Author Topic: GPO security filtering is not working  (Read 1872 times)

casper

GPO security filtering is not working
« on: April 16, 2017, 10:01:22 am »
Hi all,

First some system information:

Zentyal version:
dingit@dc01:~$ dpkg -l | grep "zentyal"
ii  libhtml-mason-perl                    1:1.56+zentyal1-1                          all          HTML::Mason Perl module
ii  zentyal                               5.0.1                                      all          Zentyal - Core metapackage
ii  zentyal-antivirus                     5.0.1                                      all          Zentyal - Antivirus
ii  zentyal-core                          5.0.7                                      all          Zentyal - Core
ii  zentyal-dns                           5.0.1                                      all          Zentyal - DNS Server
ii  zentyal-firewall                      5.0.1                                      all          Zentyal - Firewall
ii  zentyal-network                       5.0.6                                      all          Zentyal - Network Configuration
ii  zentyal-ntp                           5.0                                        all          Zentyal - NTP Service
ii  zentyal-samba                         5.0.6                                      all          Zentyal - Domain Controller and File Sharing
ii  zentyal-software                      5.0.1                                      all          Zentyal - Software Management
dingit@dc01:~$

Ubuntu version:
dingit@dc01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial
dingit@dc01:~$

This is a freshly installed Zentyal server installed from the ISO provided by the Zentyal website yesterday.

I plan on using this as a PDC server and nothing more.

I have my domain up and running.
I have 3 PCs connected to it fine.

Now I'm trying to deploy my GPO to the clients.

I have 4 network drive GPOs separated in 4 GPOs.
network drive 1, 2, 3 and 4
I have a group in AD called network drive 1, 2, 3 and 4.
In each GPO for the network drive I have a security filter for the corresponding group in AD.

So GPO "network drive 1" has a security filtering for AD group "network drive 1"
and so I plan to make the users that need "network drive 1" members of group "network drive 1".

My problem is that Zentyal is not at all registering that I put this security filter on the GPO.
Zentyal sees all the groups and users fine in the web interface.

By the way, I'm setting all this up using RSAT tools from Microsoft.

If I put "Authenticated users" back on the security filtering it works fine. As soon as I put a group on, it doesn't work.

ALSO

I have made an OU hierarchy as well.

So I have:

dingit.lan
     DingIT
         Users
         Computers

and so on - I hope you get the point :)

But my GPO does not hit the client PCs if they are in any of the OUs I have created. Like if I want the "network drive 1" GPO to be under dingit.lan/dingit/users/ it won't load on the clients. But if I put the GPO in the root under dingit.lan/ it works fine.

I could actually live with this if the security filtering was working, since I would control access to the GPO in that way. But since I need to run the GPO as authenticated users (first problem in this post) and also the GPO is located in the root of the GPO tree, all GPOs would be assigned to ALL users and computers, which is a BIG no go :) I hope you can see why.

I have no idea how to proceed from here. Can anyone help me? At least point me in the right direction?

Both Zentyal and Ubuntu are fully updated.
CEO of Ding IT in Denmark. An IT consultant company with a strong focus on bringing IT costs down without compromising stability or functionality
http://Dingit.dk

casper

Re: GPO security filtering is not working
« Reply #1 on: April 21, 2017, 12:19:01 pm »
Can no one help me here? Or have I not supplied enough information?
« Last Edit: April 21, 2017, 01:53:40 pm by casper »

Curry

Re: GPO security filtering is not working
« Reply #2 on: May 31, 2017, 02:46:37 pm »
I would like to second that notion. I can't get security filtering to work. Fresh install, fully updated.
sadmin@salvi-server:~$ dpkg -l |grep "zentyal"
ii  libhtml-mason-perl                    1:1.56+zentyal1-1                          all          HTML::Mason Perl module
ii  zentyal                               5.0.1                                      all          Zentyal - Core metapackage
ii  zentyal-ca                            5.0                                        all          Zentyal - Certification Authority
ii  zentyal-core                          5.0.8                                      all          Zentyal - Core
ii  zentyal-dns                           5.0.1                                      all          Zentyal - DNS Server
ii  zentyal-firewall                      5.0.1                                      all          Zentyal - Firewall
ii  zentyal-network                       5.0.6                                      all          Zentyal - Network Configuration
ii  zentyal-ntp                           5.0                                        all          Zentyal - NTP Service
ii  zentyal-openvpn                       5.0.1                                      all          Zentyal - VPN
ii  zentyal-samba                         5.0.7                                      all          Zentyal - Domain Controller and File Sharing
ii  zentyal-software                      5.0.1                                      all          Zentyal - Software Management

casper

Re: GPO security filtering is not working
« Reply #3 on: May 31, 2017, 02:49:53 pm »
Hi Curry,

I found my problem.

I use RSAT GPO manager to create my GPO.

When you create a new GPO and you change security filtering to something else than authenticated users, then you need to add read rights for authenticated users under the Delegation tab -> Advanced button.

This is not related to Zentyal but a new GPO security design by Microsoft implemented in 2008 R2, I believe. I'm not sure about that.

That was what solved my problem.

Curry

Re: GPO security filtering is not working
« Reply #4 on: June 04, 2017, 01:33:21 pm »
Hey casper,

I appreciate you getting back to me. Adding read rights for auth. users seems to have worked.

Thanks!
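
The fix from Reply #3, scripted as an added example (not code from the thread or from Zentyal): it lists every GPO on which Authenticated Users no longer holds at least Read, shows which trustees the GPO is filtered to, and previews granting Read back. It assumes the RSAT GroupPolicy module on a domain-joined admin workstation and that the trustee is named "Authenticated Users" in the domain; `Test-AuthUsersCanRead` is a helper name made up for this example.

```powershell
# Added example: audit GPOs whose security filtering was narrowed to a group.
# Assumes the RSAT GroupPolicy module and rights to read/modify GPO permissions.
Import-Module GroupPolicy

$AuthUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
$ReadOrBetter = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-AuthUsersCanRead {
    # Hypothetical helper: true when Authenticated Users holds Read or more.
    # A GpoCustom entry is treated as "not readable" so it shows up for review.
    param([Parameter(Mandatory)] $Permissions)
    foreach ($p in $Permissions) {
        if ($p.Trustee.Sid.Value -eq $AuthUsersSid -and
            $ReadOrBetter -contains $p.Permission.ToString()) {
            return $true
        }
    }
    return $false
}

$unreadable = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    if (-not (Test-AuthUsersCanRead -Permissions $perms)) {
        # Trustees with Apply are the groups set under Security Filtering.
        $filteredTo = $perms |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            Name       = $gpo.DisplayName
            Id         = $gpo.Id
            FilteredTo = $filteredTo -join ', '
        }
    }
}

$unreadable | Format-Table -AutoSize

# Grant Read only. GpoRead lets clients read the GPO without applying it,
# so the group chosen under Security Filtering still decides who gets the
# settings. Remove -WhatIf after reviewing the list above.
foreach ($row in $unreadable) {
    Set-GPPermission -Guid $row.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -WhatIf
}
```

Granting `GpoApply` here instead of `GpoRead` would undo the security filtering and apply the GPO to every authenticated user, which is the outcome the original post wanted to avoid.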