Group Policy Management

UCS - Univention Corporate Server
#1

I’ve installed a UCS server to act as a domain controller for a small group of Windows 7 computers. It’s the only domain controller for this domain.

Added to the new domain some Windows 7 machines after setting their DNS to the UCS domain controller.

Created an OU for a subset of users so I can apply on only them a software execution restriction group policy (run only executables from c:\programs and c:\windows).

Created some users on this OU and logged with them on the Windows 7 machines. Everything runs smooth and without errors.

Installed “Remote Server Administration Tools” on a Windows 7 computer and, using group policy manager, I was able to create and link a new group policy on my test users OU.

From the windows 7 machines I can browse the sysvol share and confirm that my custom policy is there.

The problem:
This policy does not show up on the browser administration console (domain -> policies)
The policy is not applied to the clients, even after “gpupdate /force” on the clients and reboots (the DC and the clients).

Best regards,
mjda

#2

Hi,

UMC doesnt show Windows policies. The module is looking at Univention Policies to administer UCS-based Linux systems.
Documentation: Policies.

A first step to check why gpudate is not working as expected should be to look for related entries in the Windows Eventlog of the client.

Best Regards,
Dirk Ahrnke

#3

Thank you for your reply.
I am able to manage Windows Policies by using the Windows Active Directory and Policy Manager clients from a Windows 7 machine, member of the domain controlled by UCS server.

These policies work as expected if I link them at the same level of the “Default Domain Policy”. If I link them to an Organizational Unit they are not applied.

That’s OK for my purposes but it would be nice to be able to apply policies to specific OUs.

Best regards,
mjda

Block Powershell for specific Usergroups
#4

[quote=“mjda”]These policies work as expected if I link them at the same level of the “Default Domain Policy”. If I link them to an Organizational Unit they are not applied.

That’s OK for my purposes but it would be nice to be able to apply policies to specific OUs.
[/quote]

That’s strange. I think I tested it several times without any problems. Maybe this article helps: sdb.univention.de/1265

#5

[quote=“Gohmann”]
That’s strange. I think I tested it several times without any problems.[/quote]
It’s working fine…
I’m embarrassed to discover that policies not working had settings applied to the computer branch and, the computers I was testing on… were not on the correct OU. That’s why it worked only when the policy was linked to the domain root.

Sorry all to waste your time :slight_smile:
Best regards,
mjda

#6

[quote=“mjda”]Sorry all to waste your time :slight_smile:
[/quote]
No problem. :slight_smile:

Mastodon