Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »

Introduction

This document serves the purpose of providing essential system prerequisites and requirements that must be met before initiating the installation process for the GYTPOL Validator product.

Audience

This User Guide is primarily intended for IT system and infrastructure teams responsible for implementing, managing, and maintaining servers and Active Directory within their organizations. It provides clear instructions and explanations suitable for technical users, ensuring that these teams can effectively utilize the software for their specific needs.

Checklist

Before proceeding with the installation of GYTPOL Validator software, it is crucial to verify that all the following requirements are met:

Operating System - GYTPOL Server:

Ensure that the operating system on the GYTPOL Server meets the specified requirements.

Server Sizing:

Determine the appropriate server sizing based on the anticipated number of devices that will interact with GYTPOL Validator.

Users and Groups:

Confirm the existence and configuration of Users and Groups in both Active Directory and the GYTPOL Server, ensuring proper synchronization.

Server Software - GYTPOL Server:

Make sure that the necessary server software components are installed and configured correctly on the GYTPOL Server.

Admin Interface:

Ensure that a web browser is available and compatible for use as the admin interface by end-users of GYTPOL Validator.

Client Requirements:

Verify that servers and workstations covered by GYTPOL Validator meet the required client-side specifications.

DNS - Routing to GYTPOL Server:

Add any necessary DNS configurations to ensure proper routing to the GYTPOL Server, allowing seamless communication.

Ports:

Determine and open the specific ports on both the server and client sides as required by GYTPOL Validator to facilitate communication and functionality.

Antivirus:

Implement measures to prevent any interference or blocking of GYTPOL Validator's proper execution by antivirus software.

Ensuring that all these prerequisites are met will contribute to a successful and efficient installation of GYTPOL Validator software.

Find additional help in Detailed Configuration Instructions when required.

System Architecture

Server Architecture

Server Sizing

Up to 3,000 Devices / PoC

RAM (GB)

System Storage (GB)

CPU (# Cores)

16

80 SSD

8

Up to 10,000 Devices

Server

RAM (GB)

Storage (GB)

CPU (# Reserved Cores)

GYTPOL

16

80 SSD

8

DB

24

200 SSD

8

Up to 15,000 Devices

Server

RAM (GB)

Storage (GB)

CPU (# Reserved Cores)

GYTPOL

24

80 SSD

8

DB

24

250 SSD

8

Up to 50,000 Devices

Server

RAM (GB)

Storage (GB)

CPU (# Reserved Cores)

GYTPOL

32

150 SSD

16

DB

64

450 SSD

16

For customers with specific scenarios, please take note of the following:

  • Customers managing more than 50,000 devices are advised to contact support@gytpol.com for specialized sizing recommendations.

  • If you are using the Nutanix hypervisor, please contact support@gytpol.com for further guidance and support tailored to your specific setup.

Operating System and Language

  • A dedicated physical or virtual server is required, running Windows Server 2016 Standard or a later version.

  • Windows Server language settings (detailed checks are here):

    • The Windows Server operating system must be set to use the English (United States) language.

    • The Windows Server language for non-Unicode programs must be set to use the English (United States) language.

  • Customers who use a separate database server should install SQL Server 2016 Standard or a later version. For detailed instructions on configuring MS SQL, please consult Appendix 1.

Users and Groups

To create a domain user with the specified permissions and ensure the password adheres to the given criteria, follow these steps:

Create the User:

  • Open the Active Directory Users and Computers management console.

  • Navigate to the appropriate organizational unit (OU) or location where you want to create the user.

  • Right-click on the OU, select "New," and then choose "User."

  • Follow the prompts to set up the user account. You can use your naming convention, but for purpose of this document, let's call the user "GYTPOLSVC."

Set Password Criteria:

When setting the password for "GYTPOLSVC," make sure it does not contain any of the following characters ', ", ~, ;, commas or spaces

Assign Permissions (optional):

  • For a more stringent permission setup, you can create a security group within Active Directory, e.g., "GYTPOL_UI_Access”.

  • Add "GYTPOLSVC" to the "GYTPOL_UI_Access" group.

  • This group will be used to access GYTPOL UI or system settings during the initial server configuration.

  • By default, all authenticated users are granted access to the GYTPOL UI, which can be modified using the Roles and Permissions screen after the initial installation process.

