Domain controller security policy tool

Wilco Baan Hofman wilco at baanhofman.nl
Thu May 20 02:35:34 MDT 2010


On Thu, 2010-05-20 at 01:37 +0400, Matthieu Patou wrote:
> Hello Anatoly,
> 
> > Hi Matthieu,
> >
> > I have to open that tool and edit User Rights Assignment like so:
> > * Add the 'Manage Security' group to the 'Manage Auditing and Security Log' policy.
> > How can I open that tool against Samba at all?
> > Is this possible to do with Samba?
> > Is this working via LDAP or else?
> >
> >    
> Thanks for pointing me to this ... as I suspected, this tool is just a 
> shortcut to edit the default domain controller policy.

But this should work with samba 4, right? Provided the provision set the
correct GUID on the Default Domain Controller Policy. (Don't know if
Matthias fixed that already?)

> 
> You can achieve the same by editing the default domain controller policy 
> in gpmc (with w7/w2k8r2), path in the tool is:
> 
> Computer Policy -> Windows Settings -> Security Settings -> local policy 
> -> User Rights Assignments

> So basically you should be able to just put a utf16 encoded file + create 
> folders + do a little trick on policy control file GPT.ini at the root 
> of the default domain policy folder.
> But please ask wilco because he is a guru on server side policy 
> manipulation.

Well, you can edit this.. but this doesn't do anything useful, at least
for the part of samba 4. 

Samba 4 does not currently read or replicate the sysvol settings. If you
do manual replication then it will work for win2k8 DCs, etc.

Editing the policies for the clients will work, though. That would be
the default domain policy and whatever else the administrator created.

I'm actually currently working on group policy apply and manipulation
support for samba4 in a private branch, where I've implemented the
following and corresponding functions in the net gpo tool.

Done:
 * create GPO
 * setlink on container
 * dellink on container
 * list applicable links for user
 * list all GPOs
 * get gpo info
 * get inheritance of container
 * set inheritance on container
 * fetch gpo from sysvol
 * create gpo

Currently working on:
 * Set GPO ACL (works for creation, needs sddl arguments in net gpo
option)
 * Push GPO to DC (needs updating (ini, ldap) version and needs
corresponding net gpo util option)

Next up:
 * apply GPO
 * refresh GPO
 * extensions to actually make the ini files do something useful
 * more python bindings
 * Edit: load ADM template, load GPO, save GPO
 * Getting pam_winbind to trigger creating a registry context and
applying the GPO

For getting DCs to read and apply the GPO, the first three 'next
up' items must be applied, as the DCs need to read and refresh the GPOs.

You can check the progress on http://www.synnack.net/git/samba.git in
branch 'libgpo', though I do not always immediately push my changes and
everything there is subject to rebasing against origin/master.

Regards,

Wilco Baan Hofman
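The sysvol-side steps Matthieu sketches (UTF-16 template file, folders, GPT.ini version bump) carried through as an added example; this is not code from the thread or from Samba's net gpo tool. The GPO directory and the group SID are constructed placeholders, and the privilege name SeSecurityPrivilege is the one Windows uses for the 'Manage auditing and security log' right.

```python
"""Sysvol-side edit for a User Rights Assignment setting (constructed example):
write GptTmpl.inf as UTF-16 (BOM, CRLF) and bump the machine half of the
GPT.ini Version so clients notice and re-apply the GPO."""
from pathlib import Path

GPT_TMPL = Path("MACHINE") / "Microsoft" / "Windows NT" / "SecEdit" / "GptTmpl.inf"
BOM_UTF16LE = b"\xff\xfe"

def split_version(version: int) -> tuple[int, int]:
    """GPT.ini Version packs the user version (high 16 bits) and machine version (low 16 bits)."""
    return version >> 16, version & 0xFFFF

def bump_machine_version(version: int) -> int:
    """Increment only the machine half; the user half is left alone."""
    user, machine = split_version(version)
    return (user << 16) | ((machine + 1) & 0xFFFF)

def render_gpt_tmpl(privileges: dict[str, list[str]]) -> bytes:
    """Render a minimal security template; each SID carries the '*' prefix secedit expects."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
             "Revision=1", "[Privilege Rights]"]
    lines += [f"{name} = " + ",".join("*" + sid for sid in sids)
              for name, sids in privileges.items()]
    return BOM_UTF16LE + ("\r\n".join(lines) + "\r\n").encode("utf-16-le")

def read_gpt_ini_version(gpt_ini: Path) -> int:
    """Parse 'Version=N' out of GPT.ini; a missing file counts as version 0."""
    if not gpt_ini.exists():
        return 0
    for line in gpt_ini.read_text(encoding="utf-8").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "version":
            return int(value.strip())
    return 0

def write_user_rights(gpo_dir: Path, privileges: dict[str, list[str]]) -> int:
    """Create the folders, write the UTF-16 template, bump GPT.ini; return the new version."""
    target = gpo_dir / GPT_TMPL
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(render_gpt_tmpl(privileges))
    gpt_ini = gpo_dir / "GPT.ini"
    new_version = bump_machine_version(read_gpt_ini_version(gpt_ini))
    gpt_ini.write_bytes(f"[General]\r\nVersion={new_version}\r\n".encode("ascii"))
    return new_version

if __name__ == "__main__":
    # Placeholder SID for a 'Manage Security' group (constructed, not a real domain).
    rights = {"SeSecurityPrivilege": ["S-1-5-21-1111111111-2222222222-3333333333-1105"]}
    print("new GPT.ini Version:", write_user_rights(Path("gpo-example"), rights))
```

As Wilco notes above, a file written this way is only read by Windows clients and DCs; Samba 4 itself does not yet consume or replicate it, so the AD-side versionNumber still has to be updated separately.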


