[Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC

Rowland Penny rpenny at samba.org
Mon Apr 29 18:49:59 UTC 2019

On Mon, 29 Apr 2019 11:21:55 -0700
Mason Schmitt <mason at ftlcomputing.com> wrote:

> Thanks Rowland and Louis for your suggestions!
> I think I'll go with the samba-tool option, as presumably this will
> keep up with schema changes as samba evolves.

A few things that Louis didn't say about creating an OU with
samba-tool, if it is an OU off the base DN, you only need to supply
'OU=the_name_for_the_ou', but if it is an new OU off another OU, the
full path must be given as 'OU=newOU,OU=otherOU' and the OU 'otherOU'
must already exist.

Yes, the schema will evolve, just as the Window AD schema does, but
creating OU's will not change.

> As for application of GPOs, I think I'm going to go down a different
> path. I'm going to move to using a configuration tool, probably
> Puppet.  There are a few reasons for this:
>    - GPOs cannot easily be versioned in a SCM repository
>    - From what little I have learned about GPOs, it looks like it's
> not easy to copy policy and apply it in an automated fashion across
> many domains, whereas Puppet manifests are designed for exactly that
> purpose
>    - GPOs, even in an all Windows environment, do not provide
> reporting of whether a policy was successful applied or not
>    - I get the impression that building tooling around GPOs is not
> really in scope for the samba project

I sort of thought you might come to this conclusion, from my
understanding you can backup GPO's with a script, but not create them,
which is understandable, if you know that they are also stored in AD.


More information about the samba mailing list