[Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

John H Terpstra jht at samba.org
Mon Dec 29 17:11:08 GMT 2003


Clint,

In my new book "Samba-3 by Example", which will be released to open source
when the book is in print, I have given step-by-step prescriptive guidance
on how to implement total control over client Windows workstations. I have
restricted coverage to NT4 style profiles, even though I am fully aware
that SYSVOL type Win2kx profiles do partly work.

That book will be available in April, and will be part of the samba-docs
project (that is where the Samba-HOWTO-Collection also has its home).

The reasons for which I have not provided guidance specific to Win2K GPO
implementation are:

	1. Part of the protocol is dependent on Active Directory queries
		that Samba-3 can not support.
	2. NT4 Policies allow almost everything that must be achieved
		without a whole lot more complicated steps that are
		very easy to get wrong.

But if you wish to help document what you have done I am most willing to
put it in the appendix and to point readers at it from appropriate
locations in the text.

Cheers,
John T.

On Mon, 29 Dec 2003, Sharp, Clint wrote:

> > -----Original Message-----
> > On Mon, 29 Dec 2003, Áncor González Sosa wrote:
> >
> > With Samba you can do only what you can do with NT4 using the
> > NTConfig.POL file.
> >
> >
> > You can copy the files Win2K creates in
> > c:\WINNT\SYSVOL\sysvol\domainname\profiles to a share called
> > "SYSVOL" under the path:
> > /var/lib/sysvol/sysvol/domainname/profiles/...
> > Where the root of the SYSVOL share is /var/lib/sysvol.
> >
> > From my experimentation this only partly works at best. Only NT4
> > NTConfig.POL policies work consistently.
> >
> > The other choice you have is to edit the NTUSER.DAT from the
> > users' profile, add the policy settings in it, then save it back.
> >
> > To do this you must load the NTUSER.DAT file as an add-on
> > hive in regedt32. Edit, then unload the hive. Be careful with
> > this! It can ruin your day!
> >
> >
> > No. To create that you must use the NT4 Group Policy Editor.
> > No alternative exists.
> >
> >
> > Sorry. Not possible today.
> >
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: jht at samba.org
>
> Sorry for badly hacking up your reply since most of this could be taken
> out of context w/o his message, but I wanted to leave a couple of the
> lines in there.
>
> The reason I joined the list was to ask this question.  I'm aware of the
> current situation with W2k policies, and I was wondering if anyone has
> undertaken work to implement all or part of the W2k GPO outside of
> Active Directory.  Since essentially GPOs are simply an ACL which
> implements registry changes dependent on the policy defined in the GPO,
> I would think this is definitely possible.  Maybe I'm over simplifying
> what GPOs do or possibly I only used GPO features which were NT4
> compatible (which would mean that I could get by with .POL files).
>
> I'm currently trying to solve three problems in my Samba implementation.
> Two of these are irrelevant to this discussion, but I want to include
> them as I'm considering solving them with the same software:
>
> * Microsoft implemented roaming profiles suck and are incredibly
> inefficient over slow links.  I'm considering re-implementing them using
> a client-side process and librsync.
>
> * Patching systems is a pain, as well as installing software for users.
> This is generally part of SUS or could be part of GPO (maybe SUS creates
> GPOs to install the updates, I dunno).  The problem I've always found is
> getting around my users not having admin privileges on their machines.
> I've found several free su-like implementations for Windows, but all
> still require a password on the command line or are just too insecure
> for me if they don't.  I'm considering implementing a service which
> would patch software on the Windows machine based on output from a
> server process running on my Samba servers (possibly only the PDC).
>
> * As mentioned before, I'd like an open-source implementation of W2k
> GPOs.  This wouldn't run using Microsoft's GPO process, instead it would
> be implemented by a client-side process which would make the necessary
> changes.
>
> Has anyone currently started work fixing any of these?  I'm ready to
> trash all the custom work I've done to solve these problems and start
> fresh with something that'll work cleanly and smoothly.  I've got some
> ideas for architecture including development language, communications
> protocols, etc, but nothing's firm, and I'd be glad to contribute to
> someone who's already started a project which solves one or more of the
> above problems.  If not, if anyone else is interested in the above
> problems and wants to start work on a new project which would solve
> those, I'd be happy to discuss with you offline.
>
> Cheers,
> Clint
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

-- 
John H Terpstra
Email: jht at samba.org
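
The regedt32 hive-load procedure John describes in the quoted reply (load the user's NTUSER.DAT as an add-on hive, edit, unload), as an added PowerShell example that is not part of the original thread and does the same job with reg.exe and the registry provider. The hive path, the mount name and the policy value written (NoDriveTypeAutoRun under the Explorer policies key, chosen only as an illustration) are assumptions; the profile owner must be logged off so the server-side NTUSER.DAT is not in use, and the edit is made on a copy pulled from the Samba profile share, with a backup taken first.

```powershell
# Added example, not code from the original thread or from the Samba project.
# Offline edit of a roaming-profile NTUSER.DAT: load as a temporary hive under
# HKEY_USERS, set a policy value, verify it, unload. All paths and the value
# name are illustrative assumptions.
param(
    [string]$HivePath  = 'C:\work\profiles\clint\NTUSER.DAT',  # copy from the profile share
    [string]$MountName = 'TMP_NTUSER'                           # temporary HKU subkey name
)

$ErrorActionPreference = 'Stop'

# Keep a byte-for-byte backup; a bad hive edit is what "ruins your day".
$backup = "$HivePath.bak"
Copy-Item -LiteralPath $HivePath -Destination $backup -Force

# reg.exe exits non-zero if the hive is in use (user still logged on) or corrupt.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (hive busy or corrupt)" }

try {
    # Per-user policy key, written where the NT4 policy engine would put it.
    $key = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Illustrative value: disable AutoRun for every drive type (0xFF).
    Set-ItemProperty -LiteralPath $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Read it back before unloading so a silent failure is not written to the share.
    $written = (Get-ItemProperty -LiteralPath $key).NoDriveTypeAutoRun
    if ($written -ne 0xFF) { throw "verification failed: NoDriveTypeAutoRun = $written" }
}
finally {
    # The registry provider keeps key handles open; unload fails while they exist.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; the hive is still mounted. Close any open handles, unload manually, and restore from $backup if the file is damaged."
    }
}
```

Run it elevated. The garbage-collection calls before the unload are the step people forget: without them the unload fails, the hive stays mounted, and the file on disk stays locked until whatever holds the handle exits. Once the unload succeeds, copy the edited NTUSER.DAT back to the user's directory on the profile share while the user is still logged off.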