Backup and restore of GPOs (across domains)

Garming Sam garming at
Fri Jun 15 03:12:01 UTC 2018

Updated patchset with some testing of the backup and restore. Included
is a fixed generalized backup of a GPO I constructed and some additional
documentation for the generated output.

garming-gpo-backup-tidy;a=shortlog;h=refs/heads/garming-gpo-backup-tidy

Comments would be appreciated.

On 11/06/18 12:01, Garming Sam wrote:
> Hi,
>
> I've recently been working on backing up and restoring GPOs which can
> work between domains. This is actually more involved than it appears on
> the surface. A number of settings are domain specific (share paths,
> ACLs, SIDs), and being able to import settings from one domain to
> another requires templating files which are neither entirely textual nor
> available in a consistent character encoding. Most of the work has been
> to have a single coherent and somewhat unified representation for these
> settings (XML), and then allowing substitutions (using XML entities in
> DTD form).
>
> I took some inspiration from some code I found while googling for
> related GPO tooling, implemented by ANSSI, National Cybersecurity Agency
> of France, credit to them. On their GitHub, they have a SYSVOL explorer
> which they appear to use for auditing settings stored in GPOs which
> export to a number of XML reporting files. Using a similar idea, I also
> export files stored in SYSVOL to simple XML files that have annotations
> for substitutions and build a corresponding parser to interpret the XML.
>
> It would have been nice not to re-hash code that ANSSI appears to have
> written, but the code is Windows-specific and has no ability to
> interpret the outputted XML and so round-tripping a number of the files
> would have been extremely difficult. The binary formats in particular
> are better dealt with by Samba IDL, but even then there are ambiguities
> e.g. in the .aas format which still need to be clarified in order to
> support them correctly. Fortunately, most of the parsing I've made is
> quite extensible and the output XML can be edited manually if required
> (in combination with custom entities). The Windows tools for GPO backup
> and restore seem to have a number of well-known issues (particularly
> with templating), with some binary formats being ignored, so we can
> definitely do much better.
>
> GPO issues continue to be a bit of a difficult area to debug and deploy,
> so hopefully this tool can be used to make that a bit easier (maybe
> sometime in the not-too-distant future we can also get DFS-R working for
> initial synchronizations to reduce ACL inconsistencies).
>
> I'm currently working on finishing some automated tests from some backup
> files I have created (by painstakingly clicking through a number of
> settings in the Windows GUIs as much as I could tolerate). Manual
> testing so far with Windows seems to show that all the imported settings
> appear to be presented in the Windows GUI and can be edited again. Apart
> from that, the tool is more or less complete for the majority of file
> formats that we have adequate information about.
>
> Code is currently here:
> garming-gpo-backup-tidy
>
> Cheers,
>
> Garming
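The entity-based templating described in the quoted post, as an added example that is not Samba's own code: a constructed XML fragment (hypothetical element names, not the real backup schema) in which the domain-specific values are entity references, and a small parser that declares those entities for the target domain before parsing. It refuses templates that carry their own DOCTYPE or ENTITY declarations and reports references that were given no value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template fragment (hypothetical element names, not Samba's
# actual backup schema): domain-specific values appear as entity references.
TEMPLATE = r"""<GptTmpl>
  <Section name="Privilege Rights">
    <Entry key="SeBackupPrivilege">*&DOMAIN_SID;-551</Entry>
  </Section>
  <Script path="\\&DOMAIN_DNS;\SysVol\&DOMAIN_DNS;\scripts\logon.bat"/>
</GptTmpl>"""

PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}

def _entity_value(value):
    # Escape characters that are special inside an entity literal.
    return (value.replace("&", "&amp;").replace("%", "&#37;")
                 .replace("<", "&lt;").replace('"', "&quot;"))

def missing_entities(template, entities):
    """Names referenced in the template for which no substitution was given."""
    used = set(re.findall(r"&([A-Za-z_][\w.-]*);", template))
    return sorted(used - PREDEFINED - set(entities))

def render_template(template, entities):
    """Prepend an internal DTD subset declaring one entity per domain value,
    then parse so that expat substitutes every reference."""
    if re.search(r"<!(DOCTYPE|ENTITY)", template):
        # The backup file must not bring its own declarations; only the
        # values declared here for the target domain may be substituted.
        raise ValueError("template carries its own DOCTYPE/ENTITY declarations")
    missing = missing_entities(template, entities)
    if missing:
        raise ValueError("no value supplied for entities: %s" % ", ".join(missing))
    root_name = re.match(r"\s*<([\w.:-]+)", template).group(1)
    decls = "".join('<!ENTITY %s "%s">' % (n, _entity_value(v))
                    for n, v in entities.items())
    return ET.fromstring("<!DOCTYPE %s [%s]>%s" % (root_name, decls, template))

def restore_values(template, entities):
    """Concrete values a restore into the target domain would write back."""
    root = render_template(template, entities)
    return {"privilege": root.find("./Section/Entry").text,
            "script_path": root.find("./Script").get("path")}

if __name__ == "__main__":
    target = {"DOMAIN_SID": "S-1-5-21-1111-2222-3333",  # constructed values
              "DOMAIN_DNS": "target.example"}
    for key, value in restore_values(TEMPLATE, target).items():
        print(key, "=", value)
```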