Creating and managing GPO's

gpo
samba4

(Rob Bosch) #21

I have been looking for alternatives, but afaik there just is no tool for Linux that can do the same as RSAT on Windows.
The best thing we can do is mimic the functionality with known options available in the Linux world. Part of it will be samba-tool.
What I can imagine is creating some kind of web interface around samba-tool. An example of this is how the Linux-schools project has implemented it in Karoshi server.

Some screens to get the idea:


(Rob Bosch) #22

Little bump. Would such an extension of the web interface be feasible/possible/wanted?


(Markus Neuberger) #23

If it’s just about managing LDAP/AD, like changing the password or photo, you may use phpLDAPadmin or LAM.

For GPOs I found no web editor. Maybe we could provide some default GPOs like in this example?

https://support.microsoft.com/en-ca/help/918239/how-to-write-custom-adm-and-admx-administrative-template-files-to-prov


(Davide Principi) #24

What are .adm and .admx files? :astonished:


(Markus Neuberger) #25

Active Directory extensions:

https://whatis.techtarget.com/fileformat/ADM-Windows-NT-policy-template

I hoped we could apply them with samba-tool but I have to test, it was just an idea.

I don’t even know if they work with newer Windows versions…


(Davide Principi) #26

Did you see my #howto for a GPO built on the server? Do you think it can be a valid approach to automate GPO publishing from a NethServer DC?

Windows Logon/Logoff audit log


(Markus Neuberger) #27

This looks promising! :+1: We could do a lot with PS scripts.

I tried another PS script that way and it worked like a charm. It sets the proxy at logon, which is nice for a manual or auth proxy.

https://gallery.technet.microsoft.com/scriptcenter/Set-Proxy-65fff169

For more complex GPOs we may use GPMC to get the necessary files.


(Gabriel GHEORGHIU) #28

Hi all!

I just wonder …
An OEM license for Windows 10 Pro costs $150.00 and a Retail license for Windows 10 Pro costs €186.00, w/o VAT, at least here, in Romania.
Divide the cost of one of these licences by the number of PCs on your network…
Is it worth it, for these costs, to find alternative solutions to RSAT, which, if I understand well, are not so good solutions anyway?


(Markus Neuberger) #29

You are absolutely right about replacing RSAT, it’s not worth the effort and seems really hard.
I was more thinking about a “Nethserver client GPO” that may provide some typical settings like:

  • Set drive letters for shares
  • Set proxy
  • Logon/Logoff Audit
  • Folder redirection?

(Gabriel GHEORGHIU) #30

Combined with Samba Audit and Samba Status by @gecco, I think it is enough for AD basics, and with not so big an effort to implement.
If you need more, use RSAT.


(Carlo Minucci) #31

Where are GPOs stored in NethServer?


(Markus Neuberger) #33

Here is the policy store:

/var/lib/machines/nsdc/var/lib/samba/sysvol/ad.example.com/Policies/

Example:


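As an added example (not code from this thread, from NethServer or from Samba), the following shell script shows how the policy store above is laid out for the kind of PowerShell logon-script GPO described in #27 (Set-Proxy at logon), and how the Version field in GPT.INI must be bumped before clients pick up a change. The sysvol root, the GPO GUID and the proxy address are constructed placeholders; on a real NethServer DC the GPO directory would live under /var/lib/machines/nsdc/var/lib/samba/sysvol/ad.example.com/Policies/ and would be created and linked with `samba-tool gpo create` and `samba-tool gpo setlink`, which also maintain the matching versionNumber attribute on the groupPolicyContainer object in AD.

```bash
#!/usr/bin/env bash
# Added example: skeleton of a user logon-script GPO in sysvol, plus version bookkeeping.
# Everything below runs against a temporary directory standing in for
# .../sysvol/<realm>/Policies; nothing here touches a real DC or AD.
set -eu

# Write an .ini-style file with CRLF line endings, as the Windows tooling does.
write_crlf() {            # usage: write_crlf <path> <line>...
    local path="$1"; shift
    : > "$path"
    for line in "$@"; do printf '%s\r\n' "$line" >> "$path"; done
}

# Create the on-disk part of a GPO that runs one PowerShell script at user logon.
# $1 = GPO directory (Policies/{GUID}), $2 = script file name, $3 = script body.
# psscripts.ini lists PowerShell scripts; scripts.ini would list .bat/.cmd ones.
make_logon_script_gpo() {
    local gpo="$1" script="$2" body="$3"
    mkdir -p "$gpo/Machine" "$gpo/User/Scripts/Logon"
    write_crlf "$gpo/GPT.INI" "[General]" "Version=0"
    write_crlf "$gpo/User/Scripts/psscripts.ini" "[Logon]" "0CmdLine=$script" "0Parameters="
    printf '%s\r\n' "$body" > "$gpo/User/Scripts/Logon/$script"
}

# Print the integer Version= value from GPT.INI (tolerating CRLF).
gpt_version() {
    tr -d '\r' < "$1/GPT.INI" | sed -n 's/^Version=//p'
}

# The version is packed: high 16 bits = user-side version, low 16 bits = machine-side.
split_version() {         # prints "<user> <machine>"
    echo "$(( $1 >> 16 )) $(( $1 & 65535 ))"
}

# Bump the user half after editing User/ content. A client only re-applies a GPO
# whose version changed (unless forced with gpupdate /force), so forgetting this
# is the usual reason an edited logon script "does nothing". Prints the new value.
bump_user_version() {
    local gpo="$1" v user machine new
    v="$(gpt_version "$gpo")"
    user=$(( (v >> 16) + 1 )); machine=$(( v & 65535 ))
    new=$(( user * 65536 + machine ))
    write_crlf "$gpo/GPT.INI" "[General]" "Version=$new"
    echo "$new"
}

# Stand-alone demo with constructed values.
main() {
    local sysvol gpo
    sysvol="$(mktemp -d)"                                    # stand-in for .../Policies
    gpo="$sysvol/{CAFEBABE-0000-4000-8000-000000000001}"     # constructed GUID
    # Constructed script body; proxy.example.com:3128 is a placeholder address.
    make_logon_script_gpo "$gpo" "Set-Proxy.ps1" \
      '$k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"; Set-ItemProperty $k ProxyEnable 1; Set-ItemProperty $k ProxyServer "proxy.example.com:3128"'
    echo "Files under the GPO:"; find "$gpo" -type f | sort
    echo "Version before edit: $(gpt_version "$gpo")"
    echo "Version after user-side bump: $(bump_user_version "$gpo")"
    echo "Split (user machine): $(split_version "$(gpt_version "$gpo")")"
    rm -rf "$sysvol"
}
[ "${0##*/}" = "bash" ] || main
```

Two things the files alone do not cover: the AD object for the GPO must carry the same number in its versionNumber attribute, and its gPCUserExtensionNames attribute must list the Scripts client-side extension, otherwise the client never looks at psscripts.ini. Both are set for you when the GPO is created with samba-tool or GPMC; when building one by hand, compare the attributes against a GPO that GPMC created rather than guessing them.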
(Jeroen Visser) #34

I’m sorry, but if your decision maker worries about 23 euros, replace him.


(Jeroen Visser) #35

https://www.digitallicense.nl/windows-10-professional-retail


(Marc) #36

In general (not particularly from the linked site), how legit are those cheap digital licenses?


(Gabriel GHEORGHIU) #37

Yes, but those licenses are not valid/legal, at least here, in Romania.


(Jeroen Visser) #38

There are a lot of legal resellers. You might have to search a bit, but Google is your friend in that regard. A couple of Win10 licenses shouldn’t cost more than 100 euros. Let me know if you need help; if the forum allows, I can compile a short list of reputable resellers.

But I really don’t see how any of this is even remotely valid, as I do not believe for one second that there are sysadmins who will not have at least two Windows VMs when they support a Windows client base. You need at least one for testing client updates and diagnosing issues, and another for all administrative tasks.
That is, unless you want to tell an employee that they can’t work for an hour while you test updates and such…

Licensing cost is mainly an issue for server installs, where the number of cores you have has an impact on your license fee (above 8 cores, iirc).

If you can force all clients to Mac or Linux then there is no use case for AD for the clients, except perhaps for centralised login. There is little use for GPOs on a non-Windows client though, as they won’t be run, except for a few login-related ones.

Maybe I am completely wrong about sysadmins elsewhere, but I don’t see how you get to guess that updates won’t bork the client machines and just risk it, and keep your job.


(Emiliano Vavassori) #39

That is usually not feasible, since we usually provide support to 3rd parties (as a business).

Don’t get me wrong, I have your same idea: if you need GPOs is because you have Windows clients to manage; since your client environment is already Windows-based, an additional (client) license, which costs greatly less than a server one, shouldn’t be a burden anyways.

But this is true only if you manage a network with four or more PCs. Unfortunately we have customers that are really small (2/3 people working in an office) which are bound by GDPR to have personal accesses and thus need AD. To standardise the deployments on these customers (with respect to the other, bigger ones) you will deploy GPOs, so you need RSAT tools; some of the policies are replaceable with other workarounds (e.g. share mapping), some others are simply not economically justifiable, if done manually, for 2/3 PCs (like blocking USB). And doing stuff manually on a single PC is much more expensive (implementation, maintenance, complexity) than doing it once for all PCs.

So yes, I am sure 90% of the people, when faced with the higher cost of not having a Windows client machine for RSAT tools, will agree that a single license is better. But this is not always the case, and since we are discussing general support of GPO without proprietary products in the middle, I second that having an interface for managing GPOs would be better, even if the support is basic.


(Rob Bosch) #40

IMO these kinds of lists should not be in these forums. It would be a bit strange (to say the least) if we, as an open source Linux community, start promoting buying Windows licenses from sources that are impossible to judge as legit or not…
If it were up to me, Windows client licenses cost at least EUR 150. Then the open source counterpart has the license cost advantage, although the main reason to use open source is the philosophy behind open source and not the cost (but in this commercial world that will probably remain a utopia).


(Jeroen Visser) #41

I get your point, but I do not suppose that you will tell them to come back tomorrow because today you will be reinstalling their machine, whenever Windows decides it is time? Nor that you deploy untested updates? What happens when ransomware hits?

If that is actually what is accepted by the customer, then I just need to learn more about real-world scenarios that are alien to me, yet seem quite common.
I do agree that it is nice to have GPO editing from the web interface for the basics you mention there, but I highly doubt you will find it enough.

Scenario: Policy has to be reworked to do X

  1. You change the policy
  2. You walk over to the user, ask them to run gpupdate /force from the command line
  3. ask them to log out and back in or even reboot
  4. Test
  5. etc?

Scenario: User has windows issues and end result is PC needs reinstall

  1. Send user home
  2. pick up PC
  3. reinstall PC
  4. bring back PC
  5. call user to come back to work?

Seems more expensive than the license to me, if you consider the lost time of that person. I am sounding overly critical though, and made a statement that was clearly wrong, else there would not have been this discussion.

Can I have the snob badge now ? :wink: