Author Topic: Setting Up Group Policy  (Read 18698 times)

B0UJI

  • Zen Apprentice
  • Posts: 30
  • Karma: +3/-0
Setting Up Group Policy
« on: October 17, 2012, 03:39:44 am »
Hey all, has anyone had any luck setting up group policy through Microsoft Server Management tools?

When I use the Group Policy Management tool and try to either edit the Default Domain Policy or create a new policy on an OU, I get the attached error saying Access Denied. The user I'm doing it with is definitely a domain administrator.

Has anyone seen this?

Krisztián Czakó

  • Zen Apprentice
  • Posts: 25
  • Karma: +5/-0
  • Zentyal Gold Partner in Hungary
Re: Setting Up Group Policy
« Reply #1 on: October 17, 2012, 10:47:50 am »
Hi,

Yes, it works.

I've done the following:
  • Installed Zentyal 3.0 + file sharing (samba) + user management + dhcp + dns
  • Be sure that your domain name (DNS, Kerberos and Windows) and your DNS zone are in sync, but I think it is in your case. If not, you (Zentyal) won't be able to provision samba and the DC won't work.
  • Use at least Windows 7 SP1 on the workstation (it may work with non SP1, I haven't tried).
  • Join that Windows to the domain!
  • Log in to Windows with a domain administrator (not with a local one). I suggest using the "Administrator" user of the domain (other Domain Admin group members may not work).
  • Install RSAT from here: http://www.microsoft.com/en-US/download/details.aspx?id=7887
  • Run RSAT. It will identify your server and will save policies there.
  • Note that all policy magics are stored in simple files on the server in specific directories (same on a Windows Server). This means that the user you use must have write access to these shares (these are technical shares, not shares created by you).
I hope it helps you.
Regards,
Krisztián


B0UJI

Re: Setting Up Group Policy
« Reply #2 on: October 18, 2012, 05:43:25 am »
Thanks for your reply.

I get the same issue if it's a user who is part of the "Domain Admins" but I've noticed what might be my issue.... perhaps.

When I set up Zentyal I set up the user as "Administrator". Now I think that there may be two "Administrator" users and the system is NOT happy with it. Does this sound right?

So there's an Administrator user on the Samba side for the Domain Controller aspect. But my local user for the Zentyal SYSTEM itself is also called "Administrator". Was this a bad call!? eeep!

*update* Just had a look through AD Management Console, indeed the "Administrator" user in Samba4 has no "User logon name". So this perhaps lends more credence to this being my actual issue?
« Last Edit: October 18, 2012, 05:46:29 am by B0UJI »

Krisztián Czakó

Re: Setting Up Group Policy
« Reply #3 on: October 18, 2012, 11:40:13 am »
Hi,

You're right. You shouldn't use a user name for Zentyal administration who is also a user in Zentyal itself (added on the web interface or from the AD). It's a bit strange, I know. The technical reason is that they're all real Linux users in the background handled differently. There shouldn't exist two users with the same login name (however in Linux this can happen).
Do not choose "administrator" as a user name when installing Zentyal!
I think Zentyal's installer should prevent this (but does not).

Regards,
Krisztián



B0UJI

Re: Setting Up Group Policy
« Reply #4 on: October 18, 2012, 11:56:39 am »
Yeah I noticed that and was like "awwwww damn".

Reckon I can recover this server by filling in the logon name (for the Samba Administrator) as "admin"? Or rename the other one?

Krisztián Czakó

Re: Setting Up Group Policy
« Reply #5 on: October 18, 2012, 03:01:52 pm »
I recommend renaming the one you've created at installation time, but I don't know the side effects.
First, log off from the web interface!
Try this in a terminal (make a backup first!):
Check your real user id:
Code:
id
If it's really administrator, try to rename it to "myadmin":
Code:
sudo usermod -d /home/myadmin -l myadmin administrator
sudo mv /home/administrator /home/myadmin
Reboot your system immediately!
After reboot, you should be able to log in on the console and to the web interface with the new name and the old password.
I hope that Zentyal's "Administrator" account (visible in the users list) is there and you can use it. Change the password for that user!

I hope it helps, but be aware that you can lock yourself out of your system, so make a backup!

Regards,
Krisztián
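
An added example (not part of the original posts): a pre-flight check for the name clash and the rename discussed in Replies #3 and #5. It lists local logins that shadow a domain account and checks that a new name is unused on both sides; the account data, the function names and the `---` separator are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. All account data below is constructed.

# Constructed passwd-format sample (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
administrator:x:1000:1000:Zentyal admin:/home/administrator:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Constructed list of domain account names, one per line.
SAMPLE_DOMAIN='Administrator
Guest
jsmith'

# colliding_names PASSWD_TEXT DOMAIN_TEXT
# Prints every local login name that also exists in the domain list.
# Names are compared case-insensitively, as domain logon names are.
colliding_names() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: '
        $0 == ""     { next }
        $0 == "---"  { in_passwd = 1; next }
        !in_passwd   { domain[tolower($0)] = 1; next }
        (tolower($1) in domain) { print $1 }'
}

# name_in_use NAME PASSWD_TEXT DOMAIN_TEXT
# Returns 0 if NAME matches a local or domain account, ignoring case.
name_in_use() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    { printf '%s\n' "$2" | cut -d: -f1; printf '%s\n' "$3"; } |
        tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$want"
}

# check_rename OLD NEW PASSWD_TEXT DOMAIN_TEXT
# Prints "ok" when OLD is a local account and NEW is unused everywhere.
check_rename() {
    if ! printf '%s\n' "$3" | cut -d: -f1 | grep -Fxq -- "$1"; then
        echo "no-such-local-user"
    elif name_in_use "$2" "$3" "$4"; then
        echo "target-taken"
    else
        echo "ok"
    fi
}

echo "Local accounts shadowing a domain account:"
colliding_names "$SAMPLE_PASSWD" "$SAMPLE_DOMAIN"
echo "administrator -> myadmin: $(check_rename administrator myadmin "$SAMPLE_PASSWD" "$SAMPLE_DOMAIN")"
echo "administrator -> guest:   $(check_rename administrator guest "$SAMPLE_PASSWD" "$SAMPLE_DOMAIN")"
```

On a real host the first argument would come from `/etc/passwd` and the second from an export of the domain's account names.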


B0UJI

Re: Setting Up Group Policy
« Reply #6 on: October 19, 2012, 11:08:16 am »
You sir, are a saviour. That was indeed the issue. A note for next time, I will ensure my Zentyal administrator is NOT "Administrator" as that is needed by the Domain.

Phew.

Against your advice (sorry! :( ) I just renamed the Domain Administrator "logon name" to "Admin". My stance is it was currently blank so any services that "relied" on it were screwed anyway. Seems to have worked and it definitely lets me apply Group Policy. Interesting to note, I set up the account I designated as my Administrator to be the same as it, and it still didn't allow Group Policy creations so it must be something to do with special privileges of the inbuilt Domain Administrator.

But again, many thanks!