Creating and managing GPOs

I was testing it about a year ago, but now a quick look at their homepage and they are saying/writing this:

I can test this today, but later this evening, and can tell you what they have.

2 Likes

OK, I have had a quick look at Zentyal. What they have:

  • roaming profiles
  • user quota
  • organisation units
  • list of computers joined to AD

But I was mistaken about GPOs - they use RSAT :wink:

1 Like

You will want a virtual or physical windoze anyway. How else will you test, evacuate that user again?

1 Like

I have been looking for alternatives, but afaik there just is no tool for Linux that can do the same as RSAT on Windows.
The best thing we can do is mimic the functionality with known options available in the Linux world. Part of it will be samba-tool.
What I can imagine is creating some kind of web interface around samba-tool. An example of this is how the Linux-schools project has implemented it in Karoshi server.

Some screens to get the idea:

6 Likes

Little bump. Would such an extension of the web interface be feasible/possible/wanted?

If it’s just about managing ldap/ad like change password or photo you may use phpldapadmin or lam.

For GPOs I found no webeditor. Maybe we could provide some default GPOs like in this example?

https://support.microsoft.com/en-ca/help/918239/how-to-write-custom-adm-and-admx-administrative-template-files-to-prov

What are .adm and .admx files? :astonished:

Active directory extensions:

https://whatis.techtarget.com/fileformat/ADM-Windows-NT-policy-template

I hoped we could apply them with samba-tool but I have to test, it was just an idea.

I don’t even know if they work with newer Windows versions…

1 Like

Did you see my #howto for a GPO built on the server? Do you think it can be a valid approach to automate GPO publishing from a NethServer DC?

Windows Logon/Logoff audit log

1 Like

This looks promising! :+1: We could do a lot with ps scripts.

I tried another ps script that way and it worked like a charm. It sets the proxy at logon which is nice for manual or auth proxy.

https://gallery.technet.microsoft.com/scriptcenter/Set-Proxy-65fff169

For more complex GPOs we may use gpmc to get the necessary files.

Hi all!

I just wonder …
An OEM license for Windows 10 Pro costs $ 150.00 and a Retail license for Windows 10 Pro costs € 186.00, w/o VAT, at least here, in Romania.
Divide the cost of one of these licenses by the number of PCs on your network …
Is it worth it, for these costs, to find alternative solutions to RSAT, which, if I understand well, are not such good solutions anyway?

You are absolutely right about replacing RSAT, it’s not worth the effort and seems really hard.
I was thinking more about a “NethServer client GPO” that may provide some typical settings like:

  • Set drive letters for shares
  • Set proxy
  • Logon/Logoff Audit
  • Folder redirection?

2 Likes

Combined with Samba Audit and Samba Status by @gecco, I think it is enough for AD basics, and without much effort to implement.
If you need more, use RSAT.

1 Like

Where are GPOs stored in NethServer?

Here is the policy store:

/var/lib/machines/nsdc/var/lib/samba/sysvol/ad.example.com/Policies/

Example:

4 Likes
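
The policy store path given in the post above can be inventoried from the NethServer shell. This is an added example, not part of the original thread or of NethServer: it lists each `{GUID}` folder and decodes the `Version=` value in `GPT.INI`, which packs the user revision in the upper 16 bits and the computer revision in the lower 16. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inventory GPOs in a Samba sysvol.
# On the NethServer DC from the post above it would be called as:
#   list_gpos /var/lib/machines/nsdc/var/lib/samba/sysvol/ad.example.com/Policies

# Print one line per {GUID} directory: GUID, user version, computer version.
list_gpos() {
    store=$1
    for dir in "$store"/\{*\}; do
        [ -d "$dir" ] || continue
        guid=$(basename "$dir")
        ini=
        # File name case can differ on a Linux file system.
        for f in "$dir/GPT.INI" "$dir/gpt.ini" "$dir/Gpt.ini"; do
            if [ -f "$f" ]; then ini=$f; break; fi
        done
        if [ -z "$ini" ]; then
            printf '%s\tMISSING_GPT_INI\n' "$guid"
            continue
        fi
        # GPT.INI is written by Windows tools: strip CR before matching.
        ver=$(tr -d '\r' < "$ini" | sed -n 's/^[Vv]ersion=\([0-9][0-9]*\)$/\1/p' | head -n 1)
        if [ -z "$ver" ]; then
            printf '%s\tNO_VERSION\n' "$guid"
            continue
        fi
        # Version = (user revision << 16) + computer revision.
        printf '%s\tuser=%s\tcomputer=%s\n' "$guid" $((ver / 65536)) $((ver % 65536))
    done
}

# Build a constructed sample store: one healthy GPO, one without GPT.INI.
make_sample_store() {
    good="$1/{31B2F340-016D-11D2-945F-00C04FB984F9}"
    mkdir -p "$good/MACHINE" "$good/USER" "$1/{AAAAAAAA-0000-0000-0000-000000000001}"
    printf '[General]\r\nVersion=65539\r\n' > "$good/GPT.INI"
}

if [ "$#" -gt 0 ]; then list_gpos "$1"; fi
```

A folder reported as `MISSING_GPT_INI` is worth checking first, since clients read that file to decide whether a policy has changed.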

I’m sorry, but if your decision maker worries about 23 euros, replace him.

https://www.digitallicense.nl/windows-10-professional-retail

In general (not particularly from the linked site), how legit are those cheap digital licenses?

2 Likes

Yes, but those licenses are not valid/legal, at least here, in Romania.

There are a lot of legal resellers. You might have to search a bit, but Google is your friend in that regard. A couple of win10 licenses shouldn’t cost more than 100 euros. Let me know if you need help; if the forum allows, I can compile a short list of reputable resellers.

But I really don’t see how any of this is even remotely valid, as I do not believe for 1 second that there are sysadmins who will not have at least 2 Windows VMs when they support a Windows client base. You need at least 1 for testing client updates and to diagnose issues, and another for all administrative tasks.
That is, unless you want to tell an employee that they can’t work for an hour while you test updates and such…

Licensing cost is mainly an issue for server installs, where the number of cores you have has an impact on your license fee (above 8 cores iirc).

If you can force all clients to Mac or Linux then there is no use case for AD for the clients, except perhaps for centralised login. There is little use for GPOs on a non-Windows client tho, as they won’t be run, except for a few login-related ones.

Maybe I am completely wrong about sysadmins elsewhere, but I don’t see how you get to guess that updates won’t bork the client machines and just risk it, and keep your job.