Ulrich Kohlhase
2003-Mar-13 17:30 UTC
[Samba] gpedit.msc as centralized policy for 2k/xp clients
John,

> I would like to figure out how to do this
> gpedit.msc+AD+gpc+gpt magic for
> win2k/xp with linux+samba(2.2/3.0/tng)+openldap and is it possible at
> all?

We use local (!) GPOs on our Win2k clients with great success:
- log on to "master" workstation as administrator
- create a link to the "C:\WINNT\system32\GroupPolicy" folder on your administrator's desktop
- optionally add gpedit.msc to mmc (add snapin ...)
- change settings in GPOs to fit your needs or your company's security policy (especially admin templates)
- export and import on other workstations or clone "master" workstation

Please bear in mind that LGPOs affect ALL local users and Samba domain users, including the local administrator account. So be careful when changing the LGPOs since the user-specific policy settings are immediately effective! Administrators' control can be retained by denying read access on the GroupPolicy folder, logging off and logging on again. This trick probably won't work on WinXP any more, so you will need to find a different solution.

Please post your findings, especially if an alternative for WinXP and/or central policy management is at all possible.

Good luck,
Uli
Hi Uli,

Is it possible to apply these at logon, through/via logon scripts, to centralize admin? I believe the user side is not applied till login anyway?

regards,
Richard Coates.

On Fri, 2003-03-14 at 03:30, Ulrich Kohlhase wrote:
> We use local (!) GPOs on our Win2k clients with great success:
> - log on to "master" workstation as administrator
> - create a link to the "C:\WINNT\system32\GroupPolicy" folder on your
> administrator's desktop
> - optionally add gpedit.msc to mmc (add snapin ...)
> - change settings in GPOs to fit your needs or your company's security
> policy (especially admin templates)
> - export and import on other workstations or clone "master" workstation
>
> Please bear in mind that LGPOs affect ALL local users and Samba domain
> users, including the local administrator account. So be careful when
> changing the LGPOs since the user-specific policy settings are immediately
> effective! Administrators' control can be retained by denying read access on
> the GroupPolicy folder, logging off and logging on again. This trick
> probably won't work on WinXP any more, so you will need to find a different
> solution.
> Please post your findings, especially if an alternative for WinXP and/or
> central policy management is at all possible.
>
> Good luck,
> Uli
Ulrich Kohlhase
2003-Mar-16 18:49 UTC
[Samba] gpedit.msc as centralized policy for 2k/xp clients
Richard,

> Is it possible to apply these at logon? through/via logon scripts to
> centralize admin? I believe the user side is not applied till login
> anyway? regards, Richard Coates.

LGPOs are applied at logon, at least the user-specific part. The machine-specific part comes into effect after rebooting the system. As I understand it, the GPO stuff usually depends on an AD environment if (more or less time consuming) LGPO tweaking on each and every non-AD local machine is not an option.

In the document you mentioned
http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf
the answer to question 6.2 says the scripting possibilities are limited, so logon scripts probably won't work.

This GPO stuff is very powerful and interesting in terms of user and machine restrictions but MUCH more complicated compared to the NT4 policy scheme (sigh). I don't have time to investigate any further on this right now, sorry.

After applying LGPOs the users' profile folders contain the following files:
----------------------
...
NTUSER.DAT
...
ntuser.dat.LOG
ntuser.ini
ntuser.pol
----------------------

Maybe it's possible to set up LGPOs on one computer and copy "ntuser.pol" (GPO settings) and "ntuser.ini" (profile Exclusion List) to users' profile folders on other machines? Just guessing and hoping there's a clean and easy solution ...

The following guide provided by MS may be of interest too:
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

Good luck,
Uli

> On Fri, 2003-03-14 at 03:30, Ulrich Kohlhase wrote:
>> We use local (!) GPOs on our Win2k clients with great success:
>> - log on to "master" workstation as administrator
>> - create a link to the "C:\WINNT\system32\GroupPolicy" folder on
>> your administrator's desktop
>> - optionally add gpedit.msc to mmc (add snapin ...)
>> - change settings in GPOs to fit your needs or your company's
>> security policy (especially admin templates)
>> - export and import on other workstations or clone "master"
>> workstation
Sergiu Dunca
2003-Mar-17 10:09 UTC
[Samba] gpedit.msc as centralized policy for 2k/xp clients
Hi Uli,

How can I export/import on other workstations a GPO deployed for the local computer from the "master" workstation?

Thanks,
Sergiu

Ulrich Kohlhase wrote:
> John,
>
>> I would like to figure out how to do this
>> gpedit.msc+AD+gpc+gpt magic for
>> win2k/xp with linux+samba(2.2/3.0/tng)+openldap and is it possible at
>> all?
>
> We use local (!) GPOs on our Win2k clients with great success:
> - log on to "master" workstation as administrator
> - create a link to the "C:\WINNT\system32\GroupPolicy" folder on your
> administrator's desktop
> - optionally add gpedit.msc to mmc (add snapin ...)
> - change settings in GPOs to fit your needs or your company's security
> policy (especially admin templates)
> - export and import on other workstations or clone "master" workstation
>
> Please bear in mind that LGPOs affect ALL local users and Samba domain
> users, including the local administrator account. So be careful when
> changing the LGPOs since the user-specific policy settings are immediately
> effective! Administrators' control can be retained by denying read access on
> the GroupPolicy folder, logging off and logging on again. This trick
> probably won't work on WinXP any more, so you will need to find a different
> solution.
> Please post your findings, especially if an alternative for WinXP and/or
> central policy management is at all possible.
>
> Good luck,
> Uli
aahhhh.........

Local Group Policy does not allow you to apply security filters or to have multiple sets of Group Policy objects, unlike Active Directory-based Group Policy objects. You can, however, set Discretionary Access Control Lists (DACLs) on the %systemroot%\System32\GroupPolicy folder so that specified groups are either affected or are not affected by the settings contained within the local Group Policy object. This option is useful if you have to control and administer computers that are used in situations such as kiosk environments, where the computer is not connected to a local area network (LAN).

Unlike Group Policy administered from Active Directory, the local Group Policy object uses only the Read attribute, which makes it possible for the local Group Policy object to affect ordinary users but not local administrators. The local administrator can first set the policy settings he or she wants and then set the DACLs to the local Group Policy object directory so that administrators as a group no longer have Read access. For the administrator to make subsequent changes to the local Group Policy object, he or she must first take ownership of the directory to give him or herself Read access, make the changes, and then remove Read access.
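The two things the thread describes by hand, copying the "master" workstation's GroupPolicy folder to another Win2k client (Uli's export/import step, Sergiu's question) and then denying Administrators Read access on that folder so the LGPO does not bind them (Uli's trick, the quoted MS text), put into one batch file. This is an added example, not a script from any of the posters; it assumes the master's %SystemRoot%\System32\GroupPolicy folder is published on a read-only share named \\MASTER\GroupPolicy$ (hypothetical name) and that it is run as a local administrator on the target workstation.

```batch
@echo off
rem Added example (not from the thread). Assumed share name: \\MASTER\GroupPolicy$
setlocal
set SRC=\\MASTER\GroupPolicy$
set DST=%SystemRoot%\System32\GroupPolicy

rem 1. Import the LGPO: copy the whole tree (gpt.ini, Machine\ and User\
rem    registry.pol, Adm templates) including hidden/system files, keeping
rem    attributes and overwriting whatever is already there. /I treats the
rem    destination as a directory if it does not exist yet.
xcopy "%SRC%" "%DST%" /E /H /K /Y /I
if errorlevel 1 (
    echo Copy failed, leaving the ACL untouched.
    exit /b 1
)

rem 2. Apply the new policy now rather than at the next reboot/logon
rem    (Win2k syntax; XP replaced this with gpupdate /force).
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

rem 3. Keep administrative control: Windows only checks Read on this folder
rem    when deciding whom the LGPO binds, so a Deny entry for Administrators
rem    stops it applying to them from their next logon on. /E edits the
rem    existing ACL instead of replacing it, /T walks the whole tree, and
rem    /D adds a deny-access entry (it denies all access, which covers Read).
cacls "%DST%" /T /E /D Administrators

rem 4. Show the resulting ACL so the change can be checked before logging off.
cacls "%DST%"
endlocal
```

Re-running the script, or editing the policy in gpedit.msc later, first needs ownership of the folder taken back and Read restored, exactly as the quoted MS text says; the deny entry applies to every member of Administrators, including the account running the script.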