6. Windows workstation setup
6.1 Introduction
We will stick to setting up the network, user management and policies on the Windows workstations.
I will not go through all those steps, naming each dialog box. I will presume that if you can read and understand this document you can find your way through that mess.
6.2 Network protocols
First, unless you really need them, remove all network protocols but TCP/IP. Even without their own protocol, Windows machines like to broadcast a lot, and this doesn't please anyone. Anyway, with TCP/IP who needs anything else?
6.3 DHCP setup
If you set up a DHCP server on your Linux box, remember that Windows workstations can get the nameservers and the gateway's address from it, besides their own IP address. So, you don't need to set all these items on each workstation.
6.4 Join your Linux server domain
Configure the Windows workstation to log in to a domain, and give it the domain name of your Linux server. This is essential for the gateway to work.
You must know that in order to join some versions of Windows to a SAMBA domain controller, you must create machine accounts on your Linux PDC. Check the SAMBA documentation on how to set up your PDC for the specific version of Windows which you have.
Windows for Workgroups
This version seems to need no special configuration to join the Linux PDC domain.
The netlogon script shall be named "WfWg.bat" so when %a is translated the right script is chosen.
Example:
REM WFWG.BAT
net use z: \\linux\samba /yes
Windows 95/98/ME
These versions also seem to need no special configuration to join the Linux PDC domain.
The netlogon script shall be named "Win95.bat" so when %a is translated the right script is chosen.
Example:
REM WIN95.BAT
net use z: \\linux\samba /yes
Windows NT
This version requires machine accounts on the Linux box. Check the SAMBA documentation.
The netlogon script shall be named "WinNT.bat" so when %a is translated the right script is chosen.
Example:
REM WINNT.BAT
net use z: \\linux\samba /yes /persistent:no
Windows 2000
This version requires machine accounts on the Linux box. Again, check the SAMBA documentation.
The netlogon script shall be named "Win2K.bat" so when %a is translated the right script is chosen.
Example:
REM WIN2K.BAT
net use z: \\linux\samba /yes /persistent:no
Windows XP
This version needs a machine account on the Linux box and a tweak in the registry, as follows.
Locate the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal". The default value is 1, which makes the workstation insist on a signed or sealed secure channel to the domain controller. Set it to 0 and it will no longer complain about joining the domain.
If you have many workstations to configure, create a file named anything.reg with the following content and use it to modify the "faulty" registry.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
This version also needs an adjustment to the logon script. Sometimes it insists on making the mount persistent. The netlogon script shall be named "WinXP.bat" so when %a is translated the right script is chosen.
Example:
REM WINXP.BAT
net use z: \\linux\samba /yes /persistent:no
6.5 Policy editor
There is a utility named Policy Editor bundled on the Windows CD. The file name is poledit.exe. This tool, as the name suggests, allows you to create a user and system policy file.
Unfortunately, this tool does not generate a plain text configuration file, so I can't place an example here.
Use the Policy Editor to create a policy for your workstations and users. You should disable the local password cache and the domain cache in order to get some security. Save the policy file as config.pol and place it in the netlogon share of your Linux server. In this way, your Windows workstations will download and use the config.pol file to set their policy. Of course this task must be done on a Windows machine.
If you don't use a config.pol file, your Windows workstations will annoy you by asking for a Windows password, and you will go nuts trying to synchronize and manage your domain and Windows passwords. It seems that the OS doesn't know that it joined a domain. You must tell it, and then you have to slap it in the face so it will believe you.
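As an added example (not part of the original HOWTO), here is a small POSIX shell check for the netlogon share on the Linux server. It verifies that the per-%a logon scripts from 6.4 and the config.pol from 6.5 are in place; the share path argument, the CRLF line-ending check and the /persistent:no check for NT-family clients are assumptions of this example.

```shell
#!/bin/sh
# check_netlogon DIR: sanity-check a SAMBA netlogon share directory.
# Added example, not from the original HOWTO. Assumes the logon scripts are
# named after the %a values used above (WfWg, Win95, WinNT, Win2K, WinXP).
check_netlogon() {
    dir=$1
    rc=0
    for arch in WfWg Win95 WinNT Win2K WinXP; do
        f="$dir/$arch.bat"
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            rc=1
            continue
        fi
        # Windows batch files expect CRLF line endings; a script written on
        # Linux with LF only may be misread by the workstation (assumption).
        if ! grep -q "$(printf '\r')" "$f"; then
            echo "WARN: $f has no CRLF line endings" >&2
            rc=1
        fi
        # NT, 2000 and XP like to make the mapping persistent, so the section
        # above adds /persistent:no to their scripts; insist on it here.
        case $arch in
            WinNT|Win2K|WinXP)
                if ! grep -qi '/persistent:no' "$f"; then
                    echo "WARN: $f lacks /persistent:no" >&2
                    rc=1
                fi ;;
        esac
    done
    # Without config.pol the workstations keep asking for a Windows password.
    if [ ! -f "$dir/config.pol" ]; then
        echo "MISSING: $dir/config.pol" >&2
        rc=1
    fi
    return $rc
}

# Usage: check_netlogon /path/to/netlogon && echo "netlogon share looks OK"
```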