Topic: Advice and help configuring new production server

[abel2b]

Hello !! First things first ,thanks for your time.

I have been reading sme manuals and varios post in the forums,for some time now and succesfully installed on a test box, althought I have worked out minor problems, I have not been able to workout things like group policy, profiles, public email setting, backups..

A little background...

I´m trying to implement a small server at a Hotel, consisting of:

15 workstations running windows XP Pro SP2/SP3, Office 2003/20007, some have Corel Draw, and some have 3rd party restaurant or hotel management software.

1 Box running SME Server in server only mode.
1 Box running xp pro with shared folder containing management soft
1 TP-link 4 port TL-R402M Router Link
1 Tp-link 16 port TL-SF1016D switch Link
1 D-link 5 port switch (unkwoned model)


Ok so what we basically want to do is:

--Group 1 and 2 have to be lockdown completely, meaning no internet access at all, block or prevent user from installing, executing any type of games, or software  brought in with any type of media (mainly USB pendrives), block usage of portable USB 3G internet modems.  Allow intranet or local email and web access

--All other user have full internet acces, ibay access for company documents storage.

--Implement netlogon scripts or redirect important user folder to their server ibay for easy backups

--Redirect outlook express, 2003, 2007 folders or pst files to server for easy storage and backup

-- Add extra HDD on same box as non raid for backups

--Do scheduled backup to extra hardrive on the same box with sme server


Here comes the ugly part:

Currently the company´s web page and email services is been hosted at www.mesi.com.ar

1. So where do I configure SME to use our pop3 and smtp,mail server at mail.mesi.com.ar, and also be able to send out and receive email withing sme webmail?

2. I have not been able to implement group policies at a per user/group basis, I have tried to follow instructions at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html#id2651852 yet 2Active directory user and computer" does not work stating the domain controller does not exist or can´t establish connection !!

3. I have not been able to restrict USB usage, turning off usb ports in bios is not allowed because users need to use scanners and printers.

4. Also what would be you advice in backup methods for a total noob ( eventually server will be managed by a guy in accounting  really!! )


Updates:

I created 5 groups: Group1,Group2.......Group5

I created 15 accpounts: Acc1,Acc2.....Acc15

I blocked internet access via router´s mac address filtering
 
I worked out minor smtp conections with outlook 2003/2007 and sme server I can send and receive email within the lan.

I am currently experimenting with user profiles management following instructions from http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html

[Jáder]

I´ll try to address some of your requests:

Hello !! First things first ,thanks for your time.

I have been reading sme manuals and varios post in the forums,for some time now and succesfully installed on a test box, althought I have worked out minor problems, I have not been able to workout things like group policy, profiles, public email setting, backups..

A little background...

I´m trying to implement a small server at a Hotel, consisting of:

15 workstations running windows XP Pro SP2/SP3, Office 2003/20007, some have Corel Draw, and some have 3rd party restaurant or hotel management software.

1 Box running SME Server in server only mode.
1 Box running xp pro with shared folder containing management soft
1 TP-link 4 port TL-R402M Router Link
1 Tp-link 16 port TL-SF1016D switch Link
1 D-link 5 port switch (unkwoned model)


Ok so what we basically want to do is:

--Group 1 and 2 have to be lockdown completely, meaning no internet access at all, block or prevent user from installing, executing any type of games, or software  brought in with any type of media (mainly USB pendrives), block usage of portable USB 3G internet modems.  Allow intranet or local email and web access

I suggest you to lock up USB ports with physical locks (google for it).
For Web control, install SquidGuard.
For APP control, policies.

--All other user have full internet acces, ibay access for company documents storage.

--Implement netlogon scripts or redirect important user folder to their server ibay for easy backups

--Redirect outlook express, 2003, 2007 folders or pst files to server for easy storage and backup

-- Add extra HDD on same box as non raid for backups

--Do scheduled backup to extra hardrive on the same box with sme server

Backup  = Affa (do it on another server). If you INSIST on backup on extra HDD, default install do it.
You can find info about this on wiki. Search for it there.

Here comes the ugly part:

Currently the company´s web page and email services is been hosted at www.mesi.com.ar

1. So where do I configure SME to use our pop3 and smtp,mail server at mail.mesi.com.ar, and also be able to send out and receive email withing sme webmail?

To redirect hosts, use "hosts" on server-manager.
I just not sure you can have your e-mail at both sites same time.
Can I suggest you to use all e-mail in YOUR sme to be able to control it as you wish not as your ISP allow you ? (spam polices are just one example!)

2. I have not been able to implement group policies at a per user/group basis, I have tried to follow instructions at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html#id2651852 yet 2Active directory user and computer" does not work stating the domain controller does not exist or can´t establish connection !!

AFAIR Samba3 do not support AD polices. These are in roadmap for Samba4

3. I have not been able to restrict USB usage, turning off usb ports in bios is not allowed because users need to use scanners and printers.

4. Also what would be you advice in backup methods for a total noob ( eventually server will be managed by a guy in accounting  really!! )

Use physical locks... anything else will be a later problem.

[abel2b]

Thanks jader!

I´m looking into your suggestions, so if ADM policies are not supported I´ve read that POL do, do just place these in ../netlogon, can they be in a per user basis??

AFFA looks good, for it can be automated, so that´s a plus, what does sme use as default, to do backup jobs, for example when you use server-manager to backup to usb??

About the email  I do want to use MY sme email (horde) and I can send and recieve within the local LAN yet I can not send out to the public via the internet, how do I configure that???

[Stefano]

I´m looking into your suggestions, so if ADM policies are not supported I´ve read that POL do, do just place these in ../netlogon, can they be in a per user basis??

yes..

be sure to use poledit.exe from w2k resource kit as xp's adm file are in unicode. then save your NTCONFIG.POL file into netlogon share.. that's all..

Ciao
Stefano

[Jáder]

About the email  I do want to use MY sme email (horde) and I can send and recieve within the local LAN yet I can not send out to the public via the internet, how do I configure that???

I do not understand this. I presume you can  not receive external e-mail because you do not have DNS correctly configurated. You must point external DNS (ISP) to your server and open ports on Firewall/DSL modem to point to your SME server.

I´m from Brazil (RS - Porto Alegre). If you have too many problems... I can even go there to help you

[CharlieBrady]

I have not been able to workout things like group policy, profiles, public email setting, backups..

In the future, please create a separate thread for each issue.