machine. So, you will
142 occasionally notice things changing back to the original settings.
146 Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the
147 Windows 98 CDROM in <filename>\tools\reskit\netadmin\poledit</filename>.
148 Install group policies on a Windows 9x/Me client by double-clicking on
149 <filename>grouppol.inf</filename>. Log off and on again a couple of times and see
150 if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every
151 Windows 9x/Me machine that uses Group Policies.
156 <title>Windows NT4-Style Policy Files</title>
159 To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
160 Policy Editor, <command>poledit.exe</command>, which is included with NT4 Server
161 but not with NT Workstation. There is a Policy Editor on an NT4
162 Workstation but it is not suitable for creating domain policies.
163 Furthermore, although the Windows 95 Policy Editor can be installed on an NT4
164 Workstation/Server, it will not work with NT clients. However, the files from
165 the NT Server will run happily enough on an NT4 Workstation.
169 You need <filename>poledit.exe</filename>, <filename>common.adm</filename> and <filename>winnt.adm</filename>.
170 It is convenient to put the two <filename>*.adm</filename> files in the <filename>c:\winnt\inf</filename>
171 directory, which is where the binary will look for them unless told otherwise. This
172 directory is normally <quote>hidden.</quote>
176 The Windows NT policy editor is also included with the Service Pack 3 (and
177 later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
178 that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The Policy Editor,
179 <command>poledit.exe</command>, and the associated template files (*.adm) should
180 be extracted as well. It is also possible to downloaded the policy template
181 files for Office97 and get a copy of the Policy Editor. Another possible
182 location is with the Zero Administration Kit available for download from Microsoft.
186 <title>Registry Spoiling</title>
189 With NT4-style registry-based policy changes, a large number of settings are not
190 automatically reversed as the user logs off. The settings that were in the
191 <filename>NTConfig.POL</filename> file were applied to the client machine registry and apply to the
192 hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
193 as tattooing. It can have serious consequences downstream and the administrator must
194 be extremely careful not to lock out the ability to manage the machine at a later date.
200 <title>MS Windows 200x/XP Professional Policies</title>
203 Windows NT4 system policies allow the setting of registry parameters specific to
204 users, groups and computers (client workstations) that are members of the NT4-style
205 domain. Such policy files will work with MS Windows 200x/XP clients also.
209 New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers
210 a superset of capabilities compared with NT4-style policies. Obviously, the tool used
211 to create them is different, and the mechanism for implementing them is much improved.
215 <indexterm><primary>GPOs</primary></indexterm>
216 The older NT4-style registry-based policies are known as <emphasis>Administrative Templates</emphasis>
217 in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes the ability to set various security
218 configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
219 users desktop (including the location of <filename>My Documents</filename> files (directory), as
220 well as intrinsics of where menu items will appear in the Start menu). An additional new
221 feature is the ability to make available particular software Windows applications to particular
226 Remember, NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
227 of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password
228 and selects the domain name to which the logon will attempt to take place. During the logon process,
229 the client machine reads the <filename>NTConfig.POL</filename> file from the NETLOGON share on
230 the authenticating server and modifies the local registry values according to the settings in this file.
234 Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of
235 a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
236 in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
237 Directory Domain Controllers. The part that is stored in the Active Directory itself is called the
238 Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is
239 known as the Group Policy Template (GPT).
243 With NT4 clients, the policy file is read and executed only as each user logs onto the network.
244 MS Windows 200x policies are much more complex &smbmdash; GPOs are processed and applied at client machine
245 startup (machine specific part) and when the user logs onto the network, the user-specific part
246 is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject
247 to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows
248 the administrator to also set filters over the policy settings. No such equivalent capability
249 exists with NT4-style policy files.
253 <title>Administration of Windows 200x/XP Policies</title>
256 <indexterm><primary>GPOs</primary></indexterm>
257 <indexterm><primary>System Policy Editor</primary></indexterm>
258 Instead of using the tool called <application>The System Policy Editor</application>, commonly called Poledit (from the
259 executable name <command>poledit.exe</command>), <acronym>GPOs</acronym> are created and managed using a
260 <application>Microsoft Management Console</application> <acronym>(MMC)</acronym> snap-in as follows:</para>
263 Go to the Windows 200x/XP menu <guimenu>Start->Programs->Administrative Tools</guimenu>
264 and select the MMC snap-in called <guimenuitem>Active Directory Users and Computers</guimenuitem>
268 Select the domain or organizational unit (OU) that you wish to manage, then right-click
269 to open the context menu for that object, and select the <guibutton>Properties</guibutton>.
273 Left-click on the <guilabel>Group Policy</guilabel> tab, then
274 left-click on the New tab. Type a name
275 for the new policy you will create.
279 Left-click on the <guilabel>Edit</guilabel> tab to commence the steps needed to create the GPO.
284 All policy configuration options are controlled through the use of policy administrative
285 templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP.
286 Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x.
287 The latter introduces many new features as well as extended definition capabilities. It is
288 well beyond the scope of this documentation to explain how to program .adm files; for that
289 the administrator is referred to the Microsoft Windows Resource Kit for your particular
290 version of MS Windows.
295 The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
296 to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
297 use this powerful tool. Please refer to the resource kit manuals for specific usage information.
306 <title>Managing Account/User Policies</title>
309 Policies can define a specific user's settings or the settings for a group of users. The resulting
310 policy file contains the registry settings for all users, groups, and computers that will be using
311 the policy file. Separate policy files for each user, group, or computer are not necessary.
