Has anyone looked into domain policy for Win2K/XP machines from a SAMBA controlled domain?

I have played around with these policies from within a Win2K AD-domain, and wondered if I can carry my policies over to a SAMBA domain.

Any info, or reference to relevant documentation is appreciated.

This mail has passed through an insecure network. All enquiries should be directed to the message author.

>From: "Russell McGregor" <DTSA20@brisbane.qld.gov.au>
>To: <samba@lists.samba.org>
>Subject: [Samba] Group policy for Win2K/XP
>Date: Fri, 26 Apr 2002 14:32:11 +1000
>
>Has anyone looked into domain policy for Win2K/XP machines from a SAMBA
>controlled domain?
>
>I have played around with these policies from within a Win2K AD-domain, and
>wondered if I can carry my policies over to a SAMBA domain.
>
>Any info, or reference to relevant documentation is appreciated.

Ditto. I'd very much like to see this if possible.

Other thought: The 3.0 version is moving towards this. See http://ie.samba.org/samba/development.html (or your local mirror)

Also, are you aware of Samba TNG? http://www.samba-tng.org/

Mac
Assistant Systems Administrator @nibsc.ac.uk
dmccann@nibsc.ac.uk
Work: +44 1707 654753 x285
Everything else: +44 7956 237670 (anytime)

With SAMBA 2.x.x you can use the Policy Editor from NT 4.0. There are all kinds of ADM files out there to control about 95% of what you can control in AD. Like NT 4.0 Server, save the .pol (that's a policy file) and NTconfig.pol and place that in a netlogon share on your SAMBA server. Make sure you have a share like this in your smb.conf file:

    [netlogon]
        path = /usr/local/samba/netlogon

Here are a few sites that have lots of ADM files and even the Policy Editor itself. (BTW, the policy editor can also be found on the Windows 98 CD in admin\tools I believe)

http://www.elkantler.net/security/security.htm has some good ADM templates. Geared towards 9x/ME but most will work for it. The Office 2k templates are good.

http://www.thethin.net/tsdownload.cfm has some good 2k policy templates designed for thin clients but work very well.

http://www.worldofasp.com/ts/download.cfm is another goodie.

-Scott Shackelford
Custom Transport Systems

Sorry to re-send, but I think this may have gotten missed last time, possibly because of the inaccurate subject line. Can someone throw me a bone here? I am very lost as far as this one part of the administration goes. Thanks for any help you can provide!

The thing that I have been having great difficulty understanding, and this could be because of lack of Windows knowledge but bear with me, is how you can have DIFFERENT policy files based on... well, anything.

I know group support is limited... how about even based on NetBIOS name as I can easily get that from %m at least. I know, for example, the profile of a Win2k machine will be located in \\SERVER\NETLOGON\Default Profile, but what if I want to have one for lab PCs and one for Office PCs, and for some remote sites, none at all, just authentication? I know how to implement policies per user, too, but I don't want to have to login as the user, set the policy and then save the policy and log out. How can I apply a policy to a user based on some arbitrary information? Is the logon script early enough to do some work behind the scenes to symlink the proper files into the right place, or... am I totally off track here? I'm sure this is something everyone does, but I can't for the life of me figure out the way to make this stuff apply to different users differently.

PS: This information would be EXCEEDINGLY helpful to have in the HOWTO. The O'Reilly book covers it a little, but... not that much either.

----
Ryan Novosielski - Jr. UNIX Systems Admin
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630

>The thing that I have been having great difficulty
>understanding, and this could be because of lack of
>Windows knowledge but bear with me, is how you can
>have DIFFERENT policy files based on... well,
>anything.

Shouldn't it be possible to add some macros like %m to the "path =" parameter in the [netlogon] stanza? I haven't used the trick myself, but it sounds like this is what you really want:

    [netlogon]
        path = /local/%m/netlogon
        write list = root
        browseable = No

>I know group support is limited... how about even
>based on NetBIOS name as I can easily get that from
>%m at least. I know, for example, the profile of a
>Win2k machine will be located in
>\\SERVER\NETLOGON\Default Profile, but what if
>I want to have one for lab PC's and one for Office
>PC's, and for some remote sites, none at all, just
>authentication? I know how to implement policies per
>user, too, but I don't want to have to login as the

Now that you mention it, can you share some of your experiences? Which tool do you use? What is your typical set of rules?

This is one area where I'm still having problems. When a PC is added to a samba domain DOM I can see that the local Administrators group gets a new member DOM\Administrators and the Local Users group gets DOM\Users. Everyone who can authenticate himself as a DOM\User can use the PC. However, there is very little they can do with their own environment. They can't change the Wallpaper, they can't change Explorer properties, the mounted shares are not carried forward to a new session etc. Even if I add DOM\Users to the group of local Power Users, no further privileges can be seen. So how do you set up such things with the group policies?

>user, set the policy and then save the policy and log
>out. How can I apply a policy to a user based on some
>arbitrary information? Is the logon script early
>enough to do some work behind the scenes to symlink
>the proper files into the right place, or... am I
>totally off track here? I'm sure this is something
>everyone does, but I can't for the life of me figure
>out the way to make this stuff apply to different
>users differently.

If privileges are right, you can do much with the logon script (which is in [netlogon]). If you configure the path to be dependent upon both %m and %u then you can use links to set up any combination of machines getting their own profiles and users getting their profiles too.
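
The per-machine layout suggested in the reply above (path = /local/%m/netlogon plus links), as an added example that is not part of the thread: a server-side script that gives each machine class its own NTConfig.pol and counts anything under the tree that non-root users could overwrite. The policies/<class> store, the map file format and the machine names are assumptions; only the share stanza comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Server-side layout for:
#   [netlogon]
#       path = /local/%m/netlogon
#       write list = root
# Assumed layout: ROOT/policies/<class>/NTConfig.pol holds one policy per class.

# Constructed sample map: "<machine name> <class>"; class "none" = no policy.
sample_map() {
    cat <<'EOF'
# machine  class
lab01      lab
lab02      lab
office07   office
remote03   none
../evil    lab
EOF
}

# build_netlogon_tree ROOT MAPFILE: create ROOT/<machine>/netlogon per map line.
build_netlogon_tree() {
    root=$1; map=$2
    while read -r machine class; do
        case $machine in
            ''|\#*) continue ;;                        # blank line or comment
            *[!A-Za-z0-9_-]*)                          # no "/" or ".." in a path part
                echo "skipping unsafe name: $machine" >&2; continue ;;
        esac
        dir=$root/$machine/netlogon
        mkdir -p "$dir" || return 1
        chmod 755 "$root/$machine" "$dir"
        rm -f "$dir/NTConfig.pol"
        if [ "$class" = none ]; then continue; fi      # authentication only
        src=$root/policies/$class/NTConfig.pol
        [ -f "$src" ] || { echo "no policy for class: $class" >&2; return 1; }
        # Hard link keeps the file inside the share, so nothing depends on
        # Samba following symlinks out of it; copy if linking is not possible.
        ln "$src" "$dir/NTConfig.pol" 2>/dev/null || cp -p "$src" "$dir/NTConfig.pol"
    done < "$map"
}

# count_writable ROOT: prints how many entries are group- or world-writable.
count_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}
```

%m is the name the client reports, so this layout selects a policy per machine but does not authenticate the machine; the directory names must match whatever Samba substitutes for %m.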