Creating Organizational Units (OU) and Enableing GPO (Group Policy) in Zentyal PDC

Creating Organizational Units (OU) and Enableing GPO (Group Policy) in Zentyal PDC Server – Part 3

As you might already know GPO is software that controls user accounts, computers, work environments, settings, applications and other security related issues form a central point on all Windows desktop and servers Operating Systems.
This subject is a very complex one and tons of documentations have been published on subject but this tutorial covers some basic implementation on how to enable GPO on users and computers joined in a Zentyal 3.4 PDC Server.

Step 1: Create Organizational Units (OU)

1. Access your Zentyal Web Administration Tools through “https://your_domain_name” or “https://your_zentyal_ip_addess” and go to Users and Computers Module –> Manage.

2. Highlight your domain, click on green “+” button, select Organizational Unit and on the prompt enter your “Organizational Unit Name” ( choose a descriptive name ) and then shoot on Add ( OU’s can also be created from Remote Administrative Tools like Active Directory Users and Computer or Group Policy Management).

Enter Organizational Unit Name

Add Organization Unit

3. Now go to your Windows Remote System and open Group Policy Management shortcut ( as you can see the your newly created Organizational Unit appears on your domain).

Group Policy Management

4. Right click on your Organization Name just created and select Create a GPO in this domain, and Link it here….

Create a GPO

5. On the New GPO prompt enter a descriptive name for this new GPO and the hit OK.

Enter New GPO Name

6. This creates your GPO Basic File for this Organizational Unit but has no settings configured yet. To start editing this file right click on this file name and select Edit.

Edit GPO

7. This will open Group Policy Management Editor for this file (this settings will apply only on users and computers moved to this OU).

Group Policy Management Editor

8. Now lets start configure some simple settings for this Group Policy File.

Here are some basic settings

A. Navigate to Computer Configuration –> Windows settings –> Security Settings –> Local Policies –> Security Options –> Interactive Logon –> Message text/title for users attempting to logon, enter some text on Define this policy settings on both settings and hit OK.

Define Policy Settings

Define Policy Settings

WARN: To apply this setting on your entire domain users and computers so far you should select and edit Default Domain Policy file on Domain Forest List.
B. Navigate to User Configuration –> Policies –> Administrative Templates –> Control Panel –> prohibit Access to Control Panel and PC Settings, double click and select Enabled.

User and Computer Settings

Control Panel Settings

You can do all sorts of security settings related to Users and Computers for this Organizational Unit (only your needs and imagination is the limit ) like the ones in the screenshot below but that’s not the purpose of this tutorial (I have configured this only for demonstrating).

Security Settings

9. After you have done all your security settings and configurations close all windows and go back to Zentyal Web Admin Interface ( https://mydomain.com ), go to Domain Module –> Group Policy Links, highlight your GPO file from your domain Forest, select both Link Enabled and Enforced  and hit on Edit button to apply settings for this OU.

Group Policy Links

Group Policy Object

As you can see from Windows Group Policy Management remote tool this policy has been enabled on OU.

Group Policy Enabled

You can also see a list of all your OU GPO settings by clicking on Settings tab.

OU GPO Settings

10. Now for actually being able to see your new settings applied just reboot twice your Windows machines joined in this domain to see the effect.

Welcome to Domain

Step 2: Add Users to Organizational Units (OU)

Now lets add a user into our new OU for effective applying this settings. Lets say that you have some doubts about user2 on your domain and you what him to have restrictions imposed by Allowed_User OU GPO.
11. On Windows Remote Machine open Active Directory Users and Computers, navigate to Users, select user2 and do a right click for menu appearance.

Add Users to Organizational Units

12. On the Move window prompt select Allowed_Users OU and hit OK.

Select Allowed_Users OU

Allowed User List

Now all settings on this GPO will apply to this user as soon as he logs back in the next time. As proven this user does not have access to Task Manager, Control Panel or other related computer settings joined into this domain.

Restrictions Applied

Switch User

All of this settings where made possible under a server running a Linux based distribution, Zentyal 3.4, with free open source software, Samba4 and LDAP, that acts almost like a Windows 2003 genuine Server and a few remote management tools that are available on any Windows Desktop machine.