315 <indexterm><primary>NTConfig.POL</primary></indexterm>
316 If you create a policy that will be automatically downloaded from validating Domain Controllers,
317 you should name the file <filename>NTConfig.POL</filename>. As system administrator, you have the option of renaming the
318 policy file and, by modifying the Windows NT-based workstation, directing the computer to update
319 the policy from a manual path. You can do this by either manually changing the registry or by using
320 the System Policy Editor. This can even be a local path such that each machine has its own policy file,
321 but if a change is necessary to all machines, it must be made individually to each workstation.
325 When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on
326 the authenticating domain controller for the presence of the NTConfig.POL file. If one exists it is
327 downloaded, parsed and then applied to the user's part of the registry.
331 <indexterm><primary>GPOs</primary></indexterm>
332 MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally
333 acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
334 itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
335 This has considerable advantage compared with the use of <filename>NTConfig.POL</filename> (NT4) style policy updates.
339 In addition to user access controls that may be imposed or applied via system and/or group policies
340 in a manner that works in conjunction with user profiles, the user management environment under
341 MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied.
342 Common restrictions that are frequently used include:
346 <indexterm><primary>Account Controls</primary></indexterm>
348 <listitem><para>Logon hours</para></listitem>
349 <listitem><para>Password aging</para></listitem>
350 <listitem><para>Permitted logon from certain machines only</para></listitem>
351 <listitem><para>Account type (local or global)</para></listitem>
352 <listitem><para>User rights</para></listitem>
357 Samba-3.0.0 does not yet implement all account controls that are common to MS Windows NT4/200x/XP.
358 While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password
359 expiry is functional today. Most of the remaining controls at this time have only stub routines
360 that may eventually be completed to provide actual control. Do not be misled by the fact that a
361 parameter can be set using the NT4 Domain User Manager or in the <filename>NTConfig.POL</filename>.
366 <title>Management Tools</title>
369 Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools.
370 The following sections describe a few key tools that will help you to create a low maintenance user
375 <title>Samba Editreg Tool-set</title>
378 <indexterm><primary>editreg</primary></indexterm>
379 <indexterm><primary>NTUser.DAT</primary></indexterm>
380 <indexterm><primary>NTConfig.POL</primary></indexterm>
381 A new tool called <command>editreg</command> is under development. This tool can be used
382 to edit registry files (called <filename>NTUser.DAT</filename>) that are stored in user
383 and group profiles. <filename>NTConfig.POL</filename> files have the same structure as the
384 <filename>NTUser.DAT</filename> file and can be edited using this tool. <command>editreg</command>
385 is being built with the intent to enable <filename>NTConfig.POL</filename> files to be saved in text format and to
386 permit the building of new <filename>NTConfig.POL</filename> files with extended capabilities. It is proving difficult
387 to realize this capability, so do not be surprised if this feature does not materialize. Formal
388 capabilities will be announced at the time that this tool is released for production use.
394 <title>Windows NT4/200x</title>
397 The tools that may be used to configure these types of controls from the MS Windows environment are:
398 the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe).
399 Under MS Windows 200x/XP, this is done using the Microsoft Management Console (MMC) with appropriate
400 <quote>snap-ins,</quote> the registry editor, and potentially also the NT4 System and Group Policy Editor.
405 <title>Samba PDC</title>
408 With a Samba Domain Controller, the new tools for managing user account and policy information include:
409 <command>smbpasswd</command>, <command>pdbedit</command>, <command>net</command>, <command>rpcclient</command>.
410 The administrator should read the man pages for these tools and become familiar with their use.
417 <title>System Startup and Logon Processing Overview</title>
420 The following attempts to document the order of processing the system and user policies following a system
421 reboot and as part of the user logon:
426 Network starts, then Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming
427 Convention Provider (MUP) start.
431 Where Active Directory is involved, an ordered list of Group Policy Objects (GPOs) is downloaded
432 and applied. The list may include GPOs that:
434 <listitem><para>Apply to the location of machines in a Directory.</para></listitem>
435 <listitem><para>Apply only when settings have changed.</para></listitem>
436 <listitem><para>Depend on configuration of the scope of applicability: local,
437 site, domain, organizational unit, and so on.</para></listitem>
439 No desktop user interface is presented until the above have been processed.
443 Execution of start-up scripts (hidden and synchronous by default).
447 A keyboard action to effect start of logon (Ctrl-Alt-Del).
451 User credentials are validated, user profile is loaded (depends on policy settings).
455 An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:
458 <listitem>Is the user a Domain Member, thus subject to particular policies?</listitem>
459 <listitem>Loopback enablement, and the state of the loopback policy (Merge or Replace).</listitem>
460 <listitem>Location of the Active Directory itself.</listitem>
461 <listitem>Has the list of GPOs changed? No processing is needed if not changed.</listitem>
466 User Policies are applied from Active Directory. Note: There are several types.
470 Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on Group
471 Policy objects (hidden and executed synchronously). NT4-style logon scripts are then run in a normal
476 The User Interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4
477 Domain), machine (system) policies are applied at start-up; user policies are applied at logon.
484 <title>Common Errors</title>
487 Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following
488 collection demonstrates only basic issues.
492 <title>Policy Does Not Work</title>
495 <quote>We have created the <filename>Config.POL</filename> file and put it in the <emphasis>NETLOGON</emphasis> share.
496 It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not
497 work any longer since we upgraded to Win XP Pro. Any hints?</quote>
501 Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to
502 use the NT4 Group Policy Editor to create a file called <filename>NTConfig.POL</filename> so it is in the
503 correct format for your MS Windows XP Pro clients.