Linux question

ColmOT [MSFT]

Hi all, I'm curious whether redhat/mandrake etc (the distros most commonly used as 'windows replacements' in corporate settings) have functionality that is similiar to group policy in Windows.

What I mean is, from a central localtion, can a linux admin enforce certain computer (force a certain type of network encryption) and user (restricting access to icons on the desktop, configuration settings, force installation of apps on a per user basis etc) policies ?

Thanks for your help!

ssh

Yes, we've had NIS and Kerberos for years, though we are lacking any standardised method for pushing software to the desktop, like say that whole MSI thing.

Though a clueful admin will always be able to put something good together.

maxheadroom

Hmm - I don't know offhand, but I'd be suprised if the likes of redhat enterprise, or sun JDS don't have something like that in them. Of course, if it doesn't exist, and someone felt the need for it, I'm sure it could / would be written (I'm thinking Ximian / Novell here).

I've used mandrake a bit, and I'm not aware of anything like you've described, but I'vce always considered Mandrake as more of a "windows replacement" in the home user sense.


EDIT: looks like Red Carpet Enterprise looks after pushing software / updates etc to workstations. I'd imagine the whole novell zen works package is quite close to what you were asking about?

niallb

Originally posted by maxheadroom
...I've used mandrake a bit, and I'm not aware of anything like you've described, but I'vce always considered Mandrake as more of a "windows replacement" in the home user sense.

Mandrake's own urpmi tool has a --parallel mode
which allows simultaneous updates to a list of machines
held in /etc/urpmi/parallel.cfg to be centrally maintained.

Another approach is to keep your own repository of software
on your lan, and add your updates to this.
All the machines can scan this periodically and install
available updates.

NiallB

ssh

I've been thinking a bit about this, and the real problem I have with the notion of "restricting access to icons on the desktop, configuration settings, force installation of apps on a per user basis etc)" is that it is purely a superficial limitation.

A friend of mine couldn't install software on his PC in work, and wanted to use MSN messenger. I just zipped up the win32 binaries of gaim, sent it to him and he was able to unzip it and run it directly from his PC.

Likewise with any attempts to limit the software executed on PCs. Say in the library in college, you could always wriggle your way around any restrictions they put on program execution.

I don't feel it's much of a way of enforcing any form of security.

nadir

yea, but if you set up a good linux VPN, I mean there are all your group and user policies sorted out, and as for desktop icons, i mean, like thats just cosmetic stuff.

Syth

Likewise with any attempts to limit the software executed on PCs. Say in the library in college, you could always wriggle your way around any restrictions they put on program execution.

Definity have to agree on that one. The computers in college have Windows 200 on them, and us irresponsible undergrads aren't supposed to install things. All it means is we can't create a folder in C:/Program Files/, so you just install it in it's own folder in C:. Piece of cake. Security, Pah, What security.