Creating and managing GPO's

Did you see my #howto for a GPO built on the server? Do you think it can be a valid approach to automate GPO publishing from a NethServer DC?

Windows Logon/Logoff audit log


This looks promising! :+1: We could do a lot with ps scripts.

I tried another ps script that way and it worked like a charm. It sets the proxy at logon which is nice for manual or auth proxy.

https://gallery.technet.microsoft.com/scriptcenter/Set-Proxy-65fff169

For more complex GPOs we may use GPMC to get the necessary files.

Hi all!

I just wonder …
An OEM license for Windows 10 Pro costs $150.00 and a Retail license for Windows 10 Pro costs €186.00, w/o VAT, at least here, in Romania.
Divide the cost of one of these licences by the number of PCs on your network …
Is it worth it, for these costs, to find alternative solutions to RSAT, which, if I understand well, are not so good solutions anyway?

You are absolutely right about replacing RSAT, it’s not worth the effort and seems really hard.
I was more thinking about a “Nethserver client GPO” that may provide some typical settings like:

  • Set drive letters for shares
  • Set proxy
  • Logon/Logoff Audit
  • Folder redirection?
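As an added example (not code from the thread or from NethServer), here is what a single PowerShell logon script covering three of the items in that list looks like: drive letters, proxy, and a logon/logoff audit record. It would be deployed as a user logon script (and again as a logoff script with `-Event Logoff`) from a GPO like the one in the howto. The domain `ad.example.com`, the `audit`, `home` and `shared` shares, and the proxy host are assumptions.

```powershell
# Added example, not part of the original thread.  User-scope logon/logoff
# script: maps drives, sets the per-user WinINET proxy and appends one audit
# line to a share.  Domain, shares and proxy host are assumed placeholders.
param(
    [ValidateSet('Logon', 'Logoff')]
    [string]$Event = 'Logon'
)

$Domain     = 'ad.example.com'               # assumed domain
$AuditShare = "\\$Domain\audit"              # assumed share: users may create/append, not read
$ProxyHost  = 'proxy.ad.example.com:3128'    # assumed NethServer proxy
$NoProxy    = '<local>;*.ad.example.com'     # hosts that bypass the proxy

# Drive letter -> UNC path.  Letters already in use are left alone.
$Drives = @{
    'H' = "\\$Domain\home\$env:USERNAME"
    'S' = "\\$Domain\shared"
}

function Set-UserProxy {
    param([string]$Server, [string]$Bypass)
    # Standard per-user WinINET keys; runs as the user because the script is
    # in the User Configuration scope.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer   -Value $Server
    Set-ItemProperty -Path $key -Name ProxyOverride -Value $Bypass
}

function Connect-MappedDrives {
    param([hashtable]$Map)
    foreach ($letter in $Map.Keys) {
        if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) { continue }
        # -Persist makes the mapping visible in Explorer; -Scope Global keeps it
        # after the function returns.
        New-PSDrive -Name $letter -PSProvider FileSystem -Root $Map[$letter] `
            -Persist -Scope Global -ErrorAction SilentlyContinue | Out-Null
    }
}

function Write-AuditRecord {
    param([string]$Kind, [string]$Share)
    # One CSV line per event, one file per month.  The share should allow
    # create/append only, so a user cannot read or tamper with other records.
    $ip = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
           Select-Object -First 1).IPAddress
    $record = [pscustomobject]@{
        Time     = (Get-Date).ToString('o')
        Event    = $Kind
        User     = "$env:USERDOMAIN\$env:USERNAME"
        Computer = $env:COMPUTERNAME
        Address  = $ip
    }
    $file = Join-Path $Share ("{0:yyyy-MM}.csv" -f (Get-Date))
    # ConvertTo-Csv emits a header line first; skip it so the file stays one row per event.
    $record | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1 | Add-Content -Path $file
}

if ($Event -eq 'Logon') {
    Set-UserProxy -Server $ProxyHost -Bypass $NoProxy
    Connect-MappedDrives -Map $Drives
}
Write-AuditRecord -Kind $Event -Share $AuditShare
```

Two caveats a practitioner would want: a script only sets a default, so anything it writes under HKCU (the proxy above) can be changed back by the user, while the same keys delivered as registry policy (registry.pol) are re-applied on every refresh; and the WinINET proxy is per user, so services and tools using WinHTTP are not covered by it.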

Combined with Samba Audit and Samba Status by @gecco, I think it is enough for AD basics and not so big an effort to implement.
If you need more, use RSAT.


Where are GPOs stored in NethServer?

Here is the policy store:

/var/lib/machines/nsdc/var/lib/samba/sysvol/ad.example.com/Policies/

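The same Policies directory is what domain-joined clients read over SMB as `\\ad.example.com\SYSVOL\ad.example.com\Policies`. As an added example (not from the thread or from NethServer), the script below lists each GPO folder there from a Windows client, reads the `Version=` line of its GPT.INI and compares it with the `versionNumber` attribute of the matching `CN={GUID},CN=Policies,CN=System,...` object in AD, using only ADSI and the share, no RSAT. A mismatch is the usual reason a client silently skips a policy after the files were published by hand on the DC. `ad.example.com` is the thread's placeholder domain.

```powershell
# Added example, not part of the original thread.  Compare SYSVOL GPT.INI
# versions with the AD groupPolicyContainer versionNumber from a domain-joined
# client.  Domain name is a placeholder.
$Domain     = 'ad.example.com'
$DomainDN   = 'DC=' + (($Domain -split '\.') -join ',DC=')   # DC=ad,DC=example,DC=com
$PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies"           # same store, seen over SMB

function Get-GptIniVersion {
    param([string]$Path)
    # GPT.INI is a tiny INI file:  [General]  Version=<int>
    # The integer packs the user version (high 16 bits) and the computer
    # version (low 16 bits); AD stores the same packed number.
    $ini = Join-Path $Path 'GPT.INI'
    if (-not (Test-Path $ini)) { return $null }
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-GpoStatus {
    param([string]$Root, [string]$DN)
    Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $guid = $_.Name
            $adVersion = $null
            $name = $null
            try {
                # Lazy bind; property access throws if the container object is missing,
                # i.e. files exist in SYSVOL but no GPO object points at them.
                $ad = [ADSI]"LDAP://CN=$guid,CN=Policies,CN=System,$DN"
                $adVersion = [int]$ad.versionNumber.Value
                $name      = [string]$ad.displayName.Value
            } catch { }
            $sysvolVersion = Get-GptIniVersion -Path $_.FullName
            [pscustomobject]@{
                Guid          = $guid
                Name          = $name
                AdVersion     = $adVersion
                SysvolVersion = $sysvolVersion
                InSync        = ($null -ne $adVersion -and $adVersion -eq $sysvolVersion)
            }
        }
}

Get-GpoStatus -Root $PolicyRoot -DN $DomainDN | Format-Table -AutoSize
```

Rows with `InSync` false, or with an empty `Name`, are the ones to look at before blaming the client: either the GPT.INI version was not bumped after editing files on the DC, or the folder has no AD object. On the NethServer side, `samba-tool gpo listall` inside the `nsdc` container shows the AD objects the script is matching against.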

I’m sorry, but if your decision maker worries about 23 euros, replace him.

https://www.digitallicense.nl/windows-10-professional-retail

In general (not particularly from the linked site), how legit are those cheap digital licenses?


Yes, but those licenses are not valid/legal, at least here, in Romania.

There are a lot of legal resellers. You might have to search a bit, but Google is your friend in that regard. A couple of Win10 licenses shouldn’t cost more than 100 euros. Let me know if you need help; if the forum allows, I can compile a short list of reputable resellers.

But I really don’t see how any of this is even remotely valid, as I do not believe for 1 second that there are sysadmins who will not have at least 2 Windows VMs when they support a Windows client base. You need at least 1 for testing client updates and to diagnose issues and another for all administrative tasks.
That is, unless you want to tell an employee that they can’t work for an hour while you test updates and such…

Licensing cost is mainly an issue for server installs, where the number of cores you have, has an impact on your license fee (above 8 cores iirc)

If you can force all clients to Mac or Linux then there is no use-case for AD for the clients, except perhaps for centralised login. There is little use for GPOs on a non-Windows client though, as they won’t be run, except for a few login related ones.

Maybe I am completely wrong about sysadmins elsewhere, but I don’t see how you get to guess that updates won’t bork the client machines and just risk it, and keep your job.

That is usually not feasible, since we usually provide support to 3rd parties (as a business).

Don’t get me wrong, I have the same idea as you: if you need GPOs, it is because you have Windows clients to manage; since your client environment is already Windows-based, an additional (client) license, which costs much less than a server one, shouldn’t be a burden anyway.

But this is true only if you manage a network with four or more PCs. Unfortunately we have customers which are really small (2/3 people working in an office) which are bound by GDPR to have personal accounts and thus need AD. To standardise the deployments on these customers (with respect to the other, bigger ones) you will deploy GPOs, so you need RSAT tools; some of the policies are replaceable with other workarounds (e.g. share mapping), some others are simply not economically justifiable, if done manually, for 2/3 PCs (like blocking USBs). And doing stuff manually on a single PC is much more expensive (implementation, maintenance, complexity) than doing it once for all PCs.

So yes, I am sure 90% of the people, when faced with the higher cost of not having a Windows client machine for RSAT tools, will agree that a single license is better. But this is not always the case, and since we are discussing general support of GPO without proprietary products in the middle, I second that having an interface for managing GPOs would be better, even if the support is basic.


IMO these kinds of lists should not be in these forums. It would be a bit strange (to say the least) if we, as an open-source Linux community, started promoting buying Windows licenses from sources that are impossible to judge as legit or not…
If it were up to me, Windows client licenses would cost at least EUR150,- Then the open-source counterpart has the license cost advantage, although the main reason to use open source is the philosophy behind open source and not the cost. (but in this commercial world that probably will be a utopia)


I get your point, but I do not suppose that you will tell them to come back tomorrow because today you will be reinstalling their machine, whenever Windows decides it is time? Nor that you deploy untested updates? What happens when ransomware hits?

If that is actually what is accepted by the customer, then I just need to learn more about real world scenarios that are alien to me, yet seem quite common.
I do agree that it is nice to have GPO editing from the web interface for the basics you list there, but I highly doubt you will find it enough.

Scenario: Policy has to be reworked to do X

  1. You change the policy
  2. You walk over to the user, ask them to gpupdate /force from the commandline
  3. ask them to log out and back in or even reboot
  4. Test
  5. etc?

Scenario: User has windows issues and end result is PC needs reinstall

  1. Send user home
  2. pick up PC
  3. reinstall PC
  4. bring back PC
  5. call user to come back to work?

Seems more expensive than the license to me, if you consider the lost time of that person. I am sounding overly critical though, and made a statement that was clearly wrong, else there would not have been this discussion.

Can I have the snob badge now ? :wink:
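Steps 2 and 3 of the first scenario are the part that can be done from the admin's own seat. As an added example (not from the thread), this refreshes policy on a list of clients over WinRM and reports whether gpupdate said a logoff or reboot is still needed, which it does for folder redirection, software installation and similar settings. Computer names are placeholders; WinRM has to be enabled on the Windows 10 clients first (`Enable-PSRemoting`, or the "Allow remote server management through WinRM" policy).

```powershell
# Added example, not part of the original thread.  Run gpupdate /force on
# several clients from the admin workstation and collect the results.
# Computer names are placeholders.
$Computers = 'pc01', 'pc02'

function Invoke-RemotePolicyRefresh {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # /force reapplies every setting, not just changed ones.  Without /wait:0
        # gpupdate blocks until done, so $LASTEXITCODE is meaningful.
        $out = & gpupdate.exe /force 2>&1
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            ExitCode    = $LASTEXITCODE
            # gpupdate prints a notice when some settings only apply at next
            # logon or restart (folder redirection, software install, ...).
            NeedsLogoff = [bool](($out -join ' ') -match 'log ?off|restart|reboot')
            Output      = ($out -join ' ')
        }
    }
}

Invoke-RemotePolicyRefresh -ComputerName $Computers |
    Format-Table Computer, ExitCode, NeedsLogoff -AutoSize
```

One caveat: gpupdate run this way refreshes computer policy and the user policy of the account running it (the admin's remote session), not the policy of whoever is logged on at the console. For user-scope settings the user still has to run it, or it has to be scheduled in their session, which is exactly what the RSAT `Invoke-GPUpdate` cmdlet arranges with a scheduled task.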

@planet_jeroen, I don’t see the license cost being an issue in your 2 situations or am I missing something?
Even with valid licenses, a reinstall might occur. It’s the sysadmins job to have that covered so other personnel can switch to another machine or have a (very) limited downtime (at least not in terms of ‘sending them home and call back when the computer has been fixed’.)
BTW, a distribution option like FOG would be very nice to have to cover such a situation.

Yeah … the sysadmin needs licenses or evacuate an employee from their workstation to get access to windows.

In fact I think you are in a very fortunate bubble, since you deal with users and not with lusers :smiley: Jokes apart, usually our average customer isn’t very fond of IT and/or technology and doesn’t care even when we try to explain the situation, because “I pay you to deal with this stuff that I cannot understand and neither do I want to”.

Small customers simply accept Windows downtime as part of Windows itself, because any other alternatives for them are not acceptable (they are spending lots of money on Office licenses, even if they use maybe 2% of the functions it has and probably LibreOffice would be much more than sufficient for their needs, but “all the others do it with Office, why should I do differently” is the main excuse); let alone spending money on something infrastructural for 3/4 PCs. We have a customer with more than 6 PCs and we forced them to get a NAS for their data, since for years they managed their files on the C: drive of their machines without having a single working backup for their stuff; then they suffered a robbery and someone stole their entire PCs.

If they get ransomware, usually they don’t understand the implications, they only say “I cannot open my files anymore”. We have to explain what it really means and that we were good enough to take 2 different types of backups of their data even if they didn’t buy a NAS from us for their backups; some of them don’t even understand the importance of backups: one of them said to us “you should have said clearly that backup was so important” after losing all their data; we replied with “we wrote you that at the beginning” and finally he replied “I thought your email wasn’t so important back then”. When reminded of the fact that their data would have been made completely useless if we didn’t have the backups, this doesn’t even move them to think better of their (poor) technology behaviour: “it seemed a valid invoice to me” “but did you ever have any contracts with this ‘Quiche Inc.’ company?” “No, not once”.

We have an ads company as a customer that requested a quotation from us for 5k€ for a new Mac for a single person, but refused to accept the quote for a new server for all their 50+ users (and they had just been stopped for a couple of days because their 8-year-old Mac mini server was malfunctioning) “because 4k€ is too much and was not budgeted…”.

You seem, again, to be in a fortunate bubble, where people use their brain to understand that if they have to wait hours before starting their jobs because of system updates, something is wrong. You are working with people with a technical (in the sense of IT) understanding and they have precise issues and needs, which are completely different from small customers where the main and only issue is to spend the least money possible. Even spending a recurring yearly sum to have a “support contract with assured updates” seems like swearing to the gods to them.

I’m sorry; I completely understand your point of view as a technician; not all the customers are technicians, though, so they cannot understand half of this discussion and are still convinced that they are right not to follow any advice from professionals (and sometimes they also paid for the consultancy :smiley: ).


I live on the other end of the spectrum, where you are not allowed to provide services without being certified, and every tech needing his certifications up to date for his role. ISO-land.

That means IT managers, and they would get fired for downtime. Customers pay for services, not for paid IT labour, and we offer a solution that is signed off on before it is implemented, with SLAs even for internal services. Not sure it’s fortunate, but it makes it so that the scenario you describe is only seen at very small and sort of old-fashioned companies. Hipsters are in the cloud :stuck_out_tongue: (until the regular consumer internet connection dies)

But yeah, being liable for data loss, downtime, not meeting SLAs and target response times, we are forced to work differently or close shop. That being said, I just left a company that sounds much like what you described, but they resisted change for the last 15 years and are the exception in a way.

That’s why I didn’t understand at first why it would be so hard to just bill another license and make it a term of service that a proper OTAP procedure is in place so you have a staging and testing area, and thus your RSAT machine. But yeah, if you have to argue to even get a cabinet instead of a spare desk, and a patch panel instead of spaghetti, I think I would experience a system shock if I tagged along for a day with you :slight_smile:

A post was split to a new topic: How to import GPOs?