Discussion:
[Samba] [samba as AD] Scripting GPO creation
mathias dufresne
2016-07-05 08:30:37 UTC
Hi all,

As I'm lazy I would like to script GPO creation and I have not found
anything relevant yet. Has anyone already tried to extract the whole information
regarding one GPO from the LDAP tree? That would be a nice option to perform
that task, giving us the possibility to create one GPO, extract it, modify
the LDIF, inject it.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-07-06 15:08:28 UTC
Context: several teams have to manage only a bunch of the company's
computers, so these teams must not be able to manage other computers.
First we split our computers into several OUs, one per team.
Second we created one group per team.
The next step is to create one GPO per computer OU which will add the team's
admins to the local administrators group.

Dealing with GPOs (creating some of them, checking what we can do with them)
is a good thing to learn Windows management and dive into the AD world but
doing the same thing several times is, for me, a waste of time.

That's the reason for this thread.

So, the question: how to script GPOs? Not so easily.
Our starting point was here:
https://technet.microsoft.com/en-us/library/ee461027.aspx
Here we have some PowerShell stuff to export a GPO. The result is one
directory containing XML files and sysvol files + one other XML file
outside of the GPO's directory.

In these XML files we have everything needed to import the GPO, in text format.
That's all we need to be able to script the injection.

Steps we followed to clone our initial GPO:
- copy the directory
- replace strings in the XML
- import the GPO using PowerShell.

Replacement of strings needed some time, for us at least, as we had to
understand what was the relevant content to modify. It is the most complex
part of that process.
Once our understanding was good enough we could create a second directory which
was used to import that second GPO, successfully.

From there we just had to deal with awk and other unix tools to generate all
the GPOs we needed. We also generated a PowerShell script to import
all our GPOs at once (laziness is a way of life) and after some time we got
all our GPOs created.

The last step will be to link these GPOs to the right OU; here again PowerShell
will do.

I expect some would find that subject not related enough to Samba but I'm
not a dev. I'm an admin, I use products. Perhaps some others here are doing
the same, not just playing with them.

Cheers,

M.
mathias dufresne
2016-07-06 15:24:56 UTC
PS: I could share information about what should be modified to modify the
very same GPO. I haven't yet as I'm not sure anyone here would be
interested and because that would work only for that kind of GPO.
Achim Gottinger
2016-07-06 16:11:10 UTC
You may be able to edit the GPOs completely from the Linux side.
They contain registry.pol files whose syntax is not so difficult to
read and write.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374407%28v=vs.85%29.aspx
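
Added example, not part of Achim's message or of Samba: a minimal reader and writer for the Registry.pol layout he mentions (a "PReg" signature and version 1 header, then UTF-16LE entries of the form [key;value;type;size;data]), so a policy file can be parsed, edited and rebuilt on the Linux side. The function names and the sample key and values are hypothetical.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)   # file signature + format version 1
REG_SZ, REG_DWORD = 1, 4

def _u16(s):
    return s.encode("utf-16-le")

def build_pol(entries):  # entries: (key, value, reg_type, data_bytes) tuples
    out = bytearray(HEADER)
    for key, value, reg_type, data in entries:
        out += _u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
        out += _u16(";") + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]")
    return bytes(out)

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_str(buf, pos):
    for end in range(pos, len(buf) - 1, 2):       # NUL-terminated UTF-16LE string
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
    raise ValueError("unterminated string")

def parse_pol(buf):
    """Return the (key, value, reg_type, data_bytes) entries of a Registry.pol blob."""
    if buf[:8] != HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_str(buf, _expect(buf, pos, "["))
        value, pos = _read_str(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        if pos + 12 > len(buf):
            raise ValueError("truncated entry")
        reg_type, s1, size, s2 = struct.unpack_from("<I2sI2s", buf, pos)
        if s1 != _u16(";") or s2 != _u16(";") or pos + 12 + size > len(buf):
            raise ValueError("malformed or truncated entry")
        data = buf[pos + 12:pos + 12 + size]
        pos = _expect(buf, pos + 12 + size, "]")
        entries.append((key, value, reg_type, data))
    return entries

# Constructed sample; key and value names are hypothetical.
SAMPLE = build_pol([
    ("Software\\Policies\\Example", "Enabled", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Example", "Label", REG_SZ, _u16("team-a\0")),
])
```

A Registry.pol edited this way is only picked up by clients once the GPO's version number is raised, both in GPT.INI on sysvol and in the versionNumber attribute of the GPO object in AD.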
mathias dufresne
2016-07-06 21:52:49 UTC
Too late for reading but that seems interesting, that reminds me how we
deployed GPOs for another client, years ago. The bad point of .pol, if my
memory works well which is not guaranteed (just leaving a pub right now), is
that .pol files must be deployed on each server manually, whereas injecting
GPOs into the AD DB makes them deploy automagically.