Storage Developer Conference 2008 © 2008 Insert Copyright Information Here. All Rights Reserved.
www.storage-developer.org
Storage Management with Active Directory Group Policies
Introduction
Aimed at developers of storage-based products
Covers information that will help implementors leverage existing Active Directory infrastructure
Nomenclature
Client – a CIFS domain member, including a storage device
Why Group Policies?
Distributed
Some existing user familiarity
Configuration can be global and granular
Extensible
Group Policies Overview
Essentially a set of parameters and registry entries applied to client machines
Group Policies Overview
Administrator creates Group Policy Objects
Stored on domain controllers
Created from parameters defined in template files
Administrator links objects to organizational units (OUs) in Active Directory
Group Policies Overview
Client queries Active Directory (over LDAP) for the list of relevant Group Policy links
Client retrieves the matching Group Policy Objects from the DC(s)
Client applies the configuration locally
LDAP Queries
Find the default naming context to use as the base DN
Query all entries down to the machine account; policies are applied in order from root to machine account
E.g.: cn=somehost,ou=Computers,dc=snia,dc=org
Looking for the gPLink attribute
LDAP Queries
Each gPLink returned is a distinguishedName (DN)
For each gPLink, retrieve the entry's gPCFileSysPath attribute
gPCFileSysPath is a UNC path to the group policy objects on the DCs' SYSVOL share
gPLink
dn: OU=CIFS, OU=Engineering, OU=Backend, OU=Organisation, DC=dev2003,DC=agami,DC=com
objectClass: top
objectClass: organizationalUnit
ou: CIFS
name: CIFS
objectGUID:: iM/wwrq4NkuLyfPfV1i7aQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=dev2003,DC=agami,DC=com
gPLink: [LDAP://cn={ECFD9B0F-129F-413C-9021-F7C087B4F084},cn=policies,cn=system,DC=dev2003,DC=agami,DC=com;]
gPCFileSysPath
dn: CN={ECFD9B0F-129F-413C-9021-F7C087B4F084},CN=Policies,CN=System,DC=dev2003,DC=agami,DC=com
objectClass: groupPolicyContainer
cn: {ECFD9B0F-129F-413C-9021-F7C087B4F084}
displayName: CIFS Engineering
gPCFunctionalityVersion: 2
gPCFileSysPath: \\dev2003.agami.com\SysVol\dev2003.agami.com\Policies\{ECFD9B0F-129F-413C-9021-F7C087B4F084}
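The lookup chain the previous slides describe (walk the containers from the domain root down to the machine account, collect each gPLink, then fetch the GPO's gPCFileSysPath) as an added worked example; this is not code from the talk. The directory contents are a constructed dict standing in for the LDAP queries, the GPO GUIDs are placeholders, and the link-option bits (1 = disabled, 2 = enforced) and the "first link has highest precedence" rule follow the [MS-GPOL] link-order convention. The SYSVOL path check at the end is an added defensive step the slides do not describe: a client should refuse a gPCFileSysPath that does not point at its own domain's SYSVOL share before it opens the UNC path.

```python
import re

# gPLink link-option bits ([MS-GPOL]): bit 0 = link disabled, bit 1 = link enforced.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

# Each link is "[LDAP://<gpo dn>;<options>]"; the slide's sample leaves <options> empty.
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d*)\]", re.IGNORECASE)

# Constructed directory contents standing in for the LDAP queries (placeholder GUIDs).
POLICIES = "cn=policies,cn=system,dc=snia,dc=org"
GPO_BASELINE = "cn={11111111-1111-1111-1111-111111111111}," + POLICIES  # domain, normal
GPO_AUDIT = "cn={22222222-2222-2222-2222-222222222222}," + POLICIES     # domain, enforced
GPO_STORAGE = "cn={33333333-3333-3333-3333-333333333333}," + POLICIES   # OU, normal
GPO_OLD = "cn={44444444-4444-4444-4444-444444444444}," + POLICIES       # OU, disabled
SAMPLE_DIRECTORY = {
    "dc=snia,dc=org": f"[LDAP://{GPO_BASELINE};0][LDAP://{GPO_AUDIT};2]",
    "ou=Computers,dc=snia,dc=org": f"[LDAP://{GPO_STORAGE};0][LDAP://{GPO_OLD};1]",
}
MACHINE_DN = "cn=somehost,ou=Computers,dc=snia,dc=org"


def parse_gplink(value):
    """Split a gPLink value into (gpo_dn, options) pairs; empty options mean 0."""
    return [(dn, int(opts) if opts else 0) for dn, opts in _LINK_RE.findall(value or "")]


def split_dn(dn):
    """Split a DN on unescaped commas and drop the whitespace some tools insert."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def container_chain(machine_dn):
    """DNs from the domain root (the DC= suffix) down to the machine's parent container."""
    rdns = split_dn(machine_dn)
    root = next(i for i, rdn in enumerate(rdns) if rdn.lower().startswith("dc="))
    return [",".join(rdns[i:]) for i in range(root, 0, -1)]


def gpo_apply_order(machine_dn, directory):
    """Return GPO DNs in the order the client should apply them (the last one wins).

    `directory` maps container DN -> gPLink value and replaces the real LDAP lookups.
    """
    links_by_dn = {dn.lower(): v for dn, v in directory.items()}
    normal, enforced = [], []
    for container in container_chain(machine_dn):
        links = parse_gplink(links_by_dn.get(container.lower(), ""))
        # The first link in gPLink has the highest precedence within its container,
        # so it is applied last; disabled links are skipped entirely.
        for gpo_dn, opts in reversed(links):
            if opts & LINK_DISABLED:
                continue
            (enforced if opts & LINK_ENFORCED else normal).append(gpo_dn)
    # Enforced links apply after every ordinary link so that no child container can
    # override them, and an enforced link nearer the root beats one further down.
    return normal + list(reversed(enforced))


def sysvol_path_ok(unc, domain):
    """Defensive check before opening gPCFileSysPath: accept only the SYSVOL share of
    the domain itself or of a host inside it, under its Policies directory."""
    m = re.match(r"^\\\\([^\\]+)\\SysVol\\([^\\]+)\\Policies\\", unc, re.IGNORECASE)
    if not m:
        return False
    host, dom, domain = m.group(1).lower(), m.group(2).lower(), domain.lower()
    return dom == domain and (host == domain or host.endswith("." + domain))
```

With the constructed directory above, `gpo_apply_order(MACHINE_DN, SAMPLE_DIRECTORY)` yields the domain baseline GPO, then the OU's storage GPO, then the enforced audit GPO last, and the disabled link is never applied.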
GPO Files
A set for users and a set for machines – the former less relevant to us
GptTmpl.inf
Registry.pol
Scripts directory
Scripts directory
Contains administrator-specified scripts to be run by the client
Because these scripts are interpreted by the client, they can be sets of device-specific CLI commands
Not mentioned in [MS-GPOL]
GptTmpl.inf
Unicode .ini-style file:
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
...
Contains audit parameters, LSA privilege settings, registry entries and filesystem permissions
GptTmpl.inf
[] to denote different sections
[Privilege Rights]
SeBackupPrivilege = *S-1-5-19
SeRestorePrivilege = *S-1-5-19
SeDiskOperatorPrivilege =
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
Actually called Gpt.ini in [MS-GPOL]
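An added example of how a client would read the two GptTmpl.inf sections shown on these slides; it is not code from the talk. The sample file content is constructed after the slide's excerpt (the extra SeNetworkLogonRight line is mine), the audit values follow the secedit convention (0 = none, 1 = success, 2 = failure, 3 = both), and the final two checks are the ones a storage device should run before honouring a template: reject tokens that are not well-formed SIDs, and surface privileges handed to Everyone, Authenticated Users or Users so an operator can review them.

```python
import configparser
import re

# Constructed GptTmpl.inf content modelled on the slide's excerpt; a real file is
# UTF-16 with a byte-order mark, which str.encode("utf-16") reproduces.
SAMPLE_INF = "\r\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[Event Audit]",
    "AuditSystemEvents = 1",
    "AuditLogonEvents = 3",
    "[Privilege Rights]",
    "SeBackupPrivilege = *S-1-5-19",
    "SeRestorePrivilege = *S-1-5-19",
    "SeDiskOperatorPrivilege =",
    "SeAuditPrivilege = *S-1-5-19,*S-1-5-20",
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544",
]).encode("utf-16")

# secedit audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
AUDIT_FLAGS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

# Well-known SIDs that hand a privilege to essentially every account.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_gpttmpl(raw):
    """Decode the UTF-16 file (the codec consumes the BOM) and parse it as INI,
    keeping key names case-sensitive so privilege names round-trip unchanged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(raw.decode("utf-16"))
    return cp


def audit_settings(cp):
    """Map each [Event Audit] key to the meaning of its numeric value."""
    return {name: AUDIT_FLAGS.get(int(v), "unknown") for name, v in cp["Event Audit"].items()}


def privilege_rights(cp):
    """Map each [Privilege Rights] key to the SIDs granted it. Entries are SIDs
    prefixed with '*'; an empty value (SeDiskOperatorPrivilege above) means the
    privilege is revoked from everyone."""
    rights = {}
    for priv, value in cp["Privilege Rights"].items():
        sids = []
        for token in value.split(","):
            token = token.strip()
            if token:
                sids.append(token[1:] if token.startswith("*") else token)
        rights[priv] = sids
    return rights


def malformed_sids(rights):
    """(privilege, token) pairs whose token is not a well-formed SID."""
    return [(priv, s) for priv, sids in rights.items() for s in sids if not SID_RE.match(s)]


def broad_grants(rights):
    """(privilege, sid, name) triples where a privilege goes to a very broad group."""
    return [(priv, s, BROAD_SIDS[s]) for priv, sids in rights.items()
            for s in sids if s in BROAD_SIDS]
```

Run against the constructed file, `broad_grants` reports only SeNetworkLogonRight for Everyone, which is the one line an operator should look at twice; the two LSA service SIDs on the backup, restore and audit privileges pass without comment.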
Registry.pol
Contains the registry entries not part of the subset handled by GptTmpl.inf
Binary Unicode file
8-byte header (signature and version)
Records made up of:
Key name
Value
Type
Size
Not mentioned in [MS-GPOL]
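A parser for the record layout just described, added here as an example rather than taken from the talk. It relies on the documented Registry.pol format: the 8-byte header is the ASCII signature "PReg" followed by a little-endian version of 1, and each record is `[key;value;type;size;data]` where the brackets and semicolons are UTF-16LE characters, key and value are NUL-terminated UTF-16LE strings, and type and size are little-endian DWORDs. The builder exists only to produce a constructed sample; the registry path, the vendor name and the value data are placeholders (the value name comes from the slide's ADM template). Every length is checked against the buffer so a truncated or malformed file read from SYSVOL raises instead of being partially applied.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
_SIG = b"PReg"


def _u16(s):
    return s.encode("utf-16-le")


# Constructed sample records: (key, value name, type, raw data). ExampleVendor is a placeholder.
SAMPLE_RECORDS = [
    ("Software\\Policies\\ExampleVendor\\Storage", "frobnasticateSchedulePolicy",
     REG_DWORD, struct.pack("<I", 2)),
    ("Software\\Policies\\ExampleVendor\\Storage", "ReplicationTarget",
     REG_SZ, _u16("nas02.example.invalid") + b"\0\0"),
]


def build_registry_pol(records):
    """Serialize (key, value, type, data) tuples in Registry.pol layout (for the sample)."""
    out = bytearray(_SIG + struct.pack("<I", 1))
    for key, value, rtype, data in records:
        out += _u16("[") + _u16(key) + b"\0\0" + _u16(";") + _u16(value) + b"\0\0" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _read_utf16z(buf, pos):
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _read_dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError(f"truncated DWORD at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def decode_value(rtype, data):
    """Turn raw record data into a Python value; unknown types stay as bytes."""
    if rtype == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD data must be exactly 4 bytes")
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data


def parse_registry_pol(buf):
    """Return a list of (key, value name, type, decoded data) records."""
    if len(buf) < 8 or buf[:4] != _SIG:
        raise ValueError("not a Registry.pol file (bad signature)")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != 1:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError("record data runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        records.append((key, value, rtype, decode_value(rtype, data)))
    return records
```

Feeding `build_registry_pol(SAMPLE_RECORDS)` to `parse_registry_pol` yields the two records with the DWORD decoded to 2 and the string without its terminator; chopping bytes off the end makes the parser raise rather than return a partial list.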
Client-side template
Templates allow custom parameters to be configured using the same infrastructure
A storage device/application vendor can use it to extend Group Policies
Consists of two sections:
[strings] section that defines user-visible strings
Policy template section that defines what the user sees and what is set in the GPO
Client-side templates
POLICY !!schedulename
EXPLAIN !!scheduledesc
PART !!schedulepartlabel DROPDOWNLIST REQUIRED
VALUENAME "frobnasticateSchedulePolicy"
ITEMLIST
NAME !!sched_none VALUE NUMERIC 0 DEFAULT
NAME !!sched_hourly VALUE NUMERIC 1
NAME !!sched_daily VALUE NUMERIC 2
NAME !!sched_weekly VALUE NUMERIC 3
NAME !!sched_monthly VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
Example custom parameters
Filesystem snapshot policy
Replication sync/async policy
Heartbeat and other timeouts
Default filesystem security
Windows Privilege support in LSA
Any policy-based information