4 Managing Group Policies
Before diving into specific Group Policies, let’s review the basics of managing Group Policy.
A Windows Active Directory Administrator should know that Group Policies are managed via the Group Policy Management Console (GPMC). Unfortunately, there isn’t a similar tool for Samba Active Directory Administrators. The Samba project does provide the comprehensive samba-tool gpo command, which supplants much of the GPMC.
There are instances where Samba’s Group Policy can only be managed via the GPMC, with no samba-tool gpo alternative. These cases will be highlighted in the text.
4.1 Opening a Group Policy Object in the Group Policy Management Console
To open the Default Domain Policy (for example) in the Group Policy Management Console:
Open the Group Policy Management Console by going to Start > Administrative Tools > Group Policy Management.
In the Group Policy Management Console, expand the Forest node, then expand the Domains node.
Select the domain that contains the Default Domain Policy.
In the right pane, right-click on the Default Domain Policy and select “Edit” from the context menu.
The Group Policy Management Editor window will open, allowing you to view and edit the Default Domain Policy.
Note: You will need to have the appropriate permissions to edit the Default Domain Policy. If you do not have the necessary permissions, you will not be able to edit the policy.
4.2 Creating a Group Policy Object
4.2.1 samba-tool
The samba-tool gpo create command is used to create a Group Policy Object (GPO). To create a GPO using the samba-tool gpo create command, you would use the following syntax:
Where GPO_NAME is the name of the GPO that you want to create. This name should be unique within the domain, as it will be used to identify the GPO when it is linked to a domain or organizational unit (OU).
Once the GPO has been created, you can use the samba-tool gpo setlink command to add or update a GPO link to a container. The syntax for this command is:
Where CONTAINER_DN is the distinguished name of the container to which you want to add the GPO link, and GPO_NAME is the name of the GPO you want to link.
4.2.2 GPMC
To create a Group Policy object (GPO) using the Group Policy Management Console (GPMC):
Open the GPMC by going to Start > Administrative Tools > Group Policy Management.
In the GPMC, expand the Domains node in the tree, and then expand the domain where you want to create the GPO.
Right-click on the domain, or the container where you’d like the GPO created and linked, and select Create a GPO in this domain, and Link it here...
In the New GPO dialog box, enter a name for the GPO and click on the OK button.
The new GPO will be created and will appear in the list of GPOs under the Group Policy Objects node.
4.3 Deleting a Group Policy Object
4.3.1 samba-tool
To delete a Group Policy Object (GPO), you would use the samba-tool gpo del command. The syntax for this command is:
Where GPO_NAME is the name of the GPO you want to delete.
This command will delete the GPO from the server. Keep in mind that this operation cannot be undone, so make sure you really want to delete the GPO before running this command.
To delete a Group Policy Object (GPO) link from a container, you would use the samba-tool gpo dellink command. The syntax for this command is:
Where CONTAINER_DN is the distinguished name of the container from which you want to delete the GPO link, and GPO_NAME is the name of the GPO you want to unlink.
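Because deletion cannot be undone and a GPO name is only expected, not guaranteed, to be unique, it is worth confirming that a name resolves to exactly one object before deleting or unlinking it. The script below is an added example, not part of the Samba documentation: the helper names are hypothetical, the sample records are constructed, and it assumes that samba-tool gpo listall prints GPO and display name fields in the layout shown.

```shell
#!/bin/sh
# Added example: resolve a GPO display name to exactly one identifier before
# a destructive `samba-tool gpo del` / `dellink`. Helper names are hypothetical.

# Constructed sample in the record layout assumed for `samba-tool gpo listall`
# (GUIDs are made up; path and dn fields are left out for brevity).
sample_listall() {
cat <<'EOF'
GPO          : {11111111-AAAA-4AAA-8AAA-000000000001}
display name : Workstation Lockdown
version      : 3
flags        : NONE

GPO          : {11111111-AAAA-4AAA-8AAA-000000000002}
display name : Kiosk Policy
version      : 1
flags        : NONE

GPO          : {11111111-AAAA-4AAA-8AAA-000000000003}
display name : Kiosk Policy
version      : 0
flags        : NONE

EOF
}

# Read listall output on stdin; print the identifier of every GPO whose
# display name equals $1 exactly (no substring or case-folded matches).
gpo_ids_by_name() {
    awk -v want="$1" '
        /^GPO +: /          { id = $NF }
        /^display name +: / { sub(/^display name +: /, "")
                              if ($0 == want) print id }'
}

# Print the single matching identifier, or fail if the name matches zero or
# several GPOs, so an irreversible delete never hits the wrong object.
resolve_one_gpo() {
    ids=$(gpo_ids_by_name "$1")
    count=$(printf '%s\n' "$ids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: $count GPOs have display name '$1'" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Demo on the constructed sample; against a live domain controller, pipe
# `samba-tool gpo listall` into resolve_one_gpo instead.
sample_listall | resolve_one_gpo "Workstation Lockdown"
sample_listall | resolve_one_gpo "Kiosk Policy" || true
```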
4.3.2 GPMC
To delete a Group Policy object (GPO) using the Group Policy Management Console (GPMC):
In the left pane of the GPMC, expand the forest and domain that contain the GPO you want to delete.
In the left pane, select the Group Policy Objects container. This will display a list of GPOs in the right pane.
In the right pane, right-click the GPO you want to delete and select “Delete.”
A warning message will appear, asking you to confirm that you want to delete the GPO. Click “Yes” to delete the GPO.
4.4 Listing a Group Policy
To list the contents of a Group Policy Object (GPO), you would use the samba-tool gpo list command. The syntax for this command is:
Where GPO_NAME is the name of the GPO you want to list the contents of.
This command will list all of the settings and policies contained in the specified GPO.
4.5 Modifying a Group Policy
The samba-tool gpo manage command is used for modifying settings on a Group Policy Object. See the individual chapters for each subcommand explanation.
Command | Chapter |
---|---|
samba-tool gpo manage smb_conf | 4 |
samba-tool gpo manage security | 5 |
samba-tool gpo manage scripts startup | 7 |
samba-tool gpo manage files | 8 |
samba-tool gpo manage symlink | 9 |
samba-tool gpo manage sudoers | 10 |
samba-tool gpo manage issue | 11 |
samba-tool gpo manage motd | 11 |
samba-tool gpo manage access | 12 |
samba-tool gpo manage openssh | 17 |
Each of these subcommands has its own set of options and parameters that can be used to specify the details of the operation. For more information on a specific subcommand, you can consult the documentation for that subcommand.
Additionally, the samba-tool gpo load and samba-tool gpo remove commands (see section 21.1) may be used to modify any policy which is loaded to the SYSVOL in a Registry.pol file. This applies to smb.conf policies, Script Policies, Sudoers Policies, Message Policies, Certificate Auto Enrollment Policy (advanced configuration only), Firefox Policy, Chromium/Chrome Policy, GNOME Settings Policy, and Firewalld Policy.