gpedit.msc as centralized policy for 2k/xp clients in domain

John Newhouse john at ylenurme.ee
Wed Mar 12 14:34:52 GMT 2003


I found this from http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf

I would like to figure out how to do this gpedit.msc+AD+gpc+gpt magic for win2k/xp with
linux+samba(2.2/3.0/tng)+openldap and is it possible at all?

Thanks.

Although GPOs provide significantly more policy features than NT 4.0
System Policy provides, GPOs are stored and processed differently than
NT 4.0 System Policy is. In NT 4.0, the System Policy file (often called
ntconfig.pol) is stored in the Netlogon share on domain controllers
within an NT 4.0 domain. When an NT 4.0 user logs onto a workstation in
an NT 4.0 domain, the system reads the System Policy file from the
Netlogon share, then sets registry values that are specific to a
computer, user, or user group according to the policy file. NT 4.0
allows only a single policy file to be processed at a given time. NT 4.0
System Policy could apply to a specific computer (or all computers), a
specific user (or all users), or an NT 4.0 domain global group.

In contrast, GPOs are composed of two parts: the Group Policy Container
(GPC), which is stored within Active Directory (AD), and the Group
Policy Template (GPT), which is stored within the replicated SYSVOL
folder on all AD domain controllers in a domain. Whereas System Policy
is processed only when a user logs onto an NT 4.0 workstation, GPOs are
processed at both machine startup (at which point machine-specific
policy is processed) and user logon (at which point user-specific policy
is processed). Again, in contrast to System Policies, you can define a
virtually unlimited number of GPOs within an AD domain (though
practically speaking, large numbers of GPOs will take a long time to
process). And, whereas System Policies apply to individual users,
individual computers, and NT security groups, GPOs are processed only by
AD users and computers. However, AD security groups composed of either
machines or users can filter GPOs' effects. This filtering capability,
in conjunction with the ability to have multiple GPOs processed by a
given user or computer, can provide much greater policy flexibility than
is available in NT 4.0. Figure 1.2 shows an example of how you can use
security groups to filter the effects of a GPO.