By following these steps, you will have created a domain user, set a password that adheres to your criteria, and established a security group for GYTPOL UI access, all in compliance with your requirements.

Permissions

Follow the below table to set the permissions regarding the user and the group (follow hyperlinks for how to’s):

Type

Name

Permission set

AD User

GytpolSvc

Domain level:

Member of Domain Group: “Performance Log Users”

GYTPOL Server local settings:

Local admin on GYTPOL server

Logon as a service

Logon as a batch job

GPMC permissions

Server software and general settings

Requirement

How to Verify

Web Browser supports Chromium

We recommend using the latest version of either MS Chromium Edge or Google Chrome browsers.

However, in offline or closed environments, a minimum version of 100 is required.

.NET 4.7.2 installed

(Installed by default on Server 2019)

https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net472-web-installer

Notepad++ installed

(Optional, yet strongly advised to simplify configuration management)

https://notepad-plus-plus.org/downloads/

The minimum required version of PowerShell is 5.1.

(Installed by default on Server 2016 and later)

Ensure that the PowerShell script execution policy is not set to "Restricted" in any of its categories.

How to Check PowerShell Version and Restriction Mode

IPv6 disabled (Optional)

How to Check if IPv6 is disabled

Configure Windows Firewall inbound ports

- or -

Turn Windows Firewall OFF (service should be up and running)

In case of using the Windows Firewall

How to check if Windows Firewall is at ‘off’ state

IE enhanced disabled

How to Disable Internet Explorer Enhanced Security Configuration

Proxy is not configured

How to Disable Proxy Settings

After committed changes - restart the remote machine (GYTPOL server)

Admin Interface

  • You need a physical or virtual machine running at least Windows 7 SP1.

  • It is recommended to use the latest version of either MS Chromium Edge or Google Chrome browsers for optimal compatibility.

Client Requirements

  • Ensure that Task Scheduler is enabled for both user and computer.

  • Enable Event Viewer for both user and computer.

  • RSOP (Resultant Set of Policy) should be allowed.

  • PowerShell version requirements:

    • PowerShell 2.0 or later is required, with support for detection and auto-upgrade.

    • PowerShell 5.1 and later are preferred, as they support detection, auto-upgrade, remediation, and revert.

    • It is recommended to set PowerShell scripts to "All Signed" (or any option besides "Restricted" or "Remote Signed"), preferably via Group Policy (GPO).

    • Enable the ability for users to run PowerShell scripts.

DNS

Here are the instructions for setting up a CNAME record from a server running DNS or an IT admin computer:

Open PowerShell:

  • Press the "Start" button and type "Powershell" in the search box.

  • Click on "Windows PowerShell" to open the PowerShell console.

Access DNS Manager:

Type dnsmgmt.msc in the PowerShell console and press Enter. This command opens the DNS Manager.

Navigate to the Tree Name:

In the DNS Manager, navigate to the tree name of your organization.

Add CNAME Record:

Right-click on the tree name and select "Add CNAME Record."

Configure CNAME Record:

  • In the "Name" field, enter _gytpol.

  • In the CNAME record, click "Search" and navigate to the tree level where the GYTPOL server DNS name is listed.

  • Select the GYTPOL server's DNS name and click "OK."

Review and Confirm:

  • Review the results and configurations you have entered.

  • Click "OK" to confirm and save the CNAME record.

Testing the Record:

  • Open a command prompt by clicking "Start," typing "cmd," and double-clicking to open the Command Prompt window.

  • Type the following command: ping _gytpol

  • Ensure that the IP address returned matches the IP address of the GYTPOL server.

By following these steps, you will have successfully set up a CNAME record for "_gytpol" in your DNS, allowing it to resolve to the IP address of your GYTPOL server.

If you are not using Microsoft DNS and are using a different DNS service such as Infoblox or any other, please get in touch with us for further guidance and assistance regarding the setup of CNAME records and DNS configurations specific to your DNS service provider. We will provide you with tailored instructions and support to ensure proper integration with GYTPOL.

Ports

From

To

Port number

Purpose

All devices and OS

GYTPOL App Server

9093

HTTPS

9090 (Windows7 only)

HTTP

(Data is compressed and encrypted)

All Computers

(In case GYTPOL cloud service connection is desired for external devices and Remote Employees)

GYTPOL Cloud Service

EMEA & Asia:

https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com

443

HTTPS

Americas:

https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com

Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client is generated.

