Creating Organizational Units (OU) and Enabling GPO (Group Policy) in Zentyal PDC Server – Part 3

After my previous two tutorials on installing, basic configuration and remotely accessing Zentyal 3.4 PDC from a Windows-based node, it's time to apply some degree of security and configuration to the users and computers that are joined to your domain by creating Organizational Units (OU) and enabling GPO (Group Policy).

  1. Install Zentyal as PDC (Primary Domain Controller) and Integrate Windows – Part 1
  2. Manage Zentyal PDC (Primary Domain Controller) from Windows – Part 2
Create OU and Enable GPO


As you might already know, GPO is software that controls user accounts, computers, work environments, settings, applications and other security-related issues from a central point on all Windows desktop and server operating systems.

This subject is a very complex one and tons of documentation has been published on it, but this tutorial covers a basic implementation of how to enable GPO on users and computers joined to a Zentyal 3.4 PDC Server.

Step 1: Create Organizational Units (OU)

1. Access your Zentyal Web Administration Tools through “https://your_domain_name” or “https://your_zentyal_ip_address” and go to Users and Computers Module –> Manage.

2. Highlight your domain, click on the green “+” button, select Organizational Unit, enter your “Organizational Unit Name” at the prompt (choose a descriptive name) and then click Add (OUs can also be created from Remote Administrative Tools like Active Directory Users and Computers or Group Policy Management).

Enter Organizational Unit Name


Add Organization Unit


3. Now go to your Windows Remote System and open the Group Policy Management shortcut (as you can see, your newly created Organizational Unit appears in your domain).

Group Policy Management


4. Right-click the Organizational Unit you just created and select Create a GPO in this domain, and Link it here….

Create a GPO


5. On the New GPO prompt enter a descriptive name for this new GPO and then hit OK.

Enter New GPO Name


6. This creates your basic GPO file for this Organizational Unit, but it has no settings configured yet. To start editing this file, right-click its name and select Edit.

Edit GPO


7. This will open the Group Policy Management Editor for this file (these settings will apply only to users and computers moved to this OU).

Group Policy Management Editor


8. Now let's start configuring some simple settings for this Group Policy file.

Here are some basic settings

A. Navigate to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options –> Interactive Logon –> Message text/title for users attempting to log on, open each of the two settings, enter some text under Define this policy setting and hit OK.

Define Policy Settings


WARN: To apply this setting to all users and computers in your entire domain, you should instead select and edit the Default Domain Policy file in the Domain Forest list.

B. Navigate to User Configuration –> Policies –> Administrative Templates –> Control Panel –> Prohibit access to Control Panel and PC Settings, double-click it and select Enabled.

User and Computer Settings


Control Panel Settings


You can configure all sorts of security settings related to Users and Computers for this Organizational Unit (only your needs and imagination are the limit), like the ones in the screenshot below, but that's not the purpose of this tutorial (I have configured these only for demonstration).

Security Settings


9. After you have finished all your security settings and configurations, close all windows and go back to the Zentyal Web Admin Interface ( https://mydomain.com ), go to Domain Module –> Group Policy Links, highlight your GPO file in your domain Forest, select both Link Enabled and Enforced and hit the Edit button to apply the settings for this OU.

 Group Policy Links


Group Policy Object


As you can see from the Windows Group Policy Management remote tool, this policy has been enabled on the OU.

Group Policy Enabled


You can also see a list of all your OU GPO settings by clicking on the Settings tab.

OU GPO Settings


10. Now, to actually see your new settings applied, just reboot the Windows machines joined to this domain twice.

Welcome to Domain


Step 2: Add Users to Organizational Units (OU)

Now let's add a user to our new OU so that these settings actually apply. Let's say that you have some doubts about user2 on your domain and you want him to have the restrictions imposed by the Allowed_Users OU GPO.

11. On the Windows Remote Machine open Active Directory Users and Computers, navigate to Users, select user2 and right-click to bring up the menu.

Add Users to Organizational Units


12. On the Move window prompt select the Allowed_Users OU and hit OK.

Select Allowed_Users OU


Allowed User List


Now all settings in this GPO will apply to this user the next time he logs back in. As shown, this user does not have access to Task Manager, Control Panel or other related computer settings on machines joined to this domain.

Restrictions Applied


Switch User
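
To confirm from the client side that the settings from step 8 reached the restricted user's session, the PowerShell check below (an added example, not part of the original tutorial) reads the registry values these policies write and shows where the GPO is listed in the gpresult output. The GPO name Allowed_GPO is an assumption; replace it with the name you entered in step 5.

```powershell
# Added example: run on a domain-joined Windows client, logged on as the
# restricted user (user2 in this tutorial), after that user has logged on again.
param(
    # Assumption: the GPO name entered in step 5; replace with your own.
    [string]$GpoName = 'Allowed_GPO'
)

$sys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Registry values written by the policies from step 8 (A and B) and by the
# Task Manager restriction mentioned at the end of Step 2.
$checks = @(
    @{ Setting = 'Logon message title';      Path = "HKLM:\$sys"; Name = 'legalnoticecaption' },
    @{ Setting = 'Logon message text';       Path = "HKLM:\$sys"; Name = 'legalnoticetext' },
    @{ Setting = 'Control Panel prohibited'; Path = "HKCU:\$exp"; Name = 'NoControlPanel'; Expect = 1 },
    @{ Setting = 'Task Manager disabled';    Path = "HKCU:\$sys"; Name = 'DisableTaskMgr'; Expect = 1 }
)

function Test-PolicyValue($check) {
    $item  = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($check.Name) } else { $null }
    if ($check.ContainsKey('Expect')) {
        # DWORD policies: the value must equal the expected number.
        $ok = ($value -eq $check.Expect)
    } else {
        # Text policies: the value exists by default but is empty until set.
        $ok = -not [string]::IsNullOrEmpty([string]$value)
    }
    New-Object PSObject -Property @{ Setting = $check.Setting; Applied = $ok; Value = $value }
}

$checks | ForEach-Object { Test-PolicyValue $_ } |
    Format-Table Setting, Applied, Value -AutoSize

# Show where the GPO appears in the user's resultant set of policy. The
# leading context lines help show which heading it is listed under.
gpresult /r /scope:user | Select-String -SimpleMatch $GpoName -Context 3,0
```

The logon message is a Computer Configuration setting, so it reaches a machine only if the computer account is in the OU or the GPO is linked higher up, while the Control Panel restriction follows the user account.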


All of these settings were made possible by a server running a Linux-based distribution, Zentyal 3.4, with free open source software, Samba4 and LDAP, that acts almost like a genuine Windows 2003 Server, and a few remote management tools that are available on any Windows desktop machine.


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux desktop and server distributions and bash scripting.


20 Responses

  1. Sergiu says:

    Hello ! I got a request of the Group Policy Management in windows 7 fail to add that GPO ( Allowed_GPO ) tells me that I have access to all that are connected to the win with a user from Domain Admins created zentyal where wrong ? or how can I give rights to a user to have full access to the Group Policy Management.

  2. Matei Cezar says:

    Is your user3 added to the right GPO?

  3. Marco says:

    Hi again, finally I can access the GPOs and all this stuff, but my GPOs didn't work. If I modify “Default Domain Policy” only my user “administrator” has this GPO applied, other domain users don't, and allowed_GPO does not work for users3…

    Can you tell me where is the problem??

    thank you!

  4. Gud44 says:

    Hi,
    Great tutorials, I’m gonna test all that soon. Go on!!

  5. Marco says:

    Hi!
    Thank you so much for all your tutorials, they are very useful!

    I have some problems with Zentyal 3.4 and Group Policy Management. I have my domain (medsan.net), DNS, all right, Samba works, DHCP works, everything is fine.

    Then, I have a virtual machine with Windows 7 Professional x32. It is on my medsan domain. I log in with a user called “Administrator” (he is in the Domain Admins group so I think he is an admin, right?). But when I try to create a new GPO in the Windows 7 Group Policy Management, or when I try to edit the Default Domain Policy, it says “Access Denied”.

    What is the problem here? :S

    Thank you! Waiting for an answer. I'm doing a school project with Zentyal :)

  6. tejas says:

    Hi,
    I am a big fan of your tutorials, please keep continuing your ingeniously simplified tutorials.

  7. matei cezar says:

    @Ivan: You cannot edit the LDAP schema on Zentyal from the Web admin tool, but you should try adding object fields from a Windows RSAT Active Directory… the LDAP schema can also be edited from the command line, but the changes are not permanent (they will be rewritten).
    @Shaunx: I don't understand what you mean? The basic GPO file can be created from Zentyal, but for editing GPO settings you must use Group Policy Management from Windows RSAT. The file will then behave in the same way as a genuine GPO file created from AD.

    • Ivan says:

      Thanks man,

      I know how to edit LDAP schema, just wanted to make sure that this is supported in Zentyal. Didn’t get a chance to test it yet.

  8. Shaunx says:

    Hi Matei, can I ask a question??? Can a GPO that's created by Zentyal work correctly like in Windows AD???

  9. Ivan says:

    Is it possible to edit the schema in a Zentyal domain and add new fields to objects ?

  10. Guido Rolon says:

    Nothing to say but Clap Clap, thanks !
