[Samba] [samba as AD] Scripting GPO creation

mathias dufresne infractory at gmail.com
Wed Jul 6 21:52:49 UTC 2016


Too late for reading but that seems interesting, that reminds me how we
deployed GPO for another client, years ago. The bad point of .pol, if my
memory works well, which is not guaranteed (just leaving a pub right now), is
that .pol must be deployed on each server manually, whereas injecting GPO into
AD DB makes them deployed automagically.

2016-07-06 18:11 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:

> You may be able to edit the GPOs completely from the Linux side.
> They contain registry.pol files whose syntax is not so difficult to read
> and write.
>
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa374407%28v=vs.85%29.aspx
>
>
> On 06.07.2016 at 17:24, mathias dufresne wrote:
>
>> PS: I could share information about what should be modified to modify the
>> very same GPO, I didn't yet as I'm not sure anyone there would be
>> interested and because that would work only for that kind of GPO.
>>
>>
>> 2016-07-06 17:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>
>>> Context: several teams have to manage only a bunch of the company's
>>> computers, so these teams must not be able to manage other computers.
>>> Firstly we split our computers into several OU, one by team.
>>> Secondly we created one group per team.
>>> Next step is to create one GPO per computer's OU which will add admins
>>> team's to local administrators group.
>>>
>>> Dealing with GPO (creating some of them, checking what we can do with
>>> them) is a good thing to learn Windows management and dive into AD world
>>> but doing the same thing several times is, for me, a waste of time.
>>>
>>> That's the reason of this thread.
>>>
>>> So, the question: how to script GPO? Not so easily.
>>> Our start point was there:
>>> https://technet.microsoft.com/en-us/library/ee461027.aspx
>>> Here we have some powershell stuff to export GPO. The result is one
>>> directory containing XML files and sysvol files + one other XML file
>>> outside of GPO's directory.
>>>
>>> Into these XML we have everything to import the GPO, in text format.
>>> That's all we need to have possibility to script injection.
>>>
>>> Steps we followed to clone our initial GPO:
>>> - copy the directory
>>> - replace strings into XML
>>> - import GPO using powershell.
>>>
>>> Replacement of strings needs some time, for us at least, as we had to
>>> understand what was the relevant content to modify. It is the most
>>> complex part of that process.
>>> Once understanding was good enough we could create a second directory
>>> which was used to import that second GPO, successfully.
>>>
>>> There we just have to deal with awk and other unix tools to generate all
>>> GPO we were needing, we have generated also a powershell script to import
>>> all our GPO at once (laziness is a way of life) and after some time we
>>> get all our GPO created.
>>>
>>> Last step will be to link these GPO to the right OU, here again
>>> powershell will do.
>>>
>>> I expect some would find that subject not enough related to Samba but I'm
>>> not a dev. I'm an admin, I use products. Perhaps some others here are
>>> doing the same, not just playing with.
>>>
>>> Cheers,
>>>
>>> M.
>>>
>>>
>>>
>>> 2016-07-05 10:30 GMT+02:00 mathias dufresne <infractory at gmail.com>:
>>>
>>>> Hi all,
>>>>
>>>> As I'm lazy I would like to script GPO creation and I did not find
>>>> anything relevant yet. Anyone already tried to extract whole information
>>>> regarding one GPO from LDAP tree? That would be a nice option to perform
>>>> that task, giving us possibility to create one GPO, extract it, modify
>>>> LDIF, inject it.
>>>>
>>>>
>>>
>
>
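
The registry.pol layout Achim refers to (a `PReg` signature and version, then `[key;value;type;size;data]` records in UTF-16LE), read and written from the Linux side as an added Python example that is not part of the thread. The key and value names in the sample are constructed.

```python
import struct

REG_SZ, REG_DWORD = 1, 4                  # registry value types
HEADER = b"PReg" + struct.pack("<I", 1)   # signature, then version 1

def u16(text):
    return text.encode("utf-16-le")

def build_pol(entries):                   # entries: (key, value, type, data) tuples
    out = HEADER
    for key, value, rtype, data in entries:
        out += (u16(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + u16(";")
                + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return out

def parse_pol(blob):                      # returns the same tuples build_pol takes
    if blob[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    def take(n):                          # next n bytes, never past the end
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError(f"truncated at offset {pos}")
        pos += n
        return blob[pos - n:pos]
    def expect(ch):                       # one UTF-16LE delimiter
        if take(2) != u16(ch):
            raise ValueError(f"expected {ch!r} before offset {pos}")
    def text():                           # NUL-terminated string plus its ';'
        raw = b""
        while (unit := take(2)) != b"\0\0":
            raw += unit
        expect(";")
        return raw.decode("utf-16-le")
    def dword():                          # little-endian DWORD plus its ';'
        value = struct.unpack("<I", take(4))[0]
        expect(";")
        return value
    while pos < len(blob):
        expect("[")
        key, value, rtype, size = text(), text(), dword(), dword()
        data = take(size)                 # length-prefixed: may contain ';' or ']'
        expect("]")
        entries.append((key, value, rtype, data))
    return entries

# Constructed sample; the key and value names are made up for illustration.
SAMPLE = [("Software\\Policies\\Example", "Enabled", REG_DWORD, struct.pack("<I", 1)),
          ("Software\\Policies\\Example", "Note", REG_SZ, u16("a;b]\0"))]
```

Because the data field is length-prefixed, the parser walks each record field by field instead of splitting on `;`, and it rejects a file whose declared size runs past the end.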