GYTPOL App Server

GYTPOL DB server

(Required for deployments over 3,000 devices)

1433, 1434

SQL queries

GYTPOL App Server

DC’s

389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 +

Dynamic ports (49152-65535)

GP PS queries +

GP modeling queries

GYTPOL App Server

GYTPOL Cloud Service

EMEA & Asia:

https://<customer-tenant>.execute-api.eu-central-1.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. eu-central-1.amazonaws.com

443

HTTPS

(In case GYTPOL cloud service connection is desired for external devices and Remote Employees)

Americas:

https://<customer-tenant>.execute-api.us-east-2.amazonaws.com/prod

https://gytpol-re-<customer-tenant>-tasks.s3. us-east-2.amazonaws.com

Specific customer tenant URL that requires whitelisting is specified in the appsettings.json file, which will be provided after the client is generated.

IT Admin Computers

GYTPOL App Server

3389

9093

RDP

UI – HTTPS

Local Ports on GYTPOL server should be free and not used.

5000, 8080, 8082, 8083, 9090, 9093, 9370

Ports needed for GYTPOL to run properly.

Antivirus

Exclude the following directory for GYTPOL App server only:

<GYTPOLSERVER> \ (Gytpol installation drive – i.e. ‘C’ or ‘D’ drive) \ Gytpol

Detailed Configuration Instructions

Windows Server language settings

To verify whether the server language is configured as English (United States) in Powershell, you can execute the following commands:

Get-Culture

The expected outcome is 'en-US'.

Get-WinSystemLocale

The expected outcome is 'en-US'.

If you need to modify the locale settings, you can do so through the Control Panel's language settings:

Open Control Panel:

Click the bottom-left Start button to open the Start Menu, type “control panel” in the search box and select Control Panel in the results.

Change View by Category:

If your Control Panel is not already in Category view, change it to Category view by selecting "Category" from the "View by" drop-down menu in the top-right corner of the Control Panel window.

Click on "Clock and Region":

In the Control Panel, click on the "Clock and Region" option.

Click on "Region":

Within the "Clock and Region" section, click on the "Region" link.

Change Formats Tab:

In the "Region" dialog box, go to the "Formats" tab.

Click "Additional settings...":

In the "Formats" tab, you'll see a button labeled "Additional settings..."; click on it.

Change the Current system locale:

A new window titled "Customize Format" will open. In the "Numbers" tab, you will find a section labeled "Current system locale." Here, you can select the desired system locale from the drop-down menu. Choose "English (United States)" if that's what you want.

Apply Changes:

After selecting the desired system locale, click the "OK" button in the "Customize Format" window.

Apply and Restart:

Back in the "Region" dialog box, click "Apply" and then confirm any prompts that appear.

Restart Your Computer:

To fully apply the changes, you will need to restart your server.

After following these steps, your server's locale settings should be updated to the selected locale, in this case, "English (United States)."

Important note: When installing on the latest Server 2022 builds, please ensure that the Beta checkbox is not selected.

image-20240317-103306.png

How to check if Windows Firewall is at ‘off’ state

To configure the Windows Firewall settings on the GYTPOL server, follow these steps:

Open Command Prompt as Administrator:

  • Click on "Start," type "cmd," and right-click on "Command Prompt."

  • Select "Run as Administrator" to open Command Prompt with administrative privileges.

Access Windows Firewall Settings:

In the Command Prompt, type firewall.cpl and press Enter.

Disable Firewall Components:

  • Ensure that the following components are set to "Off" (indicated by a red X):

    • Domain networks

    • Private networks

    • Guest or public networks

If Any Component is Set to "On" (Green):

  • Click on "Turn Windows Firewall on or off."

  • Set all tabs to "Off" and confirm the changes.

Access Services:

In the Command Prompt, type services.msc and press Enter.

Check Windows Firewall Service:

  • In the Services window, locate the service named "Windows Firewall."

  • Ensure that the service is set to "Automatic" and is running.


If the Service is Stopped and Startup Type is Disabled:

  • Double-click on the "Windows Firewall" service.

  • Change the Startup type to "Automatic."

  • Click on the "Start" button to start the service and wait for it to start.

