[Samba] Samba and Winbind Group Policy

Robert Marcano robert at marcanoonline.com
Thu Oct 7 15:08:56 UTC 2021


On 10/7/21 10:04 AM, David Mulder via samba wrote:
> 
> 
> On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
>>
>> This is great to know, amazing work. Does anyone know of someone working 
>> on a console based GPO editor? I remotely manage some small networks 
>> and it is becoming really painful to have to use remote desktop to fix 
>> some GPO some local sysadmin needs help with, especially on small business 
>> Internet connections that tend to be saturated, and our country's bad 
>> ISPs with 2MB "super mega fast" internet service.
>>
>> Now that I see this kind of work, is there some documentation on the 
>> GPO file formats? Is the samba code base to parse them reusable enough 
>> to experiment building a console based GPO editor? I am starting to 
>> think I should invest some time on this.
>>
> 
> I started work on a console based GPO editor: 
> https://github.com/yast/yast2-gpmc and 
> https://github.com/suse-samba-tools/admin-tools
> It needs a lot of work though. I've only implemented a couple of 
> policies, and last I checked, I couldn't even build/run the admin-tools. 
> The gpmc still works under yast, but crashes in odd places.
> 
> As for documentation on file formats, there is none. And Group Policy is 
> a mess (I've spent too much time in the guts of this). The majority of 
> Group Policies are now implemented in reg_pol syntax though. Take a look 
> at python/samba/gp_parse/gp_pol.py in the Samba source tree to see how 
> to parse one of these. Those policies are stored in the Registry.pol 
> file on the SYSVOL. There are also policies stored in ini files and xml 
> files. These are easy to parse. The tough ones (such as software install 
> policies) are stored in a mixture of locations, including random bits in 
> LDAP.
> The tough part about creating a console based editor is how varied the 
> Windows implementation is. Most recent policies are implemented using 
> ADMX templates. These are relatively easy to parse, and you can create a 
> UI based on the ADML presentation details. More confusing though, are 
> the many policies hard coded into the GPMC, which have to be 
> individually inspected to determine what they do. These hard coded 
> policies include reg_pol, ini, xml, and ldap (from what I've observed). 
> There are still some which I haven't ever determined what they do and 
> how. I've confusingly come across a few which seem to do nothing at all.
> If you want to implement a UI, I'd recommend just sticking to parsing 
> the ADMX/ADML templates and ignoring the rest of the mess.

Thanks for the info. This is why it has been so hard, I had some idea 
that there was some hard coding in the MS tools (for example proxy 
settings) that don't follow any kind of template.

I agree with you, if some kind of tool is able to at least create and 
modify a GPO based on modern templates without touching or losing the 
hard coded policies, it is a good start.

> 
> One more note, if you start a project, let me know and I'll see what I 
> can do to help!
> 
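
A length-checked reader for the Registry.pol files mentioned in the thread, as an added example that is not part of the original messages and is not Samba's gp_pol.py. It assumes the PReg layout (4-byte "PReg" signature, DWORD version 1, then UTF-16LE records of the form [key;value;type;size;data]) and returns data as raw bytes; the key and value names in the sample are constructed.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # standard Windows registry type codes
w = lambda s: s.encode("utf-16-le")  # strings and delimiters are UTF-16LE

def expect(buf, pos, ch):
    if buf[pos:pos + 2] != w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def read_wstr(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":  # scan to the UTF-16 NUL
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def read_dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_pol(buf):
    """Return [(key, value, type, raw data bytes)] from Registry.pol content."""
    if buf[:4] != b"PReg" or read_dword(buf, 4)[0] != 1:
        raise ValueError("bad signature or version")
    pos, out = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        value, pos = read_wstr(buf, expect(buf, pos, ";"))
        rtype, pos = read_dword(buf, expect(buf, pos, ";"))
        size, pos = read_dword(buf, expect(buf, pos, ";"))
        pos = expect(buf, pos, ";")
        # The declared size comes from the file, so bound it; slice by size
        # rather than searching, since data may itself contain ';' or ']'.
        if pos + size > len(buf):
            raise ValueError("data size exceeds file")
        data, pos = buf[pos:pos + size], expect(buf, pos + size, "]")
        out.append((key, value, rtype, data))
    return out

def entry(key, value, rtype, data):  # serializer, used only for the sample
    return (w(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(data)) + w(";") + data + w("]"))

# Constructed sample, not taken from a real GPO.
KEY = "Software\\Policies\\Example"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + entry(KEY, "Enabled", REG_DWORD, struct.pack("<I", 1))
          + entry(KEY, "Note", REG_SZ, w("a;b]\0")))
```

Calling `parse_pol(SAMPLE)` yields both records, including the string value whose data contains delimiter characters; truncated input or an oversized declared length raises `ValueError`.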



