[WIP] Backup and restore of GPOs (across domains)

Garming Sam garming at catalyst.net.nz
Mon Jun 11 00:01:09 UTC 2018


Hi,

I've recently been working on backing up and restoring GPOs which can
work between domains. This is actually more involved than it appears on
the surface. A number of settings are domain specific (share paths,
ACLs, SIDs), and being able to import settings from one domain to
another requires templating files which are neither entirely textual nor
available in a consistent character encoding. Most of the work has been
to have a single coherent and somewhat unified representation for these
settings (XML), and then allowing substitutions (using XML entities in
DTD form).

I took some inspiration from some code I found while googling for
related GPO tooling, implemented by ANSSI, the National Cybersecurity Agency
of France, credit to them. On their GitHub, they have a SYSVOL explorer
which they appear to use for auditing settings stored in GPOs which
export to a number of XML reporting files. Using a similar idea, I also
export files stored in SYSVOL to simple XML files that have annotations
for substitutions and build a corresponding parser to interpret the XML.
It would have been nice not to re-hash code that ANSSI appears to have
written, but the code is Windows-specific and has no ability to
interpret the outputted XML and so round-tripping a number of the files
would have been extremely difficult. The binary formats in particular
are better dealt with using Samba IDL, but even then there are ambiguities
e.g. in the .aas format which still need to be clarified in order to
support them correctly. Fortunately, most of the parsing I've made is
quite extensible and the output XML can be edited manually if required
(in combination with custom entities). The Windows tools for GPO backup
and restore seem to have a number of well-known issues (particularly
with templating), with some binary formats being ignored, so we can
definitely do much better.

https://github.com/ANSSI-FR/SysvolExplorer

GPO issues continue to be a bit of a difficult area to debug and deploy,
so hopefully this tool can be used to make that a bit easier (maybe
sometime in the not-too-distant future we can also get DFS-R working for
initial synchronizations to reduce ACL inconsistencies).

I'm currently working on finishing some automated tests from some backup
files I have created (by painstakingly clicking through a number of
settings in the Windows GUIs as much as I could tolerate). Manual
testing so far with Windows seems to show that all the imported settings
appear to be presented in the Windows GUI and can be edited again. Apart
from that, the tool is more or less complete for the majority of file
formats that we have adequate information about.

Code is currently here:

git.catalyst.net.nz/samba.git garming-gpo-backup-tidy

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/garming-gpo-backup-tidy


Cheers,

Garming
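One way to do the substitution the message describes (domain-specific values exported as entity references, then re-bound through a DTD internal subset on restore), as an added example in Python that is not Samba's code or the branch above; the GPP-style fragment, the entity names and both domains' values are constructed:

```python
"""Template domain-specific GPO values via DTD entities (added example)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a Group Policy Preferences-style fragment from the source domain.
SOURCE_FRAGMENT = (
    '<Drives>'
    '<Drive path="\\\\dc01.source.example\\Profiles" sid="S-1-5-21-111-222-333-512"/>'
    '</Drives>'
)
# Domain-specific literals in the source that must become entity references.
SOURCE_VALUES = {
    "share_root": "\\\\dc01.source.example\\Profiles",
    "domain_sid": "S-1-5-21-111-222-333-512",
}
# Values of the same entities in the target domain (constructed).
TARGET_VALUES = {
    "share_root": "\\\\dc02.target.example\\Profiles",
    "domain_sid": "S-1-5-21-444-555-666-512",
}
BUILTIN_ENTITIES = {"amp", "lt", "gt", "quot", "apos"}


def export_template(fragment, values):
    """Replace each literal with &name;, longest literal first so prefixes do not clash."""
    if "<!DOCTYPE" in fragment or "<!ENTITY" in fragment:
        raise ValueError("backup fragment must not carry its own DTD")
    for name, literal in sorted(values.items(), key=lambda kv: -len(kv[1])):
        fragment = fragment.replace(literal, f"&{name};")
    return fragment


def build_dtd(root_tag, values):
    """Internal DTD subset declaring one general entity per templated value."""
    decls = "".join(f'<!ENTITY {n} "{escape(v, {chr(34): "&quot;"})}">' for n, v in values.items())
    return f"<!DOCTYPE {root_tag} [{decls}]>"


def restore_template(template, values):
    """Prepend the target domain's entity values and let expat expand them."""
    root_tag = re.match(r"\s*<([A-Za-z_][\w.-]*)", template).group(1)
    referenced = set(re.findall(r"&([A-Za-z_][\w.-]*);", template))
    unknown = referenced - set(values) - BUILTIN_ENTITIES
    if unknown:  # fail early rather than restore a half-substituted GPO
        raise ValueError(f"no value supplied for entities: {sorted(unknown)}")
    # Only the internal subset is used; ElementTree does not fetch external entities.
    return ET.fromstring(build_dtd(root_tag, values) + template)
```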

