Bug 47915 - Assign GPOs to computer rooms / Move computer objects to OUs
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Samba 4
Version: UCS@school 4.3
Hardware/OS: Other Linux
Priority: P5 normal
Assigned To: Samba maintainers
Reported: 2018-10-05 18:16 CEST by Valentin Heidelberger
Modified: 2020-07-21 13:26 CEST
What kind of report is it?: Feature Request
School Customer affected?: Yes
Ticket number: 2020061021000331
Bug group (optional): API change
Description Valentin Heidelberger univentionstaff 2018-10-05 18:16:02 CEST
A school customer separates their Windows clients in computer rooms. Now they want to assign various (non-compatible) GPOs to those rooms, but the rooms are not available in the Group Policy Management Tool because GPOs can only be assigned to OUs.
The customer would have to create a new OU and move their computer objects there to be able to assign GPOs to the rooms.

It would be nice if there were a feature (UCRV controlled?) that created OUs for the computer rooms, thus allowing for group policy assignment.
Currently the computers are saved at

LDAP Base -> school OU -> computers (CN)

Since containers below OUs inherit GPOs, we could change the LDAP layout as follows, for example, allowing for GPO assignment based on computer rooms:

Client with no room assignment:
LDAP Base -> school OU -> computers (CN) -> client A
LDAP Base -> school OU -> computers (CN) -> client B

Client with room assignment:
LDAP Base -> school OU -> computer rooms OU -> room 1 OU -> computers (CN) -> client A
LDAP Base -> school OU -> computer rooms OU -> room 2 OU -> computers (CN) -> client B
Comment 1 Michael Grandjean univentionstaff 2018-10-06 22:19:53 CEST
IMHO we should start creating the whole structure underneath the school OUs as organizational units instead of simple containers. This would make GPO management much easier, but we somehow have to migrate existing installations, then.

On the other hand: GPOs can be limited to certain groups with the feature "Security Filtering". And computer rooms are just that (groups). So it should be possible to link all GPOs for all computer rooms to the school OU (or even the LDAP base), but then use the Security Filtering to apply certain GPOs only to certain groups.
Comment 2 Valentin Heidelberger univentionstaff 2018-10-08 15:09:28 CEST
(In reply to Michael Grandjean from comment #1)
> IMHO we should start creating the whole structure underneath the school OUs
> as organizational units instead of simple containers. This would make GPO
> management much easier, but we somehow have to migrate existing
> installations, then.
> 
> On the other hand: GPOs can be limited to certain groups with the feature
> "Security Filtering". And computer rooms are just that (groups). So it should
> be possible to link all GPOs for all computer rooms to the school OU (or even
> the LDAP base), but then use the Security Filtering to apply certain GPOs
> only to certain groups.

Thanks for the hint towards Security Filtering. That's indeed a nice workaround.

In case there are no technical reasons not to switch from CNs to OUs, I'd still support the idea because, just like you pointed out, the OU structure in the Group Policy Manager is much more intuitive.
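To make the two approaches from the description and comment 1 concrete, here is an added example (not code from the bug report, UCS@school or Samba) that models how Group Policy scope is resolved for a computer object: GPOs can only be linked to domains and OUs, a cn= container inherits the links of its ancestors but cannot carry any itself, and Security Filtering drops a GPO whose group filter the computer does not match. It compares linking room GPOs at the school OU with security filtering against moving the client into a per-room OU. All DNs, GPO names, group names and the `ou=rooms` name are constructed for the example; sites, local policy, Block Inheritance, Enforced links and WMI filters are deliberately left out of the model.

```python
# Added example, not part of the bug report or of UCS@school: a toy model of
# GPO scope resolution. DNs, GPO names and group names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GPO:
    name: str
    # Security Filtering: groups whose members the GPO applies to.
    # An empty set models the default "Authenticated Users" (applies to all).
    apply_to_groups: frozenset = frozenset()


@dataclass
class Directory:
    links: dict = field(default_factory=dict)      # scope DN -> [GPO, ...]
    groups_of: dict = field(default_factory=dict)  # computer DN -> {group, ...}


def parse_dn(dn):
    """Split a DN into its RDNs, leaf first (no escaping support; example only)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def scope_chain(object_dn):
    """Ancestor DNs from the LDAP base down to the object's parent container."""
    parts = parse_dn(object_dn)
    return [",".join(parts[i:]) for i in range(len(parts) - 1, 0, -1)]


def is_linkable(scope_dn):
    """GPOs can be linked to domains (dc=) and OUs (ou=), never to cn= containers."""
    return parse_dn(scope_dn)[0].startswith(("ou=", "dc="))


def link_gpo(directory, scope_dn, gpo):
    """Link a GPO at a scope; refuses the containers the GPMC does not offer."""
    if not is_linkable(scope_dn):
        raise ValueError(f"cannot link a GPO to a container: {scope_dn}")
    directory.links.setdefault(",".join(parse_dn(scope_dn)), []).append(gpo)


def applied_gpos(directory, computer_dn):
    """Names of the GPOs applied to the computer, in processing order (later
    wins on conflicts): walk from the domain down, collect the links of every
    linkable ancestor (cn= containers inherit but carry no links) and drop
    GPOs whose security filter does not match the computer's groups."""
    groups = directory.groups_of.get(computer_dn, set())
    result = []
    for scope in scope_chain(computer_dn):
        if not is_linkable(scope):
            continue
        for gpo in directory.links.get(scope, []):
            if gpo.apply_to_groups and not (gpo.apply_to_groups & groups):
                continue
            result.append(gpo.name)
    return result


def room_ou_dn(computer_dn, room, rooms_ou="rooms"):
    """DN the client would get under the layout proposed in the description:
    school OU -> rooms OU -> room OU -> cn=computers -> client."""
    parts = parse_dn(computer_dn)
    if len(parts) < 3 or parts[1] != "cn=computers":
        raise ValueError(f"unexpected layout: {computer_dn}")
    return ",".join(parts[:2] + [f"ou={room}", f"ou={rooms_ou}"] + parts[2:])


def demo():
    base = "dc=example,dc=com"
    school = f"ou=school1,{base}"
    pc_a = f"cn=pc-a,cn=computers,{school}"   # constructed client in room1

    d = Directory(groups_of={pc_a: {"room1"}})
    link_gpo(d, base, GPO("Default Domain Policy"))
    link_gpo(d, school, GPO("School baseline"))
    try:  # the container that actually holds the clients cannot take a link
        link_gpo(d, f"cn=computers,{school}", GPO("Room 1 printers"))
        refused = False
    except ValueError:
        refused = True

    # Approach 1 (comment 1): link every room GPO at the school OU and let
    # Security Filtering restrict each one to its room group.
    link_gpo(d, school, GPO("Room 1 printers", frozenset({"room1"})))
    link_gpo(d, school, GPO("Room 2 printers", frozenset({"room2"})))
    filtered = applied_gpos(d, pc_a)

    # Approach 2 (description): move the client into a per-room OU and link
    # the room GPO there; the cn=computers below that OU inherits it.
    d2 = Directory()
    link_gpo(d2, base, GPO("Default Domain Policy"))
    link_gpo(d2, school, GPO("School baseline"))
    moved_dn = room_ou_dn(pc_a, "room1")
    link_gpo(d2, f"ou=room1,ou=rooms,{school}", GPO("Room 1 printers"))
    moved = applied_gpos(d2, moved_dn)

    return {"container_link_refused": refused, "filtered": filtered,
            "moved_dn": moved_dn, "moved": moved}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both approaches end with the same set of GPOs on the client; the difference is where the room scoping lives (group membership checked at apply time versus the object's place in the tree), which is exactly what shows up, or does not, in the Group Policy Management tree view.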
Comment 3 Michael Salm 2019-05-21 13:19:17 CEST
We - users of paedML Linux with UCS 4.3 - would be very interested in an OU-type implementation of rooms and classes in UCS@school.