[geeks] I love it when software gets more efficient

Phil Brutsche phil at tux.obix.com
Sat Sep 9 19:02:12 CDT 2006


Charles Shannon Hendrix wrote:
>> Restricting what settings can and cannot be seen or changed by the end
>> user - cache size, proxy settings, everything you see in about:config.
> 
> Well, that requires some form of ACLs, which really don't scale very
> well.

The most common way of doing it is an ACL to restrict access to
about:config, this tab isn't accessible, that tab is accessible, etc.  I
think you're thinking of a different scale than I.

The key is to have a scalable mechanism to determine which policies get
applied to each user - a huge policy file to handle all possible
contingencies is unwieldy.

The most common ways to do it are group membership, or based on the
location of the user object in an LDAP tree - the OU would have a policy
file associated with it that specifies the settings to apply to the user
environment.

> You'd want applications to follow some universal conventions like an
> "allowed actions" file.  

My thought would be to have each application rely on gconf (or the KDE
equivalent) to find out what they should do under certain circumstances.

Ya see, the basis is there, they just need to get off their arses and
use it (glares at OpenOffice over their
experimental-and-totally-undocumented gconf support)!

> That's about the only way to keep ACL performance at acceptable levels,
> especially in something as complex as application settings.
> 
>> Globally adding a link to the bookmarks or link bar.
> 
> You can set up KDE and Gnome to have global bookmark folders in
> addition to the user folder.

Selectable on a per-group basis, i.e. user group A (teachers) has this set
of global bookmarks, user group B (students) has that set?

>> Those are things that can be done with Group Policies in a Windows
>> environment.
> 
> Hmmm... I've never seen that.
> 
> I've seen Windows shops manage a few of the basics, but not the level of
> control you've described.

Most admins don't need to worry about GPOs for a school, with a bunch of
shared computers used by teachers and students alike; each group of
users needs their own (different) set of restrictions.

AD group policies allow you to (among many other things):

* restrict access to the IE settings tabs on a per-tab basis
* restrict access to control panel applets
* change the default options - file paths, default file format when you
hit "save", tell Outlook to use plain text by default, force a
particular screen saver to come on after x minutes
* remove desktop features
* grant access to previously restricted features
* hide parts of the file system hierarchy

> Not all Windows applications use things like network settings and other
> managed resources, so how do you handle them?

Reasonable applications usually come with their own GPO templates.  You
can also create your own GPO templates, using pre-existing registry
entries as a basis.

Stuff like Firefox doesn't use the registry for most settings, so you
need to hope the developers documented the application properly.

In Firefox's case, the lack of documentation for the Mozilla-specific
JavaScript methods doesn't help.

-- 

Phil Brutsche
phil at tux.obix.com
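
Added example, not part of the original message: a sketch of the selection mechanism described above, where each OU on the path to the user object (and each group) carries its own small policy file and the effective settings are the merge of those layers. The DNs, group names, setting keys and the merge order (OUs from root to leaf, then groups) are all constructed assumptions.

```python
import re

# Constructed sample policy store: one small policy per container or group,
# instead of one huge file covering every contingency.
OU_POLICIES = {
    "dc=school,dc=example": {"proxy.host": "proxy.school.example", "about_config": "hidden"},
    "ou=students,dc=school,dc=example": {"bookmarks": ["Library catalogue"], "cache.size_kb": 20000},
    "ou=teachers,dc=school,dc=example": {"bookmarks": ["Gradebook"]},
}
GROUP_POLICIES = {"lab-admins": {"about_config": "visible"}}


def containers(user_dn):
    """Return the DN's containers from the tree root down to the user's parent OU."""
    # Split on unescaped commas and normalise case/whitespace so lookups are stable.
    rdns = [r.strip().lower() for r in re.split(r"(?<!\\),", user_dn)]
    parents = rdns[1:]  # drop the user's own RDN (uid=... / cn=...)
    return [",".join(parents[i:]) for i in range(len(parents) - 1, -1, -1)]


def effective_policy(user_dn, groups=()):
    """Merge policies root-to-leaf, then group overlays; record where each value came from."""
    settings, source = {}, {}
    layers = [(dn, OU_POLICIES.get(dn, {})) for dn in containers(user_dn)]
    layers += [("group:" + g, GROUP_POLICIES.get(g, {})) for g in sorted(groups)]
    for name, policy in layers:
        for key, value in policy.items():
            settings[key] = value   # a later (more specific) layer wins
            source[key] = name      # keep provenance for auditing
    return settings, source


if __name__ == "__main__":
    for dn, groups in [("uid=alice,ou=students,dc=school,dc=example", []),
                       ("uid=bob,ou=teachers,dc=school,dc=example", ["lab-admins"])]:
        settings, source = effective_policy(dn, groups)
        for key in sorted(settings):
            print(f"{dn}: {key} = {settings[key]!r} (from {source[key]})")
```

The `source` map is what makes this auditable: for any locked-down setting you can tell which OU or group policy imposed it.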


