We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

Disabling samba password changes

Medium Priority
367 Views
Last Modified: 2013-12-06
I have a RedHat linux 9 install with the original Samba 2.2.7 (With latest security updates). We use a regular smbpasswd file to store the samba user accounts. their accounts are assigneed a specific password and should not be changed because a supervisor needs to regularly login as each person and check what documents are in the users home directory. Usually, when we deploy the Windows XP machines to thie users, we disable the change password functionality on the Ctrl-alt-delete screen to prevent them from doing just that. However, we have just noticed that I forgot to do that on out latest deployment (about 300 xp computers). Some of the users are changing their password without us knowing about it. I have to enable unix password sync in order for computers to be able to join the domain. Is there any way I can prevent the users from changing thier passwords?

I am already in the process of creating a new image with the correct config values but I would like to have a temporary solution in the meantime before everyone starts changing their password. I thought about using a windows nt .pol file but I have not found any utility that can create pol files but still use the windows xp sp2 adm templates.
Comment
Watch Question

CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Disable the Change Password Button (Windows NT/2000)
http://www.pctools.com/guides/registry/detail/265/

Can deploy it using PSEXEC......

PsExec
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Author

Commented:
Unfortunately, Windows will only accept that registry on a per user profile basis. I would have no way of mounting each users individual profile and making the change to the registry from there.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Should work for HKLM as well, in which case it will work in this deployment method....

If your situation must use HKCU, then you could still use psexec to deploy a script to each machine with a single command, and copy the .reg commands to each pc's local startup.....

Author

Commented:
I tried that but it does not work because startup scripts only run when the machine is first started. When the machine is started you don't have access to a users registry hive because now one has logged in yet.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Put in thier startup folder. Each user has FULL CONTROL over thier CU hive.....
Commented:
WOW, I would sure hope they don't have control over the policies key. If a user has control over their HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System registry entry then they can essentially disable any group policies that are in it. Check this for yourself in a user (not an administrator) account, you should see that you have read only permissions to that part of the key.

I was able to create a Ntconfig.pol file and have the machines load that as an old-style NT policy implementation. Seems to work good, but later I will re-image the machines with the correct registry information.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
You know what? I stand corrected. Default image has pretty much full contorl over HKCU EXCEPT for the 2 main policy keys. That was a way off assumption on my part from previous experience.  Guess everytime I have done this in the past successfully, something was definately not default...

Thanks for clarifying that for me. Guess you learn something new everyday....
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.