[Samba] gpedit.msc as centralized policy for 2k/xp clients

[Ulrich Kohlhase]

John,

> I would like to figure out how to do this
> gpedit.msc+AD+gpc+gpt magic for
> win2k/xp with linux+samba(2.2/3.0/tng)+openldap and is it possible at
> all? 

We use local (!) GPOs on our Win2k clients with great success:
- log on to "master" workstation as administrator
- create a link to the "C:\WINNT\system32\GroupPolicy" folder on your
administrator's desktop
- optionally add gpedit.msc to mmc (add snapin ...)
- change settings in GPOs to fit your needs or your company's security
policy (especially admin templates)
- export and import on other workstations or clone "master" workstation

Please bear in mind that LGPOs affect ALL local users and Samba domain
users, including the local administrator account. So be careful when
changing the LGPOs since the user-specific policy settings are immediately
effective! Administrators control can be retained by denying read access on
the GroupPolicy folder, logging off and logging on again. This trick
probably won't work on WinXP any more, so you will need to find a different
solution.
Please post your findings, especially if an alternative for WinXP and/or
central policy management is at all possible.

Good luck,
Uli