[Samba] Samba and Winbind Group Policy
Robert Marcano
robert at marcanoonline.com
Thu Oct 7 15:08:56 UTC 2021
On 10/7/21 10:04 AM, David Mulder via samba wrote:
>
>
> On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
>>
>> This is great to know, amazing work. Does anyone know of someone working
>> on a console based GPO editor? I remotely manage some small networks
>> and it is becoming really painful to have to use remote desktop to fix
>> some GPO some local sysadmin needs help with, especially on small business
>> Internet connections that tend to be saturated, and our country's bad
>> ISPs with 2MB "super mega fast" internet service.
>>
>> Now that I see this kind of work, is there some documentation on the
>> GPO file formats? Is the samba code base to parse them reusable enough
>> to experiment building a console based GPO editor? I am starting to
>> think I should invest some time on this.
>>
>
> I started work on a console based GPO editor:
> https://github.com/yast/yast2-gpmc and
> https://github.com/suse-samba-tools/admin-tools
> It needs a lot of work though. I've only implemented a couple of
> policies, and last I checked, I couldn't even build/run the admin-tools.
> The gpmc still works under yast, but crashes in odd places.
>
> As for documentation on file formats, there is none. And Group Policy is
> a mess (I've spent too much time in the guts of this). The majority of
> Group Policies are now implemented in reg_pol syntax though. Take a look
> at python/samba/gp_parse/gp_pol.py in the Samba source tree to see how
> to parse one of these. Those policies are stored in the Registry.pol
> file on the SYSVOL. There are also policies stored in ini files and xml
> files. These are easy to parse. The tough ones (such as software install
> policies) are stored in a mixture of locations, including random bits in
> LDAP.
> The tough part about creating a console based editor, is how varied the
> Windows implementation is. Most recent policies are implemented using
> ADMX templates. These are relatively easy to parse, and you can create a
> UI based on the ADML presentation details. More confusing though, are
> the many hard coded policies into the GPMC, which have to be
> individually inspected to determine what they do. These hard coded
> policies include reg_pol, ini, xml, and ldap (from what I've observed).
> There are still some which I haven't ever determined what they do and
> how. I've confusingly come across a few which seem to do nothing at all.
> If you want to implement a UI, I'd recommend just sticking to parsing
> the ADMX/ADML templates and ignore the rest of the mess.
Thanks for the info. This is why it has been so hard, I had some idea
that there was some hard coding in the MS tools (for example proxy
settings) that don't follow any kind of template.
I agree with you, if some kind of tool is able to at least create and
modify a GPO based on modern templates without touching or losing the
hard coded policies, it is a good start.
>
> One more note, if you start a project, let me know and I'll see what I
> can do to help!
>
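
Added example, not part of the thread and not Samba's gp_pol.py: a minimal reader/writer for the Registry.pol (reg_pol) files discussed above, useful for auditing what a GPO sets and for checking that an edit round-trips without losing other entries. It assumes the usual layout, which the thread does not spell out: a `PReg` version 1 header followed by UTF-16LE `[key;value;type;size;data]` records; all function names are hypothetical.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)   # signature + version 1
REG_SZ, REG_DWORD = 1, 4                  # standard registry value types

def _u16(s):
    return s.encode("utf-16-le")

def build_entry(key, value, rtype, data):
    """Serialize one [key;value;type;size;data] record."""
    return (_u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
            + _u16(";") + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]"))

def build_pol(entries):
    return HEADER + b"".join(build_entry(*e) for e in entries)

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _cstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    """Return (key, value, type, data) tuples from Registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, out = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _cstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        if pos + size > len(buf):
            raise ValueError("data length exceeds file size")
        # Slice by the size field: data may itself contain ';' or ']' bytes.
        out.append((key, value, rtype, buf[pos:pos + size]))
        pos = _expect(buf, pos + size, "]")
    return out
```

Because `parse_pol` keeps each entry's raw data bytes, `build_pol(parse_pol(blob))` reproduces the input, so entries an editor does not understand can be written back untouched.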