Profiles/Policies: Beware the Registry Size (fwd)

Luke Kenneth Casson Leighton lkcl at samba.org
Fri Feb 18 17:52:11 GMT 2000



<a href="mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
<a href="http://cb1.com/~lkcl"  > Samba and Network Development   </a>
<a href="http://samba.org"      > Samba Web site                  </a>
<a href="http://www.iss.net"    > Internet Security Systems, Inc. </a>
<a href="http://mcp.com"        > Macmillan Technical Publishing  </a>
 
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

---------- Forwarded message ----------
Date: Fri, 18 Feb 2000 09:30:08 -0800
From: Scott Talkovic <satalkov at uci.edu>
To: 'Luke Kenneth Casson Leighton' <lkcl at SAMBA.ORG>
Subject: RE: Profiles/Policies: Beware the Registry Size (fwd)

Two other things to check on NT 4.0 workstation regarding the user policies
are:

A. Make sure that the permissions in the ntuser.dat file in the user's
profile are correct.

B. Make sure that the registry keys set directly in the ntuser.dat file are
not conflicting with the policy. (This will probably only affect the result
if the ntuser.dat file says to restrict something, while the policy does
nothing to change the restriction.)

Here are examples of what I mean:

For A:
1. Let's say we have a publicly accessible NT 4.0 workstation that has
certain restrictions in place and the user account used on this workstation
is User1 with a roaming profile.
2. Let's say that you'd like to install another workstation with the same
restrictions but something slightly different (like needing an extra icon on
the Desktop), so it requires a different user account and profile. To
implement this, you just copy the profile of User1 into a new profile
directory for User2.
3. You then create a policy for User2 that is identical to the policy for
User1. You notice that when User2 logs in, the policies aren't applied
properly.
**The likely reason for this is that the user permissions in the ntuser.dat
file for User2 are set for User1 Full Control and nothing for User2. As a
result User2 can't read the policy setting registry keys out of its own
profile in order to set them.
***To fix this, load up User2's ntuser.dat file as a hive in regedt32 and
reset the permissions on the registry keys so that User2 can read them.
After you do this, User2's policies should be applied properly on the
workstation.

For B:
You can use regedt32 to load the hive of a user's ntuser.dat file and
directly set the registry keys that the policies are normally used to set.
If they conflict in certain instances, there might be unexpected results.
So:
1. You have a user account called User3 and you've decided to set certain
registry keys in the ntuser.dat file directly. You've loaded User3's hive
into regedt32 and set the registry key to disable right-clicking on the
Desktop.
2. You then make a policy that doesn't change the settings for
right-clicking on the Desktop for User3 and the Default User policy doesn't
change the settings for right-clicking on the Desktop. The net result of
this policy would be that right-clicking wouldn't be affected by the policy,
so it will be enabled.
3. You forget you did step 1 (or someone else did it), so when you log in as
User3, you can't right-click on the Desktop.
**If you check the ntuser.dat file in regedt32, you can locate the cause of
the unexpected result.

I hope this helps you out. I'm typing this fast, but I don't think I left
anything out.

Scott Talkovic, MCSE+I, MCDBA
U.C. Irvine, Library Information Systems
satalkov at uci.edu


-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM]On Behalf Of Luke Kenneth
Casson Leighton
Sent: Thursday, February 17, 2000 3:59 PM
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Profiles/Policies: Beware the Registry Size (fwd)


does anyone know if this is a known problem on nt or not?  it's actually
not related to samba, it could happen in a pure nt-only environment.


---------- Forwarded message ----------
Date: Fri, 18 Feb 2000 10:49:53 +1100
From: Benjamin Kuit <bj at mcs.uts.edu.au>
To: Multiple recipients of list SAMBA-NTDOM <samba-ntdom at samba.org>
Subject: Profiles/Policies: Beware the Registry Size


Disclaimer: This is not a problem or feature of Samba as a PDC, but is
of interest to people setting up domains.

A couple of weeks ago I asked samba-ntdom for help/information. I'm back
again to say that one of our NT people may have solved the problem and
this finding should be shared amongst others.

The problem was that we had the strange phenomenon whereby a particular
profile would inhibit the enforcement of policy settings, e.g. the
'shut down' menu option would show, control panel was accessible, regedit
was able to be run etc, and it was unclear why a profile could disable
the effects of the policy.

The problem seems to fall to a registry size limit on the NT workstation,
which can be accessed by
Control Panel -> System -> Performance -> (Virt. Mem)Change

This brings up the Virtual Memory properties dialog box, and at the bottom
of it shows current and maximum registry sizes.

The problem was the maximum registry size was set to the same value as the
current registry size, so once the profile was loaded, there simply wasn't
any more room for the policy to be loaded into the registry, so the policies
don't take any effect, and because it doesn't give any warning messages for
not having enough room, it remains a mystery to most people.

This could be a source of a lot of 'my policies don't work' type problems.

The moral of the story is: Check the maximum registry size.

Just trying to help =)

ciao

Bj

+-------------------------------+--------------------------------------+
|      Benjamin (Bj) Kuit       |  Faculty of Mathematical             |
|      Systems Programmer       |          and Computing Sciences.     |
|      Phone: 02 9514 1841      |  University of Technology, Sydney    |
|      Mobile: 0412 182 972     |  bj at mcs.uts.edu.au                   |
+-------------------------------+--------------------------------------+
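
Added example, not part of the original thread: a PowerShell sketch of checks A and B from Scott Talkovic's message, run against an offline ntuser.dat on a current Windows system instead of through regedt32. The hive path, account name and mount name are placeholders; run it elevated while the profile's user is logged off.

```powershell
# Added example (not from the thread). Path and account are placeholders.
param(
    [string]$HivePath = 'C:\Profiles\User2\ntuser.dat',  # placeholder
    [string]$Account  = 'EXAMPLE\User2'                  # placeholder
)

$mountName = 'ProfileAudit'                              # arbitrary temporary name
& reg.exe load "HKU\$mountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (is the user logged on?)" }

try {
    $root     = "Registry::HKEY_USERS\$mountName"
    $policies = "$root\Software\Microsoft\Windows\CurrentVersion\Policies"
    $readKey  = [System.Security.AccessControl.RegistryRights]::ReadKey

    # Point A: look for an explicit Allow entry giving $Account read access.
    # Access granted only through a group (e.g. Everyone) is not evaluated here.
    foreach ($key in @($root, $policies)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $allow = (Get-Acl -LiteralPath $key).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Account -and
            ($_.RegistryRights -band $readKey) -eq $readKey
        }
        [pscustomobject]@{ Check = 'A: ACL'; Key = $key
                           Name = $Account; Detail = "explicit read access: $([bool]$allow)" }
    }

    # Point B: list every value stored directly under the Policies subtree,
    # so a restriction set by hand in the hive can be compared with the policy.
    if (Test-Path -LiteralPath $policies) {
        $keys = @(Get-Item -LiteralPath $policies) +
                @(Get-ChildItem -LiteralPath $policies -Recurse)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{ Check = 'B: value'; Key = $k.Name
                                   Name = $name; Detail = $k.GetValue($name) }
            }
        }
    }
}
finally {
    # Drop open key handles, otherwise reg unload reports access denied
    Remove-Variable keys, k -ErrorAction SilentlyContinue
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$mountName" | Out-Null
}
```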
