Koozali.org: home of the SME Server

In a bit of a muddle- security on client XP's

Andrew Hawkins

In a bit of a muddle- security on client XP's
« on: December 12, 2003, 03:36:37 PM »
First off, apologies, I'm new to all this, learning a lot, but got a bit confused and need help unravelling it all. Am using 5.6 as a roaming domain controller, with fresh installs of XP on some machines (joined to domain) and a WinXP box that was on a 2003 server, but is now part of the SME domain (called LOCAL, just to be confusing. Will refer to domain stuff as e.g. LOCAL\users and the local client computer as e.g. local\users). Have done the controlset reg edits on all machines.

As you may guess I am getting confused about admin rights on the client machines. If I look in folder/file security in Windows XP, and do Find Users, there are LOCAL\Domain Users, Admins, Users etc. Looking in the members of the Administrators group, Users group etc. I can see linux-xxxxxxxx added to them, suggesting that XP is recognising the Linux groups. When I try to add any of these LOCAL\groups to a security policy in XP (allow access to...) I can add users, but groups aren't recognised. Strange, non?

I can't see how to change users' groups on my SME server; I can make them (and Windows doesn't recognise these either), but surely there are domain user, user, admin groups that can be set - how? I know it's not a Win server, but the fact that the linux-xxxxxxx shows in memberships seems to indicate they exist.

Do I have to create local users on every machine I want the LOCAL\USERS to use? Should they all be admins? Best practice would say no, but at the moment it's the only way programs run. Would prefer to assign rights to LOCAL\USERS rather than have to type in every user on every machine. The one that was on the Win 2003 server can't run much unless I create a new account on the local machine.

Maybe what I'm getting confused with is that SME server acts as authentication for logon and distributes the profile, but then Windows won't use those server groups for security permissions. I'm a bit confused.


I'll stop now, as hopefully I can ask more questions and I'm sure someone will point me to a forum posting or howto I've missed. Sorry for my ineptitude and rambling; I use Windows, but I'm trying ;)

Andrew Hawkins

Re: In a bit of a muddle- security on client XP's
« Reply #1 on: December 12, 2003, 04:47:59 PM »
Think I am getting a bit clearer about what I am asking. Want to check the whole process. Will deal with transferred machines later. Want to check the order of installation. In order:

Install SME server and configure
Add users to SME server

Install XP on client and join domain (regedit etc) with admin account

Set up local users on the XP machine mirroring SME server users, through the domain admin account.
(Do you need to add domain\admin as local\administrator? Seems to already be there?)
This is the point where I would like to add user groups to save time, e.g. DOMAIN\USERS rather than user1, user2 individually - possible?
Do they have to be added to the Administrators group? Would prefer standard users, but then some software doesn't seem to work.
When installing software (assuming users are not Administrators), should I be installing as local\Administrator or Domain\admin? Or will either one have the same effect?
Log in as user and programs should work.


Will this work?
If you install programs as the administrator account on the XP machine, should these be available to domain users (they aren't all for some reason)?

mike mattos

Re: In a bit of a muddle- security on client XP's
« Reply #2 on: December 12, 2003, 05:45:38 PM »
XP has two login methods, local machine, and domain.

Any user of the domain can login to the domain from any XP machine in the domain.

HOWEVER, if you use the local login, I believe it uses the local user security files, which can have their own groups, BUT at this point you are NOT logged into the domain, so can't benefit from the domain policies, if you see what I mean!

When you install software, you have a choice on who gets access, but to be honest, it is rather confusing because access isn't the same as adding to the menu!

Hope this helps

Mike

mike mattos

Re: In a bit of a muddle- security on client XP's
« Reply #3 on: December 12, 2003, 05:52:45 PM »

Andrew Hwakins

Re: In a bit of a muddle- security on client XP's
« Reply #4 on: December 12, 2003, 10:03:38 PM »
thanks for your help

Then maybe I'm asking whether SME server can set group policy & security on the local machine. Or at the very least that I can set whole groups from the domain (domain users / domain administrators, if they ever exist) as administrators / users on the local machine rather than having to enter each individual user? To rephrase, should the local computer (when logged on as domain\admin) recognise domain\users, domain\power users etc., or are they different names (domain\"linux phrase")?

the sound issue was just a wrong update, so working.

I do understand about the local vs domain, I think; in principle it's the workings of it.

For example, on one machine all domain users can get into Office fine; on two other machines (including the one installed on D:, see below) just Excel screws up. Maybe it's just Microsoft (probably ;) ) but seems strange.

Also, on one machine I stupidly installed XP on D:. Will that cause errors with roaming profiles when other machines are installed on C:?

ryan

Re: In a bit of a muddle- security on client XP's
« Reply #5 on: December 13, 2003, 02:21:13 AM »
Andrew,

I have been using SME as a PDC since 4.1.2. Below are suggestions you might consider. It sounds like you're expecting the default domain groups listed in 2k/XP to function normally. Bill Gates did not intend for you to use Linux as a PDC, so the group names exist even though they are not valid or don't function.

Here is how I set it up: (You might have to research these and understand them before you do anything, and I would test it before relying on it.)

1.  Configure SME to be a PDC.

2.  At the SME command line, create smbuser account 'root'. Activate this account and set the password to the same as your SME root password. Remember to change this password if your server password is changed.

3a. Prep your 2k & XP machines. Run the reg patch included in SME on your XP machines. Install the latest SPs before you add to the domain. For XP SP1 & 2k SP4, I suggest you disable roaming profiles, as Windows will use them even if they are turned off in server-manager. It will create "profile" in the home folder. You will use Run: gpedit.msc in XP to do this. In 2k, after a user first logs in, set user profiles to local in My Computer\Properties\Advanced\Profiles. I also disable offline files, which can cause problems. There are several registry hacks for both XP and 2k that have to be done manually... you should look those up. (I can email you all the guides I have in a zip if you send an email address... all info in these is from forums.)

3b.  As local administrator, add the PC to the domain. Use either the admin or root account when prompted for an admin account to join the domain. I prefer the root account (created in step 2), as it seems to work more smoothly... (again, this might be bad... so you have to verify yourself).

3c.  After reboot, log in as local administrator again. In Computer Management, remove the linux group from the Administrators group. Add the linux user root to the local Administrators group. Log out and back in as root... root is your domain admin account for all MS PCs.

3d.  On this note, root can be used by the net admin. Log in as root on XP or 2k. You now can access c$ or remotely access other PCs using Computer Management. Also, at Run: \\SMEservername\username... you will have access to the user's home directory and can back it up. You have to manually type the \\sme...\username the first time, since they don't show up in the browser unless you have entered them manually. Do this for all users and you can back up their files and email using a Windows PC.

4.  I found you can use the LOCAL group "Authenticated Users" as a replacement for Domain Users. I have used LOCAL "Authenticated Users" to solve application permission issues.

If you edit smb.conf and share /home/e-smith/files you can view or map all your user & ibay files to a single drive letter for backup & administration. Just remember to enter the UNC path manually, \\smename\, in smb.conf. You have to be logged in as root to do this.

Your SME user accounts should not need local accounts on your PCs. Also, I have not explored using SME to set policy for 2k or XP. I have read you can use NT4 .pol files for W9x clients. You might just have to use Run: gpedit.msc on each machine. Explore importing and exporting policy, so you only have to set it up one time for each OS.

ryan
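Editor's note: the client-side part of ryan's procedure (steps 3a, 3c and 4) is all point-and-click in Computer Management and gpedit.msc, which is tedious to repeat on every PC and easy to get subtly different each time. The batch file below is an added example, not code from the thread or from SME Server, that does the same three things from a cmd.exe window with the XP-era tools `net localgroup`, `cacls` and `reg`. Everything in the `set` lines is an assumption you must edit: the domain name LOCAL comes from Andrew's post, the `linux-xxxxxxxx` group name is the thread's placeholder (read the real name from the `net localgroup Administrators` listing), and the application folder is invented. It uses a domain account called `admin` rather than ryan's `root`; the trade-off is that ryan's approach puts the server's root password into the credential path of every Windows client, and a separate admin account avoids that. The registry value is the one behind the gpedit.msc setting "Only allow local user profiles"; treat that mapping as an assumption and check it in gpedit.msc afterwards.

```batch
@echo off
rem Added example (not from the thread or from SME Server): one-time setup of
rem an XP client that has already been joined to the SME (Samba) domain.
rem Run from a cmd.exe opened while logged on as the LOCAL machine Administrator.
rem
rem Assumptions - edit these to match your site:
rem   DOMAIN     NetBIOS domain name. Andrew's thread uses LOCAL.
rem   DOMADMIN   Domain account that will administer the PCs. ryan's post uses
rem              root; a dedicated account keeps the server's root password off
rem              the Windows clients entirely.
rem   LINUXGROUP The "linux-xxxxxxxx" group that Windows shows in Administrators
rem              after the join. Placeholder: copy the real name from the
rem              listing printed below before running the /delete line.
rem   APPDIR     A program folder that fails for non-admin domain users (invented).
set DOMAIN=LOCAL
set DOMADMIN=%DOMAIN%\admin
set LINUXGROUP=%DOMAIN%\linux-xxxxxxxx
set APPDIR=C:\Program Files\SomeApp

echo === Members of the local Administrators group before changes ===
net localgroup Administrators

rem ryan step 3c: take the auto-added linux group out of Administrators and put
rem one named domain account in, so "who is a local admin" is explicit.
net localgroup Administrators "%LINUXGROUP%" /delete
net localgroup Administrators "%DOMADMIN%" /add

rem ryan step 4: rather than making every user an Administrator so one program
rem works, grant the built-in "Authenticated Users" group (any domain logon
rem qualifies) Change rights on just that program's folder.
rem   /E edit the existing ACL instead of replacing it
rem   /T apply to the folder tree
rem   /G grant; C = Change (read/write/delete, no permission changes)
cacls "%APPDIR%" /E /T /G "Authenticated Users":C

rem ryan step 3a: stop XP from writing a roaming "profile" into the home share.
rem This is the registry value behind gpedit.msc ->
rem   Computer Configuration \ Administrative Templates \ System \
rem   User Profiles \ "Only allow local user profiles"        (assumed mapping)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v LocalProfile /t REG_DWORD /d 1 /f

echo === Members of the local Administrators group after changes ===
net localgroup Administrators
echo Log off, log on as %DOMADMIN% to confirm admin rights, then test the
echo application as an ordinary domain user who is NOT in Administrators.
```

Two checks are worth doing once per PC after running it: `net localgroup Administrators` should list exactly the built-in Administrator plus `LOCAL\admin` (or whichever domain account you chose) and nothing starting with `linux-`; and `cacls "C:\Program Files\SomeApp"` should show `NT AUTHORITY\Authenticated Users:(OI)(CI)C` on the folder and nothing wider than that, since widening rights on the whole of Program Files would undo the point of keeping users out of Administrators.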