Chapter 26. System and Account Policies

John H. Samba Team Terpstra

Samba Team

April 3 2003

Table of Contents

Features and Benefits
Creating and Managing System Policies
Windows 9x/ME Policies
Windows NT4-Style Policy Files
MS Windows 200x/XP Professional Policies
Managing Account/User Policies
Management Tools
Samba Editreg Toolset
Windows NT4/200x
Samba PDC
System Startup and Logon Processing Overview
Common Errors
Policy Does Not Work

This chapter summarizes the current state of knowledge derived from personal practice and knowledge from Samba mailing list subscribers. Before reproduction of posted information, every effort has been made to validate the information given. Where additional information was uncovered through this validation, it is provided also.

Features and Benefits

When MS Windows NT 3.5 was introduced, the hot new topic was the ability to implement Group Policies for users and groups. Then along came MS Windows NT4 and a few sites started to adopt this capability. How do we know that? By the number of “boo-boos” (or mistakes) administrators made and then requested help to resolve.

By the time that MS Windows 2000 and Active Directory was released, administrators got the message: Group Policies are a good thing! They can help reduce administrative costs and actually make happier users. But adoption of the true potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users and machines were picked up on rather slowly. This was obvious from the Samba mailing list back in 2000 and 2001 when there were few postings regarding GPOs and how to replicate them in a Samba environment.

Judging by the traffic volume since mid 2002, GPOs have become a standard part of the deployment in many sites. This chapter reviews techniques and methods that can be used to exploit opportunities for automation of control over user desktops and network client workstations.

Creating and Managing System Policies

Under MS Windows platforms, particularly those following the release of MS Windows NT4 and MS Windows 95, it is possible to create a type of file that would be placed in the NETLOGON share of a domain controller. As the client logs onto the network, this file is read and the contents initiate changes to the registry of the client machine. This file allows changes to be made to those parts of the registry that affect users, groups of users, or machines.

For MS Windows 9x/Me, this file must be called Config.POL and may be generated using a tool called poledit.exe, better known as the Policy Editor. The policy editor was provided on the Windows 98 installation CD-ROM, but disappeared again with the introduction of MS Windows Me. From comments of MS Windows network administrators, it would appear that this tool became a part of the MS Windows Me Resource Kit.

MS Windows NT4 server products include the System Policy Editor under Start -> Programs -> Administrative Tools. For MS Windows NT4 and later clients, this file must be called NTConfig.POL.

New with the introduction of MS Windows 2000 was the Microsoft Management Console or MMC. This tool is the new wave in the ever-changing landscape of Microsoft methods for management of network access and security. Every new Microsoft product or technology seems to make the old rules obsolete and introduces newer and more complex tools and methods. To Microsoft's credit, the MMC does appear to be a step forward, but improved functionality comes at a great price.

Before embarking on the configuration of network and system policies, it is highly advisable to read the documentation available from Microsoft's Web site regarding Implementing Profiles and Policies in Windows NT 4.0. There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft Web site for “Group Policies”.

What follows is a brief discussion with some helpful notes. The information provided here is incomplete you are warned.

Windows 9x/ME Policies

You need the Windows 98 Group Policy Editor to set up Group Profiles under Windows 9x/Me. It can be found on the original full-product Windows 98 installation CD-ROM under tools\reskit\netadmin\poledit. Install this using the Add/Remove Programs facility, and then click on Have Disk.

Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or My Documents, and so on. Then save these settings in a file called Config.POL that needs to be placed in the root of the [NETLOGON] share. If Windows 98 is configured to log onto the Samba domain, it will automatically read this file and update the Windows 9x/Me registry of the machine as it logs on.

Further details are covered in the Windows 98 Resource Kit documentation.

If you do not take the correct steps, then every so often Windows 9x/Me will check the integrity of the registry and restore its settings from the backup copy of the registry it stores on each Windows 9x/Me machine. So, you will occasionally notice things changing back to the original settings.

Install the Group Policy handler for Windows 9x/Me to pick up Group Policies. Look on the Windows 98 CD-ROM in \tools\reskit\netadmin\poledit. Install Group Policies on a Windows 9x/Me client by double-clicking on grouppol.inf. Log off and on again a couple of times and see if Windows 98 picks up Group Policies. Unfortunately, this needs to be done on every Windows 9x/Me machine that uses Group Policies.

Windows NT4-Style Policy Files

To create or edit ntconfig.pol, you must use the NT Server Policy Editor, poledit.exe, which is included with NT4 Server but not with NT workstation. There is a Policy Editor on an NT4 Workstation but it is not suitable for creating domain policies. Furthermore, although the Windows 95 Policy Editor can be installed on an NT4 workstation/server, it will not work with NT clients. However, the files from the NT Server will run happily enough on an NT4 workstation.

