Group Policy: Difference between revisions
m (Line break)
(48 intermediate revisions by 5 users not shown)
Line 2: | Line 2: | ||
This document describes how to manage domain members using Group Policy. |
This document describes how to manage domain members using Group Policy. |
||
= About Group Policy = |
= About Group Policy = |
||
Line 10: | Line 14: | ||
On a Windows domain member, policies are enforced using the <code>gpupdate /force</code> command. |
On a Windows domain member, policies are enforced using the <code>gpupdate /force</code> command. |
||
= Configuring Group Policy = |
= Configuring Group Policy = |
||
== Enabling Group Policy == |
== Enabling Group Policy on a Domain Member == |
||
=== Winbind === |
=== Winbind === |
||
Line 23: | Line 32: | ||
=== SSSD === |
=== SSSD === |
||
Group Policy application can be enforced using [https://github.com/ |
Group Policy application can be enforced using [https://github.com/openSUSE/oddjob-gpupdate oddjob-gpupdate]. The samba-gpupdate command from Samba must be installed. |
||
=== Windows === |
=== Windows === |
||
Line 29: | Line 38: | ||
Group Policy is automatically enabled in Windows domain members. |
Group Policy is automatically enabled in Windows domain members. |
||
== Installing Samba ADMX Templates for the Group Policy Management Console == |
|||
== Samba Group Policies == |
|||
=== Installing Samba ADMX templates === |
|||
<code>samba-tool gpo admxload -UAdministrator</code> |
|||
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba. |
|||
The ''samba-tool gpo admxload'' command copies the Samba ADMX templates to the ''<domain>''/Policies/PolicyDefinitions directory on the SYSVOL share. |
|||
{{Imbox |
|||
| type = note |
|||
| text = If you run the command without specifying which DC to use with '-H', the ADMX templates may be installed on another DC. |
|||
}} |
|||
To install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates]: |
|||
msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2020\ Update.msi |
|||
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2020\ Update\ \(20H2\)/PolicyDefinitions/ |
|||
{{Imbox |
{{Imbox |
||
| type = warning |
| type = warning |
||
| text = |
| text = If you install the Samba ADMX templates, you MUST also install Microsoft's ADMX templates, otherwise you will be unable to administer Windows domain members. |
||
}} |
}} |
||
$ samba-tool gpo admxload -U Administrator |
|||
== Setting Samba Group Policy in the Group Policy Management Console == |
|||
This command copies the Samba ADMX templates to the <code><domain>/Policies/PolicyDefinitions</code> directory on the SYSVOL share. |
|||
To set Samba Group Policy settings, open the Group Policy Management Console and either create a new Group Policy Object, or edit an existing one. |
|||
If you have more than one domain controller you should run the command with '-H' in order to insure the ADMX templates are installed on the correct DC; e.g. |
|||
$ samba-tool gpo admxload -H dc2.samdom.example.com -U Administrator |
|||
=== Installing Microsoft's ADMX templates === |
|||
To install Microsoft's ADMX templates, download the [https://learn.microsoft.com/en-US/troubleshoot/windows-client/group-policy/create-and-manage-central-store#links-to-download-the-administrative-templates-files-based-on-the-operating-system-version latest Administrative Templates] for your OS version, then (example with ADMX for Windows 10 2022): |
|||
<pre> |
|||
$ msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2022\ Update.msi |
|||
$ samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/</pre> |
|||
{{Imbox |
|||
| type = note |
|||
| text = The <code>msiextract</code> command can be found in the <code>msitools</code> package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch linux in the AUR. |
|||
}} |
|||
== Creating a Group Policy Object == |
== Creating a Group Policy Object == |
||
=== Group Policy Management Editor === |
|||
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing. |
|||
== Group Policy Management Editor == |
|||
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here". |
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here". |
||
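Review bot: "insure" in the new -H sentence ("in order to insure the ADMX templates are installed on the correct DC") should be "ensure". In the same hunk, the Group Policy Management Editor subsection placed under "Creating a Group Policy Object" opens with "Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing", which is the editing instruction repeated from the "Setting Samba Group Policy" section and does not belong in the creation steps; keep only the sentence that opens the Group Policy Management Console there and let the following paragraph ("To create the Group Policy Object, highlight the domain or container...") carry the creation step.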
Line 66: | Line 82: | ||
Enter the name of the new Group Policy in the dialog that appears, then click ok. |
Enter the name of the new Group Policy in the dialog that appears, then click ok. |
||
=== samba-tool === |
|||
== samba-tool == |
|||
Alternatively, to create a Group Policy Object from the command line, issue the <code>samba-tool gpo create</code> command. To then link it to a container, issue the <code>samba-tool gpo setlink</code> command. |
Alternatively, to create a Group Policy Object from the command line, issue the <code>samba-tool gpo create</code> command. To then link it to a container, issue the <code>samba-tool gpo setlink</code> command. |
||
Line 75: | Line 90: | ||
== Group Policy Management Editor == |
=== Group Policy Management Editor === |
||
Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing. |
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing. |
||
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy. |
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy. |
||
=== samba-tool === |
|||
== samba-tool == |
|||
Alternatively, some Group Policies can be managed using the <code>samba-tool gpo manage</code> command. |
Alternatively, some Group Policies can be managed using the <code>samba-tool gpo manage</code> command. |
||
== Listing Existing Group Policies == |
|||
List existing Group Policies using the <code>samba-tool gpo listall</code> command. |
|||
# samba-tool gpo listall -UAdministrator |
|||
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} |
|||
display name : Default Domain Policy |
|||
path : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} |
|||
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com |
|||
version : 2097290 |
|||
flags : NONE |
|||
The first attribute of each GPO listed is the GUID (Globally Unique Identifier) of the GPO (in the form {31B2F340-016D-11D2-945F-00C04FB984F9}). You'll need this GUID in order to identify the GPO in other <code>samba-tool gpo</code> commands. |
|||
== Removing Policy from a Domain Member == |
|||
=== Linux Domain Member === |
|||
To remove policies applied to a domain member, issue the command: |
|||
samba-gpupdate --unapply --target=Computer |
|||
Or, to remove applied user policy: |
|||
samba-gpupdate --unapply --target=User -U<username> |
|||
Only a user with root privileges can remove applied policy. |
|||
=== Windows Domain Member === |
|||
Windows does not provide a feature for removing policy. The only work-around is to unjoin the domain, then force an apply with: |
|||
gpupdate /force /boot |
|||
= Linux Domain Member Policies = |
= Linux Domain Member Policies = |
||
Linux domain member policies are applied using the samba-gpupdate command. These policies are non-tatooing, meaning when a Group Policy Object is removed from a computer or user, the policies are also removed from the associated domain member. |
|||
For additional details on how to configure Linux Group Policies, see the [https://dmulder.github.io/group-policy-book/intro.html Group Policy on Linux documentation]. |
|||
== smb.conf Policies == |
== smb.conf Policies == |
||
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy is unable to apply idmap policies. |
|||
[https://dmulder.github.io/group-policy-book/smbconf.html smb.conf policies] are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy is unable to apply idmap policies. |
|||
== Password and Kerberos Policies == |
== Password and Kerberos Policies == |
||
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers. |
|||
[https://dmulder.github.io/group-policy-book/sec.html Password and Kerberos policies], found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers. |
|||
The following password policies are applicable: |
The following password policies are applicable: |
||
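Review bot: "non-tatooing" in the new Linux Domain Member Policies paragraph should read "non-tattooing", the Group Policy term for settings that are reverted once the GPO no longer applies; the rest of the sentence already explains that meaning, so only the spelling needs fixing.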
Line 107: | Line 169: | ||
* Maximum service age (Maximum lifetime for service ticket) |
* Maximum service age (Maximum lifetime for service ticket) |
||
* Maximum renew age (Maximum lifetime for user ticket renewal) |
* Maximum renew age (Maximum lifetime for user ticket renewal) |
||
== Script Policies == |
== Script Policies == |
||
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts. |
|||
[https://dmulder.github.io/group-policy-book/scripts.html Script policies] create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts. |
|||
To add a script policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy. |
To add a script policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy. |
||
Line 128: | Line 190: | ||
=== Startup Script Policies === |
=== Startup Script Policies === |
||
Startup script policies allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the <code>samba-tool gpo manage scripts startup</code> command. |
[https://dmulder.github.io/group-policy-book/startupscripts.html Startup script policies] allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the <code>samba-tool gpo manage scripts startup</code> command. |
||
For example: |
For example: |
||
Line 134: | Line 196: | ||
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n' |
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n' |
||
This command would upload the local script <code>test_script.sh</code> to the SYSVOL, then schedule it to run on clients at startup and will pass the parameter '-n' to the script when it runs. |
This command would upload the local script <code>test_script.sh</code> to the SYSVOL, then schedule it to run on clients at startup and will pass the parameter '-n' to the script when it runs. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
||
=== Centrify Crontab Entries === |
|||
Samba provides an extension which adds compatibility with Centrify's Crontab Entries Group Policy. If you are currently using Centrify Group Policy to distribute Crontab entry policies, these will automatically be applied by samba-gpupdate. |
|||
== Files Policy == |
== Files Policy == |
||
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the <code>samba-tool gpo manage files</code> command. |
|||
The [https://dmulder.github.io/group-policy-book/files.html Files policy] deploys files to client machines. These files are uploaded to the SYSVOL via the <code>samba-tool gpo manage files</code> command. |
|||
For example: |
For example: |
||
Line 145: | Line 212: | ||
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600 |
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600 |
||
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600. |
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
||
This policy is useful to use in conjunction with the Scripts policy. |
This policy is useful to use in conjunction with the Scripts policy. |
||
Line 152: | Line 219: | ||
== Symlink Policies == |
== Symlink Policies == |
||
The symlink policy creates symbolic links on client machines. This policy is set via the <code>samba-tool gpo manage symlink</code> command. |
|||
The [https://dmulder.github.io/group-policy-book/symlink.html symlink policy] creates symbolic links on client machines. This policy is set via the <code>samba-tool gpo manage symlink</code> command. |
|||
For example: |
For example: |
||
Line 158: | Line 226: | ||
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target |
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target |
||
This policy will cause clients to symlink the source to the target. |
This policy will cause clients to symlink the source to the target. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
||
== Sudoers Policies == |
== Sudoers Policies == |
||
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights. |
|||
[https://dmulder.github.io/group-policy-book/sudoers.html Sudoers policies] add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights. |
|||
To add a sudo policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy. |
To add a sudo policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy. |
||
Line 181: | Line 250: | ||
== VGP Sudoers Policies == |
=== VGP Sudoers Policies === |
||
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the <code>samba-tool gpo manage sudo</code> command. |
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the <code>samba-tool gpo manage sudo</code> command. |
||
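Review bot: the VGP Sudoers paragraph names the command <code>samba-tool gpo manage sudo</code>, but the worked example in the next hunk invokes <code>samba-tool gpo manage sudoers add {GUID} ALL ALL fakeu fakeg</code>; the prose and the example should agree, and since the example shows the subcommand actually run, change the prose to <code>samba-tool gpo manage sudoers</code>.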
Line 188: | Line 257: | ||
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg |
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg |
||
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
|||
This will create the following entry within /etc/sudoers.d: |
This will create the following entry within /etc/sudoers.d: |
||
Line 201: | Line 272: | ||
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL |
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL |
||
=== Centrify Sudoers Policies === |
|||
<pre>Note: Samba Sudoers and VGP Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping.</pre> |
|||
A third Sudoers extension is available to provide compatibility with Centrify's Sudoers Group Policy. If you are currently using Centrify Group Policy to distribute Sudoers policies, these will automatically be applied by samba-gpupdate. |
|||
{{Imbox |
|||
| type = note |
|||
| text = Samba Sudoers, VGP Sudoers, and Centrify Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping. |
|||
}} |
|||
== Message Policies == |
== Message Policies == |
||
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages. |
|||
[https://dmulder.github.io/group-policy-book/msgs.html Message policies] set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages. |
|||
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login. |
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login. |
||
Line 221: | Line 300: | ||
== VGP Message Policies == |
=== VGP Message Policies === |
||
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the <code>samba-tool gpo manage motd</code> and <code>samba-tool gpo manage issue</code> commands. |
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the <code>samba-tool gpo manage motd</code> and <code>samba-tool gpo manage issue</code> commands. |
||
{{Imbox |
|||
<pre> Warning: Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.</pre> |
|||
| type = warning |
|||
| text = Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another. |
|||
}} |
|||
== PAM Access Policies == |
== PAM Access Policies == |
||
PAM Access policies set access rules within /etc/security/access.d. These policies are set using the `samba-tool gpo manage access` command. This policy is compatible with Vintela's Access Group Policy. |
|||
[https://dmulder.github.io/group-policy-book/pamaccess.html PAM Access policies] set access rules within /etc/security/access.d. These policies are set using the `samba-tool gpo manage access` command. This policy is compatible with Vintela's Access Group Policy. |
|||
For example, to add an allow policy for the user (or group) goodguy in the domain example.com: |
For example, to add an allow policy for the user (or group) goodguy in the domain example.com: |
||
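Review bot: the PAM Access paragraph marks its command with backticks (`samba-tool gpo manage access`), which MediaWiki renders literally rather than as code; every other section on the page uses <code>...</code>, so switch it to <code>samba-tool gpo manage access</code> for consistency.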
Line 236: | Line 319: | ||
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com |
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com |
||
This will set the policy on the SYSVOL to the GPO specified by the |
This will set the policy on the SYSVOL to the GPO specified by the GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
||
linux-h7xz:~ # samba-gpupdate |
linux-h7xz:~ # samba-gpupdate |
||
Line 249: | Line 332: | ||
-:example.com\goodguy:ALL |
-:example.com\goodguy:ALL |
||
== Certificate Auto Enrollment == |
== Certificate Auto Enrollment == |
||
Line 258: | Line 340: | ||
== Firefox Policy == |
== Firefox Policy == |
||
Firefox policies can be administered using the mozilla templates [https://github.com/mozilla/policy-templates/releases available here]. To install the templates, issue the command: |
|||
[https://dmulder.github.io/group-policy-book/firefox.html Firefox policies] can be administered using the mozilla templates [https://github.com/mozilla/policy-templates/releases available here]. To install the templates, issue the command: |
|||
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows</code> |
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows</code> |
||
Once installed, the policies can be administered from the Group Policy Management Editor. |
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools). |
||
Applying policy will generate two policy files on the local host: |
Applying policy will generate two policy files on the local host: |
||
Line 274: | Line 357: | ||
== Chromium/Chrome Policy == |
== Chromium/Chrome Policy == |
||
Chromium and Google Chrome policies can be administered using the templates [https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip available here]. To install the templates, issue the command: |
|||
[https://dmulder.github.io/group-policy-book/chrome.html Chromium and Google Chrome policies] can be administered using the templates [https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip available here]. To install the templates, issue the command: |
|||
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx</code> |
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx</code> |
||
Once installed, the policies can be administered from the Group Policy Management Editor. |
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools). |
||
Applying policy will generate four policy files on the local host: |
Applying policy will generate four policy files on the local host: |
||
Line 292: | Line 376: | ||
== GNOME Settings == |
== GNOME Settings == |
||
GNOME Settings policies are found in the Group Policy Management Editor > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command: |
|||
[https://dmulder.github.io/group-policy-book/gnome.html GNOME Settings policies] are found in the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools) > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command: |
|||
samba-tool gpo admxload -UAdministrator |
samba-tool gpo admxload -UAdministrator |
||
These policies manage some GNOME settings, such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and reparitioning. There is also a general method for disabling any specific GNOME lockdown value. |
These policies manage some GNOME user settings, [https://help.gnome.org/admin/system-admin-guide/stable/user-settings.html.en as described in the GNOME system admin guide], such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and reparitioning. There is also a general method for disabling any specific GNOME lockdown value. |
||
== OpenSSH Policy == |
== OpenSSH Policy == |
||
OpenSSH policy applies settings to /etc/ssh/sshd_config.d. These policies can be set using the <code>samba-tool gpo manage openssh</code> command. |
|||
[https://dmulder.github.io/group-policy-book/openssh.html OpenSSH policy] applies settings to /etc/ssh/sshd_config.d. These policies can be set using the <code>samba-tool gpo manage openssh</code> command. |
|||
For example, to require kerberos authentication in OpenSSH: |
For example, to require kerberos authentication in OpenSSH: |
||
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes |
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes |
||
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]]. |
|||
== Firewalld Policy == |
|||
[https://dmulder.github.io/group-policy-book/firewalld.html Firewalld policy] applies firewall rules using the firewall-cmd command. These policies can be found in the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools) > Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Firewalld when the default samba ADMX templates are installed. These templates can be installed by executing the command: |
|||
samba-tool gpo admxload -UAdministrator |
|||
The policy provides for the creation of rules and zones. Zones are defined as a list in the Zones setting in the Firewalld policy. Existing zones on the host will be unaffected. |
|||
Rules are defined using a JSON dictionary, containing zones paired with a list of rules. |
|||
For example, to create rules for the Work and Home zones, specify the following JSON: |
|||
{ |
|||
"work": [ |
|||
{"rule": {"family": "ipv4"}, "source address": "172.25.1.7", "service name": "ftp", "reject": {}}, |
|||
{"rule": {}, "source address": "172.25.1.8", "service name": "ftp", "reject": {}} |
|||
], |
|||
"home": [ |
|||
{"rule": {}, "protocol value": "icmp", "reject": {}}, |
|||
{"rule": {"family": "ipv4"}, "source address": "192.168.1.2/32", "service name": "telnet", "accept": {"limit value": "1/m"}} |
|||
] |
|||
} |
|||
The rule structure loosely follows the Firewalld Rich Language Documentation. |
|||
General rule structure: |
|||
{ |
|||
"rule": { |
|||
"family": "ipv4 | ipv6", |
|||
"priority": "priority" |
|||
}, |
|||
"source [not] address | mac | ipset": "address[/mask] | mac-address | ipset", |
|||
"destination [not] adress": "address[/mask]", |
|||
"service name": "service name", |
|||
"port": { |
|||
"port": "port value", |
|||
"protocol": "tcp | udp" |
|||
} |
|||
"protocol value": "protocol value", |
|||
"icmp-block name": "icmptype name", |
|||
"Masquerade": true|false, |
|||
"icmp-type": "icmptype name", |
|||
"forward-port": { |
|||
"port": "port value", |
|||
"protocol": "tcp | udp", |
|||
"to-port": "port value", |
|||
"to-addr": "address" |
|||
}, |
|||
"source-port": { |
|||
"port": "port value", |
|||
"protocol": "tcp | udp" |
|||
}, |
|||
"log": { |
|||
"prefix": "prefix text", |
|||
"level": "emerg | alert | crit | error | warning | notice | info | debug", |
|||
"limit value": "rate/duration" |
|||
}, |
|||
"audit": { |
|||
"limit value": "rate/duration" |
|||
}, |
|||
"accept" : { |
|||
"limit value": "rate/duration" |
|||
} | "reject": { |
|||
"type": "reject type", |
|||
"limit value": "rate/duration" |
|||
} | "drop": { |
|||
"limit value": "rate/duration" |
|||
} | "mark": { |
|||
"set": "mark[/mask]", |
|||
"limit value": "rate/duration" |
|||
} |
|||
} |
|||
= Windows Domain Member Policies = |
|||
== User Home Folders == |
|||
{{:Using_a_Group_Policy_Preference}} |
|||
== Folder Redirection == |
|||
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}} |
|||
== Restricted Groups == |
|||
{{:Managing_local_groups_on_domain_members_via_GPO_restricted_groups}} |
|||
= Resultant Set of Policy = |
= Resultant Set of Policy = |
||
The Resultant Set of Policy is a report indicating what policies have been, or what will be, applied to the local system. To display the Resultant Set of Policy, use the `samba-gpupdate --rsop` command: |
|||
The Resultant Set of Policy assists in troubleshooting policy implementation. It is a report indicating what policies have been, or what will be, applied to a domain member. |
|||
== Linux Domain Member == |
|||
To display the Resultant Set of Policy, use the <code>samba-gpupdate --rsop</code> command: |
|||
linux-h7xz:~ # samba-gpupdate --rsop |
linux-h7xz:~ # samba-gpupdate --rsop |
||
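Review bot: three fixes in this hunk: "reparitioning" in the GNOME Settings paragraph should be "repartitioning"; "destination [not] adress" in the firewalld general rule structure should be "address"; and the closing brace of the "port" object in that structure is not followed by a comma before "protocol value", so the block is not valid JSON as shown while every other sibling key is comma-separated. "Masquerade" is also the only capitalised key in the structure; worth confirming whether the parser treats keys case-sensitively and, if so, documenting that.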
Line 353: | Line 546: | ||
----------------------------------------------------------- |
----------------------------------------------------------- |
||
================================================================================================ |
================================================================================================ |
||
== Windows Domain Member == |
|||
To view the Resultant Set of Policy on a Windows domain member: |
|||
# Open the Microsoft Management Console |
|||
# Click File > Add/Remove Snap-in |
|||
# Select the Resultant Set of Policy, and then click Add. |
|||
# Click OK |
|||
---- |
---- |
||
[[Category:Active Directory]] |
[[Category:Active Directory]] |
||
[[Category:Group Policy Management]] |
Latest revision as of 17:00, 23 September 2023
Introduction
This document describes how to manage domain members using Group Policy.
About Group Policy
Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under groupPolicyContainer objects. These objects provide the gPCFileSysPath attribute, which points to policy information stored on the domain's SYSVOL share. Policies are enforced at a random interval between 90 and 120 seconds.
Policies can be manually enforced on a Linux domain member using the samba-gpupdate --force command.
On a Windows domain member, policies are enforced using the gpupdate /force command.
Configuring Group Policy
Enabling Group Policy on a Domain Member
Winbind
To enable Group Policy application in winbind, set the global option apply group policies to yes.
apply group policies = yes
SSSD
Group Policy application can be enforced using oddjob-gpupdate. The samba-gpupdate command from Samba must be installed.
Windows
Group Policy is automatically enabled in Windows domain members.
Samba Group Policies
Installing Samba ADMX templates
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.
Note: If you install the Samba ADMX templates, you MUST also install Microsoft's ADMX templates. admxload populates the PolicyDefinitions directory on SYSVOL (the Central Store), and once a Central Store exists the Group Policy Management Console reads templates from it exclusively and ignores the local %SystemRoot%\PolicyDefinitions copies; without Microsoft's templates in the store you will be unable to administer Windows domain members.
$ samba-tool gpo admxload -U Administrator
This command copies the Samba ADMX templates to the <domain>/Policies/PolicyDefinitions directory on the SYSVOL share.
If you have more than one domain controller, run the command with -H to ensure the ADMX templates are installed on the intended DC, e.g.
$ samba-tool gpo admxload -H dc2.samdom.example.com -U Administrator
Installing Microsoft's ADMX templates
To install Microsoft's ADMX templates, download the latest Administrative Templates for your OS version, then (example with ADMX for Windows 10 2022):
$ msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2022\ Update.msi
$ samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/

Note: The msiextract command can be found in the msitools package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch Linux (via the AUR).
Creating a Group Policy Object
Group Policy Management Editor
Open the Group Policy Management Console (which is part of the Windows RSAT tools).
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".
Enter the name of the new Group Policy in the dialog that appears, then click OK.
samba-tool
Alternatively, to create a Group Policy Object from the command line, issue the samba-tool gpo create command. To then link it to a container, issue the samba-tool gpo setlink command.
Editing a Group Policy Object
Group Policy Management Editor
Open the Group Policy Management Console (which is part of Windows RSAT tools). Highlight a policy, and select Edit from the Action menu to open the policy for editing.
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.
samba-tool
Alternatively, some Group Policies can be managed using the samba-tool gpo manage command.
Listing Existing Group Policies
List existing Group Policies using the samba-tool gpo listall command.

# samba-tool gpo listall -UAdministrator
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 2097290
flags        : NONE

The first attribute of each GPO listed is the GUID (Globally Unique Identifier) of the GPO (in the form {31B2F340-016D-11D2-945F-00C04FB984F9}). You'll need this GUID in order to identify the GPO in other samba-tool gpo commands.
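The GUID is not the only field worth scripting against. The version field is a single integer in which the high 16 bits are the User Configuration version and the low 16 bits are the Computer Configuration version; clients compare these counters with the ones they last applied to decide whether a GPO needs to be processed again, so 2097290 above means user version 32 and computer version 138. The Python below is an added example, not Samba code: it parses a constructed listall transcript shaped like the output above (the second entry uses the well-known Default Domain Controllers Policy GUID with a made-up version), decodes the counters, and checks that the GUID on the GPO line also names the SYSVOL path and the LDAP DN.

```python
"""Parse `samba-tool gpo listall` output and decode each GPO's version counter.

Added example, not part of Samba. LISTALL_SAMPLE is a constructed transcript
shaped like the listall output above; the second entry uses the well-known
Default Domain Controllers Policy GUID with a made-up version number.
"""
import re

LISTALL_SAMPLE = r"""GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 2097290
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\example.com\sysvol\example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 65539
flags        : NONE
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_listall(text):
    """Split the 'key : value' blocks (one per GPO, separated by blank lines)."""
    gpos, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                gpos.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        gpos.append(current)
    return gpos


def decode_version(version):
    """versionNumber packs two 16-bit counters: (user version, computer version)."""
    version = int(version)
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def gpo_consistent(gpo):
    """The GUID on the GPO line must be well-formed and must also name the
    SYSVOL directory and the LDAP DN; a mismatch points at a corrupted or
    hand-edited GPO that clients may silently skip."""
    guid = gpo["GPO"]
    return (bool(GUID_RE.match(guid))
            and gpo["path"].endswith(guid)
            and gpo["dn"].startswith("CN=" + guid + ","))


def summarize(text):
    """Return one record per GPO with the decoded version counters."""
    records = []
    for gpo in parse_listall(text):
        user_ver, computer_ver = decode_version(gpo["version"])
        records.append({
            "guid": gpo["GPO"],
            "name": gpo["display name"],
            "user_version": user_ver,
            "computer_version": computer_ver,
            "flags": gpo["flags"],
            "consistent": gpo_consistent(gpo),
        })
    return records


if __name__ == "__main__":
    for rec in summarize(LISTALL_SAMPLE):
        print(f"{rec['guid']} {rec['name']!r}: user v{rec['user_version']}, "
              f"computer v{rec['computer_version']}, consistent={rec['consistent']}")
```

Feed it the real output of samba-tool gpo listall and the consistency check doubles as a quick integrity test of SYSVOL versus LDAP after a manual SYSVOL sync between DCs.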
Removing Policy from a Domain Member
Linux Domain Member
To remove policies applied to a domain member, issue the command:
samba-gpupdate --unapply --target=Computer
Or, to remove applied user policy:
samba-gpupdate --unapply --target=User -U<username>
Only a user with root privileges can remove applied policy.
Windows Domain Member
Windows has no equivalent of samba-gpupdate --unapply for stripping applied policy from a member. The only work-around is to unjoin the domain, then force an apply with:
gpupdate /force /boot
Linux Domain Member Policies
Linux domain member policies are applied using the samba-gpupdate command. These policies are non-tattooing: when a Group Policy Object no longer applies to a computer or user, the settings it delivered are removed from the domain member as well.
For additional details on how to configure Linux Group Policies, see the Group Policy on Linux documentation.
smb.conf Policies
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. idmap options cannot be set through this policy.
Password and Kerberos Policies
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.
The following password policies are applicable:
- Minimum password age
- Maximum password age
- Minimum password length
- Password must meet complexity requirements
And Kerberos policies:
- Maximum ticket age (Maximum lifetime for user ticket)
- Maximum service age (Maximum lifetime for service ticket)
- Maximum renew age (Maximum lifetime for user ticket renewal)
Script Policies
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.
To add a script policy, open the policy, enable it, and click Show. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.
Script policies are applied as cron jobs on the winbind client. The example below lands in /etc/cron.daily, so the command runs as root: anyone who can edit a GPO linked to the client can run arbitrary commands as root on every affected machine, so restrict write access to those GPOs as you would restrict root.

linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i
#!/bin/sh
whoami > /daily.log
Startup Script Policies
Startup script policies allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the samba-tool gpo manage scripts startup command.
For example:
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
This command would upload the local script test_script.sh to the SYSVOL, then schedule it to run on clients at startup and will pass the parameter '-n' to the script when it runs. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. You can use the samba-tool gpo listall command to find the GUID for the GPO.
Centrify Crontab Entries
Samba provides an extension which adds compatibility with Centrify's Crontab Entries Group Policy. If you are currently using Centrify Group Policy to distribute Crontab entry policies, these will automatically be applied by samba-gpupdate.
Files Policy
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the samba-tool gpo manage files command.
For example:
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root and the permissions 600. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. You can use the samba-tool gpo listall command to find the GUID for the GPO.
This policy is useful in conjunction with the Scripts policy.
Symlink Policies
The symlink policy creates symbolic links on client machines. This policy is set via the samba-tool gpo manage symlink command.
For example:
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
This policy will cause clients to symlink the source to the target. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. You can use the samba-tool gpo listall command to find the GUID for the GPO.
Sudoers Policies
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.
To add a sudo policy, open the policy, enable it, and click Show. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.
The rules are written as given into a file under /etc/sudoers.d, so a rule such as the one below grants the named user passwordless root on every client the GPO applies to, and anyone who can edit that GPO effectively holds root on those clients. Scope rules to the commands actually needed and restrict write access to the GPO accordingly.

linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg
### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
tux ALL=(ALL) NOPASSWD: ALL
VGP Sudoers Policies
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the samba-tool gpo manage sudoers command.
For example, to add an entry for the user 'fakeu':
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. You can use the samba-tool gpo listall command to find the GUID for the GPO.
This will create the following entry within /etc/sudoers.d:

> cat /etc/sudoers.d/gp_XXXXX
### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
Centrify Sudoers Policies
A third Sudoers extension is available to provide compatibility with Centrify's Sudoers Group Policy. If you are currently using Centrify Group Policy to distribute Sudoers policies, these will automatically be applied by samba-gpupdate.
Note: Samba Sudoers, VGP Sudoers, and Centrify Sudoers policies can safely be used in conjunction with one another, since these policies are non-overlapping.
Message Policies
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.
linux-h7xz:~ # samba-gpupdate
linux-h7xz:~ # cat /etc/motd
This message is distributed by Samba!
To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.
linux-h7xz:~ # samba-gpupdate
linux-h7xz:~ # cat /etc/issue
Samba Group Policy \s \r \l
VGP Message Policies
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the samba-tool gpo manage motd and samba-tool gpo manage issue commands.

Note: Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.
PAM Access Policies
PAM Access policies set access rules within /etc/security/access.d. These policies are set using the `samba-tool gpo manage access` command. This policy is compatible with Vintela's Access Group Policy.
For example, to add an allow policy for the user (or group) goodguy in the domain example.com:
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
This will set the policy on the SYSVOL in the GPO specified by the GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. You can use the samba-tool gpo listall command to find the GUID for the GPO. In access.conf syntax a leading + permits and a leading - denies, and pam_access stops at the first matching line, so after the policy applies check that the generated file matches the allow or deny you intended.

linux-h7xz:~ # samba-gpupdate
linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf
### autogenerated by samba
#
# This file is generated by the vgp_access_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
-:example.com\goodguy:ALL
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured. Optionally the role Network Device Enrollment Service can be installed to simplify the fetching of the root certificate chain.
Configure Group Policy auto enrollment as described in the documentation here.
Enable Certificate Auto Enrollment on the Client
To setup Certificate Auto Enrollment:
- Install certmonger, and cepces. Optionally also install sscep to simplify fetching of the certificate root chain. Samba uses certmonger paired with cepces to monitor the host certificate templates.
- Join to an Active Directory domain (one where the CA has been previously configured as explained above).
Note: Samba's gpupdate works with SSSD, but requires the oddjob-gpupdate package in order to apply policies automatically.
- Enable group policy apply:
- For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
- For a SSSD joined machine by installing the oddjob-gpupdate package.
- To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
======================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] = <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
  -----------------------------------------------------------
======================================================================================================================
Issuing the `getcert list` command will display the installed certificates:
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Certificates
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
Firefox Policy
Firefox policies can be administered using the mozilla templates available here. To install the templates, issue the command:
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows RSAT tools).
Applying policy will generate two policy files on the local host:

/usr/lib64/firefox/distribution/policies.json
/etc/firefox/policies/policies.json

Both are valid Firefox policy files: /etc/firefox/policies/policies.json is the newer system-wide location on Linux, while the distribution directory under the installation prefix is the older one, so both are written to cover either Firefox version.
Chromium/Chrome Policy
Chromium and Google Chrome policies can be administered using the templates available here. To install the templates, issue the command:
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows RSAT tools).
Applying policy will generate four policy files on the local host:
/etc/chromium/policies/managed/policies.json
/etc/chromium/policies/recommended/policies.json
/etc/opt/chrome/policies/managed/policies.json
/etc/opt/chrome/policies/recommended/policies.json
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.
GNOME Settings
GNOME Settings policies are found in the Group Policy Management Editor (which is part of Windows RSAT tools) > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:
samba-tool gpo admxload -UAdministrator
These policies manage some GNOME user settings, as described in the GNOME system admin guide, such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and repartitioning. There is also a general method for disabling any specific GNOME lockdown value.
OpenSSH Policy
OpenSSH policy applies settings to /etc/ssh/sshd_config.d. These policies can be set using the samba-tool gpo manage openssh command.
For example, to require Kerberos authentication in OpenSSH:
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. You can use the samba-tool gpo listall command to find the GUID for the GPO. Note that sshd keeps the first value it reads for each keyword, so a drop-in under sshd_config.d only wins over a keyword in sshd_config if the Include directive precedes that keyword, which is where current distributions place it; check with sshd -T after the policy applies.
Firewalld Policy
Firewalld policy applies firewall rules using the firewall-cmd command. These policies can be found in the Group Policy Management Editor (which is part of Windows RSAT tools) > Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Firewalld when the default samba ADMX templates are installed. These templates can be installed by executing the command:
samba-tool gpo admxload -UAdministrator
The policy provides for the creation of rules and zones. Zones are defined as a list in the Zones setting in the Firewalld policy. Existing zones on the host will be unaffected.
Rules are defined using a JSON dictionary, containing zones paired with a list of rules.
For example, to create rules for the Work and Home zones, specify the following JSON:
{
  "work": [
    {"rule": {"family": "ipv4"}, "source address": "172.25.1.7", "service name": "ftp", "reject": {}},
    {"rule": {}, "source address": "172.25.1.8", "service name": "ftp", "reject": {}}
  ],
  "home": [
    {"rule": {}, "protocol value": "icmp", "reject": {}},
    {"rule": {"family": "ipv4"}, "source address": "192.168.1.2/32", "service name": "telnet", "accept": {"limit value": "1/m"}}
  ]
}
The rule structure loosely follows the Firewalld Rich Language Documentation.
General rule structure:

{
  "rule": {
    "family": "ipv4 | ipv6",
    "priority": "priority"
  },
  "source [not] address | mac | ipset": "address[/mask] | mac-address | ipset",
  "destination [not] address": "address[/mask]",
  "service name": "service name",
  "port": {
    "port": "port value",
    "protocol": "tcp | udp"
  },
  "protocol value": "protocol value",
  "icmp-block name": "icmptype name",
  "Masquerade": true|false,
  "icmp-type": "icmptype name",
  "forward-port": {
    "port": "port value",
    "protocol": "tcp | udp",
    "to-port": "port value",
    "to-addr": "address"
  },
  "source-port": {
    "port": "port value",
    "protocol": "tcp | udp"
  },
  "log": {
    "prefix": "prefix text",
    "level": "emerg | alert | crit | error | warning | notice | info | debug",
    "limit value": "rate/duration"
  },
  "audit": {
    "limit value": "rate/duration"
  },
  "accept": { "limit value": "rate/duration" }
    | "reject": { "type": "reject type", "limit value": "rate/duration" }
    | "drop": { "limit value": "rate/duration" }
    | "mark": { "set": "mark[/mask]", "limit value": "rate/duration" }
}
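The JSON above is the policy's input; what the client ultimately needs is one firewalld rich rule per entry. The Python below is an added example, not Samba's gp_firewalld_ext code: it turns the page's sample JSON (plus one constructed "public" zone rule) into firewall-cmd command lines following the rich-language grammar (family and priority first, matches next, the action last), and it lints for accept rules that carry no source or destination match, which is the mistake that turns a hardening policy into an exposure on every client. The --permanent flag and the exact command shape are this example's choice, and the "public" zone entry is constructed to exercise the linter.

```python
"""Translate the Firewalld Group Policy JSON into firewalld rich rules.

Added example, not Samba's gp_firewalld_ext. POLICY_JSON is the sample from
the page plus a constructed "public" zone rule used to exercise the linter.
Rich-rule grammar: rule [family] [priority] [source] [destination]
                   <element> [log] [audit] <action>
"""
import json
import shlex

ACTIONS = ("accept", "reject", "drop", "mark")

POLICY_JSON = """
{
  "work": [
    {"rule": {"family": "ipv4"}, "source address": "172.25.1.7", "service name": "ftp", "reject": {}},
    {"rule": {}, "source address": "172.25.1.8", "service name": "ftp", "reject": {}}
  ],
  "home": [
    {"rule": {}, "protocol value": "icmp", "reject": {}},
    {"rule": {"family": "ipv4"}, "source address": "192.168.1.2/32", "service name": "telnet",
     "accept": {"limit value": "1/m"}}
  ],
  "public": [
    {"rule": {}, "service name": "ssh", "accept": {}}
  ]
}
"""


def _attrs(mapping):
    """Render {"family": "ipv4", "priority": "10"} as family="ipv4" priority="10"."""
    return " ".join(f'{key}="{value}"' for key, value in mapping.items())


def rule_to_rich(rule):
    """Build one rich rule; the action is always emitted last, as the grammar requires."""
    parts, action = ["rule"], None
    for key, value in rule.items():
        if key == "rule":                       # family / priority attributes
            if value:
                parts.append(_attrs(value))
        elif key in ACTIONS:                    # accept / reject / drop / mark
            action = key if not value else f"{key} {_attrs(value)}"
        elif isinstance(value, dict):           # port, forward-port, source-port, log, audit
            parts.append(f"{key} {_attrs(value)}")
        elif isinstance(value, bool):           # "Masquerade": true
            if value:
                parts.append(key.lower())
        else:                                   # "source address", "service name", ...
            parts.append(f'{key}="{value}"')
    if action:
        parts.append(action)
    return " ".join(parts)


def policy_to_commands(policy_json):
    """One firewall-cmd invocation per rule, shell-quoted so it can be pasted as-is."""
    commands = []
    for zone, rules in json.loads(policy_json).items():
        for rule in rules:
            commands.append(
                f"firewall-cmd --permanent --zone={shlex.quote(zone)} "
                f"--add-rich-rule={shlex.quote(rule_to_rich(rule))}")
    return commands


def unrestricted_accepts(policy_json):
    """Accept rules with no source/destination match open the element to everyone."""
    findings = []
    for zone, rules in json.loads(policy_json).items():
        for rule in rules:
            restricted = any(k.startswith(("source", "destination")) for k in rule)
            if "accept" in rule and not restricted:
                findings.append((zone, rule_to_rich(rule)))
    return findings


if __name__ == "__main__":
    for cmd in policy_to_commands(POLICY_JSON):
        print(cmd)
    for zone, rich in unrestricted_accepts(POLICY_JSON):
        print(f"WARNING: zone {zone!r} accepts from any address: {rich}")
```

Run the linter against the JSON before pasting it into the GPO: the policy is pushed to every Linux member the GPO links to, so a single unrestricted accept is replicated to all of them.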
Windows Domain Member Policies
User Home Folders
Using group policy preferences, you can assign settings to organizational units (OUs) or to a domain. This enables you, for example, to automatically assign home folder paths to all users in the OU or domain. If you move an account to a different OU or domain, the setting is removed or updated, so you do not have to assign the setting manually to each user account.

To create a group policy object (GPO) for the domain that automatically assigns the \\server\users\user_name path as home folder to each user:

- Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
- Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click your AD domain and select Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as Home folders on server. The new GPO is shown below the domain entry.
- Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to the User Configuration → Preferences → Windows Settings → Drive Maps entry.
- Right-click the Drive Maps entry and select New → Mapped Drive.
- Set the following:
  - On the General tab:
    - Action: Create
    - Location: \\server\users\%LogonUser% (Windows replaces the %LogonUser% variable with the user name when a user logs in)
    - Select Reconnect
    - Label: Enter a string. For example: Home
    - Use: Select the drive letter the home folder is mapped to.
  - On the Common tab:
    - Select Run in logged-on user's security context (user policy option)
- Click OK.
- Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
- Close the Group Policy Management Console.

The policy is applied to the users in the OU or domain it is assigned to at their next log in.
Folder Redirection
Using group policies, you can assign settings to organizational units (OUs) or to a domain. This enables you, for example, to automatically set folder redirections for all users in the OU or domain. If you move an account to a different OU or domain, the settings are removed or updated, so you do not have to set the redirection manually for each user account.
Using Group Policy Folder Redirection
Using a group policy object (GPO) is the preferred way to set folder redirections.

Note: Windows does not support dynamically-generated user home folders provided by the Samba [homes] section. If you use this way to provide home folders, set up a group policy preference instead. See Using a Group Policy Preference.

To create a group policy object (GPO) for the domain that automatically redirects profile folders to the user's home folder:

- Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
- Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click your AD domain and select Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
- Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to the User Configuration → Policies → Windows Settings → Folder Redirection entry.
- Right-click the folder to redirect, such as Documents, and select Properties.
- Set the following:
  - On the Target tab:
    - Setting: Basic - Redirect everyone's folder to the same location
    - Target folder location: Redirect to the user's home directory
  - On the Settings tab:
    - Unselect Grant the user exclusive rights.
    - Unselect Move the contents of Documents to the new location.
    - Select Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.
    - Select Leave the folder in the new location when policy is removed.
  (If you choose to set these options differently and run into problems such as Event ID 502 in the application event log when a user logs in, see the Microsoft support article on this, which boils down to either setting both Grant the user exclusive rights and Also apply redirection to Windows 2000 ... or neither of them.)
- Click OK.
- Optionally, redirect other folders in the same way.
- Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
- Close the Group Policy Management Console.

The policy is applied to users in the domain at their next log in.
Using a Group Policy Preference
When you use the Samba [homes] section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see Using Group Policy Folder Redirection.

To create a group policy preference for the domain that automatically redirects profile folders to the user's home folder:

- Log in to a computer using an account that is allowed to edit group policies, such as the AD domain Administrator account.
- Open the Group Policy Management Console. If you do not already have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click your AD domain and select Create a GPO in this domain, and Link it here.
- Enter a name for the GPO, such as Folder Redirections. The new GPO is shown below the domain entry.
- Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to the User Configuration → Preferences → Windows Settings entry.
- Right-click the Registry entry in the navigation and select New → Registry Item.
- Set the following:
  - Action: Replace
  - Hive: HKEY_CURRENT_USER
  - Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  - Value name: For example, to redirect the Documents folder, enter: Personal. For a list of other registry values of folders you can redirect, see the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders key in your local Windows registry.
  - Value type: REG_EXPAND_SZ
  - Value data: For example: \\server\%USERNAME%\Documents (Windows replaces the %USERNAME% variable with the name of the current user when the policy is applied)
- Optionally, redirect other folders in the same way.
- Close the Group Policy Management Editor. The GPOs are automatically saved on the Sysvol share on the domain controller (DC).
- Close the Group Policy Management Console.

The policy is applied to users in the domain at their next log in.
Restricted Groups
Introduction
AD administrators often need to manage the local group memberships of Windows workstations and servers centrally. The Restricted Groups Group Policy setting is a simple way to accomplish this and works in a Samba AD as well as in a Microsoft-controlled one.
Restricted Groups are non-tattooing changes. This means that if you undo the change in the GPO, the affected computers reset the group membership to its previous state after the next GPO refresh.
A best practice is to add only AD groups, not individual user accounts, to local groups. Membership can then be changed centrally in AD by adding or removing members of the group, instead of modifying the GPO.
For simplicity, all examples in this documentation are configured at domain level through the Default Domain Policy. The same is possible in self-created GPOs and at OU level.
Preconditions
- Installed Group Policy Management Console. It is part of the Remote Server Administration Tools (RSAT).
- The examples used below add an AD domain group „SAMDOM\Wks Admins“. Groups can be added to the AD using 'samba-tool' or Active Directory Users and Computers (ADUC).
Modify local group membership and keep existing members
This is the most common use case: an AD group should be added as a member of a local group, and all existing members should be left untouched.
Example: The AD domain group „SAMDOM\Wks Admins“ should be added to the local „Administrators“ group on all computers in the domain (workstations and servers). The members of this domain group are managed centrally in AD, and membership grants local administrator permissions on all Windows computers without knowing the Domain Administrator password or being a member of the „Domain Admins“ group. All existing members of the local „Administrators“ group should stay; only the domain group „SAMDOM\Wks Admins“ should be added.
- Create a domain group „Wks Admins“, using 'samba-tool' or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).
- Open the Group Policy Management Console
- Select the "Default Domain Policy". Verify that the "Authenticated Users" principal is listed in the "Security Filters" list (this is the default). If the principal is not part of the list, add it. In case you removed this principal intentionally, you must alternatively add the computer account(s) to the list and grant "read" permissions. For details, see MS16-072.
- Right-click to „Default Domain Policy“ and choose „Edit...“
- The Group Policy Management Editor opens
- Navigate and right-click to „Computer Configuration“ / „Policies“ / „Windows Settings“ / „Security Settings“ / „Restricted Groups“ and choose „Add group...“.
- Enter the name of the AD group „SAMDOM\Wks Admins“ by browsing your directory and click „OK“.
- The properties window opens. Click the „Add“ button next to the „This group is a member of“ box.
- Enter the local „Administrators“ group name. If you use the „Browse“ button, select the local computer by using the „Locations...“ button in the upcoming window, to browse local instead of AD security objects!
- You see the local „Administrators“ group entry in the „This group is a member of“ list.
- Click „OK“.
After the clients have re-read the changed group policy, the domain group „SAMDOM\Wks Admins“ will appear in the local „Administrators“ group on each client affected by the GPO. All existing members of this group stay untouched.
Explicit control of local group membership
This method sets the membership of a local group explicitly, replacing the existing members with the ones defined in the GPO. Use it with care, so that you do not break existing permissions of accounts used by users and applications!
Example: On all computers in the domain (workstations and servers), the local Administrator account and the domain group „SAMDOM\Wks Admins“ should be the only members of the local „Administrators“ group. All existing members of this group should be removed and just these two objects should be part of it.
- Create a domain group „Wks Admins“, using 'samba-tool' or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).
- Open the Group Policy Management Console
- Select the "Default Domain Policy". Verify that the "Authenticated Users" principal is listed in the "Security Filters" list (this is the default). If the principal is not part of the list, add it. In case you removed this principal intentionally, you must alternatively add the computer account(s) to the list and grant "read" permissions. For details, see MS16-072.
- Right-click „Default Domain Policy“ and choose „Edit...“
- The Group Policy Management Editor opens
- Navigate to „Computer Configuration“ / „Policies“ / „Windows Settings“ / „Security Settings“ / „Restricted Groups“, right-click „Restricted Groups“ and choose „Add group...“.
- Enter the local „Administrators“ group name. If you use the „Browse“ button, click „Locations...“ in the window that opens and select the local computer, so that you browse local rather than AD security objects!
- Click the „Add“ button next to the „Members of this group“ box.
- Enter the domain group „SAMDOM\Wks Admins“ and the local „Administrator“ account. If you use the „Browse“ button, use „Locations...“ to select the domain for the group and the local computer for the account, so that you browse the matching security objects!
- You see the local „Administrator“ account and the AD group „SAMDOM\Wks Admins“ in the „Members of this group“ list.
- Click „OK“.
After the clients have re-read the changed group policy, only the local „Administrator“ account and the domain group „SAMDOM\Wks Admins“ will appear in the local „Administrators“ group on each client affected by the GPO. All previous members have been replaced by these new members.
Force manual group policy refresh
Windows computers refresh and apply group policies by default every 90 minutes, with a random offset of 0 to 30 minutes. See http://technet.microsoft.com/en-us/library/cc940895.aspx.
To see if changes took effect, you can force an immediate refresh of all GPOs on a host by running:
> gpupdate /force /target:computer
The „/target:computer“ option processes only the „Computer Configuration“ part of the GPOs.
Resultant Set of Policy
The Resultant Set of Policy assists in troubleshooting policy implementation. It is a report indicating what policies have been, or what will be, applied to a domain member.
Linux Domain Member
To display the Resultant Set of Policy, use the samba-gpupdate --rsop command:
linux-h7xz:~ # samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
================================================================================================
  CSE: gp_sec_ext
  -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_sec_ext
  -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_scripts_ext
  -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_sudoers_ext
  -----------------------------------------------------------
    Policy Type: Sudo Rights
    -----------------------------------------------------------
    [ tux ALL=(ALL) NOPASSWD: ALL ]
    -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_smb_conf_ext
  -----------------------------------------------------------
    Policy Type: smb.conf
    -----------------------------------------------------------
    [ apply group policies ] = 1
    [ client max protocol ] = SMB2_02
    -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_msgs_ext
  -----------------------------------------------------------
    Policy Type: /etc/motd
    -----------------------------------------------------------
    This message is distributed by Samba!
    -----------------------------------------------------------
    Policy Type: /etc/issue
    -----------------------------------------------------------
    Samba Group Policy \s \r \l
    -----------------------------------------------------------
  -----------------------------------------------------------
================================================================================================
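As an added example (not Samba's own code and not part of this page's original text), the following Python script parses a report in the layout shown above into a dictionary and compares it against an expected baseline, so an administrator can confirm that the intended policies reached a Linux domain member and notice anything that was applied but not planned. The layout rules (GPO:, CSE: and Policy Type: headers, = and - separator lines) are inferred from the sample output; the trimmed sample report and the baseline are constructed for the example.

```python
"""Parse a `samba-gpupdate --rsop` style report and audit it against a baseline.

Added example, not part of Samba.  The report layout is inferred from the
sample shown on the wiki page; SAMPLE_RSOP and BASELINE are constructed.
"""
import re

# Constructed sample, trimmed from the report shown above (raw string keeps
# the literal \s \r \l of the /etc/issue policy intact).
SAMPLE_RSOP = r"""Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
================================================================================================
  CSE: gp_sec_ext
  -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_sudoers_ext
  -----------------------------------------------------------
    Policy Type: Sudo Rights
    -----------------------------------------------------------
    [ tux ALL=(ALL) NOPASSWD: ALL ]
    -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_smb_conf_ext
  -----------------------------------------------------------
    Policy Type: smb.conf
    -----------------------------------------------------------
    [ apply group policies ] = 1
    [ client max protocol ] = SMB2_02
    -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: gp_msgs_ext
  -----------------------------------------------------------
    Policy Type: /etc/motd
    -----------------------------------------------------------
    This message is distributed by Samba!
    -----------------------------------------------------------
    Policy Type: /etc/issue
    -----------------------------------------------------------
    Samba Group Policy \s \r \l
    -----------------------------------------------------------
  -----------------------------------------------------------
================================================================================================
"""

# Lines made up only of '=' or '-' are visual separators carrying no data.
SEPARATOR = re.compile(r"^[=-]{5,}$")


def parse_rsop(text):
    """Return {gpo: {cse: {policy_type: [entry, ...]}}}.

    A CSE that lists no Policy Type maps to an empty dict, so the caller can
    distinguish "extension ran with nothing to apply" from "extension absent".
    """
    report = {}
    gpo = cse = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if line.startswith("GPO: "):
            gpo = line[len("GPO: "):]
            report.setdefault(gpo, {})
            cse = policy = None
        elif gpo is None:
            continue  # "Resultant Set of Policy" / "Computer Policy" banner
        elif line.startswith("CSE: "):
            cse = line[len("CSE: "):]
            report[gpo].setdefault(cse, {})
            policy = None
        elif line.startswith("Policy Type: "):
            policy = line[len("Policy Type: "):]
            report[gpo][cse].setdefault(policy, [])
        elif policy is not None:
            report[gpo][cse][policy].append(line)  # one applied setting
    return report


def audit(report, baseline):
    """Return (missing, unexpected) as lists of (gpo, cse, policy_type, entry).

    missing:    entries the baseline requires that the report does not show.
    unexpected: entries the report shows that the baseline does not list.
    """
    def entries(tree):
        for gpo, cses in tree.items():
            for cse, policies in cses.items():
                for policy, items in policies.items():
                    for item in items:
                        yield gpo, cse, policy, item

    def lookup(tree, gpo, cse, policy):
        return tree.get(gpo, {}).get(cse, {}).get(policy, [])

    missing = [e for e in entries(baseline) if e[3] not in lookup(report, *e[:3])]
    unexpected = [e for e in entries(report) if e[3] not in lookup(baseline, *e[:3])]
    return missing, unexpected


# Constructed baseline: what this host is supposed to receive.  No sudo rule
# is planned, so any Sudo Rights entry will be reported as unexpected.
BASELINE = {
    "Default Domain Policy": {
        "gp_smb_conf_ext": {"smb.conf": ["[ apply group policies ] = 1",
                                         "[ client max protocol ] = SMB2_02"]},
        "gp_msgs_ext": {"/etc/motd": ["This message is distributed by Samba!"],
                        "/etc/issue": [r"Samba Group Policy \s \r \l"]},
        "gp_sudoers_ext": {"Sudo Rights": []},
    }
}

if __name__ == "__main__":
    missing, unexpected = audit(parse_rsop(SAMPLE_RSOP), BASELINE)
    for item in missing:
        print("MISSING   ", " / ".join(item))
    for item in unexpected:
        print("UNEXPECTED", " / ".join(item))
```

On a real domain member the script would read `samba-gpupdate --rsop` output instead of the embedded sample; with the constructed baseline it reports the sudoers rule as the single unexpected entry and nothing missing, which is the kind of drift between intended and applied policy that a periodic check should surface.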
Windows Domain Member
To view the Resultant Set of Policy on a Windows domain member:
- Open the Microsoft Management Console
- Click File > Add/Remove Snap-in
- Select the Resultant Set of Policy, and then click Add.
- Click OK