gpedit.msc as centralized policy for 2k/xp clients in domain

John H Terpstra jht at samba.org
Wed Mar 12 17:17:20 GMT 2003


John,

Thanks for this info and for the link. This is most timely. We are looking
at what we can do to implement group policies from the Samba server end.
Only Samba3 negotiates the new protocols that expose (with Win2K/XP) the
ability to do some of this stuff. Despite the tattooing effect of NT4
Policies it looks like in the short term this may be the best we can do.
I'd like to see a Unix/Linux tool to create them though.

Also, Samba3 has the ability to interact with the HKLM registry structure
and we are looking at areas of potential exploitation that will help us
towards a powerful zero administration desktop environment.

Keep tuned.

- John T.

On Wed, 12 Mar 2003, John Newhouse wrote:

> I found this from http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf
>
> I would like to figure out how to do this gpedit.msc+AD+gpc+gpt magic for win2k/xp with
> linux+samba(2.2/3.0/tng)+openldap and is it possible at all?
>
> Thanks.
>
> Although GPOs provide significantly more policy features than NT 4.0
> System Policy provides, GPOs are stored and processed differently than
> NT 4.0 System Policy is. In NT 4.0, the System Policy file (often called
> ntconfig.pol) is stored in the Netlogon share on domain controllers
> within an NT 4.0 domain. When an NT 4.0 user logs onto a workstation in
> an NT 4.0 domain, the system reads the System Policy file from the
> Netlogon share, then sets registry values that are specific to a
> computer, user, or user group according to the policy file. NT 4.0
> allows only a single policy file to be processed at a given time. NT 4.0
> System Policy could apply to a specific computer (or all computers), a
> specific user (or all users), or an NT 4.0 domain global group.
>
> In contrast, GPOs are composed of two parts: the Group Policy Container
> (GPC), which is stored within Active Directory (AD), and the Group
> Policy Template (GPT), which is stored within the replicated SYSVOL
> folder on all AD domain controllers in a domain. Whereas System Policy
> is processed only when a user logs onto an NT 4.0 workstation, GPOs are
> processed at both machine startup (at which point machine-specific
> policy is processed) and user logon (at which point user-specific policy
> is processed). Again, in contrast to System Policies, you can define a
> virtually unlimited number of GPOs within an AD domain (though
> practically speaking, large numbers of GPOs will take a long time to
> process). And, whereas System Policies apply to individual users,
> individual computers, and NT security groups, GPOs are processed only by
> AD users and computers. However, AD security groups composed of either
> machines or users can filter GPOs' effects. This filtering capability,
> in conjunction with the ability to have multiple GPOs processed by a
> given user or computer, can provide much greater policy flexibility than
> is available in NT 4.0. Figure 1.2 shows an example of how you can use
> security groups to filter the effects of a GPO.

-- 
John H Terpstra
Email: jht at samba.org
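The quoted excerpt describes the GPT half of a GPO as the part that lives in SYSVOL and, like the old ntconfig.pol, ends up setting registry values on the client. The registry settings of a GPT are carried in a Registry.pol file, whose on-disk layout (a "PReg" header followed by [key;value;type;size;data] records in UTF-16LE) is published by Microsoft as MS-GPREG. The following parser is an added example for auditing what a GPT would write to the registry; it is not code from this thread, from Samba, or from the quoted document. The key and value names in the sample are constructed placeholders, and the mapping of a file to HKLM or HKCU is an assumption made by the caller (in a real GPT it is the Machine\ or User\ folder the file sits in, not the file contents, that decides).

```python
import struct
from typing import List, Tuple, Union

# Registry value types (REG_* constants from the Windows API).
REG_SZ = 1
REG_DWORD = 4

# Registry.pol header per MS-GPREG: ASCII "PReg" followed by version 1 (little-endian DWORD).
PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1

Entry = Tuple[str, str, int, Union[int, str, bytes]]


def build_registry_pol(entries: List[Tuple[str, str, int, bytes]]) -> bytes:
    """Serialize (key, value, type, raw_data) tuples into Registry.pol bytes.
    Used only to construct a sample file offline; a real file comes from SYSVOL."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, vtype, data in entries:
        out += "[".encode("utf-16-le")
        out += (key + "\0").encode("utf-16-le")       # null-terminated UTF-16LE key path
        out += ";".encode("utf-16-le")
        out += (value + "\0").encode("utf-16-le")     # null-terminated UTF-16LE value name
        out += ";".encode("utf-16-le")
        out += struct.pack("<I", vtype)               # REG_* type as DWORD
        out += ";".encode("utf-16-le")
        out += struct.pack("<I", len(data))           # data length in bytes
        out += ";".encode("utf-16-le")
        out += data
        out += "]".encode("utf-16-le")
    return bytes(out)


def _read_wstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a null-terminated UTF-16LE string starting at pos; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in Registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Consume one expected UTF-16LE delimiter character ('[', ';' or ']')."""
    enc = ch.encode("utf-16-le")
    if buf[pos:pos + 2] != enc:
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def _decode_value(vtype: int, data: bytes) -> Union[int, str, bytes]:
    """Turn raw value bytes into a Python value for the common types; keep others raw."""
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data


def parse_registry_pol(buf: bytes) -> List[Entry]:
    """Parse a Registry.pol blob into (key, value, type, decoded_data) entries.
    Raises ValueError on a bad header, a bad delimiter, or a truncated record."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file (missing PReg signature)")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        (vtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated value data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, vtype, _decode_value(vtype, data)))
    return entries


def summarize(entries: List[Entry], hive: str = "HKLM") -> List[str]:
    """Render entries as audit lines. Value names starting with '**' are MS-GPREG
    directives (for example deletions), not values, and are flagged as such."""
    lines = []
    for key, value, vtype, data in entries:
        if value.startswith("**"):
            lines.append("%s\\%s: directive %s" % (hive, key, value))
        else:
            lines.append("%s\\%s\\%s (type %d) = %r" % (hive, key, value, vtype, data))
    return lines


# Constructed sample: two settings under a placeholder policy key (not a real product's key).
SAMPLE_ENTRIES = [
    ("Software\\Policies\\ExampleVendor\\ExampleApp", "ExampleSetting", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\ExampleVendor\\ExampleApp", "ExampleMode", REG_SZ, "Enabled\0".encode("utf-16-le")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for line in summarize(parse_registry_pol(SAMPLE_POL)):
        print(line)
```

Run against a Registry.pol copied out of a GPT's Machine\ folder (passing `hive="HKLM"`) or User\ folder (`hive="HKCU"`), the summary gives an administrator a readable list of what the template will push into the registry, which is the first thing to check when a policy has an unexpected effect on a client.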

