[Samba] [samba as AD] Scripting GPO creation

mathias dufresne infractory at gmail.com
Wed Jul 6 15:24:56 UTC 2016


PS: I could share information about what should be modified to modify the
very same GPO. I haven't yet as I'm not sure anyone here would be
interested and because that would work only for that kind of GPO.


2016-07-06 17:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Context: several teams each have to manage only a bunch of the company's
> computers, so these teams must not be able to manage other computers.
> Firstly we split our computers into several OUs, one per team.
> Secondly we created one group per team.
> Next step is to create one GPO per computer OU which will add the team's
> admins to the local administrators group.
>
> Dealing with GPOs (creating some of them, checking what we can do with
> them) is a good way to learn Windows management and dive into the AD world
> but doing the same thing several times is, for me, a waste of time.
>
> That's the reason for this thread.
>
> So, the question: how to script GPO? Not so easily.
> Our starting point was here:
> https://technet.microsoft.com/en-us/library/ee461027.aspx
> Here we have some PowerShell stuff to export a GPO. The result is one
> directory containing XML files and sysvol files + one other XML file
> outside of the GPO's directory.
>
> In these XML files we have everything needed to import the GPO, in text
> format. That's all we need to be able to script the injection.
>
> Steps we followed to clone our initial GPO:
> - copy the directory
> - replace strings in the XML
> - import the GPO using PowerShell.
>
> Replacement of strings needed some time, for us at least, as we had to
> understand what was the relevant content to modify. It is the most complex
> part of that process.
> Once our understanding was good enough we could create a second directory
> which was used to import that second GPO, successfully.
>
> From there we just had to deal with awk and other unix tools to generate
> all the GPOs we needed. We also generated a PowerShell script to import
> all our GPOs at once (laziness is a way of life) and after some time we got
> all our GPOs created.
>
> Last step will be to link these GPOs to the right OU, here again PowerShell
> will do.
>
> I expect some would find that subject not related enough to Samba but I'm
> not a dev. I'm an admin, I use products. Perhaps some others here are doing
> the same, not just playing with them.
>
> Cheers,
>
> M.
>
>
>
> 2016-07-05 10:30 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>
>> Hi all,
>>
>> As I'm lazy I would like to script GPO creation and I did not find
>> anything relevant yet. Has anyone already tried to extract the whole
>> information regarding one GPO from the LDAP tree? That would be a nice
>> option to perform that task, giving us the possibility to create one GPO,
>> extract it, modify the LDIF, inject it.
>>
>
>
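The clone step described in the message above (copy the exported directory, replace strings with awk and other unix tools), as an added example that is not the poster's script. The token and team names are hypothetical, and the example assumes the strings to replace have already been identified. Because each clone grants local administrator rights, every clone is checked for leftover references to the template team, and files that cannot be read as plain text (for instance UTF-16 encoded ones) make the check fail rather than pass silently.

```shell
#!/bin/sh
# Added example, not the poster's scripts; tokens and team names are hypothetical.

# True if FILE contains NUL bytes (binary or UTF-16 text). awk and grep work on
# raw bytes and would miss or mangle a token in such a file.
has_nul() { ! tr -d '\000' <"$1" | cmp -s - "$1"; }

# rewrite_clone SRC DST OLD NEW: copy SRC to DST (which must not exist yet),
# then replace the literal string OLD by NEW in every NUL-free file of the copy.
rewrite_clone() {
    cp -R "$1" "$2" || return 1
    tmp=$(mktemp "${TMPDIR:-/tmp}/gpoclone.XXXXXX") || return 1
    find "$2" -type f | while IFS= read -r f; do
        has_nul "$f" && continue
        # ENVIRON keeps backslashes (DOMAIN\group) literal, unlike awk -v.
        OLD=$3 NEW=$4 awk 'BEGIN { old = ENVIRON["OLD"]; new = ENVIRON["NEW"] }
            { out = ""
              while ((i = index($0, old)) > 0) {
                  out = out substr($0, 1, i - 1) new
                  $0 = substr($0, i + length(old))
              }
              print out $0 }' "$f" >"$tmp" && cat "$tmp" >"$f"
    done
    rm -f "$tmp"
}

# leftovers DIR OLD: print files that still contain OLD and files that could
# not be checked; return 1 if there is any (fail closed).
leftovers() {
    bad=$(find "$1" -type f | while IFS= read -r f; do
        if has_nul "$f"; then echo "UNCHECKED $f"
        elif grep -qF -- "$2" "$f"; then echo "LEFTOVER $f"; fi
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# generate_all TEMPLATE OUT OLD TEAM...: one verified clone per team. Stops at
# the first clone that may still reference the template team.
generate_all() {
    tpl=$1; out=$2; old=$3; shift 3
    mkdir -p "$out" || return 1
    for team in "$@"; do
        rewrite_clone "$tpl" "$out/$team" "$old" "$team" || return 1
        leftovers "$out/$team" "$old" || return 1
    done
}
```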

