samba - Feb 2015 - Is Server-side GPO Configuration possible? (for logon script)

On 26/02/15 16:54, Marc Muehlfeld wrote:
> Hello John,
>
> Am 26.02.2015 um 12:17 schrieb John:
>> Is it possible to make GPO changes from the server (i.e. without using
>> Windows) ?
> No. There's no tool for *nix, to edit GPOs. At least I've never
seen
> one. :-)
>
>
> Regards,
> Marc
>
Shame, that. But I kind of expected that to be the answer.

I guess the next best thing is to script it on Windows. Provide a script
(perhaps in sysvol/scripts) that can be run on a windows box as a domain
admin to finish the configuration. I guess this would be a Windows
Powershell script.

Here I go off into unknown waters. Has anyone done this that could
provide some insight?

Hi John
> On 26/02/15 16:54, Marc Muehlfeld wrote:
>> Hello John,
>>
>> Am 26.02.2015 um 12:17 schrieb John:
>>> Is it possible to make GPO changes from the server (i.e. without
using
>>> Windows) ?
>> No. There's no tool for *nix, to edit GPOs. At least I've never
seen
>> one. :-)
>>
>>
>> Regards,
>> Marc
>>
> Shame, that. But I kind of expected that to be the answer.
>
> I guess the next best thing is to script it on Windows. Provide a script
> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
> admin to finish the configuration. I guess this would be a Windows
> Powershell script.
>
> Here I go off into unknown waters. Has anyone done this that could
> provide some insight?
I don't know how much there is in common between local gpo and domain 
gpo, but I had to dive in the local gpo subject for another software I 
working on [1]. If you don't want gui and powershell, the documentation 
is really scarce and most code sample you can find don't properly create 
the GPO. You can checkout our local gpo code here:

https://github.com/tranquilit/WAPT/blob/master/setuphelpers.py#L1340

Hope this helps,

Denis

[1] WAPT, Windows apt-get : 
http://dev.tranquil.it/wiki/WAPT_-_apt-get_pour_Windows (sorry, website 
is in French, but comments in the code are in English :-)
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, b?timent A
12 avenue Jules Verne
44230 Saint S?bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Am 27.02.2015 um 09:42 schrieb John:
> Shame, that. But I kind of expected that to be the answer.
> 
> I guess the next best thing is to script it on Windows. Provide a script
> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
> admin to finish the configuration. I guess this would be a Windows
> Powershell script.
> 
> Here I go off into unknown waters. Has anyone done this that could
> provide some insight?

What is your final goal?

You said you want to provide a logon script. This is possible without
GPO if you put it to the netlogon share and mention it in each users
account settings. But GPO based logon scripts also work.

I don't understand, why you want to script now something in windows?



Regards,
Marc

On 27/02/15 14:34, Marc Muehlfeld wrote:
> Am 27.02.2015 um 09:42 schrieb John:
>> Shame, that. But I kind of expected that to be the answer.
>>
>> I guess the next best thing is to script it on Windows. Provide a
script
>> (perhaps in sysvol/scripts) that can be run on a windows box as a
domain
>> admin to finish the configuration. I guess this would be a Windows
>> Powershell script.
>>
>> Here I go off into unknown waters. Has anyone done this that could
>> provide some insight?
>
> What is your final goal?
>
> You said you want to provide a logon script. This is possible without
> GPO if you put it to the netlogon share and mention it in each users
> account settings. But GPO based logon scripts also work.
>
> I don't understand, why you want to script now something in windows?
>
I have a logon script and I can manually activate it using the Windows tools
(see this screenshot: http://i.imgur.com/84pBo8e.png).

I am building a scripted install of Samba ADDS that sets up a new
server. This is performed on a Linux machine and deploys a preconfigured
new server.

I want that scripted install to do absolutely everything necessary to
produce a final working system that end-users can log in to.

The server has a login script that sets up the user environment upon
login. Right now, this just sets up some shares but it could be used for
other things.
(example:
\\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)

The login script needs to be activated (not sure if that's the right
term?) in the GPO. This needs to be done manually using the tools
depicted in the screen-shot.

I am using GPO rather than per-user account settings because it is the
cleaner approach hopefully requiring less maintenance.

I ideally want to do the script activation as part of the scripted
install so that no further action is required.

However, it does not appear to be possible to do that directly on the
Samba server. So the next best thing is to provide a configuration
script that can be run by an administrator on the new server before
regular users log in. This script would perform the tasks that currently
need to be done by hand via the GUI.

So that's what I want to do - provide a script to install a logon script
without having to use the Windows GUI. Ideally I would do this
server-side but a script to be run by an administrator on Windows is an
acceptable compromise.

Does that explain it ok?

Thanks for trying to help,
John
>
> Regards,
> Marc
>
>