Old 08-24-2004, 04:31 AM   #1
LQ Newbie
Registered: Aug 2004
Posts: 5

Rep: Reputation: 0
Question Group Policies on samba


I have set up Samba and everything is running as a PDC and it's working fine.
The only trouble I'm now having is how do I set group policies...

I have .pol files ready to use and not sure where to put them or how to assign them to a specific user group.

I.e. I want members of the group sales only to have very limited access to their computers, like no Control Panel etc., but technical to have full access.

I have set up the groups sales and tech and assigned users under them

Any help would be appreciated.

Thanks in advance.
Old 08-24-2004, 08:15 AM   #2
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
I'm not so sure but I thought you will need to download these utilities:

SVRMGR.EXE and USRMGR.EXE from Microsoft for use on XP machines. Just search these on MSN or Not quite sure.

You can surely find the info that you need at the official HOWTO.

If you're planning now to implement directory and file permissions, I suggest you do it on the Linux Samba server. I have tried it on an XP machine and I can't make it work. The ACL changes can't be written: access denied. I'm still at a loss searching for the answers. But to simplify, I just do it on the Linux server, creating groups and users, adding users to their respective groups, and then applying the appropriate permissions. It works and this could be much easier. Don't forget to add "force create mode = 0660" and "force directory mode = 0770" to the share defined in your smb.conf intended to be used by your Windows users. This share directory shall have 770 mode (chmod -R 770 /dir.../dir.../share). This will prevent other users (not the owner and not a member of the group) from having access to it.

Usrmgr works on XP machines but you will need to press F5 (refresh the screen) to see the changes you've made.
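
Added example, not part of the post above: a shell check that a share was set up the way that post describes, i.e. both force modes are present in its smb.conf section and nothing under its path grants permissions to other users. The function names are made up for this example, and the smb.conf path and share name in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; pass your own smb.conf and share name.

# share_param CONF SHARE KEY: print the value of KEY inside the [SHARE] section.
share_param() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                       # section header
            s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
            insec = (tolower(s) == tolower(want)); next
        }
        !insec || /^[ \t]*[#;]/ { next }    # other sections and comment lines
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = v  # last assignment wins
        }
        END { print val }' "$1"
}

# world_accessible DIR: print every entry that grants any permission to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# audit_share CONF SHARE: print findings; return 0 if clean, 1 otherwise.
audit_share() {
    rc=0
    path=$(share_param "$1" "$2" "path")
    [ -n "$path" ] && [ -d "$path" ] || { echo "share path missing"; return 1; }
    [ "$(share_param "$1" "$2" "force create mode")" = "0660" ] ||
        { echo "force create mode is not 0660"; rc=1; }
    [ "$(share_param "$1" "$2" "force directory mode")" = "0770" ] ||
        { echo "force directory mode is not 0770"; rc=1; }
    if [ -n "$(world_accessible "$path")" ]; then
        echo "entries accessible to other users:"
        world_accessible "$path"
        rc=1
    fi
    return $rc
}

# usage (placeholder path and share name): audit_share /etc/samba/smb.conf sales
```
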
Old 08-24-2004, 08:46 AM   #3
LQ Newbie
Registered: Aug 2004
Posts: 5

Original Poster
Rep: Reputation: 0
I have looked at the Samba HOWTO and found a few other places but they only specify a system-wide policy for NT machines or 98 machines.

The permissions are not a directory thing. My aim is to get system policies in place for the groups so that on login to any computer the policy is applied and Control Panel access is disabled and users can't change settings etc. But only for a certain group.

I have seen around other things that hint towards how to but not found anything solid.

The policies are all created, just how to actually apply them to a group without having to go onto every computer and set up individual ones....

*(would be a nightmare with every computer in the office as it's not that small)
Old 08-25-2004, 09:52 PM   #4
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
Creating and Managing System Policies

Under MS Windows platforms, particularly those following the release of MS Windows NT4 and MS Windows 95, it is possible to create a type of file that would be placed in the NETLOGON share of a Domain Controller. As the client logs onto the network, this file is read and the contents initiate changes to the registry of the client machine. This file allows changes to be made to those parts of the registry that affect users, groups of users, or machines.

For MS Windows 9x/ME, this file must be called Config.POL and may be generated using a tool called poledit.exe, better known as the Policy Editor. The policy editor was provided on the Windows 98 installation CD, but disappeared again with the introduction of MS Windows Me (Millennium Edition). From comments of MS Windows network administrators, it would appear that this tool became a part of the MS Windows Me Resource Kit.

MS Windows NT4 Server products include the System Policy Editor under Start -> Programs -> Administrative Tools. For MS Windows NT4 and later clients, this file must be called NTConfig.POL.

New with the introduction of MS Windows 2000 was the Microsoft Management Console or MMC. This tool is the new wave in the ever-changing landscape of Microsoft methods for management of network access and security. Every new Microsoft product or technology seems to make the old rules obsolete and introduces newer and more complex tools and methods. To Microsoft's credit, the MMC does appear to be a step forward, but improved functionality comes at a great price.

Before embarking on the configuration of network and system policies, it is highly advisable to read the documentation available from Microsoft's Web site regarding Implementing Profiles and Policies in Windows NT 4.0 available from Microsoft. There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft Web site for “Group Policies”.

What follows is a brief discussion with some helpful notes. The information provided here is incomplete; you are warned.

Windows 9x/ME Policies

You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/ME. It can be found on the original full product Windows 98 installation CD under tools/reskit/netadmin/poledit. Install this using the Add/Remove Programs facility and then click on Have Disk.

Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or My Documents, and so on. Then save these settings in a file called Config.POL that needs to be placed in the root of the [NETLOGON] share. If Windows 98 is configured to log onto the Samba Domain, it will automatically read this file and update the Windows 9x/Me registry of the machine as it logs on.

Further details are covered in the Windows 98 Resource Kit documentation.

If you do not take the correct steps, then every so often Windows 9x/ME will check the integrity of the registry and restore its settings from the back-up copy of the registry it stores on each Windows 9x/ME machine. So, you will occasionally notice things changing back to the original settings.

Install the group policy handler for Windows 9x/Me to pick up Group Policies. Look on the Windows 98 CDROM in \tools\reskit\netadmin\poledit. Install group policies on a Windows 9x/Me client by double-clicking on grouppol.inf. Log off and on again a couple of times and see if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every Windows 9x/Me machine that uses Group Policies.

Windows NT4-Style Policy Files

To create or edit ntconfig.pol you must use the NT Server Policy Editor, poledit.exe, which is included with NT4 Server but not with NT Workstation. There is a Policy Editor on an NT4 Workstation but it is not suitable for creating domain policies. Furthermore, although the Windows 95 Policy Editor can be installed on an NT4 Workstation/Server, it will not work with NT clients. However, the files from the NT Server will run happily enough on an NT4 Workstation.

You need poledit.exe, common.adm and winnt.adm. It is convenient to put the two *.adm files in the c:\winnt\inf directory, which is where the binary will look for them unless told otherwise. This directory is normally “hidden.”

The Windows NT policy editor is also included with the Service Pack 3 (and later) for Windows NT 4.0. Extract the files using servicepackname /x, that's Nt4sp6ai.exe /x for service pack 6a. The Policy Editor, poledit.exe, and the associated template files (*.adm) should be extracted as well. It is also possible to download the policy template files for Office97 and get a copy of the Policy Editor. Another possible location is with the Zero Administration Kit available for download from Microsoft.

Registry Spoiling
With NT4-style registry-based policy changes, a large number of settings are not automatically reversed as the user logs off. The settings that were in the NTConfig.POL file, were applied to the client machine registry, and apply to the hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known as tattooing. It can have serious consequences downstream and the administrator must be extremely careful not to lock out the ability to manage the machine at a later date.

MS Windows 200x/XP Professional Policies
Windows NT4 system policies allow the setting of registry parameters specific to users, groups and computers (client workstations) that are members of the NT4-style domain. Such policy files will work with MS Windows 200x/XP clients also.

New to MS Windows 2000, Microsoft recently introduced a style of group policy that confers a superset of capabilities compared with NT4-style policies. Obviously, the tool used to create them is different, and the mechanism for implementing them is much improved.

The older NT4-style registry-based policies are known as Administrative Templates in MS Windows 2000/XP Group Policy Objects (GPOs). The latter includes the ability to set various security configurations, enforce Internet Explorer browser settings, change and redirect aspects of the user's desktop (including the location of My Documents files (directory), as well as intrinsics of where menu items will appear in the Start menu). An additional new feature is the ability to make available particular software Windows applications to particular users and/or groups.

Remember, NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON share on the Domain Controllers. A Windows NT4 user enters a username, password and selects the domain name to which the logon will attempt to take place. During the logon process, the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating server and modifies the local registry values according to the settings in this file.

Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of a Windows 200x policy file is stored in the Active Directory itself and the other part is stored in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active Directory Domain Controllers. The part that is stored in the Active Directory itself is called the Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is known as the Group Policy Template (GPT).

With NT4 clients, the policy file is read and executed only as each user logs onto the network. MS Windows 200x policies are much more complex: GPOs are processed and applied at client machine startup (machine-specific part), and when the user logs onto the network, the user-specific part is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows the administrator to also set filters over the policy settings. No such equivalent capability exists with NT4-style policy files.

Administration of Windows 200x/XP Policies
Instead of using the tool called The System Policy Editor, commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows:

Go to the Windows 200x/XP menu Start->Programs->Administrative Tools and select the MMC snap-in called Active Directory Users and Computers

Select the domain or organizational unit (OU) that you wish to manage, then right-click to open the context menu for that object, and select the Properties.

Left-click on the Group Policy tab, then left-click on the New tab. Type a name for the new policy you will create.

Left-click on the Edit tab to commence the steps needed to create the GPO.

All policy configuration options are controlled through the use of policy administrative templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. The latter introduces many new features as well as extended definition capabilities. It is well beyond the scope of this documentation to explain how to program .adm files; for that the administrator is referred to the Microsoft Windows Resource Kit for your particular version of MS Windows.

Pasted from, Chapter 22 - System and Account Policies.
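
Added example, not part of the pasted HOWTO text or of Samba: a shell check for the placement rules the post above gives for NT4-style policy files, namely the exact file name and the root of the NETLOGON share. The function name and return codes are made up for this example, the name is compared case-insensitively as an assumption about how clients request it, and the write-permission test is an added hardening check, since clients apply the file's contents to their registry at logon.

```sh
#!/bin/sh
# Added example. check_policy and its return codes are hypothetical.
#
# check_policy DIR NAME
#   0 = NAME is in the root of DIR and only its owner can write it
#   1 = no file of that name anywhere under DIR
#   2 = found only in a subdirectory (the page says: root of the share)
#   3 = found in the root, but group or other can write it
check_policy() {
    dir=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    hit=""

    # Look only at the entries directly in the share root.
    for f in "$dir"/*; do
        base=$(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]')
        if [ -f "$f" ] && [ "$base" = "$want" ]; then hit=$f; fi
    done

    if [ -z "$hit" ]; then
        # Not in the root: count copies anywhere deeper in the tree.
        n=$(find "$dir" -type f |
            awk -F/ -v w="$want" 'tolower($NF) == w { n++ } END { print n + 0 }')
        if [ "$n" -gt 0 ]; then return 2; fi
        return 1
    fi

    # Anyone who can write this file controls what is written to client
    # registries at logon, so group and other must not have write access.
    if [ -n "$(find "$hit" \( -perm -020 -o -perm -002 \) -print)" ]; then
        return 3
    fi
    return 0
}

# usage (placeholder path): check_policy /path/to/netlogon NTConfig.POL
#                           check_policy /path/to/netlogon Config.POL
```
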

