Editing issues in RSAT : missing functionalities

apiron · March 28, 2019, 1:56pm

Dear all,

I’m using 2x redundant UCS. I’m satisfied with most of the functionalities using the interface.

I have nonetheless a problem with (i think) RSAT and / or sysvol.

1/
Sysvol is often generating provisioning errors, solved by a samba-tool command (ntacl sysvol-reset) in CLI or graphically.

Errors are similar to this :

ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/int.artis.fr/Policies/{29D984ED-5CB9-466F-9C27-07BC02CE032C}/Machine/Scripts/Shutdown O:S-1-5-21-3325294162-1806136982-3518422568-1125G:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-3325294162-1806136982-3518422568-1125)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU) does not match value O:EAG:EAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU) expected from GPO object ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/int.artis.fr/Policies/{29D984ED-5CB9-466F-9C27-07BC02CE032C}/Machine/Scripts/Shutdown O:S-1-5-21-3325294162-1806136982-3518422568-1125G:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;S-1-5-21-3325294162-1806136982-3518422568-1125)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU) does not match value O:EAG:EAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU) expected from GPO object

I really don’t measure the severity of this, nor if this is related to my second problem :

2/
I have issues with the RSAT I installed on my windows client (Windows 10 Enterprise LTSP 2015).

I have this version of RSAT : 10.0.10240.16384
Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.10240.16384

When I right-click on an item and choose properties, I’m never seeing what I expect in dsa.msc : members for a group for instance, or all user details including groups membership.

Instead, I see security and attributes tabs for some groups. Other times (?) I see nothing and nothing shows up with a right-click on a user or a group. Same in gpmc.msc
Therefore, I cannot fully edit my directory as I would.

Is there something I’m missing ?

apiron · April 1, 2019, 2:39pm

Add : I cannot either add a group in an MMC. I only can create objects in the management interface.

Moritz_Bunkus · April 2, 2019, 11:44am

In LDAP directories there two common types of containers: organizational units and regular contains. The thing with the defaults in UCS is that users, groups and computers are stored inside organizational units whereas you can only see objects inside regular containers with the RSAT’s “Active Directory users & computers” tool. What most people do is adding a regular container in UCS (e.g. named after your company, e.g. linet), adding regular containers for users, groups & computers inside said regular container and moving the objects into those newly created containers. Afterwards you can see & manage them from the RSAT (including the GPO management).

Here’s a short explanation how to do that:

Log in to the UMC (Univention Management Console), go to “Domain” → “LDAP directory”, left-click on the root object and click on “Add” above the list on the right. In the dialog asking you what to add select a “Container: Container”.
After the tree’s been reloaded showing your new container, left-click on it and “add” a “Container: Container” again, this time for users. Name it e.g. “Users” or “People” or whatever floats your boat. Before creating it, make sure to enable the "
Add to standard user containers" checkbox in the “Container settings” section. That way you can select that new container as the place to store a new user whenever you add one.
Repeat step 2 for groups & computers.
Now move users, groups & computers to the new containers. For that navigate to the “users”, “groups” or “computers” top-level objects in the tree, select the elements to move and move them to the new containers.

There are a couple of caveats:

You should not move certain system accounts. These include:
1. The users dns-*, join-*, kbackup, krbtgt, sys-idp-user, ucs-sso
2. Users created by apps you might have installed, e.g. oxadmin
3. Any other user of type simple authentication account
When you move the account of the user you’re currently logged in to the UMC with, this will fail with interesting error messages. Log out & back in again. The user object should be moved, but subsequent ones will probably not have been moved.
Only move computer objects belonging to Windows computers. Don’t move computer objects belonging to UCS servers (!) as they use their DN to log in to the LDAP — and if you move an object, its DN changes.
If people are logged in on computers that you’re moving in the LDAP, they may experience issues. Simply reboot the affected machines.

apiron · April 2, 2019, 2:26pm

Thanks for your answer, I’m going to have a detailed look on your answer. I already appreciate the time you took for it.

apiron · April 4, 2019, 10:28am

Dear Moritz,

I carefully read your post and I’m no sure I’m getting everything. Actually, I am not sure it’s going to solve my problem. Let me explain differently :

Computers :
My computers are located in Container:Organisational Units (two levels : computers and under it department1, 2, etc…). Computers policies created for those are applied.
In the MMC, when I right-click / properties on a computer object, I don’t see a normal property window : I only see the security and attributes tabs when I should see a lot more …

… as in the screenshot above for instance.

