[Samba] Is Server-side GPO Configuration possible? (for logon script)

John samba at jelmail.com
Thu Feb 26 04:17:37 MST 2015

Is it possible to make GPO changes from the server (i.e. without using
Windows) ?

I would like to include some configuration in my build-out script and
wonder if it is possible. Specifically, I am trying to provide a logon
script. Here's what I know.

1. I can identify the correct GPO GUID object using "samba-tool gpo
listall" or with something like this

$ ldbsearch -H /var/lib/samba/private/sam.ldb displayName="Default
Domain Policy" name | grep name | cut -d\  -f2

2. I then write my  "logon.bat" script, chmod 755, to


3. Enabling the script on windows (with the "Group Policy Management"
tool) alters the following files:

(a) /var/lib/samba/private/sam.ldb
(b) /var/lib/samba/private/sam.ldb.d/DC=MYDOMAIN,DC=CO,DC=UK.ldb

The change in (a) adds a GUID to "gPCUserExtensionNames" within object
DN "CN={<GPO GUID>},CN=Policies,CN=System,DC=mydomain...."

A similar change is made in (b) , plus "replPropertyMetaData" is
altered. This I can view using "ldp.exe" on Windows but I don't
understand it.

There may be other things that happen that I am unaware of. I am
stopping myself from delving in further and reverse-engineering it!

I'd like to be able to script the GPO changes to enable the logon
script. I've looked at "samba-tool gpo" but wonder if this is at all

If this is documented anywhere please let me know - I couldn't find
anything about doing GPO configuration on the server.
(I found a question on the ML
https://lists.samba.org/archive/samba/2013-March/172079.html but it just
points the OP to ADUC tool on Windows)


More information about the samba mailing list