Group Policy settings are stored in Group Policy Objects (GPO). A GPO consists of the following:
Group Policy Container: Stored in the directory.
Group Policy Template: Stored in the SYSVOL SMB volume.
The default configuration of SYSVOL resides in the smb.conf file.
[sysvol]
    comment = Group Policies
    path = /var/opt/novell/xad/sysvol/sysvol
    writable = Yes
    share modes = No
    nt acl support = No
Group Policy Template is stored in the SYSVOL SMB volume.
The group of security settings in the GPO is called Account Policies and contains the following policies:
Password Policy
Account Lockout Policy
Kerberos Policy
The MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf file inside SYSVOL contains the Account Policies of the GPO. They are managed by the Samba server.
In a Domain Services for Windows domain, the password policies are stored in the container cn=Domain Password Policy,cn=Password Policies,cn=System, <domain root>.
The Password Policy and the Account Lockout Policy are enforced by eDirectory. The Account Policies settings are not read directly by eDirectory or KDC.
The Kerberos Policy is enforced by the Kerberos Key Distribution Center (KDC). The eDirectory server enforces only those policies that are stored in its Directory Information Base (DIB). The Kerberos KDC expects the Kerberos Policy to be stored in eDirectory.
The following Account Policies settings are supported:
Enforce Password History
Maximum Password Age
Minimum Password Age
Minimum Password Length
Account Lockout Duration
Account Lockout Threshold
Reset Account Lockout Counter After
Maximum Lifetime for User Ticket
Maximum Lifetime for User Ticket Renewal
The gpo2nmas tool synchronizes the policies stored in eDirectory with those in SYSVOL.
This tool is scheduled through the cron service to run every 30 minutes. If the policies stored in eDirectory are newer than the Account Policies in SYSVOL, gpo2nmas updates the Account Policies. Similarly, it updates the policies in eDirectory if they do not match the Account Policies. When you modify the Account Policies in SYSVOL by using Group Policy Management Console (GPMC), gpo2nmas makes the relevant changes to the policies in eDirectory the next time it runs.
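The following is an added example, not code from the product or its documentation: a Python script that reads a GptTmpl.inf file and reports the supported Account Policies settings listed above, so you can compare what SYSVOL holds before and after a gpo2nmas run. The section and key names are the standard Windows security-template names and are an assumption about the template on your server; the sample input is constructed.

```python
import configparser
import sys

# Setting name as listed above -> (section, key) in GptTmpl.inf.
# Assumption: the standard Windows security-template section/key names.
SUPPORTED = {
    "Enforce Password History": ("System Access", "PasswordHistorySize"),
    "Maximum Password Age": ("System Access", "MaximumPasswordAge"),
    "Minimum Password Age": ("System Access", "MinimumPasswordAge"),
    "Minimum Password Length": ("System Access", "MinimumPasswordLength"),
    "Account Lockout Duration": ("System Access", "LockoutDuration"),
    "Account Lockout Threshold": ("System Access", "LockoutBadCount"),
    "Reset Account Lockout Counter After": ("System Access", "ResetLockoutCount"),
    "Maximum Lifetime for User Ticket": ("Kerberos Policy", "MaxTicketAge"),
    "Maximum Lifetime for User Ticket Renewal": ("Kerberos Policy", "MaxRenewAge"),
}

# Constructed sample, encoded as UTF-16 with a BOM like a typical template.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\nMinimumPasswordAge = 1\r\nMaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 7\r\nPasswordHistorySize = 24\r\n"
    "LockoutBadCount = 5\r\nResetLockoutCount = 30\r\nLockoutDuration = 30\r\n"
    "[Kerberos Policy]\r\nMaxTicketAge = 10\r\nMaxRenewAge = 7\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")

def read_account_policies(raw: bytes) -> dict:
    """Return {setting name: int, or None if absent} for the supported settings."""
    # Templates are normally UTF-16 with a BOM; fall back to UTF-8.
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if bom else "utf-8-sig")
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    result = {}
    for name, (section, key) in SUPPORTED.items():
        value = cp.get(section, key, fallback=None)
        result[name] = int(value) if value is not None else None
    return result

if __name__ == "__main__":
    # Pass the path to a GptTmpl.inf, or run without arguments for the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, value in read_account_policies(raw).items():
        print(f"{name:42} {'(not set)' if value is None else value}")
```

A setting reported as "(not set)" is absent from the template, which is worth checking against the policy stored in eDirectory before assuming the two are in sync.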
DSfW supports computer configuration and user configuration settings in GPOs. You can change the computer configuration settings, such as customizing the start menu, desktop, and Internet Explorer, and the user configuration settings, such as roaming profiles and desktop customization.
If you receive a message indicating that the computer configuration or user configuration is not applicable, do one of the following:
Verify that winbindd is running and functional. The getent passwd <username> command returns the information for the local users and the domain users.
If you are using the getent utility in the DSfW environment, substitute the username with the domain user name.
Check the Samba log files in /var/log/samba for any errors.