[Samba] Windows2000 policies in a Samba PDC

John H Terpstra jht at samba.org
Mon Dec 29 07:51:18 GMT 2003


On Mon, 29 Dec 2003, Áncor González Sosa wrote:

> I'm installing a Samba 3.0 PDC with LDAP backend in a classroom in
> a Spanish school. Client workstations are Windows2000 and, in the future,
> there will be Linux clients.
>
> I'm following the Samba Project Documentation book (also known as the Samba
> Howto Collection). The document is wonderful, but there is a part that
> I don't fully understand, maybe because, as you can read, I'm not a
> native English speaker. :-(
> I work with Spanish versions of Windows, so some terms can be inexact
> (it is MY translation of Spanish Windows terms into English, not
> Microsoft's).

Ok. I am the author of that HOWTO.

>
> I want to use complete policies, centralized on the server and applied
> depending on the user and the groups the user belongs to. I want to use
> those features that W2000 policies have and WinNT lacks, like making
> particular applications available to particular users and/or groups.
> After reading the document, I'm not sure of the way I can manage
> those advanced policies without having a W2K Server:

With Samba you can do only what you can do with NT4 using the NTConfig.POL
file.

>
>  * It's said in the document (23.2.3) that W2k policies are not stored in the
>    NETLOGON share (like it's done with NT policies) but rather part of a
>    Windows 200x policy file is stored in the Active Directory itself and the
>    other part is stored in a shared (and replicated) volume called the
>    SYSVOL folder.
>
>  * It's also said (23.3) that policy files contain the registry settings for
>    all users, groups, and computers, so only one policy file is necessary for
>    managing a whole domain.
>
>  * The document also says (23.2.3.1) that W2k policies must be created with
>    a Microsoft Management Console (MMC) snap-in.
>        Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
>
>        Right-click on the OU -> Properties -> Group Policy
>
> Well, when I use this tool, I need to create some GPOs to fully define a
> policy. For each GPO I create, a complex directory is created in:
>    c:\WINNT\SYSVOL\sysvol\domainname\profiles
> This created folder includes several subfolders and files

You can copy the files Win2K creates in
c:\WINNT\SYSVOL\sysvol\domainname\profiles to a share called "SYSVOL"
under the path: /var/lib/sysvol/sysvol/domainname/profiles/...
Where the root of the SYSVOL share is /var/lib/sysvol.

From my experimentation this only partly works at best. Only NT4
NTConfig.POL policies work consistently.

The other choice you have is to edit the NTUSER.DAT from the users'
profile, add the policy settings in it, then save it back.

To do this you must load the NTUSER.DAT file as an add-on hive in
regedt32. Edit, then unload the hive. Be careful with this! It can ruin
your day!

>
> The document says that NTConfig.POL must be copied into NETLOGON, but using the
> MMC I don't get a .POL file, but a set of complex folders! Furthermore, part
> of the policy information is supposed to be located in the AD, not in that set
> of folders.

No. To create that you must use the NT4 Group Policy Editor. No
alternative exists.

>
> I did the tests of the MMC with a W2k server that doesn't belong to the
> classroom I'm configuring. In fact, I can't use that W2k server usually.
>
> Well, I've already explained my situation, here are the questions:
>
>  * How can I create complex W2k policies with the W2k MMC and use them in my
>    Samba PDC?

See above comments.

>
>    Of course, I would like to change the policies (or, better, create them from
>    the beginning) without using a W2k server. Is it possible?

Sorry. Not possible today.

>
>  * Maybe the client machine converts the profile into a single .POL file
>    (accessible in My Computer -> Properties -> User Profiles) in the login
>    process.

No. See comments above.

>    If it works this way, is *everything* stored in this .POL file? Including
>    those settings that are not applied (for example, settings for a different
>    group)?
>
>    If this assumption is right, it would mean that the only way to get a
>    feature-rich policy (à la W2k, which are really more powerful than WinNT
>    policies) is creating the policy on a W2k server and logging in afterwards from a
>    W2k workstation to obtain a single .POL file.
>    I expect there is a way of getting a W2k policy without installing and
>    configuring a W2k server and replacing it with Samba afterwards, so
>    where are my assumptions wrong?
>    What is the best way of getting feature-rich W2k policies on a Samba PDC
>    without installing a W2k server?
>    Should I resign myself to using WinNT profiles (which are poorer but easier
>    to create)?
>
> Thanks a lot, I promise I will write a Spanish howto explaining everything.

:)

- John T.
-- 
John H Terpstra
Email: jht at samba.org
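An added example, not part of the original thread or of the Samba HOWTO, of the smb.conf share definitions the replies above assume: a [netlogon] share whose root holds the NT4-style NTConfig.POL, and a [sysvol] share rooted at /var/lib/sysvol as John describes. The workgroup name, the Unix group "ntadmin", the /var/lib/samba/netlogon path and the logon script name are assumptions for the example.

```ini
[global]
   workgroup = CLASSROOM            ; assumed domain name
   domain logons = yes
   ; %L expands to the server's NetBIOS name, %U to the user name.
   logon path = \\%L\profiles\%U
   logon script = logon.bat          ; assumed script name

[netlogon]
   comment = Domain logon service (NT4-style NTConfig.POL lives in the share root)
   path = /var/lib/samba/netlogon    ; assumed path
   ; Workstations and users only ever need to READ the policy and logon script.
   read only = yes
   ; Only domain administrators may replace NTConfig.POL. A user-writable
   ; NETLOGON would let any user push registry settings to every machine
   ; that logs on to the domain.
   write list = @ntadmin             ; assumed Unix group
   guest ok = no
   browseable = no

[sysvol]
   comment = Copy of a Win2K SYSVOL tree (only partly honoured, see the reply above)
   path = /var/lib/sysvol
   read only = yes
   write list = @ntadmin
   guest ok = no
   browseable = no
```

The share-level "read only = yes" is only half of the control: the directories on disk should also be owned by root (or the admin group) with mode 0755 and the files 0644, so that the restriction still holds if a user reaches the files through another share or a local login on the server. After editing, run "testparm" to check the syntax before restarting smbd.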

