[Samba] [samba as AD] Scripting GPO creation

mathias dufresne infractory at gmail.com
Wed Jul 6 15:08:28 UTC 2016


Context: several teams each have to manage only a bunch of the company's
computers, so these teams must not be able to manage other computers.
Firstly we split our computers into several OUs, one per team.
Secondly we created one group per team.
The next step is to create one GPO per computer OU which will add the
team's admins to the local administrators group.

Dealing with GPOs (creating some of them, checking what we can do with them)
is a good way to learn Windows management and dive into the AD world, but
doing the same thing several times is, for me, a waste of time.

That's the reason for this thread.

So, the question: how to script GPOs? Not so easily.
Our starting point was here:
https://technet.microsoft.com/en-us/library/ee461027.aspx
Here we have some PowerShell stuff to export a GPO. The result is one
directory containing XML files and sysvol files + one other XML file
outside of the GPO's directory.

In these XML files we have everything needed to import the GPO, in text
format. That's all we need to be able to script the injection.

Steps we followed to clone our initial GPO:
- copy the directory
- replace strings in the XML
- import the GPO using PowerShell.

Replacing the strings needed some time, for us at least, as we had to
understand what the relevant content to modify was. It is the most complex
part of that process.
Once our understanding was good enough we could create a second directory,
which was used to import that second GPO, successfully.

From there we just had to deal with awk and other Unix tools to generate all
the GPOs we needed. We also generated a PowerShell script to import
all our GPOs at once (laziness is a way of life) and after some time we got
all our GPOs created.

The last step will be to link these GPOs to the right OUs; here again
PowerShell will do.

I expect some would find this subject not related enough to Samba, but I'm
not a dev. I'm an admin, I use products. Perhaps some others here are doing
the same, not just playing with them.

Cheers,

M.



2016-07-05 10:30 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi all,
>
> As I'm lazy I would like to script GPO creation and I did not find
> anything relevant yet. Has anyone already tried to extract the whole
> information regarding one GPO from the LDAP tree? That would be a nice
> option to perform that task, giving us the possibility to create one GPO,
> extract it, modify the LDIF, inject it.
>
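
The clone-and-replace steps from the message above, as an added shell example (not the poster's own scripts). It goes slightly further than the message by validating team names and rejecting any clone that still contains a template string. The strings GPO-TEMPLATE and ADM-TEMPLATE, the directory layout, the backup id placeholder and the C:\gpo-import path are assumptions, as is the exported text being in an encoding sed and grep can match; Import-GPO is the GroupPolicy module cmdlet.

```shell
#!/bin/sh
# Added example: clone one exported GPO directory per team, then generate the
# PowerShell import script. Strings, layout and paths below are assumptions.
set -u

# Constructed stand-in for an exported GPO directory (a real export has more files).
make_sample_template() {   # $1 = directory to create
    mkdir -p "$1/DomainSysvol"
    printf '<GPO><Name>GPO-TEMPLATE</Name><Member>ADM-TEMPLATE</Member></GPO>\n' > "$1/Backup.xml"
    printf '<Report><Name>GPO-TEMPLATE</Name></Report>\n' > "$1/gpreport.xml"
}

# clone_gpo TEMPLATE_DIR OUT_ROOT TEAM
# Copies the export, then swaps the template strings in every XML file of the copy.
clone_gpo() {
    cg_tpl=$1; cg_out=$2; cg_team=$3
    # The team name lands in XML and in a generated script: accept a strict set only.
    case $cg_team in
        ''|*[!A-Za-z0-9_-]*) echo "bad team name: $cg_team" >&2; return 2 ;;
    esac
    cg_dest="$cg_out/$cg_team/$(basename "$cg_tpl")"
    if [ -e "$cg_dest" ]; then echo "already exists: $cg_dest" >&2; return 3; fi
    mkdir -p "$cg_out/$cg_team" && cp -R "$cg_tpl" "$cg_dest" || return 1
    # In-place edit uses sed -i as provided by GNU sed.
    find "$cg_dest" -type f -name '*.xml' -exec \
        sed -i -e "s/GPO-TEMPLATE/GPO-$cg_team/g" -e "s/ADM-TEMPLATE/ADM-$cg_team/g" {} +
    # A leftover template string would import a GPO that still names the template
    # group, so a clone that keeps one anywhere is rejected.
    if grep -rq -e 'GPO-TEMPLATE' -e 'ADM-TEMPLATE' "$cg_dest"; then
        echo "template string left in $cg_dest" >&2; return 4
    fi
}

# import_line BACKUP_ID WINDOWS_ROOT TEAM : one Import-GPO call per cloned GPO.
import_line() {
    printf "Import-GPO -BackupId '%s' -Path '%s\\\\%s' -TargetName 'GPO-%s' -CreateIfNeeded\n" \
        "$1" "$2" "$3" "$3"
}

# Demo on constructed data: two teams, one import script.
work=$(mktemp -d)
make_sample_template "$work/tpl/{BACKUP-ID-PLACEHOLDER}"
for team in teamA teamB; do
    clone_gpo "$work/tpl/{BACKUP-ID-PLACEHOLDER}" "$work/out" "$team" &&
        import_line '{BACKUP-ID-PLACEHOLDER}' 'C:\gpo-import' "$team"
done > "$work/import-all.ps1"
cat "$work/import-all.ps1"
```

Return code 4 also fires when a template string survives in a non-XML file of the copy, which shows that replacing in the XML alone was not enough for that export.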

