Policies (Again) GROUPPOL.DLL

THSD Network Admin thsd at thsd.k12.ca.us
Wed Feb 14 17:21:32 GMT 2001


Jim.
Yes, group policies do work, but not using the implementation
used for NT.  We tried at our school to make a single config.pol
handle multiple groups within Samba with no success.  We took a 
different approach with great success.

We wanted different policies for students, teachers and admins using
the group names "students", "teachers" and "wheel".  Within the smb.conf
file, we defined "netlogon" as follows:
	[netlogon]
		comment = Network Logon Service
		path = /home/netlogon/%g
		guest ok = yes
		writable = no
		share modes = no
		locking = no
		write list = @wheel

Then within /home/netlogon we make 3 separate directories named students,
teachers and wheel, and put a config.pol and login.bat file in each.  
When making the policy file, just use the default user.  In this way, 
each user gets a policy appropriate for his/her group as well as a group-
specific login batch file to map drives for that group.  To aid maintenance, 
within the wheel directory we made symbolic links to the teachers and 
students directories.  Therefore an admin could make policy changes from
a Win9x workstation.  

This implementation has been in operation in 3 schools for 2 years.  We
are in the process of replacing our last remaining NT box with a Linux
box.  Overall we handle about 450+ accounts and have had no policy problems
using Win95 and Win98 workstations.  BTW, all our Linux boxes are RH 6.2
using Samba version 2.0.6.

	Mike Lamasney
	Network Admin
	Twain Harte-Long Barn USD
	thsd at thsd.k12.ca.us
		or
	lamasney at mlode.com

>>From: "JBCurry" <jbcurry at hline.localhealth.net>
>>To: "Jim Jarvie" <ntl-linux at ntlworld.com>,
>>	<samba-ntdom at lists.samba.org>
>>Subject: RE: Policies (Again) GROUPPOL.DLL
>>Date: Tue, 13 Feb 2001 09:42:26 -0500
>>
>>> -----Original Message-----
>>> From: samba-ntdom-admin at lists.samba.org
>>> [mailto:samba-ntdom-admin at lists.samba.org]On Behalf Of Jim Jarvie
>>>
>>>
>>> I have a network of around 1000 users, using Win98 logging onto a number
>>> of Samba [2.0.7] servers.
>>>
>>> I've checked the archives, read everything I can find, but *still* cannot
>>> get group policies to work.  User policies are OK, default policies are
>>> OK, machine policies are OK.
>>
>>According to my book on System Policies (O'Reilly's "Windows System Policy
>>Editor", pg. 43), if a specific user policy exists then the group policy
>>will be ignored.  I don't know if that's true or not, as I've never tried
>>using both simultaneously.
>>
>>On a specific user, make sure there are no user or machine policies and see if
>>the group policy begins to work for that user.
>>
>>>
>>> I have grouppol.dll installed and configured as per the instructions.
>>> I've checked the MS website and everything looks OK.
>>>
>>> However, group policies still do not work.
>>>
>>> My Windows 98 media has 2 versions of grouppol.dll, BOTH of which I've
>>> tried.
>>
>>I'm assuming you have assigned the users to groups in your Unix group file
>>(i.e., /etc/group).  If not, you can use the command "groupadd" to add the
>>groups, then use "usermod -G" to specify the groups a user should belong to.
>>
>>In your config.pol file, (on the server in the /netlogon directory), the
>>groups must match those listed in your Unix group file.
>>
>>>
>>> Ver.1 (Part Of Poledit (tools\reskit\net))
>>> grouppol.dll, 11,776 bytes, 23 apr 1999
>>>
>>> Ver.2 (Part of Win98 (\win98\win98_61.cab))
>>> grouppol.dll, 32,768 bytes, 23 apr 1999
>>>
>>
>>I've always used the reskit file.  And that should be a recent enough
>>version.
>>
>>> Can someone tell me which one is the correct one – all the previous postings
>>> simply say to get the working one!  Which is the working one?
>>>
>>> (I've even used example configs, but these still give identical results)
>>>
>>
>>Hope I was of some help.
>>
>>> Regards
>>> Jim
>>>
>>>
>>>
>>
>>
>>
>
>
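
An added example, not part of the original message: a shell function that audits the /home/netlogon/%g layout described above, flagging any group with no directory, a missing config.pol or login.bat, or a world-writable directory or file. The function names and finding labels are assumptions of this example, and the group list is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a per-group netlogon tree served as
# path = /home/netlogon/%g.
# Usage: audit_netlogon ROOT GROUP...
# Prints one line per finding; the return status is the number of findings.

# True if the path (symlinks followed) is writable by "other".
world_writable() {
    [ -n "$(find -L "$1" -prune -perm -002)" ]
}

audit_netlogon() {
    root=$1; shift
    findings=0
    for grp in "$@"; do
        dir=$root/$grp
        # %g expands to the user's primary group. With no matching directory
        # the share path does not exist, so neither config.pol nor login.bat
        # can be served to that group's users.
        if [ ! -d "$dir" ]; then
            echo "MISSING-DIR $dir"; findings=$((findings + 1)); continue
        fi
        if world_writable "$dir"; then
            echo "WORLD-WRITABLE $dir"; findings=$((findings + 1))
        fi
        for f in config.pol login.bat; do
            if [ ! -f "$dir/$f" ]; then
                echo "MISSING-FILE $dir/$f"; findings=$((findings + 1))
            elif world_writable "$dir/$f"; then
                echo "WORLD-WRITABLE $dir/$f"; findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# Run directly as: sh audit.sh /home/netlogon students teachers wheel
if [ "$#" -gt 0 ]; then audit_netlogon "$@"; fi
```

Pass every group that is some user's primary group, since that is the name %g resolves to at logon.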