You need poledit.exe, common.adm, and winnt.adm. It is convenient to put the two *.adm files in the c:\winnt\inf directory, which is where the binary will look for them unless told otherwise. This directory is normally “hidden.

The Windows NT Policy Editor is also included with the Service Pack 3 (and later) for Windows NT 4.0. Extract the files using servicepackname /x that's Nt4sp6ai.exe /x for Service Pack 6a. The Policy Editor, poledit.exe, and the associated template files (*.adm) should be extracted as well. It is also possible to download the policy template files for Office97 and get a copy of the Policy Editor. Another possible location is with the Zero Administration Kit available for download from Microsoft.

Registry Spoiling

With NT4-style registry-based policy changes, a large number of settings are not automatically reversed as the user logs off. The settings that were in the NTConfig.POL file were applied to the client machine registry and apply to the hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known as tattooing. It can have serious consequences downstream, and the administrator must be extremely careful not to lock out the ability to manage the machine at a later date.

MS Windows 200x/XP Professional Policies

Windows NT4 system policies allow the setting of registry parameters specific to users, groups, and computers (client workstations) that are members of the NT4-style domain. Such policy files will work with MS Windows 200x/XP clients also.

New to MS Windows 2000, Microsoft recently introduced a style of Group Policy that confers a superset of capabilities compared with NT4-style policies. Obviously, the tool used to create them is different, and the mechanism for implementing them is much improved.

The older NT4-style registry-based policies are known as Administrative Templates in MS Windows 2000/XP GPOs. The latter includes the ability to set various security configurations, enforce Internet Explorer browser settings, change and redirect aspects of the users desktop (including the location of My Documents files, as well as intrinsics of where menu items will appear in the Start menu). An additional new feature is the ability to make available particular software Windows applications to particular users and/or groups.

Remember, NT4 policy files are named NTConfig.POL and are stored in the root of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username and password and selects the domain name to which the logon will attempt to take place. During the logon process, the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating server and modifies the local registry values according to the settings in this file.

Windows 200x GPOs are feature-rich. They are not stored in the NETLOGON share, but rather part of a Windows 200x policy file is stored in the Active Directory itself and the other part is stored in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active Directory domain controllers. The part that is stored in the Active Directory itself is called the Group Policy Container (GPC), and the part that is stored in the replicated share called SYSVOL is known as the Group Policy Template (GPT).

With NT4 clients, the policy file is read and executed only as each user logs onto the network. MS Windows 200x policies are much more complex GPOs are processed and applied at client machine startup (machine specific part), and when the user logs onto the network, the user-specific part is applied. In MS Windows 200x-style policy management, each machine and/or user may be subject to any number of concurrently applicable (and applied) policy sets (GPOs). Active Directory allows the administrator to also set filters over the policy settings. No such equivalent capability exists with NT4-style policy files.

Administration of Windows 200x/XP Policies

Instead of using the tool called the System Policy Editor, commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows:

  1. Go to the Windows 200x/XP menu Start->Programs->Administrative Tools and select the MMC snap-in called Active Directory Users and Computers

  2. Select the domain or organizational unit (OU) that you wish to manage, then right-click to open the context menu for that object, and select the Properties.

  3. Left-click on the Group Policy tab, then left-click on the New tab. Type a name for the new policy you will create.

  4. Left-click on the Edit tab to commence the steps needed to create the GPO.

All policy configuration options are controlled through the use of policy administrative templates. These files have an .adm extension, both in NT4 as well as in Windows 200x/XP. Beware, however, the .adm files are not interchangeable across NT4 and Windows 200x. The latter introduces many new features as well as extended definition capabilities. It is well beyond the scope of this documentation to explain how to program .adm files; for that, refer to the Microsoft Windows Resource Kit for your particular version of MS Windows.

Note

The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you use this powerful tool. Please refer to the resource kit manuals for specific usage information.

Custom System Policy Templates

Over the past year, there has been a bit of talk regarding the creation of customized templates for the Windows Sytem Policy Editor. A recent announcement on the Samba mailing list is worthy of mention.

Mike Petersen has announced the availability of a template file he has created. This custom System Policy Editor Template will allow you to successfully control Microsoft Windows workstations from an SMB server, such as Samba. This template has been tested on a few networks, although if you find any problems with any of these policies, or have any ideas for additional policies, let me know at mailto:mgpeter@pcc-services.com. This Template includes many policies for Windows XP to allow it to behave better in a professional environment.

For further information please see the Petersen Computer Consulting web site. There is a download link for the template file.

Managing Account/User Policies

Policies can define a specific user's settings or the settings for a group of users. The resulting policy file contains the registry settings for all users, groups, and computers that will be using the policy file. Separate policy files for each user, group, or computer are not necessary.

