As you might already know, GPO is software that controls user accounts, computers, work environments, settings, applications and other security-related issues from a central point on all Windows desktop and server operating systems.
The subject is a very complex one and tons of documentation has been published on it, but this tutorial covers a basic implementation of how to enable GPO on users and computers joined to a Zentyal 3.4 PDC Server.
Step 1: Create Organizational Units (OU)
1. Access your Zentyal Web Administration Tools through “https://your_domain_name” or “https://your_zentyal_ip_address” and go to Users and Computers Module –> Manage.
2. Highlight your domain, click on the green “+” button, select Organizational Unit, enter your “Organizational Unit Name” on the prompt (choose a descriptive name) and then click Add. (OUs can also be created from Remote Administrative Tools such as Active Directory Users and Computers or Group Policy Management.)
Enter Organizational Unit Name
Add Organization Unit
3. Now go to your Windows Remote System and open the Group Policy Management shortcut (as you can see, your newly created Organizational Unit appears under your domain).
Group Policy Management
4. Right-click the Organizational Unit you just created and select Create a GPO in this domain, and Link it here….
Create a GPO
5. On the New GPO prompt enter a descriptive name for this new GPO and then hit OK.
Enter New GPO Name
6. This creates the basic GPO file for this Organizational Unit, but it has no settings configured yet. To start editing the file, right-click its name and select Edit.
Edit GPO
7. This opens the Group Policy Management Editor for this file (these settings will apply only to users and computers moved to this OU).
Group Policy Management Editor
8. Now let's start configuring some simple settings for this Group Policy file. Here are some basic settings:
A. Navigate to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options –> Interactive Logon –> Message text/title for users attempting to logon. On both settings (message text and message title), tick Define this policy setting, enter some text and hit OK.
Define Policy Settings
Define Policy Settings
WARN: To apply this setting to all users and computers in your domain, select and edit the Default Domain Policy file in the domain forest list instead.
B. Navigate to User Configuration –> Policies –> Administrative Templates –> Control Panel –> Prohibit access to Control Panel and PC settings, double-click it and select Enabled.
User and Computer Settings
Control Panel Settings
You can configure all sorts of security settings related to Users and Computers for this Organizational Unit (only your needs and imagination are the limit), like the ones in the screenshot below, but that is not the purpose of this tutorial (I have configured these only for demonstration).
Security Settings
9. After you have finished all your security settings and configuration, close all windows and go back to the Zentyal Web Admin Interface (https://mydomain.com). Go to Domain Module –> Group Policy Links, highlight your GPO file in your domain forest, select both Link Enabled and Enforced, and hit the Edit button to apply the settings to this OU.
Group Policy Links
Group Policy Object
As you can see from the Windows Group Policy Management remote tool, this policy is now enabled on the OU.
Group Policy Enabled
You can also see a list of all your OU GPO settings by clicking on the Settings tab.
OU GPO Settings
10. To actually see the new settings applied, reboot the Windows machines joined to this domain twice.
Welcome to Domain
Step 2: Add Users to Organizational Units (OU)
Now let's add a user to our new OU so that these settings take effect. Let's say that you have some doubts about user2 on your domain and you want him to have the restrictions imposed by the Allowed_Users OU GPO.
11. On the Windows Remote Machine open Active Directory Users and Computers, navigate to Users, select user2 and right-click it to open the context menu.
Add Users to Organizational Units
12. On the Move window prompt select the Allowed_Users OU and hit OK.
Select Allowed_Users OU
Allowed User List
Now all settings in this GPO will apply to this user the next time he logs in. As shown, this user no longer has access to Task Manager, Control Panel or other related settings on computers joined to this domain.
Restrictions Applied
Switch User
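To confirm on a client that settings A and B from step 8 really arrived, the following PowerShell check can be run; it is an added example, not part of the original tutorial. It assumes a domain-joined Windows client, a session logged on as the user moved into the OU, and an elevated prompt for the computer scope; `$GpoName` is a placeholder, and the registry value names are the standard Windows locations for these two policies rather than something shown on this page.

```powershell
param(
    # Placeholder (assumption): the name you typed in the New GPO prompt in step 5.
    [string]$GpoName = 'REPLACE_WITH_GPO_NAME'
)

# Ask the client to re-read policy from the domain controller right away.
gpupdate /force

# Registry values written by settings A (computer side) and B (user side) of step 8.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Setting = 'A: logon message title';    Path = $sys; Name = 'LegalNoticeCaption' },
    @{ Setting = 'A: logon message text';     Path = $sys; Name = 'LegalNoticeText' },
    @{ Setting = 'B: prohibit Control Panel'; Path = $exp; Name = 'NoControlPanel'; Want = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value yields $null instead of an error.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = if ($c.ContainsKey('Want')) {
        $value -eq $c.Want                           # DWORD policy must match exactly
    } else {
        -not [string]::IsNullOrWhiteSpace("$value")  # text policy must be non-empty
    }
    [pscustomobject]@{ Setting = $c.Setting; Value = $value; Applied = $ok }
}
$results | Format-Table -AutoSize

# gpresult reports which GPOs the client processed. Print every line naming our GPO
# so you can see whether it sits under the applied list or the filtered-out list.
foreach ($scope in 'computer', 'user') {
    $hits = gpresult /r /scope $scope | Select-String -SimpleMatch $GpoName
    if ($hits) {
        "{0} scope: '{1}' appears in gpresult output:" -f $scope, $GpoName
        $hits | ForEach-Object { '    ' + $_.Line.Trim() }
    } else {
        "{0} scope: '{1}' NOT found in gpresult output" -f $scope, $GpoName
    }
}
```

If a row shows `Applied = False` while the GPO is listed, check that the computer account (for setting A) or the user account (for setting B) is actually inside the OU the GPO is linked to.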
All of these settings were made possible by a server running a Linux-based distribution, Zentyal 3.4, with free open source software, Samba4 and LDAP, that acts almost like a genuine Windows 2003 Server, plus a few remote management tools that are available on any Windows desktop machine.