# ecs-system

Part of **ECS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Troubleshoot system-level issues on ECS instances](../../intent/ecs-troubleshoot-issues/SKILL.md). If you're unsure which path to take, check the routing skill first.

# ECS System Management Console Guide

## Operations Overview

| Operation | Console Entry | Prerequisites | Description |
|----------|---------------|---------------|-------------|
| Disable Privacy Setup on First Login | Portal > Active Directory > Group Policy Management | - Group Policy Management Console (GPMC) installed and configured<br>- Write permissions to the target Organizational Unit (OU)<br>- Target devices joined to domain | Disables the Windows privacy settings wizard during initial user logon using Group Policy. |
| Configure Account Lockout Policy | Terminal / SSH session on Ubuntu 20.04 instance | - Backup of `/etc/pam.d/` files<br>- Active root SSH session (preferably two terminals open) | Configures account lockout behavior on Ubuntu 20.04 using `pam_faillock.so`; no GUI/console involved. |

## Operation Steps

### Disable Privacy Setup on First Login

**Navigation**: Portal > Active Directory > Group Policy Management

**Prerequisites**:
- Group Policy Management Console (GPMC) installed and configured
- Write permissions to the target Organizational Unit (OU)
- Target devices joined to domain

1. Open the Group Policy Management Console (GPMC)
   - Element: **Group Policy Management Console (GPMC)** (link) — located in Start Menu or Server Manager Tools
   - Notes: Ensure you are logged in with domain admin privileges.

2. Create a new Group Policy Object (GPO) or edit an existing one
   - Element: **GPO** (button) — right-side panel in GPMC console
   - Notes: Link the GPO to the OU containing target users or computers based on your deployment scope.

3. Navigate to the OOBE privacy policy setting and enable it
   - Element: **Don’t launch privacy settings experience on user logon** (checkbox) — under User Configuration\Administrative Templates\Windows Components\OOBE
   - Notes: Choose either User Configuration or Computer Configuration based on whether the policy should apply per-user or per-machine.

**Form Fields**: None

### Configure Account Lockout Policy

**Navigation**: Not applicable (performed via terminal on Ubuntu 20.04 instance)

**Prerequisites**:
- Backup of `/etc/pam.d/` files
- Active root SSH session (preferably two terminals open)

1. Access the Ubuntu 20.04 instance via SSH as root or a sudo-capable user
   - Element: N/A (terminal command line)
   - Notes: Keep a second terminal session open in case the configuration locks you out.

2. Edit PAM configuration files (e.g., `/etc/pam.d/common-auth`) to include `pam_faillock.so`
   - Element: N/A (text editor such as `nano` or `vim`)
   - Notes: Add lines like `auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900` before other auth lines.

3. Configure `/etc/security/faillock.conf` to set global lockout parameters
   - Element: N/A (configuration file)
   - Notes: Options include `deny`, `unlock_time`, `even_deny_root`, and `root_unlock_time`. Use `even_deny_root` cautiously.

4. Test the lockout behavior with a non-root account
   - Element: N/A (command line)
   - Notes: After 5 failed attempts (or your configured `deny` value), the account should be locked for the specified duration.

**Form Fields**: None
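
A pre-flight check for steps 2 and 3, meant to be run before closing the spare root session. This is an added example, not part of the original guide: `check_faillock` and `first_auth_line` are hypothetical helpers, the sample files are constructed, and the `authfail`, `authsucc` and `account` lines it looks for come from the pam_faillock(8) man page rather than from this page.

```shell
#!/bin/sh
# Added example; check_faillock and first_auth_line are hypothetical helpers.

# Print the line number of the first active "auth" line matching regex $2.
first_auth_line() {
    awk -v pat="$2" '$1 == "auth" && $0 ~ pat { print NR; exit }' "$1"
}

# Usage: check_faillock AUTH_FILE ACCOUNT_FILE FAILLOCK_CONF
# Returns the number of problems found (0 means the ordering looks sane).
check_faillock() {
    problems=0
    pre=$(first_auth_line "$1" 'pam_faillock[.]so.*preauth')
    unix=$(first_auth_line "$1" 'pam_unix[.]so')
    fail=$(first_auth_line "$1" 'pam_faillock[.]so.*authfail')
    succ=$(first_auth_line "$1" 'pam_faillock[.]so.*authsucc')

    # preauth refuses an already locked account, so it precedes the password check.
    if [ -z "$pre" ] || [ -z "$unix" ] || [ "$pre" -gt "$unix" ]; then
        echo "FAIL: no preauth line before pam_unix.so in $1"
        problems=$((problems + 1))
    fi
    # authfail records the failure, so it must follow the password check.
    if [ -z "$fail" ] || [ -z "$unix" ] || [ "$fail" -lt "$unix" ]; then
        echo "FAIL: no authfail line after pam_unix.so in $1"
        problems=$((problems + 1))
    fi
    # The tally is cleared on success by an authsucc line or an account line.
    if [ -z "$succ" ] && ! awk '$1 == "account" && /pam_faillock[.]so/ { ok = 1 }
            END { exit !ok }' "$2"; then
        echo "FAIL: no authsucc or account pam_faillock.so line to reset the tally"
        problems=$((problems + 1))
    fi
    if grep -Eq '^[[:space:]]*even_deny_root' "$3" 2>/dev/null; then
        echo "WARN: even_deny_root is set in $3; root can be locked out"
    fi
    return "$problems"
}

# Constructed sample: only the preauth line from step 2, placed after pam_unix.so.
tmp=$(mktemp -d)
printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok' \
    'auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900' \
    > "$tmp/common-auth"
printf '%s\n' 'account required pam_unix.so' > "$tmp/common-account"
printf '%s\n' 'deny = 5' 'unlock_time = 900' 'even_deny_root' > "$tmp/faillock.conf"
check_faillock "$tmp/common-auth" "$tmp/common-account" "$tmp/faillock.conf" ||
    echo "problems found: $?"
rm -rf "$tmp"
```

The check covers line ordering only; it does not validate `[success=N]` jump counts in the stack, so the login test in step 4 is still required.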

## FAQ

Q: Where can I find the "Don’t launch privacy settings experience on user logon" policy in Group Policy?
A: It is located under User Configuration → Administrative Templates → Windows Components → OOBE in the Group Policy Management Editor.

Q: Can I apply the Windows privacy disable policy to computers instead of users?
A: Yes. You can configure the same setting under Computer Configuration if you want the policy to apply regardless of the user logging in.

Q: Does configuring account lockout on Ubuntu require a GUI or web console?
A: No. This operation is performed entirely through terminal commands and file editing on the Ubuntu instance itself; no web-based console is used.

Q: What happens if I lock out the root account on Ubuntu during configuration?
A: If `even_deny_root` is enabled and root exceeds the allowed number of failed attempts, root will be locked out. Always keep a backup session open, and avoid enabling `even_deny_root` unless absolutely necessary.

Q: Do these system management operations incur any cloud usage fees?
A: No. Both operations involve local system or domain-level configuration and do not trigger any billable cloud resources or services.

## Pricing & Billing

### Billing Model
free

### Free Tier
No free tier limits apply; this functionality uses built-in OS or domain policy features and incurs no additional cost.

### Billing Notes
These operations involve only system configuration changes and do not consume billable cloud resources. No charges are associated with applying Group Policy or editing PAM configurations on ECS instances.