  • After it has started, click "OK."

If Unable to Change Service:

Check the Group Policy settings to ensure that the Windows Firewall service is not disabled.

By following these steps, you will configure the Windows Firewall settings on the GYTPOL server to meet the specified requirements.

In case of using the Windows Firewall

To configure the Windows Firewall settings for GYTPOL on the server, please follow these detailed steps:

Open Command Prompt as Administrator:

  • Click on the "Start" menu, type "cmd" in the search bar.

  • Right-click on "Command Prompt" in the search results.

  • Select "Run as Administrator" to open Command Prompt with administrative privileges.

Access Windows Firewall Settings:

In the Command Prompt window, type firewall.cpl and press Enter.

Access Advanced Settings:

In the "Windows Firewall" window that appears, click on "Advanced settings." This will open "Windows Firewall with Advanced Security."

Create an Inbound Rule:

In the "Windows Firewall with Advanced Security" window, locate and select "Inbound Rules" in the left pane.

Add a New Rule:

Right-click on "Inbound Rules" and choose "New Rule."

Configure Rule Type:

In the "New Inbound Rule Wizard," select "Port" and click "Next."

Specify Protocol and Ports:

  • Choose "TCP" as the protocol type.

  • In the "Specific local ports" field, enter "9090,9093" to specify the required ports.

  • Click "Next."

Action:

Select "Allow the connection" and click "Next."

Profiles:

  • Ensure that "Domain" and "Private" profiles are selected.

  • Click "Next."

Name the Rule:

  • Provide a relevant name for the rule, such as "GYTPOL Port Access."

  • Optionally, you can add a description for reference.

  • Click "Finish" to create the rule.

By following these steps, you will have configured the Windows Firewall to allow inbound connections on TCP ports 9090 and 9093 for GYTPOL, ensuring that it functions as intended on your server.

How to Check if IPv6 is disabled (Optional)

To check if IPv6 is disabled on the GYTPOL server, you can follow these steps:

Open the Registry Editor:

  • Click on the "Start" button.

  • Type "regedit" in the search bar.

  • Select the "regedit" icon from the search results to open the Registry Editor. Please note that making changes to the Windows Registry can have significant consequences, so proceed with caution.

Navigate to the IPv6 Parameters:

In the Registry Editor, navigate to the following location:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > TCPIP6 > Parameters

Create a New DWORD Value:

  • Right-click on the "Parameters" key.

  • Hover over "New," and select "DWORD (32-bit) Value."

  • Replace the New Value #1 with DisabledComponents

  • Double click on DisabledComponents and set the value to ffffffff and press OK

How to Disable Internet Explorer Enhanced Security Configuration

To disable Internet Explorer Enhanced Security Configuration (IE ESC) on the GYTPOL server, please follow these steps:

Open Server Manager:

  • Click on the "Start" button, and in the search bar, type "Server Manager."

  • Select "Server Manager" from the search results to open the Server Manager console.

Access Local Server Settings:

  • In the Server Manager console, navigate to "Server Manager" in the left-hand navigation pane.

  • Click on "Local Server" under "Server Manager."

Locate IE Enhanced Security Configuration:

In the "Properties" section, scroll to the right until you find the option labeled "IE Enhanced Security Configuration."

Toggle the Setting to Off:

  • Click on the "IE Enhanced Security Configuration" option.

  • In the window that appears, set the toggle switch to "Off."

Disable IE ESC for Administrators and Users:

  • After setting IE Enhanced Security Configuration to "Off," locate the settings for "Administrators" and "Users" within the same window.

  • For both "Administrators" and "Users," change the setting from "On" to "Off."

Apply the Changes:

Click "OK" to confirm and apply the changes.

How to Disable Proxy Settings

To configure Internet Explorer proxy settings on the GYTPOL server, please follow these steps:

Open Control Panel:

  • Click on the "Start" button.

  • Type "Control Panel" in the search bar and select "Control Panel" from the search results.

Access Internet Options:

In the Control Panel, locate and click on "Internet Options."

Configure Proxy Settings:

  • In the "Internet Properties" window that opens, go to the "Connections" tab.

  • Under the "Local Area Network (LAN) settings" section, click the "LAN settings" button.

Adjust Proxy Settings:

In the "Local Area Network (LAN) Settings" window, uncheck the checkbox labeled "Use a proxy server for your LAN."

