14.2 Group Policy Objects

Group Policy settings are stored in Group Policy Objects (GPOs). A GPO consists of the following two parts:

Group Policy Container: Stored in the directory.

Group Policy Template: Stored in the SYSVOL SMB volume.

The default SYSVOL share definition resides in the smb.conf file:

[sysvol]
   comment = Group Policies
   path = /var/opt/novell/xad/sysvol/sysvol
   writable = Yes
   share modes = No
   nt acl support = No

The Group Policy Template files are stored under the path exported by this SYSVOL share.

14.2.1 GPO Account Policies

The group of security settings in the GPO is called Account Policies and contains the following policies:

  • Password Policy

  • Account Lockout Policy

  • Kerberos Policy

The MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf file inside SYSVOL contains the Account Policies of the GPO. This file is managed by the Samba server.

In a Domain Services for Windows domain, the password policies are stored in the container cn=Domain Password Policy,cn=Password Policies,cn=System,<domain root>.

The Password Policy and the Account Lockout Policy are enforced by eDirectory. Neither eDirectory nor the KDC reads the Account Policies settings in SYSVOL directly.

The Kerberos Policy is enforced by the Kerberos Key Distribution Center (KDC). The eDirectory server enforces only those policies that are stored in its Directory Information Base (DIB). The Kerberos KDC expects the Kerberos Policy to be stored in eDirectory.

The following Account Policies settings are supported:

  • Password Policy

    • Enforce Password History

    • Maximum Password Age

    • Minimum Password Age

    • Minimum Password Length

  • Account Lockout Policy

    • Account Lockout Duration

    • Account Lockout Threshold

    • Reset Account Lockout Counter After

  • Kerberos Policy

    • Maximum Lifetime for User Ticket

    • Maximum Lifetime for User Ticket Renewal
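The settings listed above live in GptTmpl.inf as plain key/value pairs under the [System Access] and [Kerberos Policy] sections of the Windows security-template format. The following parser is an added example and is not part of the DSfW documentation or of the gpo2nmas tool: it maps the standard template keys (PasswordHistorySize, MaximumPasswordAge, LockoutBadCount, MaxTicketAge and so on) to the Account Policies names used above and flags values an administrator reviewing the template would want to look at. The sample template content is constructed, and the review thresholds (for example, a minimum password length of 12) are assumptions, not DSfW defaults.

```python
"""Parse and review the Account Policies in a GptTmpl.inf security template.

Added example, not DSfW or gpo2nmas code. Key names follow the Windows
security-template format; the sample content and review thresholds are
constructed assumptions.
"""
import codecs
import configparser

# GptTmpl.inf keys mapped to the Account Policies names shown in GPMC,
# with the unit the template format uses for each value.
POLICY_KEYS = {
    "System Access": {
        "PasswordHistorySize": ("Enforce Password History", "passwords"),
        "MaximumPasswordAge": ("Maximum Password Age", "days"),
        "MinimumPasswordAge": ("Minimum Password Age", "days"),
        "MinimumPasswordLength": ("Minimum Password Length", "characters"),
        "LockoutDuration": ("Account Lockout Duration", "minutes"),
        "LockoutBadCount": ("Account Lockout Threshold", "attempts"),
        "ResetLockoutCount": ("Reset Account Lockout Counter After", "minutes"),
    },
    "Kerberos Policy": {
        "MaxTicketAge": ("Maximum Lifetime for User Ticket", "hours"),
        "MaxRenewAge": ("Maximum Lifetime for User Ticket Renewal", "days"),
    },
}

# Constructed sample in the GptTmpl.inf layout; all values are invented.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_gpttmpl(path):
    """Read a template from SYSVOL; Windows usually writes it as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_account_policies(text):
    """Return {policy name: (integer value, unit)} for the supported settings only."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the template
    parser.read_string(text)
    policies = {}
    for section, keys in POLICY_KEYS.items():
        if not parser.has_section(section):
            continue
        for key, (name, unit) in keys.items():
            if parser.has_option(section, key):
                policies[name] = (int(parser.get(section, key)), unit)
    return policies


def review_account_policies(policies):
    """Return human-readable findings for weak settings (thresholds are assumptions)."""
    def value(name):
        return policies.get(name, (None, None))[0]

    findings = []
    length = value("Minimum Password Length")
    if length is not None and length < 12:
        findings.append(f"Minimum Password Length is {length}; 12 or more is recommended")
    max_age = value("Maximum Password Age")
    if max_age is not None and max_age <= 0:  # 0 or -1 means passwords never expire
        findings.append("Maximum Password Age is unlimited; passwords never expire")
    history = value("Enforce Password History")
    if history is not None and history < 24:
        findings.append(f"Enforce Password History is {history}; 24 is recommended")
    threshold = value("Account Lockout Threshold")
    if threshold == 0:
        findings.append("Account Lockout Threshold is 0; lockout is disabled")
    ticket = value("Maximum Lifetime for User Ticket")
    if ticket is not None and ticket > 10:
        findings.append(f"Maximum Lifetime for User Ticket is {ticket} hours; 10 is the usual limit")
    return findings


if __name__ == "__main__":
    parsed = parse_account_policies(SAMPLE_GPTTMPL)
    for name, (val, unit) in parsed.items():
        print(f"{name}: {val} {unit}")
    for finding in review_account_policies(parsed):
        print("FINDING:", finding)
```

To review a live template, pass the decoded output of load_gpttmpl() on the MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf path under the SYSVOL share to parse_account_policies(); keys outside the two mapped sections (PasswordComplexity, MaxClockSkew) are ignored because the page lists them as unsupported in DSfW.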

14.2.2 gpo2nmas

The gpo2nmas tool synchronizes the policies stored in eDirectory with those in SYSVOL.

This tool is scheduled to run every 30 minutes through the cron service. If the policies stored in eDirectory are newer than the Account Policies in SYSVOL, gpo2nmas updates the Account Policies. Similarly, it updates the policies in eDirectory if they do not match the Account Policies. When you modify the Account Policies in SYSVOL by using the Group Policy Management Console (GPMC), gpo2nmas makes the corresponding changes to the policies in eDirectory the next time it runs.

14.2.3 Enforcing Computer Configuration and User Configuration

DSfW supports computer configuration and user configuration settings in GPOs. You can change the computer configuration settings, such as customizing the Start menu, the desktop, and Internet Explorer, and the user configuration settings, such as roaming profiles and desktop customization.

14.2.4 Troubleshooting

If you receive a message indicating that the computer configuration or user configuration is not applicable, do one of the following:

  • Verify that winbindd is running and functional. The getent passwd <username> command returns the information for both local users and domain users.

    When you use the getent utility in the DSfW environment, substitute the domain user name for <username>.

  • Check the Samba log files in /var/log/samba for any errors.