John
2015-Feb-27 15:03 UTC
[Samba] Is Server-side GPO Configuration possible? (for logon script)
On 27/02/15 14:34, Marc Muehlfeld wrote:
> On 27.02.2015 at 09:42, John wrote:
>> Shame, that. But I kind of expected that to be the answer.
>>
>> I guess the next best thing is to script it on Windows. Provide a script
>> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
>> admin to finish the configuration. I guess this would be a Windows
>> Powershell script.
>>
>> Here I go off into unknown waters. Has anyone done this that could
>> provide some insight?
>
> What is your final goal?
>
> You said you want to provide a logon script. This is possible without
> GPO if you put it to the netlogon share and mention it in each user's
> account settings. But GPO based logon scripts also work.
>
> I don't understand, why you want to script now something in windows?
>

I have a logon script and I can manually activate it using the Windows tools (see this screenshot: http://i.imgur.com/84pBo8e.png).

I am building a scripted install of Samba ADDS that sets up a new server. This is performed on a Linux machine and deploys a preconfigured new server.

I want that scripted install to do absolutely everything necessary to produce a final working system that end-users can log in to.

The server has a login script that sets up the user environment upon login. Right now, this just sets up some shares but it could be used for other things.
(example: \\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)

The login script needs to be activated (not sure if that's the right term?) in the GPO. This needs to be done manually using the tools depicted in the screen-shot.

I am using GPO rather than per-user account settings because it is the cleaner approach hopefully requiring less maintenance.

I ideally want to do the script activation as part of the scripted install so that no further action is required.

However, it does not appear to be possible to do that directly on the Samba server. So the next best thing is to provide a configuration script that can be run by an administrator on the new server before regular users log in. This script would perform the tasks that currently need to be done by hand via the GUI.

So that's what I want to do - provide a script to install a logon script without having to use the Windows GUI. Ideally I would do this server-side but a script to be run by an administrator on Windows is an acceptable compromise.

Does that explain it ok?

Thanks for trying to help,
John

>
> Regards,
> Marc
Marc Muehlfeld
2015-Feb-27 16:39 UTC
[Samba] Is Server-side GPO Configuration possible? (for logon script)
Hello John,

On 27.02.2015 at 16:03, John wrote:
> I have a logon script and I can manually activate it using the Windows tools
> (see this screenshot: http://i.imgur.com/84pBo8e.png).
>
> I am building a scripted install of Samba ADDS that sets up a new
> server. This is performed on a Linux machine and deploys a preconfigured
> new server.
>
> I want that scripted install to do absolutely everything necessary to
> produce a final working system that end-users can log in to.
>
> The server has a login script that sets up the user environment upon
> login. Right now, this just sets up some shares but it could be used for
> other things.
> (example:
> \\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)
>
> The login script needs to be activated (not sure if that's the right
> term?) in the GPO. This needs to be done manually using the tools
> depicted in the screen-shot.
>
> I am using GPO rather than per-user account settings because it is the
> cleaner approach hopefully requiring less maintenance.
>
> I ideally want to do the script activation as part of the scripted
> install so that no further action is required.
>
> However, it does not appear to be possible to do that directly on the
> Samba server. So the next best thing is to provide a configuration
> script that can be run by an administrator on the new server before
> regular users log in. This script would perform the tasks that currently
> need to be done by hand via the GUI.
>
> So that's what I want to do - provide a script to install a logon script
> without having to use the Windows GUI. Ideally I would do this
> server-side but a script to be run by an administrator on Windows is an
> acceptable compromise.
>
> Does that explain it ok?

OK. Things getting clearer now.

Should the logon script be part of the Default Domain policy? This one always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can configure your stuff and then copy the content from one DC to a new one. But reset the ACLs afterwards!

If it's not the Default domain policy, I think it's not possible to script this on the *nix side in an easy way. You need to create directory entries, set directory ACLs etc.

Regards,
Marc
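
The copy-then-reset step described above, as an added example that is not part of the original post: the function names and the sysvol root arguments are hypothetical, and `samba-tool ntacl sysvolreset` / `sysvolcheck` are assumed to be the commands used for the ACL step on the new DC.

```shell
#!/bin/sh
# Added example (not from the thread): stage a prepared Default Domain Policy
# tree into a new DC's sysvol, then reset the ACLs as Marc advises.
# Logon scripts under this tree run for every user at logon, so nothing
# below it should stay writable by unprivileged accounts.

GUID='{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy GUID from the thread

# stage_policy SRC_SYSVOL DST_SYSVOL DOMAIN   (all three are assumed paths/names)
stage_policy() {
    src="$1/$3/Policies/$GUID"
    dst="$2/$3/Policies/$GUID"
    # Refuse to copy something that is not a policy directory.
    [ -f "$src/GPT.INI" ] || { echo "no GPT.INI under $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    # Copy content only; ownership and ACLs from the source are not trusted.
    cp -R "$src/." "$dst/" || return 1
    # Drop group/other write bits until the NT ACLs have been reset.
    chmod -R go-w "$dst" || return 1
}

# Count entries under DIR that any local user could modify.
world_writable_count() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Run on the new DC as root after staging: rewrite the sysvol ACLs to the
# defaults, then verify them. Fails if either command fails.
reset_sysvol_acls() {
    samba-tool ntacl sysvolreset && samba-tool ntacl sysvolcheck
}

# Typical order on the new DC (paths are placeholders):
#   stage_policy /path/to/reference/sysvol /path/to/new/sysvol <mydomain>
#   reset_sysvol_acls
```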
John
2015-Feb-27 19:11 UTC
[Samba] Is Server-side GPO Configuration possible? (for logon script)
On 27/02/15 16:39, Marc Muehlfeld wrote:

Thanks Marc for taking the time to reply.

> OK. Things getting clearer now.
>
>
> Should the logon script be part of the Default Domain policy? This one
> always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
> configure your stuff and then copy the content from one DC to a new one.
> But reset the ACLs afterwards!

It is that GUID indeed. I am not sure how I would copy the content from the DC, however. Not being a Windows person, my natural inclination would be to do it server-side. Somehow diff the before and after ldbs and get an LDIF for ldbmodify. There's probably a better way however and I am getting beyond my knowledge.

I may have to accept that you just can't do the things in the windows world that you can on the good-old *nix command line ;)

John