[Samba] Is Server-side GPO Configuration possible? (for logon script)
John
samba at jelmail.com
Thu Feb 26 04:17:37 MST 2015
Is it possible to make GPO changes from the server (i.e. without using
Windows) ?
I would like to include some configuration in my build-out script and
wonder if it is possible. Specifically, I am trying to provide a logon
script. Here's what I know.
1. I can identify the correct GPO GUID object using "samba-tool gpo
listall" or with something like this
$ ldbsearch -H /var/lib/samba/private/sam.ldb displayName="Default
Domain Policy" name | grep name | cut -d\ -f2
2. I then write my "logon.bat" script, chmod 755, to
/var/lib/samba/sysvol/<domain>/Policies/{<GPO
GUID>}/USER/Scripts/Logon/logon.bat
3. Enabling the script on windows (with the "Group Policy Management"
tool) alters the following files:
(a) /var/lib/samba/private/sam.ldb
(b) /var/lib/samba/private/sam.ldb.d/DC=MYDOMAIN,DC=CO,DC=UK.ldb
The change in (a) adds a GUID to "gPCUserExtensionNames" within object
DN "CN={<GPO GUID>},CN=Policies,CN=System,DC=mydomain...."
A similar change is made in (b) , plus "replPropertyMetaData" is
altered. This I can view using "ldp.exe" on Windows but I don't
understand it.
There may be other things that happen that I am unaware of. I am
stopping myself from delving in further and reverse-engineering it!
I'd like to be able to script the GPO changes to enable the logon
script. I've looked at "samba-tool gpo" but wonder if this is at all
possible?
If this is documented anywhere please let me know - I couldn't find
anything about doing GPO configuration on the server.
(I found a question on the ML
https://lists.samba.org/archive/samba/2013-March/172079.html but it just
points the OP to ADUC tool on Windows)
TIA
More information about the samba
mailing list