Groups and Users :

My groups and users are each in their own container:container. Obviously, I cannot apply any GPO on this. I’m pretty sure I should put in the same kind of hierarchical structure in OUs as I did for computers.
This one thing I should do.
Second point : in the MMC :

when I right-click / properties on a group, I see only security and attributes tabs whe I should see :
when I right-click / properties on a user, I can see :

when I should see :

That is why I am confused when you advise me to create a container:container hierarchy. the only diffference with my actual situation and your solution is one more sublevel. and boxes you mention are checked already.

I do hope I’m not looking ungrateful to you with my answer !

Thanks again for your time.

Moritz_Bunkus · April 4, 2019, 10:32am

Meh, I mixed container types. Yes, you do need to create organizational units and move users/groups/computers there if they’re currently located in containers. Sorry.

apiron · October 21, 2019, 1:07pm

Hello again,

I’m back on this topic. I did a few tests on my own. I installed a pure Samba4 4.9 in a test environnement and I’m not getting the issues described earlier linked to RSAT and LDAP objects.

With a pure Samba4, I’m able to have full RSAT functionalities : right click, properties, and then getting almost everything : member tab, member of tab … which I don’t have with UCS.

My UCS is updated and Samba 4 version is now 4.10, so the issue is probably not related to Samba itself but to its configuration or its interaction with UCS. And now, I’m not sure of what to do. Obviously, I’m not going to play with fire and break Samba4 configuration on my DC’s.

If my message implies functionalities which are to pay for, don’t be shy and tell me :).

Moritz_Bunkus · October 21, 2019, 1:27pm

The functionality you seem to be missing is definitely present in UCS. I’ve just verified that I do have all the tabs in the properties of computers, users & groups in my own UCS environment. I have no idea why you don’t.

The user account you’re logged in as, which groups is it a member of?

apiron · October 21, 2019, 1:53pm

I’m in Administrators and Domain Users.
Obviously, in Administrators, there are Domain Admins and Enterprise Admins.

Moritz_Bunkus · October 21, 2019, 2:06pm

Try adding the user directly to Domain Admins, please.

apiron · October 21, 2019, 2:33pm

Sorry : still limited…

I first added the department group I’m in in Domain Admins, the added myself directly.
Each time, I disconnected reconnected.
I also tried launching dsa console with a shift-right-click, to be sure I’m using a domain account and still the same.

I definitely am with you on the privilege topic but I cannot see what is wrong.

Moritz_Bunkus · October 21, 2019, 2:56pm

Me neither, I’m sorry to say.

apiron · October 21, 2019, 3:07pm

If it helps, I tested with a laptop I’m using for week-end shifts which is a Windows 7 (I know, End of support next year) and … it works…

So I’m guessing this is an issue related to Windows 10 …
An issue I’m adding to the pile of issues I have with Windows 10, including the non-deployment of GPOs…

Moritz_Bunkus · September 1, 2020, 7:43am

I just stumbled across the same problem on a new machine. Turns out all I had to do was to enable the “Advanced features” option in the “View” menu for all tabs to be shown.

apiron · September 1, 2020, 8:02am

Hi Moritz,

turns out that I solved my problem by migrating my client station from Windows 2015 Entreprise LTSB to Windows 10 Pro. So I guess it was Windows related after all. From an expert colleague of mine, what you get in rsat is dependent from what you have as a client station os.