Storage Management with Active Directory Group Policies
Storage Developer Conference 2008 © 2008 Insert Copyright Information Here. All Rights Reserved.
www.storage-developer.org
Introduction
- Aimed at developers of storage-based products
- Covers information that will help implementors leverage existing Active Directory infrastructure
Nomenclature
Client – a CIFS domain member, including a storage device
Why Group Policies?
- Distributed
- Some existing user familiarity
- Configuration can be global and granular
- Extensible
Group Policies Overview
Essentially a set of parameters and registry entries applied to client machines
Group Policies Overview
- Administrator creates Group Policy Objects (GPOs)
  - Stored on domain controllers: an LDAP object under CN=Policies,CN=System plus a folder of files on SYSVOL
  - Created from parameters defined in template files
- Administrator links objects to organizationalUnits (OUs) in Active Directory (links can also be placed on the domain and on sites)
Group Policies Overview
- Client queries Active Directory (over LDAP) for the list of relevant Group Policy links
- Client retrieves the matching Group Policy Objects from DC(s): the files under each GPO's gPCFileSysPath on the SYSVOL share, over SMB
- Client applies the configuration locally
LDAP Queries
- Find the default naming context to use as base DN
- Read every container on the path from the domain root down to the machine account (the machine object itself carries no gPLink). Policies are applied in order from the root to the machine account, so the link nearest the machine wins on conflicts:
  - Eg: cn=somehost,ou=Computers,dc=snia,dc=org
  - Looking for the gPLink attribute (and gPOptions, whose low bit blocks inheritance of non-enforced links from above)
- Site-level links live on the site object under CN=Sites,CN=Configuration and are applied before the domain's; they are not covered here
LDAP Queries
- Each gPLink value is a list of one or more [LDAP://<DN>;<options>] entries, where the DN is the distinguishedName of a groupPolicyContainer and options is 0 (normal), 1 (link disabled) or 2 (enforced); the first entry in the list has the highest precedence
- For each link, retrieve that entry's gPCFileSysPath attribute
- gPCFileSysPath is a UNC path to the group policy object's files on the DCs' SYSVOL share
gPLink
dn: OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com
objectClass: top
objectClass: organizationalUnit
ou: CIFS
name: CIFS
objectGUID:: iM/wwrq4NkuLyfPfV1i7aQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=dev2003,DC=agami,DC=com
gPLink: [LDAP://cn={ECFD9B0F-129F-413C-9021-F7C087B4F084},cn=policies,cn=system,DC=dev2003,DC=agami,DC=com;]
gPCFileSysPath
dn: CN={ECFD9B0F-129F-413C-9021-F7C087B4F084},CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com
objectClass: groupPolicyContainer
cn: {ECFD9B0F-129F-413C-9021-F7C087B4F084}
displayName: CIFS Engineering
gPCFunctionalityVersion: 2
gPCFileSysPath: \\dev2003.agami.com\SysVol\dev2003.agami.com\Policies\{ECFD9B0F-129F-413C-9021-F7C087B4F084}
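The LDAP walk above, carried through to an ordered list of SYSVOL paths, as an added example that is not part of the slides. It works on a constructed in-memory copy of the directory rather than a live LDAP connection; the OU chain and the {ECFD9B0F-...} GPO are the slides' own, {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known Default Domain Policy GUID, and the {11111111-...} enforced GPO, the block-inheritance flag on OU=Engineering and the machine name "somehost" are hypothetical. The example goes beyond the slides in handling disabled and enforced links and gPOptions block inheritance, the cases a device implementation gets wrong most often.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the LDAP results, keyed by DN (not real directory data).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=dev2003,DC=agami,DC=com": {
        "gPLink": "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},"
                  "CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com;0]",
    },
    "OU=Organisation,DC=dev2003,DC=agami,DC=com": {},
    "OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com": {
        # hypothetical enforced link (options bit 0x2)
        "gPLink": "[LDAP://CN={11111111-2222-3333-4444-555555555555},"
                  "CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com;2]",
    },
    "OU=Engineering,OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com": {
        "gPOptions": "1",  # hypothetical: block inheritance
    },
    "OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com": {
        # as captured on the slide: lower-case RDNs and no options digit
        "gPLink": "[LDAP://cn={ECFD9B0F-129F-413C-9021-F7C087B4F084},"
                  "cn=policies,cn=system,DC=dev2003,DC=agami,DC=com;]",
    },
}
SYSVOL = r"\\dev2003.agami.com\SysVol\dev2003.agami.com\Policies"
for _guid in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
              "{11111111-2222-3333-4444-555555555555}",
              "{ECFD9B0F-129F-413C-9021-F7C087B4F084}"):
    DIRECTORY[f"CN={_guid},CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com"] = {
        "gPCFileSysPath": SYSVOL + "\\" + _guid}

MACHINE_DN = "CN=somehost,OU=CIFS,OU=Engineering,OU=Backend,OU=Organisation,DC=dev2003,DC=agami,DC=com"

GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);?(\d*)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED = 0x1, 0x2   # gPLink per-link option bits
BLOCK_INHERITANCE = 0x1                   # gPOptions bit on the container


def parse_gplink(value: str) -> List[Tuple[str, int]]:
    """Split a gPLink string into (GPO DN, options); a missing options digit reads as 0."""
    return [(dn, int(opt) if opt else 0) for dn, opt in GPLINK_RE.findall(value)]


def container_chain(machine_dn: str) -> List[str]:
    """DNs of the domain and each OU above the machine, root first; the machine
    object itself is excluded. Assumes RDNs contain no escaped commas."""
    parts = [p.strip() for p in machine_dn.split(",")]
    root = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    return [",".join(parts[i:]) for i in range(root, 0, -1)]


def lookup(directory: Dict[str, Dict[str, str]], dn: str) -> Dict[str, str]:
    """DN comparison is case-insensitive (the slide's gPLink uses lower-case RDNs)."""
    want = dn.lower()
    return next((e for k, e in directory.items() if k.lower() == want), {})


def resolve_gpo_order(machine_dn: str, directory: Dict[str, Dict[str, str]]) -> List[str]:
    """GPO DNs in application order: the last entry wins on conflicting settings."""
    normal: List[str] = []
    enforced_per_container: List[List[str]] = []
    for container in container_chain(machine_dn):
        entry = lookup(directory, container)
        if int(entry.get("gPOptions", "0")) & BLOCK_INHERITANCE:
            normal = []  # drop non-enforced GPOs inherited from containers above
        here_enforced: List[str] = []
        # first link in gPLink has highest precedence, so apply it last
        for dn, opts in reversed(parse_gplink(entry.get("gPLink", ""))):
            if opts & LINK_DISABLED:
                continue
            (here_enforced if opts & LINK_ENFORCED else normal).append(dn)
        enforced_per_container.append(here_enforced)
    # enforced links apply after everything else, those nearest the root last
    enforced = [dn for lst in reversed(enforced_per_container) for dn in lst]
    return normal + enforced


def gpo_sysvol_paths(machine_dn: str, directory: Dict[str, Dict[str, str]]) -> List[str]:
    """UNC paths (gPCFileSysPath) of the GPOs to fetch from SYSVOL, in application order."""
    return [lookup(directory, dn).get("gPCFileSysPath", "")
            for dn in resolve_gpo_order(machine_dn, directory)]


if __name__ == "__main__":
    for path in gpo_sysvol_paths(MACHINE_DN, DIRECTORY):
        print(path)
```

With this directory the Default Domain Policy is blocked by OU=Engineering, so only the CIFS GPO and the enforced Backend GPO reach the machine, in that order. A real client must do the same walk against every DC it talks to and refuse any GPO whose gPCFileSysPath points outside the domain's SYSVOL.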
GPO Files
- A set for users and a set for machines (the User\ and Machine\ folders under the GPO's SYSVOL folder) – the former less relevant to us
- GptTmpl.inf (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf)
- Registry.pol (Machine\Registry.pol)
- Scripts directory (Machine\Scripts\Startup and Machine\Scripts\Shutdown, listed in scripts.ini)
Scripts directory
- Contains administrator-specified scripts to be run by the client
- Because these scripts are interpreted by the client, they can be sets of device-specific CLI commands
- Not mentioned in [MS-GPOL]; the scripts extension has its own specification, [MS-GPSCR]
- Caveat: whoever can write to a linked GPO's folder on SYSVOL thereby chooses what every linked client executes, so a device should require SMB signing when fetching SYSVOL and run only scripts found under the gPCFileSysPath of a GPO it resolved itself
GptTmpl.inf
Unicode .ini-style file:
    [Unicode]
    Unicode=yes
    [Event Audit]
    AuditSystemEvents = 1
    AuditLogonEvents = 1
    ...
Contains audit parameters, LSA privilege settings, registry entries and filesystem permissions
GptTmpl.inf
[] to denote different sections:
    [Privilege Rights]
    SeBackupPrivilege = *S-1-5-19
    SeRestorePrivilege = *S-1-5-19
    SeDiskOperatorPrivilege =
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20
A leading * marks a SID rather than an account name; an empty value assigns the privilege to nobody. SeDiskOperatorPrivilege is a Samba-defined privilege that Windows itself does not know.
The audit values are bit masks: 1 = audit success, 2 = audit failure, 3 = both, 0 = none.
GptTmpl.inf is specified in [MS-GPSB] (Group Policy: Security Protocol Extension), not in [MS-GPOL]. Gpt.ini is a different file: it sits at the root of the GPO folder and carries the GPO version number, which the client compares with its cached copy to decide whether the GPO has to be re-read.
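Parsing the template as a storage device would after fetching it from SYSVOL, as an added example (not from the slides). The sample content is constructed from the two fragments above plus a [Version] section; the SIDs and audit values are illustrative. The parser keeps key case, which Python's configparser would fold, and tolerates a file written without the UTF-16 byte-order mark.

```python
from typing import Dict, List

# Constructed sample template, as GptTmpl.inf is written on SYSVOL: UTF-16LE with BOM.
SAMPLE_GPTTMPL = "\r\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[Event Audit]",
    "AuditSystemEvents = 1",
    "AuditLogonEvents = 3",
    "[Privilege Rights]",
    "SeBackupPrivilege = *S-1-5-19",
    "SeRestorePrivilege = *S-1-5-19",
    "SeDiskOperatorPrivilege =",
    "SeAuditPrivilege = *S-1-5-19,*S-1-5-20",
    "[Version]",
    'signature="$CHICAGO$"',
    "Revision=1",
    "",
])
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_GPTTMPL.encode("utf-16-le")

AUDIT_SUCCESS, AUDIT_FAILURE = 0x1, 0x2   # bits of the Audit* values


def decode_template(data: bytes) -> str:
    """Honour the BOM if present; fall back to UTF-16LE, then to an 8-bit file."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    if b"\x00" in data[:8]:
        return data.decode("utf-16-le")
    return data.decode("latin-1")


def parse_template(data: bytes) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: raw value}}, preserving key case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in decode_template(data).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        # any other line is malformed; skip it rather than reject the whole GPO
    return sections


def privilege_holders(sections: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """[Privilege Rights] entries: '*S-1-...' items are SIDs, bare names would need
    resolving through LSA. An empty list means nobody holds the privilege."""
    return {priv: [v.strip() for v in value.split(",") if v.strip()]
            for priv, value in sections.get("Privilege Rights", {}).items()}


def audit_settings(sections: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, bool]]:
    """[Event Audit] values are bit masks: 1 success, 2 failure, 3 both, 0 none."""
    out: Dict[str, Dict[str, bool]] = {}
    for name, value in sections.get("Event Audit", {}).items():
        flags = int(value)
        out[name] = {"success": bool(flags & AUDIT_SUCCESS),
                     "failure": bool(flags & AUDIT_FAILURE)}
    return out


if __name__ == "__main__":
    parsed = parse_template(SAMPLE_BYTES)
    print(privilege_holders(parsed))
    print(audit_settings(parsed))
```

A device should treat an empty privilege value as an explicit revocation, not as "unchanged": the template above removes SeDiskOperatorPrivilege from everyone.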
Registry.pol
- Contains the registry entries not part of the subset handled by GptTmpl.inf
- Binary UTF-16LE file
- 8-byte header: the signature "PReg" followed by a 32-bit version number (1)
- Records made up of: key name, value name, type, size, data, laid out as [key;value;type;size;data]
- Not mentioned in [MS-GPOL]; the format is specified in [MS-GPREG]
Client-side template
- Templates (.adm administrative templates; ADMX/ADML files serve the same role from Windows Vista on) allow custom parameters to be configured using the same infrastructure
- A storage device/application vendor can use them to extend Group Policies
- Consists of two sections:
  - [strings] section that defines the user-visible strings referenced as !!name
  - Policy template section that defines what the user sees in the editor and what is written to the GPO (a value in Registry.pol)
Client-side templates
    POLICY !!schedulename
        EXPLAIN !!scheduledesc
        PART !!schedulepartlabel DROPDOWNLIST REQUIRED
            VALUENAME "frobnasticateSchedulePolicy"
            ITEMLIST
                NAME !!sched_none    VALUE NUMERIC 0 DEFAULT
                NAME !!sched_hourly  VALUE NUMERIC 1
                NAME !!sched_daily   VALUE NUMERIC 2
                NAME !!sched_weekly  VALUE NUMERIC 3
                NAME !!sched_monthly VALUE NUMERIC 4
            END ITEMLIST
        END PART
    END POLICY
This is the policy body only: a loadable .adm also needs CLASS MACHINE, an enclosing CATEGORY carrying the KEYNAME registry key under which the VALUENAME is written, and the [strings] section defining each !!name. The editor writes the chosen NUMERIC value as a REG_DWORD record in Registry.pol.
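What the template above produces on SYSVOL, and how a client reads it back, as an added example serving both the Registry.pol description and the client-side template (not code from the slides). The record layout follows [MS-GPREG]; the registry key "Software\Policies\Example\Frobnasticate" and the "replicationMode" and "heartbeatSeconds" values are hypothetical, while "frobnasticateSchedulePolicy" is the VALUENAME from the template. The example also handles the "**del.<name>" marker the editor writes when a policy is set to Not Configured, which a client must honour or stale settings survive on the device.

```python
import struct
from typing import Dict, List, Tuple

REG_SZ, REG_DWORD = 1, 4
PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # signature + version 1

Record = Tuple[str, str, int, bytes]            # key, value name, type, raw data


def _utf16z(s: str) -> bytes:
    """UTF-16LE with the two-byte terminator used for names and REG_SZ data."""
    return s.encode("utf-16-le") + b"\x00\x00"


def dword(n: int) -> bytes:
    return struct.pack("<I", n)


def encode_record(key: str, value: str, vtype: int, data: bytes) -> bytes:
    """[key;value;type;size;data] with brackets and semicolons also in UTF-16LE."""
    sep = ";".encode("utf-16-le")
    return ("[".encode("utf-16-le") + _utf16z(key) + sep + _utf16z(value) + sep
            + struct.pack("<I", vtype) + sep + struct.pack("<I", len(data)) + sep
            + data + "]".encode("utf-16-le"))


def build_registry_pol(entries: List[Record]) -> bytes:
    return PREG_HEADER + b"".join(encode_record(*e) for e in entries)


def _read_utf16z(buf: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in Registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf: bytes) -> List[Record]:
    """Strict parser: any malformed record rejects the file rather than guessing."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated record data")
        pos = _expect(buf, pos + size, "]")
        records.append((key, value, vtype, data))
    return records


def decode_data(vtype: int, data: bytes):
    if vtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data   # other types left raw for the caller


def apply_records(records: List[Record]) -> Dict[str, Dict[str, object]]:
    """Fold records into {key: {value name: decoded data}}. A value name of the form
    '**del.<name>' is the editor's deletion marker: <name> must be removed on the
    client, represented here as None."""
    state: Dict[str, Dict[str, object]] = {}
    for key, value, vtype, data in records:
        bucket = state.setdefault(key, {})
        if value.lower().startswith("**del."):
            bucket[value[len("**del."):]] = None
        else:
            bucket[value] = decode_data(vtype, data)
    return state


# Constructed sample: the schedule dropdown set to "daily" (NUMERIC 2), a string
# value, and a deletion marker (its data is ignored by readers).
KEY = r"Software\Policies\Example\Frobnasticate"   # hypothetical KEYNAME
SAMPLE_ENTRIES: List[Record] = [
    (KEY, "frobnasticateSchedulePolicy", REG_DWORD, dword(2)),
    (KEY, "replicationMode", REG_SZ, _utf16z("async")),
    (KEY, "**del.heartbeatSeconds", REG_SZ, _utf16z(" ")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(apply_records(parse_registry_pol(SAMPLE_POL)))
```

Sizes in the header and records are little-endian, and the size field counts bytes of data, not characters, so a REG_SZ of five characters carries a size of 12 (including the terminator). Rejecting a malformed file outright is the safer choice for a device: silently skipping a record can leave a privilege or audit setting at its old value.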
Example custom parameters
- Filesystem snapshot policy
- Replication sync/async policy
- Heartbeat and other timeouts
- Default filesystem security
- Windows Privilege support in LSA
- Any policy-based information