Success Report

Andrew Bartlett abartlet at samba.org
Tue Apr 20 05:58:16 MDT 2010


On Mon, 2010-04-19 at 17:52 -0600, Rick Widmer wrote:
> I have just installed a copy of SAMBA 4 from git, and so far all is 
> well.  An attempt last Thursday failed with compile errors, but after a 
> git pull today it worked.
> 
> By 'worked' I mean that I have made it through the entire installation 
> HOWTO, including connecting to the domain on SAMBA 4 and connecting with 
> the Windows Remote Administration tools, and the Group Policy Management 
> Console.

Great!

> Now the real work begins.  I am the IT manager at a small library that 
> is currently using Windows SteadyState on Windows XP machines.  We hope 
> to upgrade our public machines to Windows 7 at the end of this budget 
> year.  At this time SteadyState is not available or expected on 7, so we 
> must re-evaluate our security procedures.
> 
> My hope is to replace the SteadyState account restrictions with Group 
> Policy, preferably served via SAMBA 4.
> 
> I haven't chosen a replacement for Disk Protection yet, but I have used 
> Faronics Deep Freeze in the past, so they have an advantage.  I wasn't 
> very happy with their WinSelect tool for account restrictions though.

When I was a School sysadmin, the best thing I ever did was remove users
from the "power users" group, and give them all a single mandatory
profile.  It meant that we set things up right, once, and had very
little trouble after that. 

I didn't need many policies, as most of those were just for removing UI
elements, and being outside "Power users" stopped the actual changes. 

If I ever had any real trouble, I could have just wiped the disks and
re-installed with 'unattended' (which I used for all the computers).

(It did take me some time to find a way to install the library software
without giving students "power user" rights.  After a lot of back and
forth with the authors of "Alice" we found that it just wanted to
install a .dll.  We did that manually, and then locked the students
out).

> Finally there is a need on some web browsers to limit access to a single 
> web site.  These are all things that currently depend on Windows 
> SteadyState.

That is best done with firewall rules.  I would use a transparent proxy
and squid ACLs myself.  

> Back to the topic of this list...
> 
> I have until the end of August to decide what to do, but as of now I am 
> hopeful that Group Policy served from SAMBA 4 will be part of the 
> solution.  There will be much testing between now and then.
> 
> Thanks for all your hard work!

No worries!  We are glad it's working out for you, and we will continue
to do our best to make Samba4 the best we can. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.


More information about the samba-technical mailing list