Apply the Changes:

  • Click "OK" to save the changes and close the "Local Area Network (LAN) Settings" window.

  • Click "OK" again to close the "Internet Options" window.

How to Check PowerShell Version and Restriction Mode

To check the PowerShell version and execution policy on the GYTPOL server, please follow these steps:

Open Windows PowerShell:

  • Click on the "Start" button.

  • Type "Powershell" in the search bar and select "Windows PowerShell" from the search results.

Check the PowerShell Version:

In the Windows PowerShell window, type the following command and press Enter: $PSVersionTable.PSVersion

Verify the PowerShell Version:

  • Ensure that the "Major" version is set to 5 or above.

  • Ensure that the "Minor" version is set to 1 or above.

Check the Execution Policy:

To check the PowerShell script execution policy, type the following command and press Enter: Get-ExecutionPolicy -List

Review Execution Policies:

Verify that the execution policy is not set to "Restricted" in any of its categories.

By following these steps, you can confirm the PowerShell version and review the execution policies to ensure that scripts are not restricted on the GYTPOL server.

Add the GYTPOL user to the Domain group: “Performance Log Users”

To add the GYTPOL user to the Domain group "Performance Log Users" using Active Directory tools (RSAT), follow these steps:

Open Command Prompt:

From a computer running Remote Server Administration Tools (RSAT), open a Command Prompt.

Access Active Directory Users and Computers:

In the Command Prompt, type dsa.msc and press ENTER. This command opens the Active Directory Users and Computers console.

Search for the "Performance Log Users" Group:

In the Active Directory Users and Computers console, use the search feature to locate the "Performance Log Users" group within your domain.

Add GYTPOL User:

  • Double-click on the "Performance Log Users" group to open its properties.

  • Navigate to the "Members" tab.

  • Click the "Add..." button to add a new member.

  • In the "Select Users, Computers, or Groups" dialog box, type the name of the GYTPOL user that you created earlier.

  • Click "OK" to confirm the selection.

  • Click "OK" again to close the "Select Users, Computers, or Groups" dialog box.

Save Changes:

  • Back in the "Performance Log Users Properties" window, click "OK" to save the changes and add the GYTPOL user to the group.

  • Click "OK" again to close the group's properties.

Adding a Local Administrator

To add a local admin on the GYTPOL server, follow these steps:

Open Command Prompt:

On the GYTPOL server, open Command Prompt.

Access Local Users and Groups:

In the Command Prompt, type lusrmgr.msc and press Enter. This command opens the Local Users and Groups management console.

Select Groups:

In the left pane of the Local Users and Groups console, select "Groups."

Open Administrators Group:

In the right pane, double-click on the "Administrators" group to open its properties.

Add a User:

In the "Administrators Properties" window, click the "Add..." button.

Specify Location:

Ensure that "From this location:" is set to the domain name and not the GYTPOL server itself.

Enter the User Name:

  • In the "Enter the object names to select" field, type "gytpolSvc."

  • Click on "Check Names" and wait for the name to be validated. It should appear with an underline and with the domain name.

Confirm and Add User:

Once the name is validated, click "OK" to confirm and add the "gytpolSvc" user to the Administrators group.

Logon as a batch

GYTPOL utilizes several tasks in the task scheduler to execute hourly, daily, and weekly routines using GYTPOLSVC account created earlier. To ensure these tasks operate without any limitations, it is essential to add the "Logon as a batch" privilege to the GYTPOLSVC account.

If there are no Group Policies with "logon as a batch" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a batch" policy on a server where GYTPOL is installed:

  1. Open Local Group Policy Editor:

    1. Go to a server where GYTPOL is installed.

    2. Open Command Prompt as an administrator.

    3. Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.

  2. Navigate to "Log on as a batch" Policy:

    1. In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

  3. Edit "Log on as a batch" Policy:

    1. Double-click on the "Log on as a batch" policy.

  4. Add User or Group:

    1. In the "Log on as a batch Properties" window, click on the "Add User or Group" button.

  5. Specify Domain and User:

    1. In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

    2. Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

    3. Ensure that "GytpolSvc" is the selected user and click "OK."

  6. Save Changes:

    1. Click "OK" in the "Log on as a batch Properties" window to save the changes.

If there are Group Policies with "logon as a batch" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):

Open Group Policy Management Console (GPMC):

  • Go to a computer where the Group Policy Management Console (GPMC) is installed. It is typically installed by default on all Domain Controllers.

