Policy Issues

[Ghassan Barkasiah]

hi.
I have installed Zentyal4 and configured domain and file sharing.every thing is ok, but i have tow complex situations:

first, in GPO i can't allow normal user to change LAN setting even after add and force it via RSAT .

second, may this request be strange a little bit, but there is no other way. there is some users use a software that doesn't work without administrator privilege. I have to make them as a domain admin with restrict on file sharing. is that possible?

Can any one help me with this please?
thanks.

[mateusz.stepien]

1. Samba is still working on GPO so not everything is working. Therefore use the registry entries instead of GPO templates.
2. You are doing this a bit wrong. Do not make a user a Domain Admin as that will cause a massive security issues.
3. Use the security template in GPO to deploy certain security groups to application (you can find that on youtube). Best practice is to create new security group and make a user as a member.

[Ghassan Barkasiah]

thank you Mateusz.Stepien I appreciate.

I have to make them domain admins for more than reason, so i found a way to restrict them for share.
1- I add a special-user to Administrators built-in group, and remove domain admins from it.
2- In sharing folders -> Properties  -> Security, I edit the domain admin group permissions.
3- prevent snap-in access for any one except the special-user i have added to Administrators group.
every thing is going well.
I have only one problem, when i change privilege sharing folder from Zentyal GUI. Domain Admin permissions reset to default and I have to reconfigure it manually. Do have any idea may help with this?

regards.