[Samba] [samba as AD] Scripting GPO creation

Achim Gottinger achim at ag-web.biz
Wed Jul 6 16:11:10 UTC 2016


You may be able to edit the GPOs completely from the Linux side.
They contain registry.pol files whose syntax is not so difficult to 
read and write.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374407%28v=vs.85%29.aspx

On 06.07.2016 at 17:24, mathias dufresne wrote:
> PS: I could share information about what should be modified to modify the
> very same GPO, I didn't yet as I'm not sure anyone there would be
> interested and because that would work only for that kind of GPO.
>
>
> 2016-07-06 17:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>
>> Context: several teams have to manage only a bunch of the company's
>> computers, so these teams must not be able to manage other computers.
>> Firstly we split our computers into several OU, one by team.
>> Secondly we created one group per team.
>> Next step is to create one GPO per computer's OU which will add admins
>> team's to local administrators group.
>>
>> Dealing with GPO (creating some of them, checking what we can do with
>> them) is a good thing to learn Windows management and dive into AD world
>> but doing the same thing several times is, for me, a waste of time.
>>
>> That's the reason of this thread.
>>
>> So, the question: how to script GPO? Not so easily.
>> Our start point was there:
>> https://technet.microsoft.com/en-us/library/ee461027.aspx
>> Here we have some powershell stuff to export GPO. The result is one
>> directory containing XML files and sysvol files + one other XML file
>> outside of GPO's directory.
>>
>> Into these XML we have everything to import the GPO, in text format.
>> That's all we need to have possibility to script injection.
>>
>> Steps we followed to clone our initial GPO:
>> - copy the directory
>> - replace strings into XML
>> - import GPO using powershell.
>>
>> Replacement of strings need some time, for us at least, as we had to
>> understand what was the relevant content to modify. It is the most complex
>> part of that process.
>> Once understanding was good enough we could create a second directory
>> which was used to import that second GPO, successfully.
>>
>> There we just have to deal with awk and other unix tools to generate all
>> GPO we were needing, we have generated also a powershell script to import
>> all our GPO at once (laziness is a way of life) and after some time we get
>> all our GPO created.
>>
>> Last step will be to link these GPO to the right OU, here again powershell
>> will do.
>>
>> I expect some would find that subject not enough related to Samba but I'm
>> not a dev. I'm an admin, I use products. Perhaps some others here are doing
>> the same, not just playing with.
>>
>> Cheers,
>>
>> M.
>>
>>
>>
>> 2016-07-05 10:30 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>
>>> Hi all,
>>>
>>> As I'm lazy I would like to script GPO creation and I did not find
>>> anything relevant yet. Anyone already tried to extract whole information
>>> regarding one GPO from LDAP tree? That would be a nice option to perform
>>> that task, giving us possibility to create one GPO, extract it, modify
>>> LDIF, inject it.
>>>
>>
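
Added example (not part of the original messages, and not Samba code): a minimal Python reader and writer for the Registry.pol layout documented at the MSDN link above, useful for auditing or generating the registry settings a GPO carries from the Linux side. The key names, value names and host name in SAMPLE are constructed placeholders.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)      # signature, then version 1
REG_SZ, REG_DWORD = 1, 4                     # standard registry value types
LB, SEP, RB = (c.encode("utf-16-le") for c in "[;]")

def _wstr(s):
    return (s + "\0").encode("utf-16-le")    # NUL-terminated UTF-16LE

def build_pol(entries):
    out = bytearray(HEADER)
    for key, value, rtype, data in entries:  # [key;value;type;size;data]
        out += LB + _wstr(key) + SEP + _wstr(value) + SEP
        out += struct.pack("<I", rtype) + SEP
        out += struct.pack("<I", len(data)) + SEP + data + RB
    return bytes(out)

def _read_wstr(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, token):
    if buf[pos:pos + 2] != token:
        raise ValueError(f"malformed entry at offset {pos}")
    return pos + 2

def parse_pol(buf):
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, LB)
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        (rtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, SEP)
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, SEP)
        data = bytes(buf[pos:pos + size])    # size is a byte count
        pos = _expect(buf, pos + size, RB)   # fails if data was truncated
        entries.append((key, value, rtype, data))
    return entries

# Constructed sample entries, not taken from any real GPO.
SAMPLE = [("Software\\Policies\\Example", "Enabled", REG_DWORD, struct.pack("<I", 1)),
          ("Software\\Policies\\Example", "Server", REG_SZ, _wstr("dc1.example.test"))]
```

`parse_pol(build_pol(SAMPLE))` returns the same tuples, so a file read from a GPO's sysvol directory can be inspected, changed and written back with the same two functions.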



