• Status: Solved

Disabling samba password changes

I have a RedHat Linux 9 install with the original Samba 2.2.7 (with latest security updates). We use a regular smbpasswd file to store the Samba user accounts. Their accounts are assigned a specific password and should not be changed because a supervisor needs to regularly log in as each person and check what documents are in the user's home directory. Usually, when we deploy the Windows XP machines to the users, we disable the change password functionality on the Ctrl-Alt-Delete screen to prevent them from doing just that. However, we have just noticed that I forgot to do that on our latest deployment (about 300 XP computers). Some of the users are changing their password without us knowing about it. I have to enable unix password sync in order for computers to be able to join the domain. Is there any way I can prevent the users from changing their passwords?

I am already in the process of creating a new image with the correct config values, but I would like to have a temporary solution in the meantime before everyone starts changing their password. I thought about using a Windows NT .pol file, but I have not found any utility that can create .pol files but still use the Windows XP SP2 ADM templates.
Asked by: jpwallen
 
johnb6767 Commented:
Disable the Change Password Button (Windows NT/2000)
http://www.pctools.com/guides/registry/detail/265/

Can deploy it using PSEXEC......

PsExec
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
 
jpwallen (Author) Commented:
Unfortunately, Windows will only accept that registry on a per-user-profile basis. I would have no way of mounting each user's individual profile and making the change to the registry from there.
 
johnb6767 Commented:
Should work for HKLM as well, in which case it will work in this deployment method....

If your situation must use HKCU, then you could still use psexec to deploy a script to each machine with a single command, and copy the .reg commands to each pc's local startup.....
 
jpwallen (Author) Commented:
I tried that, but it does not work because startup scripts only run when the machine is first started. When the machine is started, you don't have access to a user's registry hive because no one has logged in yet.
 
johnb6767 Commented:
Put in their startup folder. Each user has FULL CONTROL over their CU hive.....
 
jpwallen (Author) Commented:
WOW, I would sure hope they don't have control over the policies key. If a user has control over their HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System registry entry, then they can essentially disable any group policies that are in it. Check this for yourself in a user (not an administrator) account; you should see that you have read-only permissions to that part of the key.

I was able to create a Ntconfig.pol file and have the machines load that as an old-style NT policy implementation. Seems to work well, but later I will re-image the machines with the correct registry information.
 
johnb6767 Commented:
You know what? I stand corrected. Default image has pretty much full control over HKCU EXCEPT for the 2 main policy keys. That was a way-off assumption on my part from previous experience. Guess every time I have done this in the past successfully, something was definitely not default...

Thanks for clarifying that for me. Guess you learn something new every day....
Question has a verified solution.
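
As an added example (not part of the original thread), this PowerShell check tests the point settled in the last two comments: whether the logged-on user's token holds any write right on the HKCU Policies\System key. The function name is hypothetical, `DisableChangePassword` is the standard value name for the setting discussed and does not appear in the thread, and Deny ACEs are not evaluated.

```powershell
# Added example, not from the thread. Run it in the session of the user being checked.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Rights that let a principal change or remove policy values, plus the
# generic write (0x40000000) and generic all (0x10000000) bits that
# inheritable ACEs may carry.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

function Test-PolicyKeyWritable {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path does not exist, so no per-user System policy is applied."
        return $null
    }

    # SIDs in the current token: the user plus the groups .NET reports for it.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Read the ACL with identities as SIDs so no name lookup is needed.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    # Allow ACEs that match the token and grant any write-type right.
    # Deny ACEs are not evaluated, so a hit means "review this key".
    $hits = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $tokenSids -contains $_.IdentityReference.Value -and
        ([int]$_.RegistryRights -band $writeMask) -ne 0
    })

    $value = Get-ItemProperty -Path $Path -Name 'DisableChangePassword' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                  = $identity.Name
        DisableChangePassword = if ($value) { $value.DisableChangePassword } else { 'not set' }
        WritableByUser        = ($hits.Count -gt 0)
        GrantingAces          = $hits | ForEach-Object { "$($_.IdentityReference.Value): $($_.RegistryRights)" }
    }
}

Test-PolicyKeyWritable -Path $keyPath | Format-List
```

On a default image a standard user should show `WritableByUser : False`; `True` means something on the machine has loosened the key's ACL.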