  • Open Command Prompt as an administrator.

  • Type gpmc.msc and press Enter. This will open the Group Policy Management Console.

Edit the Applicable Group Policy:

  • In the GPMC, navigate to the specific Group Policy Object (GPO) where the "logon as a batch" restriction is set.

  • Right-click on the GPO and select "Edit" to open the Group Policy Editor.

Navigate to "Log on as a batch" Policy:

In the Group Policy Editor, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

Edit "Log on as a service" Policy:

Double-click on the "Log on as a batch" policy.

Add User or Group:

In the "Log on as a batch Properties" window, click on the "Add User or Group" button.

Specify Domain and User:

  • In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

  • Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

  • Ensure that "GytpolSvc" is the selected user and click "OK."

Save Changes:

Click "OK" in the "Log on as a batch Properties" window to save the changes.

Logon as a service

GYTPOL runs several services and microservices using the GYTPOLSVC account created earlier. To ensure these services operate without any limitations, it is crucial to add the "Logon as a service" privilege for the GYTPOLSVC account.

If there are no Group Policies with "logon as a service" restrictions, you can follow these steps to add the user "GytpolSvc" to the "Log on as a service" policy on a server where GYTPOL is installed:

  1. Open Local Group Policy Editor:

    1. Go to a server where GYTPOL is installed.

    2. Open Command Prompt as an administrator.

    3. Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.

  2. Navigate to "Log on as a service" Policy:

    1. In the Local Group Policy Editor window, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

  3. Edit "Log on as a service" Policy:

    1. Double-click on the "Log on as a service" policy.

  4. Add User or Group:

    1. In the "Log on as a service Properties" window, click on the "Add User or Group" button.

  5. Specify Domain and User:

    1. In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

    2. Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

    3. Ensure that "GytpolSvc" is the selected user and click "OK."

  6. Save Changes:

    1. Click "OK" in the "Log on as a service Properties" window to save the changes.

If there are Group Policies with "logon as a service" restrictions, and you need to add the "GytpolSvc" user to this policy, follow these steps using the Group Policy Management Console (GPMC):

Open Group Policy Management Console (GPMC):

  • Go to a computer where the Group Policy Management Console (GPMC) is installed. It is typically installed by default on all Domain Controllers.

  • Open Command Prompt as an administrator.

  • Type gpmc.msc and press Enter. This will open the Group Policy Management Console.

Edit the Applicable Group Policy:

  • In the GPMC, navigate to the specific Group Policy Object (GPO) where the "logon as a service" restriction is set.

  • Right-click on the GPO and select "Edit" to open the Group Policy Editor.

Navigate to "Log on as a service" Policy:

In the Group Policy Editor, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment

Edit "Log on as a service" Policy:

Double-click on the "Log on as a service" policy.

Add User or Group:

In the "Log on as a service Properties" window, click on the "Add User or Group" button.

Specify Domain and User:

  • In the "Select Users or Groups" dialog, select your domain from the "Locations" field.

  • Type "GytpolSvc" in the "Enter the object names to select" field and click on "Check Names" to validate the user.

  • Ensure that "GytpolSvc" is the selected user and click "OK."

Save Changes:

Click "OK" in the "Log on as a service Properties" window to save the changes.

Network access: Do not allow storage of passwords and credentials for network authentication

To configure the "Network access: Do not allow storage of passwords and credentials for network authentication" policy for GYTPOL, follow these steps:

If there are no Group Policies with this restriction:

Open Local Group Policy Editor:

  • Go to a server where GYTPOL is installed.

  • Open Command Prompt as an administrator.

  • Type gpedit.msc and press Enter. This will open the Local Group Policy Editor.

Navigate to the Policy:

In the Local Group Policy Editor, navigate to the following location: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Edit the Policy:

Double-click on the "Network access: Do not allow storage of passwords and credentials for network authentication" policy.

Disable the Policy:

  • In the policy properties window, select "Disabled."

  • Click "OK" to save the changes.

