IKT

Simple admin guides for client, server, and network tasks

This page puts Office 365, Group Policy, Visual Studio, Samba, ACL, SSH, Apache localhost, Windows OOBE, and Mikrotik in one clear place.

How to use this page

Open the section you need, follow the steps in order, run the shown commands, and finish with the quick check.

All supplied tasks in one clean page

This page turns the supplied materials into one simple guide. The text is shorter, sorted, and free of note-style comments.

Each section shows the goal, the working steps, and the commands you can copy.

Windows client

Office 365, Group Policy, Visual Studio, and the Windows setup trick.

Linux server

Samba, ACL, SSH, and Apache localhost.

Network tasks

Shared folders, access rights, and tests from Windows.

Mikrotik

Router setup, Wi-Fi, SSH, backup, and AP work.

Windows

Install Office 365 from a server share

Use this when the install files are already prepared on a shared folder on the server.

Windows client, Shared folder, Office Deployment Tool

Steps

  1. On the client, create the working folder C:\odt.
  2. Open the shared path from the server, for example \\192.168.70.254\sdileny\install\odt-office.
  3. Copy setup.exe, the XML configuration file, and the other needed files into C:\odt.
  4. Open Command Prompt as administrator.
  5. Move to the folder C:\odt.
  6. Run setup.exe /configure configuration-Office365-x64.xml.
  7. Wait for the Microsoft 365 install window to finish.
  8. After the install, open Word or Excel and check that the app starts normally.

What must already exist

  1. The server must already share the install folder.
  2. The client must have read access to that folder.
  3. The folder must contain the correct file configuration-Office365-x64.xml.
  4. If the XML downloads packages from the internet, the client must also have internet access.

COMMANDS
CMD - Office 365
mkdir C:\odt
xcopy \\192.168.70.254\sdileny\install\odt-office\* C:\odt\ /E /I /Y
cd /d C:\odt
setup.exe /configure configuration-Office365-x64.xml

Windows

Group Policy Editor and local user setup

This is the full task written as small steps so you do not need to search through many menus.

lusrmgr.msc, gpedit.msc, Windows user

Task 1: create the user user

  1. Press Win + R.
  2. Type lusrmgr.msc and confirm.
  3. Open the Users folder.
  4. Right-click the empty area and choose New User.
  5. Enter the name user, set a password, and create the account.
  6. Check that the user is in the Users group.

Task 2: start Microsoft Edge after sign-in

  1. Press Win + R.
  2. Type shell:startup and confirm.
  3. Put a shortcut to Microsoft Edge into that folder.
  4. Sign out and sign in again to check that Edge starts automatically.

Task 3: block Control Panel access

  1. Press Win + R.
  2. Type gpedit.msc and confirm.
  3. Open User Configuration -> Administrative Templates -> Control Panel.
  4. Find the rule Prohibit access to Control Panel and PC settings.
  5. Open it and set it to Enabled.

Task 4: hide Documents in the Start menu

  1. In gpedit.msc, open User Configuration -> Administrative Templates -> Start Menu and Taskbar.
  2. Find the rule Remove Documents icon from Start Menu.
  3. Set it to Enabled.

Task 5: remove Recycle Bin from the desktop

  1. In gpedit.msc, open User Configuration -> Administrative Templates -> Desktop.
  2. Find the rule Remove Recycle Bin icon from desktop.
  3. Set it to Enabled.

Task 6: show This PC, Network, and the user files on the desktop

  1. Right-click the desktop and choose Personalize.
  2. Open Themes -> Desktop icon settings.
  3. Turn on Computer, User's Files, and Network.
  4. Confirm with OK.

Task 7: the user must not shut down the PC

  1. In gpedit.msc, open User Configuration -> Administrative Templates -> Start Menu and Taskbar.
  2. Find the rule Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands.
  3. Set it to Enabled.
  4. Sign out the user or run gpupdate /force.

Windows

Install Visual Studio from the server

This version uses a shared network folder and starts the offline installer from there.

Network drive J:, CMD, Visual Studio Community

Steps

  1. Open Command Prompt.
  2. Map the network drive with net use J: \\192.168.70.254\sdileny.
  3. Switch to drive J:.
  4. Open the folder install\vs22.
  5. Run vs_community.exe --noweb --wait.
  6. Wait until the install finishes.
  7. After the install, check that Visual Studio opens from the Start menu.

Quick check

  1. The drive J: must be available.
  2. The folder vs22 must contain the installer EXE.
  3. The install should finish without an error and without switching to a web installer.

COMMANDS
CMD - Visual Studio
net use J: \\192.168.70.254\sdileny
J:
cd install\vs22
vs_community.exe --noweb --wait

Debian

Install Samba and make the share work

This is a basic working version: two users, one group, one shared folder, and a test from Linux and Windows.

Debian, Samba, Shared folder

Steps on the server

  1. Install the packages samba and smbclient.
  2. Create the users karel and marie.
  3. Create the group sdileni and add both users to it.
  4. Create the folder /srv/data, set the owner to root:sdileni, and set permissions to 770.
  5. Add both users to Samba with smbpasswd -a.
  6. Add the share definition into /etc/samba/smb.conf.
  7. Run testparm -s and restart smbd and nmbd.

Quick check

  1. Check the service with systemctl status smbd and systemctl status nmbd.
  2. On Linux, test the share list with smbclient -L localhost -U karel.
  3. On Windows, open \\SERVER_IP\data.
  4. Sign in with karel or marie.

COMMANDS
Debian - Samba install
sudo apt update
sudo apt install samba smbclient
sudo adduser karel
sudo adduser marie
sudo groupadd sdileni
sudo usermod -aG sdileni karel
sudo usermod -aG sdileni marie
sudo mkdir -p /srv/data
sudo chown root:sdileni /srv/data
sudo chmod 770 /srv/data
sudo smbpasswd -a karel
sudo smbpasswd -a marie
sudo nano /etc/samba/smb.conf
sudo testparm -s
sudo systemctl restart smbd nmbd
systemctl status smbd
systemctl status nmbd
smbclient -L localhost -U karel

COMMANDS
/etc/samba/smb.conf
[data]
path = /srv/data
browseable = yes
read only = no
valid users = karel marie @sdileni
create mask = 0660
directory mask = 0770

Debian

ACL permissions for Pavel, Dana, and Radek

This part turns the folder tree and permission table into one working Debian and Samba setup.

ACL, Samba, Pavel / Dana / Radek

Folder                 | Pavel              | Dana        | Radek
THP / documents        | full               | none        | none
THP / private          | full               | none        | none
THP / shared           | read, save, delete | none        | none
ACCOUNTING / documents | none               | full        | read, execute
ACCOUNTING / work      | none               | read, write | read, write
FOREMAN / documents    | none               | none        | full
FOREMAN / shared       | read               | none        | rwx
FOREMAN / programs     | rw                 | read        | rwx

Steps

  1. Install the packages samba and acl.
  2. Create the users pavel, dana, and radek.
  3. Create the folder tree from the task.
  4. Set pass-through access on the top folders and set 770 on the working subfolders.
  5. Use setfacl to set user rights on each folder.
  6. Set the same ACL rules as default so new files inherit them.
  7. Add the users to Samba and share /srv/firma/home/zamestnanci.

Quick check

  1. Check the rights with getfacl.
  2. After restarting Samba, connect to the share from Windows.
  3. Sign in as Pavel, Dana, and Radek and test the correct folders.
  4. A user must not see or change folders that are not allowed by the table.

COMMANDS
Debian - ACL and folder tree
sudo apt update
sudo apt install samba acl
sudo adduser pavel
sudo adduser dana
sudo adduser radek
sudo mkdir -p /srv/firma/home/zamestnanci/THP/{dokumenty,soukrome,sdilene}
sudo mkdir -p /srv/firma/home/zamestnanci/UCETNI/{dokumenty,prace}
sudo mkdir -p /srv/firma/home/zamestnanci/MISTR/{dokumenty,sdilene,programy}
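sudo chmod 755 /srv/firma /srv/firma/home /srv/firma/home/zamestnanci
# Top folders stay pass-through (755); only the working subfolders get 770.
# Without -mindepth 2, find would also set 770 on zamestnanci and the top folders,
# which are owned by root, so pavel, dana, and radek could not enter them.
sudo chmod 755 /srv/firma/home/zamestnanci/{THP,UCETNI,MISTR}
sudo find /srv/firma/home/zamestnanci -mindepth 2 -type d -exec chmod 770 {} \;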

BASE=/srv/firma/home/zamestnanci

# THP
sudo setfacl -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/dokumenty
sudo setfacl -d -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/dokumenty
sudo setfacl -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/soukrome
sudo setfacl -d -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/soukrome
sudo setfacl -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/sdilene
sudo setfacl -d -m u:pavel:rwx,u:dana:---,u:radek:--- $BASE/THP/sdilene

# UCETNI
sudo setfacl -m u:pavel:---,u:dana:rwx,u:radek:r-x $BASE/UCETNI/dokumenty
sudo setfacl -d -m u:pavel:---,u:dana:rwx,u:radek:r-x $BASE/UCETNI/dokumenty
sudo setfacl -m u:pavel:---,u:dana:rwx,u:radek:rwx $BASE/UCETNI/prace
sudo setfacl -d -m u:pavel:---,u:dana:rwx,u:radek:rwx $BASE/UCETNI/prace

# MISTR
sudo setfacl -m u:pavel:---,u:dana:---,u:radek:rwx $BASE/MISTR/dokumenty
sudo setfacl -d -m u:pavel:---,u:dana:---,u:radek:rwx $BASE/MISTR/dokumenty
sudo setfacl -m u:pavel:r-x,u:dana:---,u:radek:rwx $BASE/MISTR/sdilene
sudo setfacl -d -m u:pavel:r-x,u:dana:---,u:radek:rwx $BASE/MISTR/sdilene
sudo setfacl -m u:pavel:rwx,u:dana:r-x,u:radek:rwx $BASE/MISTR/programy
sudo setfacl -d -m u:pavel:rwx,u:dana:r-x,u:radek:rwx $BASE/MISTR/programy

sudo smbpasswd -a pavel
sudo smbpasswd -a dana
sudo smbpasswd -a radek
sudo getfacl $BASE/MISTR/programy

COMMANDS
/etc/samba/smb.conf - employees
[zamestnanci]
path = /srv/firma/home/zamestnanci
browseable = yes
read only = no
valid users = pavel dana radek
create mask = 0660
directory mask = 0770
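
Added example, not part of the original page: the Quick check above relies on getfacl, but the rights a user really gets are the named entry filtered by the ACL mask, which a later chmod can narrow. The script below parses getfacl output and compares the effective rights with the permission table (ACCOUNTING / documents is UCETNI/dokumenty in the commands). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the sample
# getfacl output are constructed for illustration.

# effective_rights USER: read `getfacl` output on stdin and print the rights
# the named user really has (named entry AND mask), e.g. "r-x".
# Prints "none" when the user has no named entry in the access ACL.
effective_rights() {
  awk -v user="$1" -F: '
    /^#/ || NF < 3 { next }             # header comments and blank lines
    { sub(/[ \t]*#.*/, "", $3) }        # strip a trailing "#effective:..." note
    $1 == "mask" { mask = $3 }
    $1 == "user" && $2 == user { perm = $3; found = 1 }
    END {
      if (!found) { print "none"; exit }
      if (mask == "") mask = "rwx"      # no mask entry: nothing is filtered
      out = ""
      for (i = 1; i <= 3; i++) {
        p = substr(perm, i, 1); m = substr(mask, i, 1)
        c = (p != "-" && m != "-") ? p : "-"
        out = out c
      }
      print out
    }'
}

# check_acl USER EXPECTED: return 0 when the effective rights match the table.
check_acl() {
  got=$(effective_rights "$1")
  [ "$got" = "$2" ] && return 0
  echo "MISMATCH user=$1 expected=$2 effective=$got" >&2
  return 1
}

# Constructed sample: UCETNI/dokumenty after a later `chmod 750`, which
# narrows the ACL mask from rwx to r-x and silently removes the write bit.
SAMPLE_NARROWED='# file: srv/firma/home/zamestnanci/UCETNI/dokumenty
# owner: root
# group: root
user::rwx
user:pavel:---
user:dana:rwx    #effective:r-x
user:radek:r-x
group::rwx    #effective:r-x
mask::r-x
other::---'

# Dana should have "full" per the table; this reports the mismatch.
printf '%s\n' "$SAMPLE_NARROWED" | check_acl dana rwx || true
```

On the server, feed it live output instead of the sample, for example `getfacl /srv/firma/home/zamestnanci/UCETNI/dokumenty | check_acl radek r-x`.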
Debian + Windows

Install SSH on Linux and connect from Windows

If Samba AD runs on Linux, SSH is installed on the same server. The Windows client then connects with the built-in SSH client or with PuTTY.

openssh-server, Windows client, Samba AD server

Debian / Samba AD server

  1. Install openssh-server.
  2. Start the ssh service and enable auto-start.
  3. Check that it listens on port 22.
  4. If you use a firewall, allow the SSH port.
  5. On a Samba AD server, use an account that has a shell and permission to manage the server.

Windows client

  1. Open PowerShell or CMD.
  2. If OpenSSH Client is installed, use ssh user@IP.
  3. If you use PuTTY, enter the server IP, choose SSH, and use port 22.
  4. On the first connection, confirm the fingerprint and enter the password.
  5. After sign-in, check the server with hostname or ip a.

COMMANDS
Debian + Windows - SSH
sudo apt update
sudo apt install openssh-server
sudo systemctl enable --now ssh
sudo systemctl status ssh
sudo ss -tlnp | grep :22

# Windows client (PowerShell or CMD)
ssh user@192.168.70.254

Debian

Debian / Apache: make localhost work

The fastest working version is to install Apache, start the service, and check the default page on http://localhost.

apache2, localhost, Web server

Steps

  1. Install the package apache2.
  2. Start the service and enable auto-start.
  3. On the server, open http://localhost in a browser.
  4. If the default Apache page appears, the server is working.
  5. Put your own test page into /var/www/html/index.html.
  6. After editing the page, refresh the browser or use curl http://localhost.

Quick check

  1. systemctl status apache2 must show an active service.
  2. http://localhost must open in a browser.
  3. From another PC on the network you can also test http://SERVER_IP.

COMMANDS
Debian - Apache localhost
sudo apt update
sudo apt install apache2
sudo systemctl enable --now apache2
systemctl status apache2
curl http://localhost
sudo nano /var/www/html/index.html

COMMANDS
/var/www/html/index.html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Apache test</title>
</head>
<body>
  <h1>Apache works on Debian</h1>
  <p>This page is served by localhost.</p>
</body>
</html>

Windows 11

Shift + F10 and the OOBE command

Use this during the first Windows setup when you need to open Command Prompt inside the setup process.

Shift + F10, CMD, OOBE

Steps

  1. During the first Windows setup, press Shift + F10.
  2. Command Prompt opens.
  3. Type OOBE\BYPASSNRO.
  4. After the restart, continue with the setup path that your Windows version allows.

Important

  1. The original notes had a typo. The correct command is OOBE\BYPASSNRO.
  2. If one Windows build does not accept the command, continue with another available setup option.

COMMANDS
Windows OOBE
Shift + F10
OOBE\BYPASSNRO

Mikrotik

Mikrotik setup from the supplied task

Both Mikrotik tasks are rewritten below in the order that is easiest to configure in WinBox.

WinBox, DHCP, Wi-Fi, SSH 10022

Task 1: router 192.168.50.1, Wi-Fi demo_test, SSH port 10022

  1. Open System -> Reset Configuration and tick No Default Configuration.
  2. After restart, set 192.168.50.1/24 on the LAN or bridge interface.
  3. Run IP -> DHCP Server -> DHCP Setup and make a pool with only 5 addresses.
  4. In Wireless, set the SSID to demo_test.
  5. In Security Profiles, set WPA and WPA2 and use the password mikrotik.
  6. In IP -> Services, keep WinBox enabled, change SSH to port 10022, and disable the other unused services.
  7. On the client, install PuTTY and test the router IP on port 10022.
  8. In WinBox, create a backup named routerbackup.

Task 2: Router 1 and Router 2 as an AP over PoE

  1. On Router 1, set IP 192.168.60.1/24.
  2. Set DHCP for only 5 addresses.
  3. Power Router 2 from Router 1 over PoE.
  4. Set Router 2 as an access point.
  5. Set Wi-Fi SSID to zkouska and the password to test.
  6. Set the AP address range to the network 10.20.x.x with mask 255.255.0.0.
  7. After you connect everything, check that a client gets an address from the range and joins the Wi-Fi.

COMMANDS
WinBox - Task 1
System -> Reset Configuration -> tick No Default Configuration
IP -> Addresses -> 192.168.50.1/24 on LAN/bridge
IP -> DHCP Server -> DHCP Setup -> pool for example 192.168.50.10-192.168.50.14
Wireless -> SSID demo_test
Wireless -> Security Profiles -> WPA/WPA2, password mikrotik
IP -> Services -> keep WinBox, move SSH to port 10022, disable the others
Files -> Backup -> name routerbackup

COMMANDS
WinBox - Task 2
Router 1: 192.168.60.1/24, DHCP range for 5 addresses
Router 2: power over PoE from Router 1
Set Router 2 as AP
SSID: zkouska
Wi-Fi password: test
AP network: 10.20.x.x / 255.255.0.0