[Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

John H Terpstra jht at samba.org
Mon Dec 29 17:11:08 GMT 2003


In my new book "Samba-3 by Example", which will be released to open source
when the book is in print, I have given step-by-step prescriptive guidance
on how to implement total control over client Windows workstations. I have
restricted coverage to NT4 style profiles, even though I am fully aware
that SYSVOL type Win2kx profiles do partly work.

That book will be available in April, and will be part of the samba-docs
project (that is where the Samba-HOWTO-Collection also has its home).

The reasons for which I have not provided guidance specific to Win2K GPO
implementation are:

	1. Part of the protocol is dependant on Active Directory queries
		that Samba-3 can not support.
	2. NT4 Policies allow almost everything that must be achieved
		without a whole lot more complicated steps that are
		very easy to get wrong.

But if you wish to help document what you have done I am most willing to
put it in the appendix and to point readers at it from appropriate
locations in the text.

John T.

On Mon, 29 Dec 2003, Sharp, Clint wrote:

> > -----Original Message-----
> > On Mon, 29 Dec 2003, [ISO-8859-1] Áncor González Sosa wrote:
> >
> > With Samba you can do only what you can do with NT4 using the
> > NTConfig.POL file.
> >
> >
> > You can copy the files Win2K creates in
> > c:\WINNT\SYSVOL\sysvol\domainname\profiles to a share called
> > "SYSVOL" under the path:
> > /var/lib/sysvol/sysvol/domainname/profiles/...
> > Where the root of the SYSVOL share is /var/lib/sysvol.
> >
> > From my experimentation this only partly works at best. Only NT4
> > NTConfig.POL policies work consistently.
> >
> > The other choice you have is to edit the NTUSER.DAT from the
> > users' profile, add the policy settings in it, then save it back.
> >
> > To do this you must load the NTUSER.DAT file as an add-on
> > hive in regedt32. Edit, then unload the hive. Be careful with
> > this! It can ruin your day!
> >
> >
> > No to create that you must use the NT4 Group Policy Editor.
> > No alternative exists.
> >
> >
> > Sorry. Not possible today.
> >
> >
> > - John T.
> > --
> > John H Terpstra
> > Email: jht at samba.org
> Sorry for badly hacking up your reply since most of this could be taken
> out of context w/o his message, but I wanted to leave a couple of the
> lines in there.
> The reason I joined the list was to ask this question.  I'm aware of the
> current situation with W2k policies, and I was wondering if anyone has
> undertaken work to implement all or part of the W2k GPO outside of
> Active Directory.  Since essentially GPOs are simply an ACL which
> implements registry changes dependent on the policy defined in the GPO,
> I would think this is definitely possible.  Maybe I'm over simplifying
> what GPOs do or possibly I only used GPO features which were NT4
> compatible (which would mean that I could get by with .POL files).
> I'm currently trying to solve three problems in my Samba implementation.
> Two of these are irrelevant to this discussion, but I want to include
> them as I'm considering solving them with the same software:
> * Microsoft implemented roaming profiles suck and are incredibly
> ineffecient over slow links.  I'm considering re-implementing them using
> a client-side process and librsync. * Patching systems is a pain, as
> well as installating software for users.  This is generally part of SUS
> or could be part of GPO (maybe SUS creates GPOs to install the updates,
> I dunno).  The problem I've always found is getting around my users not
> having admin priviledges on their machines.  I've found several free
> su-like implementations for Windows, but all still require a password on
> the command line or are just too insecure for me if they don't.  I'm
> considering implementing a service which would patch software on the
> Windows machine based on output from a server process running on my
> Samba servers (possibly only the PDC). * As mentioned before, I'd like
> an open-source implementation of W2k GPOs.  This wouldn't run using
> Microsoft's GPO process, instead it would be implemented by a
> client-side process which would make the necessary changes.
> Has anyone currently started work fixing any of these?  I'm ready to
> trash all the custom work I've done to solve these problems and start
> fresh with something that'll work cleanly and smoothly.  I've got some
> ideas for architecture including development language, communications
> protocols, etc, but nothing's firm, and I'd be glad to contribute to
> someone who's already started a project which solves one or more of the
> above problems.  If not, if anyone else is interested in the above
> problems and wants to start work on a new project which would solve
> those, I'd be happy to discuss with you offline.
> Cheers,
> Clint
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list