If there is a Group Policy with this restriction and you want to exclude GYTPOL server:

To exclude the GYTPOL server from this policy, you will need to modify the Group Policy that enforces this restriction. Specifically, you should create an exception or exclude the GYTPOL server from this policy within your Group Policy settings.

Validate the Setting:

You can validate the setting by running the following PowerShell command as an administrator on the GYTPOL server:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop | Select-Object -ExpandProperty disabledomaincreds

The expected output should be "0," indicating that the "Network access: Do not allow storage of passwords and credentials for network authentication" policy is not enforced or is disabled on the GYTPOL server.

DB Creator - external SQL only (for Installations of more than 3,000 devices)

To create a database user with the "dbcreator" role in SQL Server for installations of more than 3,000 devices, follow these steps:

Log in to the System:

Log in to the system using either your domain account (my_domain\my_account) or the local system administrator account.

Log in to SQL Server:

Log in to SQL Server using an account with administrator (sa) permissions.

Expand the Security Folder:

In SQL Server Management Studio (SSMS), expand the "Security" folder in the navigation tree on the left.

Create a New Login:

Right-click the "Logins" folder under the "Security" folder and select "New Login..."

Configure the New Login:

In the "New Login" dialog, under the "General" section, perform the following actions: 5.1. Select "Windows Authentication." 5.2. Click the "Search" button, enter a login name (for example, "GytpolSvc"), and then click "Check Names."

Verify the Resolved Account:

In the dialog that appears, verify that the resolved account is displayed as my_domain\GytpolSvc.

Assign Server Roles:

Under the "Server Roles" tab, add the "dbcreator" role to the user.

Confirm and Save:

Click "OK" to confirm the new login configuration.

By following these steps, you will have created a database user with the "dbcreator" role in SQL Server. This user will have sufficient privileges to create GYTPOL databases for environments with more than 3,000 devices.GPMC Permission

To perform group policy validation through GPO modeling, GYTPOLSVC requires delegation rights to execute GPO planning.

Active Directory Delegation – Group Policy Permission

To delegate Group Policy permission in Active Directory, follow these steps:

Open Active Directory Users and Computers:

Open "Active Directory Users and Computers" on your server.

Access Delegation Control:

  • Right-click on your domain (e.g., "yourDomain.com") in the left pane.

  • Select "Delegation Control..." from the context menu.

Initiate Delegation Wizard:

In the Delegation of Control Wizard, click "Next."

Select the GYTPOL User:

Click "Add" to select the GYTPOL user (mentioned in the table below). This user will receive the delegated permissions.

After adding the user, click "Next."

Choose Tasks to Delegate:

Under "Tasks to Delegate," select "Generate Resultant Set of Policy (Planning)."

Continue and Finish:

  • Click "Next" to proceed through any remaining steps.

  • Finally, click "Finish" to complete the delegation process.

How to Test Permissions

To test permissions for Group Policy Objects (GPOs) using the GYTPOLSVC user, follow these steps:

Open Group Policy Management Console (GPMC.MSC):

  • Open the Group Policy Management Console with the GYTPOLSVC user account created.

    • You can either log in to the server with the GYTPOLSVC user or run GPMC as a different user.

Navigate to "Group Policy Objects":

In GPMC, navigate to "Group Policy Objects" in the left pane.

Verify GPOs:

Make sure you can see all of the GPO items.

If GPOs Are Not Visible:

  • If you cannot see the GPO items, open GPMC as an administrator by running it with elevated privileges.

  • In GPMC, navigate to "Group Policy Objects" under "Forest" or "Domains."

  • In the right pane, go to the "Delegation" tab.

  • Click "Add..." and choose "GytpolSvc" from the user list. Click "OK."

Navigate to "Group Policy Modeling" and Simulate a Scenario:

In GPMC, navigate to "Group Policy Modeling."

Run the Group Policy Modeling Wizard:

Right-click on "Group Policy Modeling" and select "Group Policy Modeling Wizard."

Configure the Modeling Wizard:

  • Click "Next."

  • Choose your domain and your Primary Domain Controller (PDC) server. Click "Next."

  • Under "User Information," click "User:" and then "Browse..." to select your username.

  • Under "Computer Information," click "Computer:" and then "Browse..." to select your computer name. Click "Next."

  • Select "Loopback processing" and choose "Replace."

  • Under "Site," select your site name. Click "Next."