If you create a policy that will be automatically downloaded from validating domain controllers, you should name the file NTConfig.POL. As system administrator, you have the option of renaming the policy file and, by modifying the Windows NT-based workstation, directing the computer to update the policy from a manual path. You can do this by either manually changing the registry or by using the System Policy Editor. This can even be a local path such that each machine has its own policy file, but if a change is necessary to all machines, it must be made individually to each workstation.

When a Windows NT4/200x/XP machine logs onto the network, the client looks in the NETLOGON share on the authenticating domain controller for the presence of the NTConfig.POL file. If one exists, it is downloaded, parsed, and then applied to the user's part of the registry.

MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally acquire policy settings through GPOs that are defined and stored in Active Directory itself. The key benefit of using AD GPOs is that they impose no registry spoiling effect. This has considerable advantage compared with the use of NTConfig.POL (NT4) style policy updates.

In addition to user access controls that may be imposed or applied via system and/or group policies in a manner that works in conjunction with user profiles, the user management environment under MS Windows NT4/200x/XP allows per-domain as well as per-user account restrictions to be applied. Common restrictions that are frequently used include:

  • Logon hours

  • Password aging

  • Permitted logon from certain machines only

  • Account type (local or global)

  • User rights

Samba-3.0.20 does not yet implement all account controls that are common to MS Windows NT4/200x/XP. While it is possible to set many controls using the Domain User Manager for MS Windows NT4, only password expiry is functional today. Most of the remaining controls at this time have only stub routines that may eventually be completed to provide actual control. Do not be misled by the fact that a parameter can be set using the NT4 Domain User Manager or in the NTConfig.POL.

Management Tools

Anyone who wishes to create or manage Group Policies will need to be familiar with a number of tools. The following sections describe a few key tools that will help you to create a low-maintenance user environment.

Samba Editreg Toolset

A new tool called editreg is under development. This tool can be used to edit registry files (called NTUser.DAT) that are stored in user and group profiles. NTConfig.POL files have the same structure as the NTUser.DAT file and can be edited using this tool. editreg is being built with the intent to enable NTConfig.POL files to be saved in text format and to permit the building of new NTConfig.POL files with extended capabilities. It is proving difficult to realize this capability, so do not be surprised if this feature does not materialize. Formal capabilities will be announced at the time that this tool is released for production use.

Windows NT4/200x

The tools that may be used to configure these types of controls from the MS Windows environment are the NT4 User Manager for Domains, the NT4 System and Group Policy Editor, and the Registry Editor (regedt32.exe). Under MS Windows 200x/XP, this is done using the MMC with appropriate “snap-ins,” the registry editor, and potentially also the NT4 System and Group Policy Editor.

Samba PDC

With a Samba domain controller, the new tools for managing user account and policy information include: smbpasswd, pdbedit, net, and rpcclient. The administrator should read the man pages for these tools and become familiar with their use.

System Startup and Logon Processing Overview

The following attempts to document the order of processing the system and user policies following a system reboot and as part of the user logon:

  1. Network starts, then Remote Procedure Call System Service (RPCSS) and multiple universal naming convention provider (MUP) start.

  2. Where Active Directory is involved, an ordered list of GPOs is downloaded and applied. The list may include GPOs that:

    • Apply to the location of machines in a directory.

    • Apply only when settings have changed.

    • Depend on configuration of the scope of applicability: local, site, domain, organizational unit, and so on.

    No desktop user interface is presented until the above have been processed.

  3. Execution of startup scripts (hidden and synchronous by default).

  4. A keyboard action to effect start of logon (Ctrl-Alt-Del).

  5. User credentials are validated, user profile is loaded (depends on policy settings).

  6. An ordered list of user GPOs is obtained. The list contents depends on what is configured in respect of:

    • Is the user a domain member, thus subject to particular policies?

    • Loopback enablement, and the state of the loopback policy (merge or replace).

    • Location of the Active Directory itself.

    • Has the list of GPOs changed? No processing is needed if not changed.

  7. User policies are applied from Active Directory. Note: There are several types.

  8. Logon scripts are run. New to Windows 200x and Active Directory, logon scripts may be obtained based on GPOs (hidden and executed synchronously). NT4-style logon scripts are then run in a normal window.

  9. The user interface as determined from the GPOs is presented. Note: In a Samba domain (like an NT4 domain), machine (system) policies are applied at startup; user policies are applied at logon.

Common Errors

Policy-related problems can be quite difficult to diagnose and even more difficult to rectify. The following collection demonstrates only basic issues.

Policy Does Not Work

We have created the Config.POL file and put it in the NETLOGON share. It has made no difference to our Win XP Pro machines, they just do not see it. It worked fine with Win 98 but does not work any longer since we upgraded to Win XP Pro. Any hints?

Policy files are not portable between Windows 9x/Me and MS Windows NT4/200x/XP-based platforms. You need to use the NT4 Group Policy Editor to create a file called NTConfig.POL so it is in the correct format for your MS Windows XP Pro clients.