John Newhouse
2003-Mar-12 14:36 UTC
[Samba] gpedit.msc as centralized policy for 2k/xp clients in domain
I found this from http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf

I would like to figure out how to do this gpedit.msc+AD+gpc+gpt magic for win2k/xp with linux+samba(2.2/3.0/tng)+openldap and is it possible at all? Thanks.

Although GPOs provide significantly more policy features than NT 4.0 System Policy provides, GPOs are stored and processed differently than NT 4.0 System Policy is. In NT 4.0, the System Policy file (often called ntconfig.pol) is stored in the Netlogon share on domain controllers within an NT 4.0 domain. When an NT 4.0 user logs onto a workstation in an NT 4.0 domain, the system reads the System Policy file from the Netlogon share, then sets registry values that are specific to a computer, user, or user group according to the policy file. NT 4.0 allows only a single policy file to be processed at a given time. NT 4.0 System Policy could apply to a specific computer (or all computers), a specific user (or all users), or an NT 4.0 domain global group.

In contrast, GPOs are composed of two parts: the Group Policy Container (GPC), which is stored within Active Directory (AD), and the Group Policy Template (GPT), which is stored within the replicated SYSVOL folder on all AD domain controllers in a domain. Whereas System Policy is processed only when a user logs onto an NT 4.0 workstation, GPOs are processed at both machine startup (at which point machine-specific policy is processed) and user logon (at which point user-specific policy is processed).

Again, in contrast to System Policies, you can define a virtually unlimited number of GPOs within an AD domain (though practically speaking, large numbers of GPOs will take a long time to process). And, whereas System Policies apply to individual users, individual computers, and NT security groups, GPOs are processed only by AD users and computers. However, AD security groups composed of either machines or users can filter GPOs' effects. This filtering capability, in conjunction with the ability to have multiple GPOs processed by a given user or computer, can provide much greater policy flexibility than is available in NT 4.0. Figure 1.2 shows an example of how you can use security groups to filter the effects of a GPO.
Wolfgang Ratzka
2003-Mar-12 15:17 UTC
[Samba] Re: gpedit.msc as centralized policy for 2k/xp clients in domain
John Newhouse wrote:
| I found this from http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf
|
| I would like to figure out how to do this gpedit.msc+AD+gpc+gpt magic for win2k/xp with
| linux+samba(2.2/3.0/tng)+openldap and is it possible at all?

Group policies are stored in Active Directory. Current samba development is still improving on "good old" Windows NT 4.0 domain services. I would suspect that Active Directory services on samba will not be available anytime soon. (I would love to be proven wrong :-) on that.)

--
Wolfgang Ratzka
Phone: +49 6421 2823531 FAX: +49 6421 2826994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
http://www.uni-marburg.de/hrz/mitarbeiter/ratzka.html