Complete the Wizard:

  • Continue clicking "Next" until the wizard is finished.

  • Review the results to verify that the GYTPOLSVC user has the necessary permissions to perform Group Policy Modeling.

By following these steps, you can test permissions and verify that the GYTPOLSVC user has the required access to Group Policy Objects and can perform Group Policy Modeling as needed.

Windows Features installation

To install Windows Features on the GYTPOL server, including Group Policy Management and Remote Server Administration Tools, follow these steps:

Open Server Manager:

Open Server Manager on the GYTPOL server.

Access "Add Roles and Features":

In Server Manager, click on "Add Roles and Features."

Navigate Through the Wizard:

Click "Next" until you reach the "Features" tab.

Select the Following Features:

Group Policy Management:

  • Remote Server Administration Tools:

    • Role Administration Tools:

  1. Active Directory module for PowerShell

  2. AD DS Tools

  3. AD LDS Snap-Ins and Command-Line Tools

Proceed with Installation:

Click "Next" to proceed.

Confirm and Install:

  • Review the selected features.

  • Click "Install" to start the installation process.

Wait for Installation to Complete:

Wait for the installation to finish. The progress will be displayed.

Once the installation is complete, the selected features, including Group Policy Management and Remote Server Administration Tools, will be installed on the GYTPOL server.

Automatic pre-checker tool

To use the Automatic Pre-checker tool for GYTPOL, follow these steps:

Download and Copy the Tool:

  • Download the Automatic Pre-checker tool from the following link: https://gytpol.com/checker.

  • Copy the downloaded tool to the GYTPOL server.

Run the Tool as Administrator:

  • Right-click on the downloaded tool.

  • Select "Run as Administrator" to start the Checker tool.

Enter the GYTPOL User:

  • In the Checker tool, enter the GYTPOL user in the format DOMAIN\gytpolSvc.

  • Press the "Check" button to start the checks.

Wait for Checks to Complete:

  • The checks will run for 1-2 minutes.

  • The checklist includes internal ports, DC communication ports, user permissions, DNS CName record, and other features to ensure they are set correctly.

Review the Results:

Once the checks are complete, review the results.

  • The results may include:

    • Red X sign (error): Indicates an error that needs to be fixed before installation. Hover over the question mark (?) for details on what needs to be done.

    • Yellow Exclamation mark (warning): Indicates a non-critical issue that can be addressed, but it's not required for installation.

    • Defender icon: Indicates that the check has passed.

Export Results:

  • If there were issues that needed to be fixed, once everything is set and fixed, click "Export results."

  • Send the log with the results to the assigned GYTPOL Point of Contact (PoC) engineer.

Exit the Tool:

Click "Exit" to close the Checker tool.

Restart the Server:

Restart the server before proceeding with the installation.

By following these steps, you can use the Automatic Pre-checker tool to ensure that your GYTPOL server meets the necessary requirements and configurations before installation.

Appendix 1 – SQL Technical Requirements

In this appendix, you will find the technical requirements for SQL Server in the context of GYTPOL installation:

Initial Storage Requirements for Database and Log Files:

  • Data: Allocate 40GB of storage for every 10,000 devices.

  • Log: Allocate 10GB of storage for every 10,000 devices.

SQL Collation/Character Set:

SQL Server collation/character set should be set to SQL_Latin1_General_CP1_CI_AS.

Database Recovery Model:

Databases' recovery model should be set to SIMPLE after the GYTPOL setup is complete.

Database User:

The GYTPOLSVC user created earlier should be assigned the db_creator role only for the initial GYTPOL setup. The db_creator role can be removed once the setup is complete.

Data Types:

  • The system stores data of the following types:

    • OLTP (Online Transactional Processing)

    • OLAP (Online Analytical Processing)

Data Access Method:

Data access method is .Net SQL client.

Unnecessary Components During MS SQL Installation:

  • The following components are not required during the MS SQL Server Installation:

    • Full-text engine

    • SQL Server Integration Services (SSIS)

    • SQL Server Reporting Services (SSRS)

    • SQL Server Analysis Services (SSAS)

    • T-SQL

    • Database mail setup

Database Administration (DBA):

The customer will be responsible for standard DBA routines and backups.

These technical requirements ensure that the SQL Server environment is properly configured to support the GYTPOL installation and operation effectively.

  • No labels