Transcript for:
Installing Samba Active Directory Domain Controller in Ubuntu Server

Hey, what's going on everyone, and welcome to another video. In this video I'm going to bring quite an interesting video. This is going to be a long video, but we are going to cover a lot of topics relevant to system administration. I'm going to show you how to install a Samba Active Directory domain controller in Ubuntu Server.

What we're going to cover in this video: we're going to install a Samba Active Directory domain controller, then we're going to test name resolution. In the second part of the video, this is the interesting part, we get to join a Windows 10 client to a domain. We're going to download the Microsoft Remote System Administration Tool in order to manage an Active Directory installed in a Linux server. Then we are going to perform all system administration tasks using this Remote System Administration Tool from a Windows client, like creating users in Active Directory, mapping network drives, and installing software using Group Policy Objects and MSI packages.

I know that Microsoft is actually moving from in-premises domain controllers and servers to cloud-based Active Directory, but I believe an in-premise server with an Active Directory in a network environment is still very, very relevant. So that being said, let's get started. But before, remember to subscribe, give it a like and leave a comment, and let me know what you guys think about the video. And also remember to check my courses on Udemy. I have two courses on Udemy, one on Linux server system administration and another one on Ubuntu desktop.

So let's get started. I'm going to do this from VirtualBox. I believe that VirtualBox is extremely easy to use, it allows for easy network configuration, and the best thing is it's free, absolutely free. So I have two virtual machines running. The first one is an Ubuntu Server and the second one is a Windows 10 Professional. I'm not going to go into the installation of Ubuntu Server, you can search that online and install it in VirtualBox. If you 
need a video on how to do that, check out the link in the description. I have a video on how to download and install VirtualBox and also how to download and install Ubuntu Server.

So the configuration: if I click on File, Preferences, and I go to Network, notice that I have two networks here. If I click on the second one, my range is 10.0.2.0, that's the network that I'm using, and currently I have a port forward configuration to 10.0.2.15 and 2.22, so that is the IP address of my Ubuntu server. I'm going to go ahead and click OK, OK, and this is my Ubuntu server machine here. What I'm going to do, since this is a little bit difficult to read, I find this text somewhat difficult to read, I'm going to establish a connection from my local system. So I'm going to do Windows R, cmd, and here I'm going to say ssh from DOS. I'm going to use my username at localhost, and if port forward was set up correctly I should be able to log into my remote Ubuntu server. All right, so I'm going to enter my password and I'm currently logged in. Okay, so I'm going to zoom this a little bit, Ctrl L to clear the screen.

I have many of these commands already written in a text file, but basically what I did, I followed the Samba wiki documentation, so that's what I'm going to use. The first thing is to make sure that our system is up to date, so do a sudo apt update and sudo apt upgrade. I've already done this so I'm not going to do it, but if you haven't done it, make sure you do this, press Enter and wait until the update finishes.

The next thing that we need to do, we need to give our server an identity. When you talk about an identity, you're talking about mainly two things. The first one, a hostname. It needs to be a descriptive hostname so that computers can find this server on the network. And the second one is a static IP address. The server is an important part of a network infrastructure, which many computers rely on that server for, let's say, file 
sharing or print services or domain controller, so it needs to have a static IP address.

So let's go ahead and change the hostname. I'm going to do sudo vi /etc/hostname, enter my password. Here I'm going to press the letter d twice and that's going to yank that line from the text file. So this is using vi, which I know for many of you is going to be a little bit complicated to use, but once you get used to it, it's extremely convenient to use, especially because it is installed in all Linux distributions. So next I'm going to go into insert mode, I'm going to press the letter i, and I'm going to name my computer dc1. Let me escape that, i, dc1. Okay, so that is the name of my Ubuntu server. So I'm going to hit Escape, I'm going to press the colon, you see at the end, colon wq to write the changes and exit. All right, so if I do cat /etc/hostname, that's the name of my computer.

The second thing that I need to do, I need to also reflect those changes inside the /etc/hosts file. I'm going to press Enter, and on the second line here, I'm going to press the letter j to go to the second line, and actually, as a matter of fact, I'm going to do Shift and dollar sign and that's going to take me to the end of the line. Then I'm going to press the letter a, and here I'm going to write the static IP address of my system, which is 10.0.2, and then dc1, which is the hostname. I'm going to hit Escape, I'm going to press the letter k to go one line above, and I'm going to yank this line, d twice. All right, so hit Escape, now the colon, you can save the file, colon, see there at the bottom, colon wq. And if we do cat /etc/hosts, notice that this is my IP address and the system name.

So finally I'm going to do ip a to view my IP configuration, and notice that this is my IP address, and right now I have a dynamic IP address and I want to change that to become a fixed or static IP address. So I'm going to do sudo vi /etc/netplan/00 and then I'm going 
to press the Tab key and that's going to autocomplete the name of the file. Press Enter, and this is my YAML, netplan YAML file, which contains information about IP configuration. So the first change that I'm going to make here, where it says dhcp4, again, if you need to navigate, usually when you start the cursor will be somewhere up here, press the letter j and that is going to take you one line down, and the letter l to go to the right. Then I'm going to hit the letter x to remove, Insert or i to go into insert mode, and I'm going to say no. Okay, so it's not depending on the DHCP server in order to obtain IP address information.

Next, I'm taking this from a file, I'm going to say addresses, colon, bracket, and then this will be my fixed IP address, and I need to append the subnet mask, which is backslash 24. All right, so the next thing is the gateway, or the router, so I'm going to say gateway4, colon, 10.0.2.2, and finally nameservers, colon, again addresses, colon, bracket, 10.0.2.10, comma, and I'm going to also include Google's DNS server as a forwarder. And the final line, it says version 2, I'm going to leave that. I'm going to hit Escape, colon wq. So if I do cat /etc/netplan, this is my configuration.

Finally, what I'm going to do now, I'm going to do sudo netplan apply, and as soon as I press Enter my connection through remote SSH is going to be lost, because I just changed the IP address. So as soon as the new changes take effect I'm going to lose the connection. So I'm going to press Enter. If I keep pressing Enter, notice that nothing happens, so I'm going to close out of here. Going back again into VirtualBox, Preferences, Network, Port Forward, and I need to change this to 10 instead, that's my new IP address. Okay, okay, okay. Again, Windows R, cmd, ssh at localhost, press Enter, and we should be able to connect to the new IP address. And notice that the server name is still reflecting the old hostname, it 
hasn't been updated, so we need to restart the system in order for those changes to take effect. So let's go ahead and do that, let's do sudo reboot, and I'm going to enter my password and it should reboot pretty fast. Let me try to log in, see if I can maximize this a little bit. No. Let me try to log in again, and notice now that the server name has changed to dc1.

All right, so finally we are right to the good stuff. We've been doing managerial stuff so far. So for installing now the Active Directory domain controller using Samba, what I want to do, I want to log in as root. So if you haven't set up a root password, this is a good time to do it. So I'm going to say sudo passwd root, I want to give my root a password. Okay, so now I'm going to enter my root password and repeat it again. All right, so now I'm going to log in as root, su. Okay, so cd to go back into my root directory.

And here I'm going to say apt install, minus y to not get prompted, and I want to install samba, we need that, we need winbind, we need Kerberos 5 config, we need smbclient, dnsutils and also net-tools. I want to install every single one of these. Samba, this is going to be our Active Directory, it provides also file sharing. Winbind is to allow Linux and Windows computers to share user and computer information. Kerberos 5 for user authentication. smbclient for file sharing on the network. DNS utility for testing DNS communication, and net-tools, it will install a bunch of tools for monitoring and testing network connections. So I'm going to go ahead and press Enter and I'm going to let it install.

The installation process should be prompting us with information about the setup for Active Directory. All right, so the first question is the default Kerberos 5 realm. This needs to be in capital letters, so I'm going to say HOMENET.COM, all capital letters. This is the same name as your domain but in capital letters. I'm going to 
press Tab, press Enter. Here, this is the Kerberos server for my realm. I've seen many tutorials online where people enter a domain here. This needs to be a server, not a domain, so it needs to be the fully qualified domain name, and it is in lowercase, so it's dc1.homenet.com. Tab, press OK. And the administrative server for the Kerberos realm, the same thing, dc1.homenet.com. Press Enter, and that is as far as we need to enter for the installation.

All right, so installation is finished. I'm going to do Ctrl L to clear the screen. Okay, so what I want to do now is to back up the original smb configuration file as a backup, so I'm going to say move /etc/samba/smb.conf to /etc/samba/smb.conf.original.

All right, and what I'm going to do now, I'm going to run the samba-tool provisioning, so this is what is going to set up the information for our domain. So I'm going to say samba-tool domain provision. All right, so I'm going to say use-rfc2307, interactive. All right, so we're going to get prompted for a lot of information, not a lot of information, I believe five pieces of information that we need to provide. So I'm going to press Enter. Make sure that it's rfc2307.

All right, so the first thing is that realm again, and that should be HOMENET. I'm going to press Enter. Actually it is HOMENET.COM. I'm going to press Enter. The domain is HOMENET, so I'm going to leave it as default, Enter. Server role, it is a domain controller, so I'm going to leave the default, Enter. The DNS server, it is going to be Samba internal. Once you install Samba as a domain controller, Active Directory needs DNS resolution in order to work, so Samba has the option to act also as a DNS server. So here the options are to have your own DNS server running using BIND9, which is not the option here, and having a Samba internal DNS server. So I'm going to press Enter. Okay, so now the next question is to provide a DNS forwarder. So when computers in the network try 
to resolve from domain to IP address, the first thing they're going to do, they're going to contact the local DNS server. If the local DNS server doesn't have the entry for resolving DNS to IP address, it's going to forward that query to another DNS server that might have that information. That is what a forwarder is. So I'm going to use a Google DNS server here as a forwarder, and I'm going to press Enter.

And finally I'm going to set up the domain controller administration password. This is the password that you're going to use to pretty much do all system administration in the domain. Okay, so this is the equivalent of the root account in a Linux system, you know, this is the guy who can do pretty much anything, so make sure you don't forget this password. All right, I'm going to retype the password again and I'm going to let the setup finish.

All right, so setup has completed, so clear the screen. The next thing that I want to do, I want to copy the generated Kerberos 5 file from the Samba private directory into the /etc directory. So I'm going to say copy, and that will be /var/lib/samba, I have the text here because it's pretty much impossible to remember this by memory, so that'll be private/krb5.conf into /etc. Okay, if you want to make sure you successfully moved that file, so let's do, let's see, krb5, and that's the file.

Next we need to enter information into our resolv.conf file for name resolution. So I'm going to say vi /etc/resolv.conf and I'm going to go to the end of the file by Shift G twice, that's going to take me to the end of the file, and then Shift A, dollar sign, that's going to take me to the end of the line. Here we need to enter two pieces of information. The first one, where it says search, I want to make sure that instead of a dot I enter my domain name. So I'm going to press the letter i, I'm going to say homenet.com, and hit Escape to delete the dot. And I'm going to move up, so I'm going to 
press the letter k, and here instead of 127 I want to enter my IP address, 10.0.2.10. Once I have that information, hit Escape, colon wq. Make sure you have the right information in /etc/resolv.conf: nameserver is 10.0.2.10 and search homenet.com. Double check on the spelling.

And finally, let's go ahead and disable some services that we're not going to need, that Samba is going to provide for us. So I'm going to copy it from here so I don't have to type it again, and right Ctrl, mouse to paste it, but basically we're going to disable smbd, nmbd, winbind and the systemd-resolved service. Press Enter. Once that's done, the next thing that I want to do, I want to mask the Samba Active Directory, so I'm going to say systemctl mask samba-ad-dc.service. And basically we need to mask this because sometimes we install a service, and if there are other applications or other services that conflict with this service, by default it gets on mask. I might be wrong in this, so if you guys know the correct explanation please leave a comment. So I'm going to press Enter.

All right, the next thing that I want to do is to systemctl enable, now, the Samba Active Directory domain controller service. That's why it's better to just copy the command. Don't be ashamed to copy the command, nobody knows this by memory. As a matter of fact, that is exactly what you shouldn't be doing, knowing everything by memory. And this time it worked.

So what we want to do now, let's see if Samba is listening for connections. So I'm going to say netstat antp, egrep, and I'm going to say smbd or samba. And yes, we have smbd listening but we don't have samba listening. So what I'm going to do, I'm going to restart the system, so I'm going to say reboot. After we've done all this installation, the best thing that you can do is to reset the system. And let's go ahead and try to establish a connection through SSH. No. I said at the beginning of this video that it will be a long video, but there is a lot 
of good information, so bear with me until the end of the video. All right, and I think now we've established a connection.

Okay, so the way we start Samba, this is an important part, the way we start Samba Active Directory is by typing samba. Actually, I want to make sure that I go into root for this. I'm pretty sure that I can do this from sudo, but let's go ahead, type samba. All right, so Samba now is running. So if I recall netstat again, notice that I have RPC, LDAP, lightweight directory services running. So at this point we should be able to do name resolution. So if I do ping dc1.homenet.com, I should be able to resolve from domain name to IP addresses, and also I should be able to ping anything outside my network, for example google.com, and that's also working.

All right, so we have two important pieces here working. We have the Active Directory service running, we are able to resolve from DNS to IP address, and we have communication on the network. So at this point I'm going to go into my Windows computer, my Windows client, and I'm ready to join the domain. Let me see if I remember the password for this computer. All right, so we're successfully logged in.

This is where the second part of the video starts. So let's start by making sure, Windows R, cmd, making sure that we can establish, and I have a lot of windows running, I have a lot of scripts running in the background, let's make sure that I can resolve from domain name to IP address. So I'm going to say ping homenet, dc1.homenet.com, and that is working. For this to work, the setup that I have for my Windows 10 client machine: if you right click on the Start menu and then go to Network Connections, because in order for you to join a Windows 10 client to a domain, you need to make sure that your IP configuration is set up correctly, because right now I don't have a DHCP in the network, so there are no services handing out, actually there is a DHCP in the 
virtual network but it's not handing out DNS configuration. So here I'm going to click on Change adapter options, right click on your adapter, go to Properties, double click on TCP version 4 and make sure that you have a static IP address. This is my static IP address, 10.0.2.20, this is my subnet mask, this is my default gateway, and for the DNS server, this is important, here you need to set up your Linux Active Directory domain controller as the DNS server and then, as an alternative, use the Google DNS server. Once you have that information set up, go ahead and click OK, OK, Close and Close, and test for DNS resolution by pinging your Linux domain hostname.

All right, so once you have that working, right click on the Start menu, go to System, here click on Rename PC, change, was it change, Rename this computer, and click on Domain. Here I'm going to enter homenet.com, that is the name of my domain, so I'll click OK. Here you need to enter your Active Directory domain, Active Directory system administrator, and that was the password that you used when you set up your Active Directory domain controller. So I'm going to say administrator and enter my password, press OK, and we should be able to join the domain. All right, welcome to the domain. Click OK. A restart is necessary, so click Close and Restart Now.

The next thing that we're going to do, we're going to download the Microsoft RSAT tool, which is the Remote System Administration Tool. So do a search online and you are going to land on this page here, and click the download section. In my case I have a 64-bit platform operating system, so I'm going to click on that one and click Next, and finally Download. I advise you to do this from the Windows client computer, otherwise you're going to have to find a way to move it inside the virtual machine.

So now we've joined the domain. How do we log into a domain? That's simple. I'm going to click on Other user. Okay, so notice that if you want to log in to a domain you use the domain name 
followed by the username, so I'm going to say homenet, forward slash, administrator, and then my password. Press Enter and we should be able to log in.

Okay, so if I do Active Directory, notice that I have a bunch of tools from the Remote System Administration Tool already installed in my system. So in order to make it easier for me to have all the tools in one place, I'm going to use the Microsoft MMC, which is the management console. So again, Windows, letter R, mmc, press Enter, and here I'm going to set up my MMC by clicking on File, Add snap-ins, and I want to add a few snap-ins here. I want to add Active Directory Users and Computers. I also want to add Computer Management. Here I need to select what computer I want to manage remotely. I'm going to say Browse, here I'm going to enter dc1, click Check Names, he found it, that's how amazing Active Directory is in Ubuntu Linux. I'm going to click OK, I'm going to click Finish, it's right here. I also want to add DNS. What else do I want here? I think that's basically, oh, Group Policy Management, this is a very important one. All right, so I'm going to click OK and I have all the snap-ins in one place. So now I'm going to go ahead and save this snap-in, or this console, and I'm going to place it on my desktop. I'm going to name it DC1, actually homenet.com, actually homenet MMC. All right, so I'm going to click Save.

Now if I expand Active Directory, and then I expand my homenet domain, and I expand the user section, actually if I click on the user section, notice that I have all the users and groups in my domain. So if I wanted to create a new user, let's go ahead and create a new user. So I'm going to right click on Users and then I'm going to click on New, and I'm going to say User, and this is going to create a new user. You can do this from Linux using the samba-tool utility, but it's much easier to do this using the graphical interface. So I'm going to name my user John Smith and the logon name is jsmith. I'm 
going to click Next. User must change password, no, I'm going to uncheck this. User cannot change password, and you can set Password never expires, but this is not a good practice. So I'm going to set the password using capital case and alphanumeric numbers. Click Finish, and this time it went through. Notice now that my user is right here.

So I can right click on the user and click on Properties, and I can go into Account, and here I can set the logon hours for that user. For example, if I only want the user to log in from 8 to 5, I can set that here. And I can also specify the computers that this user is allowed to log in from. Right now the default is all computers, but I can click on The following computers and then make those changes here. I'm going to leave it as default. Also I can disable the user account from here and reset the password also from here.

Profile, this is your home user profile. For example, if you want roaming profiles, you want the user profile, instead of being in the local system, being on the network. That way it doesn't matter the computer from where the user logs in, he's going to have all these documents available. So you set the home profile here and also the login script. You can set many of these from Group Policy, this is what we're going to do in this video.

The other thing that I wanted to show you is that if you click on Computers under Active Directory Users and Computers, this is where all your computers that you join into the domain are going to show up. You can move users and computers. For example, you can create an OU. If you right click on the domain and then on New, you can create an organizational unit. Let's say that I have a department called tech, tech support. I'm going to click OK. Notice now that I have this tech organizational unit here, so now I can move users. Let's say that John Smith is part of that department, so I can 
right click on that user and click Move, and I can move that user to that OU. And so when I apply Group Policy, instead of applying at the domain level, which is going to affect everyone, I can apply only to the organizational unit, and therefore this allows me more control over the users. Let me go ahead and move that user. As a matter of fact, I'm going to leave it there.

The other thing that I wanted to show you is that if you expand here on the DNS and click on your domain controller, notice that you have a forward lookup zone and a reverse lookup zone. Now we're not going to get too deep into DNS. So if I expand my domain name, notice that these are all the entries for all the computers and servers on the network. This is computer 01, the computer that we just joined into the domain, and this is the domain controller. Notice that for every single computer I have two entries. The one that has a four A attached to it, that's IP version 6, and a single A, which is a host entry, is for IP version 4. 
Here on Computer Management, I don't know why this always gives me this Event Viewer error. I guess it's kind of buggy. I mean, something has to give you an error. I mean, for something that is absolutely free it works extremely well. I'm extremely surprised how well it integrates with the Microsoft Remote System Administration Tool.

Here on Computer Management, if I click on Shared Folders, expand Shared Folders and click on Shares, these are all my shares on the domain controller. Right now I have two shares, the netlogon directory and the sysvol, and these shares are hidden shares that automatically get created once you create a Windows share over the network. Again, if I'm saying something that is not 100% correct, please leave a comment down in the description. Here you can see all the sessions established to the domain controller. Right now the administrator is the only one connected. And here you can see all the open files on the server. Extremely useful when you want to view all the connected users and disconnect any user from the network.

So the next thing that I wanted to show you is how to create a network share on the domain controller and how to map those shares automatically to all the users on the network using Group Policy. So let's go over to the server and let me clear the screen. If I do cat /etc/samba/smb.conf, notice that these are my two shares inside the Samba configuration file. There is a command that would allow you to display all the shares on your server. I believe the command is smbclient, minus L, localhost, minus capital N, and I'm going to enter my password, and as you can see, the same shares that we looked at from the Windows side are here. So these are the shares.

The next thing that I'm going to do, I'm going to create two directories, and I'm going to create them in the same place where these two shares are. So the first one is going to be, 
let's say, /var/lib/samba, and inside the system volume I'm going to create a share called apps. All right, so that's going to be the first one, and the other share that I'm going to create is going to be data. All right, so this share is going to host applications for the users and this share is going to hold data for the users.

The next thing that I have to do is to create entries in the conf file for these two directories. Clear the screen, sudo vi /etc/samba/smb.conf file, and if I do Shift G twice it's going to take me to the last line, Shift dollar sign to the end of the line, a to go into insert mode, and I'm going to press Enter. Here I'm going to do brackets, and this is going to be the label that this share is going to show up as on the network, so I'm going to say apps. Indentation is important. I'll say path equal /var/lib/samba/sysvol. By the way, the system volume is a very important folder or directory in an Active Directory domain controller. This is where all the information pertaining to Active Directory and all the objects in the domain reside, so it's very important to restrict access to this directory. So next I'm going to say homenet.com, that will be apps, read only yes. These are apps that are going to be executed, the user will not be allowed to modify the content of this directory. The next one is going to be data. Path will be the same, /var/lib/samba/sysvol/homenet.com/data, and read only no. All right, so that's a simple configuration. So when I'm done, hit Escape, colon wq, press Enter.

So if I recall the command to display the shares on the server, notice now that I have the apps and data shares available. Okay, now if you want to see the permissions on those shares, do ls minus l and then /var/lib/samba/sysvol/homenet.com and press Enter, and of course you need to become sudo for this. All right, so these are the permissions. Notice that the first three are for the root, the user and 
everyone else. So if I want to change the permissions for these two directories, I'm going to say sudo chmod, and I want to give it, let's say, 775, okay, and then I want to say /var/lib/samba/sysvol/homenet.com and apps. All right, and I want to do the same thing for data. Okay, so if I list the permissions again, notice now that users and groups have all the permissions but everyone else has read and execute. In order to execute you need to have read permission. It is very important to understand permissions and rights when assigning permissions on the network.

So let's go ahead and go back into my Windows client, and if I refresh the shared folder now, notice that I have apps and data. Okay, so now we can map those network shares on the network. So now I'm going to go over to Group Policy Management and I'm going to expand the forest, I'm going to expand the domain, I'm going to expand my domain name, and here on the Group Policy Objects, I'm going to expand this. As you can see, when you create an Active Directory domain controller, by default you're going to have two policies. One is the Default Domain Controllers Policy, that applies to the domain controller, and you're also going to have the Default Domain Policy, which applies to the domain at the domain level, which everyone will be affected by.

So what I'm going to do, I want to click on Group Policy Objects and I'm going to right click on it, I'm going to say New, I'm going to call my policy Map Drives Policy, and I'm going to click OK. So now this policy has been created, it's showing up here. Right click on it, Edit, and it's going to open the Group Policy editor. This is to map a network drive, so it's something that is done under the User Configuration. Notice that you can set policies or settings at the Computer Configuration or the User Configuration. I'm going to expand Preferences, Windows Settings, here where it says Drive Maps. I'm going to select 
it, right click, New, Mapped Drive. All right, so I'm going to leave the action as Update. Location, this is going to be the location of the network share on the server on the network, that will be dc1, apps, and Reconnect yes, Label as apps, and here the drive that we are going to assign, that will be J, and that's it. Okay, all right, so that is my share. I'm going to create another one and this one will be for data. All right, label data and use K, Apply. All right, so those are my two shares. I'm going to go ahead and close this.

And notice, when you apply Group Policy it's a two-step process. The first one is to create the policy, the GPO, and the second one is to link the GPO to the domain or the organizational unit. So here I'm going to click the domain and right click on it, and I'm going to say Link an Existing GPO, and I'm going to select Map Drives Policy. I'm going to click OK. Okay, so if I click on my drive policy, notice where it says Link Enabled, yes, and it is linked at the domain level, meaning that everyone inside that domain is going to be affected by this policy.

All right, so let's go ahead and open the file manager, or the File Explorer, and go to This PC, and notice that I don't have any of my shares, neither the data nor the apps share, here. So why is this happening? I'm going to leave you with that question. Even though we've created the GPO, why doesn't the user have those drives already mapped? I give you three seconds to leave the comment down in the description, in the comment section. But basically, every time that we create a GPO we need to enforce it. So I'm going to do Windows R, cmd to open the terminal, and I'm going to type a command called gpupdate, forward slash or backslash, force, and what this is going to do is it's going to pull all the Group Policy from the domain controller. So I'm going to press Enter. All right, Group Policy has been 
completed successfully all right so now i'm going to exit out of here if i open the file explorer again notice and that i have my two shares okay so now what i'm going to do i'm going to upload a couple of msi packages to the apps share all right so now i'm going to open winscp all right so i've already logged into the server and this is my local computer this is the server under msi i have two msi packages one is for adobe acrobat and the other one is for 7-zip so i'm going to upload those into my server drag and drop and drag and drop all right so they should be on the server now i'm going to close this don't need it anymore so i need to move this to my apps directory so i'm going to say sudo move everything dot msi to this path here which which i'm not going to copy it this is the dos so right click copy right click again and press enter if i recall this command here and now i should have my two msi packages there if i go to my windows 10 computer you might click on the apps network share and notice that i have my two msi packages available here for the user to install it but i want to automate the installation process um i don't want i don't want to get the end user involved in installing packages or software uh on the computer on the local computer so i'm going to take over that process so i'm going to open my um my mmc console and i already have one open okay and i'm going to create another group policy object now this one is going to be for installing 7-zip so i'm going to say 7-zip installation policy all right so the thing about group policy is that you want to create a group policy for enabling enable or perform a specific action that way when it's time to troubleshoot anything that might go wrong on the network it's easier to troubleshoot if you have um a policy performing a specific action instead of creating a policy and enabling a bunch of settings so i'm going to click ok and i'm going to right click on it click edit installation of
packages is either you can do this at the user level or at the computer level if you do this at the computer level which is the way you're supposed to do it um the software will be installed when the computer restarts so it'll perform the action in the background so the user is completely unaware of the installation process so i'm going to click on software installation right click new package and here i want to select the package that i want to install because this is a network package i don't want to enter the local directory in the file system i want i want to enter in the unc path in the network okay so i'm going to click on this pc apps and click open and i want this to be assigned okay i'm going to click ok and as you can see i have the unc path here and the type of software and that is assigned once i'm done go ahead close it again you need to link this policy so i'm going to click on the domain level link a group policy and i'm going to select the group policy i'm going to click okay okay so what i'm going to do i'm going to exit out here and um just to show you that if i do refresh group policy so i'm going to do gpupdate force um i believe it will not be installed you need to restart the computer for this it's unable to buy because changes will be proceed changes must be processed before system uh or user logged in okay so that's what i told you and now it's prompting me to restart the system which i'm going to say yes you don't have to do this by the way you can cancel out here and restart the system so i'm going to say shutdown restart now all right and this is going to restart the operating system the next time we boot up it's going to install 7-zip all right so if i open the file explorer and i right click on a folder notice that i have 7-zip already available to me here within the menu so it has been installed the other thing that i wanted to show you is how to restrict access to specific applications or settings within the operating
system and also how to run script using group policy object so again double click on the mmc and expand group policy objects and i want to create another group policy this one is going to be for restricting access to control panel so i'm going to say restrict control panel policy and i'm going to click ok and i'm going to double click on it actually i want to right click and edit so this setting is on the user configuration policy administrator templates and then control panel if you expand control panel here where it says um prohibit access to control panel i'm going to double click on it and i'm going to say enable click ok and that should be it so now we'll we need to link this policy but if we linked it at the domain level it's going to affect everyone including the um the the active directory administrator so what i'm going to do i'm going to link it to an ou you see the ou that i created that contains one user so i'm going to right click on it and i'm going to say link an existing gpo i'm going to select it click ok um the other thing that i wanted to do i wanted to create a group policy in order to run um scripts which it's also very important to do to be able to run script in order to automate many things on the network so i'm going to create another group policy i'm going to call this one login script policy click ok right click on it edit all right so it is on the policy windows settings scripts all right so i want to create a logon script so i'm going to double click on logon and here i'm going to add a logon script but first i need to create that script um let me open the file manager go to my desktop right click and say new text document and i'm going to call this one um login.bat all right so right click on it edit and uh the first line is going to be echo off and uh here i'm going to say um i want to install another package i'm going to say msiexec install um in the and the other package that i wanted to install you can do
this using group policy but i just wanted to show you the many ways that you can do this i'm going to click on apps and this one is acro pro how to enter the unc path dc1 apps ctrl v and dot msi and that will be a quiet installation so the user will not be prompted for for any action during the installation um here you can also map network drives so i'm going to i'm going to say save and i'm going to add actually i need to place it but first i need to do something here notice that this is is still a text file and that's because it still has the text extension which um it's hidden by default okay so i need to rename it i need to get rid of the text extension yes now it is a bat file let me go ahead and select copy now if i do here dc1 and press enter should i be able to paste it here let's see yes it is there so now it is on the server so now i'm going to go ahead and just to show you something if we go to the server and you cd into um var lib samba sysvol homenet.com and um i need to become root for this notice that i have a script directory here and this is this is where i'm going to place my script now this script directory is being shared as netlogon on the network so going back to the client let's finish this group policy going to add the script script name is going to be adobe install going to select it the user needs to have read and execute permission to this file so you should be able to find it here and i'm going to say apply and click ok um so that's everything that i wanted to cover so let's go ahead and refresh group policy let's go ahead and log in as jsmith and here i want to say other user this will be to homenet jsmith and the password okay so if i open the file manager the file explorer and i go to this pc and notice that i have my two drives here so that group policy is working and i have a bunch of scripts running in the background let's see if we have access to control panel which apparently we do we don't have access to control
panels so that group policy object was successfully applied and that's it for this video guys i know it was a long video um but i believe it's a it's a good video i cover a lot of important information not only to system administration and active directory domain controller but um networking and how well um the remote system administration tool integrates or how well windows clients integrate into a samba active directory running in a linux server thanks for watching this video guys as always remember to subscribe give it a like leave a comment and let me know what you guys think about the video see you in the next video
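
The permission points made in the walkthrough (775 on the share directories, read and execute on the logon script) can be checked with a short audit of the mode bits. This is an added example, not something shown in the video; the function names and the sample tree, including the file name 7zip.msi, are constructed, and it assumes access is governed by the POSIX mode bits set in the chmod step.

```shell
#!/bin/sh
# Added example: audit POSIX mode bits under a share directory.

# audit_share DIR
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 on bad input.
#   WORLD-WRITABLE <path>  anything "other" can modify (for example 777 or 666)
#   NO-READ-EXEC <path>    .bat/.cmd/.msi that "other" cannot both read and execute
audit_share() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir"; return 2; }

    findings=$(
        # -perm -0002: other-write bit set (symlinks skipped, their mode is meaningless)
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # ! -perm -0005: other-read and other-execute are not both set
        find "$dir" -type f \( -name '*.bat' -o -name '*.cmd' -o -name '*.msi' \) \
            ! -perm -0005 -print | sed 's/^/NO-READ-EXEC /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# Constructed sample tree (not the server's real share) for trying the audit offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/apps" "$t/scripts"
    : > "$t/apps/7zip.msi";     chmod 775 "$t/apps/7zip.msi"      # as set in the walkthrough
    : > "$t/scripts/login.bat"; chmod 770 "$t/scripts/login.bat"  # clients cannot read it
    : > "$t/scripts/notes.txt"; chmod 666 "$t/scripts/notes.txt"  # anyone can modify it
    chmod 775 "$t/apps"
    chmod 777 "$t/scripts"                                        # anyone can drop a script
    echo "$t"
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_share "$1"; fi
```

A world-writable scripts directory matters because whatever sits in the netlogon share can be run on client machines at logon, so that finding is the one to clear first.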