[Samba] Samba and Winbind Group Policy

David Mulder dmulder at samba.org
Thu Oct 7 14:04:05 UTC 2021

On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
> This is great to know, amazing work. Does anyone know of someone working 
> on a console based GPO editor? I remotely manage some small networks and 
> it is becoming really painful to have to use remote desktop to fix some 
> GPO some local sysadmin needs help with, especially on small business Internet 
> connections that tend to be saturated, and our country's bad ISPs with 2MB 
> "super mega fast" internet service.
> Now that I see this kind of work, is there some documentation on the GPO 
> file formats? Is the samba code base to parse them reusable enough to 
> experiment building a console based GPO editor? I am starting to think I 
> should invest some time on this.

I started work on a console based GPO editor: 
https://github.com/yast/yast2-gpmc and 
It needs a lot of work though. I've only implemented a couple of 
policies, and last I checked, I couldn't even build/run the admin-tools. 
The gpmc still works under yast, but crashes in odd places.

As for documentation on file formats, there is none. And Group Policy is 
a mess (I've spent too much time in the guts of this). The majority of 
Group Policies are now implemented in reg_pol syntax though. Take a look 
at python/samba/gp_parse/gp_pol.py in the Samba source tree to see how 
to parse one of these. Those policies are stored in the Registry.pol 
file on the SYSVOL. There are also policies stored in ini files and xml 
files. These are easy to parse. The tough ones (such as software install 
policies) are stored in a mixture of locations, including random bits in 

The tough part about creating a console based editor is how varied the 
Windows implementation is. Most recent policies are implemented using 
ADMX templates. These are relatively easy to parse, and you can create a 
UI based on the ADML presentation details. More confusing though, are 
the many policies hard coded into the GPMC, which have to be 
individually inspected to determine what they do. These hard coded 
policies include reg_pol, ini, xml, and ldap (from what I've observed). 
There are still some which I haven't ever determined what they do and 
how. I've confusingly come across a few which seem to do nothing at all.
If you want to implement a UI, I'd recommend just sticking to parsing 
the ADMX/ADML templates and ignore the rest of the mess.

One more note, if you start a project, let me know and I'll see what I 
can do to help!

*David Mulder*
Labs Software Engineer, Samba
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
