John
2015-Feb-26 11:17 UTC
[Samba] Is Server-side GPO Configuration possible? (for logon script)
Is it possible to make GPO changes from the server (i.e. without using
Windows) ?
I would like to include some configuration in my build-out script and
wonder if it is possible. Specifically, I am trying to provide a logon
script. Here's what I know.
1. I can identify the correct GPO GUID object using "samba-tool gpo
listall" or with something like this
$ ldbsearch -H /var/lib/samba/private/sam.ldb displayName="Default Domain Policy" name | grep name | cut -d' ' -f2
2. I then write my "logon.bat" script, chmod 755, to
/var/lib/samba/sysvol/<domain>/Policies/{<GPO GUID>}/USER/Scripts/Logon/logon.bat
3. Enabling the script on windows (with the "Group Policy Management"
tool) alters the following files:
(a) /var/lib/samba/private/sam.ldb
(b) /var/lib/samba/private/sam.ldb.d/DC=MYDOMAIN,DC=CO,DC=UK.ldb
The change in (a) adds a GUID to "gPCUserExtensionNames" within object
DN "CN={<GPO GUID>},CN=Policies,CN=System,DC=mydomain...."
A similar change is made in (b), plus "replPropertyMetaData" is
altered. This I can view using "ldp.exe" on Windows but I don't
understand it.
There may be other things that happen that I am unaware of. I am
stopping myself from delving in further and reverse-engineering it!
I'd like to be able to script the GPO changes to enable the logon
script. I've looked at "samba-tool gpo" but wonder if this is at all
possible?
If this is documented anywhere please let me know - I couldn't find
anything about doing GPO configuration on the server.
(I found a question on the ML
https://lists.samba.org/archive/samba/2013-March/172079.html but it just
points the OP to ADUC tool on Windows)
TIA
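
Steps 1 and 2 of the post above, plus a read-only check for the "gPCUserExtensionNames" change described in step 3, as an added example that is not part of the original post or of Samba. The two Scripts extension GUIDs are the standard Windows values and do not come from the thread; the GPO GUID, domain name and LDIF sample are constructed, and base64-encoded ("name::") values are not handled.

```shell
#!/bin/sh
# Added example. Scripts client-side extension and its snap-in GUID (standard Windows values).
SCRIPTS_CSE='{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'
SCRIPTS_TOOL='{40B66650-4972-11D1-A7CA-0000F87571E3}'

# Print the first value of attribute $1 from ldbsearch LDIF on stdin.
# Folded lines (continuations start with one space) are joined first.
ldif_attr() {
    awk -v want="$1" '
        function emit() {
            if (tolower(substr(line, 1, length(want) + 2)) == (tolower(want) ": ")) {
                print substr(line, length(want) + 3); found = 1
            }
        }
        /^ / { line = line substr($0, 2); next }
        { if (!found && line != "") emit(); line = $0 }
        END { if (!found && line != "") emit() }'
}

# Accept only a braced GUID, so the value cannot smuggle "/" or ".." into a path.
is_gpo_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[{][0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}[}]$'
}

# $1 = DNS domain, $2 = GPO GUID; prints the logon.bat location from step 2.
gpo_logon_script_path() {
    is_gpo_guid "$2" || return 1
    printf '%s/%s/Policies/%s/USER/Scripts/Logon/logon.bat\n' \
        "${SYSVOL:-/var/lib/samba/sysvol}" "$1" "$2"
}

# Succeeds if the GPO record on stdin lists the user Scripts extension pair.
gpo_user_scripts_enabled() {
    ext=$(ldif_attr gPCUserExtensionNames | tr 'a-f' 'A-F')
    case "$ext" in
        *"[${SCRIPTS_CSE}${SCRIPTS_TOOL}]"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of ldbsearch output (not taken from a real domain).
SAMPLE_LDIF='# record 1
dn: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=mydomai
 n,DC=co,DC=uk
name: {11111111-2222-3333-4444-555555555555}
gPCUserExtensionNames: [{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-1
 1D1-A7CA-0000F87571E3}]'

gpo_logon_script_path mydomain.co.uk "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr name)"
```

On a DC the LDIF would come from the ldbsearch command in step 1 with "gPCUserExtensionNames" added to the requested attributes; the check only reads the record and changes nothing.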
Marc Muehlfeld
2015-Feb-26 16:54 UTC
Hello John,

On 26.02.2015 at 12:17, John wrote:
> Is it possible to make GPO changes from the server (i.e. without using
> Windows) ?

No. There's no tool for *nix, to edit GPOs. At least I've never seen one. :-)

Regards,
Marc
John
2015-Feb-27 08:42 UTC
On 26/02/15 16:54, Marc Muehlfeld wrote:
> Hello John,
>
> On 26.02.2015 at 12:17, John wrote:
>> Is it possible to make GPO changes from the server (i.e. without using
>> Windows) ?
> No. There's no tool for *nix, to edit GPOs. At least I've never seen
> one. :-)
>
> Regards,
> Marc

Shame, that. But I kind of expected that to be the answer.

I guess the next best thing is to script it on Windows. Provide a script (perhaps in sysvol/scripts) that can be run on a Windows box as a domain admin to finish the configuration. I guess this would be a Windows PowerShell script. Here I go off into unknown waters. Has anyone done this that could provide some insight?