17.2 Group Policy Objects

Group Policy settings are stored in Group Policy Objects (GPO). A GPO consists of the following:

Group Policy Container: Stored in the directory.

Group Policy Template: Stored in the SYSVOL SMB volume.

The default configuration of SYSVOL resides in the /etc/samba/smb.conf file.

[sysvol]
   comment = Group Policies
   path = /var/opt/novell/xad/sysvol/sysvol
   writable = Yes
   share modes = No
   nt acl support = No

17.2.1 GPO Account Policies

The group of security settings in the GPO is called Account Policies and contains the following policies:

  • Password Policy

  • Account Lockout Policy

  • Kerberos Policy

In a Domain Services for Windows domain, the password policies are stored in the container cn=Domain Password Policy,cn=Password Policies,cn=System, <domain root>.

The Password Policy and the Account Lockout Policy are enforced by eDirectory. The Account Policies settings in the GPO are not read directly by eDirectory or by the KDC.

The Kerberos Policy is enforced by the Kerberos Key Distribution Center (KDC). The eDirectory server enforces only those policies that are stored in its Directory Information Base (DIB). The Kerberos KDC expects the Kerberos Policy to be stored in eDirectory.

The following Account Policies settings are supported:

Password Policies

Table 17-1 GPO and eDirectory Parameter Mapping for Password Policies

  GPO Parameter              eDirectory Parameter
  -------------------------  --------------------------
  Enforce Password History   pwdInHistory
  Maximum Password Age       passwordExpirationInterval
  Minimum Password Age       nspmMinPasswordLifetime
  Minimum Password Length    passwordMinimumLength

Account Lockout Policy

Table 17-2 GPO and eDirectory Parameter Mapping for Account Lockout Policies

  GPO Parameter                        eDirectory Parameter
  -----------------------------------  ----------------------------
  Account Lockout Duration             intruderLockoutResetInterval
  Account Lockout Threshold            loginIntruderLimit
  Reset Account Lockout Counter After  intruderAttemptResetInterval

Kerberos Policy

Table 17-3 GPO and eDirectory Parameter Mapping for Kerberos Policies

  GPO Parameter                             eDirectory Parameter
  ----------------------------------------  --------------------
  Maximum Lifetime for User Ticket          maxTicketAge
  Maximum Lifetime for User Ticket Renewal  maxRenewAge

17.2.2 gposync

The gposync tool synchronizes the policies stored in eDirectory with those in SYSVOL.

This tool is scheduled to run every 30 minutes by the cron service. If the policies stored in eDirectory are newer than the Account Policies in SYSVOL, gposync updates the Account Policies in SYSVOL. Conversely, if the policies in eDirectory are older than the Account Policies maintained in SYSVOL, gposync updates the policies in eDirectory. When you modify the Account Policies in SYSVOL by using the Group Policy Management Console (GPMC), gposync applies the corresponding changes to the policies in eDirectory the next time it runs.

The gposync utility parses all the applied GPO policies and synchronizes each one with the containers it is linked to. Typical output of the gposync utility on a successful run is as follows:

The list of Group Policies present in the domain dc=multizone,dc=com are:
        {31B2F340-016D-11D2-945F-00C04FB984F9} 

Syncing {31B2F340-016D-11D2-945F-00C04FB984F9} Group Policy
Update NMAS Password Policy Links 
Link present at : dc=multizone,dc=com
Group Policy Template is older than NMAS login policy <cn=Domain Password Policy,cn=Password Policies,cn=System,dc=multizone,dc=com>.
DOMAIN\intruderLockoutResetInterval[1800] => System Access\LockoutDuration[30]
DOMAIN\intruderAttemptResetInterval[1800] => System Access\ResetLockoutCount[30]
DOMAIN\loginIntruderLimit[0] => System Access\LockoutBadCount[0]
NMAS\passwordExpirationInterval[3628800] => System Access\MaximumPasswordAge[42]
NMAS->GPO synchronization OK. 
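The following added example (not part of the DSfW documentation or the gposync tool) reimplements the mapping of Tables 17-1 and 17-2 together with the unit conversions visible in the output above, and uses it to report settings where SYSVOL has drifted from eDirectory between gposync runs. The GptTmpl.inf key names not shown in the page's output, the seconds unit of nspmMinPasswordLifetime, and both sample inputs are assumptions.

```python
import configparser
# Divisors follow the gposync output above: lockout intervals seconds -> minutes
# (1800 -> 30), password ages seconds -> days (3628800 -> 42), counts unchanged.
# PasswordHistorySize, MinimumPasswordLength and MinimumPasswordAge are the standard
# GptTmpl.inf names (assumed, not shown on the page); nspmMinPasswordLifetime in
# seconds is also an assumption.
EDIR_TO_GPO = {
    "intruderLockoutResetInterval": ("LockoutDuration", 60),
    "intruderAttemptResetInterval": ("ResetLockoutCount", 60),
    "loginIntruderLimit": ("LockoutBadCount", 1),
    "passwordExpirationInterval": ("MaximumPasswordAge", 86400),
    "nspmMinPasswordLifetime": ("MinimumPasswordAge", 86400),
    "pwdInHistory": ("PasswordHistorySize", 1),
    "passwordMinimumLength": ("MinimumPasswordLength", 1),
}

# Constructed sample: values as read from the eDirectory password policy object.
SAMPLE_EDIR = {
    "intruderLockoutResetInterval": 1800, "intruderAttemptResetInterval": 1800,
    "loginIntruderLimit": 0, "passwordExpirationInterval": 3628800,
    "nspmMinPasswordLifetime": 86400, "pwdInHistory": 24, "passwordMinimumLength": 8,
}

# Constructed sample: GptTmpl.inf [System Access] section already decoded to text
# (the real file is UTF-16). LockoutBadCount was changed in GPMC, not yet synced.
SAMPLE_GPTTMPL = """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
"""

def edir_to_system_access(edir_values):
    """Translate eDirectory attribute values into [System Access] values."""
    return {EDIR_TO_GPO[a][0]: int(v) // EDIR_TO_GPO[a][1] for a, v in edir_values.items()}

def parse_system_access(gpttmpl_text):
    """Read the [System Access] section of a GptTmpl.inf into an int dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key names' case
    cp.read_string(gpttmpl_text)
    return {k: int(v) for k, v in cp["System Access"].items()}

def find_drift(edir_values, gpttmpl_text):
    """Return {key: (eDirectory-derived value, SYSVOL value)} for each mismatch."""
    expected = edir_to_system_access(edir_values)
    actual = parse_system_access(gpttmpl_text)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
```

Running find_drift on the two samples flags only LockoutBadCount, which is the setting gposync would reconcile on its next run.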

17.2.3 Enforcing Computer Configuration and User Configuration

DSfW supports computer configuration and user configuration settings in GPOs. You can change the computer configuration settings, such as customizing the start menu, desktop, and Internet Explorer, and the user configuration settings, such as roaming profiles and desktop customization.

17.2.4 Troubleshooting

If you receive a message indicating that the computer configuration or user configuration is not applicable, do one of the following:

  • Verify that winbindd is running and functional. The getent passwd <username> command returns account information for both local users and domain users.

    If you are using the getent utility in the DSfW environment, substitute the username with the domain user name.

  • Check the Samba log files in /var/log/samba for any errors.