Re: [Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
- Date: Mon, 29 Apr 2019 19:49:59 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Automating creation of OUs, security groups and GPOs, in Samba AD DC
On Mon, 29 Apr 2019 11:21:55 -0700
Mason Schmitt <mason@xxxxxxxxxxxxxxxx> wrote:
> Thanks Rowland and Louis for your suggestions!
> I think I'll go with the samba-tool option, as presumably this will
> keep up with schema changes as samba evolves.

A few things that Louis didn't say about creating an OU with
samba-tool: if it is an OU off the base DN, you only need to supply
'OU=the_name_for_the_ou', but if it is a new OU off another OU, the
full path must be given as 'OU=newOU,OU=otherOU' and the OU 'otherOU'
must already exist.

Yes, the schema will evolve, just as the Windows AD schema does, but
creating OUs will not change.

> As for application of GPOs, I think I'm going to go down a different
> path. I'm going to move to using a configuration tool, probably
> Puppet. There are a few reasons for this:
> - GPOs cannot easily be versioned in a SCM repository
> - From what little I have learned about GPOs, it looks like it's
> not easy to copy policy and apply it in an automated fashion across
> many domains, whereas Puppet manifests are designed for exactly that
> - GPOs, even in an all Windows environment, do not provide
> reporting of whether a policy was successfully applied or not
> - I get the impression that building tooling around GPOs is not
> really in scope for the samba project

I sort of thought you might come to this conclusion. From my
understanding, you can back up GPOs with a script, but not create them,
which is understandable if you know that they are also stored in AD.
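
Added example (not part of the original thread, and not Samba project code): a POSIX shell sketch of the rule described above, expanding a nested path such as 'OU=newOU,OU=otherOU' so that each parent OU is created before its child. The function names and the DRY_RUN variable are hypothetical, and the existence check assumes that `samba-tool ou list` prints one OU DN per line, relative to the base DN.

```sh
#!/bin/sh
# Added example; function names and DRY_RUN are hypothetical.
NL='
'

# Print every OU that must exist for "$1", outermost parent first.
# "$1" is relative to the base DN, e.g. 'OU=newOU,OU=otherOU'.
ou_creation_order() (
    rest=$1 order=
    while :; do
        rdn=${rest%%,*}
        case $rdn in
            *\\*) echo "escaped characters not supported: $rdn" >&2; exit 1 ;;
            [Oo][Uu]=?*) ;;
            *) echo "not an OU component: '$rdn'" >&2; exit 1 ;;
        esac
        # Each remaining suffix is one level; prepend so parents come first.
        order=$rest${order:+$NL$order}
        case $rest in
            *,*) rest=${rest#*,} ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$order"
)

# Create each missing level in order. With DRY_RUN=1 nothing is changed and
# the command for every level is printed, whether or not the OU exists.
ensure_ou_path() (
    order=$(ou_creation_order "$1") || exit 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Assumption: one OU DN per line, relative to the base DN.
        existing=$(samba-tool ou list) || exit 1
    fi
    printf '%s\n' "$order" | while IFS= read -r ou; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'samba-tool ou create "%s"\n' "$ou"
        elif printf '%s\n' "$existing" | grep -qixF -- "$ou"; then
            echo "exists: $ou" >&2
        else
            samba-tool ou create "$ou" </dev/null || exit 1
        fi
    done
)

# Run as: DRY_RUN=1 sh script.sh 'OU=newOU,OU=otherOU'
if [ "$#" -gt 0 ]; then ensure_ou_path "$1"; fi
```

Anything that is not a plain chain of OU= components (a DC= part, an empty component, an escaped comma) is rejected before any samba-tool command runs.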