So only for old NT4 style PDC - BDC environment one needs poledit.

While AD's (with virtual pdc role servers) can use the MMC.

We got a pure Samba AD environment and thus it should work.
Be it that we might not have all mmc templates (not yet checked that).

Thanks Viktor.

-----Original message-----
From: Viktor Trojanovic <viktor at troja.ch>
Sent: Wednesday 21st October 2020 11:14
To: Peter Boos <peter.boos at quest-innovations.com>; samba at lists.samba.org
Subject: Re: [Samba] Policies for AD clients (still poledit only ?).

In the article you provided you'll find the following paragraph:

:::
Currently Samba, the Free Software SMB Server, does not implement Active Directory functionality when using it as a Primary Domain Controller. If you deploy any Samba PDCs you will want to master System Policies using the SPE. So this article will cover the basics of Microsoft's older System Policy Editor, how to obtain it, use it and implement its policies.
:::

So this is specifically not about an AD setup and therefore not relevant for you IMHO.

Viktor

On October 21, 2020 10:32:32 Peter Boos via samba <samba at lists.samba.org> wrote:

I'm creating a deploy plan, for strict client policies (to comply to ISO standards and security)
For mixed win 7 enterprise and win 10 enterprise on a Samba Active Directory.

On the lookout if Samba would be any different towards client policies.
I did some googling, and got pointed to old samba articles of 2007:

   https://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba

Saying that samba allows only for poledit.exe (not the mmc variants?)
Is this still the case ?
And why?, as there is a policy editor mmc on a win 10 pro client.
And even non win 10 pro clients have ways to get it.
Norbert Hanke
2020-Oct-21 11:32 UTC
[Samba] Policies for AD clients (still poledit only ?).
You have to upload the GP templates into the appropriate Sysvol subdirectory on the Samba DC and mmc/gpedit will get them from there. That is \\<yourdc>\sysvol\<yourdomain>\Policies\PolicyDefinitions, 100's of .admx files and language-specific subdirectories with as many .adml files. You can download the templates for the various products (Windows 10 versions, Office versions etc.) from Microsoft.

Make sure that you point the GP editor at that DC from where sysvol gets synchronized to other DCs (and upload the templates to that same DC).

regards,
Norbert

On 21.10.2020 11:44, Peter Boos via samba wrote:
> So only for old NT4 style PDC - BDC environment one needs poledit.
>
> While AD's (with virtual pdc role servers) can use the MMC.
>
> We got a pure Samba AD environment and thus it should work.
> Be it that we might not have all mmc templates (not yet checked that).
>
> Thanks Viktor.
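
One way to check the upload described in the message above, as an added example that is not part of the original thread: a Python script, run on the Samba DC, that confirms every .admx in PolicyDefinitions has a matching .adml in each language subdirectory. The function names and the sample file names are constructed for the illustration, and the real sysvol location is an assumption that depends on the installation.

```python
"""Audit a Group Policy central store (PolicyDefinitions) for missing language files."""
import sys
import tempfile
from pathlib import Path


def _stems(directory, suffix):
    # Compare lower-cased names: Windows clients treat file names
    # case-insensitively, the DC's Linux filesystem does not.
    return {p.stem.lower() for p in directory.iterdir()
            if p.is_file() and p.suffix.lower() == suffix}


def audit_central_store(policy_definitions):
    """Map each language subdirectory to its missing and orphaned .adml names."""
    root = Path(policy_definitions)
    admx = _stems(root, ".admx")
    report = {}
    for lang_dir in sorted(d for d in root.iterdir() if d.is_dir()):
        adml = _stems(lang_dir, ".adml")
        report[lang_dir.name] = {
            "missing_adml": sorted(admx - adml),   # template without a language file
            "orphan_adml": sorted(adml - admx),    # language file without a template
        }
    return report


def build_sample_store(base):
    """Create a small constructed store (empty files, sample names) for the demo."""
    root = Path(base) / "PolicyDefinitions"
    layout = {
        ".": ["WindowsUpdate.admx", "Printing.ADMX", "office16.admx"],
        "en-US": ["WindowsUpdate.adml", "printing.adml"],
        "de-DE": ["WindowsUpdate.adml", "Printing.adml", "office16.adml", "stale.adml"],
    }
    for sub, names in layout.items():
        (root / sub).mkdir(parents=True, exist_ok=True)
        for name in names:
            (root / sub / name).touch()
    return root


if __name__ == "__main__":
    # Pass the real path on the DC: <sysvol>/<yourdomain>/Policies/PolicyDefinitions
    # (assumption: <sysvol> depends on the installation). No argument: use the sample.
    store = sys.argv[1] if len(sys.argv) > 1 else build_sample_store(tempfile.mkdtemp())
    for lang, result in audit_central_store(store).items():
        print(lang, "missing:", result["missing_adml"], "orphaned:", result["orphan_adml"])
```

Running it on the DC that the GP editor points at, before sysvol is synchronized to the other DCs, keeps an incomplete template set from being copied around.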
Robert Marcano
2020-Oct-21 12:59 UTC
[Samba] Policies for AD clients (still poledit only ?).
On 10/21/20 5:44 AM, Peter Boos via samba wrote:
> So only for old NT4 style PDC - BDC environment one needs poledit.

Even if you are running an NT4 domain and manage a recent Windows client to join it, poledit based policies never applied to them, IIRC since Windows Vista (or 7) even though NT4 domains still worked at launch, the policies were ignored.

> While AD's (with virtual pdc role servers) can use the MMC.
>
> We got a pure Samba AD environment and thus it should work.
> Be it that we might not have all mmc templates (not yet checked that).
>
> Thanks Viktor.
Marco Gaiarin
2020-Oct-21 15:16 UTC
[Samba] Policies for AD clients (still poledit only ?).
Hello! Robert Marcano via samba
  On that day it was said...

> Even if you are running an NT4 domain and manage a recent Windows client to
> join it, poledit based policies never applied to them, IIRC since Windows
> Vista (or 7) even though NT4 domains still worked at launch, the policies were
> ignored.

I can confirm that.

The only way to apply 'policies' to a NT4-Domain joined workstation Vista+ is by way of 'MLGPO' ('Multiple Local Group Policy Object'):

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766291(v=ws.10)?redirectedfrom=MSDN

that have to be 'packed' and distributed by some other means to clients, for example:

  https://docs.microsoft.com/it-it/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0

--
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)