Samba4 Administration
From Stadm
Contents
Creating Users
- users can be created in two ways:
- they can be done through the gui provided by RSAT(Remote Service Administration Tools) to add users into Active Directory (AD)
- simply click new user in the appropriate OU (organizational unit) and enter in name,username and password
- User UID can be changed or specified using modXid script on AD server
- to create user into AD using terminal use samba-tool
samba-tool user add USERNAME
- UID can be specified at creation using command line, use:
samba-tool user add USERNAME --uid-number=UIDNUMBER
Changing XID
- uid and gid for users in samab are translated from the users windows SID using idmap
- idmap stores its database locally which contains the mappings
- a script
GPO Office
- admx files must be downloaded for each version of microsoft office that clients use(office 2007, 2010, etc.)
- run a "gpudate \force" if you dont see them appear in group policy editor
- once placed in policyDefinitions under sysvol GPO may be applied to that specific version of office
- User Configuration->Administrative Templates ->"Microsoft Office [version]" ->Privacy->Trust Center
- enable the "Disable opt-in..", disable "Enable Customer Experience..." and "Automatically receive small.."
- must be done for every version of office clients are running(annoying pop up messages when office starts if this is not set)
GPO Windows Update
- locate a copy of wuau.adm and install into PolicyDefinitions
- Windows update group policy should be set up on a per machine bases(GPO applied to Machines not Users)
- Computer Configuration ->Policies-> Administrative Templates ->Windows Components->Windows Update
Configure Automatic Update: Enabled Allow non-administrators to receive update notifications: enabled Allow Automatic Updates Immediate installations: enabled No auto-restart with logged in users: enabled Reschedule Automatic Updates scheduled installation: enabled
GPO Network, Firewall, Remote Desktop Connections
- GPO for RDC are in two locations
- Computer Configuration->Policies->Administrative Templates->Network->Network Connections->Windows Firewall-> Domain Profile
Windows Firewall:Allow inbound Remote Desktop conneciotns
- limit to subnets of eri and vpn
Windows Firewall: Allow ICMP exceptions: Enabled
- check Allow inbound echo Request
- Computer Configuration->Policies->Administrative Templates->Windows Components->Remote Desktop Connection Host->Connections
Allow users to connect remotely using Remote Desktop Services: enabled
- to allow specific users/group login:
- Computer Configuration->Policies->Windows Settings->Security Settings->Restricted Groups
- create Remote Desktop Users group if not created, add users manually into group or add an entire group to allow Remote Desktop Connections
- DNS suffix search list
- Computer Configuration->Policies->Administrative Templates => Netowrk => DNS client => DNS suffix search list
- Enabled: mydomain.edu, name.mydomain.edu
