Mac OS X Server: Pushing Out Policies Using Open Directory

Now if you’re looking to push policies out from a centralized directory service that is not Active Directory then you will have slightly more work to do.  You will be using the poledit.exe utility rather than gpedit.msc.  The poledit.exe tool is stored on a Windows 2000 Server CD.  If you install the Admin Tools using the driveletteri386adminpak.msi installer then you will be able to build a policy file in adm format that can then be distributed.  When you open the Poledit.exe application you will click on File-> New New Policy.  From here you will see Default User and Default computer (much as with it’s successor gpedit.msc). 

Options in poledit.exe for Computers include a variety of settings.  One of the more important here is the Local Computer->Network->System Policies Update->Remote Update which can be used to identify where the system will be getting policy updates and how they will be updated.  To set/create the policy file (Ntconfig.pol), first remove all #if version and #endif statements from the System.adm, Inetres.adm and conf.adm files on the local workstation in order to prevent the unintended loading of these files by the Poledit.exe tool.  This isn’t absolutely necessary. 

Next, save your policy settings as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller.  But, what if you do not have a Netlogon share or a replication service to replicate between shares.  Well, create the share by adding the following lines to your SMB config:

[netlogon]

comment = Network Logon Service

path = /path/to/your/adm/files

guest ok = Yes

browseable = No

Obviously you will replace the /path/to/your/adm/files with the actual directory you will store the data on your server.  This directory needs to allow everyone read only access.  Copy the ntconfig.pol file into this directory and you will now be pushing the policy out to your users.

Options in poledit.exe for users include policies dealing with Control Panels (restrict access to display), Desktop (wallpaper and color scheme), Shell (Start Menu controls and Network Neighborhood controls), System (Run Dialog), Windows NT Network ($ hidden shares), Windows NT Printers (beeps and priorities), Windows NT Remote Access (dialup networking), etc.

Finer Grained controls in Policy Editor

If you are building your policies from a system that has been bound into Open Directory then you can use the Add Groups option and then browse to the group you would like to build policies for.  This allows you to have one overarching policy hosted in the netlogon share. 

Another way to access obtain more finely grained access to policies is to deploy settings using the login scripts.  You can build multiple policy files and deploy them or deploy actual registry edits using login scripts.