[Samba] Is Server-side GPO Configuration possible? (for logon script)

Marc Muehlfeld mmuehlfeld at samba.org
Fri Feb 27 09:39:59 MST 2015

Hello John,

On 27.02.2015 at 16:03, John wrote:
> I have a logon script and I can manually activate it using the Windows tools
> (see this screenshot: http://i.imgur.com/84pBo8e.png).
> I am building a scripted install of Samba ADDS that sets up a new
> server. This is performed on a Linux machine and deploys a preconfigured
> new server.
> I want that scripted install to do absolutely everything necessary to
> produce a final working system that end-users can log in to.
> The server has a login script that sets up the user environment upon
> login. Right now, this just sets up some shares but it could be used for
> other things.
> (example:
> \\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)
> The login script needs to be activated (not sure if that's the right
> term?) in the GPO. This needs to be done manually using the tools
> depicted in the screen-shot.
> I am using GPO rather than per-user account settings because it is the
> cleaner approach hopefully requiring less maintenance.
> I ideally want to do the script activation as part of the scripted
> install so that no further action is required.
> However, it does not appear to be possible to do that directly on the
> Samba server. So the next best thing is to provide a configuration
> script that can be run by an administrator on the new server before
> regular users log in. This script would perform the tasks that currently
> need to be done by hand via the GUI.
> So that's what I want to do - provide a script to install a logon script
> without having to use the Windows GUI. Ideally I would do this
> server-side but a script to be run by an administrator on Windows is an
> acceptable compromise.
> Does that explain it ok?

OK. Things are getting clearer now.

Should the logon script be part of the Default Domain policy? This one
always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
configure your stuff and then copy the content from one DC to a new one.
But reset the ACLs afterwards!

If it's not the Default Domain policy, I think it's not possible to
script this on the *nix side in an easy way. You need to create directory
entries, set directory ACLs etc.
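
The copy-then-reset step from the reply above, as an added example that is not part of the original post or of Samba itself. The sysvol paths and domain name are arguments, the GPT.INI check is an assumption about the prepared policy directory, and the script only carries out the copy and the ACL reset.

```shell
#!/bin/sh
# Added example (not from the original post). Sysvol paths and domain are arguments.
GUID='{31B2F340-016D-11D2-945F-00C04FB984F9}'  # Default Domain Policy GUID quoted in the post

# policy_dir SYSVOL DOMAIN -> path of the policy directory inside a sysvol tree
policy_dir() { printf '%s/%s/Policies/%s\n' "$1" "$2" "$GUID"; }

# copy_policy SRC_SYSVOL DST_SYSVOL DOMAIN
# Copies the prepared policy directory and verifies the copy byte for byte.
copy_policy() {
    src=$(policy_dir "$1" "$3")
    dst=$(policy_dir "$2" "$3")
    # Assumption: a configured policy directory has GPT.INI at its top level.
    [ -f "$src/GPT.INI" ] || { echo "no GPT.INI under $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -Rp "$src/." "$dst/" || return 1
    diff -r "$src" "$dst" >/dev/null || { echo "copy differs from source" >&2; return 1; }
}

# world_writable DIR: list entries that any local user could modify
world_writable() { find "$1" ! -type l -perm -0002 -print; }

# reset_acls: reset the sysvol ACLs to Samba's defaults, then check them
reset_acls() {
    samba-tool ntacl sysvolreset || return 1
    samba-tool ntacl sysvolcheck
}

# Usage: sh copy-gpo.sh --apply SRC_SYSVOL DST_SYSVOL DOMAIN  (as root on the new DC)
if [ "${1:-}" = "--apply" ]; then
    copy_policy "$2" "$3" "$4" || exit 1
    loose=$(world_writable "$(policy_dir "$3" "$4")")
    [ -z "$loose" ] || printf 'world-writable before reset:\n%s\n' "$loose" >&2
    reset_acls || exit 1
fi
```

A logon script left writable by ordinary users runs in every user's session, which is why the ACL reset and the follow-up check are not optional.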

