[Samba] Samba and Winbind Group Policy
dmulder at samba.org
Thu Oct 7 14:04:05 UTC 2021
On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
> This is great to know, amazing work. Does anyone know of someone working
> on a console based GPO editor? I remotely manage some small networks and
> it is becoming really painful to have to use remote desktop to fix some
> GPO some local sysadmin needs help with, especially on small business Internet
> connections that tend to be saturated, and our country's bad ISPs with 2MB
> "super mega fast" internet service.
>
> Now that I see this kind of work, is there some documentation on the GPO
> file formats? Is the samba code base to parse them reusable enough to
> experiment building a console based GPO editor? I am starting to think I
> should invest some time on this.
I started work on a console based GPO editor:

It needs a lot of work though. I've only implemented a couple of
policies, and last I checked, I couldn't even build/run the admin-tools.
The gpmc still works under yast, but crashes in odd places.

As for documentation on file formats, there is none. And Group Policy is
a mess (I've spent too much time in the guts of this). The majority of
Group Policies are now implemented in reg_pol syntax though. Take a look
at python/samba/gp_parse/gp_pol.py in the Samba source tree to see how
to parse one of these. Those policies are stored in the Registry.pol
file on the SYSVOL. There are also policies stored in ini files and xml
files. These are easy to parse. The tough ones (such as software install
policies) are stored in a mixture of locations, including random bits in

The tough part about creating a console based editor is how varied the
Windows implementation is. Most recent policies are implemented using
ADMX templates. These are relatively easy to parse, and you can create a
UI based on the ADML presentation details. More confusing though, are
the many policies hard coded into the GPMC, which have to be
individually inspected to determine what they do. These hard coded
policies include reg_pol, ini, xml, and ldap (from what I've observed).
There are still some which I haven't ever determined what they do and
how. I've confusingly come across a few which seem to do nothing at all.

If you want to implement a UI, I'd recommend just sticking to parsing
the ADMX/ADML templates and ignoring the rest of the mess.

One more note, if you start a project, let me know and I'll see what I
can do to help!
Labs Software Engineer, Samba
1800 Novell Place
Provo, UT 84606
dmulder at suse.com
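
An added example, not part of the message above and not Samba's gp_pol.py: a small reader for the Registry.pol (reg_pol) layout, following Microsoft's [MS-GPREG] description of a `PReg` signature, a version DWORD, then UTF-16LE `[key;value;type;size;data]` records. The function names, the `build_entry` helper and the sample policy values are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4                 # registry value types
HEADER = b"PReg" + struct.pack("<I", 1)  # signature + version 1

def _u16(text):
    return text.encode("utf-16-le")

def _cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    # Every delimiter is one UTF-16LE code unit; check it and step over it.
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return [(key, value_name, type, data), ...] from Registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _cstr(buf, _expect(buf, pos, "["))
        name, pos = _cstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        raw = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")  # also fails if data is truncated
        data = (struct.unpack("<I", raw)[0] if rtype == REG_DWORD and size == 4
                else raw.decode("utf-16-le", "replace").rstrip("\0")
                if rtype == REG_SZ else raw)  # other types stay as raw bytes
        entries.append((key, name, rtype, data))
    return entries

def build_entry(key, name, rtype, raw):  # only used to construct SAMPLE
    return (_u16(f"[{key}\0;{name}\0;") + struct.pack("<I", rtype) + _u16(";")
            + struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]"))

KEY = r"Software\Policies\Constructed"   # constructed sample data, not a real policy
SAMPLE = (HEADER + build_entry(KEY, "Enabled", REG_DWORD, struct.pack("<I", 1))
          + build_entry(KEY, "Server", REG_SZ, _u16("dc1.example.test\0")))
```

To audit a real GPO, pass the bytes of its Registry.pol file from the SYSVOL share to `parse_registry_pol` in place of `SAMPLE`.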