Storage Developer Conference 2008 © 2008 Insert Copyright Information Here. All Rights Reserved. www.storage-developer.org

Storage Management with Active Directory Group Policies



Introduction

• Aimed at developers of storage-based products
• Covers information that will help implementors leverage existing Active Directory infrastructure

Nomenclature

• Client – a CIFS domain member, including a storage device

Why Group Policies?

• Distributed
• Some existing user familiarity
• Configuration can be global and granular
• Extensible

Group Policies Overview

• Essentially a set of parameters and registry entries applied to client machines

Group Policies Overview

• Administrator creates Group Policy Objects
  • Stored on domain controllers
  • Created from parameters defined in template files
• Administrator links objects to Organizational Units (OUs) in Active Directory

Group Policies Overview

(three diagram slides, not transcribed)

• Client queries Active Directory (over LDAP) for the list of relevant Group Policy links
• Client retrieves the matching Group Policy Objects from DC(s)
• Client applies the configuration locally

LDAP Queries

• Find the default naming context to use as the base DN
• Query all entries down to the machine account. Applied in order from root to machine account:
  Eg: cn=somehost,ou=Computers,dc=snia,dc=org
• Looking for the gPLink attribute

LDAP Queries

• Each gPLink returned is a distinguishedName (DN)
• For each gPLink, retrieve the entry's gPCFileSysPath attribute
• gPCFileSysPath is a UNC path to the group policy objects on the DCs' SYSVOL share

gPLink

    dn: OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com
    objectClass: top
    objectClass: organizationalUnit
    ou: CIFS
    name: CIFS
    objectGUID:: iM/wwrq4NkuLyfPfV1i7aQ==
    objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=dev2003,DC=agami,DC=com
    gPLink: [LDAP://cn={ECFD9B0F-129F-413C-9021-F7C087B4F084},cn=policies,cn=system,DC=dev2003,DC=agami,DC=com;]

gPCFileSysPath

    dn: CN={ECFD9B0F-129F-413C-9021-F7C087B4F084},CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com
    objectClass: groupPolicyContainer
    cn: {ECFD9B0F-129F-413C-9021-F7C087B4F084}
    displayName: CIFS Engineering
    gPCFunctionalityVersion: 2
    gPCFileSysPath: \\dev2003.agami.com\SysVol\dev2003.agami.com\Policies\{ECFD9B0F-129F-413C-9021-F7C087B4F084}
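
Putting the two LDAP Queries slides and the two entries above together, here is an added example (not from the deck and not any vendor's code) of the discovery step a storage client performs: walk the DN chain from the default naming context down to the machine account, parse each gPLink, look up the gPCFileSysPath of every linked GPO, and split that UNC path into server, share and path. The directory is an in-memory stand-in constructed from the two entries shown; the machine account CN=somefiler, the intermediate OUs and the disabled link on the domain root are constructed. The gPLink option bits (0x1 = link disabled, 0x2 = enforced) come from [MS-GPOL], which the deck cites, not from the slides themselves.

```python
import re
from typing import Dict, List, Tuple

# gPLink syntax per [MS-GPOL]: one or more "[LDAP://<GPO DN>;<options>]",
# options being a bit mask: 0x1 = link disabled, 0x2 = link enforced.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);([0-9]*)\]", re.IGNORECASE)
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

BASE_DN = "DC=dev2003,DC=agami,DC=com"
GPO_DN = ("cn={ECFD9B0F-129F-413C-9021-F7C087B4F084},cn=policies,cn=system,"
          + BASE_DN)
SYSVOL_PATH = (r"\\dev2003.agami.com\SysVol\dev2003.agami.com\Policies"
               r"\{ECFD9B0F-129F-413C-9021-F7C087B4F084}")
# Hypothetical machine account for the storage device, under the OU shown.
MACHINE_DN = "CN=somefiler,OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation," + BASE_DN


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop spaces around the RDN separators, so the
    differently spaced and cased DNs on the slides compare equal. Escaped
    commas inside RDN values are not handled in this example."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


# Constructed stand-in for Active Directory: the OU and groupPolicyContainer
# from the slides, the intermediate OUs, the machine account, and a disabled
# link on the domain root (constructed) to exercise option handling. A real
# client performs a base-scope LDAP search per DN instead of a dict lookup.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    normalize_dn(dn): attrs for dn, attrs in {
        BASE_DN: {"gPLink": ["[LDAP://cn={11111111-1111-1111-1111-111111111111},"
                             "cn=policies,cn=system," + BASE_DN + ";1]"]},
        "OU=Organisation," + BASE_DN: {},
        "OU=Backend,OU=Organisation," + BASE_DN: {},
        "OU=Engineering,OU=Backend,OU=Organisation," + BASE_DN: {},
        "OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation," + BASE_DN: {
            "gPLink": ["[LDAP://" + GPO_DN + ";]"]},   # exactly as on the slide
        MACHINE_DN: {},
        GPO_DN: {"displayName": ["CIFS Engineering"],
                 "gPCFileSysPath": [SYSVOL_PATH]},
    }.items()
}


def dn_chain(machine_dn: str, base_dn: str) -> List[str]:
    """DNs from the naming context down to the machine account, in the order
    the slides say policies are applied (root first)."""
    m = normalize_dn(machine_dn).split(",")
    b = normalize_dn(base_dn).split(",")
    if m[-len(b):] != b:
        raise ValueError("machine account is not under the default naming context")
    return [",".join(m[-depth:]) for depth in range(len(b), len(m) + 1)]


def parse_gplink(value: str) -> List[Tuple[str, int]]:
    """Split a gPLink attribute into (GPO DN, options) pairs. The slide's
    value has no digits after the ';', which is read as options 0."""
    return [(dn, int(opts) if opts else 0) for dn, opts in GPLINK_RE.findall(value)]


def resolve_gpos(machine_dn: str, base_dn: str,
                 directory: Dict[str, Dict[str, List[str]]]) -> List[dict]:
    """GPOs to fetch from SYSVOL, in the order they should be applied."""
    ordinary, enforced = [], []
    for som_dn in dn_chain(machine_dn, base_dn):
        for link_value in directory.get(som_dn, {}).get("gPLink", []):
            for gpo_dn, options in parse_gplink(link_value):
                if options & LINK_DISABLED:
                    continue
                gpo = directory.get(normalize_dn(gpo_dn))
                if not gpo or "gPCFileSysPath" not in gpo:
                    continue  # dangling link: nothing on SYSVOL to fetch
                record = {
                    "dn": gpo_dn,
                    "displayName": gpo.get("displayName", [""])[0],
                    "gPCFileSysPath": gpo["gPCFileSysPath"][0],
                    "enforced": bool(options & LINK_ENFORCED),
                }
                (enforced if record["enforced"] else ordinary).append(record)
    # Later entries override earlier ones. Enforced links beat everything
    # linked below them, and an enforced link nearer the root beats an
    # enforced link further down, so they go last, in leaf-to-root order.
    return ordinary + enforced[::-1]


def parse_unc(path: str) -> Tuple[str, str, str]:
    """Break a gPCFileSysPath into (server, share, path below the share),
    which is what the client needs to open the GPO directory over CIFS."""
    m = re.fullmatch(r"\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?", path)
    if not m:
        raise ValueError("not a UNC path: " + path)
    return m.group(1), m.group(2), m.group(3) or ""


if __name__ == "__main__":
    for gpo in resolve_gpos(MACHINE_DN, BASE_DN, DIRECTORY):
        server, share, rel = parse_unc(gpo["gPCFileSysPath"])
        print(gpo["displayName"], "->", server, share, rel)
```

Running it lists the single GPO from the slides, "CIFS Engineering", with server dev2003.agami.com, share SysVol and the Policies\{GUID} path beneath it; the constructed link on the domain root is skipped because its options word has the disabled bit set.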


GPO Files

• A set for users and a set for machines – the former less relevant to us
• GptTmpl.inf
• Registry.pol
• Scripts directory

Scripts directory

• Contains administrator-specified scripts to be run by the client
• Because these scripts are interpreted by the client, they can be sets of device-specific CLI commands
• Not mentioned in [MS-GPOL]

GptTmpl.inf

• Unicode .ini-style file:

    [Unicode]
    Unicode=yes
    [Event Audit]
    AuditSystemEvents = 1
    AuditLogonEvents = 1
    ...

• Contains audit parameters, LSA privilege settings, registry entries and filesystem permissions

GptTmpl.inf

• [] to denote different sections

    [Privilege Rights]
    SeBackupPrivilege = *S-1-5-19
    SeRestorePrivilege = *S-1-5-19
    SeDiskOperatorPrivilege =
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20

• Actually called Gpt.ini in [MS-GPOL]
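
An added example (not from the deck) of reading GptTmpl.inf the way a storage client would: decode the UTF-16 file using its byte-order mark, parse the sections, and turn [Privilege Rights] and [Event Audit] into structured data the device can act on. The sample file is constructed from the fragments on the two slides above. The meaning of the '*' prefix (a SID literal rather than an account name) and of the audit values (1 = success, 2 = failure, 3 = both) comes from the security-template format and is not stated on the slides.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample assembled from the fragments on the two GptTmpl.inf
# slides, encoded as the file is stored on SYSVOL: UTF-16 little-endian
# with a byte-order mark and CRLF line endings.
SAMPLE_GPTTMPL = b"\xff\xfe" + (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Event Audit]\r\n"
    "AuditSystemEvents = 1\r\n"
    "AuditLogonEvents = 1\r\n"
    "[Privilege Rights]\r\n"
    "SeBackupPrivilege = *S-1-5-19\r\n"
    "SeRestorePrivilege = *S-1-5-19\r\n"
    "SeDiskOperatorPrivilege =\r\n"
    "SeAuditPrivilege = *S-1-5-19,*S-1-5-20\r\n"
).encode("utf-16-le")

# [Event Audit] values in security templates: 0 = no auditing,
# 1 = audit success, 2 = audit failure, 3 = audit both.
AUDIT_NAMES = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}


def load_gpttmpl(data: bytes) -> configparser.ConfigParser:
    """Decode the UTF-16 file (the BOM selects the byte order) and parse its
    .ini-style sections, keeping option names in their original case."""
    text = data.decode("utf-16")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_unicode_template(cp: configparser.ConfigParser) -> bool:
    return cp.get("Unicode", "Unicode", fallback="").strip().lower() == "yes"


def privilege_rights(cp: configparser.ConfigParser) -> Dict[str, List[Tuple[str, str]]]:
    """Map each privilege in [Privilege Rights] to the principals granted it,
    as ("sid", "S-1-...") for '*'-prefixed SID literals or ("name", ...) for
    account names the client still has to resolve. A privilege listed with
    an empty value (SeDiskOperatorPrivilege above) is granted to nobody; a
    privilege absent from the section is left as it is on the client."""
    rights: Dict[str, List[Tuple[str, str]]] = {}
    if not cp.has_section("Privilege Rights"):
        return rights
    for priv, raw in cp.items("Privilege Rights"):
        principals = [p.strip() for p in raw.split(",") if p.strip()]
        rights[priv] = [("sid", p[1:]) if p.startswith("*") else ("name", p)
                        for p in principals]
    return rights


def audit_settings(cp: configparser.ConfigParser) -> Dict[str, int]:
    """Return the [Event Audit] flags as integers (see AUDIT_NAMES)."""
    if not cp.has_section("Event Audit"):
        return {}
    return {name: int(raw) for name, raw in cp.items("Event Audit")}


if __name__ == "__main__":
    cp = load_gpttmpl(SAMPLE_GPTTMPL)
    print("unicode template:", is_unicode_template(cp))
    for priv, who in privilege_rights(cp).items():
        print(priv, "->", who or "nobody")
    for name, flag in audit_settings(cp).items():
        print(name, "->", AUDIT_NAMES.get(flag, flag))
```

The distinction between an empty assignment and a missing one matters when the device maps these onto its own privilege table: the sample's "SeDiskOperatorPrivilege =" line means the administrator has deliberately granted that privilege to no one, whereas a privilege the template never mentions keeps whatever the device already had.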

Registry.pol

• Contains the registry entries not part of the subset handled by GptTmpl.inf
• Binary Unicode file
• 8-byte header (signature and version)
• Records made up of:
  • Key name
  • Value
  • Type
  • Size
• Not mentioned in [MS-GPOL]
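
An added example (not from the deck) that writes and reads Registry.pol in the layout the slide lists: an 8-byte header of signature and version, then records of key name, value name, type, size and data. The 'PReg' signature, version 1, the UTF-16 bracket and semicolon characters between fields and the NUL-terminated strings follow [MS-GPREG] and are not given on the slide. The two records are constructed: frobnasticateSchedulePolicy is the VALUENAME from the client-side template example later in the deck, set to 2 ("daily" in its ITEMLIST) under a hypothetical vendor key, and the Replication\Mode string value is likewise hypothetical.

```python
import struct
from typing import List, NamedTuple

REG_SZ = 1
REG_DWORD = 4
SIGNATURE = b"PReg"      # DWORD 0x67655250 stored little-endian
VERSION = 1


class PolRecord(NamedTuple):
    key: str      # registry key path selected by the template's KEYNAME
    value: str    # VALUENAME from the template
    type: int     # REG_* type code
    data: bytes   # raw value data, exactly `size` bytes


def _u16(ch: str) -> bytes:
    return ch.encode("utf-16-le")


def pack_registry_pol(records: List[PolRecord]) -> bytes:
    """Header (signature, version) then [key;value;type;size;data] records,
    with brackets, separators and strings in UTF-16 LE, strings NUL-terminated,
    and type and size as 4-byte little-endian integers."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for rec in records:
        out += _u16("[") + _u16(rec.key) + b"\x00\x00"
        out += _u16(";") + _u16(rec.value) + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", rec.type)
        out += _u16(";") + struct.pack("<I", len(rec.data))
        out += _u16(";") + rec.data + _u16("]")
    return bytes(out)


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16 LE string; returns (text, next offset)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf: bytes) -> List[PolRecord]:
    if buf[:4] != SIGNATURE:
        raise ValueError("not a Registry.pol file (bad signature)")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        (rtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        if pos + size > len(buf):
            raise ValueError("record data runs past end of file")
        data = buf[pos:pos + size]   # size-driven, so data may itself contain ']'
        pos = _expect(buf, pos + size, "]")
        records.append(PolRecord(key, value, rtype, data))
    return records


def decode_data(rec: PolRecord):
    """Turn raw data into a Python value for the two types used here."""
    if rec.type == REG_DWORD and len(rec.data) == 4:
        return struct.unpack("<I", rec.data)[0]
    if rec.type == REG_SZ:
        return rec.data.decode("utf-16-le").rstrip("\x00")
    return rec.data


# Constructed sample: the template's VALUENAME set to 2 ("daily") under a
# hypothetical vendor key, plus a hypothetical string value.
SAMPLE_RECORDS = [
    PolRecord(r"Software\Policies\ExampleVendor\Frobnasticate",
              "frobnasticateSchedulePolicy", REG_DWORD, struct.pack("<I", 2)),
    PolRecord(r"Software\Policies\ExampleVendor\Replication",
              "Mode", REG_SZ, "async".encode("utf-16-le") + b"\x00\x00"),
]


def sample_settings() -> dict:
    """Round-trip the sample and return {key\\value: decoded data}."""
    return {r.key + "\\" + r.value: decode_data(r)
            for r in parse_registry_pol(pack_registry_pol(SAMPLE_RECORDS))}


if __name__ == "__main__":
    for name, val in sample_settings().items():
        print(name, "=", val)
```

A device with no registry of its own treats the key and value name together as a configuration path: the parser above yields Software\Policies\ExampleVendor\Frobnasticate\frobnasticateSchedulePolicy = 2, which the client then maps onto whatever its own setting for a daily schedule is. Reading data by the size field rather than by scanning for ']' is what keeps binary values containing that character from derailing the parse.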

Client-side template

• Templates allow custom parameters to be configured using the same infrastructure
• A storage device/application vendor can use it to extend Group Policies
• Consists of two sections:
  • [strings] section that defines user-visible strings
  • Policy template section that defines what the user sees and what is set in the GPO

Client-side templates

(two diagram slides, not transcribed)

    POLICY !!schedulename
    EXPLAIN !!scheduledesc
    PART !!schedulepartlabel DROPDOWNLIST REQUIRED
    VALUENAME "frobnasticateSchedulePolicy"
    ITEMLIST
    NAME !!sched_none VALUE NUMERIC 0 DEFAULT
    NAME !!sched_hourly VALUE NUMERIC 1
    NAME !!sched_daily VALUE NUMERIC 2
    NAME !!sched_weekly VALUE NUMERIC 3
    NAME !!sched_monthly VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY

Example custom parameters

• Filesystem snapshot policy
• Replication sync/async policy
• Heartbeat and other timeouts
• Default filesystem security
• Windows privilege support in LSA
• Any policy-based information
